The Atlantic Council of the United States
Building a Secure Cyber Future: Attacks on Estonia, Five Years On
Welcome and Moderator:
Vice President and Director,
Transatlantic Relations Program
Senior Security Strategist, Office of Global Security, Strategy, and Diplomacy
Yesterday: The Successes and Failures of Prior Planning
Estonian Information System’s Authority;
Founder and Research Director,
Packet Clearing House
ICT4 Peace Foundation
Director, Cyber Statecraft Initiative
Today: Planning and Preparedness in an Age of Digital
Undersecretary for Defense Policy
Estonian Ministry of Defense
Counselor, Defence and Nuclear
Brian J. Peretti
Financial Services Critical Infrastructure Program Manager
US Department of Treasury
Gregory J. Rattray
Delta Risk, LLC
Senior Director, Office of Global Security, Strategy, and Diplomacy
Christopher M. Painter
Coordinator for Cyber Issues
US Department of State
Tomorrow: Adapting to Challenges Ten Years Down the Road
Chief Technology Officer
Bruce W. McConnell
Counselor to the National Protection and Programs Directorate Deputy Under Secretary
US Department of Homeland Security
Director, International Security Program
Location: Madison Hotel, Washington, DC
Date: Wednesday, 23rd May 2012
JASON HEALEY: For our event on Building Secure Cyber future. What we’re going to be looking at today is what will hopefully be the first in a series from the Atlantic Council in our Cyber Statecraft Initiative in partnership with Microsoft. So first, let me tell you about the Cyber Statecraft Initiative. We are about 1-year-old at the Atlantic Council to really be looking at the National Security in International Relations aspects of Cyber Space, and for us that means conflict, competition and cooperation and how we can build a secure Cyber future. So we’re very excited with this partnership with Microsoft. I see many old friends and new faces here. Also, Microsoft last night sponsored a get-together with Chris Painter, with the young professionals in Cyber Statecraft. So Microsoft got some of us together with some of the new generation that are coming up and that are looking at how to have their voices influence the debate on Cyber Statecraft.
Today, we’re going to be looking at yesterday, today, and tomorrow, and how planning and preparedness was able to help or could have helped more during the Estonian attacks of 2007. It’s been five years and we thought it was right to look back after five years and figure and to really look at the lessons for planning and preparedness.
Second panel is going to look at today, in the five years since those 2007 attacks, what have we learned for planning and preparedness, how are we better off today? And Andrew Cushman from Microsoft will be moderating that second panel.
The third panel is moderated by Barry Pavel of the Atlantic Council and is looking at tomorrow. We all know technology is changing. We all know that the threat and how the threats are trying to get at us in cyberspace are changing and how do our planning and preparedness need to adapt over the next five or ten years and how we’re looking on to adapt whether in private sector or within government. The bios of all of our distinguished speakers are in the packets that you received.
So when we call this building a secure cyber future, I wanted to just introduce what we meant by that. So far, we’ve only seen a small number of the possible conflicts that we might see in cyberspace. Any number of conflicts are possible and we only know the ones that we’ve seen so far. So when we talk about planning and preparedness, we want to think about what’s that full range of conflicts that we might see over the next five or ten years because the Estonian cyber attacks in 2007 and the one in Georgia a year later would indicate of what might be. So we would hope that we can get to a secure cyber future where it’s much, much easier to defend than it is to attack and we’re not there yet. But if we make the wrong decisions, we might end up in a place where it’s not just easier to attack than defend which is where we are today, but it’s much, much easier to attack and we end up with something like an Estonia or a Georgia not once every couple of years but once a week. That is a possible cyber future that we are facing that we obviously don’t want. So we are looking at this partnership with Microsoft to help all of us think about how do we get to that cyber paradise where it’s much easier to defend and how do we stay away from those worse possible futures where you see major attacks like Estonia and Georgia happening all of the time.
I want to welcome Microsoft and all of you here, and Jan Neutze from Microsoft. If you’d please come up and I know you had some remarks. Thank you again.
JAN NEUTZE: Thanks again. Thanks again very much, Jay. Good morning to all of you as Jay mentioned, my name is Jan Neutze. I am – I work in the office of Global Security Strategy and Diplomacy with Microsoft’s Trustworthy Computing initiative. And a few weeks ago, I saw Chris Painter open a meeting to a group of mostly legal professionals by stating that he was a recovering lawyer. And for some of those who know me, I think I can – entitled to make a statement that I’m a recovering Atlantic Councilman. But I think back then, it’s fair to say back then both cyberspace was quite a bit different and also the council was quite a bit different and its testimonies are really true, the leadership of Fred Kempe that the council now has a Cyber Statecraft Initiative. I think on behalf of Microsoft, I’d like to especially thank Jay Healey for his leadership and also to his team for putting together what we think will be a relevant and timely event.
As Jay mentioned, Microsoft is partnering with the Atlantic Council in an effort that is focused on building a secure cyber future and it is our particular pleasure to publicly launch this partnership today with what will be the first in a series of meetings and events focused on building a more secure ecosystem.
We’re also especially pleased to partner with our colleagues and friends from the government of Estonia in this endeavor. As you will hear today, Estonia really is a fascinating case study. They’re not just with regards to highlighting the shift from global adoption of the internet that will lead really to global dependence. And in its motivation and leadership I think, the Estonian government has truly demonstrated over the past five years its commitment to planning, preparedness and resiliency in cyberspace.
As we’re moving toward an environment in which cyber policy is actually driving security and public policy, we’re convinced that all of us can benefit from the lessons learned from the 2007 attacks. And so, we believe that we can really leverage the leadership that Estonia has demonstrated as a country, not just within NATO or the EU, but globally as we all strive to build, as Jay mentioned, better defenses, raise the cost of attacks and work on building effective norms of behavior in cyberspace.
Similar to the efforts of the Estonian government, Microsoft has been working hard over the last five years to build more secure products as well as to share our experience with the ecosystem at large. Microsoft’s Trustworthy Computing actually has just reached its first 10-year milestone following its inception in 2002 by Bill Gates. Since that time, we’ve worked with governments, with industry partners, with academia and think-tanks in really building a more secure cyber future through efforts ranging from our security development, the life cycle which is focused on building more secure products to bringing down some of the world’s most notorious botnets in cooperation with law enforcement and others. But despite our collective efforts, I think it’s fair to say that a lot of work remains to be done.
Even five years after the attacks on Estonia and much of this work will truly depend on building networks of like-minded communities, bringing people together including the owners and operators of today’s networks and underpin the internet, engineers, tomorrow’s innovators, and certainly, policy makers. Many of these like-minded communities already exist in the technical domain and one of our aims for today’s meeting I think will be to leverage those experiences and to work to connect them with the policy demand both nationally and internationally.
So once again, I’d like to thank the Atlantic Council, the government of Estonia and for all - of you for being here this morning and I look forward to a great event. Thank you.
JASON HEALEY: You even look like the Estonian flag. As Bill said, you’ve got the right tie. Great, thank you, if I can invite my first panelist to come up.
So while we’re assembling, our first panel – I will moderate. And we’ll be looking at – we will start with yesterday. Meaning, what happened back in 2007? What are the most important lessons for today? I will ask – I’ll start out just by going this way and asking you to start what you were doing in 2007, how you got involved. Maybe five minutes. And after that, then we’ll get into the other questions that you see on your agenda. Thank you very much.
JAAN PRIISALU: My name is Jaan Priisalu and I was working in 2007 working as the head of the bank’s information and security [inaudible] at the time. And we got the early warning from the [inaudible] forums and got scared that something is going. We didn’t expect that [inaudible] actually what the Spanish media was or what’s their reaction on the streets. So, if your hometown is actually on the [inaudible] and you cannot get home because there was – the center of the city is blocked by the police. It’s not really impressing. And…
JASON HEALEY: Jaan, I think we might have had – there are some of the people in back. I think we’re getting there. We’re adjusting the sound level. So you started out with – so you were with one of the main banks?
JAAN PRIISALU: Yes.
JASON HEALEY: And you were mentioning that it was – you had some – there is some tension between not just the cyber things but the physical things that were happening at that time. Okay. Please.
JAAN PRIISALU: And then we knew also that it is probable that the attack will come against the banks because the internet bank wall is not stable. Actually, they most [inaudible] usage of the internet and the dependence on the internet bank is really high because the estimation is that this time was that if they would lose the internet then they would need 50 times more employees it’s simply not a sustainable thing.
And the local Russians actually didn’t want the attack the banks because of the two reasons. First is that they still think that the banks are [inaudible] and the other things is that they fear of their own success if they’re actually their collapsing economy where they’re leaning. Then also it’s bad for themselves also.
Now the [inaudible] started to come against us on the 10th of May. The main event started in the 27th of April [inaudible]. The attacks started on the 10th of May in 9:42 in the morning. So, they lost what they saw was stable actually doing something in the midst [inaudible] lost the two months.
JASON HEALEY: And – but you mentioned that you did have some – that you did have some warning before they hit?
JAAN PRIISALU: Yes, of course. That’s knocked it all, their forums and not being current of the big things that are coming and go with somebody is preparing something that this is part of their defensive force.
JASON HEALEY: And I think that’s one of the things that over the course of the panel would like to come back to since we’re looking at planning and preparedness. But I think – let me talk to our other panelists first. And I’m sorry, just as I was sitting, my Microsoft – my microphone fell off so I didn’t get to do the introductions of the panel.
You have most of the names. You are hearing now from Jaan Priisalu who was with one of the banks at the time and is now the Director General of the main Information Systems Agency, Bill Woodcock of the Packet Clearing House. Unfortunately, Michele Markoff could not make it today so we’ve moved Eneken Tikk who is also going to be speaking on the third panel. I’m sorry. Eneken Tikk-Ringas, my apologies, who is also very involved in the event so she has very graciously agreed to speak up on the first panel as well as the third. Bill, maybe you can talk a little about how you got involved.
BILL WOODCOCK: So, the coordination inside Estonia was largely being handled by the Estonian CERT, the EE-CERT, which is run by a gentleman named Hillar Aarelaid whose name I’ve undoubtedly just massacred. And so he had a law enforcement background before coming to the CERT and was very well known and trusted within the Estonian government and within law enforcement. And unfortunately, that meant that he didn’t have the networking security background that some of his counterparts in other countries who would have come from that side did. And so at the time of the attack in 2007, there was no one in Estonia who was vetted into NSP-SEC, the cyber attack mitigation coordination body. And so, Kurtis Lindqvist who was the Swedish government’s NSP-SEC rep and I went to the EE-CERT to act as the liaison and to help the EE-CERT coordinate with CERT and internet service providers in other countries to stem the attacks.
So I was there in the CERT watching the screens with the traffic graphing on them as the attacks started to come in and as the screens stopped being able to register the traffic because the sensors were all overwhelmed. And then as the traffic graphs all recalibrated to make all the previous traffic look like a flatline compared to the traffic coming in during the attack. And as that got all mitigated down to fairly low levels over the course of the next seven hours between 11 p.m., the first night of the attack and 6 or 7 a.m., the following morning.
JASON HEALEY: And about when was that? What days?
BILL WOODCOCK: 27th. Yeah.
JASON HEALEY: The 27th of May?
BILL WOODCOCK: End of April.
JASON HEALEY: End of April.
BILL WOODCOCK: I guess. I’m sorry. I should have prepared better by now.
JASON HEALEY: No, no. Well, I’d like to come – I mean the dates are not important, but I think it’s interesting to talk about a bit about the response in the NSP-SEC and how you can plan and what things stood into that. But I think let’s come back.
BILL WOODCOCK: Yeah.
JASON HEALEY: Let’s maybe come back to that after we hear from Eneken.
ENEKEN TIKK-RINGAS: Yes. So I guess that it wasn’t [inaudible] have an opportunity to take Michele’s place in the panel after 2007. Now, when I - I did a seminar – I had three positions, [inaudible]. I worked with the Estonian Minister of Justice at the time as an advisor on the information level. But I was about to quit the position because I got more and more involved with establishing the NATO center in Estonia so that took more and more of my time. And then I was also still involved in the legal expert team that worked with the Ministry of Defense at that time.
I think a more important kind of aspect of 2007 was instead of where I was what I was or kind of how it all fit because first of all I was confident. I was confident because we have just finished our reports that we worked - a group of scientists that researched – had worked on for a year that analyzed the Estonia’s cyber defense capabilities and situation. So that was just finished. And so I was more as confident that as a legal expert as somebody who just entered the cyber security field, I more or less know what could happen at that time. I was actually very surprised because what happened was not what the team could have for a really kind of predict or foresee. And I was also surprised because especially from legal perspective, what happened was quite different from what I have anticipated as a legal expert.
And so then I was thinking. I was thinking hard because what was going on - all this labeling of attacks as cyber war one and their analogies that the Estonian government [inaudible] made [inaudible] explosion and cyber but this attack made me think as a lawyer because I was also responsible. I was responsible for giving an opinion – or kind of expert analysis on what does the whole situation mean for Estonia? So that was basically my situation [inaudible]. And one aspect to that, I was out of the country for one day during the attacks. I believe it was April of 2007 or something in Brussels. And then I also remember I was afraid. I was afraid because I had no communication back home whatsoever. No email, no [inaudible] phone but that was not the issue and all we did was communicating by email so I was not sure what happens - what has happened in the country by the time I get back there. So that’s one point that I have.
JASON HEALEY: That was very interesting. The – but you said that you had done this document and you had been putting in thought and the government had been putting in thought. One of my favorite quotes I believe was from Eisenhower was along the lines that “plans mean nothing, planning is everything,” that it’s the process of thinking about the bad things that can happen in how you expect to tackle them means more in the long run than having a specific actual plan that gets it right. How much do you think that what Estonia had done to at least be thinking about the possibilities? Had you ready for what was to come?
ENEKEN TIKK-RINGAS: I think you’re very right here that means Eisenhower could is right that…
JASON HEALEY: He is also a great golfer.
ENEKEN TIKK-RINGAS: It was a great coincidence in the way that many things came together at that time. I think the Estonian Ministry of Defense at that time mostly in charge of the cyber defense security because the main key feature for Estonia was to get this data center started at that time. That was a good coincidence that they ordered this report because as you say when writing this report, although may be a team of scientists did not really figure out what exactly is going to happen, [inaudible] definitely tell that how this all work into several different authorities people understand means actually worked together when the incident really happened. So I think there is a great portion of key people.
JASON HEALEY: Let’s follow up then – so with Jaan. You were at the largest bank. I’m sure you dealt with many kinds of cyber attacks prior to this. Did you feel the response plans that you had in place were helpful or was this just so different that…?
JAAN PRIISALU: From the bank’s point of view, we have - we have the plans ready and also exercised before. It was the [inaudible] for us and we have been doing this [inaudible] the exercises and crisis management exercises for 10 years. So the banks switched the operational mode and all the resources were actually went to the keeping – onto the sales but keeping the operations going. So not just the electronic channels we have changed the state but also the organization of the bank.
But from the other places, they saw this community have been working from 1998 already and some works, actually some things didn’t work. We didn’t actually realize before that CERT could really become the bottleneck if there is a massive attack.
JASON HEALEY: What would be the bottleneck?
JAAN PRIISALU: CERT.
JASON HEALEY: The CERT would be, the Computer Emergency Response Team.
JAAN PRIISALU: [inaudible] through the CERT will be the bottleneck. So it means that also that you actually must have some kind of network that is autonomous and that can fight back, recover documents and you are not actually creating this kind of artificial bottleneck by itself. We tried to do it during the event but actually the things that you haven’t exercised and tried before tend not to work. This hint of the international community is definitely different. But again, for them it was what they have been trying to do – they have exercised this cooperation before so that you simply have a new member [inaudible] but yes two lessons - the things that you have not exercised does not work and also that this is the conflict between the networks so other little systems will be choked on the point [inaudible].
BILL WOODCOCK: And to be fair, Estonia’s participation in NSP-SEC since that first time has been extraordinarily valuable and that the EE-CERT has been able to render assistance to several of the other eastern European countries and to Georgia and so forth so yeah. Again, the first time is always the rough one.
JASON HEALEY: And I’d like to explore this role of the private sector. So Bill, I’m talking to you. You had been outside of Estonia, you were brought in to be a conduit between the Estonian technical security and telecommunications people so they could say, “Look, we’re seeing… if I’m getting this right. We’re seeing attack traffic from this IP range. Please make this stop.”
BILL WOODCOCK: Right. So the mitigation relationships have reciprocal responsibilities to them and so someone who is outside of that circle of relationships cannot demand that work to be performed.
JASON HEALEY: Demand?
BILL WOODCOCK: Well, it’s – the relationships are obligatory, right? If something needs to be taken down, it needs to be taken down and there isn’t time for argument and that’s understood up front, so there isn’t a mechanism for arguing about it. You can argue about it later. So the problem is that if someone outside of this circle has a problem, they haven’t yet demonstrated any ability to reciprocate. They haven’t demonstrated that they’re capable of quid pro quo and they haven’t demonstrated that their forensic abilities for instance are adequate to correctly identify the traffic that needs to be mitigated or correctly identify the source of the traffic or do the attributions. So that was why two of us went as liaisons to vet the process that was occurring in Estonia and the practices and expertise of the Estonian CERT because there was no way in the middle of an emergency to make sure that they – to develop a relationship during the middle of the emergency, right. So, therefore, you’re going to watch and you assist and afterwards again when there’s time you can get that relationship formalized.
JASON HEALEY: And this is one of the important – one of the reasons why we thought it was important to start out with a panel looking at yesterday and what happened is that in Washington DC I feel like – when we said we were going to do an Estonia five years on, a lot of the response I got was, “Oh, why are you talking about that? Everybody knows what was important about Estonia. We don’t need to talk about that.” And I think a lot of these lessons like the ones that we’ve been hearing about here may not be that well known. You know, the role of the private sector that these people are – the network providers are demanding of one another to stop network traffic. Something that would be incredibly difficult to do and as we – and I’d like people to keep this kinds of thing in mind as we think about today and tomorrow, and how do we get to that future where defense is so much better than offense. It’s not necessarily going to be a government action that gets us there. It might be, you know, the defenders coordinating themselves in making things easy.
Eneken, can you either pick up on that point? Or if not, I’d be curious on legal and we hear so much about how the defender’s hands are tied by all these legal issues. You were working legal issues at that time. I mean, did you – did at any point you feel like, “Oh, I wish we would’ve looked at some of these legal questions better?” Or did you – do you feel like the defense was able to kind of accomplish what they needed?
ENEKEN TIKK-RINGAS: [inaudible].
JASON HEALEY: Please, please.
ENEKEN TIKK-RINGAS: …sidewalk. First of all, I was thinking that I must have missed something in my law classes in 2007 because really, we were in a situation where we had a cyber war one going on and at the same time, to me as a lawyer, none of it makes sense. But at the same time, I was not able to make sense of it. You might [inaudible] and why because at that time, I didn’t know a lot about the kind of triangle of technology policy and law when it comes to discussing the cyber incident. And so, I was really confused at that time.
Now, I come to that - I think, Jay, something you know that what’s really missing in this panel in a way so far is what really did happen. Because with a further perspective from Jaan what has happened for a bank and we kind of – we have [inaudible] of cooperation and how the CERT got involved. But to me, I have to say I’ve written a number of kind of perspectives of case studies of Estonia and that it started making sense to me obviously years later of what really happened. And so, if you ask me what happened was that I would [inaudible] to what our president has said that what really happened was a coordinated attack against the country and that’s why many technical experts who are saying that nothing really happened - most kind of unsophisticated attack you can possibly have, you didn’t necessarily see the strategic kind of positioning of the situation which if you think what happened was that Estonia had a discussion of the situation in NATO. That has created a myth that Estonia [inaudible]. Why? Because we didn’t really have an avenue or even discussing what really have happened to our country and while I would say – emphasized that it was a tactic against the country simply because – and now it comes to what I experienced. As I said we have conducted about 40 interviews in the course of preparing this analysis for 2006 of how Estonia is prepared to handle something like this.
But what really happened was different from most of the things anyone had foreseen which was how we as prosecutors of this, as the CERT, as any Estonian critical infrastructure had [inaudible] would be attacked. Because the matter of fact, everyone was under the same attack that did – had nothing to do with their particular risk assessment and that changed the whole situation because that kind of – the assessment of what you do about it as well as even what the situation – the underlying situation has is they don’t really have a protocol to follow.
Now quickly going back to the legal aspect of it, now five years after, I would say that all the legal frameworks, basic legal frameworks we needed to deal with the issue we had at that time. The other question is did we understand at this very moment what to do about any particular aspect like the Russian corporation, the [inaudible] involved about the possible kind of diplomatic remedies that they would have against this, the country have – we have our concerns about et cetera, et cetera. So it happened so quick that at that time they just wasn’t able to make a lot of assessments.
JASON HEALEY: Now, we – I grew up as an intelligence officer and there is – and I think there is this feeling out that you can’t really predict cyber attacks. That they are speed of light and the best way to detect them is to stare down the wires and look at the evil ones and zeros. And I want to pick up on what you had mentioned earlier on that no, you knew this had been building and you might not have known the exact scale of it but that you had warning and you knew that something was coming. Was that a useful time? I mean, were you able to put emergency plans in place in those couple of days’ warning or how long was that warning?
JAAN PRIISALU: It was a couple of weeks.
JASON HEALEY: Oh, my God.
JAAN PRIISALU: But there is still – actually what you can do with a couple of weeks is that we have scheduled our – the change of the firewalls and perimeter in the end of May. So I calculated outright actually to bring this upgrade before but it wasn’t possible. So the only thing what we can do with it is that you are not trying to do – to whom the cooperation and what else you see their measurements. So basically on the network there are the things, the very short spikes with different levels of the things that are called measurements. So people are trying to find the true point or what is this kind of level of attack that they have to sustain to have an impact. So there is plenty of information before those kinds of attacks in the network.
JASON HEALEY: That’s incredible. Can I? Go ahead...
BILL WOODCOCK: Yeah. There were obviously each individual network was doing what they could to sort of estimate the impact and be prepared. Obviously, two weeks is a bit short for, say, ordering new equipment or training people on new technologies, but it is enough time to make some of the relationships that were called into play so people from the banks talking with people in government, talking with people in CERT, talking with people in the ISPs.
The CERT was able to do outreach among the internet service providers and get additional access to statistical information out of the ISP network equipment so that the CERT had in effect a console in front of them and was able to see an overview of traffic coming into the country across many different internet service providers and that was immensely valuable. That’s something that is not normally possible because the private sector doesn’t generally share that level of detail. But in the case like this where there was an emergency, it was known in advance. And that level of access could be temporarily accorded to the CERT, it makes perfect sense to do.
Likewise, law enforcement had a bit of time to work and one of the things that was, in my view, spectacularly successful was that law enforcement was able to apprehend the Nashi agents who were recruiting inside Estonia that were trying to drum up support for the attack among ethnic Russians in Estonia and so that wound up being completely unsuccessful. Had it been successful, the attack would have had a very different character.
JASON HEALEY: Nashi, the Kremlin associated Russian youth group – Russian nationalist youth group and I think this is very interesting because this – especially the Atlantic Council have been – we’ve been looking at NATO warning, a particularly NATO cyber warning. And again it tends to be dominated by technical, you know, of what can we do, you know, let’s interlink all of our intrusion detection systems between the ministries of defense that we can improve our warning. And here we are with the most significant, you know, the only time we’ve ever even kind of talked about article 4, article 5 for cyber attacks and we had two weeks heads up. You know, that’s time that the NAC and the other political bodies and the cyber defense management board and other groups could be planning and thinking about that and at least taking away the sting of surprise.
BILL WOODCOCK: And that’s not entirely unusual. To give a much more recent example, the Anonymous attacks against root servers in the end of March, we had six weeks warning on that. We found out about that February 9 for an attack that occurred on March 31 which meant that, again, we’re able to be very very successful in mitigating it.
JASON HEALEY: Now, of course, criminals, organized crime don’t necessarily give heads up but I would bet for a lot of the most, you know, these political sensitive incidents that you would.
I’d like to start turning it to the floor for questions, but before I do, was there anything else that you felt that we haven’t brought out yet? Jaan?
JAAN PRIISALU: I wanted to say some comments also about the police site that they used their automation and crowd sourcing for resolving the case on the street also in similar way in the UK, they did it in London. So actually, this kind of network and involving of the network, this can work also in the traditional police work. They did very successfully.
BILL WOODCOCK: I think it’s also useful to sort of put this into perspective size-wise relative to Estonia as a country. This was not a very large attack relative to the internet as a whole. It was a kind of medium-sized attack for that time. Attacks of this size happen about every three weeks at that time. The very largest attacks were about ten times larger than this and would have been about once a year at that time, and the smallest attacks that anybody in mitigation circles would have paid attention to, it would be about ten times smaller and were happening two or three times a day.
JASON HEALEY: And today?
BILL WOODCOCK: Today, everything is about – about tenfold larger now than then.
JASON HEALEY: [inaudible] now this kind of thing is happening?
BILL WOODCOCK: Yes, something like this wouldn’t really - no, something like this wouldn’t make the threshold of response if it were to happen today.
JASON HEALEY: And I bet I think that’s one of the things that led so many techies to say, ‘Oh, that wasn’t even interesting. That wasn’t very large,’ even though it involved heads of state and was very important politically.
BILL WOODCOCK: Well I mean it was an event of the sort that occurred about every three weeks at that time and got serious attention every three weeks at that time. But relative to Estonia, it was a large attack, and the state-on-state nature of it meant that it got a lot of attention relative to the sort of criminal-on-criminal stuff that was the vast majority of attacks.
JASON HEALEY: Jaan and then Eneken and then questions.
JAAN PRIISALU: I wanted actually to comment on this measuring the size of attack. I understand that techie people they are measuring the traffic. The bots themselves, they tried to save their energy and try to give the – enough traffic to attack so we feel are successful in responding. You don’t see the traffic.
BILL WOODCOCK: Yeah.
JAAN PRIISALU: And now we should measure this by the number of the bots and if today we had the botnet with the similar size, it would be still actually [inaudible].
BILL WOODCOCK: Oh, yeah. Yeah, yeah, yeah. Absolutely. Right. So the number of bots and the amount of bandwidth each bot has access to is like the multiplier that determines the overall size of the attack. Absolutely, so a medium-sized attack is a medium-sized attack. It’s just sort of all inflationary over time. Yeah.
JASON HEALEY: Eneken?
ENEKEN TIKK-RINGAS: Maybe just to kind of one more emphasis is this aspect of relevant to Estonia because I think by today we have many more place and it’s not just Estonia. So we talk about Georgia and stuff, et cetera. And there is always at least two dimensions to kind of weigh things [inaudible] there are three. One is the kind of relevant to the country and what is relevant to Estonia and how Estonia handles it can be completely due to how relevant [inaudible] considers stuffs what they did about it. And that is not yet to make any conclusions as to legally, for example, if there was incidence were similar or not because it’s part of that assessment is the sovereign decision by a country how it handled this.
The other aspect is international one and that is what has, I think, created most confusion of Estonian think as what I’ve said we didn’t have much kind of comparison material at that time to figure out how do we handle something that is against the country but yet technically moderate than the kind of relevant for them.
And third, there is this entity level. Like, you know, who are at that time part of this incident that how they kind of are able or even obliged to do something that bothered you kind of coordinated which you build partnerships to actually make it go away.
JASON HEALEY: It’ll be interesting to hear in the next panel about what’s happened in the five years since. So we’ve got about 15 to 20 minutes for questions from the audience. We’ve got people with microphone so please raise your hand and please state who you are. In the back?
JORGE BENITEZ: Jorge Benitez from the Atlantic Council. I was hoping if Michele if you could elaborate on the comment you made about how, in attacks such as this, the technical experts sort of seen the damage has raised small and limited, but that doesn’t really address that there may be larger political and strategic impact that is greater? Is there a disconnect between the criteria and danger of threshold level versus response between the technical community and the policy community? And also if you could address Jaan’s – I’m sorry, Bill’s point about the critical factor of – there may be a lot of these and more advanced or intense criminal attacks going on every day and much more frequent, but the fact that in Estonia and in other cases, state involvement or state control kind of elevates it beyond the technical threshold, if you could also address that. Thank you.
JASON HEALEY: Oh, a double question Jorge. Okay. And this is in fact Michele’s twin sister, Eneken, so…
ENEKEN TIKK-RINGAS: Alright, I actually rather Michele to take this, but – alright, now as – in my opinion, there still exists an enormous divide or kind of disconnect between a technical and a policy concept of a cyber attack, and it’s getting better and better over time because kind of the three communities, the police people, tech people and, I’m a legal person, the legal people. They more and more realize that they can’t really handle anything without each other. So that means that over time they need to kind of agree what is going on and how to handle this.
Taking it back to Michele’s kind of field, let’s take the example of the UN discussions these days. The UN government, a group of experts that was set up first in 2005 to discuss the issue, then in 2009 and then in this year again. In 2005, they were not able to produce anything because the differences of understanding and policy between the key countries in this group, Russia, China and then the United States were just too big. Now in 2009, it was much more difficult not to say anything because we had had Estonia and we had had other incidents. But when you look at the report then what it really says is that they tried to speak but at the same time we are already handling the criminal and then also the terrorist aspects of cyber security.
And now, this year, they are faced with what they have kind of been able to get away for it for two times which is the kind of highest or the kind of most severe end of cyber threats because under those policies of the first committee where these discussions are held which is the disarmament committee. The only kind of meaningful outcome would be to say, ‘Yes, we see cyber potentially as a threat that would be of relevance to the Security Council and on collective security from international peace and security perspective,’ or ‘No, we cannot agree that this would be the case but if this would be case, a case one day then this would be the one, two, three things that we, the countries, would see as relevant to handling this.’ So I would say this divide is getting smaller but it’s nowhere near to consensus.
JORGE BENITEZ: Thank you.
JASON HEALEY: Thank you. Additional questions? I think one in the back there. Actually, let’s get – I saw David’s hand first here in the blue tie and then Kevin in the back, right.
DAVID HOWARD: Hi, David Howard. I just wanted to ask a quick question. Jaan, you had mentioned that you saw CERT as a bottleneck during the actual incident, I wanted to see if you could expand on that just so we have the backdrop for what’s the case back then as we learn about what’s the case going forward.
JASON HEALEY: Yes, so CERT is bottleneck.
JAAN PRIISALU: CERT was designed as the representative of the security community because this community actually as the network was formed before and it was designed in the way that the communication with the government must go through this body because government actually are very bad in communicating with the networks. They must actually have some kind of institutions. And the number of attacks with CERT actually was even to record was 174 I think. And – but there were much of those attacks that were never recorded that were actually repaired and most of the defacements actually were never actually written up anywhere.
So – so - and CERT also they had to make the decisions and they made the decision actually to – the priority they made to respond instead of documenting, so actually there is very few of the documented things out of this attack. So they were simply overwhelmed and they became the bottleneck.
BILL WOODCOCK: It should be pointed out though that there are very few countries the size of Estonia that have a CERT at all and Estonia’s CERT, my vague recollection, is that it was about five people and they had roughly…
JAAN PRIISALU: Three, it was three.
BILL WOODCOCK: Three? Before? Okay. So at that time of the attack, they had laid on a bunch of additional staff brought in from ISPs and law enforcement and so forth and so that night there were about seven or eight people working, and they had gone to government a couple of days before for additional budget and had received three times their annual budget and an immediate approval as a line of budget to use to deal with this which is something that’s a quickness of response that would not be possible in many places and there isn’t a more appropriate channel than the CERT, right. The CERT was the right way to do it and they already had more CERT than most countries that size and they responded very quickly to bring more capacity online. That doesn’t change the fact that it’s still a bottleneck. You – when you’re in the middle of an emergency, you’d always prefer to have a bigger, better prepared force to deal with it.
JASON HEALEY: Okay. In the back right, please.
KEVIN RICE: Kevin Rice, Department of Treasury.
JASON HEALEY: You can use the mic so that we can have it for them.
KEVIN RICE: Kevin Rice, Department of Treasury, this question kind of hinges on the bottleneck issue and the role of government. With regard to the actual mitigation stage of the DDoS attack, does government help or hinder? So for example, is it better to bring in government agencies with their inherent governmental powers – force to better to mitigate the attack at the private sector level with the tier-1 ISPs service agreements, peering agreements, that sort of thing?
BILL WOODCOCK: What powers do you imagine that government has in this area?
KEVIN RICE: The government has a…
JASON HEALEY: Badges and guns?
KEVIN RICE: Badges and guns essentially. They have the ability to – what you said the government generally shows up at some point in these events and says, ‘Hey, we’re the government. We’re in charge.’ Now stating that doesn’t necessarily make it so. However, as we see with the Estonia issue, article 5 was mainly about which would have had an entirely different level of connotation. I mean the governments have the ability to bomb peering points, but that is a somewhat short term – it’s a rather short term [inaudible] solution to a DDoS attack.
BILL WOODCOCK: So government doesn’t have any mechanism to deal with mitigation, right? Government doesn’t have any role there. They don’t have any control, any ability to influence the outcome. What they have is responsibility and abilities with regard to deterrents, right. So, law enforcement can go out and jail the people who were participating in the attack. That takes those people off the street and it serves as a deterrent to other people doing the same thing. In this case, it was a very effective deterrent to keep other people within the country from joining in on the attack, right. So that was a really critical piece.
The foreign ministry, for instance, has responsibility for going out, talking with organizations like NATO, talking with other countries and trying to secure alliances and secure, you know, their help next time if their agreement not to participate in such attacks against them, that kind of thing.
And lastly, the military is the backstop to that diplomacy, right. So those three roles of government are critically important but they have very little effect on any current attack, anything that’s actually happening right now, right. Those are all preventative measures against a future attack.
JAAN PRIISALU: So, when we went to – back to this government, the government role in the response then I would bring here actually the covenant level exercise as a result of what we’ve played together through this year and you simply do not have time actually to change the government or change the people. This is one thing that the thing actually escalates so quickly that you should use the same people actually responding to the situation. You don’t have the time to overhand.
And the other thing was also that in massive cyber incidents this crisis – cyber crisis will very quickly grow over into other type of crisis.
JASON HEALEY: Eneken?
ENEKEN TIKK-RINGAS: Well, I would – I’m not sure I would agree with the government has now no means for mitigation. I think especially when it comes to cyber incidents that are targeting the country that was the case in 2007. Then government – another point of CERT is part of the governmental system when it comes to defining it broadly. But one thing that I think aided to making the incident stop sooner than later was also the Estonian government’s decision to invoke this issue in NATO, not article 5 but the issue itself to make a kind of public call out of discussing the whole situation. So I think there were aspects and there are aspects that government is in the best position to do also about an ongoing incident. And so I know it’s a different angle from kind of this direct technical mitigation response but especially when it comes to the political legal aspect of how to handle an incident then a government definitely holds certain stakes there.
And another aspect of mitigation or kind of the government’s involvement is – and this doesn’t go back to direct mitigation but we’re talking about the incentivising and preparedness than there are good examples of how governments – when they really realize the issue on their eventual role in it can increase the preparedness by really thinking of solutions like the year 2000 kind of situation in this country to find incentives for anyone to think ahead about how they will handle this particular situation or the big situation or how they will be part of the bigger mitigation mechanism when something goes on. So I just add that to the part of government.
JASON HEALEY: One clarification question then I’m going to sum so that we can finish up broadly on time, the – did Estonia – so we’ve talked about NATO and I don’t want this to become a NATO day. But did Estonia – we know they didn’t ask for article 5 which would have been collective defense. We know there were conversations in NATO. Was it officially, you know, did Estonia ask for a NATO for article 4 consultations within or was it just kind of informal consultations that may be happened to conform to article 4?
ENEKEN TIKK-RINGAS: That’s a perfect question for a legal perspective meaning Estonia did not invoke article 5, Estonia did not invoke article 4. And what Estonia did basically was that we used – Estonia did really was that our post of chief of defense at that time and our defense minister at that time addressed the issue in already existing four months of NATO – NATO as an organization, and of course – because it was that kind of topic and an emergent situation then there were more meetings called in NATO to discuss the issue.
Now from a legal perspective, neither of the articles was invoked. Now the question is could we have invoked, one might think there would have been sufficient ground to invoke article 4 where there are mechanism, but I don’t think anyone at that time thought about processes. They were more concerned with kind of the unfolding situation than being informed and then actually from NATO’s perspective you see the relevance of this – for the alliance. At this point of time and in the future and for Estonia collectively to make it stop as soon as possible.
JASON HEALEY: So one of the questions that we had asked here is, you know, what aspects of the Estonian cyber attack is the most important and what are some of the most important lessons for planning and preparedness? Some of the ones that I took down and then I just ask your comment to kind of close up the panel on these - was it’s different if it’s nation state on nation state than cyber crimes and other things that warning can be especially important for planning and preparedness and that the warning doesn’t have to be from the ones and zeroes, you can look at what the bad guys are doing and learn from that.
That even small amounts of planning and preparedness can make a big difference, but that really exercising beforehand and really planning so you can spot these bottlenecks. So even a little bit is helpful but more is much much better.
And those are the four key things that I really took away from this. Is there anything you’d like to expand on or to add? That was just general question to the three.
BILL WOODCOCK: I think the relationships that the CERT instantiate are the single most important thing. That’s the thing that cannot be done in brief, right. You have to have those relationships in advance in order to be able to call upon them when you need them. You can’t establish them in the middle of an emergency and that’s what the CERT is for. It’s to create an organizational instantiation of the relationships that you’re going to need when you’re in an emergency.
JASON HEALEY: And I’d like to touch back in the December at the Atlantic Council had of Cyber 9/12 initiative to look at what happens the day after a big cyber catastrophe and in this point on relationships really came out and Bob Stratton who participated there pointed out that how difficult it is sometimes between government and private sector to do this because he said, ‘Look, so much of what happens in the private sector like NSP-SEC, like CERT it’s very flat. Whereas of so much of what happened in government is very top-down and very hierarchical and kind of secretive versus this very flat open sharing that can happen in private sector’ and those can really impede the conversations day-to-day but especially so during a response to something, so certainly one of the things to work on. Jaan?
JAAN PRIISALU: You’ve touched the service network thing that I wanted to stress also that in this conflict you are having literally networks against each other and all of the [inaudible].
JASON HEALEY: The what?
JAAN PRIISALU: [inaudible], it doesn’t do with the network. It’s not able to fight the network.
BILL WOODCOCK: The network is a peer-to-peer thing. There are many networks. They interconnect with each other. There is no inherent hierarchy through which you can command response.
JAAN PRIISALU: And the other thing is that the people are talking so much that why we haven’t heard about the cyber things and very good cyber war is the thing that you don’t see.
BILL WOODCOCK: Yeah.
JAAN PRIISALU: You simply think that you’re unlucky that all the things in the world are against you. That’s it.
JASON HEALEY: Yeah. And it’s interesting you said that so if – so a cyber war, you might not see. You just seem to be very unlucky. Really sounds to me – so I was an intelligence officer. I love learning about intelligence history and what you just described sounds so much of the German and Japanese experience of, ‘wow, they find all of our convoys.’ ‘How is it that the allies keep getting so lucky?’ So here we are now and when we’re finding ourselves on the other side of this.
BILL WOODCOCK: Well low and slow attack just looks like, you know, you’re being very successful from a PR perspective and very unsuccessful from a revenue and sales perspective, right, and, you know, that can just get worse and worse over time until you’re out of business, without you ever knowing that you were under attack.
JASON HEALEY: But a lot of adversaries. It doesn’t fit their plan to low and slow. Like for example in this case, low and slow would not have, you know, a lot of adversaries want to just come out and say, ‘Look, this was us.’
BILL WOODCOCK: Yeah.
JASON HEALEY: Eneken, any comment?
ENEKEN TIKK-RINGAS: No, I was just, you know, to pick up this lucky, unlucky in this part. When you look at the Estonian incident then actually you will realize Estonia was very lucky in very many respects at that time, like not to mention, the CERT was lucky to have prescheduled events [inaudible] Prague at that time that brought the community together, they were immediately – kind of in the middle of the right people they needed to engage. [inaudible] was really lucky to, you know, just having conducted their – put together a team of experts to having discussions within NATO and having this analysis that more of us had also started a very good community basis for private public partnership.
And then one thing to take away from all this I would say that before coming here, I had a lunch with the Estonian defense league people and that said that in my opinion, it’s time for another Estonian case study. I’m 5 years late for five years later. And then we have discussions where some of the people said that, you know, ‘We’ve talked about so many times so what’s there to talk about it?’ But then I’d say that 5 years from 2007, there is so much more to talk about first of all.
And the other thing is that every time we study the case again and again, you will find things that are extremely relevant not directly transferrable or translatable to any other country conflicts but at the same time still valuable in terms of real life escalation of an incident responses, cooperation, et cetera. So I’d say, you know, in terms of the initiative that you’ve started yourself, Estonia would definitely be a case study to look at the end.
JASON HEALEY: And I do want to put on a pitch, the – so the Atlantic Council with Cyber Conflict Studies Association is very committed to this and we’re doing the first cyber conflict history book and as far as we know, there’s been no other project. There’s been no - histories to go ‘I’ll talk to these people.’ There has been no FOIA request. There has been no collection of this to put together. And if you think about, you know, we have people that – think about this, when people say, ‘Oh, we don’t have to talk about that case. It’s well known.’ Think about conflict in the air and the space. You know, I’m looking at Col. Evans and Tim and you know, we still go back and we look at big air campaigns and World War II or Vietnam and if you’re in the navy, you study Trafalgar and if you’re in the army, you still go back and look at [inaudible] and how did Hannibal get those elephants over the Alps. You look at these incidents of tens of years, hundreds of years, thousands of years to find what’s still relevant today. And for some reason in cyber space, we say, ‘Oh. That happened five years ago. There’s nothing to learn from that.’
And I think as this panel is showing us, our wonderful panelists, there is still so much more to learn. We’ve only scratched the surface, but we’re still much smarter for what you’ve brought us through.
Before we say our thanks, I’m going to keep us on schedule so we will have 10 minutes for coffee and refreshments. And Andrew Cushman of Microsoft will bring – will kick us off from the second panel event at 10:20.
Thank you to our panelists.
ANDREW CUSHMAN: Thank you very much. My name is Andrew Cushman. I’m a director in the office of security strategy and diplomacy at Microsoft. I’ve been at Microsoft any number of years already with a varied career both in technical as well as in security and now in the policy domain. And I think it’s interesting to note that people who do security had a former life and that this is a new domain that attracts talent in interesting ways.
This panel is focused on today and the challenges that we face today with the benefit of hindsight and as a – to set up the discussion later about the future and how do we prevent cybergeddon.
With me this morning, we have Ian Wallace on the end and Brian Peretti, Greg Rattray and Jonatan Vseviov. I thought I might start with perhaps just a brief introduction from you. What did you do before you did security? And then also if you’re able and if you care to share rather than talk about how the threat landscape has changed, maybe some of the things that keep you awake at night in your current role and then offer you an opportunity to talk about some of the problems that you see that aren’t getting the – that you would like – that you think need attention at this point.
So Ian I think I’ll start with you, pass it right on to you to talk about your background and problems you might have us focus on.
IAN WALLACE: Thank you very much. I’m a policy wonk rather than a security expert to say and my background is in the UK Ministry of Defense where I spent a fairly significant part of my time involved in crisis management of one description or another to say. That is my routine to this and I think to answer your question slightly obliquely, from my perspective, is someone whose role it is to foster closer relationships between UK and the US actually on the defense side, but as well as on the issues ensuring that if there is an event we’re the best place to deal with it. Other people, including on this panel, a much better place to talk about the technical responses, but I think one of the things that we must not lose sight of is how we organize ourselves the best way to respond well to an incident is to have an idea how we are going to respond to that incident.
And I think there are few things [inaudible] one that we need to accept that we will necessarily make this up as we go along to a certain extent we can plan ahead. But one of the most important things is to be agile and learn from our mistakes. Second point is that governments are not going to be able to deal with incidents in this area on their own so we need to find out ways to remove the private sector and internationalize. However, the clever thing is internationalizing in a way that involves the private sector.
And third, I think we need to make sure that we don’t reinvent the wheel. Governments are actually quite good in crisis management. Sometimes they’re quite good at crisis management, so it would be wrong for a bunch of cyber experts within a room make a plan that when push came to shove, is actually completely different to how in this will be managed in reality and therefore, is completely irrelevant.
And so [inaudible] is educating [inaudible] on what cyber incidents look like and war gaming is part of that but there are many different ways you might [inaudible] and in that extends into international institutions working out which international institutions are ripe for what circumstance I think is something that’s important. NATO is an important institution but not everything goes well in cyber space [inaudible] fighting, that sort of thing.
ANDREW CUSHMAN: I think that’s an interesting comment about that. We are to some extent making it up as we go along and I think that that echoes the point that was made earlier the quote from Eisenhower that it’s not so much the plan as the planning exercise, the planning that’s gone into that. And I found that clearly at the Microsoft Security Response Center where it was good to have the plan on the shelf that you could pull down in reference but it didn’t necessarily contain the description of the exact event you were dealing with.
IAN WALLACE: Yeah. And I think it is hopefully the case that as we do that planning, you’re better at the planning the second time and the third time as a result of that work. But it’s the learning that’s just as important as the planning.
ANDREW CUSHMAN: Brian, would you care to share?
BRIAN PERETTI: Sure. I’ll give you a little background of myself so I was a General Counsel for the House of Representatives Credit Union for about six and a half years, and moved into private practice for three years in a law firm, and then at Treasury for about nine and a half years.
So when I first graduated from law school, I was very interested in going as a computer law even though I didn’t have any kind of a background in it. I just find the area really exciting. So I sent out my resume to all the people in DC who are working on that, all six people. I got a phone call from one person and she said, ‘Brian, do you have an advanced computing degree?’ I was like, ‘No, I just think it’s really exciting. It’s, you know, the way things are moving.’ And the person said, ‘You know, this is just really a passing fad. This computer thing is going to fade away. You should be looking for something else,’ so then I went into banking. So it all kind of worked out I guess and I’m right back where I wanted to be in the beginning.
But from our side the way we kind of look at this is that this whole thing of cyber especially, attacks against financial institutions, is really about sharing information. We’ve really tried to push the public private partnership quite a bit to be able to make sure that the private sector knows who to contact within government. Government knows who to reach out to in the private sector so we can share and pass information back and forth.
If anybody believes that the government’s going to make a plan that the private sector is going to run with and be able to execute and be able to solve the problem when something happens which we know happens all the time, it’s not really going to be really – you’re living in some kind of a dreamland because that’s not the way it has to work.
Incidents are going to be on an individual-institution basis or maybe even across similar situation - institutions and then they’re going to have to be able to respond to that and figure out how best to be able to make that happen.
We’ve reached out a lot to the private sector to be able to start to figure out how we’re going to do this, who do we talk to, how do we make sure information gets back and forth so that in that way when something happens, we at least know where it’s going to be and who we are going to call. So just to the point of, you know, we can make big plans and stick them on the shelf and they look really good. I mean, that’s how I made my Y2K plan at my financial institution. It was a four-binder thing. It looked great on the shelf when the examiners came in. I just hoped they never look in it because there was no way it was going to work because that’s not the way people work and people operate. We need to be able to make sure we can communicate to those folks that we know how to be able to make those connections. But then when something happens, we can reach back in within government or the private sector to be able to find the answers or at least find the right people who can work on the problems and then push it out to hopefully address and remediate whatever that problem is.
ANDREW CUSHMAN: Greg, go ahead.
GREGORY RATTRAY: Thanks Andrew. So I’ve always been in security. Three days out of high school, I went to the Air Force Academy, so one level or another, I’ve always done that security related things. The Air Force let me spend a lot of time in school so in the middle of my Air Force career, I went back to graduate school and started to write about cybersecurity so about the mid-90s, I started to just focus on cybersecurity and spent the last half of my Air Force career both in operational and policy roles related to cybersecurity with pretty much US focus and then started a consulting group as well as took some advisory roles with ICANN and the banking and finance sector since 2007. So, you know, approach the problem from having a lot of experience in the government and then some more recently some interactions with the private sector and advocacy for the private sector.
ANDREW CUSHMAN: So what keeps you up at night then?
GREGORY RATTRAY: You know, so what keeps me up at night is probably, you know, a couple of things at the systemic level, right, is the potential for the internet where people’s confidence in the internet whether they’d be business or individuals or governments for that matter, but mostly as a matter of protecting business and individuals that it isn’t a useful tool, right.
So you know, attacks on the financial system and I work with Brian. And, you know, from the private sector side, quite a bit that actually would degrade the confidence that the markets are having the right sort of, you know, what would you call it, the transactions when they occur or actually the right transactions in the close is right. You know, the types of things that they think can degrade confidence, the continued ability to access by criminals, private information that allows fraud to occur. I think we are reaching a tipping point where all the good around the internet and in fact that it’s a useful tool for individual and companies is coming in to question and we don’t want to go over that tipping point. So that’s probably the big level the thing that worries me the most and the types of attacks that would cause that to happen.
You know what? In the work I do with private companies in somewhat related fashion, they are focusing more on espionage and threats to their intellectual property and their data, and what we find is their data is everywhere, so it is very difficult to secure. So those are probably the things that keep me up the most at night.
ANDREW CUSHMAN: That is interesting because much of the conversation today and much of the conversation in these kinds of discussion forums is around state to state dialogue. And what you pointed out was – I didn’t hear you mention nation states in that. It was really about consumers and business. Any comment?
GREGORY RATTRAY: You know, and I mentioned this to you just before we started the panel. One of the things that concerns me about the frame is yes you have to look at what countries need to do, and to my mind, the country is – includes the government but it also includes the institutions and the people within a country. But our approach to cybersecurity especially sort of over the last, you know, four or five years maybe in part because of the country focused attack on Estonia has – that paradigm has become sort of overused or we need to think about sort of additional ways to look at, you know, how to mitigate the risks in cyber space, right. So, you know, Microsoft has a global diplomacy effort that doesn’t come from a government but is a company-based diplomacy effort. I think that’s the right paradigm.
You know, Bill talked about the network operators have a security group of their own that only to some degree revolves around – it doesn’t really revolve around. Maybe I think Bill pointed, governments don’t have much authority to direct what they do. So I think, you know, in Washington. You know, in an - in this sort of dialogue, we’ve got to remember that internet is operated primarily by the private sector and most of the stakeholders are outside of governmental organizations.
ANDREW CUSHMAN: Thank you. And Jonatan, for you now to give us a short introduction and perhaps suggest what you think of some of the problems that are in need of solutions.
JONATAN VSEVIOV: Oh, thank you. And much like Ian, I’m a policy person at the Estonian Ministry of Defense since 2008 and prior to that, I was at the Ministry of Foreign Affairs so for as long as I can remember I’ve been dealing with policy yes indeed security policy but from both sides of the [inaudible] from the MFA as well as the MOD side and actually during or in 2007 during the attacks, I was stationed here at our embassy in Washington DC handling political affairs. So I can come back to that if there is any interest concerning my views.
During the first panel, Eneken, I think talked about the triangle – the important triangle of policy people, legal experts and technical experts. I think that was important back in 2007. It’s important still. I think we’ve gotten much much better at it, at least in Estonia. I think the challenge back in 2007 as the attacks were occurring at least from the Ministry of Foreign Affairs’ standpoint was that we knew that there were legal experts somewhere. We also knew that there were technical experts somewhere. We spoke a different language. We could not communicate directly with each other and that has become significantly better.
And in Estonia and I think also on the international stage, we have recognized back home that the government can do a lot of things but it cannot act alone when it comes to cybersecurity. We are the minority shareholders so to say, but – so we need to move from a whole of government approach to a whole of society approach when it comes to cybersecurity with creating institutions to deal with that. The voluntary cyber defense league as we call it an equivalent of the US National Guard. But that unites our cyber experts not only from the government but also from the private sector I think is of importance here.
And although the government is not the main player here, still I think is important, so we got to get our interagency to work better. We have to have institutions that can respond if not for anything else then for communications reasons. We need to be able to talk to our people and to explain what is going on and that I think is of growing importance. And my final point as introduction, the mitigation of attacks probably requires networks as what was explained in the first panel. But the owner of people, the people who are affected by the attacks, our society was back in 2007, they will not know to look those experts, those networks. They will look at the government and demand solutions and answers and they will ask where the government has been, what the government is going to do and what international alliances that we have decided to belong to, what they will do.
So, I think from a government perspective, we need to be able to provide those answers in times of crisis and indeed planning is everything. The plan is worthless as was explained in the first panel and that I think is where the government’s role at the moment is.
ANDREW CUSHMAN: Thank you very much. As we continue the discussion, I would like to have this be a less structured one after another and make this a – so if you have a comment that you like to share, please just inject right in.
As I listen to this, there are comments about information sharing and there are comments about the multidimensionality of the problem, technical policy, legal. And as I work in security, one of the things that I noticed is that the relationships are important to have ahead of time but it’s so often those are personally based trusted relationships. And so, a starting question is how effective are – must you have the personal trust there in order to make that work or is it organizational trust? Is that sufficient to make that work?
And then secondly, as we think about these different dimensions, policy, legal, technical, how is it that we talk – I talk often about like-minded communities and I think it’s easy to get like-minded communities within those silos within those dimensions. How is it that you bridge those communities? What – can we find a common motivation that spans those to ensure the confidence in the internet? So I throw those out as some questions for further deliberation.
BRIAN PERETTI: So, I’ll make a few comments on that. One of the things we find an idea of mainly with the financial sector is that a lot of times even the organizations within the financial sector don’t know who their counterparts are in other organizations. So one of the things we try to do is encourage those organizations who are or similar in nature who perhaps had the same threat profile to communicate and identify those other ones who look the same because we would assume that if somebody was going to do an attack against a depository institution that’s a large one or a small one or whatever size it is, other ones in that same threat profile may also be subject to the same type of attack. And the more which we’re going to have those folks talk to each other, at the end of the day we are probably be better.
If I expect – if, you know, if the assumption is they have to call me or somebody in Treasury to get an answer and then push it down, it’s going to take a long time and it’s just not going to happen in any kind of response time that’s going to be valid. So what we always try to encourage is to make sure that they know who their counterparts are that they speak to each other and that they not necessarily know exactly how their systems are setup specifically but at least generally.
So if they know, you know, our particular attacks coming from this way through, say, port 80 that you pass along that information to other folks who you know to say, you know, you got to pay attention to the stuff going on through there or whatever happens if it’s particular threat profile for the day.
So from our side, we also encourage a lot of people to deal with other groups out there who share this kind of information. We emphasize that from our side, the financial services sector, coordinating council, local regional coalitions or whoever is most appropriate for them to talk to so that in the end of the day they can at least pass this information and get valid information back.
We understand that the amount of information that comes out on any day regarding best practices, regarding any particular system is a lot. And when you start to have layered, multiple types of deployments of software within it, you’re probably going to spend more time just reading papers than actually doing your work. So as people can kind of chat with each other, figure out what’s the issue of the day and start to look to try to address that, hopefully we can make these things more secure and then be able to have a better understanding of how we can look toward the sector to be able to work with other organizations to make that happen.
ANDREW CUSHMAN: And do you find that that’s working? Because in some ways that sounds like common sense advice and it seems as though that make sense but the – I also wonder how successful that is.
BRIAN PERETTI: So we find it to be pretty successful, but you know…
ANDREW CUSHMAN: And other specific things that you do to promote that?
BRIAN PERETTI: Well, so what we do to promote that – so the issue is of course there’s turnover. There is something like 30,000 financial organizations in this country which I’m assuming a CIO or CISO is leading every day. And of course, when the new guy comes in or new girl, they take a while to get back up to speed, to be able to understand what’s going on.
So that’s part of the issue. So, you know, how do we get those things across board because even if you make an organization to organization base, somebody still has to read the document and that becomes part of the headache that’s out there of how to get it into the right hands to be deployed the right way while you have organizations that or necessarily going through change should happen all the time. So we find this successful as a way to get out. You know, it just takes a while to make it happen.
GREGORY RATTRAY: You know, to build some on Brian’s comments because he and I worked again in a number of mechanisms related to the financial services sector which I think is a pretty – I don’t know if I want to say successful. Certainly, going in the right direction, trying to take and then you made the right point, I think it’s important that the trust that developed among a set of individuals including individuals in the private sector with the government and trying to expand that. But I did want to highlight some limitations, right, because I think that’s important.
You know, one of the things is it’s tough to translate that into organizational trust particularly in the United States because of the litigious nature of our society and I think the US has a particular challenge in that to sort of legal constructs that want to keep the government and the private sector not at odds but at a distance are stronger here than in most places around the globe and every time we do these sorts of things that fundamentally influences the timeframe to get into a framework agreement or whatever sort of, you know, institutional trust that is built on the legal aspects.
The other thing I find is that, you know, when we’ve experienced this in some of our exercises to the preparedness point, there is not that many people that have this trust and the same guy is on five different committees that when you run an exercise are all having phone calls at the same time, right. So, we’ve sort of got a capacity issue in that personal trust is embedded into few individuals and we’ve got to work on scaling that up.
And then, you know, turnover is a two-sided coin in that there’s a lot of government turnover as well and as these trust relationships keep built up, you know, we got to manage through the turnover, so a few comments in that regard.
IAN WALLACE: Just another side - there are two separate issues in some ways to it. One is how we manage a crisis. The other is how we avoid getting into the position where we need to manage a crisis which in some ways is to – in the essence of the strategy. And I think it is easy to focus on the former at the expense of the latter and the latter may be at least from a government perspective, and yet that may be where a government can make its most important contribution.
And I think – and this is another example of us working this through slowly is how government can best, certainly in my country and this country where governments don’t really control and run the internet, how we can best contribute to that.
And I think it’s in some ways working or helping create a market place by which those conditions are set and I think over the next years that’s going to be key to this.
JONATAN VSEVIOV: I just want to put our experience into context a little bit. Back in 2007, every [inaudible] came under a cyber attack, what’s important to underline here is that it was the society at large got – that was the [inaudible]. Not just a few government websites, not just a few websites of some prominent companies but major banks and newspapers, government websites and so on and so forth.
So as I said before when this happens, when you lose your internet access, when you can’t communicate with your colleagues or with your friends, with your family, you look at the government and they expect them to respond. Even if they cannot respond technically, you look for some solutions by the government.
Now, the landscape has evolved since. At least in Estonia, we’re reliant on the internet back then as a society. We’re even more reliant on the internet today. We vote online both on national elections or local elections, 99 percent of the bank transactions take place online. We do our taxes online and so on and so forth. So it’s not just a matter of communication and convenience, it’s a way of life in Estonia. If those come under attack, it’s a bigger problem than just a technical issue for technical experts in some banks or government institutions or private companies. It’s – it becomes a political question and eventually also a legal question.
Now trust is of importance. Trust between the government and private companies, trust between the government and its people, but also trust between government, between governments and societies.
I want to highlight a few points when it comes to the international approach that this thing has taken. The political world, the international relations were, back in 2007, was not used to discussing cybersecurity. We knew theoretically that this was important and there were academic journals that have highlighted that, as Eneken has said before, when 2007 happened, there were no consultations mechanism within NATO, with the European Union that we could use automatically. I think we’ve come a long way from that point.
What most governments and experts have recognized is that cybersecurity, cyber defense has become the so-called fifth domain of international relations. World war [inaudible] if you will. And if this is indeed the fifth domain, then we should – we better have the institutions and the capabilities that are necessary for our own defense in that domain.
NATO is not the only international organization but at least from our point of view, it is the ultimate international guarantee of our security. And I won’t argue that every member state with the alliance, all 28 of them belong to NATO not because of convenience but because of that very same reason, article 5 that is the ultimate guarantee for the United States, for Poland, United Kingdom, Estonians so on and so forth.
Now, NATO had not discussed cyber before 2007. It raised cyber on its agenda prominently at the Lisbon Summit a few years ago and the road between Lisbon and Chicago has been, I would say, interesting and Estonia has been one of the nations pushing for an ambitious agenda.
Two issues of importance have been solved. First, the conceptual issue of whether cyber is important for NATO as an alliance for governments as actors of the international state. I have not met a person or I have not heard a government speak with not agreeing with that. Yes, cyber defense is important. We have to do something about that.
Secondly, the question of article 5, our collective response and cyber, the interactional the relationship between the cyber and physically if you will. There were questions raised back in 2007 as to whether a cyber would be enough - a cyber attack would be enough to activate article 5 or even article 4 for that matter. I think that debate has been settled.
NATO has publicly declared that it does not limit its own activities when it comes to article 5 [inaudible] of list of potential attacks that would constitute or not constitute an article 5 attack, so we have kept the door open so to say.
The article 5 decision continues to be a political one and if the outcome of an attack is serious enough, then some members of the alliance have even argued that they would not limit themselves to a cyber response purely but agreed to respond in whatever way they deem necessary at that moment.
The discussion ongoing at the moment concerns the role of NATO vis-à-vis other international organizations. Ian mentioned that briefly whether NATO should have a larger role in the European Union, OSCE, the United Nations, et cetera, et cetera. And that debate is ongoing and I think the important point to make here is that NATO while being a military alliance is also a political alliance. It is the – there should be at least the preferred place for allied governments to have political consultations in matters that affect their security. If it is indeed agreed that cyber affects our security, then NATO should be at least the place for having discussions as to what role other international organizations and NATO itself should have.
From our point of view, NATO should have an ambitious agenda or an ambitious role in cyber defense as well. We’ve made that point before if this is indeed the fifth domain of international relations and war fighting, then declaring that NATO’s role should be limited to the defense of its own networks would be almost the same as if you are given an air force role should be limited to protecting airbases or the navy’s role limited to protecting naval bases. Now that’s easier said than done obviously, but the point that remains I think relevant that we should ask for NATO to have the relevant expertise and organizations and institutions necessary to respond or at least to advise our leaders in time of crisis and we’ve made progress on that. I think we’ll keep making progress on that in the days to come.
ANDREW CUSHMAN: Greg?
GREGORY RATTRAY: Yeah. Andrew, I just want to make a point about trust across borders, right, and I’m avoiding the use of international because I actually think the organizations that are most significant are not nationally based and it gets back to Bill’s point, right. You know, most of the most – the most of the significant organizations that protect the cyberspace are, you know, cooperations between operators whether they’re ISP operator and network operator’s group and NSP-SEC, the domain name system operators and a trust level in those groups are very high. The CERT community which does include governmental CERTs and non-governmental CERTs, you know, when they work on operational problems day to day, they build trust for some of the reasons you articulated.
I think the fundamental challenges that sort of attention over the last three to four years in intergovernmental organizations in the global norms building and confidence building, themes that have come through which I think are great themes are how do we engage a multi-stakeholder approach that doesn’t have diplomats solely or in security officials around the table but does include people like Bill and organizations like ICANN or, you know, the right sorts of, you know, private sectors, creators and, you know, operators of the internet in these security discussions because they still think governments are shy about letting the private sector into the tent.
ANDREW CUSHMAN: Ian and then Jonatan, and then we’ll take a couple of questions from the floor.
IAN WALLACE: I just wanted to come in on Jonatan’s point really and bring in a point that Greg made, I guess. And first you say that NATO absolutely has to take cybersecurity seriously both for instance and because the wars in the future are going to have a cyber dimension and I think people recognize that. But cyberspace is, as Jonatan said, if you think of it as a domain, there a lot of things you can do in a domain. You can, you know, fight wars on the ocean but you can also take a pleasure craft for a sail.
And I think one of the challenges going forward is working out what different organizations have competence for in cyber and if we got into a situation where the NEC thought it was in control of the situation are the same type as the NSP-SEC was trying to deal with it, you have some cultural crash that could be very ugly.
And – so I guess my point, there is not to say NATO should be in, should be out, but working out which international institutions, organizations have competence for what.
ANDREW CUSHMAN: I think that’s a great point. I would add to that that one of the problems that we face is one of vocabulary and that there is lack of precision in some of the terminology that we use. And so that would be a great starting point I think in terms of – that would then add clarity to which organization might be best suited to deal with this.
Today, we talk about cybersecurity and that’s a fairly broad topic and people have many meanings that are attached to that.
JONATAN VSEVIOV: On that point, coming back to the triangle between legal, policy and technical experts. I think the same is true for international organizations. Now, some constraints in some areas, the important thing – I like the vocabulary point. I like it a lot. I think as we in Estonia found out in 2007, we did not have the same vocabulary. The policy people, the legal people and the technical people took a long time to get that vocabulary. We’re still challenged by it but we made a lot of progress.
When we talk about international organizations, I think we’re a long way behind – where some – the countries like Estonia are at the moment and the international organizations have a hard time talking to each other. The European Union and NATO are getting better and better at it. It gets more and more difficult if we include nongovernmental organizations and networks and international networks and so on and so forth.
So one of the things we’re going to do is we’re going to work towards this – a common vocabulary and a common format for those institutions, organization and networks to communicate with each other. And for that to happen, the critical precondition is that each and every one of those players has at least some level of expertise on the matter. For those is a matter of – a level of understanding as to what its role should be and we – I agree that we need to work towards that. And on the point of trust, domestically I think the role of the government is more or less limited to providing the format or the planning a – creating opportunities for individuals, nongovernment organizations and the government’s own experts to come together and establish or create, build on that trust.
The – I’ll come back to the Estonian cyber defense league, the National Guard type organization of which Jaan is the deputy commander was established after the attacks. The point is to create a format, an organization that can unite or bring together experts from the banks, from the internet service providers, from the government would provide them with the opportunities to get together with the opportunities to exercise, to train and so on and so forth. This is what the government does. The outcome – the most important outcome I think even in a small society where most people know each other to start with is that we bind that group closer together in times of crisis. We can use that network, that informal network that has been created with the help of the government. And I think this is where the government’s role is most important domestically.
ANDREW CUSHMAN: So let me just follow up on two things, you know. Either so many times I can’t tell you how many times this has happened in which I’m talking to somebody about a particular threat or vulnerability, and it has been named something different by somebody else, and so we have all these nomenclatures going around without any kind of uniform way to be able to talk about it which causes delay and problems just sharing that information. So that’s a big headache that we always have.
You know, getting back to the point about trust. The internet was created based upon trust and connections. That’s the foundation of that and so we got to the larger extent the computers being able to do that. Now we have to work on the people being able to do that and if we can make – get that connection together to be able to share that information in ways in which we trust and understand who’s going back and forth on both sides, that’ll be a far way to be able to help solve this problem.
ANDREW CUSHMAN: Terrific, thank you very much, stimulating conversation. We have a great panel of experts here. I see three questions from the floor already or comments. If you keep them brief, I’d appreciate it. There is a microphone right behind you.
And if you could introduce yourself, please.
COLIN CLARK: Good morning. Colin Clark, AOL Defense. Having just come from the NATO summit, I was struck as you were by the paucity of discussion about cyber. Why do you think – was it simply overwhelmed by Afghanistan or was it something that the alliance just couldn’t get everybody on the same page, so they said nothing?
UNKNOWN SPEAKER: Well, I think we are more or less on the same page when it comes to the two points that I mentioned the importance of cyber and the relationship between the physical and the cyber worlds. The question was on the agenda. It’s in the declaration, perhaps not as prominently visible in the international media, but it was there. It was there – there were no major debates when it comes to cyber but at least it’s on the agenda.
Now one of the things we want to achieve in the years and months to come until the next summit is that we move the discussions forward. This summit was – when it comes to cyber, this summit was more about taking stock of what has been achieved since Lisbon. We have a new cyber defense policy in place. We have made progress in that. So we took stock of that, but next summit I hope we’ll be able to move the boundaries further.
ANDREW CUSHMAN: Ian?
IAN WALLACE: I was just going to add that I think part of the reason why is because cyber is not a contentious issue within the alliance. It may be that it ought to be as we work through some of these issues and there will need to be more discussions. But at the time when you have Afghanistan, decision making, ballistic missile defense, declining budgets and the need to manage capabilities among that, it wasn’t the crocodile places to [inaudible] I think.
ANDREW CUSHMAN: I’m going to – wasn’t in Chicago and I’m not that familiar with NATO and I’m not a government official but I will answer from a larger perspective which is the difference between an intellectual understanding and an emotional or a visceral understanding. I think that the Estonians are so passionate about cybersecurity because of their visceral experience with cybersecurity. And that I think many people intellectually understand the challenges and the importance of it, but that’s a wide gulf between those two positions. And that plays out – we had the similar issue at Microsoft is how do you help every product team understand without having to go through a Nimda or a Code Red, and how do you help every NATO nation understand without having to go through an Estonian experience.
So we do have a number of other questions. Veni, in the back here and I’ll get to…
VENI MARKOVSKI: Thank you, Veni Markovski and a couple of comments actually. First, I completely agree with somebody mentioning other organizations that are relevant in this area and the problem is that many governments consider that cybersecurity should be tackled only within international treaty organizations while there are many international organizations which are not treaty and they do an amazing job.
And I think the second question is related to what you said and I think you probably based it on the government’s experience about the dictionary of terms. It’s a good thing to build something like that but it’s also you have the possibility to become a negative thing. It depends how exactly these terms are defined.
So right now we have an effort between some nation and US organizations to create such a dictionary, I don’t necessarily agree with all the terms and in fact, the document that is produced is basically a lot of things to discuss on it.
ANDREW CUSHMAN: I think that’s a great point when talking about vocabulary and that is that you need common understanding of what – how you’re describing the problem but don’t get trapped into a straightjacket of definition. Brent, we have Eneken up here and has a comment or question.
ENEKEN TIKK-RINGAS: Thank you. I have a question of two parts and the first part goes to Jonatan so I want to ask you having been in 2007 as a Minister of Foreign Affairs and in the process after that, you’ve seen how the kind of international posture of Estonia has changed to a great extent from an international perspective. So we are part of the four countries who started the NATO cyber defense policy, et cetera, et cetera, et cetera.
My question though is what do you see is the value that Estonia brings to the alliance of the likeminded and what in your opinion are the most important avenues of Estonian-US cooperation that actually improves cyber defense and security nationally and then internationally?
And to give you a minute, I actually would follow up on a point that you made earlier, Jonatan, on the government’s role being [inaudible] that Greg also mentioned. So Greg and Andrew, if you say that the cyber diplomacy more and more opposed also in the private sector, the government role is somewhat overrated then what in your opinion would be this one thing that we would do differently immediately when we jumped from this whole of a nation approach to the whole of the society approach? So what would that be? Thank you.
ANDREW CUSHMAN: Greg, you want to – do you have any thoughts there or…?
GREGORY RATTRAY: Anybody supposed to go - I can go first, Jonatan, if you’re getting ready.
JONATAN VSEVIOV: Thank you.
GREGORY RATTRAY: You did it in 2007 by having, you know, Bill in the room in your CERT, right? I mean it’s being able to operationally integrate all of these, you know, connections that occur across the global internet to mitigate, you know, malicious activity. I mean I had some direct experience with the evolution of the Conficker worm where, you know, there was a stage of the evolution of that worm where the Chinese needed to take action. There was governmental dialogue that was going nowhere that the main system operators were able to call up CNNIC who operates the Chinese top level domain and they blocked the appropriate domain names and that occurred in a period of 24 hours because in this case, ICANN had the ability to at least have the phone numbers to call the right people.
You know, if US CERT is concerned about a problem like that or if part of your national response is you got to leverage these, you know, less formal nongovernmental mechanisms. You got to figure out a way that that’s built into your response systems. So that’s the one thing I would do right now is to figure out how to make that bridge happen.
ANDREW CUSHMAN: I think that I’m big on the shared understanding and I talked about it from a vocabulary perspective. I would also highlight the shared motivations making sure that you can actually describe what the common interest is and why these different stakeholders from different silo departments should be operating to and acting together. It sounds simple and almost too basic, but those are the places where one needs to start.
JONATAN VSEVIOV: Well first, we have indeed been talking a lot about cyber in the international stage, but it’s not because we chose to talk about cyber. It is first because we want to share the experience that we had in 2007 but more importantly as a nation, I think we want to be in a position next time that would be better, more sustainable than it was internationally, legally, politically, technically than it was in 2007 and we want to make sure as we’ve experienced what it feels like to have one’s society come under a cyber attack, we want to make sure the next time we’ll be better prepared. And I’m quite confident as a policy person, not as a technical expert, that we are better prepared today internationally as well as nationally, but I want to make sure that we’re going to be better prepared tomorrow. So that’s the reason why we’ve been highlighting cyber and the biggest added value that we can offer besides giving or sharing our own experiences is highlighting the importance of cybersecurity.
And it’s [inaudible] rather today that [inaudible] today that cyber is and should be on the agenda of NATO, of the European Union, or the United Nations. Atlantic Council should have events since cyber defense. There would be other think tanks dealing with cyber defense. It wasn’t that way back in 2007.
Comes back to the question of translation – translating between the policy experts in the policy world and the technical experts in the technical world, it was much more difficult back in 2007. I remember when we went to the Hill during those days in 2007 to ask for the help of the United States Senate and United States House of Representatives. They prepared and approved a Senate resolution on the situation in Estonia which is very supportive of our nation. And the most difficult thing for me back then as an Estonian diplomat, was to argue for cybersecurity. It was very difficult to get wording on cybersecurity into that resolution. It was considered to be a new, somewhat an unclear topic. People didn’t want to put it in. They considered this to be intelligence information that they felt were not suitable for a public resolution. So eventually if you go back and look at the 2007 US Senate Resolution then the way cyber is mentioned is to have ‘of our prime ministers,’ so it says whereas the Prime Minister of Estonia has stated that and that’s how we brought in cyber.
So back then and it was five short years ago in the policy world, highlighting cyber was much more challenging than it is today. That’s something that I think Estonia has been working very hard to achieve and we continue to work hard to highlight cyber be it in NATO pushing it into the declaration and so on and so forth.
On Estonian-US relations, I think we share the views on how cyber should be tackled politically and legally. There are a lot of consultation mechanisms in place between our two governments be it concerning our policies inside the alliance or vis-à-vis the Council of Europe, the Budapest Convention. Technical cooperation is on the increase as well. The United States is now a member of the NATO Cyber Defense Center of Excellence in Tallinn. So I think we’re cooperating closer and closer when it comes to that.
And finally, I’m not sure this point can be made officially, so I’ll offer this caveat first of all. This is my personal observation. Estonia is a very small country. A country of 1.3 million people, but with a relatively advanced IT sector and a huge reliance on the internet and one of the added values that we can perhaps offer politically, legally as well as hopefully technically, though I’m not an expert on technical matters, not only to the United States as a bilateral partner but to the international arena in general is that we function to a certain extent as a laboratory when it comes to cybersecurity, the laboratory where you can test political and legal solutions. I think we’ve been doing that since 2007 not because of choice again, but because of the necessity and a lot of things that we have done I think we have been successful at, some things we’ve been unsuccessful at. But we’ve been functioning as a laboratory and a lot of things that we’ve been trying out in Estonia have been interesting to other governments. So that’s hopefully one area where we can provide added value as well. Thank you.
ANDREW CUSHMAN: Thank you very much. We have run out of time. I’d – we’d like to thank the panelists for excellent commentary. This has been very interesting and to my mind informative. I would sum by saying that this is a multidimensional problem. We’ve talked about the triangle between policy, technical and legal. I think that it was mentioned earlier about from a planning perspective, I would say that this is not just a tech - this is a communication issue, this is a funding issue, this is also a technical issue.
And I would end with the comment again about Estonia remains – the event in Estonia remains relevant today because there is an opportunity to learn from that on an ongoing basis as you go back to it. But also, as Jonatan just mentioned, this is – there is a community of very passionate people here who are willing to push the envelope and to help us jointly find new ways of planning and of dealing with this.
So with that, I’d like to thank the panelists and move to the next, so thank you.
JASON HEALEY: Great, thank you very much and as Andrew mentioned, we’re going to be going directly from one panel to the next to hearing from Chris Painter who’s going to get miked up now.
After Chris, we’re going to be having lunch, delicious products here from Virginia which is going to be outside. We’ll give you instructions but you can see we’ll be eating up here on the round tables.
Many of you probably already know Chris Painter, but we were so happy that he was able to do this today because the theme of today is planning and preparedness in looking it yesterday, today and tomorrow. And so we feel very glad to have Chris because he really represents all of those.
During the 2007 events, he had already been working cyber issues for probably 10 or 15 years at that point and played a role in the US government’s response during that time. In the time since, he has been very important US official and how to make sure the US can be ready and learn from those lessons and now in his current job, he is working with other nations and the US government for what we can do to make sure that we avoid those worst cyber futures and hopefully get to the best ones.
We won’t cover his formal bio that you all have that in your packet. It was my great pleasure to introduce Chris Painter.
CHRISTOPHER PAINTER: Thanks a lot, Jay. Well, it’s an honor to be here and I do. I remember well the events in 2007 and it seems like it was only yesterday in some ways and I do think, you know, I probably echo a lot of which you heard this morning that a lot has changed since then and some things haven’t changed. We’ve gotten much better in some things. We have, you know, quite a far way to go in others, and I want to touch on a couple of things.
One, how, you know, how this would reflect in terms of our abilities to do incident response and where we were then and where we are now? And that actually played a role in terms of what happened with Estonia and how the US reacted and what we did afterwards.
And two, you know, I think Estonia has, you know, deserves a lot – in the events in Estonia, actually were a watershed moment for a lot of reasons. You know, it’s one of those incidents and there have been many over the years that have raised the profile of this issue. Sometimes you have these incidents and they raise a profile of this issue for like 20 minutes while people think this is a big deal and then they kind of go away, but I think this one has had lasting power at least within different communities and I think it has built over time. And certainly, I think kick started a lot of debate about what our vulnerabilities are, how we are – are we really organized to protect ourselves, could this happen to us, all things we talked about after this incident happened.
And kick started the discussion that later became, I think, a much more organized discussion in terms of what are the appropriate norms in cyberspace, what are the rules of road in cyberspace. And that’s, you know, along a whole wide range of topics from, you know, the political and military issues, you know, what is conflict in cyberspace, what kind of response do you have, what, you know, does the law act, does the laws of conflict apply, all things that really weren’t really thought about much at that point.
You know, I think there’s a lot of focus and I’ve seen a lot of focus and perhaps undue focus in the whole concept to cyber war. But I think we hadn’t really thought about the prospects of state-on-state or possible state-on-state conflicts back then and we hadn’t really thought about a lot of these issues even though we’ve been concentrating in cybersecurity for some time.
And you know, I – as Jay said, I’ve had – you know, I don’t know if it’s a privilege or curse of having a wide perspective of this area where I started doing this as a prosecutor back in the early 90s and still doing it now and just different parts of this, I’ve seen kind of the threat evolve over that time where we, you know, certainly, in the early days we saw this sort of lone gunman hackers who were going in and doing it for their own supposedly intellectual edification although they caused a lot of damage and actually they often used it to their benefit, too. And then we saw organized crime getting involved and I think Estonia was sort of the next level of seeing another kind of threat out there that we really hadn’t thought kind of structurally about. And there was a lot of debate after that in a lot of different forms and I think that was a good thing. You know, I’ll talk more about that in a moment.
I am as a former prosecutor and I apologize to those of you who’ve heard this joke but I’m going to tell it anyway. You know, I usually start things like this with a joke to kind of loosen the crowd up, but you probably are a pretty loose crowd already after this morning. But I’m a lawyer and I would tell a lawyer joke but the – I’ve learned over my life that the problem with lawyer jokes is that non-lawyers don’t think well - the problem with lawyer jokes is lawyers don’t think they’re funny and non-lawyers don’t think they’re jokes, so I will avoid doing that today and I’ll have a different kind of joke today.
So I want to partially make this, you know, from my experience coming through this but also brought it out into some of the things you’ve heard this morning or some of the lessons learned and really carry through in Jay’s conception of this meeting as past, present and future. The future is always unclear, but I think there are certain pointers that we can see for this.
The past, I’ll start with the past. Back when the event happened, you know, I think we’ve certainly been doing a lot of stuff in the US around cyber before this. Back in 2003, there was the cybersecurity strategy that came out of the White House which is a good document.
Like all documents, there were various compromises but I think a really good document but frankly, did not get a whole hell of a lot of traction after the beginning. It may got some good ‘oomph’ when it first came out, but as time went on, this issue sort of slipped from people’s consciousness and particularly at a higher policy level and that’s always been a struggle with this area where you talk about cyber, you talk about cybersecurity and people like, you know, dash for the other room or jump under the table. They just start their eyes roll back in their heads and they were – you know, especially senior policy makers, this has not been something that they really latched on to and until relatively recently, I do think the Estonia event had something to do with raising that consciousness.
But, you know, we were – we had formed something called NCRCG which falls trippingly off your tongue. The National Cyber Response Coordination Group and it was co-chaired by DHS and it was in the Executive Secretary that was DHS actually [inaudible] was involved with other people who are involved at that time. And it was co-chaired by them by DOD Mark Hall, and by me from Justice when I was at Justice.
And so we had these three chairs with the understanding this was our thought process that, you know, everyone likes to have organizational structures. We just have one person. We said, you know, this area the kinds of incidences you can have in this area could be different kinds of incidents, so it could be a major vulnerability where DHS, you know, has a huge role to play and they always have a huge role to play in terms of resiliency, in terms of recovery. It could be a law enforcement matter in which case you know Justice would have an investigatory role or even an intelligence matter where there is an intelligence part of the FBI but also the types in the rest of the intelligence community or could be an attack on military networks or a military matter and so we need DOD.
And then we had all the other agencies that were part of this group and we met regularly. It was a good, I think, beginning but it wasn’t as strong as it could be and it has been modified since then and I’ll talk about that. But the idea was to have this group coming together at people who understood cyber and surging if there was a major incident and coming together and be able to make decisions. It’s always a balance do you stay at home or do you come to a meeting because the capabilities the bench just is not that deep in this area. It still isn’t and it really wasn’t that.
So how do you do that? How do you leverage these capabilities? How do you deal with all the things that we’ve seen in the number of exercises we’ve had in this area like information sharing and part of is how you deal with the international partners?
We tried but you know, we didn’t – it wasn’t war – I’d say it was less structured than it was episodic and as we were trying to do this. And this NCRCG group, just like all cyber things, was an important group, but again, the senior policy makers were like, “I’m not sure I understand that. What is that thing? I don’t know how to deal with that?” So it was performing an important role but I think it really hadn’t matured at that point.
But the interesting thing is it actually – the thing it did do is bring these different communities together in a way that could act fairly quickly but maybe not to scale. I mean, maybe in this incident it just worked because people knew each other and that is great. You had to have people working together. You had to have people having personal relationships that doesn’t scale and worked in this area.
And the other thing that I think that group tried to do several times but really wasn’t able to do as much as it should have is really pulling the private sector in a more organized way. So there were some challenges, international challenges, private, social challenges and others. But what ended up happening is the incident happened in Estonia. Mark Hall as the DOD person who actually at the meeting in NATO, he calls me up as the co-chair I do the protocol we developed. I said, “Wow,” you know, and we talked – we had co-chair called would also the DHS co-chair. We were all trying to figure, “Okay, how do we…” We [inaudible] to this in the US perspective and the two things coming through our minds, not surprisingly, are what can we do to help and what does this mean for us?
And so what we can do to help worked, I think, pretty smoothly. You know, again, not maybe the best structure in the world back then but it worked because what DHS did say very quickly start getting US CERT involved. What I did is I called Shawn Henry who just recently retired who happened to be in an executive retreat with Director Mueller who was having dinner with him and he said, “Hey, this happening.” And [inaudible] surge very quickly and get all these capabilities, you know, to start dealing [inaudible]. Remember the, you know, we looked at the profile of what the attacks were in Estonia. There were some servers in the US that are involved. It wasn’t the majority though, but there were some things that could be done in CONUS and there were some things that we could do to try to assist the Estonians as much as we could with capabilities we had.
So, you know, I thought that generally worked well even though it was a little random in the sense that we did have structures, we did use those structures, but, you know, the capabilities hadn’t been fully tested or developed. One thing we found and I am very sorry, my colleague Michele Markoff, who works in office can’t be here today, she was going to be on one of the panels; unfortunately, she had a slight accident but she will be fine. But channeling Michele a little bit, Michele was at the State Department at that time where she still is, where I am now, and she – you know, the first thing she recognized is we don’t really have a good way to reach out to our international partners in real-time and deal with these things on a policy level. We don’t, you know, we had something that stayed in DHS had worked to create called International Watch and Warning Network, Estonia wasn’t a member of the International Watch and Warning Network at that time so that didn’t really help. And the idea behind that group was to facilitate this kind of communications but it was still in its formative stages and, you know, it’s grown since then.
So we didn’t have that and that really, I think, illustrated that we did need to do more on that level. And you know, I think – so we had all these operational issues and I’ll talk a little how incident response has changed in a moment. We also had the kind of issues of this incident illustrated for the first time possibly that we had to think about political military. You had to think about what all this means in terms of the threat as I said before and how we act to that. What does this mean? What does this mean in terms of our policy? Have we thought about what the implications are of this? Yeah, we hadn’t really thought a lot about at that point. We hadn’t really thought about what the rules of road or norms in cyberspace would be. You know, there were some dallying around about different things back then, but it wasn’t, you know, I don’t think we had seriously as governments, I mean, there’s a lot of academic literature as governments focused on this issue. We, you know, the US hadn’t concluded one way or the other at that time whether for instance internationally, humanitarian, what the law of armed conflict apply to cyberspace and what that means. We didn’t know what’s acceptable or unacceptable conduct in cyberspace, largely we’re still working that out but I may think that there was really [inaudible] back then.
And then just operationally, we didn’t, you know, it was interesting NATO and there’s been a lot of work in NATO since then. NATO didn’t really know how they are supposed to help member countries and how the NAC is supposed to help when something like this happens. How do you, you know, how do you help countries that are the subject to this? And so all those things – so I think the Estonians illustrated all these things and then there was a lot of various talks afterwards.
So you know, another thing called the Meridian process. There are a lot of processes out there. The Meridian process is senior decision maker. It was launched first back in the UK presidency of the G8. [inaudible] the UK presidency of the G8 and the EU, and that was about the time we came out with our critical infrastructure – information infrastructure protection principles that then became a UN resolution that talked about things that governments domestically should do. And Estonia had actually done a lot of those things frankly at that time, but other governments hadn’t.
But, you know, we had this Meridian process and everything I’d say and some of you have lived this, almost every conference you went to for the next two years. You know, Estonia was on the agenda. Estonia was the poster child of what everything and they would talk about how they reacted and they talked about what’s in the issues were and they talked about their dependencies. They talked about all these issues you’d thinks that you would learn from this and I remember one where they had this Meridian Conference in Sweden in Stockholm and they have this very odd setting. They tried to make this more exciting because, you know, conferences – all conferences are pretty much alike in some ways. And so, they tried to make it more exciting so what they did is they had various topic areas and they did speed dating. You know, they had – and they literally called it. You would talk about an issue for 10 minutes then you move to the next group and talk about it and you constantly move. And then, you know, it’s typically in these conferences they do. They went on drinking that night and then it was very much like speed dating. You wake up in the next morning. You don’t know where you are in the room that you don’t recognize. But I thought it was a really good discussion and the Estonians were there talking about what their experience was and why this actually mattered and why even though as what’s been said just in the last panel - even though they are a small country, even though, you know, they may not – there are things that don’t scale in terms of how other countries might respond to this. Given their dependence on networks and their advance state of dependence on networks and given some of things that they went through and how they mediated and [inaudible] the issues, it was a good lesson and it was also a good lesson thinking about these larger issues.
So I said, you know, the two things that we immediately thought about is what can we do to help and, you know, how does this affect us. So the other part of this that was driven right after this was for us to get together as this NCRCG and actually do a table talk and figure out, “Okay, let say this happens to us, what happens? Now, what do we do?” Now we’ve done a host of exercises. Cyber storms one, two, three, and now the national level exercise. So exercises in cyber are not new but I think we really were focusing on could this kind of thing happen to United States? What are the dependencies? What will make a difference? And frankly, how would we respond? We know how we responded this time but how will we do it?
And that was I think a very interesting exercise as well. I think we largely concluded because of the kind of architecture in the US. It was unlikely this particular thing could happen, but other things could, and I think, again, to focus our minds on that. So that was some of the practical aspects.
On – so that was kind of the – that then and where we were then and I think we had made some progress certainly in a number of different fronts but we hadn’t really jelled very well and then since then, I do think there has been a major evolution. There is still a whole lot left to do, but I think there has been an evolution and a lot of that was triggered by I think the lessons from the Estonia event and one was I talked about the sinusoidal curve of policy makers paying attention to this. I think that’s over now.
I think we’re now at the stage where people are going to care about this. They’re going to continue to care about it not just in the US but in other countries. You have – I don’t know what the current number is. It’s over a dozen countries have cybersecurity strategies now which didn’t exist. Estonia did have one in 2003 I think or 2004. Was it really? They had one of the early ones, but many countries have them now which is important and including the US. Some have gone through a couple of different iterations of it.
In the US, I think we had continued to focus on the issue but not maybe as much as we should have until near the end of the last administration where we had something that many of you know the Comprehensive National Cyber Initiative, the CNCI which is a misnomer because it’s not in fact comprehensive. It didn’t have any well, any national component to it and it really didn’t have a private sector component on. But still I think evidenced that the US government was paying attention to this and in particular, in protecting private – of US networks which is a major step forward. I mean, I think it really did help galvanize that.
And then when President Obama came to office, I think the first presidential candidate who gave a cybersecurity speech anywhere, you give it out, you know, with [inaudible] at Purdue and then had his campaign hacked into. You know, you have him coming into office and one of the first things he does is create this group which I was lucky to be part of with Melissa Hathaway and others to write the cyberspace policy review and look all of our cyber policy and I think that was significant.
And you’ve had an evolution not just from that document and the President coming out and saying something that the Estonians knew in 2007, but it’s something we hadn’t said really until a couple of years later where the President came out and said the cyber threats that we’re facing are some of the greatest economic and national security threats we face as a nation, and I think the Estonia example is particularly telling here because it is the economic. It’s not just national security, it is economic security. And so those were all sort of watershed events and I think – again, I think all of this was building on top of each other.
As far as the incident response, I think there has been a real evolution there, too. So the NCRCG no longer exists, rest in peace, but it has been replaced by, I think, frankly a more structured system and also something that’s part of a wider document – structure document called the National Cyber Incident Response Plan, the NCIRP also falls trippingly off your tongue. And that was developed very interestingly primarily by DHS but with interagency and with the private sector there from day one which is kind of messy but it was good. I mean, it was good having them there and the private sector is not just one monolithic thing. It’s a range of different interest, but having them there and having them frankly on the [inaudible] working together with government in response mode, I think that’s good. You’ve had other centers like the National Cyber Investigative Joint Task Force. The great thing about government is there is no end of acronyms that you can throw at things. And that’s been – you know, that’s an FBI-led group but it’s many different law enforcement and intelligence agencies working together. You have the NTAC. You have US surrogacy component. You have all these different centers who are now talking to each other more than they have and I think that was one of the key things is getting all these different capabilities talking.
You have – and I heard this in the end of the last panel. You have more than you have before, still needs work. The technical community and the policy community talking to each other and that is really important because people making policy without a good feel of what the technical aspects were and you had this breakdown a lot of different ways. The law enforcement community wasn’t talking to technical community. The CERT community and the law enforcement community really weren’t talking all that much. The economic community and the security community weren’t talking. All of those have gotten better, right? I’d still say there’s a way to go, but, you know, for instance, there has been a lot of law enforcement surge joint sessions and first in other areas where they’ve come together and say, “How we are going to work together to respond?” You know, the economic community who has a different lexicon for talking about cyberspace, internet policy than the security community cyberspace policy. I have actually gotten together and understood how these are mutually reinforcing concepts and how they can work together, so I think that has been important.
So, you know, I think incident response in terms of the incident response element, I think we are better off now than we were before. I do think that there is more to be done. I think these exercises always show that. I think part of the incident response framework is how we reach out to our international partners that’s still being built one of the things in my new job always state is helping to build that is part of the exercises being going through and making sure that we have both the – all of these are key. The operational cooperation between, say, US CERT and their counterparts, between the FBI and Secret Service and their counterparts, but we also have the policy coordination between these different countries and beyond just, you know, our very close friends and allies. We have to, you know, these incidents are going to affect everyone, so how do we get as many as other countries into the mix as we can.
So I think that’s all important. I think the other thing that I’ve seen is a real elevation, as I said, of this issue now as a major policy issue and especially this has been true in the international arena. I don’t see people as much running in the other direction when you say this stuff. People now get that what we’re doing in cyberspace is really going to affect the future in a major way, both in terms of economic growth and prosperity and innovation and social growth. So when you link it to that business case instead of just talking about security, when you say this is why we care about security because it enables these other things as we did in the international strategy for cyberspace of the US released which really talks about how we’re trying to build like a consensus in the world around, for instance, norms of behavior and how we can work together then you understand that this security part is really a critical part and I think there’s been a real movement on that. And I think that there has been, you know, a good deal of – you know, one thing is my boss, Secretary Clinton, said when she rolled out the international strategy. She said that these bucket of issues are various cyber issues are new foreign policy imperative. They work higher persistent and patient in creative diplomacy and then part of the diplomatic game is also the long game. How do we reduce risk by, you know, kind of inculcating these norms about getting people to understand and building a consensus around them. So I think that’s, you know, it’s more engrained as a foreign policy priority and is a national priority.
We’ve also seen a lot of activity in terms of NATO for instance. I mean NATO one of the things that came out of the Estonia event as I said is it wasn’t really clear how countries have worked together. It’s not clear how they approached that and we did a lot of work in 2008 on how that might work and so discussions of that. And then as you know, cyber has made part of NATO strategic concept which was I think, you know, during this administration which I think is an issue step. There’s more NATO is trying to do, they obviously need to secure their own networks. But I think as more this incident happens, I think NATO has a real role to play in it.
We had a statement in the G8 at the last year’s presidency – French presidency, the Deauville Declaration where the leaders made a page and half statement on the internet including security which has not been heard of before. I mean, you know, it was amazing if they were able to do that and I think that’s a good move. You had the OECD come up with internet policy making principles.
On the kind of crunchy bits, the kind of hard [inaudible] political and military norms, they had a couple, I think well – huge developments. One is, you know, we had these things called the Group of Governmental Experts in the UN and this is in the First Committee, the kind of arms control committee and the first time we have one of these meetings, it ended without anyone being able to agree to anything.
And the second time in 2010, there was a real major shift and this is a group of 15 countries and, you know, they – some part [inaudible] but it includes Russia and it includes China and it includes the US and includes a lot of other countries, Estonia among others. And they were able to reach a consensus on a couple of key things. One that norms in cyberspace are something we want to continue to articulate and the US feels this is not new norms. We don’t need new norms in cyberspace. This is – the cyberspace is in this whole different kind of thing. You can apply existing norms in cyberspace that applies across the board and I’ll talk a little more about that.
But also we should look at confidence building and transparency measures in cyberspace. So that’s – though somewhat modest, I think that’s a huge advance for that group to come up with this in 2010. Again, I think in part that was part by what we saw in Estonia that conversation was. And then you had the US and about 14 of those 15 – well, 13 of those 14 countries who are ready, I think, to say and the US has said this - Vice-president Biden has said this at the London cyberspace conference that international humanitarian law, the law of armed conflict applies in cyberspace. So that’s another, I think, pretty major issue that we think – we’re still trying to figure out how would it apply exactly but it applies. It’s like it does in the physical world.
So you had a lot of important developments and we’ve had a lot of work on these confidence building measures. We’ve been talking to Russia about emergency communications during crises that’s been I think really paying off, exchanging doctrine, how you can maybe have CERTs communication better, better law enforcement communication. There are all kinds of confidence building measures and the OSCE is also looking at this. So there’s been a lot, I think, of development. And I’ll just briefly close with what the future I think looks like.
You know, it’s hard to predict the future as I said, but I do think we’re at the precipice now where lots of things, every international forum is looking at these issues whether it’s a multilateral forum or regional forum or key bilateral relationship. Everyone is focused on this and so that creates huge opportunity, some risks too, but as everyone is looking at this. But it really means we have to step up our game substantially and we have been to engage and really try to shape this international debate, working with a lot of countries so I think and like Estonia who share our views and want to see innovation cyberspace is really open interoperable, secure and reliable which is what we said in our international strategy.
I think there’s a lot of – more work to do in norms. There’s been a good start in the London conference on cyberspace. The Hungarians are going to have their conference. I think there’s more work to be done on confidence building measures. I think that going to be a key part going forward in trying to build a more stable cyber environment. So I think there’s a lot to do and with that, I will close my other promise too which is that I apologize if you already heard this so if you heard this, sorry.
So why is it – it was a large open [inaudible] it’s a hacker joke. Hacker walks down the beach, finds a lamp and rubs it and predictably enough a genie comes out and the genie says, “Look, you know, you got three wishes but because you’re a hacker there’s no are strings attached.” The hacker says, “Okay, I deal with it.” “What’s your first wish?” “I want a million stolen credit card numbers, class A, gold class credit card numbers.” The genie says, “Okay.” But then – and the genie says, “Well, the string that you’re – everything you wish for, every other hacker gets twice as much so the million credit card numbers you get, every other hacker gets 2 million credit card numbers.” So the hacker sees this and it kind of annoys him. I mean hackers are very competitive people. It just really kind of gets to him and the genie says, “Hurry up. What’s your second wish?” And so the hacker says, “Well, I want a Cray supercomputer,” so he gets a Cray supercomputer. But every other hacker gets a Cray supercomputer and Watson, the IBM computer the one on Jeopardy. And again, it just irks - and then the genie says, “Hurry up. What’s your third wish? I got to get back in the bottle and watch Larry Hagman reruns. What do you want?” And the hacker pauses, he thinks about it and says, “I like to donate a kidney.”
So, you know, the moral of the story is what we’ve seen in terms of the threat profile is growing all the time and our responses to sure have grown too but there’s a lot of work for us to do to try to keep pace with the various threats we’re seeing whether they be from criminal groups, from the potential terrorist groups, nation-states or others, and I think that there’s a lot of work to be done. There’s a lot of people in this room that are doing that work and I thank you for that and there’s a lot of discussion to be had about somebody’s policy issues and I welcome that too so thanks.
JASON HEALEY: So hopefully we can keep you for a few questions here and of course, you’re welcome to stay for lunch. There are delicious products here from Virginia.
CHRISTOPHER PAINTER: So I’ve heard, from Virginia?
JASON HEALEY: Exactly.
CHRISTOPHER PAINTER: [inaudible] when did Dallas airports started advertising Virginia as soon as you landed.
JASON HEALEY: You spent a lot more time in Dallas than the rest of us. So I wanted to kick off one question before we go to our audience here. If a – one of the things that we said was different about 2007 what we learned whether it was a nation-state and nation-state involvement. If we saw something on that scale again, maybe it’s not in Europe, maybe it’s in Africa or South America or Asia, and we see something that is happening to a country that is at least a friend of ours, what do you think would get – would happen differently today or next year? You know now we get cyber command, we’ve got you, we’ve got so much more that we didn’t have in 2007.
CHRISTOPHER PAINTER: So I think we’d have a far more regularized communications. I mean we now, you know, it depends on where the country is. We still haven’t succeeded and again, in communication in every country around the world and we’re moving toward that. But I think in a more structured way as I mentioned through the national incident response plan for the US government to come together and say, “Well, what can we do to help and what does this mean for us more than we have before?” And from the State Department’s role, I think we have a much better way to reach out as a policy matter to lots of government and say, “What does this mean?” and also connect with other like the alliance and others since they will, you know, what does this mean, what are the capabilities, what should we do to respond to this? And I really think what that response should be is still something that’s being discussed and talked about generally and that’s part of the debate and still going on. But I think we’re in a much better place now to react very quickly and to understand what this actually means than we were back then.
JASON HEALEY: If this – if there’s a crisis that worries us in the physical world, we might send the frigate offshore and we might have a, you know, the military would be involved in the signaling. A lot of countries think that we’re really active in signaling using the military probably more than we actually mean to be because of the people up there at [inaudible] in 32. How do you think that’s going to play into future conflicts? Whether it’s our actions or it’s whether how other perceived the action?
CHRISTOPHER PAINTER: Look, I mean – I think you have to – I think this has been said often. You don’t necessarily respond to a cyber attack with a cyber attack. You know, there’s all kinds of – there’s a whole range of options you have. And even our international strategy, we said the US is a victim of a major cyber incident and we can attribute it and we look into that point. That we can use all the tools in our tool shed including economic tools, including diplomatic tools and even including military tools as a last resort with presidential approval but that’s all in the table. So I think it’s something that again it’s going to depend on the incident, you know, this goes back to a lot of the discussion and there’s been a lot of discussion – there has been a lot of discussion where some of the - how many angels can you put on the pin which is, you know. Well, what is an act of war in cyberspace and what’s not? I think it’s more fluid than that. I think we have to look at what are impacts, what does this mean, what’s the attribution and then what are our options? And I think our options would be the same with the physical world.
JASON HEALEY: And we’re doing the exercises and this is kind of point out. Okay, great. Some questions Bill? I think I know what he’s going to bring up?
BILL WOODCOCK: So just to – in a way just restate Jay’s question. In humanitarian disasters, we can give food aid. You know, when there is conflict, we can send peacekeepers. There are all kinds of situations in which the US and other countries are able to give concrete material aid. What is it that’s special about cyber where all we do is talk? Why is it that we can make threats but we can’t actually give aid?
CHRISTOPHER PAINTER: So I actually think we can give aid and I think even in Estonia example. What you had is you had various US agencies actually trying to provide assistance and you can provide aid in terms of technical aid and we’ve done that before. You can provide aid in terms of investigative aid. You can provide aid in terms of, you know, the talk. I wouldn’t denigrate talk as much as you just did because part of that is the diplomatic effort that you’re going through. So, you know, I think we will be on just having a bunch of people saying, “Oh, that’s bad,” you know. I think we actually are having people do some tangible things. It’s a little harder in cyber. You also have to look at the impact.
Let’s say you had a major cyber event that cut off the power somewhere, cut off food supplies. You know, we have all those tools that we’re using in the physical world which we could provide to, you know, country or countries that are affected too. So I mean there’s a wide range of different things you can do.
UNKNOWN PARTICIPANT: If it was starting to get [inaudible].
CHRISTOPHER PAINTER: Well, you know, the question is do they have the bandwidth in – I mean it really depends on the circumstances. Can you work with the technical community help? Maybe you can. I mean I think that’s one of the possible options. But you know, it’s hard just to give people bandwidth. Technically, you just can’t say, “Well, here is some bandwidth.” But the technical community can and the technical community can do a lot here, the government often doesn’t do.
JASON HEALEY: And if you watch the movies, what happens in the crisis is that we send in people behind enemy lines to take care of things. You know, it’s mission impossible of sort, so we send you. So okay, are there other…
CHRISTOPHER PAINTER: But I think - when we had some major – some major physical disasters, we send in help, you know, telecommunications and other help as we set up the telecommunication infrastructure, that’s happening now. So I can see that, you know, in time, moving over into the cyber world too because it’s the same [inaudible].
JASON HEALEY: Okay. And then I saw Jaan and I saw Tim and then Robert.
UNKNOWN SPEAKER: Thank you Chris for that very impressive overview. Just – I want to press you a little bit if I may on the CBM, confidence building measures, that you mentioned. You stated that the US had been in talks with the Russians and I think some other countries and that CBMs are obviously a major component of the upcoming GGE negotiations, is there something that you can add to that? And maybe going into a little bit of details.
CHRISTOPHER PAINTER: Yeah. So to me, there’s a range of different CBMs. There’s no magic to this. It’s what builds better transparency and confidence between countries especially when they don’t have that trust now. So, you know, and there are a couple of efforts underway. One is in the Organization for Security and Cooperation in Europe. [inaudible] experience doing CBMs in the nuclear world. Now cyber is not nuclear and we’re not even going to go down that path because, you know, it’s not. But some of the lessons, you know, when you have a group that knows how to do those kind of CBMs and think about them, they could be very creative in thinking about CBMs and maybe we don’t know about that we haven’t thought about.
Now here are some of the ones we thought about is changing military doctrines. So, you know, the US has the defense strategy for operating in cyberspace and recently the Russians have a white paper on their military strategy which is posted in Russian on their websites, it’s not a secret, and those were changed about the same time. That was, you know, we gave the Russians a little preview like a day before I think it hit to them this was coming. And so I think that was one.
Another example is how can you do appropriate CERT to CERT exchanges, you know, the indicators of threats and so that’s underway with the Russians. That’s one of the things that it’s built. There was a lot of complexities there but it’s something I think is important.
Another one is, you know, how do you build better law enforcement cooperation? Sometimes it is just the understanding of what the rules are and what – how do you submit requests. That’s, you know, that can be easy but also it can be very difficult. Another is – and to me, this is one of the key ones, this idea of crisis communication. How, you know, if an incident rises to a national security level for either country and they need clarification and they’re trying to keep this perceptions or miscalculations from happening that could cause escalation in an incident, how can you prevent that? And then that’s one of the key parts of the confidence building measures.
So your crisis communication not necessarily easy because let’s just take the US for example. You know, the question always is who is in charge, who does what and you have a way of actually getting all the different parts of the US government to plan the space and appropriately plan the space to be able to do that kind of communication. I think we’re pretty much there.
But so with the Russians, you know, we’ve been working on how we do that crisis communication. One way is to use things like the nuclear risk reduction center which is something that, you know, it’s almost a misnomer now because it’s used for all kinds of things. It’s not just used for nuclear anymore, it’s used for like, you know, climate control and other [inaudible] we’re able to convey the pre-stage messages that are, you know, translated very carefully so there is no risk of misunderstanding and [inaudible] for all kinds of things. You could say for instance DHS could send a message saying, “We’re going to have a cyber storm exercise next week,” so the people don’t think this is almost like a military exercise, right? And cyber storm is not a military exercise but it keeps people started thinking, “Oh, what’s that all about?” So you get it out there first. Or it could be –we see this particular thing, we want more information about it. And then the two governments can talk in a very structured way. I think that’s going to be very important. I think that should be [inaudible] other governments. So that’s an example.
JASON HEALEY: Tim and then Robert and then the front row here please.
TIM MAURER: Tim Maurer with CSIS. I have a question with regard to the difference between cyber attack and cyber exfiltration and cyber espionage. So Georgia and Estonia have created a lot of attention at the international level and we are now applying some of the frameworks that we know from the military domain to cyber and there’s a lot we can build on. That does not really exist for the espionage realm where the norms and rules of the road aren’t really as well developed. Have some of those structures and mechanisms that have evolved through the last five years as a result of Estonia and Georgia now also been used to discuss what is now, I would argue, more pressing issue to cyber exfiltration because cyber warfare is more of a left hype low probability impact?
CHRISTOPHER PAINTER: I agree. I think, you know, I’ve mentioned at the outset. I think making sure you’re prepared if there is a cyber conflict but I think is unlikely to occur if there is not a physical conflict taking place. But I think that’s important. But it is a very low likelihood – you know, very low probability but high impact event and I think it often gets more attention than somebody thinks we’re actually facing which is a lot of the intrusion activity. And I think you have to disagree with it even an intrusion activity to some extent and I think that one of the key things is, you know, theft of intellectual property and what that means not just for American businesses but for businesses around the world and what the lesson learned from that. So I think yes you can apply some of those same concepts. You’re not going to apply [inaudible] and some of the things they talk about there, but you will apply diplomatic concepts.
You know, one of the things is you’re thinking about norms and there’s an example on money laundering that I think is somewhat instructive, not completely instructive. But if you build a norm about for instance that the theft of intellectual property is not something that states should be doing, it’s not permitted, and that becomes a norm that many in the community in most countries adhere to. Then if countries are outside that norm, they get isolated like any other norm and this happened on money laundering where a lot of countries were turning a blind eye to it and over time it changed. Not be sure the financial institutions help there too, but I think we have to be creative in thinking about how to move this norm forward, but that’s one example you take for it. And I do think that we need to address not just the possible problems like, you know, cyber conflict but the actual things we’re facing and part of that too is hardening the target. Part of it is doing better defensive job which we are doing and I think we’ve come a long way in that, too.
JASON HEALEY: Robert and then up here and then we’ll have to break for lunch. Robert Thomas in the back.
ROBERT THOMAS: Hi, Robert Thomas from BEA Systems. So this is going to be a question and I’m trying to formulate this. It’s in the realm of internet freedom and internet freedom as both adjuncts to the democratization pillar and American foreign policy, but also as a kind of an independent wedge to discuss issues of transparency and governance and openness. What I’m kind of thinking at, I’d like to hear a few comments about how that discussion is evolving and particularly, maybe some of the starker differences in international community about what an internet freedom or access kind of normative regime would look like given that some nations are defining cyber security completely differently including I think some of the Chinese definitions really have to when it’s Russia but have to do with not undermining the government of a state and not using cyberspace in that way.
CHRISTOPHER PAINTER: Sure. I think, you know, I’d say two things about that. One, I know what you’re referring to there is this [inaudible] it goes to terminology too with the Chinese and Russian are fond of using the term information security and that means in part not just system security but destabilizing speech. And I think that impacts directly on the internet freedom agenda and I think the first thing I’d say is, you know, from the US perspective, I think it was critical that when you look at our international strategy, internet freedom is a core part of that. So we talk about economics, we talk of internet freedom, we talk about cyber security, we’re talking about cyber crime. The way I’ve always talked about this is a pyramid where you’re trying to achieve the internet freedom and free flow of ideas in economic innovation and growth and security and others of the base that gets you there. So they don’t have to be in conflict and they shouldn’t be in conflict. You should be able to have both. And that’s the US position that we’re taking very strongly and the Secretary Clinton had spoken about this as well.
Now you do have this alternative vision as you mentioned. You have with the Chinese and Russian have draft the paper in the UN, discussion paper, at this point, but assumed it’s going to be coming up in the fall this code of conduct and the code of conduct has lots of different elements. I mean, we process a lot of kind of older stuff in different ways. But one of the like noninterferences in states is, you know, kind of a thing that goes back 50 years. I mean you’ve seen in different forms. The idea of a more status control of the internet rather than the multi-stakeholder system, so rather than having industries, civil society and governments, it’s just governments and just, you know, governments may be not even acting collectively, and then this idea of really inhibiting the flow of information by looking at content in a more dramatic way. So obviously that vision is not a vision we want to prevail with a lot of people on defense, the G77 and other countries and it’s very important that we talk to them about that. So I think that is a real issue with something we’re very much focused on going forward.
I’d say there have been some really good developments. The OECD Guidelines, Internet policy guidelines, multi-stakeholder [inaudible] it’s the heart of those who talks about opening information and 34 countries signed off on that. But again I think that’s part of the vision we have to push and that’s one of the strengths of this international approach that we’ve taken is that we’re merging all these together and you just don’t have people talking back, “Freedom over here and security over here and not really bringing them together.”
JASON HEALEY: If you can make it really short, we’re about ten minutes over.
UNKNOWN PARTICIPANT: It’s short.
JASON HEALEY: We’re missing Virginia lunch, so…
UNKNOWN PARTICIPANT: There is a lot of discussion about the mix of kinetic and cyber responses in the event of some sort of cyber conflict or broader, but most of what the Chinese and, to a lesser degree, the Russians have done is steal our secrets and our ideas which are key to our economy yet we have not as far as anyone I’ve heard knows put a bullet into the head of one of the hackers who have done this or similar. There’s a lot of criticism in the Pentagon about whether we should fire some sort of shot across the bow of countries that continue to do this.
CHRISTOPHER PAINTER: So I think there are a lot of things going on. I think that we have to look at what the threat is and we have to look at what the effects of the threat are and we have to look at our responses in every case. I’d say that, you know, I’ll just quote what my boss Clinton said recently and in China when we were there a couple of weeks ago when she said the whole [inaudible] intellectual property including trade secrets and business proprietary information is one of the huge concerns for the US and around the world and she said that China and US is two of the biggest actors in cyberspace need to think about what’s appropriate behavior and what the rules of the road are and, you know, we’re going to have frank discussion. And so I think there are, you know, there is the diplomatic part, there is the, you know, there’s other options, there’s economics issues that goes back to I said the international strategy. You have a range of different ways to respond to things, but you have to respond appropriately to what the threat is and have a good sense of what that threat is.
JASON HEALEY: Thank you very much, ladies and gentlemen. So we’re going to take – I want to keep us – we originally have 35 minutes for lunch. I’d like to keep us towards that so let’s figure an ending at 12:35 and reconvening. The lunch is out here at the top of stairs to that can apply going – oh, I’m sorry, the difference of nation-states and how something that an event that might not be important criminal or technical could be incredibly important when its nation-states involve. So look at tomorrow and what we can expect for five to ten years and what that means for planning and preparedness. I now turn it over to Barry Pavel. Thank you very much Barry and so…
BARRY PAVEL: Thanks.
JASON HEALEY: Thank you.
BARRY PAVEL: Well, thanks. Thanks everyone. We should have no shortage of interesting issues to discuss on this panel which is the future of cyber. Ten years from now is basically might as well be 40 years from now but we’ll try to get a handle on it. Nonetheless, we have three very excellent panelists here who I’ll briefly introduce. The lead speak for five to seven minutes. I might ask them a couple followup questions and then we want to make this a discussion with all of you.
First, to my immediate left is Dmitri Alperovitch who is the Chief Technology Officer and co-founder of CrowdStrike. I just consider him the king of cyber threats, that’s how I think of him and I…
DMITRI ALPEROVITCH: Not in terms of [inaudible].
BARRY PAVEL: And I have no doubt he’ll live up to that again today. We have Eneken Tikk-Ringas who I think you saw earlier today, so I won’t go into her biography in detail, but she started the discussion this morning which I think she’ll continue to flush out a little bit in the context of the future challenge and then I just met and had a nice conversation with Bruce McConnell who is the Counselor to the National Protection and Programs Directorate in the Deputy Undersecretary Office of the Homeland Security Department. He has one of the more interesting business cards I’ve seen in government where his title is cyber plus strategy and we should find out what the plus really means in this discussion.
So no shortage of issues, but just to cover a few of them that I’m interested in and that you saw on the agenda, what are the chances of cybergeddon if you see Jay Healey’s paper on the five futures of cyber conflict what might that look like, is it overdramatized. I get this question everyday as I’m sure all you do. How might cyber threats combine and more with other technology threats, bio, nano, and more conventional forms of cyber threats that you might be more familiar with? These are questions I think we have to pose if we’re looking out in a ten-year timeframe.
And then more importantly or perhaps equally important is how should states and institutions and people get a handle on these future challenges, how can we best prepare, how do our current strategies prepare us for the world that’s coming, and then if they don’t adequately give us a hedge portfolio, how do we need to adjust those capabilities and strategies to deal with what we think might be coming.
The only thing I know for – I know two things for certain about this panel. One, it’ll be very interesting. Two, we’ll undoubtedly miss some important things that come in the year 2022 but we want to try to get there nonetheless. So without further ado, I think I’ll turn to Dmitri to give us his sense of the range of threats that we might want to be anticipating in ten years.
DMITRI ALPEROVITCH: I was saying to Bruce earlier that we actually have these panel here because we can talk about whatever we want and no one can contradict us because in on the future, right? No one has the answers. I just spent a lot of time thinking about the use of cyber particularly in warfare and the development of cyber weapons. I actually think that there are some real complexities in the use of cyber weapons that do not make them an ideal military tool. If you think about cyber weapons and compare them to conventional methods of warfare, they’re typically single use, right. So if you use a weapon such as [inaudible] for example and ultimately, that it is discovered, you can no longer reuse those vulnerabilities effectively and have to recreate that capability in some other fashion.
There’s also blowback issue. If you have an interesting zero-day vulnerability and some physical or a virtual system that you’re trying to exploit, well, it’s likely that your own systems particularly in private sector as well as in the government are also vulnerable to it and you are – of course, you have issues of do you want to patch yourself and potentially alert the adversary that this issue is now known and they are going to patch it themselves. Or if you use it, you run into the risk of the adversary is going to discover it and use it against you.
The other problem that I think is probably the biggest problem in cyber is BDA, how do you do battle damage assessment and its difficult enough doing it in the physical world but certainly when you’re doing it in cyberspace. Can you really have confidence that the impact you were trying to achieve was actually inflicted on the adversary particularly if the adversary can use a wide range of [inaudible] deception and another capability is to actually distort you of what is happening.
And I think for those reasons and others, cyber is actually in my view can be limited primarily to the realm of intelligence collection which is a fantastic tool and has been used for exploitations on a daily basis today by nation-state adversaries both in the national security space as well as in the commercial space, and it’ll also be used for covert action such as Stuxnet.
And for those purposes, I think we’re going to continue to see evolution of those capabilities. But I’m not actually sure that we will see attacks like we have seen in Estonia in the future that will actually raise the level of strategic impact and certainly if you look at Estonia, their capabilities have improved dramatically since that event in 2007. And it has become more and more difficult to actually take a country off the internet through virtual means alone and quite frankly, if that is the goal of a nation-state adversary, it is much easier to use physical destruction to target cable [inaudible] to target internet exchange points and other physical infrastructure through bombing campaigns or other covert action and achieve [inaudible] you’re actually taking them offline is much, much easier to do than cyberspace. And will that ultimately result in a much greater difficulty for the country to actually bring themselves back up.
But whether a nation-state would actually want to employ that technique in warfare, I’m not certain because at the end of the day, the intelligence that you can derive through cyber exploitation is so enormous that it’s not clear to me that you would ever want to turn off that nation-state internet because it prevents you from actually trying to exploit them for information gain in warfare. So I think that there is a great deal of complexities when you think about the types of attacks when we see particularly in nation-state [inaudible] actions. And we need to start thinking through them and evolving our defenses and our approaches in terms of how we can react to each one of them separately. I think we need some talking about cyber and as a big, you know, mythical term and start talking specifically how are you going to deal with exploitation attacks, how are going to deal with destructive attacks both in virtual space and physical space, how are going to deal with integrity attacks which I think are actually most nefarious attacks that we don’t pay enough attention today.
If I’m going to try to achieve a strategic impact on a victim, I would want to do an attack that is stealth that modifies the data, modifies their systems in a way they cannot detect and can potentially be very long lasting and can cause considerable damage over time. If I just do disruptive attack, they’re like they are going to rebuild, bring themselves back up online, fix whatever vulnerability I used to get in and the battle continues. If I am able to modify their databases, modify the state of [inaudible] for example, that starts to give me very strategic advantage [inaudible].
So that’s my brief view on the future of cyber threat.
BARRY PAVEL: Thanks. If I can just ask you a couple of follow-up questions before we turn to the other panelists, so Jay’s paper sort of painted the future in this area from paradise where everything is trusted, everything is reliable, everybody cooperates to cybergeddon where nothing is trusted, you know, this integrity issue, nothing is reliable and there’s constant disruptions of access to this. It sounds like you’re more in towards paradise and away from cybergeddon. What I heard from you was a little more – some evolution of these types of threats but nothing discontinuous and nothing on a strategic scale.
DMITRI ALPEROVITCH: I think I’m probably somewhere in the middle. I think that we may live in a world where there are no secrets either in governments or in the private sector and anything can be accessed and retrieved. I think that we may be in a world where integrity attacks are very insidious and you need to start thinking about resiliency and backups [inaudible] how to take those systems offline and actually ensure the integrity. But I don’t think we will see a cyber 9/11 or cyber Pearl Harbor.
First of all, achieving physical impact in cyberspace and particularly impact on human beings, killing people is incredibly hard and certainly doing that in a targeted manner is nearly impossible at least today and I don’t think those analogies suit us very well. So I’m somewhere in the middle. I think it’s going to be a dangerous terrain, but I think we can look through it just as we look through various other threats that have popped up over the centuries.
BARRY PAVEL: Okay, thanks Dmitri. Mr. McConnell, do you want go next in terms of what I think you’ll address? I think it’d be better if you [inaudible].
BRUCE MCCONNELL: Thanks. I just want to comment to Dmitri’s point. So what I want to say is which is that I agree completely with the point of view with nation-states if you think about actors – non-state actors who may have less to lose and why not that they can [inaudible] onetime thing that they don’t care about blowback may be a different calculus. Obviously, we’re not there yet. It doesn’t appear in terms of capability but...
So I think ten years is a long time but we are talking today on the fifth anniversary of an important event so things do stick around as they say. What happens on the internet stays on the internet for a very long time. And so, you know, I think it’s not impossible to think about ten years from and I think it’s important that we do so.
So what I want to talk about is kind of the role of the institutions in managing this issue going forward because you look at the world today, there are five billions that my boss, Deputy Secretary Lute likes to talk about. There are five groups which over a billion people or about a billion people actively identified with being Chinese, being Indian, being Catholic, being Muslim, and being on Facebook. So something is changing. Something is changing, alright. And so that’s kind of the basis for my point.
So what do we want out of governments? We want them to be competent and in this area that means need to be able to scale, we need them to be responsive or agile particularly in cyber and we need them to be accountable. So what we have today is kind of a mix of things and if you look at the way people are institutionalizing trust, it’s not as much as it used to be in the nation-state. So I learned a new word in German a few weeks ago, Wutbürger which means angry citizen. This is a neologism that is being used in Germany because just like in many other places, there are a lot of citizens who are angry kind of in a way that it’s not directed at anything in particular but it does definitely impact on the ability of people to institutionalize trust in government and particularly if they are unable to scale, if they’re not agile and responsive that you can’t hold them accountable, those things undermine net.
So on the one hand we have government who are stepping into the cyber realm and the questions of how to manage this issue globally, obviously somewhat slowly and so there’s conversations earlier today about, you know, extra in a larger level institutions like NATO and why aren’t they moving faster and whatnot. At the same time, the real work of securing the internet and managing these incidents on a day-to-day basis is handled by a lot of informal private sector somewhat public private trust groups that are based on, you know, personal relationships and kind of esoteric technology and technical knowledge.
So you have kind of two ends of the spectrum in terms of the institutions that are out there trying to deal with the problem and, you know, more or less effective in different ways and you have the Budapest convention and everything like that. So what’s in the middle between those two things? So we have one example so which is ICANN right. It’s a multi-stakeholder model and I think of ICANN is the Wright brothers’ airplane of the future international organizations because it like if you saw the Wright brothers’ airplane, you would say, “Well, this has got some interesting things but here is five things or ten things that are wrong with it and why it won’t work and it’s impractical in a way. It’s hopeless.” And you can say some of those same things about ICANN and yet the Wright brothers’ airplane was the future of the aviation industry. And so, I think we need to collectively think about what kind of institutions can be created that have the characteristics of what we want governance institutions to be that use and involve the net the five, you know, the billion on Facebook and everybody else to help us protect ourselves because we can – this is not something as we all know here, that can be done on top-down basis. Cybersecurity is a very distributed problem. There are things that have to be done centrally. Nation-states do have a role but I don’t think we’re going to in a way move – we’re all just moving today, be able to rely on nation-states and on international organizations that move even more slowly to solve the problems at the scale and agility that we’re going to need them.
So my request is that – my prediction then ten years from now - I’m an optimist, so we will have a bunch of different versions. We’ll have the Curtiss Jenny. We’ll have the – you know, we’ll be out of the biplane era. We’ll be into – I don’t know if we’ll be in the jet engine era yet of international governance institutions that bring together a lot of different kinds of people and work in different ways and we’ll have worked out some of those things in cybersecurity where one of the leading issues, one of the first places where we’ll test those models globally because we’re already doing it.
BARRY PAVEL: Thanks. Just a question and so – I mean, you focused I think on [inaudible] institutions like ICANN. Will there be any sort of self-forming mechanisms…
BRUCE MCCONNELL: Certainly, there must be self-forming mechanisms, right. So a lot of the things that we have now that are working at the operational level really are self-forming and there are alliances of like-minded people who are trying to make things happens, so I absolutely agree. I think we have a lot to learn from complexity theory in this area and that that can teach us that some interesting life forms will spring up in this environment that we – is hard to predict what those are exactly going to be. But I think that’s a good – I appreciate that point.
BARRY PAVEL: Okay. And then the [inaudible] that always comes in my head is so if there’s mechanisms forming to strengthen governance in a collective fashion, will there be mechanisms forming to reduce governance in a collective fashion? And how – and maybe it is just something to discuss later but how will that…
BRUCE MCCONNELL: Being like Anonymous for example?
BARRY PAVEL: Yes, so how will that place play out? And having been in Chicago, we felt Anonymous closely last weekend.
BRUCE MCCONNELL: Yeah. So you have Anonymous, you have organized crime, many groups like that which are – but you have also the long history of communities developing on the internet in the academic community and whatnot. So I think there’s hope there, but I agree with you. It’s not a clear path and there will be competition.
BARRY PAVEL: Right. So if we have ICANN, there might be ICANT. I thought Jay would appreciate that.
JASON HEALEY: Thanks very much and now Eneken, would like to give us the benefit of your thoughts?
ENEKEN TIKK-RINGAS: Yeah, I was trying hard to single out things that I won’t be able to mention so – I will start actually with something that takes me 15 years back and so there was – when I started doing IT and law – that was late 90s, and I read an article written by Frank Easterbrook and he wrote an article titled ‘Law of The Horse’ and he said, in 1996, that we’re developing a trend where we are finding this area of cyber law and that more and more people – students in law school will be studying the cyber law but he said over years, that will take us to a situation where we have cyber lawyers who don’t know a thing about other areas of law and then we will have cyber all over the place. And a cyber law to take care of it whereas actually touches upon every element in society. And this article was rejected by the community at that time. And I didn’t understand it at the time and now I say it makes perfect sense meaning that a cyber lawyer cannot do a thing because cyber is all over the place.
Now, that leads us, in my opinion, that has led us to sort of natural competition. A competition between international organizations because they have their niches but cyber is all over the place. It’s too difficult to figure out who’s in charge. A competition among – between the areas of expertise – not only between different lawyers with different background but also between techies, policy people and so – it’s difficult to make sense who is in charge, who should tell others what to do. And last but not least, for example, the dictionaries because everyone uses the wrong vocabulary. And that’s no wonder then – we look at back at this 2007 Estonian we think they’re like – those guys had two weeks of heads up, techies had – they had seen it before so for them the two weeks’ notice was not a big thing. For strategic people had they known what they know today, that would’ve been a huge time to do whatever. Just that was five years ago so we didn’t know better.
Anyway, I think that’s why we need to approach 10 years from now and I think hopefully 10 years from now we will have a lot more – a lot less generic discussions on cyber because we all already realize that cyber is an empty word. It can be fully loaded or it can be fully empty. Depending on what do you mean. Do you mean DNS? Do you mean – do you mean cyber crime? Do you mean – what do you mean if you say cyber and cyber security? And so I think this event already is a very good example of an event where you bring people together and actually hear something new that is not completely generic.
So I also think that 10 years from now, we will have a lot better remediation of these incidents and we will have it a lot better because as Chris mentioned earlier, we already realized that there is not more than one avenue of remediation. He mentioned actually military. But he also mentioned economic and diplomatic. But there are even more because in cyber, social is one great avenue of remediation. And so would be intelligence and law enforcement so there are so many ways to take that sometimes it confuses us and so we’re not able to find the right one even after five years after Estonia.
And I think in five years from – in ten – five whatever years from now, we will be in a sense much more like-minded meaning that today we’re building like-minded coalitions. And we’re somewhat reluctant or actually only starting to deal with dislike-minded or kind of less-like minded countries.
But I picked up a quote from – or something that the equivalent – the Russian equivalent of Michele Markoff, their lead diplomat on cyber setting in [inaudible] and he said ‘well, we have all the time to talk these days because nothing is really hitting us’ and if you – you know – we believe you then that might continue for a while but he said also that we were talking about an asteroid to hit the Earth you know ten years from now. We would not be talking about the Finisians or the lack of them, we will just act. And I think ten years from now we will have a lot more ground to actually act based on this planning that we do even though the plan may not work out but the phase of kind of the – procedure of getting there is helping a lot.
And to wrap it up, somebody said no secrets. Was it – anyway, I am just recalling my master’s thesis which I wrote on informational self determination actually about privacy. And the underlying kind of thesis there was that the actually the less secrets a person has the more freely the person acts. So maybe, maybe that kind of – no secrets will not be a bad thing after all.
Alright, so I think that would give the overall compilation of things that I wanted to mention and thank you.
BARRY PAVEL: Well, thank you. So for you Eneken or for any of the panelists, the question that comes to my mind is we’re right now living through a period where there is massive state-sponsored exfiltration of data from other governments as well as from private sector companies. In a sense, in my view, sort of upsetting the international economic and security order – I mean, there’s no other way to think about it, so what do you think is the future of – will we be seeing that ten years from now? Will there be legal mechanisms or more cooperative approaches to stopping that or will that just continue? Or is that impossible to tell?
BRUCE MCCONNELL: I think if it continues, the way it has been going right now, ten years from now we’ll have a very different [inaudible] cyber space – something clearly has to be done about it. I actually think that these solutions don’t necessarily rely on cyber space. There’s a wide range of diplomatic, economic, and other pressures you can bring upon the culprits of this activity with China to get them to stop. But I think espionage in a national security realm will clearly continue. It’s been going on for thousands of years and cyber is a great force multiplier in attempt into conduct these types of activities and I think that for military campaigns for national security strategies that will remain a major issue of how do you live in a world where nothing is – nothing is private.
BARRY PAVEL: Thanks. So...I’m sorry.
ENEKEN TIKK-RINGAS: I was – sorry...
BARRY PAVEL: Please...
ENEKEN TIKK-RINGAS: I was just thinking maybe somebody else would say – I would say again as a lawyer, you know, purely from legal perspective, we have certain legal areas that are there to protect our information. And I would just bring the example of data protection meaning whether we like it or not, it’s there to protect our data.
One of the kind of center principles of data protection is whoever has data – especially when it comes to personal data. Just bring it as an analogy, whoever has the data, has a legal obligation to make sure that this data is not stolen. Now we haven’t had that for years and what I’m saying here is that the law is still the same. The situation has changed and when it comes to espionage then one thing whether we like it or not, is that under international law there is no good remedy but the reason for that is we always wanted it to be that way because we wanted nations and states to be able to make decisions for themselves, how to deal with national security. And that’s the reason why there is no kind of legal – silver bullet to that; whereas, there are national responses. But when we think even of WikiLeaks, then I think that we need to be really critical and practical about the first responses to situations like this which is first what are the real options to protect information.
UNKNOWN SPEAKER: Just [inaudible] because I agree that the solutions to these problems don’t necessarily rely on cyber space that you have to use all the tools, diplomatic and others to – they have conversations about norms. But that we can’t wait until we agree on all the norms so we have to move out on that but I do agree that to some extent – you know, there’s our concept of attractive nuisance. So you know if you just leave your convertible parked out you know, on the street in a bad neighborhood with the keys in it, you know, you have some responsibility there if somebody steals it. And so same kind of thing. It’s right now – it’s pretty easy to steal this stuff and so...we do have some due diligence on the protection side.
BARRY PAVEL: A very good point. Not always be followed but it’s an excellent point. So we’ll take questions now. And Mr. Nelson?
MIKE NELSON: Mike Nelson, Georgetown University. I’ve been very involved in the internet society here in Washington through a feat of incredible bad planning. We had a session this morning on cyber security 2020.
And four really good speakers looking at some of the sacred myths of cyber security and I won’t go through all of the ones that we slayed this morning but the ones that really got the most attention were in the area of identity. Tens of millions of dollars – hundreds of millions of dollars are being spent on establishing Mike Nelson is Mike Nelson.
And in this session this morning, we said that a lot of that is misapplied. We should be spending money focusing on what my attributes are, what my authorizations are but not necessarily what my DNA or my fingerprints are. Give me something that let me tell the world that I’m over 50, I can drink, I can smoke, I can vote but don’t bother to tell everybody who I am and this is the way to decouple some of the security concerns of my identity.
So I guess I’d ask the question in ten years, do you think we’ll finally get identity right – we’ll have us a cheap, easy to use secure system that will actually work around the world because this is fundamental to getting this whole problem fixed. If we can verify who’s getting into systems, we have much better chance of keeping the bad guys out.
BARRY PAVEL: Obviously a question for the panel but if you could also sort of draw the implications of that or the relative utility of continuing to use cyber as a commercial and economic enterprise – I think that would be helpful. So future of identity.
UNKNOWN SPEAKER: I don’t think so. I think it’s very challenging problem. And to be honest with you, it has limited impact on cyber security. I mean very few attacks in the real world today actually attempt to compromise authentication scheme. So even if we had – well that was the way that got into our [inaudible] was not by compromising the RSS security. So that’s what we’re ultimately after but – regardless of that, I think that the fundamental problem is that we have all abilities you know, hardware and our software, they will forever remain there. I mean we fundamentally do not know how to build secure systems. It’s incredibly challenging task and our systems are actually becoming less secure as they’re becoming more and more complex. And even outside of the supply chain issues, which are enormous, you have issues of when you have a thousand people working, and bring something together, the likelihood that there’ll be vulnerabilities in the [inaudible] of these different components are pretty high. And I think that’s a situation we’ll have to live with for the foreseeable future.
ENEKEN TIKK-RINGAS: I think also this kind of discussion of identity and attribution to extent something that Chris said – or correction Chris was asked like how do we aid these days when it comes to cyber war so we aid the countries financially or economically but I was thinking like you know, we can’t approach this issue like if somebody has a cyber problem, let’s just aid them by taking their computer away. And so I think the aid situation here parallels to the questions of I think in ten years from now, we will just have a better understanding how to live, how to cope with limited attribution. And those who really have an issue of attribution have done something about their systems. You have more kind of controlled identity. And then so it can be one kind of – one opens-it all solution for the whole society in a way.
UNKNOWN SPEAKER: Can I just make one comment?
BARRY PAVEL: Oh yes.
UNKNOWN SPEAKER: I don’t believe attribution is an issue today. I mean there’s a question of how much attribution do you need, if it’s the level that you’re looking for is a [inaudible] law proof then yes, of course it’s very difficult. But if it’s the level you need to make a political decision to respond, that’s a very very low level. And all you have to know is who benefits from that information and some attributes related to who you may think is behind it. And that’s typically enough to make a political decision to respond so...in most cases of the cyber attacks we deal with, you know very well who’s behind it and who’s benefiting from that information. It may not be enough to prosecute them for it and certainly if you deal with nations and states that’s not something that you’re looking to do but it’s enough to have an effect [inaudible] with them and bring pressure on them as a result of this activity.
MIKE NELSON: Sure I wouldn’t disagree with that any of that, any of these points. I think the identity question may be broader than just stopping cyber attacks, it’s about competence and trust. And I think an example of an emerging institution in this area might be eBay so eBay you know does not come to a binary decision whether or not you are Mike Nelson. They come to a level of confidence that you know, you probably are Mike Nelson given where else you’ve been on the net, where you’re coming from, you know, what other information you have or enough to know to make a risk-based decision that okay we can give you these privileges and I think you know, if we start thinking about that way then if you have a low threshold of need then you got it, and if you need a high integrity – a high integrity conversation where your big financial transaction then you’re going to want a higher level of confidence.
BARRY PAVEL: Great. A question in the second row up here.
UNKNOWN PARTICIPANT: Hello. My name is [inaudible] but I wanted to ask them from Bruce that in ten years definitely our living space will be much smarter. So we have a smart home, smart houses, smart roads, whatever. And it’s clear that the current ways of dealing with the cyber security doesn’t scale – what do you think actually – how would this operation will look like in ten years?
BRUCE MCCONNELL: How which operation?
UNKNOWN PARTICIPANT: All – smart living space.
BRUCE MCCONNELL: Living space?
UNKNOWN PARTICIPANT: Yeah.
BRUCE MCCONNELL: You mean like for example, smart refrigerators and things like that?
UNKNOWN PARTICIPANT: The internet of things.
BRUCE MCCONNELL: The internet of things?
UNKNOWN PARTICIPANT: Everybody has a [inaudible]
BRUCE MCCONNELL: Yeah. So we just recently issued – the [inaudible] just recently issued a bullets on health devices implanted in other ways and you know, they’re all being connected to the some other things that are being connected to the internet. And I guess I would agree with this gentleman here that we don’t know how to build these things smartly or securely but we could at least build them with some awareness of security issues so I recently did buy a refrigerator and decided not to get the one that have – had the internet connection on it. So I think that’s we just keep exposing more and more attack surface. Now, you know, so you take out my house and you know, it’s minor inconvenience for me but if you look at smart grid or the hacks that have been shown with [inaudible] on cars and automobiles just like – you know, it’s a playground out there. So I don’t know what it takes. You know, we had the wake-up call at the nation state level right in Estonia and Georgia, and but it was a wake-up call, you know, at the industry level, I don’t know what that is yet.
BARRY PAVEL: Thanks. Questions? Yes. Fourth row.
UNKNOWN PARTICIPANT: [inaudible] CSC, this may be more in the area of a comment but if you want me to put a question mark on the end – I think the vision that has been formed by the US government and key folks in the private sector can be summarized with three major initiatives; one is the overarching vision which I think is the cyber ecosystem effort that DHS released in March of 2010 – it’s a bottom up effort – automation, interoperability and authentication. It is a vision for a bottom up. It is consistent with the US government policy on ICANN, a multistakeholder model. The second is end stick building on Mike’s point about identities closely related to authentication piece of the cyber ecosystem effort. The third is the effort and it’s really two parts; one is the FCC and the IS piece best practices – sharing of information about botnets and the very very important role of ISPs that if we need to share information better so that they know who they have to go back to to enforce the agreements between ISPs. If there’s malicious traffic coming from somewhere so we need to marginalize folks, we need to force them into ISPs that aren’t trusted so organizations can decide this is who we’re going to trust, this is who we’re going to let in.
The parallel effort is the effort of DHS to White House commerce in the private sector on the botnet information sharing initiative. The private sector’s boot been doing the bulk of the work in cooperation with arena folks at commerce and that is the principles for information sharing on botnets that has been developed by a broad coalition of private sector groups. And that idea of sharing information they can feed in the automation, they can feed in the operability, they can feed in the – enforcing the norms of conduct of private entities to help us protect ourselves. I think it sets a pretty darn good vision of where we might be in ten years.
BARRY PAVEL: Any comments from the panel and also from the audience because that was a very I thought, coherent and important intervention that does give you a sense of rather optimistic sense I think of the way that the internet is moving towards.
UNKNOWN SPEAKER: I’m actually on issue of cyber crime – I’m actually pretty optimistic. I think that there’s a lot of progress been made both on the technical side but even more importantly on the law enforcement side and the diplomatic side are actually getting nations to agree that this have to behave as an acceptable and to start prosecuting groups even in places like Russia and China where the governments are starting to look very carefully what is happening on our backyard and that a lot of these groups – they sort of had a blind eye, too, in the past and now starting to engage in this type of activity pretty incessantly within those countries causing quite a bit of [inaudible]. So I think in those areas there have been a lot of arrests and a lot of really great prosecutions of organized criminal activity and individuals and I think in ten years, cyber crime will always be with us just like regular crime, the level of impact I think will be measurably reduced.
ENEKEN TIKK-RINGAS: I would just take up this optimistic note once again. I think there’s a lot today again to be optimistic about and botnets were mentioned. And I’ve recently looked into a few botnet studies, botnet cases that have been resolved then by Microsoft – by the Spanish government, by the Dutch government and etc. etc., and so there is at least in this particular field we have so many lessons learned that would tell us not only what we can potentially do but also single out these few things that really pose an issue to dealing with for example, botnets. And I think the same goes for other fields meaning that if we really want to know what is a problem in ten years from now, actually in a year from now, we still need to start by looking back at those cases that had been tried instead of and then it goes back to 2007, we learned that a lot that we figured will be an issue in resolving things and it didn’t become an issue in the first place. But instead we figured, small things that we never would have come up at as a government, as experts, etc. that really didn’t kind of sound the way we hoped them to be. And so there is a lot of case studies out there to take a closer look into and one thing about sharing information or studying or learning from others’ experiences that right now we’re in the middle of exchanging best practices, that’s the kind of trend that we’re following and then many organizations go for that. But I think even more important is the step where we’ll be able to share worst practices. That means to really openly talk about at least among like-minded about those things that haven’t worked out so far. Because national pride here comes to play which is no nation really wants to tell another nation that ‘uh, yeah, we did that and it didn’t really work out’ so instead we still kind of keep promoting all those models that we have set up. If we look at the other side, that information would be so much more valuable.
UNKNOWN PARTICIPANT: Thank you very much.
BARRY PAVEL: I think we have time for one or two more questions – if anyone has any? Yes, over here.
RAYMOND BARROW: Thank you, Raymond Barrow, at the Reporter. A question for Mr. McConnell. You talked about international government – international governance and I’m just wondering if you think how US government policy might be willing to embrace – a sort of international coregulation because [inaudible] those willing to say ‘play ball with’ – other examples like the International Criminal Court is whether or not the US is willing to say ‘I’m going to give up some kind of sovereignty in the area’?
BRUCE MCCONNELL: So I just would like to say a couple of things because I think we’re running in different direction – so one thing I’d say is, you know, we’ve been actively promoting successfully the accession of the Budapest Convention were not – you know, we weren’t the first adopters. But we got there and so we’re very excited about that – Dmitri’s point about cyber crime. I think the point that Ene made about the botnet code of conduct is a place where you’re also seeing if not you know, a reduced reliance on national sovereignty in particularly legal matters, you are seeing a much more cooperative approach involving the industry and you know, working on a – increasingly now on a multilevel basis to kind of come with a hybrid solution that doesn’t put it all on governments at any level to deal with the problem. So I think where all countries are you know, some distance away from formally yielding up a lot of sovereignty but obviously in some countries, more than in others and in different areas as we are talking about state run internets earlier. But I think there’s some hopeful signs there.
ENEKEN TIKK-RINGAS: I have to be honest, I admit I was thinking about something else.
BARRY PAVEL: We have time for one more question or one more thought. If not, I’ll turn it over to Jay Healey. Well, thank you all three of you for some very thoughtful and a bunch of...
JASON HEALEY: Thank you for joining us today ladies and gentlemen. Today, we look at [inaudible] a secure cyber future. We looked back, starting out with Estonia 2007 and looking at some of the lessons. Looked at today and here we look – we finished with some great panelists that helped us think about ten years on from today.
The results of this is we will work with Microsoft to publish an Atlantic Council issue brief that has some of the findings and some other thinking that will partially reflect what was said here but we don’t want it to just – to only talk about the things that were here because we find those tend to be more cloudy for people that weren’t sharing the event with us to understand so we’ll make sure that we add in some additional material to help make the most of that.
As we mentioned, with this partnership with Microsoft, we hope to be having several of these events over the next year that are looking at how we avoid the – how we are trying to get the best future of some kind of cyber paradise for defenses much better. But more importantly, how to avoid the worst because what we don’t want is to be – striving so hard to get the cyber paradise that we swing and we miss the ball and we end up with one of the worst. So we think it’s probably the best thing to try and do and avoid that worst kind of future.
We said we would finish up at 1:30 and we’re just hitting that. And we said we would give you a nice full belly, and hopefully we did that. And we promised you an interesting day with great speakers, that would give you some ideas and some contacts that hopefully you’ve never heard before, and I think our panelists really did deliver on that.
So thank you very much all the panelists.
Thank you very much again to Microsoft and Andrew, do you – Jan, do you want to close this up?
UNKNOWN SPEAKER: Okay thank you.
UNKNOWN SPEAKER: You’re doing a fine job.
JASON HEALEY: Great. Thank you very much. And I have to say I was hoping that we’ll have more time to hear about Microsoft and botnets and security response because I think that’s one of those good ways to get us to feature but that’s going to have to be for the next event.
So I hope to see each and every one of you at that next event. And you’ll be getting an invitation from us.
Thank you very very much.