tv Cyber Crimes Cyber War CSPAN November 30, 2013 11:05pm-12:31am EST
11:05 pm
area. bakeryat every hispanic in the state of new jersey. he made it a priority. it was a priority from day one. when he brings to the table is the fact that he can get, that he can increase the base. that he can get crossover voters. he needed to prove that he did. he made it a priority. the romney did not. do not blame hispanics. question, final question, would be that tonight you've talked a lot about what the republican party needs. you are saying that white men are not with they used to be. you touched on chris christie and what he did to appeal to the republican party and the hispanic vote. think, in your opinion, could be the candidate to aing everyone back
11:06 pm
republican party in the white house. >> i'm jaded and biased. he is my friend. i know him. i love him. he speaks beautiful spanish. i think the best candidate in the field is jeb bush. i think -- a sickly this election cycle, i am like a plus size men's store. i'd either go in big or tall. if the tall guy does not take me to the prom, i am going with the big guy. jeb is bicultural. he is not just bilingual, he is bicultural. we would consider him hate hispanic. give the game changer when it comes to the hispanic vote. been added his entire life.
11:07 pm
he is not pandering. this is what he has been working on his entire time. he would bring a temperate voice to the debate. he is thoughtful. he has a broad international portfolio than what i think chris christie does. i do not know what his is. if hillary clinton were a candidate, that is going to matter. is goinghink hillary to be the candidate, but i seem to be in the minority. i think jeb bush would be the best candidate to change it. the question is, looking at that picture of george w. bush, people say they do not want another bush. their summary people who told me that. they think it is terrifically piers morgan asked no clinton,
11:08 pm
who would make a better president? your wife or your daughter? ok, so. -- the the bush name bush brand is rehabilitating, has rehabilitated, and will continue to rehabilitate. if george w doesn't get involved in politics, he will not be dragged into any political controversial issue. anytime you hear or see the guy he is helping out a child with malaria in africa. bush's health becomes more frail, people will remember what a good guy he was. he was the youngest navy pilot of his generation. he was a member of the greatest generation. there are going to be issues with it. there will certainly be issues. people ask, should we have three
11:09 pm
of the same family in the white house? think that the apparent contrast between jeb and his brother and his father to a lesser extent was actually benefited jeb bush. a lot of people do not know jeb bush. when you hear jeb bush, his level of thoughtfulness, the intellect, substance. people tend to be quite impressed. i was with him last night at the y. i think he won over the elderly, jewish, it republican vote of the upper east side of manhattan. i think there is a path. i see a path for a jeb or a chris christie. a governor is a much better candidate than a senator or somebody else.
11:10 pm
i am a paul ryan fan. but the stench of dysfunction that emanates from washington right now, it is hard to disguise and shake off. chris christie's record and jeb's record would stand up for scrutiny from republican conservatives. i may not agree follow that, but it is hard to argue that jeb bush did not govern as a conservative in his eight years in florida. he did not raise taxes once. i think he would be a terrific candidate. i think he seriously is thinking about it. he is intrigued by it. he is a very disciplined guy. i do not think he is going to seriously think about it and
11:11 pm
make a decision until next year. next summer. maybe a little bit later than that. around that summer. boys --love to see his voice and the baby part of it. i think you bring so much to the table. he will not be afraid to say what he feels he needs to say. jeb bush has been out of power , what?ce -- i try to forget the following years and the rick scott years. jeb has been out of power for six years, and no, seven years. and he is still relevant. in the political debate. i would like to see him give it a shot. i'm going big or tall.
11:12 pm
[laughter] thank you very much. [applause] [applause] >> on the next washington journal, across-the-board budget cuts to the u.s. armed forces. our guest is a former defense coordinator. with a look at changes in voting laws and the effect they could have on the ability of american citizens to vote. and a u.s. supreme court decision. we also have a guest with the cato institute. washington journal live every morning at 7:00 a.m. eastern on
11:13 pm
c-span. >> on many campuses, young women are taught that they live in a patriarchal, oppressive society. girls are taught that they are channeled into low-paying fields. in the workplace, they are cheated out of 25% of their salaries. they face visible area errors at all sorts of forces that hold them down and keep them back out of the high echelons of power. this picture does not fit reality. it is distorted. -- the false claim claims that supported have been repeated so many times they take on this aura of truth. >> her critique of late 20th century feminism have led critics to label her as antifeminist. sunday on in-depth, your questions for author christina hoff sommers.
11:14 pm
during radio talk show host mark levin. tv's in-depth.ok >> next a discussion about cyber attacks and espionage. one of the speakers is william plummer, the vice president of huawei technologies. -- he is joined by former cia official chad sweet. and thomas rid who is the author of a recent book on cyber warfare. this is one hour and 30 minutes. [applause] >> thank you very much tom. thank you all of you for joining us here today. a great group.
11:15 pm
from as at this issue very different angle. it is going to be my job to try to sew together the areas they agree on and what they disagree on. introduced inbeen my plan for the evening is to have a conversation for 40-45 minutes and then open it up to all of you and then to all of you who are watching this on the internet. you have a way of sending in questions for the moderator. those are supposed to magically appear on this ipad. if they do not, it is because the nsa has hacked into it and the questions have all been eliminated. recently withel the head of the nsa. said, i doet out, he
11:16 pm
not like question number five. with tom rid. book, after coming to a definition of what cyber war is and isn't -- i think we would all agree on this panel that we have seen gradations of cyber activity. we have seen cyber theft of intellectual property, corporate secrets, state secrets, espionage that is cyber enabled. we have seen occasional cyber attacks on infrastructure, which is what happened in the operation of the olympic games. they tried to conceal it at the time. denial of service
11:17 pm
attacks, an effort to bring down banking systems or, those would never happen, freeze up the entire new york times website. as the syrian electronic army managed to do over the summer. for a good number of hours. and overall cyber war, which you described in certain terms. for those out here who did not have to suffer through clausewitz's "on war." fors getting new york killing rats. it's very happy. you use a very classic definition of cyber warfare. which of these will not occur? espionage is happening and some infrastructure attacks are happening.
11:18 pm
service attacks are happening. what you telling us what happened? >> i am not actually talking the academic aspect. this book is the opposite. it is looking at the empirical record and the technical possibilities. this intove to put context. degree, cybera weapon, they're talking about a metaphor like the war on drugs and the war on terror. and we are talking about the real thing. what i am trying to do is help distinguish between the metaphor, which can still be very serious, and the real thing. i am trying to do that by saying that acts of force executed with the help of computer code need to meet three criteria.
11:19 pm
they need to be violent or potentially violent. otherwise we're talking about a metaphor. they need to be instrumental in the sense that somebody is trying to change somebody else strategically. and they need to be political in the sense that somebody takes credit. i did this to you because i wanted to change our reality. if you run the three criteria on through all the incidents on record, they do not always meet this criteria. if it is not war, what is that? you mentioned different types already. i am grouping this into three different sets. withdrawing efficiency , or only anm extraordinary -- an external computer attack.
11:20 pm
rather than attack from insiders. the second is espionage, or intelligence operations. for commercial or political gains. thirdly, we are talking about activism and hacktivism, which is a separate problem. each of those requires separate action. >> i'm with you on all of that, except for the part where you say that they are not trying to be predictive because the title of the book is "cyber war will not take place," which sounds a little bit like the future. [laughter] >> the title is a pun. there is a saying in french
11:21 pm
about the trojan war. i use it in that example as a pun, a play on words. you've heard dr. rid's discussion of these groups. you do not get paid by your clients to worry about the past. you get paid to see what could happen in the future. it strikes me that if you sent them all copies of dr. rid's book, they would stop paying you. you have a real concern and your crimes goes the range of -- tell us, sabotage at the far end of this, whether you see subsequent attacks on
11:22 pm
infrastructure to be a one-off, or the wave of the future. whether you think that fits with the definition of war. violent or potentially violent political action. >> i want to say thanks again to the asia society. i was a student at columbia here in new york. i live just down the street many years ago. international relations with a concentration in east asia. it is an honor to be here. i appreciate the work that the asia society does. the setting that we have for this discussion, coming on the heels as david said earlier of an important address regarding our relationship not only with asia as a whole, but with china in particular, going to dr. rid's point, i have a lot of
11:23 pm
appreciation for the in-depth analysis that he did. i would commend his book to you to read. i would respectfully disagree with the fundamental definition. violence of an intent to change behavior and someone claiming credit. definition, for example, if you think about it, when i was in the cia, we used to do cold war. there were a number of things that we had to do to protect the united states. they did not rise to the level of overt violence. we did not claim credit for them. it was a lot of things that happened behind-the-scenes. a game between nations, and the art of war. as david alluded to earlier, he said that war is politics by another means.
11:24 pm
here i would have a slight definitional difference with dr. rid. some areas are cleaned and some are not. a violentw today d.c. terrorist event, there may have been multiple people involved, but time will tell. certainly in the boston bombing, we did not see an initial claim of responsibility. a terroristly attack. in my view, if we define war as politics by another means, then certainly terrorist attacks are the poor man's way of inflicting
11:25 pm
destroy another power. that is an exact example of where we define violence are claiming credit that would not qualify as an act of war. nobody officially claimed credit for that. it depends on how you define violence. if you define it as killing people, in that respect, it did rise to that level. violence can sadly mean destruction, physical property, maybe it does not rise to dr. reddy's laboratories. the question of whether this will become a tool of the future, when i was telling you all at the beginning when tom said the report many decades ago said that cyber wars coming,
11:26 pm
that was very prescient. it was almost like paul revere. i would take issue with the fact that the title says cyber wars happening. is it coming, it is happening every day around the world. we will go through many more examples tonight. i think cyber wars happening or cyber conflict. >> cyber wars happening. declare -- if you are a saudi arabian, the most important asset you have as a nation is your oil reserve. what happened in the attack?
11:27 pm
what essentially happened was that the saudis were attacked because the iranians believed that they were collaborating with other powers to stop their nuclear program which was written about in the times. essentially, they were destroying over 30,000 computers, which not only did they enter the computers and infiltrate the data, they literally destroyed those systems and blinded the -- blacked out millions of records on oil imaging reserves. that was an act of war. it was done by the iranians. a great example of how it is happening not in theory, but in practice. , let me circleon
11:28 pm
say, into. rid and examples we have discussed here, and the olympic games, centrifuges are made to blow up. you've probably seen the photographs of them. these giant floor to ceiling devices that spin at supersonic speeds. when they blow up, it is like setting a bomb off. you do not want to be sitting next to one. to this day, we do not know if anyone was killed or not. then you heard chad describe the attack on saudi aramco. but neither of those figure definitions. is that right? >> i think we have to move beyond these discussions of definitions. we have real problems to worry about. we need a language, a constant
11:29 pm
for these very real problems. by talking about war all the time and violence all the time, we are not getting any closer to what needs to be done. if we want to discuss the possibility of specific tactics, then we need to get a little more technical. but i understand that we want to do this later, so i'll refrain from getting into it. >> mr. plummer, i returned to you. you are in the foreign service for seven years. we are not tonight going to ask you to explain chinese foreign policy or represent the government of china. >> that's good because i served in latin america. [laughter] >> all the better reason to do it. going to ask you about an explanation for why the u.s.
11:30 pm
government gets so worried about technology built by companies like huawei, but not just huawei. their concern is the following. if you get a piece of equipment huawei basically makes the skeleton, backbones of the internet. and if you bring them in from a country which you believe is searching on the espionage and intellectual property theft side, then you are inviting in to the united states that a foreign country can exploit whether they are with huawei's permission or not. will help them
11:31 pm
understand the structure of networks in our country. that is why you have such trouble in recent times in selling in the u.s. markets. and you have one of your executives say that you are not -- they are not interested in the u.s. market. the first question is, is the hardware a backdoor for a government like china? and secondly, whether it is or you change the perception of the u.s. government on that issue? but there were a great deal of questions about opening. today.is here we are a leader in this industry. huawei is a $35 billion company. in hundreds ofis different markets. their customers are over 500
11:32 pm
telecommunications operators in the world, including nationwide operators in virtually every oecd country save one. huawei is a leader. we do have business here, but not with any of the major nationwide operators. is a resource in terms of understanding the challenges that we face in today's cyber age. huawei is -- those are challenges that are raised by globalization, by interdependence, by trans-nationality. their benefits so that globalization as well. there are companies like huawei that bring things to markets that they do business with, competition, more affordable broadband, etc.
11:33 pm
you made an interesting point and it is a concern about hardware coming from certain markets. whether you're huawei or cisco or nokia or ericsson, in this day and age, you are a global company. you are conducting research and development and software and building products and relying on common supply chains on a global basis. all of that is in china. you are also subject to common vulnerabilities from state and nonstate actors. what our industry is challenged with now and will always promoting -- huawei is, how will we continue driving the competitive benefits? and then we have to address the challenges of globalization in our industry. related to the supply
11:34 pm
chain of information and technology companies. unless you raise the bar for everyone, with appropriate standards that are certifiable, you accomplish nothing in terms of securing data. >> let me take you back to why the u.s. government has such a concern. huawei has been blocked from various acquisitions in the u.s. you yourself have said that american telecommunication companies will put the equipment in, even though they have indications that other companies would. they are doing that because they have specific concern that the
11:35 pm
chinese government is acting not -- not the global market in mind, but with its own narrow interests in mind. are you telling us that that is a false way to think about what huawei does and what its relationship with the government is? >> absolutely. a great deal of the challenge that huawei faces in the u.s. is geopolitical. that is well beyond this company. we are 150,000 people strong. we are remarkably diverse. we have 39,000 for non-chinese. 70% of our business is outside of china. we are a multinational company. the suggestion that we can by picking any one it turns a line guide to
11:36 pm
all of the other players are compromised. ago, we would've said that huawei was a perfect of a company where the geopolitics outweigh the global market. in the aftermath of the snowden investigation, you could argue at&t, google, verizon, anybody who is ever received orders from the court to turn over data can essentially be with whatever the
11:37 pm
government is alleging that huawei has done. this is a mirror into which the u.s. government has been looking. huawei has never been asked by any government anywhere to compromise its goods or services. we had a witness testified that it will be commercial suicide to do so. in the wake of the snowden revelations, where he read on a , these companies that compromise are experiencing a rather devastating impact on their current business.
11:38 pm
it is a rather remarkable demonstration of why you should not do this. it is exactly the thing that huawei would not let it happen. the snowden revelation market knowingg of the end of corporate complicity whether willingly or not and government espionage. there is an opportunity now for industry to move forward and establish pragmatic and rational and commercial and true standards to better secure networks and to undo this crisis of confidence in this industry globally.
11:39 pm
>> chad, you were chief of staff at homeland security during the time that the definitions of what the u.s. government wanted to get out of the internet providers, all the companies we have been talking about, was expanded. when the fisa court issued secret orders to turn over data including the telephone logs, not the conversations of every phone call made in the united states which is a haystack with which you could pull needles. tell us how that clamping into this giant data pipeline differs, if at all, from what the u.s. government charges companies like huawei does every day.
11:40 pm
>> i have been out of the united states government since 2009. what we will discuss will be classified. [laughter] >> we will keep him going with the vodka. >> the metadata program or what is called 215 which is the program that david referred to that accumulates the haystack, i would tell you to yet a sample of why the u.s. government actually visited the system. it means because the phone companies delete these records after 90 days, that is precisely why the united states government asked for them to be retained and not to search them until they go through congressional it
11:41 pm
approved, fisa approved report. the government has the ability to search but what we say is they cannot have the right to an unreasonable search without probable cause. that means in order to have a search, you have to have something to search so the accumulation of the data itself in and of itself is an example of why the government is not sitting in the system today and has to ask for the voluntary agreement of the companies to hand over -- [inaudible] this is voluntary as you go to jail. >> the government cannot
11:42 pm
technically be inside the hardware. the concern with huawei is that the chinese are inside the hardware. that's different from the metadata program. >> you are telling us the u.s. is not in the hardware because they issue these orders to turn over the material that runs through the hardware? >> correct. >> supposing the chinese government went to huawei center in beijing and said you have a lot of data flowing through your service and some are outside of china and some of them are for china. we will give you whatever order
11:43 pm
you want us to work up and we would like to put this in a repository in shanghai so that if we need to go back in and see what ibm is planning or so forth about the next defense system they are building, we have a way of getting at it. would you see a distinction between what chad just described which is the u.s. government pulling in the state and is chinese government seeking the same kind of thing? >> there are many different levels to that. what chad has described and you're talking about is the distinction between a company like huawei that provides the water and a service provider that runs the water. rather than drill random holes to get something out of the plumbing, the u.s. government
11:44 pm
decided to drill into the reservoir. >> while you build hardware, there some countries in which huawei will run the entire network. >> that's correct. >> so you are a hardware and services company? >> we are. i think it goes back to the fundamental question, there has never been any substantiation of any current or past penetration or compromise of huawei company. there has never been any evidence of any issue.
11:45 pm
what may happen someday in the future -- i will resist the temptation to go up -- you go out and talk about other potential compromises. huawei has made a conscious decision that it is in our best interest to maintain the integrity of our customers, networks, and their subscribers data. we are not going to commit commercial suicide by violating that integrity or those networks. >> if you receive a legal warrant, you got to do the same thing that verizon and at&t have done. >> there is not a country in
11:46 pm
the world teach the -- they each have each of their regimes. as taxpayers, we, collectively, gave a subsidy to the total -- to the phone company to pay for the hardware and software that allows phone taps to take place. we do that because under our constitution and article four, you cannot have unreasonable searches but you can have reasonable searches. if you watch "the sopranos" we have the phone's of suspected mafia don so we -- we cannot be critical of the chinese.
11:47 pm
i think the key question being put on the table is it a question of lawful intercept? the question is whether that -- what are purported to be private enterprises are tools of a foreign government for the purposes of espionage. i'm not here to suggest whether huawei is or is not. back when we were worried about the threat from the japanese against -- when they bought rockefeller center and everyone thought the world was coming to an end. one of the great things i admire from one of my professors from columbia is that if we did not have the japanese, we should have invented them because they made us better. it made us more competitive and the right reaction was not protectionism, it was learning to have a more competitive auto industry.
11:48 pm
let's consider china for a moment. we know that microsoft is incorporating with the chinese government and have provided various forms of help to the chinese security establishment in order to listen into skype chats, the chinese government is good at intercepting keywords from social media. we have a government that is able to get help from american.
11:49 pm
this is a fundamental and ethical question. it is the flip side of what you are mentioning. if somebody gets caught in china helping american companies,, that has a real consequence for that individual. these questions can mean people are being interrogated. >> this is not very theoretical. >> cyber wars is an example. >> let me pursue that with you. if steve jobs was alive today and looked at modern warfare, i suspect, having suffered through
11:50 pm
those thousand pages, he would be fascinated by the concept of information war. that is to say that you can have conflicts between states that is an extension of politics by other means without blowing things up or sending 100,000 troops in. you can do it by either manipulating for economic or political advantage for espionage as a category or that you could begin to effect infrastructure and you want to congress case. when they fascinating chinese base concrete case. it is the offshoot of a company that controls about 60% of the gas pipeline networks in the united states down to new mexico. they come in to work one day a
11:51 pm
year ago and they discover that all of their code has been taken. they conclude is taken by some of chinese origin. all that was stolen was the software that tells how to turn off gas valves. if you are in a conflict with united states, it might be useful to have the coding to turn off the gas to 60% of the country. where does that fit into this aspect? >> the word cyber weapons is often used in that context. what are cyber weapons? let's imagine that the only big example we have.
11:52 pm
imagine a projectile. you would have generic vulnerabilities. it affected 100,000 computers but assume one of your laptops were affected, you would not even notice because this was developed for their industrial control systems. these are highly specific systems for many reasons. so-called legacy systems. mostly unique components.
11:53 pm
stuxnet was a one-shot device. the payload was one short which that is means -- as one of the arguments i am testing in the book. i am maximizing the destructive impact. are you minimizing the target? we are doing so. that is a tough question to answer. can you just use the generic components and apply it to another target? it's a controversial question among engineers. >> that takes us to one of the first questions we have gotten on e-mail. i feel like we are doing an advice column. ann in brooklyn asks -- if the
11:54 pm
united states wanted to conduct a cyber attack against the shanghai military site -- which is where the chinese are allegedly carrying out their cyber attacks -- could we do so? could we do it technically and could we do it politically? it is a chinese military unit that we believe is responsible for a number of attacks on u.s. computer systems. but they are also blamed for the theft of intellectual property. chad this is right down your alley. could we do it technically and could we do it politically? >> aren't we all off the record? [laughter] >> yes, that's why the cameras are rolling.
11:55 pm
just between us. >> i cannot say whether the government has the capability. if you can take down nuclear centrifuges to a specific location in iran, you probably could target a specific building in shanghai and the specific actors. >> to achieve what? >> from the objective point -- >> i mean to do what. >> in any military doctrine, if you have attribution and retribution. that goes back to the cold war. it involved mutually assured destruction which kept us relatively safe during one of the most threatening
11:56 pm
periods of global history. in this case, the objective is -- and this is exactly why cyber is the definition i use the last requirement is claiming responsibility. part of the appeal of this particular weapon is its lack of ability to attribute who did it. attribution in this threat vector is unbelievably complicated. the ability to hide behind -- if you can have multiple jump servers in the cloud. few people have the forensic capability to penetrate the multiple layers -- i am speaking personally because this story happened.
11:57 pm
that particular unit of the people's liberation army attacked my firm. we were one of the 140 companies that were outlying we successfully dissected and stopped it whenever to penetrate , but the point is that this is a real threat. if we attempted to actually tradition, and this is something we all have to talk about the problem you have today , is that politically, it is difficult because of the united states did to we would have to directly to the chinese. we see the tremendous skepticism of being asked by the american people of president obama.
11:58 pm
there is suspicion about whether the evidence is strong enough to warrant a limited strike on syria. i would argue you would find it to be even more difficult for president obama to put forth the people of this country a similar proposition that he just put forward on chemical weapons, which are, frankly, physical, more visible, there's more ability to produce victims and symptoms and signatures that you can get hair follicles that actually have the chemicals in it. my point is attribution is extremely difficult and retribution makes it even more so. maybe later we could talk about this is why a modern doctrine for this threat is so needed. i think dr. rid has done a good service by putting a forward. we need a new version of this for the cyber age. >> is that possible?
11:59 pm
can you design a system in which the perfect attribution, when one of the reasons the world loves the internet is they can operate more anonymously? >> i know we are going to have another half-hour of questions, folks here and online, and for some reason i imagined many of those questions are going to focus on china as much of this conversation has, so let me first interject that cyber conflict, cyber mischief, cyber what have you is borderless. there are states and there are non-states. whether the u.s. is hacking china or china hacking the u.s. or russia hacking both or israel hacking everyone, as is all taking place. we cannot look at the threats to network security and data integrity in the context of one country and another country and those countries versus each other.
12:00 am
so what can be done? is there such a thing as a perfectly secure network? no, there never will be, but we can make it more secure. there are grossly speaking sort of three different domains. there is what i do, which is on the equipment side and the coding of the equipment side. everything we built at huawei or epsilon, or ericsson, others, is all with typical standards. our customers, operators, want to be able to have a competitive environment. i will take a widget from him and they can rationalize the market prices. they keep us honest. but that means what we build is intended -- is essentially interoperable.
12:01 am
so when you drop this equipment into the network, if you have not raised the security bar for everyone in terms of best practices and standards from ideation through end of life, your contest nothing. so the first domain is, how can we find and develop in a public/private partnership standards to raise the bar of the equipment that companies like ours deliver? the second is in the realm of service providers and data management. it has become apparent over the last couple of months that what we need in that space is more transparent regulation and a more transparent legal environment that is better geared to protecting the integrity of data. the third domain is the one that chad was speaking about, and that is governments. i would like to believe -- i would like to believe that using the example of mutually assured destruction, when two adversaries came together in the 1960s and recognized they could blow each other up umpteen
12:02 am
different times, they mutually decided -- i'm almost done. they mutually decided, who are we commonly vulnerable to? you have the treaties and what you got was the lowest common denominator of acceptable behavior. it didn't stop floor for age and, but is loaded. if governments can agree on lowest common denominator acceptable behavior, it won't stop espionage, but it may restrict disruption for potential disruption, multi-lateralized. >> this gives us a little more ground. something that should be obvious but is not obvious, computer code can only affect computer code. in other words, as i'm sitting here on the podium, i assume the same applies to the rest of you. we are invulnerable to computer attack.
12:03 am
i have a pacemaker with an ip address. that is a benign statement, but very important. could the u.s., -- could the u.s. attack that particular headquarters building in shanghai? it could breach the information system. it is probably not too difficult to do if it has an internet connection, etc. but he can only affect physical damage at the time he could weaponize and turn into -- it has to crash, burn, explode, whatever. stuxnet and centrifuge are good examples. >> let's all think about that when we admire the electronics on our new cars. let's go to the audience for the first question. just wait one moment. there's a microphone coming your way.
12:04 am
>> sure. hello? >> you are working. >> steve rodriguez, fellow at georgetown. what are the escalation options, attribution or nonintervention, and as a commercial entity, what are the options for de-escalation and receiving remediation for the physical attacks of a country or another nonstate actor? >> the question is one about escalation. there is an attack, you perceive an attack on a company in the united states. who attacks back? tell me if i'm right. the company that is attacked, do they have a right to attack back? should a government attack back on their behalf? can we only play defense?
12:05 am
>> that is a big debate, whether hacking back works. one, is it allowed legally? and the other one, does it deliver results? let's ignore the legal question for a moment entirely. does it deliver results? i had a conversation with a couple of companies -- let's not name them here. i've yet to see -- >> come on. [laughter] >> i've yet to see the evidence that it delivers results. the only example we have of someone hacking back is a quite a funny one. it happened in georgia about three years ago where somebody, apparently from russia, hacked a georgian ministry and tried to get documents. the computer emergency response
12:06 am
team found out something was fishy and actually put a pdf file that was rigged with malware embedded in it on the servers and had something like nato agreement on it. [laughter] the russian hacker apparently stepped into the trap and they hacked him and immediately took video of the guy with his webcam. it turns out it was a guy sitting there with his wife. >> if anyone hasn't seen the photo, go home tonight and dig it up. it's exactly what you think it would be. >> it is an interesting point because it doesn't solve the attribution problem. they still did not know who it was. they had a picture, but did not know who it was. >> chad, back in your days at dhs, let's say company x got attacked. they call you up and say, i know my government. they're not going to attack back
12:07 am
on my behalf because they don't want to escalate into a cyber war. do you have any problem if we think we know who attacked us, if we don't blow up their servers? >> it is a fair question. we got asked that at dhs and now that i'm out, being asked it. the analogy i would use is if we think about a bank, if somebody walks into a bank with a weapon and tries to take the money, going out the door, there are well-established precedents that a private security -- an armed private security guard legally can in fact order the individual to stop. if they refuse to cease and desist, they can in fact use lethal force. for whatever reason in the digital world, we don't allow that. and what you're seeing across the commercial environment for my clients is an
12:08 am
unbelievable feeling of being left hanging out to dry by your own government. what is happening is if we sit here in the asia society, we are starting to see historically the business community like the chamber of commerce and think about a sailboat, they were like the rudder, any time they started to act up against china, they would dampen things down to keep the sailboat afloat. there's so much anger and frustration about the theft taking place by state-sponsored actors including china, that we are actually seeing the business community demanding they be allowed -- if the government is going to step in and play the role of defending them, then they need to be allowed to do it. i would respectfully disagree with dr. rid that not only does
12:09 am
the ability to hack back or do active defense allow for change of behavior, we are seeing -- i can tell you firsthand we have seen it. if you think about it logically, there are so many soft targets where people are not responding that if they have someone who just does low-level, basic, active defense, they move onto the next soft target. >> i want to keep this going. >> this is uncharted territory and i will caveat that the point that was made is we need a legal framework because in the absence of that, people are getting frustrated and it has a lot of consequences. >> bill, now we can all feel your pain. let's say we work in one of those scenes where you are a company and you think you have been attacked and you think the origin is chinese -- whether it is chinese government, chinese teenagers, chinese criminal group, whatever.
12:10 am
i just installed the latest and greatest huawei servers in my system. i'm going to be asking the question, is the attack really from abroad? or perhaps unknown to huawei, was there a backdoor built in and i sort of helped the thief come into my system? >> i've read the same data that you have about the increasing attacks on u.s. networks. and huawei has less than 1% of u.s. network market. those attacks are not taking place over our gear. for what it's worth. >> ok. good answer. [laughter] right here. >> we have been hearing for a very long time now the danger of cyberattacks on national security and we've been talking
12:11 am
about the corporate realm for the most part. where do you see this going? is this realistic? when will it happen? what can we do about it? >> ok, tom, you said academics don't work in the future, so look in the future. >> the biggest problem here is espionage and especially commercial espionage, not sabotage and disrupting systems. the problem is commercial espionage. where is this going in the future? that is a very difficult question to answer. but let me go to the snowden revelations for a moment because they fit in part of this picture. what we're seeing is to the great surprise of many observers, the u.s. government, the nsa are more capable intelligence agencies --
12:12 am
they are able to intercept more data and decipher more information than many people previously had assumed. i think one of the big questions for the future is, what do those revelations mean for american businesses, what do they mean for intelligence agencies, what do they mean for the balance between western intelligence agencies and intelligence agencies in authoritarian countries? i'm really concerned about what is going on in the moment. yes, some of the revelations have a positive effect because we have been having informed debates about what the nsa should be able and should not be able to do. right now what i'm seeing is a shouting match between
12:13 am
those that think snowden is a hero and those who think snowden is a traitor. in fact, we are not having a nuanced conversation in the middle about what is and what is not ok to do. they may provoke the audience by saying there's a moral case to be made, ethical case to be made for an open democracy. after all, we are in a robust open democracy, which has to be re-emphasized after this affair because many people seem to think that is not the case. both inside the united states -- even more inside the united states and outside. there's a case to be made that a powerful intelligence agency should be in a healthy democracy. we don't want the most powerful intelligence agency not accountable, not controlled by the democratic process, to be sitting in an authoritarian country. >> i know i have a tendency to
12:14 am
be less grounded, so i will be less grounded for a moment, but we are seeing as a result of this crisis of confidence -- we read in the media that brazil is looking to localize clouds and launch a stationary satellite to africa into europe and the indian government is contemplating the elimination of gmail and yahoo! mail accounts for government employees. germany is looking to localize clouds and launching e-mail made in germany, which is safe from the nsa. we are seeing this fragmentation of the internet environment which is not good for anyone. in the short term, there will be business opportunities. but in -- >> the internet is about connectivity and we are reacting by disconnecting. >> we are balkanizing. that is not solving the problem.
12:15 am
that is creating challenges to scale, to interoperability, creates challenges to the free and open spread of information. we need to balance that and economic benefit associated with that with the need for real and pragmatic approaches to better securing networks. >> bill, this takes us to a question we have received by e-mail from wonderfully, anonymous. [laughter] not the group, but somebody who doesn't want attribution to the question. asked by e-mail, do you think there is a need for a cyber weapons convention much like the npt? who should govern it and is there even an interest? every time i asked this question of someone in the u.s. government, they flee in the other direction. they are not at all interested in an npt for cyber, but then again, for the first 15 years
12:16 am
after the atomic bomb was developed, they were not interested in npt for the atomic bomb, either. i know this is one of your favorite topics. tell us what works and the analogy and what doesn't. is it even possible to have a treaty with a weapon that is not simply in the hands of states, but in the hands of criminal organizations, terrorists, teenagers acting like terrorists, whatever? >> i will defer the end of this to chad, but what i said earlier was the way we need to approach this, the industry needs to do its bit, which means those of us that make the plumbing need to, all of us, need to be held to the same standard. that means we need to establish the standards, best practices and disciplines that will then be certifiable -- all of us. service providers and data managers need to have their appropriate -- best disciplines and environment as well as more
12:17 am
transparent legal and regulatory regimes. this concept of an npt for cyber, that is in the third realm. that is where governments need to work out their issues and those issues may be as simple as, i won't crash your markets if you don't crash my planes. i don't know what those issues are, but they need to do that in the context of allowing industry to move forward commercially and competitively and to continue to innovate. >> this goes back to chad's points on attribution. the reason in the nuclear realm the treaties work, when one of them got launched, there was this neat little big screen that was down in some mountain of colorado and you could see you had 30 minutes before you were annihilated. there is no such screen for
12:18 am
cyber weapons, so you don't know whether or not an attack is coming, whether it is from a state, from an individual, whether it is from your spouse. you don't know where it is coming from. tell me how you make this work. >> if you remember matthew broderick in a great movie, it is this challenge which is the threat vector is fundamentally decentralized and dynamic. in this threat vector, by the way, 30 minutes is an eternity. if you have 30 minutes to respond, that is a long time. this is happening at the speed of light. thousands of attacks per second. what it means is that the old paradigm in the nuclear age of having essentially a command and control structure out of norcomm where there are two people in the united states that have the
12:19 am
launch codes, the president of the united states and the commander of norad, and they basically have authentication to launch in a very exercised method of responding, that hierarchy is antithetical to this threat. this threat is decentralized. to bill's point we have a situation where thousands of attacks are happening per second, there is no way the president of the united states can sit there and say -- it would be like me coming up to them every five minutes going, mr. president, mr. president, mr. president, what you want me to do? we have got to look at this threat vector and realize the human talent is not dominated by the united states government as david rightly points out. the weapons are not dominated by any particular government. the command and control ability to actually attribute the response -- there's no nice little plume that comes up. there is no clear ability to have a decentralized dynamic
12:20 am
response. when i think of government, decentralized and dynamic are not the first two words. >> tom, when i read your book, the nuclear analogies here drive you up the wall. [laughter] >> exploits, attack code, whatever you want to call it, is not created equal. there are hundreds of thousands of attacks per day. there are countless attacks. there's only been one cyber network we could take searcy. almost all computer breaches for espionage purposes are just microphones or cameras that gather information for someone else. they're not having any effect on the targets immediately. i think that is a very important qualification to make.
12:21 am
stuxnet is not happening at the speed of light. the development started in 2005. it was out in the wild in the first versions in 2007, then steadily improved effort versions until 2010 when it was discovered in june. this is the most sophisticated attack we have ever seen. so we need to take some of the statements about everything happening at the speed of light just with a little bit of -- >> it took us a year and a half to figure out who did it and how. >> dr. rid made an important point. when i say thousands of attacks at the speed of light, there's a spectrum of attack. the surgical strike by a state-sponsored actor is the penultimate into the gamut of the spectrum of sophistication. i agree with dr. rid, those types of surgical strikes will happen less frequent.
12:22 am
but everything south of that, when you look at the commercial espionage realm, that is the bulk of the attacks. in that realm, to go back to your question about what we need to do. the governments of the world are inherently systemically not dynamic and not decentralized, therefore, they are not the right answer to this question. the right answer to this problem is agreeing on what bill said earlier, let's get standardized norms of behavior and then let's empower the private sector who has in fact decentralized and dynamic tools to deal with this. it is much like analogy, you don't rely on the federal government, there are posses -- you have a local police force, nypd here in new york, you don't always need a big government solution, a local solution, and frankly, in this case, going back to the bank analogy, having a private guard who actually is there to respond to your individual company needs. as long as they meet
12:23 am
certification, the government doesn't have to solve all of our problems. we can in fact do it ourselves. only at the high end spectrum, which dr. rid mentioned, the ultra high-end sophisticated attack. that is the realm of state-sponsored government. you heard general alexander confess, got in trouble later, we don't even have our act together. cyber command is just now announcing it will have 13 offensive strike teams, but they won't be ready until 2015. if the cavalry is not coming, we're all on our own, and we have got to have a global consensus of how we are going to have norms of behavior and then empower local police or cyber police forces just to handle this. >> chad makes a good point. while they're organizing offensive subroutines and calling them that, somebody did stuxnet at the olympic games. they may not have been organized
12:24 am
as a team, but they had to operate someplace. so -- the question in the back? >> hello. we've seen recently how vulnerable the world financial system is to erratic and chaotic behavior. just how vulnerable are those trading systems? you mentioned the speed of light. it seems most of our financial system now is being run by computer programs. just how much chaos could be caused? we have seen how much chaos can be caused by a malfunctioning system. could this be deliberate as well as butterfly wing and chaos theory? >> the question here is, we have seen markets that know how to implode on themselves without any outside help -- [laughter]
12:25 am
we have seen the nasdaq shut down without any outside help. so supposing someone came along -- suppose came along and actually helped raises a question. tom, i think it raises another question for you, which is, most of us could not have imagined a that was this economically interdependent. if you take out its market systems, you can not only take out one society, you can take out a whole bunch all at one time. we nearly did that ourselves with lehman brothers and bear stearns five years ago. tell us what the vulnerability is if someone was trying to do it deliberately. >> no doubt there is significant vulnerability. we have seen a few instances in the past couple of months. the syrian electronic army hacked the twitter account of the associated press and sent out a fake tweet and as a result, -- >> the tweet said the president
12:26 am
had been assassinated or shot at or something. >> something like that. >> it had a market effect. >> people can make a lot of money in a few minutes in this town. >> that's right. i'm not saying it was irrelevant, but it bounced back very quickly. then there was the technical incident which was also an interesting situation where a lot of people got a lot of nervous phone calls in washington, d.c., i hear. it wasn't an attack. just a quick point, what does that mean? if you look over the past couple of years, we have seen an interesting pattern. we're getting used to some cyber attacks. we're not really that nervous anymore about the website being down for a few hours. you read the "washington journal" instead. >> i have an exception to that. you ask bank of america and wells fargo, they are worried. it costs them millions of
12:27 am
dollars a minute when websites are down. with all due respect to dr. rid, we have seen the shift from theft to destruction. i.e., when you look at the attacks that are going on against wells fargo, bank of america, citibank, these are not attacks to steal money or intellectual property, these are direct attacks specifically for the purpose the gentleman said in the back, which is to shake the confidence of our system. if you think about on any given day, every bank is bankrupt. if all of us go to the bank tomorrow and take out our money, no bank can withstand that. it is a great question. i think that is politics by another means. it is an act of war. >> take another question out here. if not, we will go to one that is coming here. another anonymous. we don't know whether this is the same anonymous or a different anonymous. [laughter]
12:28 am
has a question for mr. plummer. is the only problem here your company has a chinese name? cisco has been known to help china build its firewall, the great wall. have you thought about changing your name to something non- chinese? would it make the slightest bit of difference? >> to the first part of the question, i think the balance of the challenge that we have faced is because we have a heritage in china. it is stunning to me sometimes to explain to someone that is a $35 billion company, trusted and proven globally, and of the $35 billion, one third of all the inputs into huawei gear comes from american suppliers. that is like $7 billion for the procurement last year.
12:29 am
it is stunning to me that people cannot grasp that. so, yes, great deal of it is just a fundamental misunderstanding of what it means to be an international company with the chinese heritage. as for changing the name -- >> is a chinese heritage or chinese heritage if you read the senate report and so forth, it has links to the chinese military because of where the founders of the company and so forth -- >> hogwash. it was not the senate, it was the house intelligence committee. i thought that might come up. i thought about bringing a stack about this tall of 20 page reports that rebut pretty much every little bit of information that was misrepresented in that report, but i didn't want us to be distracted. i will have business cards for anyone interested. no, really, it is, this is the asia society. that is why we're here right now. part of what we're here to do is
12:30 am
increase understanding across various different cultures. there is just a fundamental misunderstanding of what it means to be a multinational with a heritage in china. >> let me ask you the reverse question. when lenovo bought the old ibm, was there any similar concern in china that you are aware of that they were buying into systems to which u.s. had a backdoor? >> i don't really -- i can't speak for what -- i think the concerns were more on this side of the equation going through the process, but you also have to keep in mind the terminal, whether it is a pc or tablet or phone or what have you, has not attracted the same attention as the access network. >> if you think about the name toyota, my grandmother lived through world war ii and refused