John Steinbruner & Steven Bucci debate the effectiveness of international agreements on cyber security. February, 2013.
>> My name is Nate Smith. I'm a master of public policy candidate here at the Ford School. As a student with an interest in multilateral security issues, I'm privileged to serve as the moderator for today's debate on the effectiveness of multilateral agreements regarding cyber security. Before, policy union debates are intended to bring an informed discussion of international policy viewed issues of importance and interest to the students of the Ford Policy School, the University of Michigan community and the wider policy world. It's a part of the Ford School's mission to educate policy makers in the future. The International Policy Center plans to host one more event in the remainder of this academic year, continue the series in subsequent years is to enrich the educational experience of students bringing leading voices and key policy issues to the Ford School, and contribute to a wider and more informed discussion. Our debate today will be conducted in a fashion similar to a competitive forensic debate but with the difference that there will be participation by the audience. I'd like to welcome and introduce our participants. Dr. John Steinbruner, Director of the Center for International Security Studies at Maryland at the University of Maryland School of Public Policy. His work has focused on issues of international security and related problems of international policy. And Dr. Steven Bucci, Director of the Allison Center for Foreign Policy Studies at the Heritage Foundation. A former Army Special Forces officer and Pentagon official, Dr. Bucci's work is focused on cyber security, special operations and defense support to civil authorities. This debate will be over the following resolution. 
This house resolves that the US should begin multilateral negotiations regarding cyber security to establish international standards and guidelines on the use of cyber means in conflict and for resolving international disputes regarding cyber security issues to prevent escalation in their use. Professor Steinbruner will be in favor of the resolution while Dr. Bucci will argue that only after the US establishes how to address US cyber security issues from the stand point of purely American interest should we pursue multilateral agreement. The audience can submit questions for our Q and A period. As you came into the auditorium, you received cards in which you may submit your questions for this event. We'll start collecting these cards after the opening statements conclude and we'll collect them until 6:30. A panel of professors and students will then collate and prioritize these questions. You're welcome to submit as many questions as time allows. Following the questions, our speakers will make their closing statements. After that we'll evaluate the results of the debate taking a second vote of the audience. And this is again using the I-clickers that you received when you walked in as to whether or not the resolution is passed. So once again, welcome to our debaters and welcome to our ongoing series of debates. And before we turn it over to our debaters, I'm going to take a quick poll. On the screen you see the resolution and I'm going to display the results here. There you go. So click on A for affirmative, B for negative and C for undecided. Looks like we have a pretty even split.
[ Pause ]
And I'm going to give you about 10 more seconds or so.
[ Pause ]
All right, looks like we have our results. So after the event, we're going to take another poll in the same manner. And we're going to look at how minds have been changed [inaudible]. Now, before we hand it over to the debaters, I'd like to welcome Dr. Bob Axelrod who's going to give a few opening remarks on cyber security issues. Thanks.
>> So I just want to give a little background and context. You may have seen yesterday's story in the New York Times that the United States has established that cyber espionage has been going on for several years at a large scale. It has been traced to a unit of a Chinese army and therefore the attribution seems pretty clear and the question that the article raised was, is the Obama Administration ready to call the Chinese out on this and it says that they scale it back or else, and then what would be the or else? So the cyber security issues are with us daily but the espionage issue is one that has been on the forefront of the news media but there's others that can come. Now, espionage is traditionally being dealt with by everybody is denying they do it and everybody doing it. And then everybody when they find some--somebody committing espionage, they typically will deport a persona non grata any officials of the other government and then arrest and prosecute anybody else. And then the government whose officials were declared persona non grata typically takes exactly the same number of officials on the other side and expels them. This tit for tat has been going on quite all throughout the Cold War and the numbers are always precise. But with cyber, it's not so easy because there's nobody in particular to expel or to arrest or to prosecute. And nevertheless, the espionage goes on. And from the Chinese side, it's clear at least that they are after three different kinds of things. One is industrial secrets. For example, they went after Coca-Cola. You may wonder why. Well, it's when they were negotiating to purchase an agreement with Chinese software--soft drink companies. So there were millions at stake in that. They've also gone after military secrets, of course. 
And they're going after the [inaudible] there, we help them identify dissidents, for example, the reason they--apparently the reason they've gone after Google and New York Times and Wall Street Journal are to find out in the newspaper case when they publish stories about Chinese dissidents, who was it that provided those names and what were they and they want to get inside of the reporters and things. But, of course, cyber issues could become very much larger than the espionage. They could become part of a major conflict either independently. Cyber activities being in the fore or combining as what the Pentagon likes to call kinetic attacks. Kinetic attacks are things that go boom. So those are physical attacks and, of course, cyber activity could be part of those as well. And in the past, we have seen them used by the Russians for example in two cases. One against Estonia where the--they were denial of service attacks and it's still ambiguous as to whether Russian government was directly supportive of that or whether it was sort of cyber patriots within Russia who are mad at Estonia. But it was also done against Georgia when the Soviets--remember when the Russians attacked Georgia. There were also attacks on their government and industrial system that caused some damage. The Iranians have also used cyber techniques. For example the hijacking of the American drone and have it land in Iran where they could display it and presumably sell it to the Chinese. And, of course, United States and Israel apparently have used what's called [inaudible] to interfere with the Iranian nuclear program. And it was a crossing of a threshold in terms of actually sabotaging an industrial system whereas other things have been strictly within cyber domain. 
A major question is can we prevent cyber conflict from getting out of hand by anticipating what some of the problems are and acting in advance to head those off by some kind of mutual understandings or agreements and that's exactly what the debate resolution gets to. How can we go about in a cooperative manner reducing the risk of major cyber conflict and if so, what has to be done to make that even possible to start down that road. And with that, I'll turn it over to our debaters and maybe you're going to moderate that.
[ Inaudible Remarks ]
>> I noticed that Steven has more minds to change than I do so I feel the pressure. But my answer to the question is, yes, definitely we should begin negotiations. But I want to specify with whom and for what purpose and set a little bit of context. The internet is clearly one of the most remarkable phenomena that we've ever seen. It began in the early 1970s with four people who imagined a network of 100,000 mainframe computers worldwide and did not fathom what was going to happen.
They didn't understand the power of PCs and the consequence of what was going to occur, and as a result, we have basically what's become a spontaneous public utility that's engrained itself into virtually all aspects of life. And so we are in very, very serious ways dependent upon the proper functioning of the internet and anything that threatens it is a serious question. I do not think that we can negotiate protective rules about just everything. But I do think that we need very urgently to begin discussions about those things that we could have reasonable aspiration to be able to protect. So what I would exclude from us is sort of long sense sort of out of bounds, if you will, is the entire business of espionage which it's been a bonanza for intelligence agencies and marketing organizations and busy bodies of all sorts, and it's--the protection against espionage is up to the users basically and there's not much we can do about that. That said, though, I think that we do have good reason to worry about destructive actions against social assets that really could potentially harm our society and all others in very measured ways. And my candidates for these are power grids, financial service clearing houses, navigation services, health care services, emergency reaction services, that sort of thing. Social functions that everybody more or less believes shouldn't be taken off the board for legitimate targets of hostile attack. And so you can base at least instinctive principle that we should not be fighting about these things. We should be protecting these things. And I think--personally, I think power grids are the most challenging and important topic. They are in principle subject to intrusion and destructive actions. It's technically conceivable to have a massive disruption of the power grid. 
So my argument is that we should begin immediately to talk through the critical players in this regard, the Chinese and the Russians in particular about fundamentally prohibiting attacks on critical infrastructure targets, power grids in particular, to set the principle and then discuss how to proceed to implement that principle by mutually supportive actions. The main purpose of this is to prevent these major countries ourselves included from preparing attacks on power grids which we are currently doing and suspecting each other of doing. We don't want that to happen, it shouldn't happen but if it's not going to happen, we're going to have to work out mutually protective arrangements and establish a principle much more thoroughly than it's currently established and I will sort of stop early with that part.
>> Thank you, Doctor Steinbruner. Hello, Doctor Bucci [inaudible].
>> Good evening, it's great to be here. And as mentioned I'm trying to convince you that I'm not opposed as in, no, we shouldn't ever do negotiations on the international scale regarding cyber but that not yet and the reason I say that is this. Right now in the United States, we have huge differences of opinion between men and women of goodwill from all over the political spectrum not broken down along partisan lines that disagree about issues of security versus privacy. Is security and privacy really--are they really the opposite ends of the spectrum of these issues? Should we use regulatory frameworks that try and increase cyber security or should we use market measures to do that? Who should be the lead in this area? Should it be the public sector or should it be the private sector, some combination of the two? And again, this is not a Republican versus Democrat kind of deal. If you look at the bills that have been tried to get through and have failed, every one of them has had bipartisan support by the people who wrote the bills and every one of them has had a very strong bipartisan opposition against them because there are actually some honest disagreements about the best way to go forward with this. Before we go into an international forum to try and negotiate with other countries who have in some cases very different visions of the internet than we do, we need to figure out where the heck we think we should be? You know, I realize there might be some value with starting those discussions to help us come to those conclusions of where we should be and I think we should have a conversation but I think it should be a national conversation first then followed by the international conversation. Because if you go into a negotiation not knowing what is important to you, not knowing what is critical, not knowing what's negotiable and what isn't, you're not necessarily going to come out with an outcome that is helpful or positive for the nation. 
I just want to point out that there has been growing internationally a particular divergence between the United States, the western democracies that stand with us and other democracies of the world and the vision that we have of the internet which is generally looked at as freedom, free speech, access to all information that's out there versus countries like Russia and China and Iran and some other more oppressive regimes in the world who look at that and say, "That's wrong, we've got to control this stuff. That people should only have access to certain types of information. We should be able to close off our part of the internet from the rest of the world," and they use it as a method of population control. You must remember that technology like this is amoral. You can use it for very, very positive things or you can use it for very, very negative things depending on the motivation of the people who are executing those policies. I realized that some people particularly when they get into the privacy versus security debate, many people are more concerned about protecting their information from our government than they are from anyone else. And I understand that, you know, I don't want big brother looking over my shoulder either even though I make a point of trying not to do anything that might interest them. But I got to tell you, if you don't have some degree of security, there's going to be a lot of people looking over your shoulder and a lot of them are not going to be from this country. So, we do need to come to that conclusion as a nation, you know, this is America, we're never going to work out all the details but we got to at least get in a ballpark before we step out into the international Fora and start trying to negotiate with the other folks out there who I can tell you when they come into the negotiations will have a very, very firm, very specific agendas that they are trying to push forward. 
So again, I'm not a, no, like never do this ever in the world, but we need to go a little slow and I would rather see us not achieve an international agreement if in achieving that agreement, it's going to circumscribe the freedoms and the benefits of the internet not just for our citizens but for many other citizens in the world. Thanks.
>> Thank you, Doctor Bucci. Doctor Steinbruner, if you'd like to respond to Doctor Bucci's opening comments?
>> Yeah, I'm not proposing that we negotiate about everything. We try to regulate comprehensively all internet activities. I say that we should focus on those things where we have very good reason to believe we have very, very strong mutual interest even if it is not well-articulated or realized. I think we do know already, we don't have to have a big debate that we have a huge interest in preventing deliberately destructive attacks on power grids, for example. And that--that I would be happy if negotiations focused exclusively on that or I would add other things to this category, critical infrastructure, financial clearing house transactions, in particular, to which the international economy is extremely vulnerable. So the proposal is that we don't try comprehensive regulation of everything the internet does but that we try to block off extremely dangerous destructive actions that are technically feasible and for which there is no single technical solution that we need.
Secondly, I would say that we do know we have an interest in that, we do know that any meaningful action would have to be global in scope, so you've got to negotiate in order to do that. And I don't think you know, we can wait a long time before the US political system gets internal agreement on anything, really. But, there is pretty good understanding, I think I would argue, that that particular piece of it, we do not want to have destructive attacks on critical infrastructure targets. We have reasonable agreement on that and we--and we can begin negotiation and let me point out the way in which we form internal consensus is in part by discussing with potential partners or adversaries what it is that we mutually ought to do. So that's a way of driving our internal consensus. Until you have global protection, you don't have protection. So unless we can bring the Chinese and the Russians particularly on board with this principle, don't attack critical infrastructure targets. Anything we do is going to be ineffective.
>> Thank you, Doctor Steinbruner. Doctor Bucci, would you like to comment?
>> Can I sit here? Does that mess up the camera man? Okay. Okay, yes, we should participate in international discussions. I'm making a somewhat narrow distinction here between talking to allies, even talking to adversaries which is fine, it goes on all the time and in a formalized negotiating process that's out in the international arena. The reason I think we should participate in sort of more informal discussions of that nature is frankly, we do need to keep track of what others are trying to do to be able to see what these other block of nations that kind of has a different vision for the internet than we do and to protect our own reputation. If you don't come to the table, sometimes, you get kind of beat up by everybody else and the United States does have to guard against that. One of my main concerns with this is, well, in my heart of hearts, I agree with John about the importance of trying to keep these very destructive acts from becoming the norm. The problem I have with it is it's awfully darn hard to tell a difference between espionage probing and someone rummaging around inside your network just to steal your intellectual property or your data. You use exactly the same procedures to get in to do everything that you would use if you were going to go in there and do destruction. So it's very, very difficult, you know. I agree we need to exempt espionage because you're never going to control that, it's too ubiquitous, it's against the law anyway and everybody still does it. But the problem is, well, they're in there doing that espionage, how the heck are you going to tell a difference between that and when they leave something behind or at the time they get in there, they decide to, you know, metaphorically pull the trigger and do something destructive. Just getting the United States, China and Russia to say, "Okay, we won't do that," unfortunately in this world is not enough. 
They are the biggest players, they do have the most capability of any country out there. But I got to tell you, you know, China can't control North Korea from doing nuclear tests. Russia doesn't seem to be inclined to try and keep Iran from supporting international terrorism, and the United States doesn't seem to be able to stop Israel when Israel thinks it's in their interest to do something. And, you know, these are three countries that are very closely related to those three big ones and there's a whole bunch of other folks out there that also have cyber capabilities. So, a laudable goal but I just don't think it's achievable and that's why I'm in no particular hurry to get out there and negotiate. I do want to say one thing real quickly. If you have not read John's paper, I don't agree with every single thing in it. It's really, really well-written and very comprehensive on this issue, so I would recommend it. He's probably too modest to say that, but it's really good.
>> Thank you.
>> Doctor Steinbruner, I wonder if you could respond to this notion of informal versus formal talks in discerning between internet freedom versus when you just got power grids security, things like that. What I'd like to do is try to get some sense of the texture of your different approaches to this issue with respect to those two dimensions, formal, informal allies, non-allies.
>> Well, what I would like to see happen is formal negotiations about a specific prohibition on destructive attacks on critical infrastructure targets. And so the agenda would be restricted to that. I would concede, however, as Steven is implying it, it may be very difficult to pull that off because the partners in particular and I kind of want to talk about the internet without also talking about political intrusion in their system and we're not likely to agree on that, we're certain not to agree on that. Nor are they going to want to talk about cyber security without other security topics coming on to the agenda. So I would concede that it is not a trivial matter to get negotiations focused as narrowly as I've suggested and it may or may not be possible. All I'm saying is it's worth trying. Because in fact, the--I would say in reality, there is a mutual interest that we can play upon here. The three countries who are primarily involved in this, US, Russia, and China are preparing destructive attacks on critical infrastructure targets. I mean, we have to assume that that's going on. They haven't done it, however. And both--and all of them I think have some qualms about the wisdom of doing that. That seems to me would create a situation where we talk--have to talk right away before they have done it and try to establish the principle, thou shall not do what you could do. We are not going to be able to eliminate the possibility that, you know, the capacity is going to be there, we're not going to be able to negotiate that away. What we have to try to do is set a rule of behavior that says, this is out of bounds, you don't do it even though you can. And you provide mutual reassurance that you're not attempting to do it and you collaborate to serve, enhance the protection of our respective systems in this regard. 
I will concede, however, that that's--you can't question whether it's practical to setup negotiations as specifically focused to that without dragging in other issues about which we are not doesn't need to agree any time soon and maybe it is not, all I'm saying is let's try.
>> Doctor Bucci, would you agree that he's narrowed out your point of disagreement here, which is that it's not practical to get them to talk about a specific--as narrowly focus the topic [inaudible]?
>> Yeah, it's going to be very, very difficult because again, I think, a lot of these countries have a set agenda, they've settled on it and, you know, they're--as soon as we say, "Okay, we want to sit down but we only want to talk about this," they're going to come in and they might even say yes to that but when they get to the table, there's going to be a lot of other issues that come up. You know, the thought struck me that, you know, cyber is difficult. It's kind of like the dual-use chemicals that, you know, have perfectly legitimate you know, civilian applications but they could also be used for something nefarious, building weapons, something like that. It's very, very difficult to monitor those things, you know, well, are they getting too much or they, you know, can we see that they're actually putting all those chemicals on their farm fields [inaudible] into their munitions plants. It's very, very difficult. Cyber, you can do a lot of good things with it but you can also turn around and do a lot of damage and cause a lot of mischief both to your own population and to the world at large. And it's really, really hard to monitor which one you're doing. And particularly, if you've already stipulated, we're going to let you do espionage or at least, you know, we're not trying to stop you but we're not going to go bomb you if you do that. When, you know, you don't know that it's destructive until it destroys something and that's tough, you know. It's not the same as we saw the launch and there's something coming over the polar cap so we now have, you know, an ability to respond. This is really stuff that frankly the humans are definitely the weak link in this chain because we can't respond fast enough to do some of these things. It's a scary field, and to be honest with you, all of you are the worst part of the security, me, too. It isn't the machines, it isn't even the software though we could get better with that. 
It's the humans and we just don't play the role that we should and it gives adversaries a way to come in and exploit it and they tend to take advantage of that.
>> Doctor Steinbruner, Doctor Bucci brought up a different argument here. He has pointed out that there is kind of a slippery slope between what we tacitly allowed espionage, these initial intrusions between that and to disable the power grid versus stealing, for example, IP. I think you'd agree. Could you address that one?
>> Well, it's certainly noted that there is European convention on cyber crime that declares as illegal particularly all the things you do either for espionage or for destruction, so it's already been declared illegal. And we are parties of--in some sense, in our convention, I think the Russians have, in some sense, acceded to it as well. So already, there's the beginning of a discussion. And what I would emphasize is that Steven is correct that this looks like it's going to be difficult but that is not a reason to say a priori it's impossible therefore don't try. And I do think that if we initiated a process trying to focus specifically on what I'll talk to is it's not clearly we couldn't pull this off. Yeah, we would have to fend off issues we don't want to talk about and that would be a problem. It's not clear to me there would be such an intractable problem that we couldn't come to terms on what we most have the greatest interest in and we--believe me, all of us do not want to see destructive attacks on power grids or financial clearing houses. Particularly, the latter really does threaten the world economy if--And, so it looks like there are deep enough interest to overcome, if you will, all the things he was rightly pointing to and at least we had to try to see if we could get agreement along those lines and you don't know until you've tried. The United States has a lot of leverage here if we initiate it because we are the big player after all. And that--and it's important for us even if we don't succeed to send the signal that this is the way we want the world to work, we do not want people preparing attacks or even conducting on critical infrastructure. We want to set these norms because we need these norms and formal negotiation is a way of setting the norms even if you don't get final agreement.
>> Doctor Bucci, I wonder if you could address what some of the downsides might be to entering formal negotiations sooner rather than later. I would assume you see a certain sense of urgency in terms of preventing the attack from [inaudible], for example, or financial clearing house. But aside from the debate possibly dragging in other issues like internet freedom that we don't feel like addressing at the moment, what are the other downsides that you see, why shouldn't we do this?
>> The main reason is right now, we have more ability than anybody else and deliberately going into negotiations now and basically handing some of those abilities away, well, it sounds like a nice thing to do in the not so nice world of international politics, it's--I'm not sure if there's a lot to be gained from that. Frankly, I don't think some of these countries even if, you know, they sat down and signed an agreement that they would never do this stuff, that it's really going to stop them from doing it. So circumscribing our abilities and our options when we're sort of the wrestler on top right now doesn't seem to make much sense to me.
>> Let me respond to that 'cause this really is the fundamental issue. We are better at it than other people. We're also more vulnerable.
>> And so we're more exposed and we're better. I think our political system is having difficulty accepting the principles that it is a good idea, indeed, in some sense necessary to accept restraint in order to impose it. This is an instance where we have to do that and it is true that in accepting restraint, we will put greater restriction on ourselves in the sense that we have greater capability to attack than they do. I think it is overwhelmingly in our interest in this instance to do that and that's not the only instance. I mean, there are circumstances in which that principle, we do need to master that there are some things about which it's desirable to accept restraint on superior capability in order to impose restraint on inferior capability that nonetheless can cause us a lot of trouble.
>> Would you like to respond to that, Doctor Bucci, before we move on to audience questions?
>> I understand John's argument with that and while on an academic sense, I think it has a lot of merit. I'm not sure that in the real world, it plays out quite that way. You know, we have seen our negotiating skills with our previously with the Soviet Union and since then with the Russians and it hasn't always served us well. You know, we've had that desire, so, okay, we'll give a little bit more, we'll give a little bit more. And it doesn't necessarily work out to our advantage.
>> At this point, I'd like to move on to audience questions. I just got my first batch here and the first one is for Doctor Steinbruner. Even if Russia and China agree with us, the power grids shouldn't be attacked. How can we be assured that they are not preparing to do just that and likewise, how can we assure them?
>> Well, the declaration that you're not going to do it is the beginning. I mean, they will be preparing as well we be preparing to do it. That's not something we can prove since it can be done, they will prepare and we do, too, as to how we would do it. So the problem is how do you prevent people from doing what they could do and actually are prepared to do? The declaration helps, it sets the norm but I would go far beyond that. I would say let's establish procedures for a mutual protection to make it harder to do and the art here is to target this and not at ourselves particularly that a third party is terrorist, et cetera, who might do it to all of us. So let's establish mutual protection against this notion of third parties who might do this. To make it harder than it currently is, now, that would mean that we are constraining our own ability as they would be theirs but we're not going to be able to eliminate the potential for this attack. It's going to be there. What we have to do is regulate the behavior and the first step in regulating behavior is to establish a very clear norm of that.
>> Can I respond as well? Two points, one, just so everybody is clear, if you go any place else in America, we have a debate as to who the biggest threat is. Is it the Russians who are the most sophisticated, the Chinese who were sophisticated and there's a whole bunch of stuff going on or is it the Iranians who, you know, are not as sophisticated but have a lot more malice towards us. Everywhere else in the world, it isn't really a big debate. They all think we're the biggest threat because we have the most capability, and America can't think of ourselves that way but it's true.
>> How about the Israelis?
>> The Israelis are--well, I mean, some of their local competitors, we consider them a big threat but that has more to do with their kinetic capabilities than just their cyber capabilities. But the--we really need to realize that there's more folks out there in the cyber world than just the big countries. And it's really easy, you know, if you thought it was easy to do proxy warfare in a cold war using other countries and special operators and that sort of stuff, it's really easy to do it in a cyber world. I mean there is organized crime groups that get hired to do things and some of those have capabilities that rival a lot of nation states so it's--I just, again, I think it's a very laudable goal but I just don't think it's necessarily achievable.
>> Let me just point out that there's a benefit in that. We are all--three of the big players are subject to this, call it a terrorist threat or criminal threat. And it's useful to talk about mutual protection against that which is easier to talk about even though the effects of mutual protection against each other as well. There isn't any absolute solution here. The only question is can we do better than we're currently doing?
>> Just one last point on that. We've had one example of trying to do exactly what we're talking about here with the Russians. When the United States came up with the idea of missile defense, the more recent one not the ones when we're against the Soviet Union, and I was in the Pentagon and we brought the Russians in and we briefed them on everything we're planning on doing, where all the facilities we're going to go, we did everything but give them the technology. And we showed them, you know, was aimed at Iran and North Korea, it wasn't aimed at their stuff.
And, I mean, we really went overboard, you know, particularly under, you know, a Republican administration to try and make them as comfortable with this as possible. And they, you know, whether they bought it intellectually but rejected it for political reasons or whether they really just didn't believe us, I don't know, but they've rejected it and they've continued to reject it and they've continued to push back against it until today. And so, that model of offering that level of cooperation, that level of openness against what we considered a mutual threat, you know, 'cause the Iranians--well, they bought a lot of stuff from them, they don't necessarily like them any more than they like us. They just weren't buying it.
>> I would argue that that's a different circumstance and it would take us several weeks to work through all the details of why it's different.
>> Okay. Doctor Bucci, the next question is for you and it sort of takes us a little bit farther down the [inaudible] path than we've even been so far. Nations--nations always resort to their own interest in the end. [inaudible] policy for the US to engage its allies on this issue fully understanding that if a resulting treaty will be obligated if doing so is in the national interest?
>> Well, I mean it's, I'm not necessarily sure that's a useful discussion, I mean, nobody ever has to follow a treaty, there isn't an international policeman out there who's going to say, "Oh, wait a minute, you signed the paper and now you really can't do that." You know, if in the minds of the individual nation state, they decide that that's no longer in their interest, yeah, you're going to blow it off and you're going to do what you think is right. But to be honest with you, we kind of try not to do that. I mean we've done it often enough and so other people have done it just as much. But we really try not to sign up for something that we know ahead of time we're not going to follow. So I'm not sure if we have absolutely no intention of following it that were--it really is good form to sign up for it which is not what you try and do. Circumstances can change after the fact but going into it falsely, I don't think we prefer to do that.
>> Doctor Steinbruner, would you like to address this?
>> Just a comment. We live in a world that is going to need global norms and this is one of the areas of many of our needs and we're going to need to learn how to do it. I agree. It's--you shouldn't--we shouldn't--we wouldn't sign up to something cynically and say, "Yeah, well, it doesn't mean anything." We're not--that's not the way we operate nor should we operate, but we don't have to be completely reassured that everybody will adhere to our standards in order to try to set the norm, it's a process, and sometimes it takes some time and, okay, people violate the norm, we catch some and we bring them up [inaudible] as a way of strengthening the norm.
>> Doctor Bucci, you've addressed this topic a fair amount in your writings and so I'm actually going to address this question first to Doctor Steinbruner, definitely to give you a chance to respond. Doctor Steinbruner, how should the US continue its engagement and relationship with China given the mounting evidence of Chinese government involvement in attacks of US networks?
>> That's the reason for doing it, we want to back them off, these attacks, and let me say that as--I think Steven pointed out, if you're in China, you hear about--a lot about US attacks. And if--yeah, there's not a fair court to sort things out but if there were, I think, and people were counting attacks, if you will, the US initiates most of them. China may be second, may be third. If China is third then Russia is the second, that's--So everybody is doing it, is the answer. And the fact that the Chinese are doing it is not a reason not to talk to them about this, it's the reason for talking to them.
>> Just, you know, first of all, when we talked about this a little before we started, you know, that the idea of every cyber incident is really not an attack.
>> You know, that we use that term very cavalierly mostly because we haven't ever really defined it well. So, every newspaper person, it sounds much more dramatic that we had, you know, five million cyber attacks this week than we had you know, probes and scans and other things like that. Mostly, these things really are at worst espionage. They're in there trying to steal data or spies trying to steal data from everybody else. We also steal from our friends and our friends steal from us, so that they're not just our adversaries. The--one of the biggest differences with China is that China, like other centralized governments, support their economic interest with that information. You know, we don't go and steal China's economic secrets mostly because they're ours that they took in and applied but also because we don't do that. We don't use our Intel community to, you know, to prop up our businesses. That's just not the model we use. Other countries and some of them our, you know, Western European countries do do that. And so there's a little difference and that I guess the breadth of the espionage that goes on, they have government assets that are--is that me? Maybe it is me. They have government assets that are doing industrial espionage. We don't have so much that ours is this national security espionage in the more normal sense of it. So, yeah, where you sit, it kind of depends on how you evaluate this and if you were sitting in Beijing, you'd probably look at this a little differently than we do.
>> Would you like to say anything?
>> It is true that there's a big structure of institutional difference here and that the US Intelligence Community does not pass on its information to US corporations systematically for their benefit, and the Chinese do. And, you know, that's just an inherent difference in the way the two societies work. I think it's fair to say that we certainly gather intelligence information about Chinese economic activities for which we don't pass it on to IBM but we use it, okay, and so they focus on that. Both of us are gathering the same kind of information, we use it differently.
>> One other point, a lot of people don't really understand, you know. We always--I kind of laugh at the Chinese sometimes with their, you know, it's like the lady doth protest too much kind of stuff, but, you know, that China is the most hacked country in the world by volume, by several orders of magnitude, mostly because they use a lot of pirated software and things that don't get updated. So they're actually very, very vulnerable and they're doing it to each other because they've got a very large dissident community who's trying to get away with stuff and trying to protect themselves. I mean, they do have a lot of stuff and there is some evidence that other countries like to route their stuff through China because they know once--whoever's following it gets to China, they stop. And--because they're, you know, everybody thinks of China as the big hacker country. So I'm not defending China by any means. They're--I think they're pretty egregious violators, but, you know, again it doesn't make much sense to get all sorts of moral outrage over it because we all do it. You know, our country does it, all of our allies do it, all our adversaries do it that, you know, you don't have to sneak in to the Pentagon with a bag and empty out a file cabinet anymore. You just have to have some really talented people with a keyboard and hopefully someone at our end does something stupid which is usually what it is. It's not somebody malicious on our end. It's somebody ill-informed, I guess, would be a kinder way to put it.
>> On a similar note, and I'll direct this to you first, Dr. Bucci, should the US government require non-governmental entities such as corporations to allow government monitoring of their networks in order to detect and to prevent attacks on those networks?
>> I mean, there's a lot of things that our private sector could do and our public sector should do together to add protection to our systems. You know, we--the private sector gets beaten up a lot because they say, you know, they don't share their information when they've been hacked, they don't give all the data to the government because in a lot of cases those companies consider, one, it ruins their reputation, two, it's proprietary information that once they hand it to the government, it becomes eligible for [inaudible], suits so that their competitors can get it. But on the same side, the government frankly is really, really poor at sharing information it has with the private sector. So whether having the government monitor their networks directly is going to help, they've been doing that in a defense industrial base, you know, companies sign up and say, yeah, we'll let you look at all of our stuff.
You give us intel so we can protect ourselves better and it hasn't helped that much. You know, that, everybody always thinks monitoring the network is going to stop everything from coming in and unfortunately, it doesn't because this stuff is so innovative and so dynamic that you're not looking for certain things. You might catch some of the older stuff but the newest stuff that's usually the most effective gets in even with the monitors and all the defensive stuff in place.
>> Doctor Steinbruner, would you like to address this?
>> No, no.
>> Okay, move on. Why, since we are the most capable country in the cyber realm, should we not negotiate as soon as possible from a position of strength rather than when other nations become more capable? So, I guess what's the [inaudible].
>> Let me just comment. There's a lot of talk here about sort of negotiation from strength and [inaudible] tactics as if the outcome were determined by relative strength. Most of the time that's not the case. Most of the time the outcomes or durable outcomes in negotiations are determined by reasonable equity because that's what gets people to adhere to it. And so usually and sort of bargaining tactics and sort of leverage and all that succeeds in either speeding up or slowing up the outcome that is determined in terms of reasonable equity even between countries that have very different assets. So I don't imagine any agreement that is going to lock in sort of relative or sort of protect relative strength. An agreement that has any meaning and enduring power is going to have to establish basic principles that protect everybody and that's the only thing you can really enforce.
>> Dr. Bucci, why shouldn't we argue from a position of strength?
>> Because I've seen the United States over the years negotiate and when we go into something in a position of strength we usually end up giving away more. So we end up abrogating the position of strength to one of--at best parity and in some cases depending on how bad the negotiated settlement is, we end up weaker than the people we're negotiating with. I'm not a real fan of arms control negotiations so if you haven't figured that out yet, I'll be upfront with it. I just don't think it's necessarily the best solution and in this regard, you know, like nuclear weapons and conventional weapons are a lot easier to come to some sort of an agreement as you can count the darn things, other than all the ones everybody hides, a lot more readily than you can with doing this kind of behavior while doing that. I'm just not sure this is doable.
>> But just let me point out, I'm not proposing that we negotiate about relative strength and trying to adjust it up or down. What I'm proposing is that we regulate behavior whatever the relative strengths are. And let me suggest we'd better learn to do that otherwise we're in very deep trouble.
>> Our next question, I'll also address it to you Doctor Steinbruner. If an agreement on cyber attacks is reached but a signatory attacks anyway, how can the agreement's punitive clauses be enforced given the difficulty of definitive proof? In other words, plausible deniability is pervasive in its environment. How do you enforce it?
>> One of the things you would--first of all let me say it is important to establish as broad a norm as you can even if there are violations. I mean, we have laws against murder. People get killed all the time. We nonetheless think it's important to have those laws. But I would say that in addition to just setting a principle, we ought to establish the practice and as part of it of implementing it by neutral collaboration and enforcement and in particular in forensic investigation of possible incidents. It matters quite a lot whether the respective governments are contributing or collaborating in doing forensic analysis of intrusion or whether they're not. So, the agreement would set up the--yeah, all the situation in which, not that it's not impossible to violate and then maybe encounter violation but it's a lot more difficult to do it effectively without getting caught. So the point is just to make it more dangerous to whoever's doing it. And, you know, with enough work you can get pretty close to identifying responsibility. It is, you know, it is admittedly difficult but it's not completely impossible.
>> And keep in mind in any international relations type of situation, you don't necessarily have to have a level of proof, you know, like you have to have an American courtroom to declare somebody guilty. It's always going to be an assessment and that there's interest that get factored in. There's timing that gets factored in and that, you know, if we had an agreement like this and the signatories decided that country A violated it even if they didn't have enough proof to get it through, you know, an international court or domestic court. If they felt it was in our interest to take action, to take punitive action against that country, they'd do it. Americans tend to think very judicially at least as a population understanding the leaders about these things and I think we really, we got to have that proof beyond reasonable doubt and it'd be nice but we don't always have that before we take actions in the international realm.
>> And your ability--your ability to take action depends upon the strength of the norm. You have a strong norm, you don't need sort of a definitive proof in order to enforce it. If people really don't think that the action is justified, you can do a lot of things even if your proof is a little squirrelly.
>> And the proof will always, but at least, I think of--for at least for the foreseeable future, we'll continue to be squirrelly in this realm 'cause it's really hard to get that definitive proof and while our forensics capabilities are getting better and better, the techniques people use to obfuscate the responsibility are also getting better and better. So it's another area in the cyber that's chasing itself.
>> So with respect to the capabilities, we have a question here regarding how you guys might best enhance their own capabilities. And so Doctor Steinbruner, I'll address this to you first but I'd like you both to comment. What will be the best means of integrating private sector into whatever US in the international agreements might be negotiated?
>> One of the things I think that we ought to fairly seriously explore is for--operating systems, infrastructure operating systems that carry heavy load for internatio--that we ought to try to establish basically a trusted bank whereby sort of source codes are deposited and then you can check periodically against changes to those source codes as a way of detecting intrusion. And there's a lot of complexity associated with that idea. You have to be very sure about the source code in the first place and you have to be very sure the repository is trustworthy. It's not itself a source of intrusion. But that would establish a higher standard and protection against those things that are really critical than we currently have. So that's one of the things I think that we are exploring. The other idea that people regularly have is, okay, disconnect from the internet those things that you don't want. That's easy to say and very difficult to do. It's very, very hard to disconnect any current operating system from the internet absolutely because the internet is so efficient. But nonetheless you can think about the possibility of taking the power grid off the internet in some sense and how you would do that and could you do it and if these are productive discussions to have.
>> Yeah, the idea of taking things off the internet, everybody always has this vision that there's just some switch somewhere we just flip it in and--but, you know, if your adversary's intent is to lower your capability and take away from you all the advantages that you gained by using all these digital means, you kind of did his job for him when you say, "Oop, there's something coming. Quick, turn it all off." Okay, he didn't have to hit you, you turned it off yourself. I mean it's--that's--I mean it's--it's an unfortunately naive view of how it works and it's also kind of productive. And I know you're not suggesting that so I'm not being critical of you. But it's just--Right now, we are really, really good at so many things in the world whether it's military, intelligence, commercial because we have bought into this digital world a 110 percent.
And we're leveraging every bit of it we can find. We're using it even people that are relative luddites or, you know, you're still totally immersed in the cyber world. And it's really hard to get off of it. I mean, somebody once said they were talking about Cloud computing. And they said, well, that Gmail is the entry drug of choice to Cloud computing. And it was being really cute but it's--we're all addicted to this stuff, folks, to a greater or lesser degree and as individuals, as a society, as a nation. And it's really hard to walk away from it even for a little while. I know in Washington, we had a Blackberry outage for a couple of days. And I mean there were people, they were literally jones about it, and they were shaking. They couldn't get stuff on their Blackberry on the metro. It's really an amazing dependence on the ability to work wherever you are to be in communications wherever you are. And when you lose that, it's hard and I've seen it in the military, we're really, really good at using that stuff. And when you--we've done exercises where you turn it off, you know, you simulate a cyber attack and suddenly you lose all that communications, you lose all that logistical capability or management of logistical capability. You lose all the command and control, and everything stops, and finally the head general or admiral says, "Okay, you made your point. Turn all that back on and let's get on with the real training." And you realized, "Sir, don't you understand this is the real training because there are people out there that are going to do this against us." So it's just turning off the internet or unplugging things from the internet, we're way beyond that at this point.
>> So, that's actually a bit the same to the next question which this particular audience member feels is core to this debate. And I'm going to address it first to Doctor Steinbruner. It seems there are two core questions. One, what should be impermissible even in war, i.e. Geneva Conventions we have for POWs. And two, what should be impermissible outside of hostilities?
>> Outside of war, outside of our [inaudible].
>> Yeah. It's a very good question and the border line between war and not war is beginning to be an increasingly difficult question. What I would say is the reason for establishing sort of legal restraints is to stay out of war in the first place. And then I would concede that if you really get something that qualifies as war, fully declared and all that that most of these rules are in jeopardy including rules of war which are regularly violated.
But that doesn't mean that that doesn't undermine their utility, if you will, it just represents. So if you go--and but let me be a little bit more specific. If we say thou shall not attack power grids, that's an act of war. It--and you--you establish that norm, it certainly discourages anybody from contemplating that because it defines that act as an act of war and it opens up all sorts of retribution as a consequence of that. So, my basic answer to the question is you set the norms in order to stay out of war. You would hope, of course, that they would contain any conflict that actually occurs but if we get war then, you know, there's a lot of destruction and this is part of it.
>> I mean, it's sort of the essence of deterrence. You have a declaratory policy, you tell people what is impermissible. In this case, I think that's a perfectly legitimate thing for a nation state to say, "You attack our power grid and we're at war." And don't matter, you know, we don't have to answer back with a cyber weapon system. We can come back at you with everything we've got. Now, there's new answers to that in our Department of Defense announced that a cyber attack would be considered an act of war. Now it neglected to define what a cyber attack was. I mean it was left deliberately vague so hopefully maybe you deter a few more things 'cause you don't necessarily want the bad guys to say, "Okay, I know I can go all the way up to here and they won't come and bomb me. But if I go beyond that, I know they're going to come after me." So you do leave some wiggle room there because that has an additional around the edge's deterrent turn effect. But you know it's--it comes down to them making an interest-based decision as well as to whether, you know, okay, we're going to see if they're really going to back this up because we think it's worth the risk to hammer them by doing that. And you hope it doesn't happen. I think, frankly, I think having a specific declaratory policy that you attack our energy grid in any way shape or form that we'll consider an act of war makes more sense to me than having a negotiation.
>> Well, there's a corollary to that is that we will not do it to you either if we consider it an act of war.
>> We're ruling that out of bounds. And, you know, that--that's a way of--the point is to set the norm. How you set the norm, you can debate about how to set the norm. But it would be desirable to have sort of a legally and active agreement. This is the norm.
>> Thank you, gentlemen. We reached the end of our question and answer session. But we'd like to give each of you five minutes to give some closing remarks to sum up your ideas and leave us with a final question. So Dr. Steinbruner, we'd like to start with you. And you don't have to get up the podium.
>> Let me just say that there are deep issues were talk--I mean the cyber issue connects into a lot of other things as well. And cannot really in the end be separated from fundamental security relationships and all the interests associated with that. So part of what is behind what I'm saying is that we're living in a world that is going to require more robust regulation, if you will, of some things than it currently has. And it is going to require sort of legally defined security relationships among the major players in order to cope with mutual threats. Coming down the line in case you haven't noticed is the looming issue of global warming which although is controversial here is not going to be controversial forever. This is a very, very serious mutual threat. And that's going to change the security relationships of all countries over a two or three-decade-year period. And they're going to be driven into very intricate collaboration. And this is just one of the features of that. So what I'm saying here is that the recommendation of just talking about this is rooted in a larger situation in which we're going to have to learn to regulate our security relationships with countries that we have historically seen or like to see as enemies for mutual protection because we have overwhelming mutual interest looming here. And we have to learn how to handle it.
>> Doctor Bucci?
>> I just want to emphasize cyber threats are real, all right? It isn't hype, it isn't just, you know, defense contractors around the Northern Virginia area trying to get extra contracts from the government. There are real honest to God threats out there from nation states, from non-state actors, from criminal organizations, even, you know, they--everybody always laughs at the hacker, you know. It's that fat guy sitting in his mother's basement typing on his computer. Those guys still exist and they're frankly much more capable today than they used to be because you can just go online and buy stuff, I mean I could become a hacker and I'm not a tech guy. If I just went online to some gray sites and bought some tools. So the threats are real. The sky is not falling, however, all right? That, you know, the republic is not at risk today of collapsing under the weight of the cyber attacks we're facing. It--it's--but what's happening does affect all of us. If you are like me and have either not much hair or the hair has turned to a different color, you may take advantage of this and say, "Look, you know, it's not my thing. I'm just going to do what I do. I know other people are going to take care of it", that's the wrong attitude. You have to understand this problem. You have to get engaged with it. If you think that all the young people are going to take care of it for you, you're dreaming. The young people are very capable at using all this stuff and they have no culture of security, whatsoever. It's not a criticism, it's just a fact that's not important to them. So they don't think about the threats in the same way someone with that greater or less hair does it. So, you've got to have the mindsets of both together working to try and address this. If you don't understand the cyber issues that are out there, get the knowledge, dig in.
The government has a wonderful program that it's close to put out awareness education and training, and I spoke with one of these senior people at DHS and I said, "Well, how's that going?"
And he said, "Oh, it's going really well. We have six meetings scheduled this year where the secretary herself is going to get out and talk to people around the country, 500 people in each venue." That's 3,000 people in the United States of America, that's not very many, all right? So, we've got to get this education out. We've got to make people aware 'cause this is the world we live in now. Your parents, our aged parent--our parents, the old--really old people, how do you think they'd get all their benefits from the government now? They got to learn how to go online to get it, I mean, and we're just getting started, it's all moving in that direction. So this is a real thing, it affects us as individuals, it definitely affects us as a society, and we need to get more astute and more capable at doing the right things so that we don't make it any easier for the bad guys that are out there who are trying to do us ill. You do have a role in it. It is not just an academic exercise.
>> Thank you both very much for coming here to be with us.
>> Mercifully, he did not do a poll.
>> That's right, he forgot to do that.
>> I'd like to thank our speakers again, Doctors Bucci and Steinbruner, for coming here and engaging in a thoughtful, engaging discussion. I know I learned a lot. I think that's really widespread here. I'd like to remind everyone as they head out to get their M-cards if they have the iClickers and also I'd like to take one final poll, and if I can figure out how to do that. Oops, here we go. Technology, right? Okay, so if anyone wants to try voting out, there we go. Okay, so our resolution is here, so just so you can read it.
[ Pause ]
>> And looks like we don't have anyone undecided, so, that's good.
>> Oop, never mind.
>> It's both skewing [inaudible].
>> Well, once again I'd like to thank our speakers. Thank you very much. [applause] And I'd like to invite everyone to our last debate in the Ford Policy Union Series. It will be on March 26th on the topic of international drug treaties. And I thank you all for coming.