THE ATLANTIC COUNCIL OF THE UNITED STATES
INTERNATIONAL ENGAGEMENT ON CYBER:
ESTABLISHING NORMS AND IMPROVED SECURITY
PANEL 4:
NATIONAL AND GLOBAL STRATEGIES FOR MANAGING CYBERSPACE AND SECURITY
PANEL CHAIR:
FRANKLIN KRAMER,
STRATEGIC ADVISORS GROUP,
VICE CHAIR, ATLANTIC COUNCIL BOARD OF DIRECTORS
WEDNESDAY, MARCH 30, 2011
WASHINGTON, D.C.
Transcript by
Federal News Service
Washington, D.C.
FRANKLIN KRAMER: Thanks very much. Everyone who’s here sticking out the entire day certainly deserves a drink. We will try not to stand between you and that drink for too long. (Laughter.)
I want to just make a few points and then get to the panel, because the panel has a whole lot to say. You saw what the title is, you know, national and global strategies. And I’d like to leave you with a couple of questions to think about as you hear each of the panelists.
The first is, when you think national and global, are we just talking nation-state or are we talking something beyond that? Non-state actors, entities like ICANN, businesses? Whose strategies are we talking about?
Second point is, is a good national strategy the same as a good global strategy? And that probably depends on whether a country or an entity is thinking about something you might call a global public good, as opposed to an enterprise or an integrated good just for the entity itself – the difference between, if you will, growing the pie and getting the biggest share of the pie.
Third question is, strategies for what? What are we actually trying to talk about? Are we talking about use? Are we talking about protection? Free speech? Economic growth? Stability? And do all the arrows point in all the same direction? And if they don’t, which is almost always the case with any set of issues, how do you prioritize and value the different parts?
Fourth point is, can you really have just one strategy or do you have to break it down into sub-elements? Is it the same thing, for example, to think about defense and other security issues as it is to think about strategies for business? Are the issues of national security the same as the issues of crime? And what about, again, the (use ?) sets of issues?
We heard a little bit – little dispute here – I don’t know if John Nagengast is still here, but Mike Hayden, John, whether or not there was a market failure. My own view about that is, of course there’s market failure. There’s always market failure. That’s not a surprise. All that really means is what you learn in economics 101, something about economic diseconomies. You don’t really have an enterprise having the same issues as a nation as a whole. That is not a surprise. It is a market failure. Maybe John and I are just doing definition. Doesn’t mean the companies aren’t doing well; just means that their job is not to solve the larger problem for the country.
So then the question becomes, OK, if that’s right, how do we solve it? And a lot of discussion already about public-private, et cetera, et cetera.
What hasn’t happened here, and it regularly doesn’t happen – I spoke at Black Hat, and some of you heard Jeff at lunch, who founded Black Hat, whatever. Black Hat, pretty much technical discussion. I was the only policy guy, and gave a keynote. Here it’s pretty much a policy discussion, no technical parts.
It’s a mismatch. We need – I used the words and – before, we need a wonk-geek interface. I’m a wonk. Jeff’s a geek. We need to have people talk about that, because we need to figure out what are the policy ramifications of some of the geek sides of issues. So what are the – you know, for example, if you think using safe language is a good idea and it has some value, et cetera, et cetera, how do you put that into a policy framework? Or should you?
Or we heard a number of discussions about botnets, what Microsoft can do, other people about what ISPs can do. Well, there’s a technical part as to how you do that, and then there’s a policy part about who should do it, who pays, what are the liability issues, what are the ramifications. How do you put those together?
We heard a little bit about resilience – way too little, as far as I’m concerned. But if you create systems that have, so to speak, a gold standard and the like, where do you have to put it? Do you – and who pays? Do you need to put them with – for example, into the industrial control systems of your critical infrastructure? And is that a problem that a company CEO should care about?
I had a CEO say to me, well, I understand why I should protect myself against criminals. But why should I protect myself against a nation-state attack in China? Isn’t that what the government? Well, that whole public-private partnership and what the strategy ought to be I think are the questions.
So with that, let me turn it over to the panel. We got a great panel. Michele, if you want to start it off; Mary Beth; Gao; Alex; and then Jim, of course, will finish, because Jim can do anything. (Applause.)
MICHELE MARKOFF: That was a great introduction, but I’m not going to talk about any of those things, so. (Chuckles.)
MR. KRAMER: That’s always what happens when I raise issues.
MS. MARKOFF: (Chuckles.) I hope you’ve all awakened and had your cookie and your water. And I’m going to talk from the vantage point as a diplomatic practitioner. And I’m on the front lines of the international cyberengagement piece. And from that viewpoint, it’s very clear, if the last two weeks have not made that clear, that cyberspace has created a powerful new dimension in an already restless world where an – the international environment is increasingly complex, dynamic and, for many states, highly destabilizing.
So traditionally reserved and unresponsive governments are literally shell-shocked at a technology that enables powerful and rapidly changing coalitions of citizens to challenge them, even as they themselves struggle to harness information technology for traditional statecraft. And recent events will only serve to heighten that unease.
And it goes without saying, much of cyberspace use is productive and promising, where instant communications melt barriers between cultures and give voice to the previously unheard, where the web opens untapped markets and has become an economic driver of dramatic proportions. But much use is increasingly threatening.
From where I sit and what I do, most notably in the last few years is the rise of a significant nation-state threat and the first efforts to project traditional forms of state-on-state activities, including conflict, into cyberspace. And certainly General Scowcroft talked somewhat about his views on this, and so did General Hayden and others. And while some have argued, and may continue to argue, that cyberspace is a borderless global commons and that sovereignty is a quaint, 18th-century notion, I would venture that you should think again: that cyberspace begins and ends with a server sitting on someone’s sovereign territory, and that it will be states that will have to act in this arena.
After Estonia in 2007 and Georgia in 2008, the fact that some number of states have military or other network operations programs is hardly a revelation. Hardly a day goes by now that states aren’t reportedly either engaged in searching unprotected information for advantage, stealing intellectual property for commercial or intelligence purposes, monitoring enemies or pre-positioning tools for an as-yet-unplanned battle, or even subverting the IT supply chain.
So it’s hardly a stretch to imagine that state actors with significant capabilities could turn cyberspace of the near future into a free-fire zone where exfiltration and disruption are the rule, public confidence is diminished and governments are increasingly concerned that their national security is threatened. Even the command and control over forces may be in jeopardy, with potential consequences that cannot be easily ascertained in advance.
Moreover, the unique attributes of information technology make the response strategies anything but straightforward. And I’ll repeat the basic mantra of cyberspace that you’ve heard in one form or another today: our inability to attribute identity to an attacker in real time or with high confidence renders most deterrent strategies futile, since most decision-makers will require both high-confidence attribution of the identity of an attacker as well as the sponsor in order to respond decisively or even to go so far as to accuse another state.
The potential to use skilled criminals as witting or unwitting proxies for cyberdisruption, which I believe will be an increasing trend, further complicates attribution, offering a state actor total plausible deniability.
So ultimately, two options emerge for decision-makers, both of which are undesirable: Decision-making paralysis or simply lashing out blindly.
So while the lack of attribution and the multiplicity of threat actors make Cold War forms of deterrence inapplicable, some modest forms of deterrence may be possible through a variety of overlapping, mutually reinforcing strategies, which include better defenses, nuanced declaratory policies, and what I intend to discuss today, establishing norms of acceptable state behavior in cyberspace.
So in designing an effective strategy for this threat environment, our challenge is to figure out how to foster an international system where like-minded states coalesce around generally agreed norms of acceptable behavior in cyberspace, finding economic and other social benefit in a predictable, stable environment, with a – and with a stake in opposing those who would destabilize it.
So let me be clear first what I do not mean by this. I am not talking about an international treaty instrument, but rather envision, as a general model, the Proliferation Security Initiative: a voluntary regime whereby like-minded states so deplore the destabilizing threat of WMD proliferation that they act together to prevent it.
In essence, what we must envision is a system or model of cyberspace stability, and provide the incentives for the international community to engage in the conduct needed to maintain it. Disruptors would be penalized through collective response and hopefully deterred to some degree by that prospect.
And I would just, as an aside, say that this is not – you can analogize to the Cold War period. After the invention of nuclear weapons, deterrence did not rise up over a day. What we did was inculcate the Russians with our views of what would, in fact, create a retaliatory response. We need to do something similar now.
This will not be an easy task. Over the last few years, the international community has become increasingly polarized in its approaches to cybersecurity writ large. Over the last two years, Russia, aided by China, has strenuously wooed the non-aligned – which are the G-77 states, which are not 77 but now 132 – in a collaborative approach, actively promoting a universal treaty instrument with a triad of elements. They would propose an arms-control ban on what they call information weapons to denote the fact that content such as mass propaganda would be covered. They would impose sovereign controls over politically destabilizing speech, or what they call information terrorism, which would affect the Uyghurs, the Chechens and others. And they suggest a cybercrime instrument sometimes they refer to as “CEO Lite,” which would be less onerous than the Budapest convention.
Taking this polarization into account, the U.S. in 2010 began to advance a vision of a normative framework for state-on-state behavior in cyberspace in a United Nations First Committee–sponsored group of governmental experts. And we sought to define common ground that might address fundamental concerns about state-on-state behavior in cyberspace.
And at the first meeting of this group of 14 nations in Geneva, which included Russia, China, India, Brazil, U.K., France, Germany and other – Israel, the Russian chair asked questions that many countries are asking: What are the rules of engagement in cyberspace? How is the U.S. likely to behave? Who should be held liable if an individual in our territory does damage to your territory? Are industrial information infrastructures legitimate targets?
So the U.S. position was designed to address these concerns, as well as others, by establishing a foundation for what we hope will become a consensus view among all like-minded states on the basic norms of behavior that pertain to cyberspace, in the context of conflict or hostilities.
So the U.S. contribution to the U.N. group divided norms of behavior into two categories: those domestic steps that we say national governments should take systematically to defend their national information infrastructures – what Anakin Teague (ph) would have called the “duty of care obligation” – and those norms of behavior that apply to state-on-state activity. The former we had stressed for years, but we had never articulated those norms that we, the United States, believe apply in the context of hostilities.
So in the GGE, the U.S. put itself formally on the record as stating that, notwithstanding the unique attributes of information technology, existing principles of international law serve as the appropriate framework within which to identify and analyze the rules and norms of behavior that should govern the use of cyberspace in connection with hostilities. In particular, jus ad bellum and jus in bello.
Thus, the United States has stated internationally that the same laws that apply to kinetic warfare apply to cyberspace.
Importantly, we also noted the limits of our current understanding of how such principles may apply, since it may be difficult to reach a definitive legal conclusion whether a disruptive activity in cyberspace constitutes an armed attack, triggering the right to self-defense, and that much additional work needs to be done in this area.
Nevertheless, we stated that, under some circumstances, a disruptive activity in cyberspace could constitute an armed attack.
On self-defense, we noted that the right applies whether the attacker is a state or non-state actor, and that states are required to take all necessary measures to preclude their territory from being used for cyberattack purposes.
With respect to jus in bello, as we interpret these principles, they would prohibit attacks on purely civilian infrastructure, the disruption or destruction of which would provide no meaningful military advantage. And in addition, the potential for collateral damage would have to be assessed before attacking a military target, just as it is when using kinetic weapons.
We also addressed, newly, the concept of the use of proxies – that is, the witting or unwitting non-state actors that act on behalf of state or other non-state actors and afford them plausible deniability as a subject that creates new challenges for states that must be addressed.
And then lastly, the U.S. suggested that over time steps need to be taken to address issues that could be problematic during conflict: the ambiguity of rules of engagement; the possibility of misperception, leading to escalation; and the general lack of predictability of state behavior through some thought-out confidence and risk-reduction measures.
Quite unexpectedly, 13 of the 14 states present, including Russia, were supportive, to one degree or another, of the U.S. vision of international cyberstability based on generally agreed norms of state behavior. Only for China at that time was it a bridge too far. Ultimately, however, we emerged from the GGE with a short, modest, but valuable consensus report that points in a fruitful direction for further collaboration. Key among the recommendations was that there should be further dialogue to discuss norms pertaining to state use of information technology in order to reduce collective risk and protect critical national and international infrastructures and that further steps include consideration of confidence-building, stability and risk-reduction measures to address the implications of state use of information technology, to include national exchanges – to include exchanges of national views on its use in the context of conflict.
This has had far-reaching implications so far. U.K. Foreign Minister William Hague’s speech at the Munich conference last month proposing a conference on norms; the French, the Germans and others; norms has now become a subject for discussion, as it should be.
We have no monopoly on the best ideas in this area, and the U.S. will continue to pursue eliciting views from states in a variety of different multilateral international forums. There will be another GGE in 2012, at which we hope to unveil a further development of the U.S. position. We’ve had a very productive bilateral in the last three weeks in Moscow with the Russians where we have actually agreed on certain confidence-building measures, including crisis cooperation and communication measures to CERT activities and other things which had heretofore not occurred.
So we are hopeful that we are being able to shape the international environment in a way that we, the U.S., can lead, and think is a useful track forward.
And thank you. I will stop there. (Applause.)
MARY BETH MORGAN: Good evening. Thanks for sticking with us. My name’s Mary Beth Morgan. I’m with the Department of Defense OSD policy cyber office. And it’s a pleasure to be here today. I’d like to thank Georgetown and Catherine for her great efforts in organizing this. I think over the course of the day a lot of the issues and the level of complexity has really been brought out to this – to these challenges that we face in cyberspace.
And a great deal of them, or all of them, really, are what we’ve been thinking a great deal about at DOD, our concerns, everything from deterrence and declaratory policy to supply-chain risk management to how we can better work with our private-sector colleagues so that we can provide for better cyberdefense writ large.
So today I’m going to keep my remarks fairly brief so that we can get into the question-and-answer period. And I just kind of want to give you a broad brush from a Department of Defense perspective of how we look at the international engagement piece.
For DOD, as this conference really has demonstrated, you know, in cyberspace, a risk to one is a risk to all. No one nation has a hundred percent complete situational awareness at any one time of what’s happening in cyberspace. So if we as a department are to be successful in defending and providing enhanced security in cyberspace, we must build international partnerships both bilaterally and multilaterally. And it has to be a U.S. government effort and a whole-of-government approach if we’re going to be successful. So we’re very closely working with the Department of State as well as DHS as well as the national security staff.
Given the importance of cyberspace to the department’s – to our ability to conduct effective high-tempo military operations in the 21st century, Secretary Gates tasked our office with developing a comprehensive strategy – cyberstrategy for the department. I’m pleased to say we’re in the final throes of coordination on that within the department, and it is up to the secretary’s office for his review and hopefully approval in coming days. And this is a critical aspect of how the department will kind of organize, resource, train and equip itself going forward.
Service members assigned around the world, whether it’s at the Pentagon, from Stuttgart to Afghanistan to Japan, rely on resilient, reliable information and communication networks with assured access to cyberspace. The department runs some 15,000 networks with 7 million devices, serving some 2 million users around the world. When I first came into my position, I was told that DOD networks are probed roughly 250,000 times an hour. And when I heard that, I thought, I’m sorry, you misspoke, or I misunderstood. No, that number is correct. So as you can see, our challenge from a departmental perspective is great. And it’s a great microcosm of what we’re facing writ large as a nation and as a world.
So as we’ve worked to develop our strategy, a key foundational element of that strategy is engaging international partners of all kinds: nation-states, private sector, and, most importantly, in the multi-stakeholder forums that help govern and develop the architecture for the Internet.
As I stated earlier, cyberrisks and challenges demand new international partnerships to mitigate them. Risk in cyberspace is not accepted; rather, it can be transferred in the blink of an eye. And we are only as secure as the weakest link. We believe that engagement with our friends and allies promotes shared awareness, which leads to enhanced early warning and ultimately and over time can enhance and enable collective self-defense in cyberspace.
Bilateral and multilateral exchanges inform our common understanding to address these challenges, effectively priming discussions on norms of behavior in cyberspace, which Michele was referring to. We must work with our partners to develop these international norms, and we need to look for ways to develop confidence-building measures that serve to minimize the miscommunication that can lead to escalatory behavior.
In an interconnected world, situational awareness cannot stop at the boundaries of our networks. Only by working together can we increase our knowledge and ability to anticipate threats, vulnerabilities and intrusions. The speed that defines cyberspace will not allow us to face the new challenges as they arise. We must put mechanisms in place today so that we can respond to those threats in real time tomorrow.
One example of our efforts is at NATO. Our close collaboration with fellow member states will increase cybersecurity awareness across the alliance, harden the NATO networks and thereby provide a stronger IT infrastructure for NATO activities and operations.
Beyond these traditional military partnerships, we’re also looking to embrace new approaches to how we develop these – our international engagement. What this means in practice is that when we engage friends and allies on cyberdefense and cybersecurity, we are doing so with our colleagues from across the government. Cyberrisks imposed on sectors beyond defense – such as transportation, finance, critical infrastructure – and the dynamic nature of cybersecurity requires us to have close cooperation with our interagency partners. A whole-of-government approach, we firmly believe, provides foreign partners with a more comprehensive understanding of each of our department’s efforts and underscores how those efforts are complimentary and serves to reinforce our overall U.S. cybersecurity goals.
For instance, we coordinate very closely with the Department of Homeland Security and other agencies when we work with foreign partners to explain the difference. It’s important to note that, while DOD is responsible for the .mil domain, DHS is responsible for the .com and the .gov. But in the event of a large cyberincident, DHS may request assistance from the Department of Defense. And given the department’s role in providing defense support to civilian authorities, we must build these close relationships with our interagency partners in order to be prepared to assist if and when called upon.
So to help prepare and plan for such contingencies, the DOD and DHS signed a memorandum of agreement last fall to exchange experts that will help streamline in – real-time communications and coordination between the two agencies. We’re still at an early and a nascent stage in doing this, but this is a very important step forward if we’re really to be prepared moving forward.
It also demonstrates the U.S. government’s robust activities to our international partners, especially as DOD works to promote shared awareness, early warning, and this concept of collective cyber self-defense.
Turning to the topic that the third panel covered a little bit, in the globalized economy – and, in particular, the globalized information and telecommunications marketplace – it provides another huge challenge for the department. Engaging also means engaging with the private sector, and we have to factor that into our international relationships. Not only is our cyberinfrastructure owned predominantly by the private sector, but a globalized supply chain means that more and more of our key capabilities and technologies that we as a department and a nation rely upon are coming from overseas. For instance, the proliferation of counterfeit components will require multilateral efforts to reduce risk and assure quality. Continued and enhanced engagement in the multi-stakeholder standards bodies is also important to the future of cyberspace and ensuring interoperability.
There’s large questions surrounding how we as a government and a department can work with the private sector to share information on a real-time basis. And in John’s presentation he highlighted that, of the problems of the legal aspects of government and industry sharing that information. So that’s a challenge that we’re trying to work through with our colleagues from DHS as well as the Department of Justice.
So in sum, the challenges in cyberspace that we’re facing are cross-cutting and dynamic. And we have to be agile and we have to work across and through the traditional stovepipes, whether in DOD, across the U.S. government, as well as with the international community. And we have to find new ways to develop creative solutions.
Thank you, and look forward to your questions. (Applause.)
FEI GAO: Good evening, everyone. Thanks, Georgetown and Atlantic Council, to have me today. However, I am not expert on cybersecurity, so I only can do a general view on China’s policy on cybersecurity.
The first: In past 10 years, China’s Internet growth really fast. Its growth, about 10 times in the number – in the terms of number of the Internet user. The total number is about 457 million people use Internet now. And 90 percent of people, they are broadband Internet user. And the Internet penetration rate is also getting higher, especially in the (east ?) coast and the west Uyghur autonomy.
Chinese life right now, more and more depends on Internet. Different – (inaudible) – already established their government website so the people can easily access this website to have some government service. And also, in past few years, online business increased very fast. And more than 40 percent middle-sized and small enterprises right now has reached the Internet.
And partly because China’s Internet developed very fast, there are some – also leads to some – (inaudible) – and problems. The more Internet user, the more troubles in Internet. And it’s also – faster growth means it’s very hard for the Chinese cyberpolicy to catch up with such fast growth of Internet user. And the switch of broadband also means increased range of things the people can do online, both something good, both something bad.
And Chinese enterprises right now, really totally new. And the garment enterprises, they like the experience to cooperate with other to deal with the new challenge.
And a lot of people have talked about, if you track the hack attack, you can find a lot of hacked attack come from China. But actually, China also biggest victim of hack attack. In 2007, on December, there is, according to the statistics, the bot-infected things in China is twice more than United States. It’s about 1.6 million computer with software, the bot infected.
And sometimes the hack attack from China actually – the hack may be not in China. They only use some slave computer to attack other country or other computers. And according to China ministry of public security’s statistics, 80 percent of computers in China have suffered botnet attacks. And more than 95 percent Internet server experienced different kind of hack attack. And on September 2009, three thousand five – more than 3,500 were suffered malware attack. And more than 200 of them are government website.
And in China, the cybersecurity facing a lot of challenge, both domestic challenge and external challenge. Domestic challenge partly because the most – more than – it’s about 60 percent of Internet user are under 30 years old. So this age, people, they like to challenge the authoritarian, different kind. So some people, it’s very easy to find some hack program to learn. And also, for the young generation, I still remember my generation, when we came to the university or the school, that they arrange a lot of class for us to learn computer. But now, the young generation – without learning anything, but they can use computer, even – easily become a hack.
And external challenge also really serious. In most botnet cases in China, the controller was found to be locate(d) abroad. And moreover, more than 80 percent of the cyberattacks targeting websites of China government agencies came from overseas. And today’s China facing some dilemma on cybersecurity issue. The first is – it’s a balance between the economic and the technology innovation in cybersecurity. Because the technology elites, they dislike more and more restriction against the free flowing of Internet. So how to keep the balance between the security issue and the economic development and the technology innovation issue, that’s pretty difficult.
The second is the political development on the cybersecurity. As Chinese, we cherish the Internet: provide opportunity for us to develop our own civil society and to provide opportunity for China to develop our democratic system. But the question is, the cybersecurity (getting ?) serious if the government involves, this precise, as well not good for the civil society development. Not good for future democratic construction.
The third is the international communication and domestic stability. In – actually, in China, we know we’re facing some international challenge. But also, the biggest challenge come from our domestic society. Because China is still developing country, so many contradictions in our own country. So sometimes, especially in some – China also suffered some terrorist issue. Some group in China is a terrorist group, but in United States maybe not. So how to balance the international communication and the domestic-security issue is also another challenge.
For this reason, in China – China’s policy towards cybersecurity, there are a lot of weak points, I think, although China already has more than one hundred laws, regulations, on the different – on the national and local departments level. But today’s China still hasn’t systematic cybersecurity strategy.
Today’s China, it’s very clear we also look hard at cybersecurity, because the Internet play more and more important role in China’s economic development and political development. So how to make sure the (safe ?) of Internet – of Internet is also very important; I think is already in the agenda of China government. But the – but the question is, different government department only focus on different issues. The – there is no coordination among them. I think in the future, policy construction is very important – (inaudible) – trying to coordinate different department of the government, coordinate their policy, and also develop laws and regulations – of course, also including technical standards, and continuously intensify their efforts on network security to deal with network security problems.
And for the last, about the China’s policy towards international cooperation. China’s policy is very clear. In China – China’s strategy is development. We know, as the biggest developing country, our country has a lot of troubles, but how to settle this troubles, both politically, both economically? The only way is to develop our country – not only develop our economy, but also develop our political system, and also social system. And in cybersecurity respect, I think it’s very clear: China and other countries, especially United States, both two countries, we experienced military conflict and political dispute, economic dispute for pretty long time. And it’s very clear, in the future, for both of our two countries, facing the same challenge. And we have the same common interests in the cybersecurity – in the cybersecurity respect.
So I think for China’s policy, it’s clear, to cooperation, to make the (safe ?) of cybersecurity is our priority. China and the United States, we already experienced some kind of military race. We cannot spread that to the cyberspace. So I think that there is no other choice, only cooperation. Thank you. (Applause.)
ALEXANDER KLIMBURG: So good afternoon. I don’t really care what anyone says; being the penultimate speaker on such a long session is really quite a challenge. So I’m going to have to speak very, very quickly to cover a lot of ground. If I go too quickly for some people, please ask me afterwards or maybe we can catch up on questions.
First of all, I can’t skip what I think is an essential introduction. Everything in cybersecurity, in cyberspace is marked by ambiguity. We don’t even have a common way of spelling cyberwar, let alone a definition. If this doesn’t tell somebody something, then nothing will. We have no common actors. Between non-state and state, there’s a world, a galaxy of different actors that can sometimes be both things at the same time. We have no common definitions in terms of whole of nation, which we’ve been talking about all day. Even whole of government sometimes doesn’t even mean the same thing.
Information warfare? Ask three specialists on cybersecurity about information warfare and you’ll get four opinions. Cyberpower, which is – which is actually the – one of the things I’m talking about today, has been actually defined a bit better, but that’s also not completely clear.
The only thing I’d like to say is that cyberpower is not information warfare, in my opinion. And just to remove one personal ambiguity, I am speaking today as a member of an Austrian think tank and not as an advisor to government, so everything I say is, of course, my personal opinion and not the opinion of the Austrian government.
I also want to put – point one other thing out while I’m at it, is that sensibilities are not, also, always the same. So while my research might appear slightly offensive to some parties, no offense is, of course, meant. This is just what my research has led me to.
Cyberpower was defined recently by the National Defense University, so we actually got quite a bit further in the last two years. Just to be very brief, cyberpower has two definitions, and according to the definition that Frank did, first of all is a warfighting domain, which he talked about very often today, but also, it’s also something that works across the instruments of power. The instruments of power can be diplomatic, informational, military, economic.
And for me that’s a really interesting question. How does it work across these different instruments of power? Because that’s not something we’ve talked about very much at all today. I think one of the things we have talked about, however, are things like whole of government. Now, whole of government is something that comes from a public-policy point of view. So this is not international-relations theory. This is public-policy theory. And this has been around for about 15 years. Whole-of-government approach, for instance, has given birth to interesting concepts in stabilization operations or conflict-prevention operations or other good stuff that’s been around in the security frameworks for about 10, 15 years.
For instance, there’s something called 3D approach, defense, diplomacy, development, for those people who have been to Afghanistan. The whole-of-system approach has also been defined. That is, for instance, the joint horizontal effort of national and international actors working in conjunction across international borders.
A comprehensive approach in NATO, for instance, is such a – such an example; but also the 3C approach, which is very popular in the international-aid community. That means coherent, coordinated, complementary, yeah?
And finally, we have the whole-of-nation approach, which has been mentioned a couple of times today, but surprisingly has never been defined. It’s not – it hasn’t been defined anywhere. Australia has one definition as part of their resilience strategy, and Singapore has a very different definition. And trust me, they have nothing in common with each other.
What happens when you take this type of public-policy theory and you try to superimpose it on, for instance – by the way, I call that boots, suits, sandals and spooks. But that’s just my own personal definition.
What happens when you take these types of approaches or theories and you apply them to cyberpower? So I believe there – we have three dimensions to cyberpower. The first is integrated government capability. This is the whole-of-government approach. This is the center of – the center of gravity here is government departments. And the effect we’re looking at achieving is coordination.
Such an example could be, for instance, a – the national cyber incident response group, for instance. That’s one example of coordination. It has to be cross-departmental to succeed. The integrated systems capability applies only to organizations that are broad. So it’s cooperation across international borders, and the center of gravity is going to be international frameworks and legal agreements – for instance, the convention on Europe cybercrime – the cybercrime convention, for instance – but also, for instance, the FIRST group. That’s the Forum of Incident Response and Security Teams.
So this is international collaboration outside of government, but also within government.
Finally, there’s integrated national capability. This is the whole-of-nation approach. And the center of gravity here are non-state actors. So this is – this includes criminals, academics, religious and ideological groups, but also, of course, independent businesses, which we’ve heard a lot about today. But they’re only one bit of non-state actors, in my opinion.
They also especially include, in my view, very importantly, the civil society. And the effect that we’re trying to attain here is cooperation. So if, the big question for me is, whole-of-nation approach to cyberpower depends on the cooperation of non-state actors, how exactly do you achieve this cooperation as a government?
Let’s start with China. So China, from my point of view, in – has, as part of its major topography, one particular issue. It has the fastest-growing Internet population, as we saw beforehand. It has over 400 million users, nearly 500 million users, 50 million blogs. And the netizens – so the people of the net – are probably also the biggest security concern to the Chinese communist party.
It is the biggest issue in China security that I’m aware of. It’s not a big surprise it is also the only area where, for instance, dissent can be expressed in any particular way; it is the only way. It is also quite difficult to control. As everybody is aware of, there is – there are very comprehensive security programs in China to deal with internal communication of content. That’s why it’s often controlled, content control. But it’s not very effective in achieving all of its objectives.
So what you need to do is you need to basically coerce – or co-opt, excuse me. You need to co-opt these actors into being part of your system. And there’s different ways of co-opting actors. You can have paid bloggers. There’s a national PR emergency bill that basically allows up to about 10(,000), 20,000 bloggers to be put on the payroll of the government, and in times of emergency they’re supposed to be able to – they’re supposed to follow orders from the government and effectively help the government in their psychological operations.
There’s the national defense reserve forces, which is a program that’s been around for 20 years, which basically means that most students that are part of a technical university are automatically also part of some type of military organization. There are information-warfare militia units, which are not the information-operation militia units. They’re a different kettle of fish. They’ve been around for quite a while, and everybody’s heard of them before. And of course, the PLA hacker competitions that everybody’s heard about, which very often, supposedly, feed into these information-warfare militia units.
Now, in my opinion, these competitions and these units and all these programs are not really there to wage aggressive warfare against the west or anybody else. They’re mostly there to deal with a perceived internal security threat. So it’s actually a big make-work program, if you will, and the people who suffer happen to be abroad. Because the main thing you’re trying to accomplish, you’re trying to keep these people busy.
A vignette that I won’t be able to offer right now but which you can look up yourself is a guy called Wicked Rose and a network crack program hacker group. Time magazine did a very good article about them two years ago. They can be Googled, and it will give you an insight into what really one of these information-warfare militia units looks like, what their relation with the government is, and why you probably don’t have to be really worried about them.
Second of all, Russia. Russia is said to exercise network control as part of their whole-of-nation approach. The first feature I would – I would raise is that they have probably the most techie population in the world. It’s been – it’s been talked about beforehand. They have a very, very educated technical population, and it’s also, unfortunately, given rise to the most active cybercrime groups in the world. Forty percent of all cybercrime in 2007 was down to one single cybercrime group, the Russian Business Network, which doesn’t exist anymore. However, they do have a lot of copycat groups, which are called RBNEs, so little RBN groups.
However, the most important level is – important question is, how does the Russian government engage with this very wide and diverse and capable group of non-state actors? In my opinion, it’s through coercion. The ownership of the media is something that – well, basically, Jeff Carr basically mentioned beforehand as something that troubled him beforehand. Digital Sky Technologies is a very large company that’s very close to the Kremlin. They own 10 percent of Facebook, besides a whole bunch of other big Internet media companies. And you can also imagine that they sometimes exercise control over these companies. ISP networks in China – sorry. ISP networks in Russia are forced to implement Swarm II (ph) legislation – Swarm I, Swarm II (ph) legislation – which basically means that every Internet bit – every bit of traffic in Russia is copied and ends up at the FSB. It’s also very expensive to do that. So if you’re not able to actually pay for this technology, then they can get you to do a whole bunch of other things.
There’s also political proxy groups, such as Nashi, but also such as the Eurasian Youth Movement, that have been – supposedly been active in attacks on Estonia, Georgia, Ukraine, a whole bunch of other countries. And there’s just the general relation of the intelligence community to cybercrime and the so-called hacker patriots.
There’s a general tradition in Russia that is best expressed in a vignette that actually Jeff Carr and I dug up about two years ago, which is a – which was basically the recruitment of Anton Moscol (ph). He was one of these patriot hackers who was – sorry, hacker patriots, who was contacted by the FSB, and they tried to get him to cooperate. He turned them down and then he basically posted a blog about his experiences. It’s quite interesting reading. Unfortunately, when Intel Fusion (sp) went down, I think we lost the translation as well. So I’m not too sure if you can find it online anymore.
Finally, about the United States. So I always consider one of the major features of the United States to be that the vast majority of cyber – and I really mean the vast majority: 80 percent, 90 percent – of cybersecurity is non-state, and it is never going to be state. And we’ll – and it will – has to be convinced to happen. You cannot legislate 80, 90 percent of cybersecurity.
This is – this is an issue that we constantly overlook when we’re talking about the political aspects of cybersecurity. It’s mostly outside of any kind of conventional political form. You have to engage with it. And there’s different ways of engaging with it. And the first level I see in a non-state group is the critical infrastructure protection, or, in the U.S., Critical Infrastructure Key Resources Group, which includes also the defense industrial base; also contractors and other people who have a formal relationship with government that’s usually marked by security clearance.
We also have a second level, which includes McAfee, (Sandia ?), Microsoft, all the other companies whose job it is to effectively deliver security on the Internet. But then you have level-three groups, which is technical civil society, which includes the Internet Engineering Task Force, the open-source developers, and all the white-hats that we’ve briefly talked about but not actually talked about in any depth today.
And finally you also have a bunch of policy and groups that – like ICANN, which is effectively a policy group, but also think tanks and other lobby organizations that play an extremely important role in maintaining overall cybersecurity. None of these people really have featured in any big way in any type of program. And it makes you wonder what we’re missing out, here. Because it’s quite clear that 60, 70, 80 percent, at least, of cybersecurity depends on these actors.
And just as a test, how many people have heard of Kaminsky, Daniel Kaminsky? Can I see a short – OK, most people. Thank God, really. So if you don’t know how – who Kaminsky is, please Google him. There’s a very good story on Wired. There’s also a good story about how Kapela and Pilosov saved BGP that’s also on Wired, and also why Shawn Carpenter lost his job. Sean Carpenter was a guy at Sandia who basically helped reveal Titan Rain attacks to the – to the public. I’m not saying that the government didn’t know about titan rain attacks, but he definitely brought it to the media attention, and he got fired as a result.
I want to just briefly also just explain what I mean, again, by integrated national capability and why the civil society can be such an important part of it. Civil society delivers one important thing, among others. That’s attribution. Everything I’ve talked about beforehand has been based upon research that was done in the public domain by volunteer groups.
Estonian 2007 attacks was researched by the U.S. Cyber Consequences Unit. Georgian and Ukrainian attacks was researched by Jeff Carr and his group. The Russian Business Network has been subject to a whole bunch of studies by professionals online. GhostNet – “Shadows in the Cloud” has been done by Information Warfare Monitor. And Stuxnet has been done by the Cyber Security Forum Initiative, among other groups as well.
Now, by publicly delivering plausible attribution, these guys lift the cyberveil and they help solve the attribution problem. This is certainly complementary, in my view, to U.S. and European policy. Now, you might argue that the level of attribution that these guys can deliver is not really – not really effective. It’s not really good enough for Cruise missiles. But it is good enough for CNN, and I believe that’s what’s mostly – what’s most important in cyberpower.
So I’m going to actually conclude – well, I’m going to conclude in – about – in one minute. The – what I want to point out is that liberal democracies depend on non-state sector completely for cyberdefense. But they also depend on – depend on it for cyberpower. This is in Internet governance. This is in open-source development. This is in a whole bunch of other areas.
Finally, legislation and cash can get you somewhere. It can cover basically level one, CIP, critical infrastructure, key resources. But for everybody else, voluntary cooperation is going to have to remain voluntary. Volunteerism is situational; it’s not institutional, and depends on a state – precedes legitimacy of action. And legitimacy depends on the overall inward soft power of a – of a state. And this is not nationalism, and this is not legislative fiat, but it’s reputational power.
And you only have basically one choice. You only can either coerce, co-opt or convince the non-state into cooperation.
Thank you for your time. (Applause.)
JAMES LEWIS: Well, you guys are really hardcore, and I appreciate your sticking around. And I have a 412-slide PowerPoint deck, which I’m going to read in – I’m going to read in a monotone, right? No, actually, I’m going to do it in – the Marxist perspective on cybersecurity. But since it is cybersecurity, it’ll be Groucho, right?
I want you to put one word in your head here, the maybe one word you could take away with – actually, two words you could take away. The one word is cacophony – if I could say it, you would know what it is. But it’s a Greek word that means a lot of noise. And so what we’re seeing now with cybersecurity is a lot of noise.
The other word, and I’ll come back to it, is transition. And I thought to myself, you know, it’s the end of the day, I’ll talk fast and I’ll go quickly. And so I wanted to read a prepared statement.
Since the private sector owns 190 percent of critical infrastructure, if we strengthen public-private partnerships to improve information-sharing and situational awareness, it will empower innovation and risk management in the cyberecosystem. (Laughter.)
Thank you. Thank you. I ask you, ladies and gentlemen, what more is there to say, you know? (Chuckles.) And the answer is, quite a bit, unfortunately, because we’ve been saying that sort of nonsense now since about 1998. It doesn’t work, right? So where are we? And I want you to think three transitions here. The first is, we’re in a technological transition: how people connect to the Internet. It’s going to be mobile and it’s going to be managed. And last year was an interesting year, because it was the first year that pads outsold PCs. How you connect will be different, and it’s going to shift the locus of security, right?
Second thing I want you to think about is the pioneering American ideology, the way we saw the Internet, right, and the way we thought about governance, right, and the way we thought about the role of government and why it should be limited. You heard all that. The pioneering American ideology is collapsing, for two reasons. One, the Internet isn’t American anymore. And two, it doesn’t work, right?
So even we are having a hard time sort of keeping the boat inflated, with so many holes in it.
Finally, you want to think about the extension of sovereignty. And other people have talked about that. There are clearly borders in cyberspace, right? Governments have figured this out. They’ve figured out that all this stuff they heard about how it was going to be a self-organizing global commune – we’re the Internet community, we deliver – (makes snoozing noise). (Laughter.) You know, come on. (Makes slapping noise.) Oh, I’m sorry, I must have dozed off. (Laughter.) It’s over, right? (Chuckles.)
And so governments are moving into cyberspace, and they’re doing it, some of them, in a very obtrusive fashion. Others are not. So the issue for us, and the one that – this panel’s been a little unusual because we actually talked about the topic we were assigned – (laughter) – but how do we manage this transition? We’re in this big transition. How do we manage this transition to an Internet that will have a greater role for government without losing the values that we cherish? And a guy named Stefandre Holsteune (ph), who works at the Marco (ph) Foundation, he said something to me that was very interesting. He said, look, it’s clearly not a commons, right? That’s delusional. But the values behind the commons – openness, access – those are worth thinking about.
And so don’t think of it as a commons, but think of the values we cherish. And how do we preserve those values? How do we preserve those values in this period of transition and in a period where – and something that hasn’t come up so much – where the other guys all fear us, right? Another acquaintance of mine said that to foreigners, we are the borg: You know, prepare to be assimilated. And they – you know, when we say things like “dominate,” it has a reaction. And so one of my – when I advise DOD, I say, you know, it’s OK to want to dominate. Just don’t say it. Right? (Laughter.)
But – (chuckles) – so that’s – no, we would never do that. Trust me. Right?
So the key political issue, right, on the international side is what I would call the big trade. And there was a quote by the president of Russia that didn’t make the Western press, and I was a little surprised by it. It was in the Russian press. And what he said is, see what happened with social networks in Tunisia and Egypt? They’re going to do that to us next.
That’s an amazing quote, isn’t it? So when you think about that, what we’re basically asking some of our opponents in cyberspace to do sometimes is we’re asking them to commit suicide. And we’re always a little surprised that they don’t go along with it, you know? (Laughter.) Come on, is this such a big thing to ask? Right? Because there’s a(n) implicit conflict here, and there’s a real political risk to authoritarian regimes.
And so the deal, as Michele could tell you or Frank could tell you, any of these guys could tell you – the deal that they want is, we’ll deal with you on military risk and espionage and cybercrime. You deal with us on the political threat to our regimes. And that’s going to be a very hard deal to broker. We will have to deal with it.
And I think that when we think about this, the solution probably lies in thinking about sovereignty, in thinking about governance. For me, these are issues where only the government, right, will be able to lead, right? And so you hear the private sector will do this, the private sector will do that. The private sector won’t do it.
I’m going to beat five minutes. You watch this, right? (Chuckles.)
We need to think – as Jeff Carr mentioned today, we need to think about how do we build consensus among governments. You heard some good presentations on how far apart we are. I know from the thing that Michele led at the U.N. – it was a three-week meeting. One entire week was spent fighting over the title, right? What do we call this? And they couldn’t agree. So there’s a hint, as we’ve heard, right?
But how do we build consensus? And that will require leadership from governments. How do we articulate the vision of this new consensus that will not be the old pioneering nonsense about government, non-government actors and communal action and voluntary stuff but will do something where states preserve the political values that we cherish? This is now a global institution, and maybe it’s time for it to grow up, right?
It’s a global – it’s – pardon me, it’s a global infrastructure, and maybe it needs global institutions. And when you say institutions, that does not mean the ITU, right? (Chuckles.) But it does mean agreement on norms, some kind of consensus, a place to work together, none of which exists. And so when we think about the international problem, that’s what we’re going to have to deal with, right?
Security and governance are irrevocably linked. And one of the things that we’ve heard today is, you know, as we improve at the sort of lower-end things – you know, Windows 7 is better than Windows XP – you’re not going to eliminate the high-end threat. The people who did Stuxnet are going to beat anything that any company can come up with.
So at some level, we will need to address this as a governance issue if we want to really depend on this thing and realize its full potential.
So I have some requests, and that’s what I’m going to end on. We are in a period not only of transition; we’re in a period of cacophony, where everybody and their dog now has a white paper on cyberwarfare or something. And a lot of them are better than the stuff I write, so I’m not being critical. I mean, that’s a low bar.
But do me some favors, right? First of all, let’s try and be more precise in our discussion here. And I’m as guilty of this as everyone. We all say cyberweapons; there is no such thing. Everything is a cyberattack, right? Everything is not an attack. Can we be a little more precise?
The second thing is, can we bring in data, right? We use analogies, we use stories, we use anecdotes. We use myth, we use legend, we use fairy tales and magical thinking. How about a little data, right? So when people talk about things like market failure, OK, I can measure that, you know? Let’s start measuring this and let’s get real data.
And one of the things that’s happened in the past few years is we now have the ability to collect real data. And that will change the cybersecurity debate. You can (help ?).
Finally, do me a favor: Lose the blinders, right? Because we tend to think – you know, people still approach cybersecurity in this way that comes out of the 1990s. I don’t see any solutions.
Lose the blinders, right? We need to rethink our ideologies. Cyberspace is not that unique, right? We are returning to the norm where the states, initially baffled by this new thing, have figured out how to deal with it. And this will become largely a state issue for me, and we will have to deal with that. so do me a favor. Think about all these things. Think about how we improve methods in the debate here. And maybe we can make some progress in the international realm.
I have some more jokes I wrote down, but I think I’ll skip them, so. (Applause.)
MR. KRAMER: Floor’s open for questions, and the shorter your question, the quicker the drinks.
Q: My name is Randy Ford (sp). I’m with Raytheon. Mary Beth, was interested, you talked about international engagement, you talked about DHS, you talked about Justice, you talked about NATO. And just exactly like the deputy secretary of defense’s article in Foreign Affairs magazine last fall, you didn’t use the words diplomacy, and the Department of State was never mentioned. So I’m –
MS. MARKOFF: She did mention –
MS. MORGAN: No, I did mention the Department of State.
Q: Well, deputy secretary of defense didn’t mention Department of State or diplomacy or foreign policy in his seminal article last year.
You talked about whole of government. Now, I’m just kind of curious, who’s in charge of the foreign policy of cyberspace for the United States? Is it Department of State? Is it the Department of Defense? You’re talking about going off of international engagement. Michele’s talking about bilats with other countries that get into arms-control-type things. So where’s the connection? How is the U.S. government – this whole-of-government – tell us where that’s actually – where does – where does the connectivity take place, and where can we understand where the dialogue is and the liaison and so forth is actually happening?
Thanks.
MR. KRAMER: I’m going to have Michele and Mary Beth talk at the same time. (Laughter.)
MS. MORGAN: (Chuckles.) We’re that good. No –
MR. KRAMER: Why don’t you go ahead, Mary Beth, but then, Michele, jump in.
MS. MORGAN: Yeah, no, I mean, I think that’s a fair question. But clearly the State Department is – charge of foreign policy for the United States government. We work this issue in an interagency process. Through that process, DOD is part of that team and helps and assists State Department on whatever it needs in this area. The elements that Michele was discussing have large impacts and we have large equities in what’s going on. So we’re part of that interagency team, just as we are on any other type of traditional engagement that we have as a department.
Now, as a department, we maintain military relationships around the world with our colleagues in the ministries of defense. As we do that, the State Department is always connected and informed of what is going on.
So, you know, the emphasis of the deputy secretary’s Foreign Affairs article was kind of the larger thought piece. It was – it was not meant to say that diplomacy isn’t important. We believe that it’s important, to the – to the point that one very large aspect of our strategy is international engagement. And it very clearly states that that is with the lead of State Department, with us there.
And there’s going to be areas where we as a military, our mil-to-mil relations are going to be able to advance with certain friends and partners. And I’ll let Michele –
MS. MARKOFF: Yeah, I would add – I would add as well that the basic U.S. submission a year ago to the GGE really represented a categorical jump-shift in U.S. policy. It was a policy where we did not talk about state-on-state activities, political-military activities in an international context at all. It was through collaboration between OSD and us that we actually came up with the basic position that we were able to put forward, that talked about the law of armed conflict, international humanitarian law, and affirmed this. It went through a big interagency scrub and a White House scrub. It was truly, I believe, an interagency document. And both in the GGE, in Moscow bilats, wherever we go, I have my trusty OSD colleagues –
MS. MORGAN: (Chuckles.)
MS. MARKOFF: – with me. And that’s not just OSD. I have Justice, I have the intelligence community, I have others. It really is a very, now, I believe, effective, collaborative approach. And it is allowing us, actually, to evolve our positions much more closely and with much greater alacrity, especially the norms issue. It’s a huge step to think where we go with the notion of norms post-IHL.
We will have – somebody talked earlier – there will be a new international cyberstrategy which will have some key pieces, but that won’t answer all of the mail in the pol-mil context. And I believe it will be through collaboration with OSD is the only way that we’re really going to be able to move forward effectively.
MR. LEWIS: Let me throw in a quick note here, Frank, which is that I do talk to some of our larger foreign opponents, and what I hear from them routinely is, oh, we’re so envious. Your interagency process works so well. Right? (Laughter.)
MS. : Yeah.
MR. LEWIS: And from their perspective – so it’s all relative, you know? It looks – inside the baseball diamond it looks messy, but from the outsiders, we’re the borg.
MR. KRAMER: Question?
Q: Yes, thank you. I’m Vinny Markovsky (ph). I’m speaking in my personal capacity as a cyberexpert who happened to be, eight years ago, with Michele Markoff, Chris Painter (ph) and others at the first southeast European international conference on cybersecurity cooperation.
And I see that there is a big progress. We were held – we had this conference in Bulgaria; now we have it in Washington, D.C. But the topics – if you guys go to cybersecuritycooperation.org, the presentations are there, and they sound as if they were written yesterday, except maybe what President Medvedev said. And I want to thank Jim here, because the issues that we are discussing what’s going around the world, but we are actually – we didn’t hear except probably from the – from the gentleman from China, who is a Fulbright scholar, so obviously he spent some time here, what the others are thinking about this cybersecurity cooperation.
And I would like to hear, actually – I mean, and putting in brackets: It’s very good that women are now in charge. Hillary Clinton took the – kind of the lead to – (inaudible) – our national – I mean, cyberambassador. And –
MR. KRAMER: What’s your – what’s your question?
Q: Question is, what do you think actually will be – will happen with – (inaudible) – international cooperation? How are we going to bring the other countries on the table?
MR. KRAMER: Well, do you want to take one? And then Jim?
MS. MARKOFF: Sure. Well, we have a – we – with what we came out of of the GGE, it really framed the issue. I believe that our close allies and actually some of the other countries of the 14 that were in the GGE have thoroughly bought on to the notion of norms as a way forward. We are going to discuss this with our allies and PfP countries in the context of OS – in the OSCE in May. We will use other multilateral opportunities to develop this. We will go back to the UNGA this fall with some new ideas, maybe a new resolution.
I think there’s a lot of ways where we can socialize these ideas and elicit from other states their own ideas, because I don’t think we have a monopoly on all the good ideas in this area.
MR. KRAMER: Gao Fei, would you like to jump in there?
MR. FEI: Yeah. I think from China’s respect, China really encourage different kind of cooperation among the different countries, both bilaterally or multilaterally. And China and the United States, we already have a bilateral talk about the Internet, about cybersecurity cooperation. And also, China very – China emphasize the new implied form to start the deep research on cybersecurity, because the technology develop very fast. So how can – really start or substance cooperations? That’s very important; needs an expert to research first.
MR. KRAMER: Alexander? Yes, sir.
MR. KLIMBURG: As somebody who has – who worked with – actually, with Michele three years ago on the – two-and-a-half years ago on the OSCE floor, where I was with the Austrian delegation, I think it’s – things have changed a lot, from the international perspective, especially from the European perspective. The United States a couple of years ago was not really willing to engage with other countries on their capabilities; was more willing to have their – have other countries develop their own capabilities. And now there’s much more talk about working together on a cooperative level.
For instance, what happened also in Mexico is – was a sea change from the European point of view. The Europeans previously were always for internationalization of the entire Internet governance issue and were kind of resistant to calls to maybe – maybe ICANN is the best of a whole bunch of bad options.
And people changed their minds. They changed – people changed their mind because we discovered that we do have common values that were more important than wishes, that we have to work together on these issues. And also, the present discussion on rules and norms of behavior, that also is a very new development. The United States was not willing, I think, to go down that track three years ago. They are now.
And from the European perspective, that is definitely, definitely welcoming.
MR. KRAMER: Next question?
Q: Good evening. My name is Sean Canuck (ph). I’m a U.S. national security analyst. In one of the panels this morning, General Hayden very simply accepted the fact that nation-states will try to steal each other’s information in cyberspace. My question, very simply, is do we also have to accept that nation-states will try to forward-deploy cyberwarfare tools in each other’s territory?
MR. : Go ahead, Jim. Go ahead.
MR. LEWIS: You know, I think that – we’re just going to – this – we tend to overstate the effect of cyberconflict and cyberwar. And so – you know, some – we all know there’s a famous statement from someone who said, it’s like nuclear war. It’s not like nuclear war. But it is a new way to attack opponents. It is a new military capability. Right now I think we could say five or six countries have advanced capabilities. Another 20 or 30 are trying to acquire advanced capabilities. And it’s on the path that airplanes were on, you know? Everyone will have this capability, and everyone will plan for its use. But I think they will be careful to try and observe the thresholds, implicit or otherwise, set by the law of conflict, which you, of course, know very well, and that is that doing reconnaissance, planning, developing the capability, all perfectly legitimate. Actually intruding and planting something on someone’s network, potentially a violation, something that crosses the border into the use of force.
So I don’t think we’ll see it. I think we’ll see a lot of sniffing around, as we already have. And I’ll think – I think we’ll see the capability. It will be part of wars in the future, but I don’t worry so much about that.
MR. KRAMER: Can I jump in? because one of the things the U.S. did was to put forward the notion, accept the laws of armed conflict. One of the elements of the laws of armed conflicts is the law of mine warfare and naval mines. (Inaudible) – it’s illegal under mine warfare doctrine to put a(n) active mine into somebody else’s territorial waters. You can decide whether or not that’s an analogy that you like with respect to cyber. It’s just an analogy. It’s Jim’s point; I just want to make it a little more specific.
The second thing is that if – and I think it’s important to say this; it’s been said a couple of times – if one thinks back to – it’s now, I think, about 13 years when we all got the first use of Google, right? The Internet’s changed a lot. I will be extremely surprised if it doesn’t change a lot in the next 13 years. It’s a bad idea to straight-line the concept of the Internet or cyber or whatever you want to talk about. And so that may change the set of opportunities, both from a warfare point of view, from an international point of view and the like. Everybody has to think today, but straight-lining is not a very good way to predict the future.
Q: Yes, good evening. Thank you for your panel and your – the discussions. I was wondering – you know, as we try to formalize a global strategy in cybersecurity, what I observe locally is that we don’t seem to have – we don’t seem to have a local – a U.S. cybersecurity strategy. And I believe the cybersecurity act has not been passed as yet.
So I was wondering if you have any comments on the progress made on those two areas locally, so that it’ll enable us to speak with one voice as we go onto the global stage. Thanks.
MR. LEWIS: Our government colleagues will take that one on first. (Laughter.)
MR. KRAMER: (Chuckles.) If I understood the question correctly, there were – there were two parts. One, whether there was legislation passed, and two, the ability of the government to speak with one voice. Is that correct?
With respect to the legislation, I think you heard this morning that the congressman who’s – who is the – either the key or one of the key people in the House said that he thought there was a good chance that there would be cybersecurity legislation. What I don’t think anyone knows yet is what the content of that legislation would be, whether it’ll be broad or narrow.
The White House is thinking about broad, but they’re not sure. You could see a much narrower kind of approach that might just affect the critical infrastructures. It’s not clear.
With respect to the ability of the government to speak with one voice, that’s never happened before. (Laughter.) But it’s doing better. And I – without trying to have Michele or Mary Beth say what, in effect, they’ve already said before, which is to say, they do work together closely, and that the White House actually now has a coordinator, and DHS and DOD have actually signed a memorandum of understanding – it’s not a surprise that there are multiple voices in the U.S. government. The issue is whether they can coordinate them effectively. We have pretty good people trying to do that, and if it’s all right, I’ll just speak for you and say you’re working hard at that issue.
MR. LEWIS: Remember we’ve got the 60-day review as well, which is still – you know, it’s still sort of a good plan to work off of.
MR. KRAMER: Right.
MR. LEWIS: So we have gone through another iteration. And I know it took 120 days to do the 60-day review, and maybe that’s a hint.
MR. KRAMER: Well, and the CNC and the like.
Next question?
Q: My name is Walter Girassic. I am lifetime student and observer. (Laughter.)
Through the history, we had classical, industrial and political spies. And today we have cyberspies. My question to you: The spy agency across the world, from Russia KGB to CIA to other, do they have any agreement that they will not use cybertechnology to spy on each other? And what we going to do with the youth, young men and women who are highly qualified and they do not have a jobs? They will find somewhere to go who will pay them highly, salary, and work for someone who is really unfriendly to world community.
Thank you.
MR. KRAMER: Jim, you’re a former – you’re a former, so you can answer the spying question better than the current people.
MR. LEWIS: What? (Laughter.) No, I’m actually – of course there’s no agreement on not doing anything. And the answer where the young people go – well, in Moscow they go to the – work for the government. So, you know, one of the things that would be a benefit of having a better articulation of governments and values and norms, all the things you’ve heard from Michele on down, is it would put boundaries around the degree of espionage and make it a little more normal. What we have now is an unusual situation where the U.S. in particular, because of political choices, is amazingly vulnerable. And when that changes, I think you’ll see espionage under control.
MR. KRAMER: Next question.
Q: Hi, my name is Rebecca Lewis (sp). I’m an attorney here in Washington. I’ve read and heard anecdotally from military personnel that I know that one of the biggest, if not the biggest, cybersecurity threat is social engineering. And I was just wondering, maybe for Mary Beth or the rest of the panel, if you could speak specifically to what the U.S. is hoping to do in that area.
MR. KRAMER: I think we should hear from the U.S., but I’d also be interesting in hearing the Chinese view, if you’re willing.
MS. MORGAN: What do you mean in terms of “in that space”?
Q: I guess I’m just thinking of stories I’ve read about thumb drives being picked up, infected thumb drives, or military personnel maybe leaving computers unguarded.
MS. MORGAN: Yeah, the notion of kind of the malicious insider, the ease of thumb drives and DVDs. And, you know, then there’s the social media sites that are also another attack vector, that if you’re a military personnel and you’ve got a Facebook page, hopefully you’re not putting your uniform where you’re located and all of these other things, because it’s another way that actors can find out information. So it can create an operational security risk when you’re engaged in kind of the Twitter and the Facebook world. You have to think about what is your cyberidentity and what’s your cyberprofile that’s out there. It doesn’t mean that folks can’t use it. It’s just you have to be thinking that it’s not this anonymous space: that you and I, you know, are talking privately in a room, closed door. When you put that out there, anybody can see it and anybody can hack into those elements.
The notion of, you know, thumb drives and DVDs – we at the department unfortunately have had a lot of experience in that in the past year. And those are new techniques for adversaries and threat vectors to come at us. So we’ve had to look at our internal policies of how do we do business. I can’t – if I’m traveling with the secretary of defense, I can’t use a thumb drive anymore. I have to take – I have to do other things to make sure I have all the files that I need to support him when I’m traveling. That’s just an example.
But there are real operational impacts when you’re downrange. When we do certain tasking orders or flight combat or weapons systems, a lot of that is cyberenabled. And so there are real – when you say you can’t use a thumb drive anymore, for me, OK, I’ll work around. I’m writing memos and papers and, you know, trying to get things done within the building. But there could be a uniformed military person in the area of hostility, in Afghanistan or Iraq, that’s dependent on that, because that’s how they load things into their weapons system that they need to use.
So when we have to take action against these new threat vectors, we have to consider all the ripple effects that come into play. And it’s nowhere near as easy as people think it is. And oftentimes we don’t know until, you know, something’s promulgated and then somebody raises their hand and says, but wait a minute, I really need this. And then how do we exempt or how do we mitigate that and deal with it at the same time?
So it’s a huge, huge challenge. And the Facebooks and the Twitters of the world, when you’re dealing with a military force that’s much younger and much more computer-savvy, is used to being online, it becomes a morale issue. But then there’s also the operational-security issues that we have to take care of. And it’s a very difficult set of choices and management that we have to deal with.
MR. : I just – sorry.
MR. KRAMER: Gao Fei, would you like to talk about the Chinese?
MS. : Oh, sorry –
MR. FEI: I have no idea about that. (Chuckles.) About the Facebook, or – ?
MR. KRAMER: Yeah.
MR. FEI: Actually, I don’t know how to use the Facebook. (Laughter.) And in China, I never heard about that. Just some my friends send the link of Facebook, but I’m very locked into – (inaudible). (Inaudible) – I only use the Internet to search some academic articles or some – use that e-mail.
MS. : It’s a time suck. (Chuckles.)
MR. FEI: You know, I never – (inaudible).
But as I know, in China, the Facebook was blocked because – (inaudible) – war that China – China, if – you see, China has a strategy for separate security. It’s a negative strategy – negative defensive strategy – (inaudible) – war. And some Chinese people, they are very like to – if you are some pretty famous person, they put everything online. Everybody can see your family, your godfather, your father, what – type in the name.
So the Chinese government dislike that, and – yeah. So partly for this reason, I don’t –
MR. KLIMBURG: I just want to quickly pick up on the question, because I think it addresses a much larger issue, which is, in Europe and the U.S. and the Western world in general, there are a lot of complaints about how intrusive, for instance, legislation is becoming; how much – how the government always wants increased information from us, and how we have to be aware of Big Brother cap. And nobody really thinks about how much benefits we’ve actually derived from this new openness already in terms of Facebook, in terms of social media, in terms of the Internet overall. And some of this new openness and some of the benefits that have come from this openness is – are going to require changed behaviors. And some of these behaviors will be voluntary, and that means, for instance, not being – doing stupid things online. And some things will have to be mandated by government.
MR. KRAMER: Last question.
Q: Hi. Thank you for letting me ask my question. My name’s Amanda Palleschi. I’m with Inside the Pentagon, and my question’s also for Mary Beth. You had mentioned that Secretary Gates is planning on signing a comprehensive cybersecurity strategy in the next coming days. If you could – if you could come up with maybe the one or two most important things that you expect that strategy to be able to do to kind of move us forward in terms of different agencies working together, working with our international partners, that sort of thing, if you had to say what the two most important things that are going to come out of that would be, what would they be?
MS. MORGAN: I think what the strategy that we’ve, you know, developed, and once it’s signed – so I have to preface all of that, that it’s still pre-decisional, until the secretary signs it. But I think what the strategy does is, it’s the first time ever that the department has put together a comprehensive strategy. So in a way it’s hurting all the disparate elements of the department and vectoring them into vectoring their energy. So it will help the department better organize, train, and equip, and be prepared for its operations across, you know, the spectrum, whether it’s military, it’s business operations, as well as intelligence activities.
But it’s a way for us to ensure that we’re organizing in the right way, that we’re training in the right way, that we’re resourcing in the right way. And it provides a flexible structure so that as this environment and the strategic context changes over time, the department can change and develop over time. It’s a great challenge. I mean, we’re a huge department. So herding the cats has been part of the challenge in doing this, of getting everybody’s perspective and bringing some level of organization.
So I think that’s a real key use to all of this, is it gets everybody on the same page and moving forward together so that we do have a more strategic approach to this area.
Q: And I’m assuming U.S. Cyber Command and the various forces within the services were involved and that they’re included in the spectrum as well? OK.
MS. MORGAN: Absolutely. Absolutely, as were our interagency counterparts, in taking a review, absolutely.
MR. KRAMER: Right. The Siamese twins in the interagency are on my left. (Laughter.)
Well, we’ve reached the end of our time. All of you deserve enormous congratulations for sitting upright in your seats. I understand that there is going to be a reception. Catherine will let us know exactly where we’re going and what we’re doing. But I thank you very much for the panel. (Applause.)
MS. : Thank you, guys.
If you don’t mind just staying for one minute, because I’m going to take about two minutes and wrap up, tell everyone what to do.
Today’s conference has certainly been both comprehensive and informative, thanks to the insights of our panelists, the leadership from the panel chairs, and the questions and topics you all have raised. At Georgetown University, we strive to better understand the issues facing the global community, while providing a forum for continued dialogue and debate.
This conference has certainly achieved its objective of promoting such discourse among policymakers, academics and key industry stakeholders in cyberspace, as we continue to grow more interconnected.
I would like to thank Spirostine Moulitsas (ph), senior vice president for the university, for his continued support and vision for the cyberproject, and Dr. Chris Joiner (sp), the director of the Institute for Law, Science, and Global Security.
I want to extend a sincere thanks to the Atlantic Council members who played a key role in today’s event: the council’s president and CEO, Fred Kemp (sp), vice chairman, Frank Kramer, and Damon Wilson (sp), the council’s executive vice president.
Also want to welcome to the Atlantic Council Jay Healey (sp). Jason Healey’s (sp) currently teaching his class here on campus. He will be the new incoming director of cyber statecraft initiative at the Atlantic Council.
I want to recognize Matt Angelo (sp), whose hard work may go unnoticed but never unappreciated. (Applause.) Lastly, today’s conference was a success mainly because of the work done every day by all of the panelists. Their contributions today and their daily dedication to the advancement of cybersecurity for the global community is truly significant and remarkable. So thank you.
Video of today’s proceedings will be available online at lsgs.georgetown.edu. We’ll push out e-mails to everybody who RSVPed so you’ll know it’ll be available.
The Georgetown University Journal of International Affairs will be publishing a special issue based on today’s conference. It will include the proceedings from today as well as individual articles submitted by participants. I encourage you to consider submitting an article.
Thank you all again for your participation today. It’s been a long and productive day. And in the words of a good friend of mine, Professor Tony Aaron (sp) here at Georgetown, it’s time to rock and roll.
Please join me in Dahlgren Quad for a reception – it might be a little chilly – and the chance to maybe relax a little and talk among friends and colleagues.
Thank you once again. And thank you – (inaudible). (Applause.)
(END)