Return to the event page for “International Engagement on Cyber: Establishing International Norms & Improved Cyber Security”






Transcript by
Federal News Service
Washington, D.C.

GREG RATTRAY: Morning, everyone. Everybody’ll settle in, get relaxed, you know. The first session was great. You know, hopefully we can keep that up on this panel and, you know, really want to keep the dialogue going, though. We do ask, with the first panel, a lot of speakers, try to keep on time. I’m going to introduce the speakers and then I’m going to make a few remarks myself and, you know, hand it off down the row.

So this morning’s panel two is comprised of Major General Koenraad Gijsbers – how close, sir? (Inaudible, off mic.) Good enough – from the Ministry of Defense at the Netherlands where he is the CIO and also has a national role in terms of cybersecurity.

Eneken Tikk, who is the legal advisor to NATO Cooperative Cyber Defence Centre of Excellence.

James Mulvenon, vice president of Defense Group Incorporated’s Intelligence Division, also chairman of the board of the Cyber Conflicts Studies Association.

Jeff Carr, Founder and CEO, Taia Global, and author of “Inside Cyber Warfare.”

And Andy Purdy, the Chief Cybersecurity Strategist at CSC and the former acting director for the National Cyber Security Division at DHS.

Our panel is entitled, “Cybersecurity, Economics and a Healthier Ecosystem.” Having worked with the panelists some, we’re going to cover a wider range of topics than that, but I do want to start off with some remarks to hopefully frame the dialogue. And really, in some ways, I want to start off with thanking Georgetown and the Atlantic Council for sponsoring the event and make sure that we try to keep the focus up on the notion of international engagement and, you know, forming norms. I think this is something that’s essential. You know, I hope the dialogue here stays on the international engagement and even the global nature of the problem and hopefully the remarks I’ll start with will help do that.

You know, I’m responsible for the fact that – I’m not responsible for that slide up there, which is probably not the right slide for this time – this time in the presentation. Could we try to get the slides I present – provided – up there? Let’s see how we do. I’m responsible for the notion of the ecosystem and the health aspect of the panel’s title, working with Catherine, on the event. And really I want to, you know, laud her bringing together such a distinguished group of people.

I’m saying a number of very positive things at the start because I’m intending to spend my 10 minutes saying a number of – hopefully – pretty challenging things that are not at all meant to be negative, but I really have some significant, you know, concerns in the sense that we need to put the right lenses on the problem, and I think General Hayden, you know, talked about the fact that we’re using comfortable, traditional lenses. And I’m concerned that we’ve actually got ourselves in a place that needs to change dramatically if we’re going to make progress, and I’ll make my remarks really on three portions of that.

So I know there’s some people in this room – one person is probably a close friend of the individual in the upper right-hand corner of that slide, who just looked at me – who knows that that’s Jon Postel. One guy used to run the domain name system for the Internet until the late 1990s. I make that point because the Internet was not designed for security.

Guys like Jon and Steve Crocker, who’s in the room, work a lot on trying to make the system more secure at a technical level, but we need to recognize that we’re working in an ecosystem that inherently was, you know, designed to connect people and be open. And I think the most important comment was made in the last session was made by the Georgetown student who tried to challenge the panel with the fact that this thing is vibrant and essential globally; security is a means to the end, not the end. So if we really – I want to start the discussion, at least my remarks, from that proposition. We talk about ecosystems a lot with cyberspace; we really need to start to live that talk and I think there’s three implications of that.

First, cyberspace is going to be risky. We want it to be risky. We want it to be open and interconnected. And then the question is, how do you deal with that fact? You deal with it by being the most effective risk manager. You compete. You don’t try to hunker down behind borders, you know, lose the advantages that cyberspace and the Internet have provided for us. You really want to get out there and try to understand why you’re using cyberspace, secure yourself as much as you can, manage the resilience aspect of the fact that you’re having to assume risk, and you’re going to win by making the best decisions about risk assumption that you can, not trying to make yourself completely secure.

Again, security’s a mitigation and a means to an end. It’s not the end, and I think competition is really going to be about effective risk management and resilience. That’s what – that’s in an ecosystem how the most effective organisms emerge. That’s how the most effective competition in business occurs, and I think we have to deal with the fact that in cyberspace, you know, that’s going to be the essential character as opposed to letting ourselves, you know, really focus on threat and security. Certainly, to risk-manage, you’ve got to understand your threats. And you’ve got to understand the controls that you can use for security, but we really need to focus on risk as opposed to threat.

The other – the second real concept I want to throw out to the group is response. And really response – and if I could get the next slide – response in the ecosystem is really about the conditions for multiactor collaboration, and most of those actors are in the private sector. Defense in cyberspace will not be dominated by governments.

Lots of discussion is about national policy and cybersecurity policies in order to, you know, to improve cybersecurity, but cybersecurity is conducted – and I do have a background as 23 years in the Air Force and working with General Hayden, and having a national policy role here in Washington for a few years in the middle of this decade – but governments will conduct certain sorts of activities, but most of cybersecurity – and certainly the defense of cyberspace – is going to be conducted by a collaboration of a number of the actors on the bottom of that slide.

I do want to mention the fact that this slide is a result of work I’m doing with a person named Jay (sp) Healey who’s also here. And Jay and I have been working a lot on looking at nonstate actors, which are usually considered from the kind of mindset of how threatening – and it’s true – cyberspace can make, you know, nontraditional actors, but are really missing the point that the most important aspect of nonstate actors in cyberspace is how ISPs collaborate with CERTs, collaborate with university researchers who actually understand where botnets are. And they share that information, at times work with the government, at times don’t work with the government, and actually remediate those threats. I use two examples. People here are better than I am at the first one.

Estonia was defended through a collaboration, you know, mostly of ISP and network operators that helped mitigate the botnet attacks that were prevalent, you know, in that event. The other event which myself and others in the room – Paul Twomey, who’ll be a lunch speaker – participated in was trying to mitigate the growth of the Conficker worm a couple years back. It was really a collaboration that crossed over a hundred countries, included collaboration with the Chinese, the Syrians and the Iranians.

And that was conducted – and had to be conducted – through private sector means because that’s where the technical people knew each other. The domain name system operators know each other in operational level and they could pass information that allowed them to try to slow the spread of the worm.

There’s also a downside to that story in the sense that that cooperation is hard to sustain over a long time and the fact that the worm morphed in a way that was not controllable through that collaboration when it went to peer-to-peer kind of growth. But the collaboration that worked almost had to occur outside of the governmental realm because it had to cross borders that aren’t easy for governments to cross, in terms of collaboration on cybersecurity globally when over 110 countries were kind of part of the necessary response of their country code top-level domains.

The third point – and I’m also getting close to my time already, and I want to set the right example – is cleaning up. Can I get the last slide? We really need to think about different models. We’ve started to hear this – certainly the leadership of Microsoft’s talking about a public health model, DHS just put out a paper in the last few weeks, talking about a resilient and healthy ecosystem – we need to look at public health and the environment as models for how we improve the ecosystem as a whole.

We’ve started to learn how to do this globally in realms that are similar, you know, to some of the challenges we face in cyberspace. I really, you know, challenge everybody to think about how we form a World Health Organization in addition to how we do treaties and law enforcement collaboration. All of those are important, I’m not saying one replaces the other, but we really need to think about an ecosystem and actually do the things it takes to manage it – an ecosystem – effectively if we’re really going to get ahead of the cybersecurity problem.

So, with that, in the interest of time, I think I’m out. I’m going to hand it over and have the first speaker talk.



So thank you very much, it’s actually great to be here. I heard some good news about the Netherlands already, had the Muenster peace in 1648 – (laughter) – you know, we teach you a lot, to be honest.

But the – we are going to talk here in this panel about economics, and of course the Netherlands has a great history of promoting economy all over the world. Actually, the start of — already in the 16th century where the East and the West Indies Company sailed over the world basically only to achieve one thing, is get richer in the Netherlands, but that’s – that is what was promoted.

What we have learned is that economic prosperity really comes with stability and security. So if you want to look at the issue of cybersecurity and economics you really need to have – to my opinion – a broader perspective on security in which the economy will be able to flourish if it’s going well.

So I have basically looked at the elements of national power to look at the security of a nation, and if you look at the different elements of national power you see they’re all affected by the cyberspace. If you look at the diplomacy – I don’t have to mention WikiLeaks here – but of course it very much affected the power that you could reach with diplomacy. If you look at the information or the social factors, that’s clear it’s at stake. In the military we really have to be better, and we are – as a military – being threatened, but we need to be able to keep the capabilities of course up. And the same comes for economic power.

So all these elements that traditionally were safeguarded – you know, we thought we had them, we could develop them, we could use them – that’s not automatically anymore the case. I think that is also an element that makes the world different with the cyberthreat that we see at the moment. And it’s not only nation-states that is the issue, because we all know that, for example, botnets can be developed by anyone. It’s on the Internet; you can look it up and do it. If you look at who nations use to be an actor on the Internet, it’s basically hacktivism. Have people that are promoted, supported or whatever to be able to do things to become cyberprivateers on the internet. So that’s very difficult to grasp. It’s very difficult to get to them.

So if you want to safeguard those instruments of national power, that’s not enough. You can also use them to be able to get this ecosystem healthier and — based on the global commons of Internet. And that’s important; the Dutch – European commissioner, Mrs. Smit-Kroes, she explained actually that 50 percent of the economic development of Europe is result of ICT – 50 percent – which means that a lot of it is at stake if you don’t safeguard that very well.

We believe this is not only a responsibility, of course, for the private – for the public sector, but the private sector, who owns all the infrastructure, or at least 95 percent of the infrastructure, has a really major role. And that’s the reason that we in the Netherlands have just developed a new cyberstrategy, but what is more important , actually an action plan. You know, we don’t want to wait; we want to take action in 2011. That is basically what is in the plan.

First of all elements in the plan is that we believe that the government – the government should be a promoter of trust in e-commerce. But the private sector needs to get its work done – they need to get more security and secure sustainable consumer trust in the cyberspace. Of course, that’s a responsibility for the consumer itself as well; it’s not only the private sector that has to do that.

But that means education, training, promotion of the elements that have to be developed and standards if necessary. We are quite reluctant, actually, to use standards too much, but if it’s needed then it needs to be done. So the government must effectively combat cybercrime, and you can only do that if you link to all those organizations. That is part of it. We’ve seen Interpol, police, whatever.

The third elements is that innovation is essential because the opponent is innovating faster than we are – so innovation needs to be implemented, and private sector is actually much better at innovation than the public sector is. So that is another reason why the cooperation with the private sector is vital. In the strategy we announced actually that in this year we will develop three new elements. We already have the cybersecurity platform CPNI.NL, which is a ISEC (ph) – multiple ISECs (ph) come together to share information of the vital sector – the banks, the whatever – on a secure level. That CPNI is an important organization that will increase its work.

In the cyberstrategy we are going to – we actually — we will set up a cyberboard, a national cyberboard, which is led by both public and private sector. So the leadership is by the national terrorism coordinator as well as the CEO of one of the major ISPs. So it’s a combined effort of the public and private sector and is responsible to the government directly.

And lastly, we are going to set up a cybersecurity center that will combine actually all the players in a coordinative role. Everybody will do its own, but they are all in the same house. And it’s not only civil – public and private – it’s also civil and military. My own center is part of that as well. So we are linked into that. And we believe that the armed forces can help there because the armed forces are actually pretty good at innovation and improving technology. And in the Netherlands, for example, I am the CIO of the Ministry of Defense but they actually appointed me to be the chief information security officer of the whole government because they think, you know, a soldier knows how to do that.

So that’s what basically we have been doing, and as a result of that we believe that because of the cooperative effort amongst borders – over the borders of the different organization is vital to get the cybersecurity right and is vital to get the economy growing. Thank you.


ENEKEN TIKK: It’s good to be back. Some people ask if I live here now or in Tallinn.

So I’m going to talk about – I’m going to talk about the rules today. And the country where I come from is mostly famous, these days, because of the 2007 cyberattacks that the Estonians have blamed on Russia. And if this is true, then Russia is the country that more or less created the job for me and four other lawyers working at the Cooperative Cyber Defence Centre of Excellence, because the 2007 attacks certainly triggered the activation – the activation of the center, which existed as a project already since 2003.

And I’m talking about it because I want to kind of give you the perspective I’m talking from. My mission – the center’s mission — is to enhance NATO’s cyberdefense capabilities, and my mission is to lead the legal and policy project to support NATO’s and the allies’ cybermission.

And that means that whatever we do at the center sort of needs to be balanced in terms of what we suggest as legal and policy solutions to the cyber problems. And it’s not possible to be an expert of 28 nations’ – plus partners – legal systems. So that means we deal primarily with the international law and conceptual thinking of – on the international legal scene.

Today, I’m here to address what has been addressed by some people before me, and these are the rules of the road, and maybe a social contract, and maybe also global concern about lack of regulation.

And to tell you the truth – I think I started attending cybersecurity legal conferences about three years ago, and the question that constantly keeps being asked is: Do we need new legal – new regulations on international level?

And I didn’t know the answer to that question. And one thing I did in order to be – say something about it: we started this research about what is currently, how much is currently out there that deals with legal and – cyber issues from legal perspective. And there is 400 pages of regulation that deals with cybersecurity on international level. We didn’t stop there. Then we started looking into: Do we also have case law? And there is 1,300 pages of case law dealing with cybersecurity on international level.

And the relevance of that is that we can’t say that on international level we are really missing something crucially. To prove my point, I – we did something else. We did something we call the 10 rules concept. And by the way, the – three or four others of this concept sit in this room, or stand or sit in this room today.

And so, I’m going to talk about the rules that are actually supported by the existing legal framework on international level.

And the point of talking about rules – and I know there is a challenge, sort of imposing rules, right, at the time where many people ask questions – but this is one of the – part of the – one of the (point ?) section. In this discussion of the – just the concept of 10 rules is about offering 10 solutions to 10 most challenging legal issues as a starting point for figuring out if the rules, if the existing law as it is, is good enough to take us where we need to go.

And so I’m not going to address all of the rules in very detail. All I’m saying is that the point of the concept is start discussion.

And discussion in the fields such as, for example, territoriality. Many say that cyber is a global concern, so we shouldn’t even bother to impose national laws on this. As a matter of fact, this is half-truth because, as Estonian case, Georgian case, many other cases recently have shown, we don’t even have appropriate responses on national level to deal with the full spectrum of cybersecurity reaching from, yes, internal breaches through cyberwarfare, and in touching up on cybercrime and national security (and other ?) cyberactions.

Then the second rule is about responsibility. And, if we like it or not, on international level there is – exists significant amount of law about how do we hold states responsible. And the principle is, if something is launched – is a cyberattack is launched from a national – from a nation’s territory, and the attribution is there, that first state will be held responsible for about this – originating from its jurisdiction.

Cooperation. Well, cooperation seems to be a common-sense rule, because due to the – due to the risk, due to the threats, due to infrastructure, we need to cooperate not only between nations, but also between governments and private sector, between different subject matter experts such as lawyers, military, policymakers, all the other people.

And cooperation, therefore, is not just a common-sense rule, but again, to look for the law, the existing law that supports cooperation, we can look at the NATO Treaty, for example, where Article 4 is – which is a bit less famous than Article 5 – talks about consultations and cooperation whenever the territorial integrity or political independence of nations is threatened. Similarly, such provisions exist in cybercrime convention, for example.

Self-defense, which is the topic of the fourth rule. It’s heavily debated area. But again, from legal perspective, we have a very clear rule. If – everyone, first of all, everyone has the right to self-defense when facing a clear and imminent danger. That actually occurs on two levels. From an international perspective, we can engage in self-defense when we are facing – when a country is facing an armed attack. In cyber world, that means an equivalent of an armed attack. What that is is not actually a legal question. And the person who made that clear to me is also in this room today.

So – and there is – exists another concept of self-defense which is now from criminal law, which basically says if somebody points a gun at you, you can defend yourself. That means that hacking back actually has a legal remedy if it’s justified in defense of an ongoing or upcoming attack.

Data exchange. Why I’m bringing up this topic: from legal perspective, there is a rule that many of us don’t necessarily like. And the rule is, first of all, data – especially in the European countries, but this is a concern worldwide – can be transferred to third countries under very specific circumstances. And as a matter of fact, today it is problematic to transfer IP addresses out of – outside of the European Union from European Union. That means, basically, information exchange about the incidents between NATO and European Union extremely difficult.

If you like – don’t like the rule, there is one way to get rid of it: That’s changing the rule, or making an exception. And that needs to happen on national level and can happen on national level.

The sixth rule is about duty of care. Again, it’s an old rule, nothing really new, and the point here is that we have exercised duty of care under legal regulations for ages. We know that if somebody processes personal data, this person needs to secure that data. We know that if you provide e-commerce services to consumers, you need to make sure that the appropriate securities is delivered.

Early warning is a seventh rule, which is about, actually, a Lithuanian case in 2008 where an ISP chose to inform its clients about an upcoming cyberattack, and thereby brought us back to, for example, the information – public information concept, which says a nation is obliged inform its citizens, its subordinates about the threats to their property, life or health.

Then, two further rules. Criminality, which is very well known to this country because about 10 years ago, the U.S. started – a bit more ago, the U.S. started to – discussions and they invoked the cybercrime convention. Now, we’re basically entering the second round of cybercrime convention where we just need to adjust the criminal policy in nations to actually use the same vehicle for politically-motivated cybercrime.

And the last rule in this package is the mandate rule. And the mandate rule is, again, an old truth, which says that every international organization, every public authority functions under its mandate, within the limits of its mandate. And it’s my suspicion that today, many international organizations have overlapping mandates and have gaps between their mandates. And that makes, in my opinion, many countries this day not the wisest subscribers to international legal framework.

Thank you.


MR. MULVENON: Thank you, Eneken.

My name is James Mulvenon. Every China specialist has to have a little red book. (Laughter.) Let me begin by saying thank you, first and foremost, to Catherine Lotrionte. You know, I go to a lot of cyber meetings in Washington, but this thing is clearly on a completely different level and that’s a real tribute to her and her energy and enthusiasm for this.

By way of introduction there’s nothing better, I think, than my Twitter profile. It just says: China, cyber, intelligence, craft beer and Michigan football – but not necessarily in that order. (Laughter.)

I want to make three quick points today that – related to this topic of which Greg and I and others have been deeply engaged, it seems, for a long time. The first is that – is the battle is clearly joined for the future of cyberspace, both at the state and nonstate level.

I mean, I have a vague memory in the past of a time where John Perry Barlow was writing about how governments had no authority in cyberspace and this was going to be, you know, a completely new domain without sovereignty. I remember a time when our worries about intrusion sets were Chinese hackers taking down the public webpage of and Taiwan hackers putting Hello Kitty animated logos on Chinese government websites. I mean, that was – that was the sum total of the gravity of our concern. You know, oh, halcyon days.

But we’ve clearly seen the evolution of this network from basically a fun, interesting plaything to the key linchpin of the global economy, some huge percentage of our GDP in innovation and dynamism. And all the dependencies and interdependencies that go along with that. We’ve also seen a shift, in my view, from a government perspective, of a benign toleration of this area for playing around to one in which there is a very determined effort on many levels, I think, to – what I call the re-sovereigntization of the internet.

Now, I was an author of a global commons study at CNAS with Abe Denmark and Greg and Jay Healey and others, so we clearly were arguing about whether or not cyber was a global commons, and it clearly had very different features than some of the other global commons.

But some very important facts, I think, that a number of governments have worked up to in the last five to 10 years as these dependencies were created, which is the fact that every node, every server, every router is in the sovereign boundaries of a nation-state. Even every submarine cable which traverses the so-called commons is owned by a private company or a public company which is then subjected to the incorporations and laws of the state in which – the nation-state in which it was incorporated.

In other words, the entire architecture we’re talking about – there is no part of the physical, technical architecture that is not bound up in traditional, legal notions of sovereignty. And as such, governments then say, well, we have these enormous security problems and we have this enormous percentage of our innovation and economy that is riding on this – we need to reassert our sovereignty.

But at the same time you have this countervailing trend of the WikiLeaks and the Jasmine revolutions impeding and saying, well, no – for a long time this was a – this was a place where we could enjoy privacy, we could enjoy anonymity, we could talk about how we like to run around in the forest and paint ourselves blue and shoot bows and arrows at people and do all those things that we wanted to do on the network. Don’t impose authentication and encryption and signatures – don’t force us to go to true name, you know; you’re taking something away from us.

And that was certainly a message in the Middle East, which is: This Internet, this Twitter, this social networking environment, this belongs to us. This does not belong to the governments. And yet the governments were saying, we have kill switches. You know, we’re going to tell Vodafone to just turn it off.

You know, and so this – in my view, the battle has finally been joined for the future of this. And on the one hand you have the Barlowites who say, you know, that just because the architecture is bound by sovereignty doesn’t mean my actions are bound by sovereignty, and on the other side you have the Benthamites, you know, who really want to have the panopticon; they want to build the perfect prison. And we see countries all around the world building an increasing mesh of a surveillance state with biometrics and CCTV and network surveillance.

I mean, for those of you who haven’t seen the video that the Dubai general director for state security put out about the Mossad kill team that went in and killed the Hamas guy in Dubai, what was astonishing about it to me was the extent to which in such a short period of time they could piece together an entire video narrative of every single member of that kill team coming into the country, surveilling the recon teams at the hotels, the kill teams getting off the elevators – all because of this ubiquitous CCTV surveillance state that have been put up. And that is increasingly the norm.

My second point is, as a China person, I have to talk about the fact that in many ways the Sino-U.S. relationship is a microcosm of this conflict that I’m talking about. We all know about the intrusion set, we all know about the militarization of cyberspace on the Chinese side and the relationship between that and the standing up of CYBERCOM and everything else.

And Jim Lewis, under whose wise leadership I’ve been participating in a U.S.-China cybersecurity dialogue – we’re beginning to have a conversation with the Chinese side about some of these issues. But what it’s really surfacing is how in many ways we’re on opposite sides of many of these discussions.

The U.S., through its benign sponsorship of ICANN and other organizations, I would argue, is a status quo power in many ways in this discussion. And very uncomfortable with some of the elements of this re-sovereigntization, although in other areas, counterterrorism and others, we certainly have sought to exploit some of those – some of those relationships for the benefit of U.S. national security.

I would argue that the Chinese government by contrast is a revisionist power in this environment. Whereas we favor globalization, they’re pushing a centrally planned form of mercantilism that seeks to use IT standards globally as a trade weapon, rather than allowing, as we have in the past, IT standards to develop through a relatively apoliticized process involving IEEE and ISO and others. The Chinese side views this very much in the process of developing indigenous innovation from a central planning perspective.

The Chinese government has made it very clear that they have no use for the Internet Governance Forum and would love for the authorities of ICANN to be transferred to the International Telecommunications Union under the U.N., which is obviously a state-based forum, that would give less voice to the nongovernmental organizations and other pesky do-gooders, in their view, that would seek to maintain these zones of privacy and anonymity on the network.

My third point would be that while it’s easy for us to continue to focus on the latest outrage in the intrusion set, if we want to think strategically rather than tactically we really need to move to what I’ve been calling the long game. And the long game is really the things that are going on where we’re more or less engaged that really are going to define what the architecture looks like in 20 to 25 years.

Many policymakers here in Washington I think have finally woken up to the dilemmas we face on the supply chain side with regard to information technology products – again, I’m not a military historian but I’m trying to think of another example in which in a new dimension of warfare, one major adversary is completely dependent on the supply of the weapons of that domain from another adversary.

It’s as if during the Cold War the only source of uranium in the world was in the Soviet Union, and we were negotiating to trade with them for uranium so that we could build nuclear weapons with which to target them. The fact that every electronic device in this room is made inside the nation-state of a country that has clearly shown itself to be a major nation-state cyberadversary to the United States, either at the espionage or at the military level, is very troubling and yet there are no easy solutions because, again, of our embrace of globalization versus their revisionist embrace of neo-mercantilism.

Second would be, and related, is export controls, which we have sought in the last couple of years under this White House to reform – but to reform in a way that allows greater trade rather than looking at some of the issues that we’re talking about. We continue to struggle with the Chinese side on the CFIUS issue. You know, I personally if I’d been a Chinese trade official I probably would not have tried to allow Huawei to buy 3com as a first foray into Chinese ownership of major U.S. companies – as watch the entire U.S. government going into paroxysm with the idea of Huawei owning infrastructure and technology in the United States.

But even at a higher level, the Internet governance issues that I mentioned with regard to whether we continue to support the ICANN model or whether we want to move to a more state-governed model like the ITU.

And then finally, the longest game of all, the use by the Chinese side of IT standards as a trade weapon, the pushing of inferior technological standards that have already been rejected by IEEE and ISO – but nonetheless using their market access and leverage to force multinationals that are assembling and building their equipment inside of China to integrate them with these – with these inferior standards as a way of distorting the very development of global IT standards. And then all of the corresponding downstream implications of that for either the strength or the weakness of the architecture we’re trying to build.

So those are my three points, and I look forward to the Q&A. Thank you very much.


JEFF CARR: Hello. This is really a sort of mind expanding experience for me, because when I was writing “Inside Cyber Warfare” I referred to James’ work, which is – and he’s one of the best in the world at what he does, and also Eneken’s work on the legal issues surrounding the attack against Estonia. And unfortunately I’m not – I don’t know everybody else on this panel – but it’s – but it’s – Catherine did such a fantastic job. And thank you so much for inviting me to participate.

I would give you my bio but I can’t tell you the names of any of the people that I actually work with, so there’s really no point in doing that. Although you’re welcome to – I think there’s some generic sort of thing on the table outside. I will tell you that I’ve had the distinct pleasure of having my blog at Forbes killed by the – probably the most powerful man in Russian Internet industry with a single phone call to Forbes. And that was all it took.

I also had the unique experience of being the subject of a spear phishing campaign against U.S. government and military employees when I wrote a blog post about how Russia was – Russian hackers were sending out a spear phishing attack. Normally sent for financial gain, this time sent for obvious espionage reasons to U.S. government employees. Within 24 hours a new spear phishing attack went out under my name saying, beware of this spear phishing attack. (Laughter.)

Just two weeks ago I got an email from someone who I mentioned in my book, another Russian entrepreneur who actually set up the domain. This was one of the command and control points for organizing Russian hackers to attack Georgian government websites during the Russia-Georgia war of 2008. He was – he owned the business which sold the domain name.

Which brings me to one of the points that I wanted to make today, which is cybersecurity and economics. That platform at wasn’t hosted on a Russian server; it was hosted on a U.S. server, a company called SoftLayer Technologies in Plano, Texas. Plano is also the home of The Planet.

Well, between The Planet and SoftLayer Technologies they host significant amount of malware that’s distributed by foreign actors, malware that can be done for any number of purposes. And I was hoping that when the congressman from Texas was up here this morning that someone might ask about this very touchy problem, which is, we have many, many U.S. companies, some of the biggest in Texas, but California, Michigan, other states as well, which are making millions of dollars every year by selling services to foreign actors without any verification of credentials, without any verification of the way that they make their payment.

You literally today could go online, buy a server at The Planet in the name of Barack Obama, charge it to whoever happens to be sitting next to you’s credit card, and you’d be online in moments. So this is a very, very serious national security issue because we are hosting within our own country the platform by which attacks are being conducted. And there’s – there doesn’t seem to be the political will, because of the economics, to do anything about it.

Unfortunately, it doesn’t really stop there. You all know about Huawei, obviously I’m sure everyone in the room knows that name, but how many of you know about a company called Huawei Symantec?

Well, and that’s essentially why I wrote the short paper that’s available outside or via email. Huawei Symantec is actually a joint venture that was set up, 51 percent ownership by Huawei, the headquarters are in China, and they’re literally in the security business. They provide security architecture, security hardware and they sell it under – it is its own company, HS.

You can go to their website,, and find some really incredible stuff. For example: Huawei Symantec Technologies, a leading provider of network security and storage appliance solutions to enterprise customers worldwide.

Well, if the name Symantec – and I know Symantec is a sponsor, Catherine; I’m sorry, I didn’t know Symantec was a sponsor when I wrote – when I took this tack, no offense for those of you that are here that are employed by the company.

But attaching your name to a Chinese company’s name that’s selling security solutions benefits the Chinese company. It gives credence; it gives a certain sense of security. There’s a 2008 corporate briefing deck prepared by Huawei Symantec, it’s available online. On slide 12 it specifically calls out that the company is going to be building China’s first laboratory of attack and defense for networks and applications. And that is a direct quote.

I would love to have some more detail about how Symantec is helping the Chinese government build a lab that has to do with attack and defense. Could be perfectly innocent, but at the very least, it’s questions like these that need to be called out, you know, and companies need to be more forthcoming.

And if you’re an information security leader, like McAfee or Symantec or RSA – the recent attack against RSA, it could be catastrophic, nobody really knows because they haven’t been forthcoming even to their own customers, at the least the ones that I’ve spoken to. They haven’t really been forthcoming about the depth of that attack.

And it’s why? Because it’s about economics. If you lose money, board of directors might get sued. If the board of directors gets sued, then you’ve got a shitstorm. You are – nobody is going to walk away from that.

And companies are making decisions based on economics today that are putting substantial risk to U.S. national security interests. Speaking of Huawei Symantec, just recently — this is within, I believe in March, in the month of March – they formed a new partnership with a company called Force10 Networks. Force10 Networks is a U.S. company; they sell to the U.S. government. Specifically, reading from their website: “Force10 Networks sells products to defense, intelligence and civilian agencies.” Well, they’re going to be selling Huawei Symantec devices and hardware.

So prior to my coming here I sent them an email, I sent the contact – I found their press release, they had contact information, turned out to be a senior director of the company – I said: I’m speaking here today; I’m very concerned about this relationship that you have with the Chinese firm and particularly that you’re selling to U.S. government, intelligence and military customers. And what are you doing to vet what you’re selling?

And the response was, one, we are in full compliance with whatever the current laws are. I mean, that’s a pretty much a standard CYA response, you know, we’re in compliance. And two, we’re not doing any engineering, we’re just selling, we’re just marketing. As if somehow that is less, you know, serious.

So when Huawei is blocked by buying 3com or when they had to walk away from 3Leaf, or when the NSA told AT&T they’d lose government business if – well, sort of lose government business – if they consummated a deal with Huawei, and Huawei realized it needed to change its strategy, it came up with this really brilliant strategy, which is, sell though U.S. companies to U.S. customers.

I mean, it’s – and you all don’t even know, nobody – and that’s the – a friend of mine really sort of created CFIUS. I mean, he didn’t create it, but he built it up during the Bush administration. I sent him a copy of the paper to review and even he didn’t know about it.

I don’t want to stay only with China, because it’s really not just a China issue. Russia has its own way of doing this sort of thing. And the predominant player, as an example, is Intel. Intel has been doing business in Russia for a long time, they’re currently with a – they have a lab, and I am terrible with pronunciation so I’ll give you the – it’s the – NNGU is the name of the lab – or it’s the abbreviation for the lab.

It’s basically part of a department of radio physics; it’s at a Russian university. The lab itself is in a building that’s – everyone knows is controlled by Russia’s federal security services, the FSB. The lab is performing research which is of critical interest to the FSB. Again, this is very well known. And the research is overseen by an individual, a Russian scientist, who has performed work in the past for the FSB.

So there’s literally no question that this is a lab with absolutely zero security when it comes to protecting their source code, their research, whatever it might be that’s proprietary to Intel from the Russia security services.

In addition, Russia has this unique law that was recently passed. It’s Article 15 of the FSB code. And I’m going to read it to you the human – this – we did a human translation just to make sure it was accurate – but basically it says that any physical or legal body in the Russian Federation – this includes a foreign company that’s doing business in Russia, like Intel – that’s rendering mail services, telecommunication services of all kinds including systems telecode, confidential satellite communications, are obliged under request of the FSB to install into their hardware additional equipment and even code, and to comply with the request of the Russian government to do that. And this needs to be, in my opinion, addressed as well.

My time is up. Thank you, Greg, for letting me know. And I’ll look forward to your questions.


ANDY PURDY: It’s a pleasure to be here. Time will tell whether we’ve been in this conference before. I think what we’ve heard so far is a good sign.

There are thousands of points of light promoting cybersecurity in the United States, but still we as a nation are failing to protect American national security interests in cyberspace. If we continue to do what we’ve been doing, although we may prevent the day that there’s a digital Pearl Harbor threatening the United States, if we don’t act we will lose the intellectual property, we will lose the competitiveness of the United States to our competitors, our adversaries. We must take a more strategic approach to these issues.

There are some heartening examples of people leading the good fight, and I’ll miss some of them, but Greg Rattray’s efforts, Paul Twomey’s, Tom Kellermann’s, Jim Lewis, Melissa Hathaway, Charlie Croom, others. We have to stop having the same conversations over and over again. We must learn what is the reality of the risk that we face, we need to articulate what we as a nation need to worry about and what we need to do about it.

We have not articulated the strategic national priorities of the United States. We have not set goals, objectives and milestones so that we can track progress, we can measure success. We have not done it. Our nation, our Congress, our leadership has not stood up and made it happen. I’m encouraged by some of the thinking – the DHS paper that Greg Rattray talked about, “Enabling Distributed Security in Cyberspace,” that Phil Reitinger lead, the ecosystem approach – that to me is the roadmap that we as a nation, the public/private partnership, have to go down to drive real progress.

But we have to look at the challenges that we face and the terms of what are the opportunities for us in the way cyberspace works to drive real progress. But in terms of our national interests – and I understand we’ll have the international strategy for the United States will come out very shortly. Hopefully it will promote the national interests of the United States..

Our colleague mentioned a national cyberboard. We have too many thousand points of light. We can’t focus on what we need to worry about and what we need to do about it. We need to articulate those strategic priorities and have a steering committee made up of representatives of the government and the private sector to set those priorities, those goals, those objectives and those milestones so we can track progress. We can achieve success, and we can facilitate accountability.

We talk about the comparisons to nuclear war. The fact is, there are norms of behavior in cyberspace now that we have to use. Let’s not just jump to the arms control model of governments imposing solutions. Let’s look at, let’s learn from those norms of behavior that ICANN and others have been trying to use. Those relationships between customers and the host, between customers and their Internet service providers and between the ISPs.

When I was at DHS, we had an instance where China CERT would cooperate in investigations that we did. We had examples where ISPs in China – and I’m told this has continued – ISPs in China will cooperate when there are requests to identify malicious activity. Eneken talks about her point too about responsibility. We’ve got to use the current norms of behavior, the responsibility, because if an ISP is told there’s malicious conduct, they’ve got to do something about it. And that is the thing that we’ve got to build on in terms of the existing norms.

We’ve got to start gathering information, not just sharing information about the bad guys. We’ve got to share information about where the attacks are coming from. And we have to look not just at the question of who is ultimately behind those attacks, because that’s tough. We have to look at the enablers in cyberspace. We have to shine the light of day and gather the data to identify those enablers, and focus: Are they on the side of making us safer, or are those enablers that are on the bad guys’ side? We need to make them choose sides in cyberspace and we are not doing that.

Our efforts to be reactive – yes, we need to do more reactive things like the response to Conficker, more reactive things in terms of law enforcement. But we need to come together and say, look, this ecosystem approach – we have to bring the government and the private sector in a true partnership because the private sector needs to do a lot more than identifying cyberincidents that they can complain about.

The private sector needs to be part of an effort – and the best model I know of is the Financial Coalition Against Child Pornography – where law enforcement, Internet service providers, financial institutions, came together to develop a strategy. We need a cyberstrategy against online malicious cyberactivity that tries to address and identify a roadmap for addressing the frequency, impact and risk of malicious cyberactivity, and we use and focus on the enablers to help us do that. We look at the absence of requirements, the Kumbaya aspects of the public/private partnership, and the same things holds true for the malicious activity piece.

For the public-private partnership – I was in another session yesterday where people were saying, oh, we need to share information better. We need to tear down the obstacles for sharing. Oh, well, the private sector now has a seat in the NCCIC, the National Cyber (sic) and Communications Integration Center. No, we need to say for the National Cyber Incident Response Plan, what are the requirements for this nation? What’s the information we need and from whom? What are the obstacles to get them? And let’s set the path to get the information that we need.

Years and years are going by, and we haven’t gotten the information for the common operating picture of the United States. What are the capabilities we need to be able to share, public and private, for the analysis to understand? What are the capabilities we need for a response and for recovery? You look at what the telecom industry did with government after Hurricane Katrina. We need that in cyberspace to understand what is necessary for the key sectors of our economy for situational awareness.

What is necessary for our ability to analyze, to understand what’s happening? What is necessary for us to have an effective response against the most significant threats to the United States? And what is our ability, as requested by the Business Roundtable in 2006 and never – and it never happened and nobody ever looked at it again – hence the need for a national steering committee. The idea of what are the requirements, the capabilities and the contract vehicles if there’s a major disruption in the United States as to how we’re going to bring the capabilities that this nation needs back online. Those kinds of requirements are absolutely essential for us to drive significant progress in helping to address the risks to the United States. Thank you.


MR. RATTRAY: I think with that passionate statement, we’re ready for some questions.


Q: I’ve got an easy question. I’m John Mallery, a research scientist at MIT CSAIL.

So when I think of cybereconomics, the first thing I think about is, how do we incentivize what I call the IT capital goods industry to produce higher assurance systems in an environment in which most decisions are based on cost considerations, which they can be measured, and we have poor metrics for the cyberassurance side.

And I guess the other small detail is that if we look at the current industry and look at the host – there’s an interesting quote by Paul Karger, one of the top security people in the United States, who recently died – where he was looking at the current Internet and said even the best systems that we’ve built in the past, like Multics, were not secure enough to put in this environment. And yet the ones that we have put in this environment have had standards which have been reduced due to, really, industry pressure. So that’s kind of the environment – how do you prevent the business models from exporting end security, which then we’re all dealing with? And this is pretty much focused on remote access. The key penetration factors we know how to get rid of, we know about privileged escalation, so I just ask the panel in general if they have some thoughts on incentives and how we might work that.

MR. RATTRAY: John, that was a challenging question especially since we actually don’t – I think have every – any economists up here. I’ll take a stab, but Jim’s – you want – did you have something?

MR. MULVENON: Yeah, well, I would just – the thing is, we were discussing norms earlier, and I think there’s an economic linkage to one of the norms that’s being bandied about that I think is important at least to raise again for discussion, which is the norm that says that whether you’re a company or you’re a university or you’re a country, that you’re responsible for remediating the hostile packets that are leaving your boundaries.

And that if you’re told by a responsible CERT that there are hostile packets emanating from your network, that you need to remediate that, and if you don’t, the economic remedy for that is to be dropped in the peering relationships with others until you do.

And if you’re a company and you’re dropped – this is Woody’s idea from Packet Clearing House, give credit where credit’s due, you know, one of the wizards that helped fix the Estonia problem – he said, look, if a tier one provider is dropped in the peering relationship because they’re refusing to remediate the botnet or whatever that’s operating in their network, they will cease to be able to guarantee bandwidth to their commercial customers and they’ll go out of business. So they have an economic incentive to actually clean up the swamp in their own network.

Now, some people would say, well, that would require deep packet inspection, it would invade user privacy. But they can just as easily turn around and say, well, that violates your user terms of agreement. You’re not allowed, you know, we didn’t say you could run a botnet on the server that you’re leasing from us.

And so that’s a linkage in my view between – it doesn’t address John’s question about technology side, but it does address the network dynamic. It links a norm, you know, which I think is a very powerful idea of a norm, to the economic underpinning that makes it a market-based policy solution and therefore potentially viable in an environment where so much of the infrastructure is owned by the private sector rather than controlled by governments.

MR. CARR: Also, just quickly, the entire information security industry is broken. There’s really no other way to describe it. Companies are spending more and more money on security, breaches keep getting bigger and more dramatic. The companies had to build an industry, an anti-virus, IDS/IPS, firewalls, every other type of security that you can imagine – all of these are not fulfilling the mission. And nobody is holding them accountable.

So I think that probably the first step is to hold the information security company accountable for what they delivery.

MR. RATTRAY: Just a quick thought, and Jim, I’m glad you distinguished – I mean what you discussed, and I completely concur with is, you know, economic incentives around network – you know, behavior on the network as opposed to what I’m going to provide as a very unsatisfying answer to John’s ( question on, you know, the security of the technologies.

I think two things really limit that, right? First is, the complexity of those technologies I think make them very difficult to secure. You know, the millions of lines of code, the dynamics by which they interconnect, you know, makes it hard to run down everything securely. I’m not a technologist or an economist, but my sense from 15 years of the ecosystem getting more and more difficult to secure with more and more money going into secure coding and engineering – it’s just the dynamics are difficult at the technical layer.

The second thing is the economic incentives to connect are just huge. We’re going to mobile banking. Is that secure? No. Is there money to be made? Hell, yes. Which is the dominant economic incentive? The bank security officers, I tell you, are scared but their CEOs, their CFOs and their marketing guys are like, if we don’t go there our competitor will. Prove to me that the risk of not going into mobile – I mean, not going into mobile banking affects my bottom line. They can’t. They can see the economic incentives to go there, they know the code’s not ready, they know the technology’s not ready, but the drivers are forcing them there.

And I — you know, John, I just don’t think we’re going to make a lot of progress in the big picture, the 25-year long view that James talks about, through technology. We’re going to have to manage risk and we’re going to have to be resilient as a consequence.

MR. PURDY: I do think there’s a missing piece in terms of technology that we as a nation really ought to take advantage of. And that’s idea of creating an innovation sharing initiative that looks at the incentives from the other side. Make it easier for people who are consumers to find really good technologies.

So if you can share information on the security requirements and what – to what extent the technologies can meet those requirements, there will be continuous process of improvement. And you look at some of those efforts of NIS (ph), with the enterprise risk management, the continuous monitoring, those things really tie into the ecosystem idea. And it also ties into the idea of you can make it easier for the folks who run enterprises to manage those enterprises and save money while they do it.

MR. MULVENON: I mean, I’ve got 14 AV programs running in my company network, each of which usually finds 10 percent of the malware. That’s ridiculous. (Chuckles.)

MAJ. GEN. GIJSBERS: There is – is it working? Yeah.

There is another issue though, because you know, it’s interesting that you all talk about rules and whatever, and norms, but I think if people don’t buy it, it’s – you know, if people buy the stuff that’s not good enough because it’s cheap, it will not be improved. So I think it’s really an issue of the awareness of the users. It’s not bad enough.

For many companies we see that in the Netherlands, that the awareness of, you know, the economic effect of not having good internet protection, good connectivity in their networks is really, you know, this is the cheapest way to do it. And they don’t see the impact is still there. So I would suggest that making clear what the risk is that they run both to the customer, the civilian customer at home, as for companies is an important piece to be able to improve it.

And I don’t think rules will help too much because – especially in the European, you know, I can buy Internet stuff from all over Europe. I don’t have to go to the Netherlands. I can go to Belgium, to France, to Germany, to whatever. It’s the — so I think you really need – the economic principle needs to be there.

Q: Good morning. I’m Gladys White, I teach cyberethics here at Georgetown in the liberal studies program. I’d like to thank the entire panel for a wonderful set of presentations, but my question goes specifically to Dr. Mulvenon. You struck a contrast between Bentham and Barlow, and I’m assuming you were talking about Jeremy Bentham. Could you elaborate a little bit on the contrast that you were referring to and its implications? Thank you.

MR. MULVENON: Sure. I struggled with whether I, you know, should go for the easy one and just say Orwell, but the problem with – you know, the John Hurt movie is one of my favorite movies and, you know, they’re all destitute, right? It’s the – it’s the poverty of socialism in the movie, so this is not a dynamic – whereas the Chinese believe that they can create a dynamic in which they can have economic prosperity and a surveillance state at the same time, so that’s – you know.

But Bentham was all about efficiency, and this – you know, so it’s an incomplete metaphor. But the panopticon – and this room is a panopticon for me. Particularly the guy back there with the camera, because as – those of you who’ve seen his design of the perfect prison, it has the tower in the center with the tinted windows, and then the cells are all in a circle around the tower and there are large windows on the outside, so that none of the prisoners can see whether the people in the tower are looking at them but the guards in the tower can see the silhouettes of every prisoner. So it’s the perfect prison.

And it’s very much like the telescreen in “1984” or the various surveillance devices they had at RAND when I worked there to make sure that we were all reading shelling (ph) every day and doing all the things we were supposed to do – (laughter) – contractually. But the – you know, but it really gets to this idea of how the Chinese set up their surveillance system because it – you know, you read in the paper all of this incredible FUD (ph) and mythology about Chinese Internet censorship.

And you could just as easily insert Saudi Arabian, Burmese, whoever you want to put in there – that somehow there are 30 (thousand) or 40 (thousand) or 50 (thousand) or a hundred (thousand) or 200,000 Chinese people staring at screens. But in fact, the elegance of how they set up their censorship system, in a perverse way, is that they set up an environment where people are encouraged and incentivized to self-censor and self-deter because they don’t know whether the telescreen is on. But they have to act as if the telescreen is on. That’s the beauty of their model.

And so – and then random sporadic enforcement with very, you know, egregious punishment that then sets in motion the whole “sha yi jing bai,” “kill one to warn a hundred,” or kill the chicken to scare the monkey kind of dynamics internally.

Whereas Barlow was very much a libertarian model that said, you know, we just want information to be free and everything else.

Q: Thank you.

MR. MULVENON: No, my pleasure.

Q: Good morning, my name is Dave Smith. I’m the director of the Georgian security analysis center in Tbilisi, Georgia. I’d like to thank all of you for wonderful presentations. I have a couple of questions that I’d like to direct to Mr. Carr, who for those who don’t know is sort of a hero in Georgia.

Mr. CARR: (Laughs.)

Q: So – (chuckles) – Mr. Carr, first of all, I’d like to ask sort of a specific question. You alluded in the brief time that you had to obviously the collusion of the Russian government, particularly the FSB, with various organized crime networks. There is a famous or infamous one, the Russian Business Network. I wonder if you could say a few words about sort of what happened to them, how did – did they morph into something else, what indications do we have that the same guys are doing the same things in another guise.

And the second question is just to follow on some of the discussion that we’ve had here, some of the remarks made by Dr. Mulvenon, and Mr. Purdy, and you alluded yourself. We have a situation here where we’re not going to have like-minded nations around the world. The gentleman from Interpol this morning was talking about 188 countries, but those 188 countries aren’t all going to cooperate on this. You’ve just named two who are particular culprits, and those are really big countries. And we’re talking about state involvement here, we’re not talking about hacktivists – hard to prove, but we’re not talking about patriotic hacktivists here.

How then shall we be saved? What would you recommend to the international community of, let’s say, those countries that are like-minded? What are the steps legally, financially, even militarily, if you like, or extending the military into cyber? What should be we thinking about? What should we be doing about this?

Thank you.

MR. CARR: (Chuckles.) Well, that was a – that’s an easy question. (Chuckles.)

So, the RBN is a (course ?) constant curious organization. In fact, my colleagues and I suspect that – well, we believe that they’re still operating, but not under the name RBN. But the, you know, the infrastructure, the bulletproof hosting, is all still intact and, in fact, we suspect that they’re headquartered in the Netherlands currently. So, the – but again, it’s a theory, you know.

We also believe what – and this is, I think, a key point – is that they’re equally comfortable operating in China and in Russia. So a lot of times, when you see Chinese IP addresses being used in certain types of attacks, it could easily belong to an RBN, or a former RBN organization, not necessarily China. Bottom line, though, I think, is a – they simply have become a part of Eastern European organized crime or Russian organized crime.

Regarding your second question, the – I don’t have a lot of hope for the – for the – for the Internet as it is – as it exists today. And the bottom line – my bottom line advice, when I’m asked to speak on it, is that in order to protect your critical infrastructure, you really need to sort of start from the ground up and have a dedicated – a dedicated network similar to what maybe is being used by CERN or other particle accelerator labs. It’s built with secure code, it’s built with secure practices, there is a trusted supply chain involved. You really do need an – and that network would be a – would require a high degree of access, of security in terms of access, completely separate from the World Wide Web, you know, that we have today.

Short of that, I don’t have any hopes of seeing these problems get resolved.

(Cross talk.)

Q: May I just ask a quick follow-up question about the RBN people, in their new incarnations in – with East European crime network and the Netherlands and China? Are the connections with the security services in Russia, particularly with Prime Minister Putin, still there?

MR. CARR: Oh, yeah. That’s the handshake deal that’s been around for years and years, and most people who follow Russia would agree and say it’s a sort of a brotherhood of convenience. If you – you help us, we help you, and otherwise we leave you alone. So yeah, I think it’s still a big part of Russia’s planned – and that’s why they won’t sign on a – any international law enforcement treaties, Russia won’t sign.

MR. RATTRAY: I wanted to provide a perspective on, you know, working with the Russians and the Chinese, and the – that there is an – I think there is a lot of opportunity for collaboration.

I just came back from the Asia-Pacific CERT meeting which has 18 countries and 44 computer emergency response teams. There – the Chinese are there with the Koreans and the Japanese and the Australians, and, you know, A, they collaborate very well. But one of the most interesting aspects of it was to watch the Japanese, the Korean and the Chinese team go off to sign a second – you know, to draft a second version of a cooperative agreement they’ve had since 2005 to share information on political hacking, which occurs all the time between those countries, so that those incidents don’t escalate international security incidents, and – the CERT teams are trusted to go, yep, that’s just the political hackers going at it again over some territorial disputes so that the governments – and believe me, Japan and China are not allies – when it comes to a national security situation, they find a space for collaboration.

I guess – I’ll also make the comment that they did this all in English. So when we think about cyberspace, we might think that that’s a good thing in that the lingua franca of cybersecurity is English. The challenge for us is, they know what we’re thinking; do we know what they’re thinking? Because I certainly couldn’t have figured out the conversation of what was going on in any other those teams at that table, so –

MR. MULVENON: I would also say that the cooperation between like-minded countries is also a key point – part of the norm I described earlier. I saw Michael Markov (ph) earlier, who was the Sir Edmund Hillary of international cybernegotiations, and, in terms of harmonizing countries’ laws and things so that we could extradite people and we could – we could have parallel discussions and make sure those organizations are set up, and yes, it is easier to do with like-minded countries, with the European countries, with NATO and other people.

But if you set up, if you have that norm established within that group, which is a pretty serious economic block, and then the knowledge is that, you know, that you want to invite people into that norm, that they just – here are the rules, here are the things you have to adhere to, here are the laws you have to harmonize, here are the organizational structures you have to set up, here’s the POC list we need, such that it becomes increasingly valuable from an economic perspective to be in that club rather than outside of it, that you don’t want to be the leaderless Afghanistan sanctuary, you know, for terrorism, you know, you want to be the place that’s recognized as part – as inside that norm circle.

And that’s how you incentivize people to come into the norm. It’s because they see who is already in it. And so, starting with the easy cases, starting with the countries with whom we have like-minded concerns already is the way to, then, sort of create the snowball effect, in my view, to push that norm.

MR. PURDY: There’s also a system of enforcing the norms, so that, if people don’t play, you can stop letting them play. You don’t keep them from (playing ?) from anybody else. As part of the ecosystem concept, the idea of saying, if somebody is going to abide by the rules, they’re going to have special kinds of privileges. If they’re not going to play by the rules, you’re going to get more scrutiny to what comes in. So, for example, a local area university – we have – it’s not just protecting ourselves or launching an attack against somebody. A major university in this area, blocked all email traffic from that university, because the university was not taking seriously cybersecurity. And if you have certain countries that don’t take it seriously, we can, in effect, blacklist, or we can whitelist – you know, countries, ISPs that do cooperate. That’s part of our arsenal and that’s part of an arsenal that we’re not – we’re not using adequately.

Q: Hi. My name is Amanda Pulaski (ph). I’m a reporter with – inside the Pentagon. And I just had a really brief question for – I’m not going to say your name right, I’m sorry – but Ms. Tikk, you talked about NATO Article 4, and I understand that in international circles there’s sort of a debate between whether Article 4 or 5 should be applied to cyberwarfare scenarios, or both, and I was just wondering if you could maybe speak to that, and shed a little light on that, or what your perspective is on that issue.

MS. TIKK: The legal perspective to that issue is pretty simple, actually. Article 5 is the only one of the articles – and actually, the one – the article that is applicable, potentially, to cyberwarfare, simply because it’s applicable as a trigger of collective self-defense, in case there is an armed attack against one of the allies.

The thing is, in practical world, that means that today, up to – up to now, we haven’t had the opportunity to even discuss the applicability of Article 5, because we haven’t really witnessed those incidents that we have so far witnessed. Have not reached, or present to the threshold of a cyberarmed attack.

Now, Article 4, on the other hand, is applicable throughout the spectrum of cyberthreats. That means potentially also to cybercrime. So if NATO countries see that there is a particular type of cybercrime, or certain issues that are not, for example, faced, or solved by other international organizations such as EU, and they need – they want to consult and then cooperate to make data exchange or investigations tighter between them, they have the authority to do so under Article 5 – sorry, under Article 4. And the same is also true for cooperation that goes for incidents of cyber –national security relevance, that, again, do not reach the threshold of an armed attack, but they are types like Estonia, Georgia, that trigger a kind of play at national security limits.

Q: Thank you.

MR. RATTRAY: All right. We have time for one more question and probably a brief answer or two.

Q: I’ll make my question quick. Again, my name is Juan Ricafort and I’m a student here at Georgetown.

I guess we’ve heard a lot today about deterrence, retaliation, attribution. My question is about something we haven’t heard a lot about, which is resilience, and hearing, specifically, Mr. Purdy’s and Dr. Rattray’s comments about the need to look at this as an ecosystem and reducing vulnerabilities – the ability to recover and to control the amount of damage that is done by any incidents that are executed on the system. It seems like a lot of what we’re talking about here is sort of this emergency management idea of building systems that are resilient and are able to recover.

I was – my question is, should resilience be the central pillar of national cybersecurity strategy? And if so, what can we do to maximize that resilience? Thank you.

MR. RATTRAY: I will agree with you that I actually do think resilience is probably the most important pillar. It’s got to be as part of an overall strategy, but certainly the logic I laid out is, you’re going to have challenges, you’re going to have disruptions, you need to be resilient in response to them.

I think there’s two layers to that. You can improve the overall ecosystem’s resilience by removing, you know, some of the threats, the botnets, that the system as a whole, as it gets healthier, you know, I guess it’s implied it’s more resilient as that regard – in that regard. But every kind of – down to the individual layer, but certainly at the enterprise layer, more of cybersecurity has to be about agility and response, and probably less on the notion of, you know, castle walls, and preventing bad things from happening.

(I don’t ?) know if others – I’m sure others have perspectives that –

MR. PURDY: I would just add the issue of online theft of intellectual property, I would add to the resilience. The action by nation-states and by nonstate actors who are proxies working for nation-states is a huge problem that’s not being addressed adequately in this country.

MR. MULVENON: And I would just say, finally, that there’s been a major mindset change, which I think is a positive thing, which is one from, you know, higher walls, deeper moats, wider minefields, from one – particularly within people I deal with in DOD – a recognition that it, you know, that we have to have whatever the buzzword of the day is: defense in depth, active defense, fight through the intrusion, fight through the attack.

The old SOP was just to simply take the network offline and go through with a nit comb looking for Trojans and backdoors. Well unfortunately, that impedes the mission, it fulfills the adversaries’ objective. We have to operate our networks like I operate mine, knowing that there’s potentially compromised hardware and software inside the network. That I – you know, this goes to John’s question about technology. I know there is compromised hardware and software inside my network. Whether I create virtual encrypted enclaves, whatever I’m doing, I have to be able to operate within a compromised network. You know, we can no longer entertain the fantasy of having a clean network.

And so that’s where resilience, to me, is absolutely critical, because that’s the only way to operate that kind of network is through resilience priorities rather than perimeter security.

Q: Thank you very much.

MR. RATTRAY: All right. I think we have to bring this to a close. I’m sure it’s late, we need to go get lunch, so we thank the audience for a very interactive session.