THE ATLANTIC COUNCIL OF THE UNITED STATES
INTERNATIONAL ENGAGEMENT ON CYBER:
ESTABLISHING NORMS AND IMPROVED SECURITY
WELCOME:
CATHERINE LOTRIONTE,
EXECUTIVE DIRECTOR,
INSTITUTE FOR LAW, SCIENCE & GLOBAL SECURITY
KEYNOTE ADDRESS:
LIEUTENANT GENERAL (RET.) BRENT SCOWCROFT
PANEL 1:
NATIONAL SECURITY, LAW ENFORCEMENT, AND DETERRENCE
PANEL CHAIR:
GENERAL (RET.) MICHAEL HAYDEN
WEDNESDAY, MARCH 30, 2011
WASHINGTON, D.C.
Transcript by
Federal News Service
Washington, D.C.
CATHERINE LOTRIONTE: Good morning and welcome to Georgetown University. It is an honor to have such a distinguished group of speakers and participants with us today. Your attendance today is evidence that engagement on cybersecurity is a priority for many stakeholders around the world. Both the Institute for Law, Science and Global Security and the Atlantic Council are pleased to bring you this conference, which comes at a very important time for the international community.
The Institute for Law, Science and Global Security was established at Georgetown University to promote teaching and research in the areas of international law and international relations, and currently hosts the university’s Cyber Project. With an increasing demand for policy development in conjunction with legal analysis of cybersecurity measures, in 2006 the institute added the Cyber Project as a major element to its work.
The Cyber Project draws from the diverse expertise across the university, and focuses on the academic and policy components of cybersecurity issues that are related to both private and public sectors, foreign and domestic. With the support of our co-host today, the Atlantic Council and the council’s Cyber Statecraft Initiative, we are excited about the prospects for continued dialogue on cybersecurity as a key issue for the global community. The council’s initiative focuses on finding international consensus among like-minded nations on challenges in cybersecurity and provides thought leadership on how to integrate cyber as an element of national power for the purpose of international cooperation.
Our venue today, Gaston Hall, is no stranger to significant debates concerning the hardest problems of the day. On November 25, 1919, Father Edmund A. Walsh stood on this very stage and announced the creation of the School of Foreign Service – speaking just five months after the end of World War I. The creation of the School of Foreign Service here at Georgetown University marked the recognition of the need to equip our future businessmen and official representatives with the necessary knowledge and training to effectively solve the problems of tomorrow.
As discussed here in Gaston Hall that day in November of 1919, the definitive lesson from World War I was the realization that, in the words of Father Walsh, the world constitutes one huge family, whose interests are common and whose members are interdependent. What a valuable byproduct of that world tragedy – and still relevant today as we speak of cybersecurity. Today, as in 1919, the Georgetown University community joins hands with commercial, industrial and governmental interests, foreign and domestic, to seek the fulfillment of our joint obligations in the international community to improve cybersecurity for all.
Just so no one thinks that Georgetown University is all about work and no play, this stage has also been the platform for much more entertaining moments – according to the students – with artists ranging from Dizzy Gillespie to Bruce Springsteen having played on this very stage.
Drawing on the experience of government practitioners, industry representatives and academic scholars, this event brings a multidisciplinary international approach to the challenges of cybersecurity by drawing from legal, technical and policy fields, foreign and domestic. Our lineup of panelists and participants in the audience today include representatives from international and regional organizations as well as national governments, countries from almost every continent, directors of government agencies, academic experts and industry leaders.
To begin today’s conference, I am delighted to introduce Lieutenant General Brent Scowcroft, who is one of the nation’s preeminent authorities on international policy. His distinguished career has included posts as assistant to the president for national security affairs in both the Ford and George H. W. Bush administrations. He also served as military assistant to President Nixon and as deputy assistant to the president for national security affairs to Presidents Ford and Nixon.
While in the military, General Scowcroft held positions in the organization of the Joint Chiefs of Staff, headquarters of the U.S. Air Force, and the office of the assistant secretary of defense for international security affairs. Other assignments included faculty positions at the U.S. Air Force Academy and the U.S. Military Academy at West Point, and assistant air attaché in the American Embassy in Belgrade, Yugoslavia.
General Scowcroft serves on a variety of boards and organizations, including as co-chairman of the Blue Ribbon Commission on America’s Nuclear Future, the University of California President’s Council on National Laboratories, and as president of the George Bush Presidential Library Foundation, and a chairman of the International Advisory Board of The Atlantic Council of the United States. He is also a member of the board of the Gerald R. Ford Foundation, and the George C. Marshall Foundation, as well as the Center for Strategic and International Studies, among others.
I came to know General Scowcroft when he was serving as a chairman of the President’s Foreign Intelligence Advisory Board at the White House. He hired me in 2002 to be his general counsel for the board. Those years in the White House were trying and challenging times for the U.S. – and the world. It was during the hardest of those years that General Scowcroft showed the world what it was like to be a true leader when the challenges seemed unsurmountable.
I watched the general every day, and I took copious notes as I did not want to miss a learning experience – something I wish my students did in my classes. Over the years, he has taught me how to be a better thinker, lawyer, policy analyst, problem solver and a better person. I am honored to have the opportunity to work for him. I am humbled that he calls me his friend. And I am happy he is opening this conference today, because I believe there is no one better suited to begin this dialogue on the importance of international engagement to improve cybersecurity. It is my great honor to welcome General Brent Scowcroft.
(Applause.)
LIEUTENANT GENERAL (RET.) BRENT SCOWCROFT: Good morning. Thank you very much, Catherine. I should sit down right now; I can’t improve on those words. I have to tell you, I sponsored Catherine for her Ph.D. dissertation – it’s the best thing I’ve ever done. I want to begin by congratulating Catherine, Georgetown University and the Atlantic Council for bringing you all together today. From what I have been told about it, we have the best and the brightest here of the cyber world. I wish you luck and success in your deliberations.
Those of you who know me probably wonder why I was asked to keynote this morning. After all, I think almost certainly I know less about the cyber world than any other person in the world except maybe the photographer there. (Laughter.) I consider myself successful when I have a harmonious day with my laptop and BlackBerry. I have a little granddaughter who is about two-and-a-half years old and we’re about on a par in the cyber world.
But I don’t think it requires technical expertise to understand the national security implications of what is going on in the cyber world today. I think it’s little short of amazing to think that in the space of two decades or so we – and I here mean not only Americans, but most people around the globe – have come to depend upon cybercommunications.
Consider for a moment how much of what we’ve come to rely on in our daily live have a cyber component. Cyber controls the distribution of electric power. It provides the backbone for financial services. It helps guide us to our destinations through GPS. It allows us to obtain cash in ATMs. It – to use credit cards to buy goods and services and trade stocks, even without leaving our homes. Thanks to cyber, we have more data stored and available for our instant use than any previous generation in human history. Cyber permits us to communicate instantly around the world. It gives us access to libraries of information at the push – touch of a key.
And yet, through these same mechanisms, we are also – have become very dependent and very much at risk, because these same cybermechanisms which enable can, as you well know, be used by malicious actors – common or syndicate criminal, cyberpatriot, terrorist or a hostile intelligence or security service – to steal identities, funds, data, manipulate information, deny us access to the sinews of the life we have come to depend upon, and ultimately to threaten the very safety and health of society as we have come to know it today.
And this is not just an American problem. It is an international problem and it is becoming a universal problem. We probably are in the lead because of our technical development and the use of cyber because it makes things so convenient. But everybody is going in the same direction.
And I’m very encouraged that today you’re meeting to try to develop ideas and mechanisms which may allow these kinds of issues to be worked on cooperatively on an international scale, because I fear that we – and by “we” I mean “everybody” – are lagging, and that both on the national level and certainly on the international lever – level, we are neither adequately organized to compete with the threat nor are we keeping pace with the advance of the threat.
Let me speak to the Americans in the audience for just a moment. On the national level, dealing successful with cyberattacks requires a unique public-private partnership. This is not only true of the United States, but I want to concentrate on that. It’s unique because this means a government-private sector cooperative, which is pretty unusual for us. One part of our government – the Defense Department – is already pretty well advanced in detecting and defeating threats to its network. The civil sector of the U.S. government lags behind, however, and needs to overcome parochial prejudices and divisions and cooperate with DOD so that dot-gov is protected as well as dot-mil.
And, simultaneously, both parts of our government need to work together with industry to protect those critical societal services known colloquially as dot-critical infrastructure. And this partnership also needs to focus on how to build resiliency into critical functions in order that, if there is a cyberattack from whatever source, the affected sectors are able to recover quickly and thereby minimize any social disruption.
Internationally, we need to work along the same three lines: defense, civil government and critical infrastructure with like-minded nations – and I’ll get to the point: We all should be like-minded nations in this regard, to help build defenses and resilience and to learn from them about alternative or different approaches they may have taken to achieve the same goals.
We need to develop a set of norms – rules of the road, if you will – on how to deal with cybercriminals and cyberterrorists who are operating with their – within their or our national territory or who are operating remotely through servers located in their countries or on American soil.
Finally, there are two additional topics for international consultations. The first is how we can convince all responsible governments that we’re all in this together and that we should act together in a cooperative manner rather than in a confrontational, deterrent-like manner to deal with this issue.
The time is soon coming when all modern states, their economies, their infrastructures, and their societies will be more or less equally dependent on cybersystems and more or less equally vulnerable to cyberdisruptions.
You know, we’ve long wanted an interconnected world. Well, now we’re going to have one. So now’s the time to begin thinking about how to engage state actors to determine how to build a web of interlocking obligations. Should the mechanism be treaties? Rules of the road? Or in either case, how can adherence to what has been agreed be verified? Some will say none of that’s possible and that we would reveal too much about our own intelligence capabilities if we challenged another state about a cyberattack on its source. That isn’t necessarily the case.
And I want to turn to a – an example which many people say is not relevant, but I think is, and that is the arms control discussions we held with the Soviet Union during the Cold War.
I think there’s something here that is reminiscent of the Cold War, and that is nuclear weapons were the first threat to world society as we know it. We came to realize that nuclear weapons could destroy the world, and cyber let loose has the same capability to destroy our societies if it is not controlled.
When nuclear weapons were first incorporated into the American arsenal, we considered them primarily just bigger and better weapons. Our first strategy involving them was massive retaliation. That is, we were going to substitute nuclear weapons for the conventional arms that would have been necessary to hold off a Soviet invasion of Europe. So they were just – they were just another weapon. It took us some time to adopt policy to the path that Bernard Brodie set forth very early in his seminal work on the nuclear age. He said the nuclear weapons’ role was not in war-fighting, but their role was to prevent war. So, too, the international community needs to consider what the sole – what the role of cyberweapons should be now and in the future.
In the Cold War, the United States and the Soviet Union were implacable enemies. What we knew about them, and vice versa, what information we wanted to protect about our forces and so on, are in many ways similar to our cyber situation. Both sides wanted to protect information about the capabilities and vulnerabilities and it took a long time for us to agree that, even in the light of the deep suspicions we had about each other, we needed to talk, we needed to develop some rules of the road so that a mistake would not precipitate a nuclear holocaust which could destroy civilization.
There are eerily similarities in the – in the – to the present time. We had no idea how to go about nuclear arms control to start, and we’re still learning. We have not reached a point – there are now those who say, “Well, we need to get rid of nuclear weapons.” We don’t know how to do that, we don’t know what the world would be like, but we’re feeling our way through this nuclear path.
Can we do the same about cyber? In many ways it’s more daunting. It’s more thoroughly ingrained in our society, as I’ve said, between government, industry and the individuals. I don’t know, but I think it’s time for us to start. And multiple levels of engagement: track one, track two, track one and a half. We should remember that engagement is a process, not a point solution.
We also need to consider what we would do if the cooperative engagement track doesn’t work. In other words, we need to think about how to prevent cyberattacks, if we can’t convince governments that it is better for all concerned to cooperate.
In that same regard, we need to determine what our red lines may be with respect to cyberattacks and owning up front that the difficulties in attributing firmly the origin of a cyberattack is daunting. What constitutes the cyber equivalent of an attack on vital national interests? Every government which possesses a cybercapability will want to use it to its own advantage. But certain cyberactivities and certain cyberattacks should be clearly understood to be off-limits.
How do you go about determining what that might be? And how do we communicate to the international community the gravity of cyberattacks on these vital interests? This is not just a game, as it appears to be widely considered at the present time. What do we do if these red lines are crossed anyway? And crossed by whom?
There is a great deal of noise in the popular press: We should respond to any cyberattack against a critical infrastructure target with a major cyberattack of our own.
Remember, like nuclear weapons, these are weapons which, if used, can destroy large elements of society as we know it. That places a great burden on preventing such attacks in the first place. And I hope that’s part of why you’re here.
In a way more reminiscent of the situation we face with nuclear terrorism today, rather than classic deterrence, I have to ask you: how confident are we that we can prevent all American hackers and cyberpatriots from attacking other nations? And what does that tell us about other country – other governments’ ability to do the same thing with their hackers and cyberpatriots?
Let me live you – leave you with that thought. I wish you much luck and success in your discussions today. I’m counting on you, and so is my granddaughter. Thank you very much. (Applause.)
SHAWN HENRY: Thank you so much. I’m really pleased to be here at this incredibly wonderful university, a great institution of higher education. I appreciate Catherine Lotrionte and her leadership in putting this together, and the privilege and honor I have to be here today with this distinguished panel of true subject matter experts. I understand we have many, many representatives from around the community, both in government and in the private sector in the educational area, and we really appreciate you all being here.
I’m going to take just a little break from our schedule here. General Hayden is running a little bit late, but when he comes he’ll jump in. And what I’d like to do is just to provide some brief comments, and then each of our speakers will provide an overview of their area of expertise, and we’ll start an engagement with the – with the audience.
First, I’d like to introduce our panel here. To my immediate left, Congressman Mac Thornberry, United States Congress House of Representatives, from Texas, and chairman of the Armed Services Subcommittee on Emerging Threats and Capabilities.
To his left, Wing Commander Thomas Parkhouse, the cyber security staff officer from the Ministry of Defence in the United Kingdom.
Lieutenant General Charles Croom, retired, vice president of cybersecurity solutions at Lockheed Martin and the former director of the Defense Information Systems Agency, DISA.
And then, Mr. Richard Roberts, the head of information security branch from Interpol.
And Mr. Shawn Bray, Deputy Director of Interpol here in Washington, D.C.
My name’s Shawn Henry. I’m the executive assistant director with the FBI with responsibility for all of FBI’s criminal and cyberinvestigations.
It was very interesting to listen to General Scowcroft and his overview of the cyberthreat. And I don’t know that it’s that important to get into that specifically, because I think he really did paint a very high-level overview and understanding, and most of the folks here really recognize that.
But I can tell you, in my personal experience, looking at the threats day in and day out, at both a – at various classifications levels, so threats are significant and real, and they continue to grow. And our ability as a nation, and as a world – as General Scowcroft identified, it’s not just a United States problem – is critical to the continued success of our society. I believe that.
One piece I’ll note from his statement was the – equating the cyberthreat to the nuclear threat from the ’70s and ’80s, which I think is absolutely on point. The one point that is drastically different, though, is the attribution. If a nuclear missile was launched, our satellites would tell us exactly, within seconds, where that came from. And we have hundreds of thousands of cyberattacks launched on a daily basis with little to no attribution, which is really a remarkable difference in that analogy.
So what I’d like to do is ask each of the speakers to provide you a quick overview, and then we’ll take questions from the audience. We’ll start with Rep. Thornberry. (Applause.)
REPRESENTATIVE MAC THORNBERRY (R-TX): Well, I appreciate the opportunity to be here, and I appreciate Georgetown and the Atlantic Council hosting this conference. Being a member of Congress, I need to keep things simple. And besides, you’ve got plenty of smart, experienced people on this panel and in the panels to come.
But just to start with basically a simple question, which is, to me: has technology and cyberspace presented a new, fundamentally different kind of challenge to national security?
I think you heard General Scowcroft answer that question in the affirmative. I think it’s also in the affirmative when it comes to crime. It’s also in the affirmative when it comes to espionage. It’s also in the affirmative, by the way, when it comes to political activism. I guarantee you, every person running for office is doing fundamentally different things with their campaigns than they were just a few years ago.
So, if it’s a fundamentally different kind of challenge, the second question is: are our laws, policies and regulations keeping up with this new challenge? And I think , on this question, there is virtually unanimous agreement that in the United States, and to different extents, around the world, we are not. And yet, while we fiddle, our vulnerability continues to grow.
And yet, to – and so that means we need to take action; to take action means going through the political process. And I guess my primary point today is that we can’t let the perfect be the enemy of the good, considering that whatever happens with laws and regulations and policies, even if it doesn’t go through Congress, or if it does go through Congress, has to have a political component factored into it.
Obviously, we’ve got significant challenges in doing that. An attack could be crime, it could be vandalism, it could be political expression, it could be terrorism, it could be a cyberattack. The problem is, you don’t know what’s happening at the time it is occurring. And yet, for our government, and I suspect for other governments, different agencies are responsible for dealing with each of those different kinds of attacks.
We’ve had two hearings so far this year in my Armed Services Subcommittee just asking the question: what is the responsibility of the Department of Defense to defend the private sector in cyberspace? We think that the answer is pretty clear if we have a fleet of bombers coming to bomb the Houston Ship Channel. It’s not so clear if we have a fleet of packets coming through cyberspace to disable those same facilities.
And so some of these fundamental questions have to be dealt with.
A second challenge, of course, as Shawn just mentioned, is the difficulty in attribution and the effective absence of geography causes all sorts of challenges when implementing our laws, and when dealing with basic concepts such as deterrence and retribution.
A third challenge is, in the United States, we certainly have a good, healthy dose of American skepticism, with more government power knowing more about our lives and intervening into some of the most personal part of our lives. And in cyberspace, whatever we do has to be decided ahead of time, because it happens at light speed, so the rules of the road have to be in place before it actually happens. And that affects the amount of trust we are willing to give our government, of whatever agency, in what – in dealing with our privacy and other sensitive information.
We have different expectations of privacy than, I think, others, and that makes setting international standards on some of these issues more challenging.
A fourth area of concern is that to deal with cyber, obviously you have to have a sort of cooperation and interrelation between government and private industry that I won’t say is unique for us, but it is certainly unusual for us. And that presents its own set of challenges.
So, the point is, whether you look at these items, or a dozen others we could list, some sort of political calculation – political, I don’t mean partisan, I mean taking the sentiments of the people and our political institutions into account. It is tempting, I know, to get everybody in this room to agree on the master plan to deal with cybersecurity. And we could all go in the back room and we could trot out a 2,500-page bill, and we could ram it through Congress. But then, we might have to grant a thousand waivers in the first year exempting a variety of folks from ever having to comply with those provisions, and meanwhile everybody in the country is becoming more and more disillusioned that we have a clue what we’re dealing with to begin with.
Now, we’ve been down that road in other fields, and it’s not a good way to proceed procedurally and it’s not a good way to proceed substantively. But steps are important. We can’t let the perfect be the enemy of the good. My personal view is that some steps we can begin to take now include looking for encouragements for private industry to elevate their level of cybersecurity – looking at a toolbox full of carrots and sticks that would help encourage greater emphasis on this problem at the highest levels of private industry.
Secondly, I think we ought to look at facilitating the use of the tools that the military uses to defend military networks to defend critical infrastructure. And there is a pilot program along that line which is just beginning.
Third, I think we need to examine and update a whole variety of laws which have not kept up with changes in technology. Melissa Hathaway, in her review at the beginning of the Obama administration, identified dozens of laws that have not kept up with the changes in technology.
And I believe it’s our job in Congress to go through, one by one, looking how we can update. Some will be more controversial than others. Some with be more helpful than others. But as we go through those individual laws, I think we can help, again, elevate the general level of security which we face.
The speaker of the House has asked me to coordinate an effort across all committees to see that something gets done on cybersecurity. I think he sat through one too many intelligence briefings to believe that we can continue to go with business as usual, having just about every committee in the House – and I’m sure the same is in the Senate – but just about every committee in the House having some responsibility for cybersecurity, and as a result nothing has happened, year after year after year.
So something – I am optimistic that I think something will occur this year in Congress. I think it needs to – we need to acknowledge that the free market alone will not solve our cybersecurity issues but whatever we do should be consistent with free market principles to allow that private sector innovation to continue. Congress should try to raise standards without setting standards which will be an obvious target for the hackers to target in on. And we certainly ought to look for examples where government can lead by example – too often, it has not done so.
But I also think that everyone should be flexible about legislative vehicles, whether it’s one bill or whether it’s a dozen. The important – again we can’t let the perfect be the enemy of the good – the important thing is to take some action, as General Scowcroft was describing with nuclear deterrents – feeling our way along, step by step, moving out in the right direction. I think we’re doing to do that this year in the United States. And I think on an international level we can make a greater contribution there as well. So I’ll look forward to your questions. Thank you.
(Applause.)
WING COMMANDER THOMAS PARKHOUSE: Good morning. I’d like to echo the words of Shawn and the congressman in thanking Catherine, the General for opening, and I’d also like to echo the congressman’s words. My name’s Tom Parkhouse, I’m a member of the Royal Air Force in the U.K. I’m currently working in the Ministry of Defence and as of Friday I will be part of our cyberpolicy unit that forms up as the funding starts for our national cyber program.
Briefly this morning – before we get into the panel questions, which I’m really looking forward to – what I’ll do is I’ll briefly outline our national cybersecurity program, which I think will – you’ll see has lots and lots of parallels with what you’re doing here. I’ll talk very briefly about what we’re doing in defense, and if we want to get into that in the panel discussion again I’ll work from that. And then I’ll sort of go a little bit off-(piece ?) and take my life in my hands by coming up with a few of my own ideas on deterrence and international norms. Probably with the – I’ll say now – with the aim of provoking some questions – provoking some discussion and seeing where we go from there.
So the key messages from the U.K. at the moment on cybersecurity is that we believe that with the U.S. – and with most of the nations here represented – we have a common perspective and we’re recognizing that this is a priority area. Cyberspace is vital for the prosperity of the U.K. and it is vital for our way of life. It brings opportunities to business and to our population, but, as has already been said here this morning, it brings threats – threats from cybercrime, threats from espionage, threats from terrorism and potentially threats from warfare – all of which must be addressed.
Last year in October our government announced 650 million pounds of new money – whatever that is – to bring about a transformative national cybersecurity program. This program was derived from – or brought into highlight by our strategic defense and security review and in our revised national security strategy. Cyber was recognized as being one of the top four national security threats, alongside terrorism, natural hazards and major accidents. And, of course, it won’t be lost that for two of those cyber is actually quite possibly a major part of them.
The program is going to be managed and brought together by our Office of Cyber Security and Information Assurance – which itself was created after the issue of our first national cybersecurity strategy, which was issued now almost two years ago. Interestingly, the issue of our national cybersecurity strategy didn’t make the headlines in the press in quite the way we expected because unfortunately its announcement coincided with the death of Michael Jackson. (Laughter.)
As I said, OCSIA, the Office of Cyber Security and Information Assurance, has been charged with overseeing, prioritizing and coordinating the centralized funding and implementation of the cyberplan. And how these measures that have basically now been funded and are going through business cases at the moment – how these things are going to fit together will be subject to a revised national cybersecurity strategy that’s going to be published in the next few months.
The key points – and again, I don’t think these issues will be lost amongst you – is that we absolutely accept that cyberspace is complex. That is the heart of why this is difficult. And therefore, improving our cybersecurity requires a multifaceted approach which is going to involve all government departments, all government agencies, working in close cooperation with industry and academia, and of course our population.
The types of things that are covered in our cyberprogram include tackling cybercrime – this is – this, we see as probably the most insidious risk at the moment. Our minister of security has emphasized that she sees this as the most insidious risk – the thing that the population is most likely to suffer, and therefore most likely to make it scared of using computer systems – taking advantage of our online services – is cybercrime.
And we’ve just announced that we’ve doubled the staff focusing on cybercrime in our police department. But, you know, hidden underneath the banner of doing cybercrime is actually making sure we have a clear definition of what we mean by cybercrime, because these days almost every crime has a component that involves a computer – be that the coordination of the crime, be that in the inception of the crime, be that in the surveillance for the crime, be that the research for the crime.
The second sort of pillar of our approach is reducing our vulnerability to cyberespionage and state-led threats. And again, we’ve got to get to a point where we understand what is the information of national importance – how are we protecting it? And this is not – this is not particularly a conceptual argument, but actually an argument of organization, because even once you’ve identified what information is important, you’ve then got to be able to track it. You’ve got to be able to track its movement between departments, between agencies, out into industry, out into subcontractors, out into the – what you would call the mom-and-pop business – I’ve said that right? – or what we call the small- or medium-prized enterprise – small- or medium-sized enterprise.
And particularly – that’s all right when it’s top down, but what about when it’s bottom up? So there’s lots and lots of work to be done there.
We have got to do – and this is going to require international effort – far more on our situational awareness. You’ve got to be able to describe what it is that’s going on. You’ve got to be able to show the population the risk. You’ve got to be able to show politicians and parliament the risk.
Close to the home for me, we’re establishing the defense cyberops group, which I’ll come into in a bit more detail later – the critical infrastructure is obviously in there. We’ve got to get the approach to be coherent – lots and lots of good work going on everywhere – but we’ve got to make sure that, again, it’s not seen as a vulnerability and how that vulnerability propagates. It’s actually about how you deliver cross-government capability, national capability, and looking at it from an alternate perspective.
All of this is going to require close partnership with the private sector and with other governments. Our prime minister has met with industry; he’s had them round for – the key members of industry, and not just cyberindustry, but broad industry – had them in and asked them, you know, how they see this as going and how we can work, you know, together with industry.
And then, the final pillar, which is probably one of the most important, is improving our national skill sets, education and awareness.
Very briefly on the defense cyberops group, let me just talk about some of the developments on our capability here. We are – we have now put into the public domain that we are working to develop tests and validate the use of cybercapabilities as a potentially more effective and affordable way of complementing our delivery of our tasks. We have said that we will always act in defense of our national interests in this area. We are – the defense cyberops group and the defense element of the plan is bringing together how we improve our capabilities, how we mainstream this in defense, how we make sure our organization’s specialists are right, and how, once our program ends, how we make sure this becomes part of normal business.
As I’m getting time warnings, I’m very quickly going to just move on to the few things that I wanted to throw out there for the discussion: deterrence. Really, really important subject, lots to talk about. There are many lessons we can learn from the nuclear deterrence debate, I’m quite sure. But as somebody whose, you know, humble backgrounds was as a cop, I also think that there’s a lot we can learn from the crime prevention environment as well.
Crime prevention doesn’t sit alone. It relies on investigation, prosecution, punishment, rehabilitation as allies. It’s about tailoring it to circumstances. But crime prevention has to deal with multiple actors, full and varied ranges of capabilities. It has to deal with very, very different levels of intent and ambition. It has to deal with those actors having different aims, in terms of the effects, or the things that they achieve. It has to deal with people who want to create fear, who want to destroy things, who want to have financial grain – gain, sexual gratification, surveillance of future stuff. So, crime prevention is a really – is a good model to be looking at as well as nuclear deterrence.
The second thing, I just want to say, on developing international norms – and I obviously note the fact that the U.K. is hosting an international intergovernmental conference in the autumn, and I note the comments that William Hague made at the Munich security conference about a month ago – you know, international norms is going to be hard work. Cyber, as I’ve said before, is complex, and it’s built on a quickly shifting set of definitions, concepts, policies, technical skills and just technical change. So – and those changes are not synchronized around the world. So, international norms are going to be really, really difficult in doing that.
And sort of the final thing I’ll say is about macro versus micro. International – this is personal view – international norms are going to be one thing to create – to states, transnational bodies, multinationals and everything else – but international norms have to also be about the individual. They have to be about the user, be that user, you know, the average person who is just at home doing their business online, be it about somebody who might be criminally motivated, be it about the young person, the juvenile, who is starting to test the boundaries of their world.
One – but one – and so we’ve got to get this macro-to-micro thing right. In the U.S., you have local policemen who deal with local issues. How are you going to deal with those same really tiny issues when they’re being affected across the world?
I’m going to stop there. I look forward to the discussion and I’ll promise to keep my comments in the discussion shorter than my comments now. (As short ?). Thank you.
(Applause.)
LIEUTENANT GENERAL (RET.) CHARLES CROOM: Well, good morning – and good morning, General Hayden. I thought I had missed the fine print that we could do this panel virtually. But no, you’re here, and so we can’t.
I must admit I’m a little bit edgy and nervous this morning being back on a Georgetown University campus. I’ve never really excelled on university campuses, but I am sitting next to a distinguished congressman – thank you, sir – and it is a little disconcerting though that the FBI is on my right and Interpol’s on my left. I didn’t speed too much coming in here this morning.
Well, how many folks have been to cybersecurity conferences before? Yeah, it’s – so over the weekend, I was really concerned about, well, what can I possibly say that’s new and different? And I’m sitting there Sunday morning watching the snow fall on the cherry blossoms, and I was wondering to myself, well, did cybersecurity really cause this too? This climate change? I don’t know. But I did get the opportunity in that cold morning to read an article that is the theme of this presentation. The article was the “Rise of a Cybered Westphalian Age,” written by Dr. Demchak and Dr. Dombrowski, taken out of the Strategic Studies Quarterly in spring of 2011.
Now, I didn’t go to Georgetown, so the reason this article intrigued me is I had no clue what the Westphalian age was. Any hands on that? Well that – yeah, see you’re smarter than I was. The Treaty of Westphalia, 1648 – what could that possibly do with cyber? You know, it ended the Thirty Years’ War, right? So, if you didn’t know anything this morning, you know that. It also ended the Eighty Years’ War between Spain and the Dutch Republic.
The treaty resulted in the first really modern diplomatic congress, initiated a new political order in central Europe based upon the concept of a sovereign state governed by a sovereign. So that was the first 15 pages, and I’m still wondering, well, what’s this got to do with cyber?
Well, there were a lot of conclusions out of this treaty, some of it dealing with religion, but I’ll just skip down to – it also was a general recognition of exclusive sovereignty of each party over its lands, people and agents abroad to include the fact that a sovereign state had the responsibility for the warlike acts of any of its citizens or agents.
Well, that might apply now as we see cyber movements coming out of countries to other countries with no one held responsible. Well, we’ve wondered about this. You know, the cyber – is it a global commons? Is it the fifth dimension, as the military would say? Air, land, sea, space and cyber? Is it the frontier? Is it the Wild West? Well, just a side note – the White House came out with a policy statement in the last few days that clarified that totally. It said it’s not a cyber domain, it’s not a war-fighting domain, it’s not a military domain, it’s not an operational domain, but it is cyberspace. And so that’s now what they’re going to officially call it – really to take, I think, the military out of that definition . A neutral term, cyberspace.
Well, no frontier lasts forever, and no freely occupied global commons extends endlessly where human societies are involved. Sooner or later, good fences are erected to make good neighbors. And so it must be with cyberspace.
So that’s the theme. Fences, borders – does that really add value to cyberspace? Well, let’s talk about that.
Today, we are seeing the beginning of border-making process across the world nations in cyberspace. All states, in one way or another, will reach out to control what they fear from the Internet, to control their borders, protect their citizens and their economies. We kind of see that today in China as they’ve stood up their Golden Shield; Australia, with the ISPs; perhaps the U.K. a little bit.
Well, in this Westphalian world, virtual borders and national cyber commands are normal elements of a modern cybered government. Well, why is this? Well, frontiers, if you think about them, particularly as our American Wild West, are places of conflicts: poorly governed, lightly populated, where people grab and go in a lawless nature.
Being able to grab control is one hallmark of a functioning state, i.e., passports, custom controls at our own borders. When states cannot protect the capacity of this – the capacity of the state falls into question by those feeling threatened.
After a Westphalian peace, the nation-state became the dominant form of social organization, codifying and enforcing rules, institutions, norms by which they interact with each other and the international society. For the last 362 years, we have been creating conditions supporting this gradual hardening of borders among states. I think there were good reasons for this.
Let’s think about cyberborders. Cyberborders allow a distinction between forces defending the borders, i.e., military, and those protecting the individual citizens inside the nation from attack, i.e., police. Without borders, it’s difficult to define what those missions are. If cybersecurity is a mission involving military-like actions repelling attackers, well, cyberborders will have to be determined to guide when and where these actions can occur. Attacks across borders will become state responsibilities, whether or not the state approves or guides attacks.
In closing, let me just say that today, we will cope with the emergence of cyberspace similar to the way we cope with any new frontier. Over time, cyberborders and emphasis on nation-states will enhance stability and security. Good fences make good neighbors. What has been carved out over centuries in the concrete world is not all that undesirable for societal stability, economic returns and international security in cyberspace. This transition, of course, seems to still lie ahead of us.
Thank you.
(Applause.)
RICHARD ROBERTS: Distinguished guests, colleagues, ladies and gentlemen, good morning and thank you for inviting me to participate in your conference here today. This wonderful setting, Gaston Hall, has a rich history of serious debate and quality discussions, and I very much hope that I can contribute to the upkeep of that tradition this morning.
My name is Richard Roberts. I’m the head of the information security branch of Interpol –or, more precisely, the Interpol General Secretariat.
It’s going to be fairly tough, but I do hope that in just 10 minutes, I can explain to you a little more about what Interpol does, what Interpol is, and how Interpol can assist in ensuring cybersecurity on an international scale.
(Inaudible) – work.
Let me start by explaining very briefly what Interpol does.
Contrary to what you might in the movies or on television, Interpol is not a clandestine organization that runs around arresting people on sovereign territory or conducting covert missions or anything else of that nature. Nothing could be further from the truth.
What Interpol actually does to facilitate police cooperation on an international level.
In addition to what you might be aware of in terms of the Interpol wanted notices, we provide training capacity building to law enforcement domain; we provide operation support to investigators – for example, criminal analysis; we provide conferences and seminars, closed-door conferences, for specialist task forces; and various other programs that assist the global law enforcement community to prevent and detect serious international crime.
But not only that, we host and we share amongst the Interpol community unique global databases of criminal and police information using Interpol’s secure global police communication system.
And Interpol does this all over the world, even when no political or diplomatic relations may exist between countries.
We bring the law enforcement community together on an international scale. Essentially, we connect police for a safer world.
What is Interpol?
Well, Interpol is an organization of member countries, 188 of them, who decided to work together in the field of international police cooperation. Think about that – in a world with, more or less, 200 recognized countries, Interpol can be used to communicate at any time with 188 of them. In fact, Interpol is its member countries.
Member countries coordinate and cooperate through a network of national central bureaus, including the National Central Bureau of Interpol, Washington, right here in D.C.
The logistics of such global cooperation and facilitation, the support, the tools, databases, are all provided by a sort of headquarters entity, known as the Interpol General Secretariat, and it’s based in France. There are several of their offices around the world. The General Secretariat is headed by Secretary-General Ron Noble, and is staffed by a diverse, multinational, multicultural, and multilingual workforce. This workforce has no active law enforcement role on any national territory. They essentially provide support to the Interpol organization – to our national central bureaus. It is the national central bureaus that perform the work on the ground, whereas the General Secretariat develops and operates the organization’s shared assets.
Essentially, the national law enforcement communities of every Interpol member country operate independently, but under the umbrella of Interpol, respecting national sovereignty, jurisdiction, and legislation. Every member country operates a national central bureau, and the national central bureaus finance and resource Interpol. National central bureaus are staffed by citizens of the country on whose territory they are located.
Now, that’s a little bit of useful background, but this is, after all, a conference about cyberspace, cybersecurity.
So let me tell you that Interpol has long been involved in supporting cybercrime investigations and assisting the law enforcement community on a global scale. In fact, Interpol financial and high-tech crime, which includes cybercrime, is one of Interpol’s priority crime areas. And I apologize for the small, small writing there.
But what does Interpol actually do in this area?
Well, here’s some examples. Interpol produces regional trend analyses using its regional cybercrime working parties. We maintain an IT crime manual for law enforcement investigators. We work with certain vendors to counter different threats: for example, the threat of zombie networks and botnets that could be used to attack critical infrastructures.
We’ve established a 24/7 network of national contact points for cybercrime issues in 120 of our member countries. We work with a number of organizations: the G8 high-tech crime group – excuse me – the International Organization for Standardization, ISO, the Forum of Incident Response Teams, and the European Network and Information Security Agency, are to name but a few.
And we host international closed-door conferences and seminars on this subject for specialist audiences.
As you can see from this slide, we have in the past arranged many training workshops and seminars. However, these tended to be fairly small events, and either focus highly on technical issues, or were very broad.
But recently, we’ve expanded our work program to engage much more widely on cybersecurity matters. For example, the last event that Interpol hosted, the first Interpol information security conference, co-hosted by the Hong Kong police, was held in Hong Kong, China, in September 2010. Saw almost 300 participants from 53 countries as diverse as Rwanda, Saudi Arabia, the U.S., France, China, Mauritius and many, many more. We also had representatives from Harvard University, from the law enforcement community, from private corporations, NATO and other international bodies.
And despite the diversity of the actors involved, the conference came together as a whole to make concrete recommendations. Concrete solutions to problems were found, and like-minded people from around the world built relationships that will help them to fight cybercrime, protect critical infrastructure and ensure cybersecurity. In essence, we can see from these recommendations that countries are asking for more assistance to build their own capacity in cybersecurity.
But as first responders to incidents, our member countries, the law enforcement community in our member countries, want to be better able to contain incidents, to stop the attacks in real time, as well as being able to prevent and detect the perpetrators of cybercrimes in a somewhat slower time.
And they’re asking for the global law enforcement community to develop standardized tools and techniques that will assist their investigations.
And in part, based upon the recommendations of the last conference, Interpol is trying to enhance its role to better support member countries on cybersecurity initiatives. Interpol expects to be able to develop cutting-edge solutions to some of the toughest cybercrime challenges through its new Interpol global complex that is currently being established in Singapore. This initiative aims to tackle the shortage of expertise that plagues even the most developed nations. With this global complex, we hope to build much-needed capacity in this field, in particular, building computer forensics capacity by establishing a digital forensics laboratory and associated training programs.
Essentially, Interpol is looking to merge the domains of cybersecurity, digital forensics, cybercrime investigations and information security into one global cybersecurity-focused function.
But all of this takes money, and diverts resources from other crime areas. And this is why, in order to maximize the value of this initiative, the Interpol secretary-general is seeking funding to better equip and develop this program.
Ladies and gentlemen, the chap in front of me here is telling me I have one minute left. So just let me remind you that Interpol is a network that already exists. It’s a proven quality, and it’s frequently used to engage internationally in many crime domains, including cybercrime and other serious crimes.
Of course, law enforcement is but one piece of the larger security – sorry, excuse me – law enforcement is but one piece of a large cybersecurity paradigm. But it’s one that’s frequently overlooked.
Being able to prevent, detect and ultimately prosecute cybercrimes is a fundamental building block on which to build a secure cyberspace and that will ultimately ensure the security of critical infrastructure and the world’s citizens. Interpol has many partners in this field. It’s already built an international engagement network that can be leveraged by member countries.
So why not develop and use Interpol more frequently as one of your mechanisms to support international cybercrime investigations, and to help ensure a much more secure cyberspace?
And although not a magic bullet, the use of Interpol really should be one part of any comprehensive national cybersecurity strategy.
Now, I know that many of you are wondering how I can – how can I leverage Interpol? How can I access Interpol’s services, programs or support and this global network? Well, it’s very simple, three letters: NCB, your National Central Bureau. Your National Central Bureau is the door, the portal, to access all of Interpol’s services.
And with that comment, I hand over to my colleague, Mr. Shawn Bray, deputy director of the Interpol National Central Bureau here in Washington. Thank you.
(Applause.)
SHAWN BRAY: You know, when you get down to speaking, you’re toward the end of the panel, you kind of hope to ride that wave, and then Richard gets up and dispels the entire myth of Interpol right before I step up.
So with that in mind, let’s cover a couple of points he raised that I think are salient to the conversation this morning.
And the first is the phrase “where diplomatic relations do not exist.” We’ve seen this time and time again, and it sounds like it’s counterintuitive, but really, this communication system works on a regular basis.
All right. I was going to forego the PowerPoint, but –
What we’re finding out is, this is becoming a general and institutional method for international communications among law enforcement. This is the accepted method, they pass information routinely through us, at the NCBs, the National Central Bureaus – here it’s known as Interpol ,Washington; in the U.K., Interpol, London; Interpol, Ottawa, and so on and so forth.
What this does is afford us an opportunity to communicate in real time across the I-24/7, the Interpol communications network.
It gives us an incredible multilateral outreach – 188 countries instantaneously and securely. Most of you have probably seen the colored notices – red notices pursuing fugitives in the international community. However, bilateral communications across that network are where we make our bread and butter. It’s us dealing one on one with other law enforcement agencies in other countries, or multilaterally among a group of agencies working on a similar case or investigation.
If we look at the findings of recent cyberexercises over the past few years, they underscore the need for reliable, well-placed and tested means of communication in a crisis.
There are other forms of communication that are certainly in use. Richard mentioned the G8 and the 24/7 network – I believe there’s 58 countries in that right now. Obviously, the network of CERTs around the globe. And certainly there are regional concerns as well. But this is the only truly global network for these purposes.
The NCB represents the nation’s law enforcement Interpol, and often facilitates the national and private partnerships of that nation in the world community through Interpol. The NCB streamlines the flow of information and is the singular point of contact for all business.
Interpol, Washington’s mission is quite simply to be the statutorily designated U.S. representative of Interpol on behalf of the attorney general.
We facilitate international law enforcement cooperation and have done so since 1938 when we first joined. We’re codified under Title 22 of the U.S. code, and Title 28 of the code of federal regulations.
Again, quite simply, it’s our responsibility and our mission to extend U.S. resources into the international community, and that’s U.S. resources from over 18,000 law enforcement agencies around the country. And we put those into 188 member states.
The management structure of Interpol, Washington allows us a unique opportunity to examine the breadth of the Department of Homeland Security and the Department of Justice. In fact, we are co-managed. The director is currently a member of the U.S. Marshal Service, the Department of Justice; I am from the Department of Homeland Security and ICE.
This also gives us incredible access to the rest of the U.S. community –Department of State, Department of Defense, and certainly state and local resources — by having liaison offices in all 50 states, another 13-14 major cities, and of course all of our territories. So we can put information quickly and appropriately in the right at the right time.
The U.S. NCB supports these communications on a 24/7 basis, 365 days a year. We see nearly 18,000 messages a month: inbound traffic accounts for about 14,000; requests from overseas, 4,000 as U.S. requests going out.
Most cyberefforts that we see right now are currently tied to ordinary crimes that have been now transcended and committed online. We’re talking about scams, IPR issues, phishing, child pornography, harassment, and certainly humanitarian issues such as threats and suicide.
Most of the requests we get are specifically tied to attribution: preservation of log information, subscriber information, notice and takedown requests, and certainly locates on fugitives.
So how do we apply that? How do you access that information, if it’s law enforcement for law enforcement? Well, you start again by contacting the United States National Central Bureau. I’m going to give a couple of quick email addresses and a fax, and then I’m on a roll. He gave me five minutes – that means I could finish up five minutes early here.
So with that in mind, if you hit interpol.washington@usdoj.gov, that goes straight into the command center. Again, they will triage that information, get it in the right hands at the right time. They get information into the hands of the – across the federal government and they can drill right down to a local cop in a local shop.
We also have a fax number that’s generally open to the public: 202-616-8400. Now, we obviously maintain a lot of public and private partnerships and we continue to do so, and we certainly encourage you, if you have any issues you believe we can assist with, to reach out to us. There’s never been a question of too small – or certainly not worthy of comment or assistance. With that in mind – like I said, I promised to keep this brief and I will turn it over to General Hayden.
(Applause.)
GENERAL (RET.) MICHAEL HAYDEN: Well, good morning, and I am Mike Hayden, former director of NSA and CIA, and apologize for being late. I think we’ve all come here to learn; I’ve certainly learned a great deal already. For example – don’t assume that you can allow yourself two hours to get from McLean to Georgetown – (laughter) – on a day in which Congress is coming back from a 10-day recess.
This is a fascinating topic and one that deserves great study, and you can already tell from the commentary we’ve heard so far this morning that each of us are kind of picking up a relatively familiar lens through which to look at this new thing. And we’ve heard a law enforcement lens – if you get me talking too much, it’ll be the lens of armed conflict, based on my military experience. We’ve already heard suggestions of sovereignty being perhaps a useful lens – the treaty of Westphalia – and then of course there’re a whole bunch of adherents out there that think of this as a global commons, as an area that is characterized by the lack of borders.
I think we’re picking up the familiar lenses because this thing is so new. It is so different. It is the most disruptive thing for our species since – and when I have to fill in that blank the one I hit up on is, since European man’s discovery of the Western Hemisphere. I can’t think of anything that has changed so many things, so completely and so rapidly – cyber domain has – in our history – has to go back to the Age of Exploration.
By the way, I said that to bunch of folks in Las Vegas at the Black Hat conference a summer or two ago and they seemed to accept, yeah, it’s pretty dramatic and that wasn’t a bad analogy, until – (inaudible, audio break) – one gentleman approached me after it was all done and said, that was a brick shy of a load. That he actually thinks that this is more like mankind’s development of language in terms of how much it will affect not just our external environment, which is kind of what my analogy suggested, but man’s own cognition, which is what he suggested.
So here we are, with something that’s moving very rapidly, really big, tremendous implications and we’re struggling to cope with its meaning. I have sat at a small office 17 blocks east of here with small group of folks where we had a cyberproblem and a cybercapability to deal with the problem, and absolute indecision, because we lacked a coherent policy framework in which we could place that which we were proposing to do. We simply weren’t comfortable with the precedent we may or may not be setting.
As I mentioned, former director of the National Security Agency, I know the fourth amendment very well – protect Americans against unreasonable search and seizure. It began on my watch, as we began this struggle. I know it’s continuing on Keith Alexander’s watch. What constitutes a reasonable expectation of privacy on the global network in the 21st century? What is the American social contract with regard to that question I just proposed to you? And I think the answer is, we have no idea. This is so new and so disruptive.
Even this whole question of, what is this space? The questions are so fundamental. Charlie mentioned the domain. And coming from the Department of Defense, I mean it just rattles off the tongue – land, sea, air, space, cyber. It’s a domain. Frankly, the paper that General Croom referred to that said we will no longer call it a domain was so stark and so – it’s going to sound uncomplimentary – contorted in its logic, so that we would not use the word domain, that I still think that this may be from The Onion – (laughter) – rather than from the West Wing.
We have to fundamentally decide as a people what it is we think of this new thing. I’m going to use the word domain because I haven’t figured out what else to call it. And if you look at – if you look at American pronouncements with regards to this new thing, frankly, the only one who has begun to speak definitively about it has been the secretary of state. And if you look at this as kind of a binary choice – and that may be a false choice but bear with me – between free intercourse and free movement – the commons – and the need for security, the secretary of state keeps shading over this way.
Now, look, I understand that freedom of movement in the cyber domain is not mutually exclusive with security, but they don’t really come to the merge real strongly either. And that one can indeed be it at the expense of the other. So those things that we may want to implement for our own security, I think at the highest policy level we’re reluctant to do so because we legitimate that tool for other nations whose intent for using it is beyond security. It’s for censorship.
And so what General Croom, I think quite correctly, lays out as a workable theory, the application of Westphalia to this new domain – you have others who will point immediately to that kind of movement and call it the Balkanization of what is naturally a human universal generalized space in which we should work.
These are really fundamental questions and sessions like this help develop the national dialogue which one would hope would lead to the national consensus as we move forward. In any event, it’s exciting to watch, and it’s certainly game on. And with that I will stop, and it’s now your turn to question and to comment on what’s gone on before. Thank you all very much.
(Applause.)
There’s a microphone there and we’re looking forward to your comments and questions.
Q: (Inaudible, audio break.)
GEN. HAYDEN: It sounds like it’s – that question has a bit of a martial air about it, so with my DOD experience I’ll run at the first cut. The thing that strikes me about that – and I’ll get specifically to the question in a minute – but the way you frame it, I think, brings up a very interesting point. We are incredibly sloppy with our language when we talk about this thing. We very facilely describe anything unpleasant that happens to us on the Internet as a cyberattack, and I have to tell you, those who are actively involved in doing that on behalf of American security have much more narrow definitions of what constitutes attack.
Let me just say about the taxonomy very quickly, you’ve got – you’ve got cyberdefense, I think we’re familiar with that. Cyberexploitation, and for whatever purpose that might be — industrial espionage, state-sponsored espionage – it’s just stealing data. Then you have cyber disruption. There I’d kind of throw in Estonia and Georgia where it’s kind of a cyber-on-cyber attack, and the victim of the attack was the network.
And then finally you’ve got Stuxnet, and I view Stuxnet as being really, really groundbreaking in terms of this taxonomy of what happens on the net. Here’s a cyberattack whose effect was not just a cybersystem. Here’s a cyberattack that actually created – if you can believe what you read in The New York Times – that actually created physical effects. That it actually created physical destruction through cyber means. I think that’s crossing the Rubicon, and sets in motion a whole bunch of questions, other questions for which we have not yet developed answers. And I’ll stop; others, I’m sure, will have comments.
REP. THORNBERRY: Well, and I would just add I think a lot of folks had their oh-my-goodness moment with Stuxnet because, as General Hayden said, it’s not just destroying data in a computer or disrupting the operations of computers, it is physical consequences outside of the computer, which takes it to a whole different level. And so I think a lot of eyes are being opened.
The only other thing I’d mention is read the L.A. Times yesterday. Physical consequences in a water treatment plant were an exercise, but it was easy to have the effect of changing the chemicals that went into the water. So I think we’re just beginning to have all our eyes opened as to the physical manifestations of what could be done and therefore how vulnerable we are.
WING CMDR. PARKHOUSE: I think what’s interesting about Stuxnet and the related high-profile-style incidents is if the incident itself is obvious to the general population or if the victim themselves goes public about the incident, then there is a large population out there across the world that has the intent and the capability to investigate it to the best of their ability and to publish what they find.
And therefore, as the perpetrators of something like that, you may not be relying on the well-established norms of the state – in terms of what’s said and published, and everything else – you may be dealing with lots and lots of small- or medium-sized thrown-together organizations, forums, whatever – that themselves will do an investigation, and you don’t know where that’s going to go. So I think – (inaudible) – that’s what’s been interesting about GhostNet, Stuxnet and everything else. It’s that the citizen-journalist, the citizen-investigator, is out there and they’ll make sure that perpetrators, those are also held accountable or at least – at least talked about.
Q: A very quick follow-up survey. Could you fill your – raise your hand if you think that that attack would have been legal for the U.S. to do under U.S. law? (Laughter.) OK. (Laughter.)
GEN. HAYDEN: No, whoa, whoa, wait. It would have required a finding from the president and, under espionage law, Title 50, I could see circumstances – and I’m not saying that these circumstances existed – but I could see circumstances in what such – in which such an action would be well inside U.S. law and the president’s authority.
Q: Hi, my name’s Juan Ricafort. I’m an undergraduate senior here in the School of Foreign Service with the science, technology and international affairs program.
My question is about the applicability of Westphalian or military domain models to cyberspace, specifically, how do these models reconcile the fact that one of the most important and distinguishing and, some would argue, valuable – characteristics of cyberspace is that not only was it created by humans, but it is still being created by humans.
For example, when we came out with Web 2.0, social media – services like Twitter – I would say that, in a sense, we pushed the boundaries of cyberspace or we created a new subdimension of it. I would say that this is partially somewhat different than other frontiers that we’ve dealt with in the past. And my question is, if we put up fences to tame this frontier in the way that we did with the Wild West, for example, do we risk decapitating the openness and generativity of the Internet and cyberspace which are part of what make it so valuable and worth protecting in the first place.?
(Inaudible, off mic.)
LT. GEN. CROOM: I’ll start with it. Thank you for the question, not that I have the right answer. First of all, reference it being man-made, seems to me to make it even easier to establish gateways that traffic can move in and out. Two, we see examples of Australia, for example, with their work with their own Internet service providers, which are the gateways into the Australian local area network – let’s call it – where they can control this stuff.
My personal view is there’s no reason for botnets. Our Internet service providers see that type of activity, they can eliminate it. I believe our government needs to work with our Internet service providers, establish them as gateways and have them eliminate much of the garbage that comes into our nation, and I think other nations can do the same. It won’t impact privacy. We need to provide some protection for those ISPs, as they do that. But I don’t see any reason why that can’t be done and be a first step.
GEN. HAYDEN: I take your point about the nature of the Net and of the five domains. The first four were made by God, and frankly, I thought he did a better job than we’ve done here. There’s another inherent characteristic of this fifth domain that makes it more difficult for folks who’ve kind of been at work where Charlie and I have been, inside the armed forces.
I’m creative enough to either know an historical example or to imagine a future example in which future conflict in one of the other domains is entirely contained in that domain: Battle of Gettysburg, land domain; Battle of Britain, air domain; and so on.
That’s by definition not true in the cyber domain. And that’s actually one of – remember those — mentioned those sit room meetings, where you’re trying to figure out what to do and it has policy implications – it’s easy to think of this as a video game. But when you take any action in this domain, this fifth one, something happens in one of the other four. There is a physical effect even if it’s on a server, and that server is in someone’s currently sovereign space. And that adds an additional complication, an additional distinction between this domain and the other four.
Q: Thank you.
LT. GEN. CROOM: I would add – seems to me all the domains are different: land, sea, air, space, cyber. In the sea we have laws of the sea to provide control and some guidance and governance. General Keys was mentioning to me this morning the example of the FAA. As we travel through air space, we have rules that dictate our use and govern our capabilities through that. So it seems to me if you want to protect citizens right, a good economy, you’ve got to have a minimum set of governance to allow that to happen. Thanks.
Q: Thank you.
Q: Good morning, my name is Patrice Lyons. I’m an attorney in Washington, D.C., and I’ve worked with the folks that brought you the Internet; I was counsel for – oh, almost 30 years now – Corporation for National Research Initiatives. I’m sensing a little — problems with definitions from person to person, as you were talking.
Now, for a lot of years, we’ve been doing research on management of informations expressed in digital forms, and the information can be of a wide variety, whatever you choose to express, and it’s capable of being represented in digital form. And you can secure things at that level, and it moves beyond sort of the port-specific-type DNS systems of today. That said, I also go to a lot of meetings in other countries, especially United Nations gatherings on Internet governance.
I’m finding it troubling trying to understand – and that’s one reason I came today – why we need the concept of cyber when we’re really talking about digital information and managing that information.
Some will say, well, you know, it’s behind our firewall. Well, if you’re using the Internet technology – the basic technology or its logical extensions and follow-ons – then it would be considered part of the Internet even though it might be disconnected. So wouldn’t it be troubling trying to set legal norms and, as a lawyer and having worked with United Nations’ groups, to try to have another parallel universe under some other label? Now, it’s just a general observation; I appreciate your reflections.
WING CMDR. PARKHOUSE: I think – in developing the U.K. definition of cyberspace, and we’ve worked closely with allies on that – one of the key – the key facets of the definition has to include its interaction with the social space – the interaction with people – and I think that’s a really, really important part of it. And cyberspace is actually – is characterized by it being almost a mirror of our life. You know – and I think, therefore, you can’t just treat cyberspace as a technical issue and therefore having technical remedies to it.
So, that said – and then it’s like all these things in this area – I’m not completely disagreeing with – you can make steps in the technical areas, but that’s not the whole problem. The whole thing is this is actually, you know, replicating society and it’s the – it’s replicating the interconnectedness of society. It’s replicating the dependency in society, and I think when people are using sort of the phrase “cyber,” that they’re using “cyber” to represent that set of opportunities and risks.
Q: But that’s actually my point. You’ve actually made my point very well, and the gentleman from Interpol – he said some of the things that come along. I started as a copyright lawyer. The notice and take-down – it is actually that dimension, the human dimension of interaction – what you do with the technology, not so much as the technology itself, the technology would be enabler. So I agree with that, but I’m still troubled by why you have to have a different label. But I think I’ve made my point.
Q: Roger Kuhn, science adviser to the United States Navy Fleet Cyber Command, commander 10th Fleet. I guess this question is primarily focused at the congressman. Given the fact that some people would contend that the joint military concept was not established until the establishment of Goldwater-Nichols legislation, would you contend that in order to facilitate interagency cooperation with those very many three-lettered agencies there needs to be a Goldwater-Nichols two?
And if that thinking hasn’t been – come about within Congress, would there need to be some breach or some kind of tragedy, like the hostage rescue debacle associated with the Iranian crisis, to necessitate said legislation?
REP. THORNBERRY: There has been a fair amount of discussion about Goldwater-Nichols two taken to the interagency level. And really, it has come about in my experience not so much when talking about cyber but when talking about our efforts in Iraq and Afghanistan – how do we get all of the agencies to bring their resources to bear so that the military doesn’t have to do everything, essentially.
And there’s been a fair amount of frustration about that . As I mentioned in my comments, I think cyber is, however, a stellar example . You don’t know what you’re dealing with, whether it’s crime, espionage, terrorism or warfare, as those packets come hurtling through cyberspace.
But, I’m also – having been involved in creating the Department of Homeland Security and various other – and also the DNI office – I also don’t think organizational reform is the end-all, be-all, and sometimes it even sets you back a little bit. I still think creating the Department of Homeland Security was a good thing to bring those 22 different agencies all where they can be working off the same page rather than scattered all over the government.
But I don’t see a massive cyber agency to deal with this; that just crosses too much. So we do have to get, in my view, more coordination stemming from OMB, GSA – kind of those crosscutting agencies that help the government improve its own cyberspace. But we’re going to have to have it where Department of Homeland Security works with Cyber Command, works with FBI, others, in order to be as effective as we want our country to be in cyberspace.
I don’t know whether that needs a Goldwater-Nichols two but it darn sure means we can’t live in stovepipes, and we can’t make turf protection the end-all, be-all – which is part of which has prevented action in Congress over several year period.
MR. HENRY: I’d add that while certainly there’s a lot of room for improvement, and we can always do better, there’s actually been quite a few successes with – in the interagency process with the coordination between the intelligence community, FBI, DHS, DOD and others. There’s been quite a bit of success.
Some of the other speakers earlier talked about criminal aspect of this – the criminal element in terms of prevention. But a lot of the collaborative efforts among the community has allowed us to collect intelligence and share intelligence with the private sector to actually prevent some of these – some of these attacks.
So while there’s always room for improvement, there’s actually been quite a bit of success in the interagency process, particularly in the last three years.
Q: One final question. General Hayden talked about the uniqueness of the fifth dimension, so that if something happens in cyber it affects the other four dimensions. As a scientist, I characterize that cyber covers every medium that can support the propagation of electromagnetic radiation. As such, given its electronic warfare capability, would you characterize an F-35 fighter, for example, as a cyberweapon?
GEN. HAYDEN: Sounds like a military question. (Laughter.) I’ll start and ask General Croom to move forward.
It begins to get fuzzy. But when you think – but when you think of the capacities we’ve put aboard F-35s or even F-22s in addition to everything else it is, it does become a really capable node on the network. And it’s useful and – no, it is useful to think about it that way.
Sorry to be long about this, but – OK, go back to – let’s do signals intelligence. All right, and we used to – we used to think of collecting those signals from earth being somewhat different than collecting those signals from space. That’s a very 20th century, industrial age way of looking at the problem. I think the 21st century way of looking at the problem is that that is a unified network and the fact that one happens to be in orbit is an interesting fact – but not compelling – in terms of how you consider it. We’re kind of moving in that direction with some of these very capable platforms now – that in addition to what it is they began life as, they’re now nodes on a network.
Q: Thank you.
Q: Hi, Neal Pollard, adjunct professor at Georgetown – until recently I was a U.S. government officer. I have a question for the whole panel; I welcome your perspectives in each of your current or official roles. In my understanding in the evolution of Cyber Command, General Alexander now wears two hats – both Title 50 intelligence officer authorities at a very, very senior level and also Title 10 combatant commander levels.
What opportunities or benefits do you see deriving that are truly new from such an arrangement – again from all of your perspectives – and what issues do you see that ought to be managed or that arise from this arrangement? Or is this something that’s really not new?
LT. GEN. CROOM: All right, thank you for the question. I think it’s just an evolution of maturity of where we’re going. Prior to U.S. Cyber Command we had offense and defense split – I was the commander of the defensive side, the JTF-GNO; the JFCC network warfare was under General Alexander. We all believe that a good defense contains an offense, that offense informs defense. and I think to facilitate the ability to better communicate and to better tie those together the U.S. Cyber Command was created.
Along with U.S. Cyber Command came a structure underneath U.S. Cyber Command that we call components. Army, Navy, Air Force and Marines bring their own capabilities to that so there is a formal military structure – command and control structure – that I think not only is wiser because it can inform each other but can also act faster because it’s better streamlined.
GEN. HAYDEN: I was – I was the JFCC-NW commander, which was the forerunner to Cyber Command when Charlie was – the defensive squad at DISA. So I totally agree with how he’s drawn the picture. That said, I think we’ve set in motion a dynamic, one that I support, but one that has byproducts. All right, General Alexander now is a four star – because he is Cyber Command commander, not because he is director of NSA. And NSA – the National Security Agency – produces about half the intelligence America gets in any 24 hour period.
There will be a dynamic that General Alexander’s character as a Title 10 combatant commander will consume more and more of his and the entire structure at Fort Mead’s energy as time goes on. Perhaps just reflecting my own background, one needs to be careful that one sustains what used to be done and used to be called full-time day work at Fort Mead, which is an intelligence function.
I would be surprised if we ever again – since the director of NSA and the director of Cyber Command are now the same human being – I would be surprised if we ever again see a career intelligence officer in that job because the Cyber Command, four star, Title X function will become increasingly dominant.
WING CMDR. PARKHOUSE: I think one thing that I’d add to that is that in terms of the national capability, it is all on a continuum. And I just, you know, I think – many people would disagree – but just add in the crime bit, the law enforcement piece is also on that continuum. And you’ve got to have a smooth integrated system that can move through law enforcement, intelligence and the war fighter, if you’re going to tackle this problem effectively.
REP. THORNBERRY: And that – as we were talking a while ago, we can’t live in a stovepiped world, the world is not neatly divided into Title 10 and Title 50, so I think this helps break down some of those walls, where the information you receive on one hand can be used to defend right then, rather than going through an inter-agency process. I think that’s positive.
Q: (Thank you ?)
Q: Champa Soyza, from the School of Continuing Studies Technology Management Program here. I wondered if you can comment about the difficulties of bringing to task criminals where the cybercrime originating countries – where it’s not a crime to do, for example, hacking and so forth. I imagine there’s a lot of difficulty, you know, when crime goes across international borders. And who would be, you know, the body to be responsible to assign, you know – bring these people to task?
MR. HENRY: So I – from the FBI’s perspective – it’s a great point. Almost every case that we see at this point, and that – just let me preface it by saying, in the FBI, I wear two hats: I’ve got a criminal responsibility under Title 18, but I also have a national security authority as well against foreign intelligence services and terrorists. But from – specifically from the criminal side, much of what we see has some international nexus, and we work cooperatively on a regular basis with a lot of nations in sharing of intelligence, and sharing of information that allows us to be (actioned ?) and to actually have a mitigation on the adversary.
Regardless of whether it’s a crime in a foreign country, a crime against U.S. interests is a crime here in this country. Now, that certainly creates some concern, because you may not get responsiveness from the host government.
The FBI, with our legal attaches, we’ve got representatives in over 60 countries around the world. We work very, very closely throughout the international community to bring our resources, the USG resources, to bear against our adversary.
I’ve also found that, in the last few years – five years, perhaps – many countries have actually changed many of their cyberlaws. There’s been great coordination at the international level, in the European Commission and elsewhere – many international venues – and countries have started to change their laws because they see this as an emerging threat. It’s not only a problem with their citizens attacking U.S. interests, it’s a problem with their citizens that are attacking their interests within their own nations, and they see the reciprocity and they recognize the impact on their economies from the growing crime problem, where criminals who have traditionally worked in the physical world have migrated their tactics to the cyber environment, and that they’ve got to keep pace with that emerging threat.
So we’ve seen some great cooperation, great international coordination. We’ve actually deployed agents into five or six foreign police agencies, specifically to work these cybercrimes. Coordination is done with the FBI, with Interpol – we’ve got some of our agents that are deployed at Interpol with the Department of Homeland Security and others. But there is a, I think, a very big, growing coordination in international environment.
WING CMDR. PARKHOUSE: Great point. I think that the – this is one of the challenges of international (norms face ?). You know, just as the Council of Europe Convention on Cybercrime, you know, recommends, is that every nation needs to have a similar law that outlaws what you’re talking about. And nations have to have the capability to deal with it, especially when it’s down at the, you know – and this was sort of set up at the podium as I was rushing at the end – especially at the point of when it’s small, when it’s those first crimes that people start to do, those precursor thing, activities that people start to do. Nations have to actually focus in on that before it starts becoming an international problem.
Q: I’m Josh Burgess (ph), work as a cyberintelligence analyst for a miscellaneous government contractor. (Laughter.) We’re seeing with RSA and HBGary that everything is getting, you know, much more in the open. Cyberattacks are becoming much more prevalent, and they’re not – they’re not against little things here and there where they’re attacking, you know, government contractors who provide cybersecurity. So we’re moving the level – you know, in Air Force terminology, we’re moving beyond BDU-33s; we’re talking about Mark 84s at this point – heavy weaponry being dropped. What point are we going to start attributing, you know, at least announcing that we know who this is that’s attacking us, and start making a move towards, not mitigating it, but, you know, make a move towards doing something back?
REP. THORNBERRY: Well, I think that’s what we’re trying to move toward, and using some of the tools that the military uses to defend its own networks to defend other (networks ?). And critical infrastructure is what most people say we ought to start with. But it is exactly the sort of question you posed that I posed at some of my hearings.
So, for example, if Visa and MasterCard start getting attacked because of decisions they made regarding WikiLeaks, does the government have responsibility to help protect them from those sorts of attacks? And again, I think, we just haven’t grappled with some of these questions, and we are kind of inching our way that direction. So, for example, the pilot program that is just beginning would begin to defend some of the defense industrial base, using those kinds of tools. And then we have to look at all our – are our laws and policies consistent with defending U.S. companies and interests when they get attacked through cyberspace.
So I don’t pretend that we have all the answers, but I do believe, as your question implies, we need to be moving out, trying things, taking steps in the right direction to provide greater security.
MR. HENRY: I think it was Gen. Scowcroft who talked about defining the red lines, which is one of the major issues that was identified in the Comprehensive National Cybersecurity Initiative, and that is a critical policy issue. How do we define the red lines?
We talked earlier about – I did, and General Scowcroft – about the nuclear issue, and then we knew who our adversaries were: if there was a missile being launched, we knew who the adversary was and it was very easy to respond.
The attribution is a very, very difficult part here, and while we do have attribution in many attacks, the response that you – sounds to me that you’re recommending or suggesting requires almost certainty in a – prior to a response. And that is a very, very difficult issue, but it certainly is something that’s being discussed right now in the broad USG.
Q: Thank you.
Q: Hello, my name’s Mike Zebrelein (ph). I’m a digital investigator, also with a (cleared ?) defense contractor, which is a, you know, a very important element of our national defense, national security.
I want to key on – key in on the last word of the title of this panel, and that’s “deterrence.” I’d like to ask the panel why you think, over the past the eight to 10 years, deterrence has utterly failed with regard to the Chinese hacking threat pillaging our country’s innovation.
And what type of measures do you think would be effective enforcing our will on adversaries to ensure that that deterrence actually works. Would it be something with regards to challenging foreign denials of hacking attacks by actually providing our attribution intelligence and essentially shutting them up in proving to them that we have the knowledge of their activities? Or would it be such as, we’ll suffer through attacks and move instead from cyberdefense, which has failed in my opinion, to retribution-style attacks where we incur consequences, either from a political, technological, or economic means of employment as a way of deterring these attacks? Because right now, as a digital investigator, I see a tremendous amount of things, and in – as a personal citizen and a, you know, a member of this country, it’s extremely concerning to me and it makes me worry about our future in the next 20 years.
GEN. HAYDEN: I’ll jump in very quickly. There’s a lot of things to mention. I’ll just mention two.
One, deterrence, already suggested, depends on attribution. Attribution is devilishly difficult in this domain.
The second, most of which you’ve described, I would put in that box of stealing data: exploitation as opposed to bringing down networks through creating physical destruction.
Generally what I say when people bring up really malevolent actors – you asked of the Chinese – in stealing reams of data, I kind of respond more as the former director of the National Security Agency, I have to say – not that there’s anything wrong with that, OK? (Laughter.) CSIS did a study among first-world citizens with regards to who they feared most in cyberspace, and mostly had to deal with that one box – exploitation, the stealing of data. China was high ranking but not at the top. We were.
And so I guess what I suggest when folks bring that up is, adult nations steal information from one another, and steal my secrets, shame on me, not shame on you. It requires greater defense on our part.
Q: Don’t you think – don’t you think, though, that the term “stealing data” – don’t you think minimizes the impact that this is truly having on our economy? It’s gone beyond military and government but pervaded into our commercial sector as well.
GEN. HAYDEN: I don’t question that at all. Fundamentally, nation-states steal other nation-states’ information; it is accepted international practice.
Q: Well then, I guess the question would be, then, (what would be ?) deterrents?
GEN. HAYDEN: Oh, let me let other folks comment, OK.
REP. THORNBERRY: Well I guess I would say I’d think this is an area which I would perhaps classify as protection of intellectual property rights, where there could and should be greater international cooperation. That doesn’t mean you’re going to prevent every theft of information coming from wherever – and attribution is obviously a key problem here – but I do think, as the global economy has evolved, that through the WTO or some other mechanism, there has to be ways to put greater international norms and greater protection on intellectual property. And I think this is a way – this is one of those areas where international cooperation could be fruitful. Not that it’s easy, but it could elevate the standards a bit.
Q: Thank you.
Q: Hi, I’m Ellen Nakashima with The Washington Post. And I’d like to take us back to the Stuxnet case, which I think is a great case that we could even do an entire panel on. It’s sort of the red line moment; I think it helps us – could help us clarify some of our policies and our thinking. So my question is simple. If a Stux-like – Stuxnet-like attack were to occur on us and centrifuges were being destroyed, would you consider that an act of war? And if so, what sort of response would you advocate? And I’d like at least Generals Hayden and – General Hayden, maybe Congressman Thornberry and anyone else to weigh in please.
(Laughter, cross talk.)
GEN. HAYDEN: Me? (Laughter.) What was the question? No. (Laughter.)
Ellen, I wouldn’t begin to try to determine whether or not one would consider it an act of war. I just wouldn’t.
Q: Why not?
GEN. HAYDEN: No, I don’t have the legal background to make those kinds of – to make those kinds of distinctions. I’m sorry, there was another element to your question.
Q: If you did consider it an act of war, what sort of –
GEN. HAYDEN: Oh, no, I understand. The answer is, I don’t know. And the reason I can say that with some authority is we have no national declaratory policy with regard to this kind of activity against us. And frankly –
Q: Should we have one?
GEN. HAYDEN: Absolutely. Absolutely, and we should make it very clear I missed General Scowcroft’s comments but apparently he talked about red lines. In my comments I talked about – this is so new the big ideas haven’t yet formed.
I think a very good first step would be a national declaratory policy as to how we would consider – and then fill in the blank – but one of the blanks would be physical destruction caused by cyberactivity. And my instincts are the national policy should be we would consider it to be the same as physical destruction caused by physical activity. But we have not yet said that.
Q: Thank you. Congressman?
REP. THORNBERRY: I think that’s true. With the attribution problems that we keep talking about – if you can prove who did it, if there is physical destruction – then my inclination – trying to not be a lawyer here –
Q: You are one, aren’t you?
REP. THORNBERRY: I’m a recovering lawyer – (laughter) – and it’s been a long time since I really practiced law. But my inclination is if you cause physical effects in the country through cyberspace or dropping a bomb – the same effects – then it’s a similar sort of activity. But again the point I mention on the hearings that I’ve held this year is because I don’t think we’ve grappled with these questions.
What do we consider an attack, or what is an appropriate response; what is our policy for dealing with such things –
Q: What degree of attribution do you think we should have?
REP. THORNBERRY: Seventy-six?
Q: Seventy-Six point five? OK. (Laughter.)
REP. THORNBERRY: Yeah.
Q: And is there any type of response that you would rule out, or would you favor –
REP. THORNBERRY: No, I’m on the never rule out options team.
Q: Nuke them?
REP. THORNBERRY: So don’t rule out options – and the rest of the story is, mostly likely in an incident it’s not the only thing going on in the world. There are – there is another context to put this cyberevent in, and so part of the challenge is to look at that broader context and where this event fits in that.
And this requires some subtlety, a lot of information – best you can get from your intelligence organizations, although they may not have all the answers for you. And again, breaking it down by stovepipes is not the way we’re going to be able to deal with this. So I think that is some of the challenge that not only our government but other governments are going to have in the days ahead.
Q: OK.
GEN. HAYDEN: We’re going to be able to take only one more question.
Q: Thank you.
Q: Good morning. My name is H. T. Narea, and I’m a recovering investment banker. (Laughter.) So I understand the feeling. I spent about two decades at J.P. Morgan Chase but am having a very nice experience being an adjunct professor at the graduate School of Foreign Service here.
Given that background, my question is: In terms of the financial industry, which, as we’ve seen in the past few years, it is part of national security for this country, the interaction that a Cyber Command may or may not have – or should have – with respect to what goes on in the financial industry where a lot of it is really a digitized exchange of information crossing many, many borders – thousands, millions of times in any given second around the world.
And wondering what kind of policy the U.S. has with respect to that. Having seen your very clear statements yesterday on “Andrea Mitchell Reports” – which I appreciate, thank you very much – I certainly want to hear from you as well.
GEN. HAYDEN: I’m sorry – I mean, what are you specifically asking? (Chuckles.)
Q: Specifically asking is, what is our currently policy with respect to the – we’ll call it generally the financial industry – obviously being a very strong cornerstone of our economy – in terms of the cyber world? Simply because – far ahead of other industries, really – it has existed in a cyber environment for a much longer time.
GEN. HAYDEN: Yeah, OK, a couple of generalized observations since you threw the question specifically at me. Number one, I’m pretty comfortable with the statement: The market has failed. Market forces alone have not convinced American industry to do sufficient things to protect themselves. The best reasoning I can give you is by analogies. Last year in government we’re dealing with Somali pirates – an amazing thing in its own right – one of the first questions asked in the Situation Room was, what’s the private sector doing? And the answer was, the private sector’s paying $20,000 to Lloyds of London per hull and getting on with their life. In other words, they were accommodating the problem rather than attempting to deal with it.
Frankly, I think that’s a fairly accurate description of what the private sector is doing with regard to cyber threats. We are hampered in doing what you suggested by, I believe, overclassifying cyber-related information – not just in government, but in the private sector. In government it is truly classification, and this may seem odd coming from a former DIRNSA – director of NSA – but I think it’s badly overclassified within government. But industry is no better. Industry doesn’t share information enough to write – and industry, sometimes illegitimately, sometimes not so much, is reluctant to share information with the government.
If we’re to arrive at common actions based upon common policies, there has to be a common understanding of the problem and that requires far more transparency than exists today. So my first suggestion would be to open up the gates with regards to transparency.
(END)