
CyberThreats & The Economy

New Strategies to Secure Our Economy from Cyber Depredation
BRIEFING, April 9, 2013

Rachel Ehrenfeld, Ph.D., and Kenneth M. Jensen, Ph.D., Editors

Copyright 2013: American Center for Democracy

The American Center for Democracy/Economic Warfare Institute is a New York-based nonprofit organization dedicated to tracking and analyzing economic threats directed against the United States and other Western democracies by state and non-state actors. More information about ACD and EWI may be found at http://www.acdemocracy.org and http://www.econwarfare.org

American Center for Democracy/Economic Warfare Institute
330 W. 56 Street, Suite #24E
New York, NY 10019

POST-EVENT REACTIONS FROM PARTICIPANTS


"The conference was just a terrific, lively exchange, from which I learned a great deal, and I am sure the other attendees can say the same. We're very grateful to the American Center for Democracy for helping us pull the event together, and I hope we can do more of the same in the future." Daniel Polsby, Dean, George Mason University School of Law

"It was good fun and a remarkable set of panelists." Stewart Baker, panelist, Steptoe & Johnson, former Assistant Secretary for Policy, DHS

"Very nice work by you in pulling together a first-rate event. What a line-up!" Steve Chabinsky, panelist, Senior Vice President of Legal Affairs and Chief Risk Officer, CrowdStrike, former Deputy Assistant Director, FBI Cyber Division

"It was really excellent and a surprisingly large number of people. [What] I didn't anticipate was how entertaining and candid most of the speakers were!" Christina Ray, panelist, Senior Managing Director for Market Intelligence, Omnis

"The ACD/GMU conference on cyber threats was eye-opening. It highlighted threats that reach beyond the theft of government or industrial secrets, illustrating threats to our whole economy. And it showed that defense will require mobilizing not only private sector vigilance but the deployment of cyber know-how outside government to respond to these threats. When America is threatened, we won't find security in government alone." Jeremy Rabkin, panelist, Professor of Law, George Mason University

Special thanks to the cosponsors and hosts of our April 9, 2013, event: The George Mason University School of Law and The George Mason University Center for Infrastructure & Homeland Security. Also, thanks are due to panel moderators Dr. Mark Troutman of the Center and Professor Nathan A. Scales of the School of Law.

CONTENTS

Executive Summary ... 6

Introduction
Rachel Ehrenfeld, Ph.D., Director of the American Center for Democracy and the Economic Warfare Institute ... 13

Introduction of Rep. Mike Rogers
Michael B. Mukasey, Debevoise & Plimpton, former Attorney General of the United States, Member, Board of Directors, American Center for Democracy ... 15

Keynote Address
Rep. Mike Rogers (R-Michigan), Chairman, House Special Selection Committee on Intelligence ... 17

Cybersecurity: Engine for Growth or Economic Anchor?
Mark Weatherford, Deputy Under Secretary for Cybersecurity, Department of Homeland Security ... 31

Key Elements of Energy Security
R. James Woolsey, Chairman, Woolsey Partners LLC, former Director of Central Intelligence, Member, Board of Directors, American Center for Democracy ... 37

Cybersecurity and Economic, Financial and Market Warfare
Christina Ray, Senior Managing Director for Market Intelligence at Omnis, Inc. ... 43

Cyber: Where Time Marches On and Progress Doesn't
Michael B. Mukasey, Debevoise & Plimpton, former Attorney General of the United States, Member, Board of Directors, American Center for Democracy ... 51

How the Attribution Revolution is Changing Cyberthreats
Stewart Baker, Steptoe & Johnson, former Assistant Secretary for Policy, Department of Homeland Security ... 57

Passive Cyber Defense and the Laws of Diminishing and Negative Returns
Steven Chabinsky, Senior Vice President of Legal Affairs and Chief Risk Officer, CrowdStrike, former Deputy Assistant Director, FBI Cyber Division ... 65

Retaliation in Cyberspace: Lessons from the History of War at Sea
Jeremy Rabkin, Professor of Law, George Mason University School of Law ... 71

EXECUTIVE SUMMARY
On April 9, 2013, the American Center for Democracy/Economic Warfare Institute held a briefing entitled "CyberThreats & The Economy: New Strategies to Secure Our Economy from Cyber Depredations." The event was cosponsored and hosted in Arlington, Virginia, by the School of Law and the Center for Infrastructure & Homeland Security of George Mason University. This was the second in a series of briefings on economic threats to the United States. The first, "Economic Warfare Subversions: Anticipating the Threats," was held on Capitol Hill on July 9, 2012, under the sponsorship of Sen. Jon Kyl. A transcript of it is available on the ACD website.

PRINCIPAL INSIGHTS

Cyberattacks on government and on public and private industries in the U.S. have caused enormous financial losses and untold damage to our national security. Untold, because hacking victims in both the private and government sectors are often either unaware of the intrusion or reluctant to report it (or underreport it), which makes hacking the perfect tool for economic warfare. Indeed, the Defense Science Board's public report noted that China has compromised the United States' most advanced weapons systems. While the report understandably didn't list the weapons, it also failed to mention the companies whose systems were hacked. The report warned that the U.S. military is unprepared to win a cyber-conflict. The wrong policies, lack of foresight, budgetary constraints and bureaucracy that shackle the Pentagon do not apply to the private sector, which is able and eager to counter cyberattacks. Its hands are tied, however, because U.S. law forbids such actions.

Rep. Mike Rogers, chairman of the House Permanent Select Committee on Intelligence and our keynote speaker, noted that the Internet accounts for one-sixth of the U.S. economy today and that 80 percent of U.S. cyber networks are in private-sector hands. Rogers believed (at that time) that there was a good chance that his proposed Cyber Intelligence and Protection Act (CIPSA) would be passed by Congress and signed by the president despite the failures of 2012. The event was on the eve of the House mark-up and passage of its version of the bill, which turned out to be dead on arrival in the Senate and was also objected to by the White House. Accordingly, the United States has yet to take the first step in cyberdefense: government and private-sector information sharing on cyberattacks.

Cybersecurity

On the question of who is responsible for protecting against and remedying the effects of cyberattacks on the economy, Mark Weatherford of DHS referred to our status as one of "Constant Remediation." When the private sector is attacked, it is each and everybody's responsibility to take the necessary measures to prevent further attacks. When the government is attacked, it is supposed to take care of the problem. The two seldom work together.

More than one panelist, but most especially former Director of Central Intelligence R. James Woolsey, noted that state sponsors of cyberattacks are of two sorts: rational actors (such as China) and not-so-rational actors (such as North Korea and Iran). The presence of the latter means that U.S. cyberdefense has to be ready to protect us against all cyberattacks.

Woolsey presented a complete (and horrifying) picture of the U.S. electric grid's vulnerability to cyberattack. Identifying 18 critical infrastructures in the country, Woolsey noted that all of the others depend on the status of the electrical grid. If a substantial portion of the grid were knocked out by a cyberattack or an electromagnetic pulse (EMP) attack, remediation could take years. Such a circumstance would return the United States not to the pre-Internet 1980s but to the pre-electricity 1880s. By his estimate, the prolonged absence of electricity would likely mean that two-thirds of our population could die. Woolsey also pointed out that, apart from state public utility commissions and the Department of Energy, no one is in charge of America's 3,500 public utilities and no one is responsible for protecting the grid. The Department of Energy regulates only transmission (not distribution), and the state commissions do essentially nothing to protect the grid. America's public utilities in toto commit less to research and development per year than the U.S. dog food industry. Unlike the U.S., Russia, China, Israel and Britain, for example, are hardening their grids against attack. The U.S. does not because, in Woolsey's opinion, "No one is in charge."
Christina Ray cited PLA officers Colonel Qiao Liang and Colonel Wang Xiangsui, from their book Unrestricted Warfare: "So, which [of many unconventional means], which seem totally unrelated to war, will ultimately become the favored minions of this new type of war, the nonmilitary war operation which is being waged with greater and greater frequency throughout the world? Financial War is a form of non-military warfare which is just as terribly destructive as a bloody war, but in which no blood is actually shed. Financial warfare has now officially come to war's center stage." This quote goes a long way toward answering those critics who regard cyberwarfare and economic warfare as exaggerations.

Former attorney general Michael Mukasey noted that we have laws against crimes, and at least a comprehensible, if not a comprehensive, way of applying them. We really don't have either in the cyber sector; and, in his estimation, we've made no progress over the past decade. Mukasey also noted that, in May 2011, the White House issued a document entitled "International Strategy for Cyberspace," subtitled "Prosperity, Security and Openness in a Networked World." He remarked, "I think perhaps a further subtitle for that document, after prosperity, security and openness, might be 'pick two out of three, so long as the two aren't security and openness.'" And then there's the way the document ends, with the pledge that when we do act, it will be in a way "that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible."

The U.S. government is interested in the dot-mil and dot-gov segments of the Internet. Mukasey cited Cyber Command head General Alexander as saying that when he saw a threat to the dot-com portion, he thought he had little authority to do more than say, to himself and others in the room, "ouch, this is going to be a bad one." In the U.S., the situation regarding cyberdefense is not unlike that besetting our war on terror. Just as we can't decide where and how to try terrorists, we cannot decide where responsibility lies, with the government or with the private sector: witness the Senate and White House rejections of CIPSA.

Former assistant secretary for policy at DHS Stewart Baker pointed out that there has been a revolution in cyber attribution, that is, in our ability to find out exactly who is hacking: "It is not possible to operate in cyberspace these days without leaving little digital bits of your DNA all over cyberspace. It's just like Pigpen. We've got this cloud of data falling off us whenever we move around in cyberspace." Meaning, hackers are traceable. Baker encouraged taking the attribution opportunity: "I've been trying to popularize Baker's Law, which sums up the attribution opportunity this way: Our security sucks, but so does theirs. That's what we need to remember. The hackers are no better at securing their communications and their data than we are, and we know we're bad at it, right?"
Baker again: "The attribution revolution creates an enormous set of options for policy makers. Many people know what attribution 101 is. You've got all the people who've been compromised up on that top line. Then the command and control server which tells them all what to do and receives all their reports about the information. Then headquarters takes that information from the command and control and ultimately passes it on to some final customer who actually is going to use the information that has been stolen. If we can break down that set of information, we can start penetrating each of those steps along the espionage trail. We can go from attribution to, not deterrence, but retribution." Baker's basic position was that deterrence is impossible without retribution first.

One way to look at where we are now, as Baker noted, is according to the following analogy: "You know how much help you're going to get from the police if somebody steals your bike: They will tell you how sorry they feel about it, and they will tell you what kind of lock you should buy next time for the next bike you own. That is the treatment we're getting now from the FBI and the CIA when they don't have the ability and don't have the resources to do the help." According to Baker, the ability and resources exist in the private sector.

It is instructive to call our current response to cyberattacks passive defense. As CrowdStrike's Steven Chabinsky notes, the entire emphasis is on the vulnerability of the victims and not the actions of the perpetrators: "It's absolutely incredible how much cost today is borne by individuals and the private sector in trying to defend their security with little to no return on investment. It's incredible the amount of time, effort, opportunity cost that's going into a failed strategy, and how our response to that continues to be information sharing efforts to do more of it. We keep blaming the victim." Chabinsky likens this to the police sending a locksmith if someone breaks into your front door. The current passive approach to cyberdefense actually makes the problem worse. According to Chabinsky, "That's what we're doing here, because every time we have our businesses spend more money on security against targeted attacks and raise the bar to this level, guess where the well-resourced, very capable organized crime groups and nation-states bring the threat? To a higher level." It's like building a 20-foot wall around a house when thieves can easily buy 30-foot ladders at a hardware store.

Retaliation and retribution in cyberspace (in other words, cyberoffense as the only conceivable approach to cyberdefense) was generally approved by conference panelists, but by none more than George Mason University Law Professor Jeremy Rabkin. He noted that the 2012 Defense Authorization Act said, "Congress affirms that the Department of Defense has the capability and, upon direction by the President, may conduct offensive operations in cyberspace to defend our nation, allies and interests." And then the Senate said, "Wait. No, we can't just say that. We've got to add, 'Subject to the legal regimes the Defense Department follows for kinetic capabilities, including the law of armed conflict.'" This meant that consideration of cyber retaliation and retribution should be reconciled with the law of armed conflict and, therefore, effectively neutralized the approval of cyberoffense. Considerable attention is being given, when dealing with conflict in cyberspace, to such things as the Geneva Conventions and what the Red Cross has said about the laws of war. According to Rabkin, "Pretty much the Red Cross view of the law of armed conflict is this: it's how Switzerland would have fought the Second World War--if it had actually been fighting." Post-Vietnam, Additional Protocol I of the Geneva Convention became something of an international norm.

That protocol has it that in armed conflict only military objectives may be attacked; nothing may harm civilians or civilian objects. This Rabkin called utopian and wholly at odds with how the First and Second World Wars were fought by the Allies. In those wars we instituted blockades that sought to punish our enemies economically. These certainly harmed civilians and civilian objects.

Non-military retaliation for aggression is hardly new. It dates from the Middle Ages at least and is enshrined in Article I, Section 8 of the U.S. Constitution, which deals with war at sea. There, the Constitution authorizes the granting of letters of marque and reprisal. According to Rabkin, we don't need to be at war: our government can grant letters of marque and reprisal separate from a declaration of war. In the early American Republic, when it was impossible to fight the enemy's army or navy, such a letter allowed private ship owners to attack the commercial navy of the enemy. Were letters of marque and reprisal used to take the offensive in cyberspace, their message, like that of the letters concerning the sea, would be clear: "You're aggressing, we're retaliating. Maybe something less than kinetic battle would convince you to end the aggression." According to Rabkin, "there's no good reason why we shouldn't use cyber attack to damage a lot of property, especially in retaliation for enemies who have already done that to us. It is insane to allow the Swiss to tell us how we fight our wars, and it's doubly insane to have the Swiss tell us how to fight cyber conflict, which mostly won't rise to the level of war and is something Switzerland knows even less about than actual armed conflict." Further, he asks: "Is cyber more like naval war--where we disrupt the enemy's trade and communication, without exempting commerce just because it's owned by civilians? Or is cyber conflict more like a land war, where we send tanks into enemy territory and then say to enemy civilians, 'Stay out of our way and we'll stay out of yours'? I say it's more like naval war, so what is permissible in naval war should be applicable to cyber conflict."

While Rabkin was the only panelist advocating a modern, cyber version of letters of marque and reprisal, all generally agreed that the U.S. government should at least authorize private-sector counter-hacking, which would otherwise be illegal. Moreover, the general conclusion was that the private sector has the will, fiscal means and technical ability that the government may never have.

Concluding this briefing are notes by former Assistant Secretary of Defense and ACD/EWI Board Member Richard Perle, who was unable to attend: "Would it make sense for us to approach the Chinese with the following proposition: We know what you are doing and we insist that it stop. If it doesn't, you should understand that we can do to you what you are doing to us. We don't think there is much to be gained by stealing your intellectual property (it's mostly ours to begin with) but how would you feel about the publication of your intergovernmental communications made available to your own citizens? In any society governed as the Chinese govern theirs, the threat of disclosure could be a very powerful deterrent. I suspect that at some point we will begin to hear proposals for a treaty or treaties, or an international convention aimed at creating norms with respect to cross-border intrusions of all sorts. I hope we will resist the temptation to hope that such an approach offers any substantial protection. What it is more likely to do is compromise sensitive information that we are sometimes able to keep secure, and invite the foxes into the chicken coop. The worst prospect of all would be a cyber version of the Non-Proliferation Treaty--a universal convention based on the premise that any country willing to sign up should have full access to advanced computer science from anywhere in the world. We've been down that path before."

INTRODUCTION
Rachel Ehrenfeld, Ph.D., Director of the American Center for Democracy and the Economic Warfare Institute

Threats to the U.S. economy have been a longstanding concern of the American Center for Democracy and led to the establishment of its Economic Warfare Institute. Before 9/11 we had done extensive work identifying who and what funds terrorism against the U.S. and its allies, and what methods were used to deliver the funds. The 9/11 attacks on the World Trade Center and Osama bin Laden's repeated calls to hit U.S. economic interests at home and abroad refocused our efforts to look for indicators of such potential threats. We have identified many, which at first glance are not associated with cyber. But since the world has become more digitalized, our state and nonstate adversaries have increasingly used the internet not only to secretly communicate with each other, but also to inconvenience, harass, and harm us. Cyberespionage, including stealing manufacturing secrets, patents and other intellectual property, identity theft, fraud of all sorts, and even market manipulation have become more and more prevalent.

Cyber has become the lifeblood that runs our communication, electric grid, transportation, aviation, banking, industry and commerce, our military apparatus, hospitals...everything. To increase security, we have been advised to store information in clouds, yet another set of computers. If one day the system goes down, the damage would be irreversible. We will be left in the dark--with no records to reconstruct and replace what we have lost. The predominant attitudes in the U.S. do not consider preemptive measures as the best defense. They don't even consider in-kind reaction, because cyber attacks have not yet left the streets littered with dead bodies, in the way a massive bombing or a detonation of a dirty bomb would. It is clear to me that unless the U.S. upgrades its cybersecurity fast, and acknowledges massive cyber attacks as warfare and offense as the best defense, the cumulative effects of cyber attacks would soon undermine the public's confidence in the government and destroy our economy.

Richard Perle, former Under Secretary of Defense, and a member of the ACD Board of Directors, presented the following questions: "How can we deter acts of cyber aggression in peacetime and what should we be positioned to do in the event of a major cyber war, or a major cyber attack, launched in the midst of a conventional conflict? If recent press accounts are even half-truths, the United States government and its public and private institutions and businesses are the subject of continuous electronic intrusion, sometimes to steal valuable intellectual property--including secret data--and sometimes, perhaps more worrisome, to plant menacing software for subsequent destructive purposes. We know this is going on and, presumably, we have considerable knowledge of who is doing it. So what can--what should--we do about it? China is frequently identified in the press as one of the most egregious hackers, draining corporate data-bases and government agencies of valuable information--and worse. Would it make sense for us to approach the Chinese with the following proposition: We know what you are doing and we insist that it stop. If it doesn't, you should understand that we can do to you what you are doing to us. We don't think there is much to be gained by stealing your intellectual property (it's mostly ours to begin with) but how would you feel about the publication of your intergovernmental communications made available to your own citizens? In any society governed as the Chinese govern theirs, the threat of disclosure could be a very powerful deterrent.

As for the wartime scenario, I certainly hope that we are positioned to take the offense as well as erect defenses. Perhaps the panel could comment on this. Finally, I suspect that at some point we will begin to hear proposals for a treaty or treaties, or an international convention aimed at creating norms with respect to cross-border intrusions of all sorts. I hope we will resist the temptation to hope that such an approach offers any substantial protection. What it is more likely to do is compromise sensitive information that we are sometimes able to keep secure, and invite the foxes into the chicken coop. The worst prospect of all would be a cyber version of the Non-Proliferation Treaty--a universal convention based on the premise that any country willing to sign up should have full access to advanced computer science from anywhere in the world. We've been down that path before."

The speakers have prepared to address Perle's questions and then some. Their spirited discussion and intriguing suggestions will soon be available on YouTube and on our website.

[From prepared remarks.]

INTRODUCTION OF REP. MIKE ROGERS


Michael B. Mukasey, Debevoise & Plimpton, former Attorney General of the United States, Member, Board of Directors, American Center for Democracy

It is a pleasure and a privilege to introduce Mike Rogers. He is the Chair of the House Intelligence Committee, which is the House's principal panel responsible for authorizing and funding and overseeing the execution of the Intelligence Act of the United States. He is the rarest of creatures, particularly in the Washington area: a person who moves things in a bipartisan, nonpartisan way. He got three of his intelligence projects passed through the House. The last one went through on a vote of 386 to 28. You can't get a majority like that for the Flag Day Resolution, and it mattered that he got it for an intelligence budget. He's also taken the lead on critical cyber security issues, including cyber security legislation to help better protect this country against the constant onslaughts that you just heard summarized by Rachel [Ehrenfeld]. In fact his bill is going to markup tomorrow, and I'm hoping that you can hear some[thing about] that today. This is not the beginning of his public service. In addition to having been a commissioned officer in the United States Army, he served his country as an FBI agent, fighting organized crime in Chicago, and then was elected to a position in the [Michigan] senate in 1995. He was elected to Congress in 2000. He represents Michigan's 8th District. It's my great pleasure and honor to introduce Mike Rogers. [Edited from transcript.]

KEYNOTE ADDRESS
Rep. Mike Rogers (R-Michigan), Chairman, House Special Selection Committee on Intelligence

Thank you, Your Honor. I appreciate that kind introduction. I'm not sure that I want to say anything to change what you're thinking of me right now. I appreciate the opportunity to be here and take a few minutes, and I don't want to go long. We have some very, very distinguished panelists, and I wish I could stay for that. I just wanted to talk about a few things. I first got on the committee in 2004 and got my first classified briefing on cyber activities in the United States and around the world. It was one of those things that is something that we might want to pay attention to, something that could become an issue that we can't handle, and unfortunately [it has grown] exponentially since that day. It grew worse and more complicated and is an issue that is a serious threat to our national security that America is not prepared to handle. It is amazing to watch, even just the last couple of years, nation states--whether one would argue or not [that they are] rational actors--North Korea, Iran, developing and building their cyber capability to not only ... well, they're not [just] interested in espionage, let's put it that way. They are interested in attack and disruption. And we have non-rational actors who have that capability. I worry about this every single night after we go through our daily prep debriefings on new policy decisions during the course of the day.

This is alive and well, and we are in a cyber war, and we just don't know it. It's that bad. I just happen to have come back from New York, talking to a few folks--somebody who should know better and who didn't was someone who was involved in a small venture capital company--[who] had heard some of the rumblings about cyber security. Now, this is somebody who's investing (it's a small fund) about a billion and a half dollars. They went back and said, you know, just for design, we [should] check our systems to see, so they brought in a security company and found the Chinese had been on his network, probably (they've estimated) between six and eight months. This is a small firm when it comes to venture capital firms in a city like New York. Cyber intrusion is so prolific, so dangerous and so bad. We had better do something now, or on my recollected watch, we will destroy the economic prosperity of the United States. I don't say that lightly.

We have several different realms now: you have the realm of political hacktivists, people who are trying to make a point, Anonymous. You have individual criminals; you know, the guys with the bunny slippers in their mother's basement, who are all trying to break into your account, steal a few bucks. Organized criminals, internationally, who are well trained, well schooled, many of them former intelligence officers from places like Russia. Then you have cyber espionage, that the Chinese are engaged in, with which there is no comparison in history of the amount of economic wealth that they have stolen from not only the United States, but other innovative economies--Japan and Germany and South Korea and France and Great Britain--and the list does not stop there.
If you have something of value, they have geared their military intelligence services to configure a way to make it a priority to steal intellectual property, to bring it back to China, to "repurpose" it, develop it and put it into the market. That is a horrible competitive disadvantage for countries like the United States, which are so heavily dependent on innovation for national growth.

One of the things that we have to do is begin to protect ourselves first, so this is how we do it. As the chairman of the Intelligence Committee, it's my job as the director to tell you to be on these folks and say, "what do we know about X, we need to fill in a little Y." We need information about these three things, so we push them, and they come back with their proposals, and they go out and do their work around the world. They go out and find out what bad actors are doing in the cyber arena. They bring that information back, and we use that to protect our dot-mil networks. Candidly, our dot-mil networks are very well protected, probably the best in the world. The problem is about 80% of all of the networks across the United States are private networks, and so we are prohibited from sharing that information with the private sector in a meaningful way so that they might be able to protect their own networks.

I was an FBI agent in Chicago. If somebody called me and said, "hey, there's going to be a home invasion at 123 Street tonight at six o'clock," I am morally obligated to do something about it. I will contact the local police to show all our calls to make sure that that person doesn't get through the front door and cause some harm. Think about what this cyber activity is. It is no different than a company willing to pick up that 911 call and say, we are under attack and we need some help. So what we've said is "listen, [we need to] do all of this talk about offensive capability and developing an offensive capability in the United States"--and we have lots of debates about that, believe me, all worthy debates. None of it means anything if we cannot protect our networks here at home. Candidly, we are not ready to protect our networks here at home.

Talk about Chinese espionage: that last string, those were a cyber attack. We have several nations that have used it, Russia clearly in Estonia, 2007. You recall when they tore down Lenin's statue, [the Russians] were a little miffed apparently, and they used a very aggressive cyber attack on a submarine--severe damage, shut them down, scared them to death. One of the most vocal advocates of the government's assistance in protecting networks you'll find is Estonia, and I highly recommend [that you] meet the ambassador; she'll school you well on the threats of cyber security. They also used it in prepping the battlefield in South [Ossetia] before they went into [that part of] Georgia, so they had a very aggressive cyber attack, a disruption of their electric grid, their financial services network, then they sent in the soldiers and the tanks. We know that nation states, including China, by the way, have this capability and are eager to put them into their arsenal. Now there's one thing about this: Russia and China are not likely to go after our financial services networks, [that's] not likely unless we are in direct conflict.
They're rational actors as to the consequences of that kind of very destructive behavior, and I argue the Chinese wouldn't want to go after our financial services networks: we owe them too much money. You have those rational actors. Here's where it gets concerning: we should be concerned that North Korea showed, about a month ago, that they had the capability to go in; they attacked a financial institution in South Korea and did some damage. Probably not where the other nation states are, but it shows they have a growing investment in their ability to conduct cyber attacks that have real consequences. Iran clearly has exponentially gotten better and is learning every day, but if you're not familiar with the Saudi Aramco case, I would recommend that you get familiar with it. It shows what a nation state can do when it sets its resources to attack a single business to cause destruction and harm to that particular establishment. They attacked Saudi Aramco, a very important energy company in Saudi Arabia, the largest company in all of Saudi Arabia, that does all their transactions and clearances--financial transaction clearances for the country when it comes to oil and gas. Think about this: you had, say, ten thousand computers. You show up to work that day and seven thousand of those computers don't work anymore, and everything that was on those computers is gone. You can't reboot them, you're not going to find it again. It's gone. You can't even turn it on. It is a paperweight on your desk. They destroyed thirty thousand machines in the attack on Saudi Aramco, thirty thousand. Here's where it gets interesting: they also went in and manipulated data. Instead of Mike Rogers owing Saudi Aramco $100, they had it turned around the other way. They manipulated data, they destroyed data and then they destroyed machines. The scary part was [that] the telecommunications network almost caught fire. It's still vulnerable. I don't think that was by design, I think that was just by propagation of this particular mode of attack. They almost shut down and destroyed certain pieces of equipment in the telecommunication sectors of private companies that were operating in that particular region. It doesn't take too much, if you understand common communications, that [something like that] can hop, pretty quickly, not only across the Middle East but across continents, across oceans, and get to a place like the United States. If that doesn't worry you enough, imagine that. We now know that, according to public reports, Iran has been lapping at our shores and probing our financial services institutions. Not with their best stuff; their best stuff, we believe, was Saudi Aramco plus, but they were just trying to find vulnerabilities in our financial services networks. Is that a problem? Imagine a bank that does, say, eight trillion, nine trillion dollars in transaction clearances a day gets attacked and the data is lost, the machines are broken, and we have what we would call chaos occur. They know it. They're not a rational actor. They're cornered, unbalanced, at this point in the world, isolated clearly, and they're on the offense. This is a huge problem. It is not Orwellian, it's not Hollywood, it's today.
The problem is most people at home don't have any understanding of the impact and how it might affect their lives. Trust me, if you have money in a 401K account, you will be in that. If your check, for those Federal employees ... some of these banks clear a whole bunch of Federal transactions, stops coming ... And your Social Security checks can stop for a period of time. Try to imagine going back and reconfiguring that in a timely way to get people their checks. So, you can compound this pretty quickly and get to a place where chaos is the reigning [condition] of the day. Here's why I know this is going to work, and here's why we have to have this today. The Internet is one-sixth of our economy today. If we want to maintain the economic engine, I would argue the freedom engine, that the Internet has brought to not just us but the world, people have to have faith that it works for them and not against them. If you want a free and open Internet, we better take some steps today to make sure that we can protect it and maintain the confidence that, when you use the Internet, somebody's not stealing you blind. Imagine that happens at a bank, and it happens at your bank, and it happens every time you use your credit card; you pretty soon will stop using the Internet as a means of commercial transaction. I can't imagine what we would look like if we started withdrawing from the commercial aspects of the Internet. I think it would be a horrible outcome.

What we did is we stepped back, quickly, my ranking member and I, a Democrat from Maryland, he's a prosecutor and former FBI agent ... We figured we could talk the same language. I would say the FBI does the work, the prosecutors get all the credit. We'd probably have a marriage made in heaven here. We sit down, and we start with a blank piece of paper. We said, no, let's not bring anything to the table. Let's go out and let's talk to Silicon Valley. Let's talk to the high-tech industry folks, let's go to New York City and talk to those folks. Let's talk to the privacy groups. Let's talk to the end users, and try to figure out what is the narrowest, least intrusive, non-government-mandated way that we can provide cyber security information to the private sector so they can protect their own networks, very simply. Well, we came up with a whopping thirteen-page bill. I know some of you are aghast at that. Right? I was going to put on that a four hundred page amendment, just to show you all I was serious. Nothing in it, but just weight. So, through time, we've been working with those players. Last year, it passed in a bipartisan way, mainly by people who were exposed to the real threat of what's happening out there in the real world when it comes to cyber. This year, we have been bringing members down. I call it a "holy mackerel briefing." You come down, we expose members of Congress to what the real threats are in a classified environment.
Why we can't sleep at night, why this is a relevant problem, why more nations are themselves investing in the capability to do this kind of thing, because it's so lucrative for them, and how we can take a very narrow, small step to do something about it. Let's share the secret sauce, that information that we collect overseas, that really nasty, malicious source code, and share it with the private sector, so that they can protect their networks. And when you're at home on your computer, you don't have to worry about somebody stealing your personal identity. We can make it a little more difficult for them to be successful. And vice versa. You know, probably the biggest misperception about this whole thing is that your National Security Agency, or your CIA, is plugged into the domestic Internet circle, if you will. It's clearly not. It's illegal for them to do it. We monitor that very closely. They would have no benefit to themselves to do that. They are not on a vested network. This wouldn't change at all. All it does is say, well, you want to help the private sector when they get hit. What happens is a private sector company gets hit with something very complicated and very nasty -- and by the way, remember -- I could be a mid-sized company trying to fight off a nation state like China. You're going to lose that fight in a cyber war, I don't care how good you are. If you get a thousand people getting up every single day with the sole purpose of getting into your system, guess what? They're going to get in your system. And when they got hit with something, what we said is we'll give you as much as we can on the mail order side, and you shoot something back that says, this is the 911 call I was telling you about. This happens in real time, by the way. Nobody really picks up the phone. If they have to pick up the phone, it won't work. Their machine sends that nasty piece of code to folks who understand it. They look at it, and they can go back overseas and find out where it came from. Just as you call a detective and they come and catch the burglar that's in your house or outside your house, same system. But it happens in real time. It'll happen a hundred million times a second, and to give you an idea of why that's important, the average credit card in your wallet, that company will get hit three hundred thousand times today alone by bad actors trying to steal--credit card companies, three hundred thousand times today. I talked to one agency that got hit six hundred million times last year, one company, six hundred million times in one year, a huge process. What we're doing tomorrow is we're doing markups, that's the legislative jargon for taking a vote, working amendments on the bill in the Intelligence Committee. Again, that does that very narrow, simple thing: have the government share what it knows and, when you get hit as a private sector company, only if you want--100% voluntary.
You share that malicious source code back with the government so the government can take it and try to figure out who the perpetrator is, and build those signatures into its network so we can stop him from robbing us blind. As it is, it's happening every day. So, we're looking forward. If I haven't depressed you enough already, I can take a few questions.

Audience member: I'm on the cyber economic espionage front. If we're a system of, a nation of laws, rule blocked, we have governmental information that we know that X hundred billion or trillion dollars worth of electric property will be stolen, why can't we not use our court system to go through the process, repeal false judgments, and start decrementing the debt we owe to the people who are violating our laws?

Mike Rogers: Because we are members of the WTO, there are companies that choose that route. It is just not successful. If you have a company that is using its government military intelligence services to steal information for the sole purpose of building its economy, you can tell that the rule of law is not nearly as important to them as we would think. It works in a system where both parties believe in the rule of law. You go to court, some win, some lose. Right? That is just the way that our system is. If you respect that system, it works fantastically. If you don't respect that system, it will hardly work at all. There are efforts underway to try to raise the pressure on countries like China. And remember that they have to grow 7% a year, just to maintain their social programming. Growth ... you know, we'll be lucky if we hit 2% this year for a profit. If we're really lucky this year, we'll have 2% growth. So, you imagine that they are not great innovators, but they have shown they can be great, well, I won't use the word, but they're taking a lot of stuff. Right? They can take that stolen material, and it helps them fulfill their need. By us filing a charge and doing it that way, I don't believe it'll work. I believe that by raising the pressure dramatically, this should be the number one, number two, and number three bilateral discussion on any issue we talk about with China moving forward. We've got to get them there.

Audience member: You're talking about what your committee is doing; what cooperation are you getting from the Senate and from the administration?

Mike Rogers: Part of the problem is last year, we got caught in the election cycle, so we got the bill out of my committee too late. This year is better, and we are much better aware, because you cannot open the paper today without another example of a cyber theft, a cyber intrusion, a hacking. That helped. Unfortunately, that helped build awareness in both voices. The good news is we're having a constructive dialogue, so far, with the White House and a constructive dialogue in the Senate. We're going to get a bill by the end of this year that will get on the President's desk and get signed. I believe that. We are right in the middle of the sausage-making part of that whole thing, and our goal is to protect privacy, civil liberties. Let people understand exactly what the bill does. People must have faith that this thing is not intruding on their lives and won't work; we need to make sure that that's right and it doesn't intrude. It's not a surveillance organized event. So, we're going through that process now, and we're going through this education process. If you know a member of Congress, I highly recommend you call them and say, whatever you do for, you better get out there and start fixing it. This is a great opportunity to do that.

Audience member: Because we're private citizens, everything we really know about the Chinese attacks is from reports like GhostNet. Private citizens got into their command and control servers and figured out what they were doing and learned a lot about the perpetrators' MO. We can't do this just with government resources. You're under a lot of pressure, and I fear from the Second Amendment that basically says we're not going to give any additional authority to private sector guys who want to investigate who's attacking them. Can't we find a way to make sure that we have leveraged some of those resources? A lot of people are worried about this.

Mike Rogers: You're talking about the hacking back provision of the bill. I do worry a little bit about cyber vigilantism, because if you're not at the top of that spectrum, you can get a bomb for sure.

Same audience member: We need this really badly.

Mike Rogers: Absolutely. One of the things that we didn't want to do is get into establishing new law by allowing people to participate in stealing, stealing back or hacking back. However, that being said, in an information sharing regimen, it empowers the government to know more about what's hitting the private sector, because we sometimes don't know. If we don't catch it overseas, and you don't call the FBI, the federal government does not know what business has been hacked, which is part of our problem, why we're trying to get a handle on this. Most people think that the government is sitting on the Internet, listening to all of that. It doesn't happen. So one of our challenges is how do we entice businesses to cooperate back so that we can find these new signatures out there? So the government cannot do it without the private sector. It is impossible. The private sector cannot do it without what the government knows. I'll guarantee you it's impossible. Even your best CIO who tells you, "we've got a handle on it. We know exactly who they are, no problems," my argument is find yourself a new CIO. Because we know for sure, the last estimate I heard from our intelligence services was that we would know almost 40% more on malicious source code that's laying on the shelf than the private sector even knows exists. Imagine the value of having that protect every network in America, but all you've got to do is get in the right. If you know what you're looking for, you can find it. That's the beautiful thing, but this stuff is so sophisticated, so complicated, you have to know what you're looking for. That's the benefit of sharing that we hope gets away from the need ... because what you're going to do is have somebody make the mistake of bringing down a business, with at the most unintended consequences can be very, very serious. I will tell you that the good news is that the government is getting better about catching on to how they do it, the signature-based task, but it's difficult. That may take you through five or six countries or a hundred different cities before you find out where that thing was written and sent. That's the challenge, and I would argue, knowing what we know on our side, even some of the best private sector companies wouldn't have the ability to track it all the way out. Some can, a lot cannot. My fear would be those, a lot that cannot, could cause more harm than they do good. So that's why we're kind of at where we're at.

Audience member: What role do you see for state and local governments in this cyber policy?

Mike Rogers: Obviously the criminal part of this is important. We're dealing with, as the intelligence chatter, we're worried about what threats come into the country from overseas. I think it's not limited to that. We have criminal problems here in the country. Part of that sharing needs to be from federal to local and local to federal as well. And the more we know and find out in a classified setting, the more you can stop. The goal is, can we make it so hard and so difficult as we move forward? Can we make it so hard and difficult that it's not worth trying and investing as much money as they are in training a legion of cyber attack warriors and intellectual property thieves? And that's what they're doing. But how do we make that so it has no dividend? And right now, there is no consequence. That's the problem. So, that's why we need to see this sharing regime between them [the federal and state and local governments]. And then state and federal, state and local would be heading out, trying to hopefully find those criminal elements that operate within the United States, conducting crimes here. The FBI is going to be a part of this as well.
Audience member: In your markup of the bill, do you intend to address at all DLS attacks on 911 Centers?

Mike Rogers: Well, we wouldn't do it specifically by institution. You would hope that local units of government would participate. This again is all voluntary. There are no mandates in this whatsoever. I don't think that would work. You'd hope that they would participate. The FBI, I will tell you, is getting better and better and better when it comes to the forensic cyber crime part. There are discussions about how do you try to stop it before it hits. That is a much more difficult proposition, and one that we wrestle with quite a bit, based on what the FBI's duties and assignments are here in the United States. We hope through this sharing regimen you can get a lot of that. And here's the other benefit: when that 911 Center is hit, God forbid, if you have real time sharing capability and you're part of that loop, it is much easier to use the capability of, say, the FBI, which has this growing cyber capability, to find them quickly and have somebody hauled off in handcuffs and put in jail. They're risking people's lives when they do that. It's pretty sick of them.

Audience member: We know, at least some of us know, the Iranians have been targeting and hacking second-tier government contractors. Do you believe that there should be a cyber security standard in order to get a government contract?

Mike Rogers: The problem is you don't want to be exclusionary. And you want to find, to me, the best and most cost effective way to allow those companies the outlet. So, in the first part, you're going to see this anyway, but while it's not only in some of the defense contracts, that "yeah, I have at least these elements," I would be very reluctant to have a legislated standard that starts to get the government into setting the standards, through rules about what their secure network looks like. That's the other side of our argument: a lot of people are pushing that. I think that's a disaster. By the time you do the rules it takes eighteen months. Guess what? Your threat matrix is completely different by the time you're finished. You have companies trying to beat the standard that doesn't beat the threat, because it's happening today. A) I think it's a waste of money, and B) I don't really want government regulating the Internet. I think that would be a disaster. So, where we're at is a discussion. I'll tell you what's interesting, coming out of New York over the weekend, is now these venture capital firms are starting to realize that they don't want to invest in a company that is exposed to the vulnerability of getting all of that intellectual property in which they invested stolen.
So now they're putting as part of their contract of investment their own standards of what those networks should look like. Honestly, if you have the private sector and these folks who are exchanging money saying, "Hey, this is important enough for us to say, 'You want our money? Your system has got to look like this.'" Perfect, that's fast. They don't have to go to the government for permission. They can set their own standards, and when it changes in six months, you can change with the threat matrix. I think that market force is starting to kick in by the sheer volume of loss to economics in this, and I think it's going to have a great outcome. I'll just take a couple more questions, if I can.

Andy Cameron with Augur-Nexus: In the War on Drugs, we found out that banks were a big part of the problem with the money back and forth. In cyber warfare, obviously a lot of these groups denied state sponsored funds are getting funded somewhere, and banks are involved in this. We've been talking to people on Wall Street. They want to figure out who they should be dealing with and not dealing with, and try to give bad banks bad ratings and such; is there an economic bent to this?

Mike Rogers: On the fence, if you're talking about people trying to launder money or if you're talking about ... or did you just say that bankers were on drugs? Did I understand that?

Cameron: But there are banks that are literally funding corporations in China and Asia that are knowingly ...

Mike Rogers: I see what you're saying.

Cameron: Is there a way to get Wall Street more involved in a proactive list by management?

Mike Rogers: Again, I think the driving force is this sharing regime, and I do think there's going to be a parallel track here. The only reason that I talk about the defense part is because we're so far behind. We haven't even, you know, in the old saying of the day, we haven't hired one soldier or one rifle yet to protect our networks, and there is an invasion underway. Right? We're way behind target. We have to fix that part. The second part, and the parallel part that I understand is equally important, is where we gain the support of Germany and Japan and South Korea, other innovation economies in the world getting absolutely killed, is where we start putting pressure on China directly. The Mandiant report was important because it named names; that was really important, and the Chinese hate that, and so what we're going to do is we're going to name more names, and we're going to start ramping this up. I argue that we ought to look at trade issues when it comes to companies that we have determined have stolen intellectual property, repurposed it, and put it in the market. I'm a passionate believer that, I guarantee that, that will definitely get their attention.
And again, we have to start putting into place things that take away the benefit of stealing this property and repurposing it. We had one American company, a well known manufacturer, that had their property, the blueprints for their products, stolen. That product is now in production in China. Twenty-five thousand American manufacturing jobs, one company. I didn't talk about it, because they were afraid of the brand or afraid of announcing vulnerabilities. They don't get out there and wave a flag that they'd been hit, but that's the kind of thing that's happening. There's another company that actually came to us. They had a company named American Semiconductor, that went into China to do a joint venture, and has technology or had technology that would allow windmills and solar to be converted to the grid. Right? Had this patented technology. The Chinese government stole it, all of it. They went from a company that was valued at 1.8 billion dollars monthly, that's worth about 170 million today. They are no longer doing business in China. The number-one company in China doing that business is the company that stole it from him, that he did a joint venture with. And I wish that I could tell you this is a rare thing. It happens again and again: there's a line around the capitol building of companies willing to come in and tell us in a classified setting, "I've got my whole frontal property portfolio gone." I've never seen anything like this, where we are jazzed, and our blood pressure isn't up. I mean, it's unbelievable. I'm getting all worked up...

Audience member: Okay, I also have your permission, we also have that, but we also have to go back and practice, create a number of programs to make this thing difficult to do, like liability, privacy, competition amongst companies who already have cyber protection, plus education rules about information; how do we do that?

Mike Rogers: If we don't have liability in the bill, he was just saying, this is a hard problem to work, because you have liability issues with sharing information, and you have, my fear would be, this unwieldy cooperation of competition between companies, and so, yes, we put liability protection in the bill, and again we did that because it has to be, in my mind, a voluntary process. We don't want any mandates telling people, "you must give us information, or you must cooperate." We don't do that in the ... well, we did do it in the FBI, but it was only in the hardest cases.
We did, we built in liability so that they can share, and remember this still has to happen in a classified way. If you just put all of this open, on the open Internet, take that source code, change enough of it, and it's in. I mean, this is complicated stuff, so that's what we look at. So, what we tried to do is, you'll push it as far upstream in the system as you can. Your Internet service providers would likely be the first members, I would guess, that would join. You share with me, and I'll tell you what we're catching on our system that's really nasty, and we'll build a better system together. And we think that's what happens. Then you'll have that next tier of very capable IT companies. If you're a small company in America, you don't want to build a SCIF [Sensitive Compartmented Information Facility], and have to meet all the standards of having and maintaining a SCIF, and have the people for compliance for the SCIF, just to share information, if your ISP provider is already getting it. Right? I wouldn't spend the money. That's where we think we get the value on that downstream. Somebody was talking about supply chain. That supply chain is very vulnerable; that's how we think that we can help the supply chain, before it ever gets to the network, or personal office network, it has to go through that ISP provider that is sharing classified data. Thanks, everybody, for getting involved in this discussion. It is very, very important. [Edited from transcript.]

CYBERSECURITY: ENGINE FOR GROWTH OR ECONOMIC ANCHOR?


Mark Weatherford, Deputy Under Secretary for Cybersecurity, Department of Homeland Security

I focus today on two issues related to cybersecurity and the economy. The first is the role of government in working with the private sector with respect to cybersecurity. The second is how the United States might use cybersecurity as an engine for economic growth. The first issue is a question many of us in government have been asking for some time, and that is, "What's our role in cybersecurity?" I've only been in the federal government for about 18 months but have sat through quite a few meetings where we've explored the question, and I can assure you, it's not a trivial or easy discussion. Historically, the mission of the Department of Defense is to provide the military forces needed to deter war and protect the security of our country. Doctrine, however, seems to be shifting to anticipate, or at least consider, that the next big destructive act facing our country will involve information technology. Here are a couple of things to think about: What is the role of government in a toxic waste spill where a community is endangered? The government typically monitors the situation, but the private sector does the work. What is the role of government when a hurricane destroys miles of high-voltage transmission lines that supply electricity to our cities and the result is physical and economic suffering? Government often plays a more active role, like during Hurricane Sandy, but we typically monitor the situation while the private sector does the heavy lifting. What is the role of government when geomagnetic storms or solar flare activity create coronal mass ejections significant enough to damage electrical transformers that then cause widespread power outages - perhaps for months at a time? How about if that same transformer damage is caused by a High-Altitude Electromagnetic Pulse from a warhead detonated miles above the earth's surface? These are two completely different issues requiring the same mitigation steps by the private sector, but I assure you that expectations regarding the role of government are different. Who is responsible for hardening the transformers? Who is responsible for maintaining a supply of spare transformers? These things are made mostly overseas, can take up to two years to build, cost millions of dollars, and are not easily transportable. Closer to home and more timely, what is the role of government when a cyber-adversary launches a Distributed Denial of Service attack against the banking and finance industry which threatens the banking industry's ability to satisfy their customers? Several days every week? This is something we know a little bit about, but it still isn't clear-cut. DHS and other government agencies like Treasury, the FBI and DOD have been working with the banking industry for the past nine months on how to mitigate and respond to these attacks, but is there a threshold? What is the government's role if that threshold is crossed? One of the significant roles of government is to share threat and vulnerability information with the private sector.
This kind of information is frequently synonymous with Intelligence Information, which is often - too often in my opinion - classified. As most of you probably know, classified information is only shared on a "Need-To-Know" basis with those who have been vetted and granted a security clearance. This creates a conundrum for the government because there are a lot of people in the private sector who could benefit from "Need to Know" information. When I worked at NERC, I'd get into conversations with government organizations who, because I had a security clearance, would brief me on these scary things threatening the electricity industry, but then tell me that I couldn't share it with the electric utility companies who actually run the systems. Our philosophy at DHS is different because, while we have cybersecurity responsibilities for the civilian federal government agencies, our primary constituents are those private sector critical infrastructure companies across the nation. It's something we call a "Duty-To-Share" versus a "Need-To-Know," and we do everything possible to get threat and vulnerability information into the hands of people who need it.

So, shifting gears, my second point is that I think there's an opportunity for the United States to consider how cybersecurity policy, and the investment in technology that supports the policy, could be a catalyst for economic growth. First, we have to recognize where we are today in our capabilities versus the cyber-threat environment. Security has always been a "throw it in if you have time and it doesn't cost anything" issue during system design and development. It's never really been a priority and, consequently, we are in a constant state of rebuilding our infrastructure. I was reading about the Hubble telescope a while back and I thought it might serve as a crude, but related, analogy. Hubble was funded in the 1970s and launched in 1990 at a cost of about $2.5B. As most of you know, they almost immediately discovered that the main mirror was too flawed and required repair if they were going to be able to get anything useful from the project. The Hubble servicing mission followed in 1993, just three years after launch, and cost about $1.1B. This is the security business today. The vendor market around bolt-on security is proof of this constant rebuilding, and while there is certainly some economic value to this market, we'll never achieve the kind of security I think we expect from a nation of innovators.
These aren't just maintenance issues like changing the oil in your car - we expect to do that. What we shouldn't expect is constantly fixing software defects and faulty applications. Almost all of our critical infrastructure systems have security flaws that could have been corrected during the initial design. The problem is, most of these systems were put in place decades ago. There are still turbines in dams, substations in the power grid, and industrial plants in the manufacturing sector that were built 20, 30 and even 40 years ago. This was way before there was even a cybersecurity issue to worry about. Since that time, these facilities and systems have been connected to, and are dependent upon, this very vulnerable thing we call the "Internet". This requires companies to conduct extensive vulnerability analysis and then either mitigate the vulnerabilities or apply compensating controls like network segmentation, isolation and other wrap-around security measures.

Of course they can also choose to upgrade and replace the systems entirely, but this is incredibly expensive and something not many companies want to do when there are years left in the life cycle. These kinds of capital investments are typically only made every decade or so in many sectors. This is where we are today - in Constant Remediation. We are making systems work with, metaphorically, a bunch of broken parts. This Remediation creates jobs, but this has only limited impact on the overall economy. This is where the next big thing, or Cybersecurity 2.0, can elevate the United States and actually distinguish us from other nations as a safer place to do business. Cybersecurity 2.0 is when we begin to design security into every critical infrastructure system, to make the United States the safest place in the world to develop and host systems and applications. Just like "Safety" in a manufacturing plant is everyone's responsibility, good security design will become habitual and an expected performance measure. After the significant remediation in our existing critical infrastructure is completed, and it's going to take a few more years, standards for good security design and development will guide a new generation of product differentiation. This is when all of the new Cloud and Mobile applications and services will become safer. And in case you haven't been paying attention, Cloud Computing and Mobility ARE the future. In a November 2011 Harvard Business Review article, Andrew McAfee called Cloud computing: "A deep and permanent shift in how computing power is generated and consumed. It's as inevitable and irreversible as the shift from steam to electric power in manufacturing, which was gaining momentum in America about a century ago." So here's a question: How do you feel about banking and hosting your financial information in a country where you don't know what security policies and controls govern the infrastructure?
Would you feel better about doing that same business in a place where the policies and systems have been specifically designed, implemented and are regularly tested to ensure they have effective cybersecurity practices and controls in place? What about your healthcare information? How about the rest of your privacy-related information? I think people in other nations and companies in other countries will feel the same way and choose the more secure place. There's very little disagreement that the next generation economy is already information-based and becoming more so every day. That means we can't - CANNOT - continue to treat security as a bolt-on afterthought. It must be designed and built into everything, and I think that can become a differentiator for the US economy. Made in the USA will mean something! Software will be developed with secure coding, systems will be designed to natively encrypt and protect data, and our hosting facilities will have threat monitoring and continuous diagnostics and mitigation built in to create the most secure facilities in the world. Security can be profitable!

[From prepared notes.]

KEY ELEMENTS OF ENERGY SECURITY


R. James Woolsey, Chairman, Woolsey Partners LLC, former Director of Central Intelligence, Member, Board of Directors, American Center for Democracy

When I was about ten years old, my father and I were going fishing one day. I went in to find him in our living room in Tulsa, Oklahoma. My father, a lawyer, had spread out on a card table a whole lot of yellow pads; he was taking notes and putting slips in the books and so forth, and I said, "Dad, what are you doing?" And he said, "I'm really sorry that we're going to have to put off the fishing trip. I'm getting ready, since I'm now expecting to go to trial on Monday, and I need to get a lot of work done." I said, "Well, what are you doing right now?" "I'm figuring out the opposition's cleverest strategy." I said, "Why do you do that?" And he said, "Because it's not only the opposing case that you think you'll likely be facing, but the strongest, most powerful, cleverest, sneaky and crafty thing that is possibly imaginable that you prepare for. Figure out how to defeat that and then you're more likely to win." Well, I thought that that was kind of an interesting approach to debates and lawsuits, and I've always tried to follow it. Let me suggest an approach a bit like that with regard to cyber security. Today, Kim Jong Un, Ahmadinejad, and some of their buddies in other countries like China like to steal money from us over the Internet, and that's a serious matter.

We have to protect ourselves and deal with all such important issues. But for some of them, their objective may be a lot worse than that, say destroying us. Now a common way of discussing these latter sorts of existential issues is to say of somebody--fill in the blank: Kim Jong Un, Ahmadinejad--that he is not crazy. If they tried that, then they'd know we might go back and attack them or even, you know, use a nuclear weapon, and since they're not crazy, we have little to worry about--they'll be deterred. Well, the problem is that there are at least two kinds of crazy. I once wrote a paper on Hitler's diplomacy. I can assure you that although his objectives were absolutely hideous (to conquer Europe and rule it for a thousand years as an empire and to kill all the Jews), his skills as a diplomat were superb. From 1933 to 1939, Hitler had the chancelleries of Europe eating out of his hand. He was as good as Metternich. It is not inconsistent for a sociopath like Hitler, or Kim Jong Un, or Ahmadinejad, to have a crazed, evil, world-destroying objective, but still be a crafty dude. We have, I think, lapsed into a mode of thinking about the Kim Jong Uns or the Ahmadinejads that they can be treated like your average Soviet leader. Let me be clear about what I mean when I say that. I kind of miss the Soviet Union, but only in a sense. I spent a lot of years trying to figure out how to deter them, what kind of weapons systems to buy to defeat them, and how to spy on them. But I also negotiated with them four times. Sometimes my Soviet counterpart and I would get really intense at a meeting, but then we'd go out to dinner together and after a couple glasses of wine, we'd start talking about our families and maybe trade some Jewish jokes. And sometimes in the negotiations we could then kind of make a few things work. The Soviet military kept Fidel Castro from persuading the Soviet Government to use a nuclear weapon during the Cuban Missile Crisis.
We now know from the materials released that Castro badly wanted a nuclear weapon used during the Cuban Missile Crisis. Why? Because he wanted to destroy the United States. But he would have consequently also destroyed Cuba, right? Well, yes, but did he care? Not that much. A Soviet Navy captain stopped his small flotilla from using a nuclear torpedo during the Cuban Missile Crisis, something that could have set off nuclear war between the U.S. and the Soviet Union. So bless the more or less common sense of at least some Soviet military people. They didn't really want to die for the principle of "from each according to his ability, to each according to his need." They wanted to remodel their dachas, their country homes outside Moscow. So we got used to dealing with an enemy that was very bureaucratic, and would allow its economy, which we substantially outperformed, to wither away. And they produced a Gorbachev, who was a pretty decent guy. The enemies we have now, I would say, Kim Jong Un and Ahmadinejad and those around them, are quite capable of creating a lot more tension than what we ordinarily had with the Soviets. They appear to be quite capable of Hitler-like thinking, behavior, and objectives.

Now if they were thinking about attacking us, using my father's approach, as described above, what might they do? Well, first of all, they would notice that the United States has eighteen critical infrastructures: food, water, electricity, natural gas, financial markets, and so on. All seventeen of the others depend on electricity. If the electric grid goes out, not just for a few days as in Superstorm Sandy, but for months to years, we don't have stockpiles of things like transformers--it's not just that your lights would go off. You couldn't pump gasoline at the filling station, because the pump is electric. You couldn't get food because the food delivery system depends on things that are electric in one way or another. You couldn't get water, because the pumps don't work. You would not be back in the 1980's, pre-World-Wide-Web. You would be back in the 1880's, pre-electric-grid. I doubt very seriously that we have enough water pump handles and plow horses and seed to function in a 19th century economy. So the estimate on what would be the result of the grid's going down for a substantial period of time, let's say a year or more, looks at the possibility that you would have two hundred million of the three hundred million people in the United States dead, because the agricultural system that we have is highly technological and feeds all of us, while only two percent of us work on farms. The end of that system means lots of people starve. In that post-electric future we would not see more than about a hundred million people surviving in a non-electrical, non-networked country. So, we are talking about the ability of an Ahmadinejad or a Kim Jong Un to seriously consider, if he hated us as much as Hitler hated the Jews, the possibility of taking down the grid, or at least a big chunk of it, for a substantial period of time.
It could be something more devastating than some scenarios in which nuclear weapons are used. An effective attack by a few nuclear weapons might destroy several cities. And while that would kill a large number of people, it's probably not going to fundamentally undercut all of our infrastructure. So what about the possibility of North Korea or Iran or somebody else hacking into the grid and taking it down? Well, the way that I feel about the electric grid is kind of bipolar. It's true, the National Academy of Engineering said not too long ago that, in a way, it's the most remarkable invention of the 20th century. It's a just-in-time system, and, generally speaking, except when there's a big outage such as from Sandy, it's given us the electricity that we need, so in a sense, it's really remarkable. On the other hand, the electricity grid has been, from the first instance, and it is now, highly fragile. It was first put together in the beginning of the 1880's, and, because Tesla won out over Edison, as an alternating current system, which makes long distance transmission possible. But it is a just-in-time system, so if any part of it is interrupted a lot of things can be thrown off. It used to be, in the time of childhood or even young adulthood for most of us, a simply-operated system. If you were at a utility in Idaho, and you saw some kind of outage developing that made you need some added electricity, you would pick up the phone, probably something with a dial that hung on the wall, and you'd dial long distance to folks at a utility over in Washington State. You'd say, "Hey, we're going to need a boost here in about thirty minutes. So, can you help out?" "Yeah, we can, we can do that. We'll work it out and give you a call." But after a while, with the coming of the computer, it was not a couple of guys on the phone but computers communicating on unique software that some local vendor had sold them so they could communicate a bit faster than they could on the phone. It would have been pretty hard for any outsider to get into it. Then in the mid-1990s, we got worried about Y2K, so as we fixed that problem, we started basically putting the electric grid's control systems on the web. About the same time we basically de-regulated electricity, and let it be bought and sold on an open market. So you now have an open market all over the country, on the web, with a lot of very standard software, and the control systems are ones that lots and lots of people know how to hack. And so we now have a system, important parts of which can be disrupted relatively easily. I'll use one example: the Department of Homeland Security cleared some information to go on CNN about three years ago. I don't think it should have been cleared, but it was and it was all over the web. It was a pretty simple hacking maneuver. When you have a spinning machine, at sixty cycles, and you want to put another machine into the mix, and you need to synchronize it, instead of putting them so they synchronize properly, what you do, if you're a hacker, is turn off the control of one of the machines.
One of them then spins very much faster than the other because of the torque, and then, within a few seconds or so, you put them back together again. The spinning one then destroys the other. It was on a demonstration up in Idaho three years or so ago. There are other relatively simple tricks. Who's in charge of the electric grid? Clearly somebody must be. Not really. There are fifty public utility commissions that are sort of in charge of electricity in each of the states. They are more or less run predominantly by retired utility executives in each state. There are not very many of them that are up to date with respect to new research and development in electrical matters. A former Deputy Director of ARPA-E in the Department of Energy told me a couple of weeks ago that if you take research and development done last year by all three thousand five hundred American utilities and add it together, it is less than the R & D that is done by the American dog food industry. There is very little interest in the industry in dealing with these problems. There is a tragedy-of-the-commons problem with these utilities. Each essentially says, "If I stockpile transformers and my neighbor's utility goes down, he'll probably take me down too, so that stockpiling will turn out to have been a waste of money, so I'm not going to do anything unless everybody has to do it." Who would everybody be? Certainly not fifty public utility commissions. How about the Department of Energy? They have a small electric office and no authority to regulate transmission. What about the Federal Energy Regulatory Commission? Not really. They can regulate transmission but not distribution. Why don't we have a national energy strategy? Because nobody's in charge. We are in a situation where a whole set of electricity issues--substantive and organizational--is extremely troubling.

Now, since I've been so happy and optimistic, let me leave you with one other--I'm afraid--rather difficult problem. We've heard about EMP (Electro-Magnetic Pulse). Apparently it's the case that, about once a century, we have a very large solar event--it's called a Carrington Event--and there's a huge electromagnetic pulse, naturally caused. The last time we had a very large one was a century and a half ago, in 1859. There were just a few telegraphs around to show what happened to electrical equipment, but everybody is quite clear: It was a devastating electrical storm. There have been lesser events that were still quite devastating to more modern electronics. There was one in the 1920s that was reported in Russia and to a limited extent, in the Western Hemisphere. As far as man-made EMP events are concerned, open-air nuclear detonations sometimes occurred from 1945 until 1963 before the atmospheric test-ban treaty took effect.
There were not many transistors in the early '60s, and vacuum tubes aren't affected by EMP, but by looking at the effect of those open-air tests, both the Americans and the Soviets came to the conclusion that a storm of the sort that occurred in 1859, or a comparably powerful nuclear explosion, particularly at a very high altitude, could be absolutely devastating to electronics. The Russians, the Chinese, and now the Israelis and the British, are all getting their electrical systems protected against electromagnetic pulse, whether caused by the sun or by a nuclear explosion. We're not, because nobody's in charge. One final point. It's possible to create such a pulse with the detonation of a relatively simple nuclear weapon. It doesn't have to be sophisticated; it just has to go off a few hundred miles above the target area. So, we have, to put it mildly, a very major cyber problem with the grid and at the same time we have a solar and a nuclear explosion problem. The electric grid is vulnerable in more than one way and we have not done a responsible job in taking care of it or the rest of our infrastructure. We've got a lot of work to do, and it needs to be done quickly. [Edited from transcript.]

CYBERSECURITY AND ECONOMIC, FINANCIAL AND MARKET WARFARE


Christina Ray, Senior Managing Director for Market Intelligence at Omnis, Inc.

The global financial markets are the virtual equivalent of the US power grid; each of these two networks, whether physical or virtual, may exhibit both the fragility and robustness that are the characteristics of a HOT (highly optimized tolerance) system and therefore be high-value targets in a new paradigm of warfare. We know that the financial markets are one of the battlefields on which future wars will be fought. We have been told so: for example in a 1999 book titled Unrestricted Warfare (literally, "warfare without bounds"), written by two PLA officers, Colonel Qiao Liang and Colonel Wang Xiangsui, and translated from Chinese.

As they stated, "So, which [of many unconventional means], which seem totally unrelated to war, will ultimately become the favored minions of this new type of war, the non-military war operation which is being waged with greater and greater frequency throughout the world? Financial War is a form of non-military warfare which is just as terribly destructive as a bloody war, but in which no blood is actually shed. Financial warfare has now officially come to war's center stage." In that same book, the authors posited a number of economic attacks, including an attack on the World Trade Center and an attack by Bin Laden. 9/11 was an instance of economic and financial warfare as well as a physical attack: in the days following 9/11, Bin Laden explicitly bragged about the loss of market capitalization the attacks had triggered.

The Intelligence Community is well aware of the links between economic warfare and geopolitical risk. As described in the O/DNI's Vision 2015, "Each driver and trend independently produces unique changes and challenges; those points where factors intersect often reinforce and amplify the effects of change and create a series of unpredictable threats and risk that transcend geographical borders and organizational boundaries."

To understand its vulnerability to cyberattack, it is necessary to take a systems view of the global capital and commodities markets. The global markets are chaotic (strictly speaking, in a state of deterministic chaos), which is not to say that their behavior is random. Instead, like an amusement park Tilt-a-Whirl ride, they obey the laws of physics (or economics) even as they jerk and spin. Specifically, they exhibit the characteristics of a complex, adaptive, and self-organizing system. The global markets are complex and adaptive, in that they change in response to either exogenous forces or to changes in their environment. They are self-organizing, in that market mechanisms and activities permit the spontaneous generation of order in a complex, adaptive system. For example, a market economy is self-organizing, whereas its opposite, a command economy, is not. Such adaptation might result in a self-correcting process that attempts to maintain the current state. Or, conversely, it might instead require the system to jump to an entirely new state to find a new type of stability (i.e., exhibit emergent behavior). The danger lies in the fact that this new state might be considered catastrophic by some observers.

Some systems are more robust than others, and like the power grids, the financial system can be both robust and fragile because of their highly-optimized tolerance. For example, because of market activities such as location arbitrage (e.g., buying one security in New York, selling its economic equivalent in London) the global markets are highly interconnected. Transactions are the message packets between market venues, causing the markets to be in a continuous state of evolution. And transactions in high-frequency trading (HFT), that is, trading using computer-based algorithms without human intervention, can occur in as little as 100 nanoseconds. So, such evolution to a new and dramatically different state can be virtually instantaneous. In the past we've experienced relatively benign instances of contagion in the US markets. So-called "fat finger" trades may have been manually triggered when, say, a human trader entered an order to sell 10,000 futures contracts instead of 100 in a thin market in French Franc futures. The Flash Crash of May 6, 2010 was a more dramatic version of the consequences of a similar, benign trigger (attributed by some to an unusually large order in e-mini S&P 500 contracts by a mutual fund) in a market already nervous about the Greek credit crisis. On that date, the Dow Jones Industrial Average plunged about 1000 points (about 9%). Although it recovered from those losses within minutes, massive losses occurred. Similarly, on August 1, 2012 a "technology breakdown" at Knight Capital Group caused a major disruption in the trade of about 140 stocks and losses to Knight of over $400 million. Net-centric warfare may be both literally and figuratively accurate in the future. If such disruptions can occur at the hands of benign actors, they might be able to be deliberately engineered by adversaries of the US.
The recent interest in storing big data and development of the means to perform sensemaking on such data may give adversaries an enhanced ability to identify points of vulnerability and fine-tune attack mechanics in the financial network.

The nature of a cyber-attack on the markets would be different from, say, a denial of service attack in another sector. For example, although there is now in-line risk management for HFT (that is, the size of an order is checked against risk limits before being sent to the electronic exchange), a cyber-attack might attempt to disable such risk systems and allow a large, illicit order to trigger a cascade of large market movements, perhaps to such a degree that they interfere with the functioning of the markets themselves. Similarly, an adversary might use cyber espionage to determine highly confidential trading positions by major market participants, giving them the ability to profit from their knowledge as well as enhanced intelligence that might be utilized in a cyberattack on the markets. These are the types of scenarios that keep me up at night. As a framework for risk mitigation, I propose that economic and financial warfare be joined by a more explicit classification: that is, market warfare. The table below[1] shows a number of hypothetical attack scenarios, classified as economic, financial, or market warfare (some may fit more than one classification). The market warfare scenarios are specifically designed to trigger a cascade in market prices.

The good news is that it's possible to plan for systemic failures (for example, by building excess capacity into the system). And, a new field called MARKINT, or market intelligence, is a variation on SIGINT, or signals intelligence. In its broadest sense, MARKINT refers to the acquisition and aggregation of data from the global markets for purposes of sensemaking. The global markets may contain indications and warnings of system vulnerability or nefarious intent in their behavior, and we can use the same big data analytical methods (e.g., machine learning) to convert data to information to knowledge that might aid in national security.

[1] Source: Extreme Risk Management, Christina Ray, 2010, McGraw-Hill.

[Edited from prepared notes.]
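The in-line risk management described above, in which an order is checked against limits before it is allowed to reach the exchange, and the attack that targets it by disabling the check, can be made concrete with a small pre-trade risk gate. The following Python is an added example, not code from the briefing, from Omnis or from Christina Ray; the symbol, limits, account and order sizes are constructed sample values, and the exchange connection is a stand-in function. It shows the fat-finger case (10,000 contracts entered instead of 100) being stopped and, for the failure mode the text worries about, the gate failing closed: if the risk check itself errors out or its limit store becomes unreachable, it engages a kill switch and sends nothing rather than passing orders through unchecked.

```python
# Added example (not from the briefing, Omnis, or Christina Ray):
# a fail-closed pre-trade risk gate. All limits, positions and orders
# below are constructed sample data; send() stands in for the exchange link.
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Order:
    account: str
    symbol: str
    side: str      # "BUY" or "SELL"
    qty: int       # number of contracts
    price: float   # limit price per contract


@dataclass(frozen=True)
class RiskLimits:
    max_order_qty: int         # hard cap on one order (the "fat finger" check)
    max_order_notional: float  # cap on qty * price for one order
    max_net_position: int      # cap on |net position| after this order fills


class RiskServiceUnavailable(Exception):
    """Raised when the limit store cannot be consulted."""


class _RaisingLimits(dict):
    """Stand-in for a limit store whose lookups fail (simulated outage/tampering)."""
    def get(self, key, default=None):
        raise RiskServiceUnavailable("limit store unreachable")


@dataclass
class PreTradeRiskGate:
    limits: dict[str, RiskLimits]
    positions: dict[tuple[str, str], int] = field(default_factory=dict)
    kill_switch: bool = False
    rejections: list[tuple[Order, str]] = field(default_factory=list)

    def evaluate(self, order: Order) -> tuple[bool, str]:
        """Pure check: is this order within limits? Unknown symbols are rejected."""
        if self.kill_switch:
            return False, "kill switch engaged"
        if order.side not in ("BUY", "SELL") or order.qty <= 0 or order.price <= 0:
            return False, "malformed order"
        lim = self.limits.get(order.symbol)
        if lim is None:
            return False, f"no limits configured for {order.symbol}"
        if order.qty > lim.max_order_qty:
            return False, f"qty {order.qty} exceeds max_order_qty {lim.max_order_qty}"
        notional = order.qty * order.price
        if notional > lim.max_order_notional:
            return False, f"notional {notional:.0f} exceeds max_order_notional {lim.max_order_notional:.0f}"
        signed = order.qty if order.side == "BUY" else -order.qty
        projected = self.positions.get((order.account, order.symbol), 0) + signed
        if abs(projected) > lim.max_net_position:
            return False, f"projected position {projected} exceeds max_net_position {lim.max_net_position}"
        return True, "accepted"

    def submit(self, order: Order, send: Callable[[Order], None]) -> tuple[bool, str]:
        """The only path to the exchange: nothing is sent unless evaluate() passes.
        If the check itself fails (store down, bug, tampering), engage the kill
        switch and hold all further orders rather than letting them through unchecked."""
        try:
            ok, reason = self.evaluate(order)
        except Exception as exc:  # fail closed on any error in the risk path
            self.kill_switch = True
            reason = f"risk check error ({exc}); kill switch engaged"
            self.rejections.append((order, reason))
            return False, reason
        if not ok:
            self.rejections.append((order, reason))
            return False, reason
        send(order)
        key = (order.account, order.symbol)
        self.positions[key] = self.positions.get(key, 0) + (order.qty if order.side == "BUY" else -order.qty)
        return True, reason


def demo() -> dict[str, tuple[bool, str]]:
    """Run constructed orders through the gate and return each outcome by name."""
    sent: list[Order] = []
    limits = {"ESM3": RiskLimits(max_order_qty=500, max_order_notional=25_000_000.0, max_net_position=1_000)}
    gate = PreTradeRiskGate(limits=limits)
    results: dict[str, tuple[bool, str]] = {}
    # 1. A normal 100-contract order passes and reaches the exchange.
    results["normal"] = gate.submit(Order("acct-1", "ESM3", "SELL", 100, 4_100.0), sent.append)
    # 2. The fat-finger version (10,000 instead of 100) is stopped at the gate.
    results["fat_finger"] = gate.submit(Order("acct-1", "ESM3", "SELL", 10_000, 4_100.0), sent.append)
    # 3. A symbol with no configured limits is rejected, not waved through.
    results["unknown_symbol"] = gate.submit(Order("acct-1", "ZZZ", "BUY", 10, 1.0), sent.append)
    # 4. The risk path breaks (limit store replaced by one that raises): fail closed.
    gate.limits = _RaisingLimits()
    results["risk_path_down"] = gate.submit(Order("acct-1", "ESM3", "BUY", 1, 4_100.0), sent.append)
    # 5. With the kill switch engaged, even a tiny, otherwise-valid order is held.
    gate.limits = limits
    results["after_kill_switch"] = gate.submit(Order("acct-1", "ESM3", "BUY", 1, 4_100.0), sent.append)
    results["sent_count"] = (len(sent) == 1, f"{len(sent)} order(s) reached the exchange")
    return results
```

The design point is that submit() is the only route to send(), so the check is not a separate service the order path can be made to skip. An attacker who takes down the limit store therefore halts trading through this gate rather than opening it, which, of the two outcomes, is the one a firm would choose.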

CYBER: WHERE TIME MARCHES ON AND PROGRESS DOESN'T


Michael B. Mukasey, Debevoise & Plimpton, former Attorney General of the United States, Member, Board of Directors, American Center for Democracy

I have to tell you that I drafted these remarks before I became aware that Chairman Rogers would be joining us today, and I can think of no better example than Mike Rogers of the kind of public figure we need to help get us serious about dealing with cyber threats. This is probably about the fifth or sixth conference of this sort - devoted to analyzing cyber threats and strategies for meeting them - that I have attended since I left government, either as a participant or as a spectator. Of course, that does not count the two I attended while I was attorney general, or the numerous meetings I attended that were addressed to this problem in what seems the bygone days of 2007-2009. To be sure, there have been successes in cracking this or that cyber attack - some launched domestically but many originating abroad - and even arresting some perpetrators, usually youthful. We have cooperated across national boundaries, through the G-8 high tech crime group, which includes more than 50 countries, and perhaps even more remarkably across bureaucratic boundaries within the government, and there has been some cooperation between the public and private sectors through a Cyber Fusion Center in Pennsylvania that brings together private parties and government investigators to collaborate in solving breaches and detecting cyber threats. However, I think it is also fair to say we are no nearer to dealing comprehensively with the issues presented by the danger of unauthorized entry into and use of our computer systems than we were a decade ago. That is not to say that there is necessarily a comprehensive approach that would work - comprehensive being one of those words that often makes me wish I did not live in a state with restrictive gun laws. After all, we haven't come up with a comprehensive approach to crime, and that has been with us since the Garden of Eden. But at least we have laws against crimes, and at least a comprehensible if not a comprehensive way of applying them. We really don't have either in the cyber sphere. That is not to say that we are short on pronouncements. Back in May 2011, the White House issued a 25-page document titled "International Strategy for Cyberspace," and subtitled "Prosperity, Security and Openness in a Networked World." I think perhaps a further subtitle for that document, after prosperity, security and openness, might be "pick two out of three, so long as the two aren't security and openness." The document, although it is entitled a strategy, really doesn't purport to lay out ways of achieving the desirable outcomes its title suggests.
For example, a page and a half of the 25 pages are devoted to defense, which is said to consist of dissuading and deterring; dissuading is achieved by developing strength at home and strength abroad; deterrence by holding out to criminals the prospect of investigation, apprehension and prosecution, and to larger scale hostile actors in cyberspace the promise that, "when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country." The document then goes on to list the means as "diplomatic, informational, military and economic" - with the assurance that all options will be exhausted before resort to military, that the costs of action will be weighed against the costs of inaction, and that when we do act it will be in a way "that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible." It seems to me small wonder that after that document was issued in May 2011, Defense Secretary Leon Panetta received a letter in July 2011, signed by both the chairman and the ranking member of the Senate Armed Services Committee, reminding him of his obligation under existing law to address and define the policies and legal authorities necessary for the Pentagon to operate in the cyberspace domain, and saying that that obligation had not yet been met. There have been attempts at making the abstract goals of the White House paper concrete, but not noticeably successful ones. In 2012 there were attempts to expand existing legislation that criminalizes computer hacking so as to give the federal government the lead in setting performance standards for protecting sectors of our infrastructure, to try to strike a balance between security demands and privacy concerns by providing for information sharing between the federal government and the private sector with liability protection for those who do share such information, and to increase penalties for violation - all of which went down in flames under fire from both the right and the left - indeed, went down twice in the Senate.

In the private sector, those who make a living from existing laws, and from successfully extending those laws to frontiers for which they may or may not be suited, have been busily at work. Cases filed in the wake of data penetrations have established that if a company is arguably negligent in its data security policies, and a plaintiff suffered actual damages as a result of a data breach - whether, for example, as a direct result of identity theft, or from having to take steps to avoid such theft when there is a credible reason to fear that it will happen - the plaintiff has a claim. When the issue of impact can be proved on a class-wide basis without the need for individual fact inquiries, then data breach cases can be maintained as class actions. But when someone has simply been put in fear by the prospect of a breach, and either negligence cannot be clearly shown or imminent damage cannot be made apparent, for example because it can result only from the speculative actions of an unknown third party, then such items as credit monitoring costs cannot be recovered. Just as an aside, there are those who think that the recent Supreme Court decision in Clapper v. Amnesty International, which held that fear of prosecution for material support of a terrorist organization cannot confer standing to sue, somehow raises the bar even further in data breach cases. I am not among them. I think that case is fairly easily confined for policy reasons to the national security category, and is unlikely to have wider ramifications.

Are we notably further along now than we were two years ago when the leadership of the Senate Armed Services Committee figuratively stamped their Buster Browns on the sidewalk and demanded a clear statement of policies and legal authorities? Of course, we are two years further along, and events have a way of not stopping whether we have policies in place to meet them or not. The Chinese are continuing to engage in not only economic but also propaganda and even military warfare over the Internet. They have hacked into the computers not only of private industrial corporations in search of information useful to them economically, but also into the computers of journalists at the New York Times and the Wall Street Journal in search of where those publishers and others are getting their information about China, and what that information is, and into the computers of the Pentagon, which they bombard by the tens of thousands of times each day. Recently, a company called Mandiant issued a detailed report, with which I am sure many of you are familiar, that identifies a particular unit within the People's Liberation Army - Unit 61398, located near Shanghai - as an advanced persistent threat of the highest order - APT1 - and describes its prolific conduct from servers in 13 countries that has managed to compromise more than 140 organizations and shown the ability to steal from dozens of organizations simultaneously and in a coordinated way. For those who have not seen it, I recommend looking through it, although not if you plan to go to sleep soon afterward. We have also seen our own government remarkably, perhaps improvidently, take at least partial credit for introducing a computer virus into the uranium enrichment facilities of Iran, with the result that centrifuges spun out of control and destroyed themselves even as their computer monitors continued to show that the centrifuges were operating normally, notwithstanding that we have also taken the position that if any foreign power acted in the cyber domain in a way that caused physical consequences, we would reserve the right to respond with kinetic force. We have also disclosed recently that the Defense Department will add 4,000 people to Cyber Command, which until that cohort arrives has fewer than a thousand, and that that unit - Cyber Command - will pick up a national defense mission to protect critical infrastructure by disabling would-be aggressors. And there is as well a report that the administration has decided it has the right to strike first when it perceives what it believes is an imminent danger of serious cyberattack on this country. I welcome both of these steps.
As to the first, I recall a meeting with General Alexander, who directs Cyber Command, in 2008, when he said that his mandate ran to the dot-mil and perhaps to the dot-gov segments of the Internet, and that when he saw a threat to the dot-com portion he thought he had little authority to do more than say - to himself and others in the room - "ouch, this is going to be a bad one." It even got to the point where some commentators were suggesting that the government create a secure, closed Internet for those agencies and functions with national security ramifications - sort of an Internet in the fashion of a hospital bed with side rails - and leave the rest for the Facebook and Twitter enthusiasts. I think the impracticality of separating even military and governmental, let alone civilian sites like utilities and universities, made it apparent that that dog simply won't hunt. As I said, the administration's more forward-leaning view of how it must deal with cyber threats is a welcome change. But even as we applaud it, we should be aware of the danger, as was pointed out by General Hayden in an enormously perceptive article, that we are backing into a situation not unlike where we stand in some ways in the war on terror. Just the way we keep getting wrapped around the axle in trying to decide where and how to try terrorists, and are unwilling to take any newly captured ones to Guantanamo, and are torn between civilian courts and military commissions, and cannot bring ourselves to develop a coherent strategy for capturing and interrogating suspects, but seem to have had little hesitation in launching lethal drone strikes, which are much neater and do not present the nasty problem of where and under what conditions and for how long to confine someone, or whether or not to try them and if so in which jurisdiction, so too in the cyber realm we had, as I said, two proposals for giving coherence to the government's approach defeated under attack from both the right and the left. A proposal for sharing of information between the private sector and the National Security Agency was not even considered, and in any event faced the threat of a presidential veto if it passed. The National Security Agency and Cyber Command, both headquartered at Fort Meade, certainly could work out a coherent role for both in setting standards for domestic networks and policing them, but people running around in fright-wigs conjuring images of Big Brother prevent that from happening. I like to think I am as protective of my actual privacy as the next fellow, but I recognize that whenever I venture on the Internet to look at something, or order something, or communicate something, note is taken somewhere and my act frequently generates if nothing else at least an invitation to look at or buy similar things. All of this is fairly harmless; it is generated not by people sitting in offices conducting surveillance of me, but by electrons. So what! 
Our responses to cyber threats, whether those threats are realized in actual attacks or not, will be governed by the same general rules of engagement that apply to the use of conventional force - is the use of force necessary; is it particular to the realized or potential threat; is it proportional - and these standards may even be possible to maintain in the cyber domain, although I would suggest that the shutting down of an electrical system that served a military target but that also served a civilian hospital would present difficult issues, but we want to be able to do more than respond to actual or potential threats. In order to build a robust system that can disclose and discourage threats, or maybe even avoid them entirely, we need a frank conversation about what the government can and can't do. And proactive measures are pretty much off limits for the private sector, in part because of the difficulty of detecting the source of attacks and threats and in part because anyone who considers launching even what looks like a justified countermeasure is at risk of violating the law himself. The danger and the disorder of the cyber domain have caused it to be described frequently as the Wild West, but at least in the Wild West the good guys could also carry guns. It seems that the time is overdue to get a sheriff and an authorized posse, and maybe even a school marm or two to teach us the rules. [Edited from prepared remarks.]

HOW THE ATTRIBUTION REVOLUTION IS CHANGING CYBERTHREATS


Stewart Baker, Steptoe & Johnson, former Assistant Secretary for Policy, Department of Homeland Security

I'm going to talk about the good news here, because I think we are a little behind the times in thinking about some of these cyber problems. There is a revolution going on in attribution, and the Mandiant report is a good example of that, and the revolution, properly understood, is going to change our policy options. The question is whether we're going to seize the opportunity to use the policy options that we are being provided by the ability to attribute some of these attacks that we're beginning to discover. Now, this is from a larger presentation that I do about attack and defense that begins more or less, since every general in the Pentagon seems to be waiting for the lawyers to tell them what they can do before they come up with a cyber war strategy. Well, I've got a JD, so I'll give you a strategy. Let's start with the attack part of our strategy. That's what everybody likes to hear about, and of course the next problem is who we're going to attack, at which point people start to wring their hands and say, "Oh, dear, we don't know who's attacking us! It's so hard, it's so hard!" It's not that hard. That's what we have discovered. As I said to Chairman Rogers, we've discovered that not because the CIA has told us, not because NSA has told us, or DHS, but because brave people got into command and control servers that were owned by the Chinese -- got in and looked around and told us what they found. They found a hell of a lot. They found the hacker's girlfriend's pictures. They found phone numbers and QQ addresses and a whole bunch of stuff that allowed us to determine who was attacking us. That's because it is not possible to operate in cyberspace these days without leaving little digital bits of your DNA all over cyberspace. It's just like Pigpen. We've got this cloud of data falling off us whenever we move around in cyberspace. I should have said this is going to be the "Huffington Post" version of cyber security. You get a little bit of fact and you get a fair amount of opinion and you get a strategic amount of cleavage. [laughter] So, what are these digital bits that we leave behind? Here's one. [laughter]

So this picture was put up on a site of law enforcement agencies that had been hacked by Anonymous. In leetspeak this says, "You've been pwned by wormer & CabinCrew-Love you bitches!" The rest of the picture speaks for itself. It turns out that this was taken with an Apple iPhone. And unbeknownst to the guy who took it, it very helpfully included the geographic coordinates of where it was taken. The FBI went to this suburb of Sydney and as they say, "Obtained a positive identification of the subject." Apparently, the Secret Service is not the only law enforcement agency that's having a great time abroad. [laughter] They then discovered that her boyfriend lived in Corpus Christi, Texas; he is now serving a year in prison for his attack. And just to make this G rated, he has married the subject of the photo. So it's turned out well for everybody. [laughter] That's kind of an unclassified view of attribution. I've been trying to popularize Baker's Law, which sums up the attribution opportunity this way: "Our security sucks, but so does theirs." That's what we need to remember. The hackers are no better at securing their communications and their data than we are, and we know we're bad at it, right? Let's start taking advantage of the fact that we can find out all kinds of stuff about the people who are attacking us.

This creates an enormous set of options for policy makers. Many people know what attribution 101 is. You've got all the people who've been compromised up on that top line. Then the command and control server which tells them all what to do and receives all their reports about the information. Then headquarters takes that information from the command and control and ultimately passes on to some final customer who actually is going to use the information that has been stolen. If we can break down that set of information, we can start penetrating each of those steps along the espionage trail. We can go from attribution to, not deterrence, but retribution.

Come on! That's what we should be doing. We can expose and isolate nation-states, show that they are engaged in activity that will embarrass. That's a great opportunity. We can impose sanctions on spies. Why not say, "We are designating you a specially designated national hacker?" We already have specially designated nationals for blood diamond traders. Really, that is not our most important national security problem. What you have here is a couple of people whose pictures were actually taken with their home PC cameras by counter hackers who were investigating the attack. We can identify these guys and impose sanctions on them individually. This is my favorite story here. One of the hackers actually had a blog. One of the hackers who did the United States government serious, serious damage had a blog that he was running under a pseudonym in which he complained - the site of the "Prison Break" TV series - about how horrible his life was. How bored he was out in the suburbs, and how much he yearned to break free of the prison that his hacking unit had imposed on him. I thought to myself, "Wow! We could figure out who these guys are. They're so bored. We'll offer them a million dollars and an S Visa to come to the United States. The first one gets a million dollars. The second one gets $100,000. The third one gets $10,000. Everybody else gets indicted." [laughter] Prison Break meets prisoner's dilemma. We could do it tomorrow if we had the nerve. We could deny visas to companies who are hiring these guys. We've seen Tencent, which apparently actually hired one of the hackers who attacked United States government agencies. We should be investigating that hacker and saying to the company, "You know, if you want to come to the United States, do business here and have visas to come here, you need to cooperate with our investigation." We aren't doing that, but we could. Then finally, to my mind the ultimate goal is to find the guys who are actually using the data. Governments are not using most of the data they're stealing. They're probably giving it to state-owned enterprises so that those state-owned enterprises can go out and do business successfully in the West -- where we can reach them and prosecute them. If we can establish that a foreign company got stolen information, if we can find that information inside their crappy, unsecured networks we can prosecute them. That will change everybody's view about how much fun it is to engage in that activity.

So, last point. What's the role for private companies? You know how much help you're going to get from the police if somebody steals your bike: They will tell you how sorry they feel about it, and they will tell you what kind of lock you should buy next time for the next bike you own. That is the treatment we're getting now from the FBI and the CIA when they don't have the ability and don't have the resources to help. But the private sector is willing to spend a lot of money to find out who's attacking them. We should help them to get the kinds of information that's necessary to bring a criminal action against the people who are attacking us. That's what we need. Instead, what we're getting, and I think even from Chairman Rogers, is a classic government response. "We can't actually help you with your criminal problem, but we can make sure that you can't defend yourself."
That can't be the right answer. We've got to find a new approach that relies on the capabilities of the private sector as well as government resources.

[Edited from transcript.]
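The photo in Baker's story gave itself away through GPS coordinates embedded in its EXIF metadata. The example below is added by the editor and is not part of any speaker's remarks or materials; it shows, with nothing beyond the Python standard library, where those coordinates live inside a JPEG (an APP1 "Exif" segment holding a TIFF structure with a GPS sub-IFD) and how a publishing pipeline can strip that segment before an image leaves the organization. The JPEG is constructed inline (a valid container with no picture data) and the coordinates are hypothetical sample values, not the location from the story.

```python
"""Read and remove EXIF GPS coordinates from a JPEG using only the standard
library.  The sample image is constructed inline: a valid JPEG container with
an Exif APP1 segment and no picture data (hypothetical coordinates)."""
import struct

# TIFF/EXIF constants from the TIFF 6.0 and Exif specifications
TAG_GPS_IFD = 0x8825                    # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT = 0x0001, 0x0002   # GPSLatitudeRef ("N"/"S"), GPSLatitude
TAG_LON_REF, TAG_LON = 0x0003, 0x0004   # GPSLongitudeRef ("E"/"W"), GPSLongitude
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
APP1, EOI, SOS = 0xE1, 0xD9, 0xDA


def _dms_rationals(value):
    """Pack |value| degrees as three little-endian RATIONALs: deg, min, sec (x100/100)."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    seconds = ((value - deg) * 60 - minutes) * 60
    return struct.pack("<IIIIII", deg, 1, minutes, 1, int(round(seconds * 100)), 100)


def build_sample_jpeg(lat, lon):
    """Constructed sample: SOI + Exif APP1 (GPS tags only) + EOI.  Not a real photo."""
    # Fixed layout, offsets relative to the TIFF header:
    #   0  TIFF header (8 bytes)
    #   8  IFD0: count(2) + 1 entry(12) + next-IFD(4)        -> 18 bytes
    #  26  GPS IFD: count(2) + 4 entries(48) + next-IFD(4)   -> 54 bytes
    #  80  latitude rationals (24 bytes); 104 longitude rationals (24 bytes)
    gps_ifd_off, lat_off, lon_off = 26, 80, 104
    lat_ref = b"N\x00" if lat >= 0 else b"S\x00"
    lon_ref = b"E\x00" if lon >= 0 else b"W\x00"
    tiff = b"II" + struct.pack("<HI", 42, 8)          # little-endian TIFF header
    tiff += struct.pack("<H", 1)                       # IFD0 holds one entry
    tiff += struct.pack("<HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_ifd_off)
    tiff += struct.pack("<I", 0)                       # no IFD1
    tiff += struct.pack("<H", 4)                       # GPS IFD holds four entries
    tiff += struct.pack("<HHI", TAG_LAT_REF, TYPE_ASCII, 2) + lat_ref + b"\x00\x00"  # inline value
    tiff += struct.pack("<HHII", TAG_LAT, TYPE_RATIONAL, 3, lat_off)
    tiff += struct.pack("<HHI", TAG_LON_REF, TYPE_ASCII, 2) + lon_ref + b"\x00\x00"
    tiff += struct.pack("<HHII", TAG_LON, TYPE_RATIONAL, 3, lon_off)
    tiff += struct.pack("<I", 0)                       # end of GPS IFD chain
    assert len(tiff) == lat_off
    tiff += _dms_rationals(lat) + _dms_rationals(lon)
    payload = b"Exif\x00\x00" + tiff
    app1 = bytes([0xFF, APP1]) + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + bytes([0xFF, EOI])


def _segments(jpeg):
    """Yield (marker, start, end) for each length-prefixed segment before SOS/EOI."""
    pos = 2                                            # skip the SOI marker
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (SOS, EOI) or pos + 4 > len(jpeg):
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, off, e):
    """Return {tag: (type, count, 4-byte value-or-offset field)} for one IFD."""
    (n,) = struct.unpack(e + "H", tiff[off:off + 2])
    entries = {}
    for i in range(n):
        at = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[at:at + 8])
        entries[tag] = (typ, count, tiff[at + 8:at + 12])
    return entries


def _degrees(tiff, off, e):
    """Decode three RATIONALs (deg, min, sec) at `off` into decimal degrees."""
    d, dd, m, md, s, sd = struct.unpack(e + "IIIIII", tiff[off:off + 24])
    return d / dd + (m / md) / 60 + (s / sd) / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in signed decimal degrees, or None if no GPS tags exist."""
    for marker, start, end in _segments(jpeg):
        if marker != APP1 or jpeg[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        tiff = jpeg[start + 10:end]
        e = "<" if tiff[:2] == b"II" else ">"          # byte order from the TIFF header
        (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, e)
        if TAG_GPS_IFD not in ifd0:
            continue
        (gps_off,) = struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])
        gps = _read_ifd(tiff, gps_off, e)
        if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
            continue
        (lat_off,) = struct.unpack(e + "I", gps[TAG_LAT][2])
        (lon_off,) = struct.unpack(e + "I", gps[TAG_LON][2])
        lat, lon = _degrees(tiff, lat_off, e), _degrees(tiff, lon_off, e)
        if gps[TAG_LAT_REF][2][:1] == b"S":
            lat = -lat
        if gps[TAG_LON_REF][2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 (Exif) segment removed."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if marker != APP1:
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])                     # image data and EOI kept as-is


if __name__ == "__main__":
    sample = build_sample_jpeg(-33.8688, 151.2093)    # constructed sample coordinates
    print("before:", extract_gps(sample))
    print("after :", extract_gps(strip_exif(sample)))
```

The stripping step is the defensive takeaway: cameras and phones write GPS tags by default, and a web front end or publishing tool that re-encodes images without carrying the APP1 segment forward removes the location leak without touching the picture. The parser is deliberately minimal (it ignores other IFDs, thumbnails and MakerNotes) and is meant to show the structure, not to replace a full EXIF library.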

PASSIVE CYBER DEFENSE AND THE LAWS OF DIMINISHING AND NEGATIVE RETURNS
Steven Chabinsky, Senior Vice President of Legal Affairs and Chief Risk Officer, CrowdStrike, former Deputy Assistant Director, FBI Cyber Division.

It's time we turned our cybersecurity efforts towards "Active Defense." Our current efforts, geared towards "passive" cyber defense, are fixated on continuously monitoring and patching systems. Passive defense does not work and will never work against serious cyber threats. The concept doesn't work well in the physical world and we should expect no different in cyberspace. My talk is about both diminishing and negative returns. I would like to suggest an alternative. I was with the FBI for 17 years, and for the last 15 years the strategy of the United States and globally has been to work with the vulnerability mitigation side. This includes the Department of Homeland Security, for example, and the private sector. And it has really strayed away from the folks who are going after the threat actors: the FBI, CIA, NSA, in conjunction with the private sector. I want to show you why what we're doing isn't working. Why it will never work. Why it doesn't work in the physical world and how we should expect no difference here. It will take just a very brief introduction to a qualitative discussion of risk.

Then we're going to charge through, I think that if the balance is really good, and it's going to lead back to this slide. [A slide from a previous presentation was up on the meeting room screen. It shows the front wheel of a bicycle locked to a rack. The rest of the bicycle has obviously been stolen.] When I say "passive defense," I'm talking about looking at your vulnerabilities. Looking at your defenses. How you mitigate the fact that you are penetrable. Your systems are penetrable. Someone can break in. That's all we keep hearing. There's this focus on the victim. It's absolutely incredible how much cost today is borne by individuals and the private sector in trying to defend their security with little to no return on investment. It's incredible the amount of time, effort, opportunity cost that's going into a failed strategy, and how our response to that continues to be information sharing efforts to do more of it. We keep blaming the victim. So let's talk about this. Risk has three components to it. There are only three levers to all of risk. Threat reduction, vulnerability reduction, and consequence reduction. That's it. There's a classic formula that doesn't do much quantitatively, but is very good qualitatively. It's risk equals threat times vulnerability times consequences. This, strategically, is very helpful to recognize. It's a multiplication, not because you get big numbers at the end which justifies a big budget if you're the chief security officer. That is not the reason for it. It's because multiplication has a quality that addition doesn't. That is, if you multiply something by zero, you zero out the formula. It means that if you could get threat down to zero, it doesn't matter how good vulnerability or your consequences are because there's no risk. And that plays its way out. Bring all the vulnerabilities to zero. Makes no difference how big a threat or consequences there would be. Same thing, of course, on consequences. 
What you see in the physical world is that vulnerability mitigation makes really good sense against opportunistic threat actors. Meaning they don't care if they target you or they target someone else. So, you lock your door, you don't keep your keys in the car. Because if someone wants to break into a house, they won't break into your house if you have a decent lock. If someone wants to steal a car, they might not steal your car if someone else has the keys in their car. But what's very interesting is as soon as there's a targeted attack -- meaning that it's not the same to the bad guys -- it's not a crime of opportunity. They want you. They want your house, your place of business, your intellectual property, which is not fungible. You will find that in the real world, we move to threat deterrence. We put alarms up on houses and businesses. We put cameras up. What those say to the bad guys is the following, "We're not going to spend any more money on vulnerability mitigation." We're not going to try to make it so that we have doors that you can't break into, windows that you can't open and you can't smash through. So that you can't dig a tunnel through the ground, that you can't rappel through the sky to get onto my roof. Forget it all. We're going to concede this ground to you. You can break in, but now it's not about me anymore. Now it's about you. I'm going to put up an alarm now. I'm going to put up a camera. I'm going to detect who you are and we are going after you now. It's threat deterrence. When you're monitoring something, if the alarm goes off at 3:00 in the morning and the monitoring company calls you, they say, "Sir or ma'am, your front door was just broken into, but don't worry. We have the locksmith on the way." How absurd! We've got the police on the way. In cyber security, that intrusion detection system is going off every single minute and the response has been to send a locksmith. How absurd! It's absolutely ridiculous. It doesn't work. It will never work. It will never work against targeted attacks. We have none other than the National Institute of Standards and Technology that stated to chief information security officers, "you will get so many alarms that you're just going to have to prioritize which ones you need to look at." Can you imagine the world where if you had cameras and alarms and you call up the police and you say, "Well, there's one guy that came to my house, he's got a chain saw. The next guy had a rifle. The next guy had a battering ram." They say, "Well, which one would you like to look into?" That's if they're even talking to you at all. The shift, this notion in cyber that we've decided that it's about vulnerability mitigation and we've given up on threat deterrence is absolutely why we're in the state we're in. 
Sometimes you cannot build the defenses that are necessary. You hear the statements that everybody is being intruded upon, small, medium, large businesses hacked. Google, Microsoft, Apple, Facebook, RSA. If these guys can't keep the bad guys out, where does that leave most of our country? We've got dissident groups, newspapers, small and medium businesses, which, by the way, do most of the research and development in this country. They're all being broken into, left and right. For some reason, we keep telling them, "You know what the government's role is going to be? To give you more information to better protect yourself." It will never work against targeted attacks. It can't work. But they keep putting in more money without return on investment. That's called "diminishing returns." What are negative returns? Negative returns are when you actually make the problem worse by your reaction. That's what we're doing here, because every time we have our businesses spend more money on security against targeted attacks and raise the bar to this level, guess where the well-resourced, very capable organized crime groups and nation-states bring the threat? To a higher level. It's very inexpensive to create a better offense than a defense in this dynamic area. It would be similar to thinking about this building and how expensive it would be to create a 20-foot brick wall around this building. Think about how much money that would cost, and how cheap it would be for me to go to Home Depot or Lowe's (I don't have sponsorship yet) to buy a 30-foot ladder? That's what's happening every day. We keep going to industry. I'm talking about regulation. They're asking, "What's the incentive for people to follow a framework of regulation?" The incentive would be to show that it works. The incentive's not tax incentives. The incentive is to actually show that the security actually will keep out persistent actors, but, barring that, we're having all types of crazy discussions. Sometimes you need to go after the threat, and that's where Stewart Baker's point goes in. We have a resource in this country that is not being used for threat deterrence. It's called the private sector. When you talk about the private sector doing anything other than vulnerability mitigation, people start getting anxious. They start talking about vigilantism. That's nonsense. Forget vigilantism. Forget retribution and retaliation out of the private sector. The private sector can do a lot hand in glove with the FBI, with the military, with the NSA, with the CIA, in ways that are quite stabilizing, that are not retribution. We know what that looks like in the real world. 
We know that if you're on an airplane and someone is charging the cockpit door there are three ways you can respond. You could sit in your seat and do absolutely nothing, and you can have this conversation with yourself. You could say, "My lawyer--I'm actually not really afraid of that guy--but my lawyer said, 'If I tackle that guy, it's assault and battery. If I then hold him in place, it's a kidnapping,'" which is all true. So better not to act in that circumstance. Unless you think -- that this is just an example -- "That's different. That's defending life." Same thing is true if there was a purse snatcher who's running down the street and someone yelled, "Hey, stop that guy! He's got my purse! He's got my wallet!" Same thing. You could see everyone just standing there. That's not civic responsibility.

Then you have the opposite end of the continuum, where everyone says, "Hey, this is a good time to beat somebody up!" You run after the guy, charge him, you get him, you kill him. That's it, and then you leave. Both of those are wrong responses. The center is where you need to be, where people stabilize the situation, because sometimes the private sector is the only one with the capability, resources, nimbleness. The fact is that they are on scene more likely than the government. The fact is that in our country, we don't have our government everywhere. They [the private sector] are on scene, and they can stabilize the incident. They hold the person in place. They return the property, and then they hand the guy over to law enforcement. We know that's how it's supposed to work. But we haven't been able to bring that into this cybersecurity world. Until we realize that at the end of the day, when you're talking about advanced threats, it is about threat deterrence. When you talk about advanced threats, putting more money into vulnerability mitigation is escalatory and has negative return. The private sector in our country, especially when you think about transnational businesses, they have the resources, the capability, the global reach, but are lacking clear authority. The government has clear authority, but is lacking the resources, capability, and global reach. These two sectors have to work together. We've got to change this paradigm. A colleague of mine, Melissa Hathaway, recently writing in Georgetown's Journal of International Affairs, started with a quote from Darwin, which I thought was very important. Sometimes you have to go back to the basics. If I were to say "Survival of the ...," you'll all say "fittest." That's how you're all going to fill it in, and we're all wrong. It's not the fittest that survive. It's not the strongest. It's not the wealthiest. It's not those who think they're the smartest. It's those who adapt the best. 
We keep applying the old failed models and putting more and more money into them thinking that somehow will make it better. We've got to change this paradigm. We've got to right this risk model. We've got to forget about adding more costs to the victim. We have to stop blaming the victims for their security. They're not to blame. The bad guys out there are to blame, and we've got to shift toward threat deterrence. [Edited from transcript.]

RETALIATION IN CYBERSPACE: LESSONS FROM THE HISTORY OF WAR AT SEA


Jeremy Rabkin, Professor of Law, George Mason University School of Law

Attorney General Mukasey said at the beginning of the panel that the Obama Administration is basically down to threatening retaliation. That the Obama Administration is threatening retaliation is our only response. I have to say "if only." [laughter] And then just now, Steve Chabinsky said, "Forget about retaliation. Forget about retribution." Wait, no. Those are good. I don't want to forget about them. I don't mean to disagree with proposals from anyone on the panel. But I do want to broaden the range of options on the table. Two years ago the then vice chairman of the Joint Chiefs of Staff, General Cartwright, was testifying before Congress on this issue, and he said, "Well, if it's OK to attack me and I'm not going to do anything other than improve my defenses every time you do attack, it's very difficult to come up with a deterrent strategy." Right. So then after that, people made a fuss. I think probably Congressman Rogers was one of them. In the 2012 Defense Authorization Act, the House put in this line: "Congress affirms that the Department of Defense has the capability and upon direction by the President, may conduct offensive operations in cyberspace to defend our nation, allies and interests." That was really good. And then the Senate said, "Wait. No, we can't just say that. We've got to add, 'Subject to the legal regimes the Defense Department follows for kinetic capabilities, including the law of armed conflict.'" So now we're having this debate about the law of armed conflict. What does it allow? Most of the time when people say "the law of armed conflict" they are thinking, "Oh, the Geneva Conventions. Oh, what the Red Cross says." Pretty much the Red Cross view of the law of armed conflict is this: it's how Switzerland would have fought the Second World War--if it had actually been fighting. [laughter] Or they mean that utopian fantasy from the aftermath of the Vietnam War, Additional Protocol I to the Geneva Conventions. That basically codifies the restraints that the Third World wanted to impose on the armed forces of the West: if you must fight, don't hurt anyone. That gave us what's now seen as the most fundamental principle in the law of armed conflict -- I'm not making this up -- the "principle of distinction," which is when you do engage in armed conflict, you must only target "military objectives." You must do nothing to hurt civilians or "civilian objects," otherwise known as "stuff." I won't give a long presentation on the history of war. Let me just remind you that the history is different from this theory. Actually, unlike Switzerland, we in the United States were fighting in the Second World War as also the First World War. And we didn't actually fight those wars by Red Cross rules. It's in the First World War that we launched this phrase, "economic warfare." The Allies implemented that by trying to stop anything from going in or out of German ports or neutral ports where, if cargoes were landed, things could be shipped by land to Germany. We did not think, "Well, this blockade will only hurt the German military." We very well understood the blockade was squeezing the German economy. 
We knew it would affect German civilians. We did that deliberately. The term "economic warfare" arose in the First World War, because that sort of comprehensive blockade was more ambitious than blockades in previous wars. But striking at the enemy's trade was not a new idea. In fact, you see the earlier idea in the United States Constitution. It's totally forgotten now. It ought to be remembered. There's a provision in Article I, Section 8: Congress has the power to declare war, but then it also mentions "and to grant letters of marque and reprisal." They list that as something separate. You don't need to be at war. You can grant letters of marque and reprisal separate from a declaration of war. Why letters of marque and reprisal? Because the Framers already had experience with this tactic.

It really hurts your enemies if you hit their commerce. And if you don't have the wherewithal to actually fight his army or even his navy, you just authorize private ship owners to go out and attack the commerce of your enemy. Who were the private ship owners they authorized to do this? Well, some of them were people just engaged in commerce with their own ships, who could mount guns on these merchant ships and turn them to attacking enemy merchant ships. Others had more immediate experience. They had previously been pirates. But the point is we gave them a license and said, "Go to it, attack the enemy's ocean commerce and you will hurt them." The reason why the Framers had this very tactic in mind when they drafted the Constitution is that the colonists had embraced this tactic during the American Revolution. We didn't have a navy. We still wanted to hit back at Britain. John Paul Jones, hero of the navy, was basically raiding British commerce. He was mostly not fighting British warships. He was mostly attacking British commerce, which is a way of saying to the British, "Do you really want to continue this?" Now, let me just add a few quick things and I'll be done. I am not saying everyone ought to be allowed to hit anything and everything. I'm saying we should think more imaginatively about what targets are reasonable to strike. We certainly don't want to risk killing a lot of people. But there's no good reason why we shouldn't use cyber attack to damage a lot of property, especially in retaliation for enemies who have already done that to us. It is insane to allow the Swiss to tell us how we fight our wars, and it's doubly insane to have the Swiss tell us how to fight cyber conflict, which mostly won't rise to the level of war and is something Switzerland knows even less about than actual armed conflict. At present, though, there are a whole lot of people writing about rules of cyber conflict and many of them are not Swiss. 
It was mentioned earlier that Estonia freaked out when they had a series of cyber attacks a few years ago. They complained to NATO and NATO leaders said, "Well, we can't retaliate but we've got to do something to show concern." So they cranked up a study. There's a NATO "center of excellence" in Tallinn. They recruited NATO experts on the law of war. They're all lawyers. Some of them are very serious people. I don't mean to denigrate them, but they do what lawyers do, which is think up objections to doing anything. So they have produced a 200... Steven Chabinsky: I object to that! [laughter] They have produced a 200-page manual, the Tallinn Manual, and it takes basically the Red Cross view, which is, "Oh, yeah. Cyber weapons. Yes, of course. But don't hurt anyone. Well, don't hurt any civilians. Don't hurt any civilian's stuff, either. You shouldn't be viewing cyber attacks as anything that attacks commerce." This, I think, really makes no sense.

I want to mention two things. One, we still have the idea that in a real war, we would use the navy to impose blockades. That is in the U.S. Navy Commander's Handbook. We don't even now follow the Red Cross view of the law of war when it comes to planning naval actions in war. Is cyber more like naval war - where we disrupt the enemy's trade and communication, without exempting commerce just because it's owned by civilians? Or is cyber conflict more like a land war, where we send tanks into enemy territory and then say to enemy civilians, "Stay out of our way and we'll stay out of yours"? I say it's more like naval war, so what is permissible in naval war should be applicable to cyber conflict. And the second thing I say is we all should learn from history. Letters of marque and reprisal didn't even start in the American Revolution. The practice started centuries earlier, when medieval kings said to merchants, "Oh, foreign raiders took your stuff? Sorry. But our barons aren't equipped to get it back for you. And we don't have a real navy, either. So you have permission to attack the foreigners and get your stuff back yourself. And by the way, if you can't find the actual person who took it, take it from someone else of the same country, and then they'll get the idea not to allow their people to do this." What a great tactic that is! [laughter] We should be thinking about that. Not anyone attacking at random, but people who come to the government and say, "I have some idea who this is." We should have some procedure to authorize counterattacks. At the very least, to authorize counter-hacking which would otherwise be illegal, such as hacking to find out and detect exactly who launched attacks on our systems and why they were doing it. Stewart Baker's account of hacking-back--that was all fabulous. But I'm relieved those people haven't been noticed by federal prosecutors, because what they did is now illegal, I believe.
[laughter] So we ought to have a way to authorize these things and say, "You're authorized to do this kind of thing under these limits and good luck to you. If you enrich yourself, that's fine, because people need incentives to fight and fight hard." This is why letters of marque are provided for in the Constitution. And that provision really worked well when it was used - in the quasi-war with France in the 1790s and in the War of 1812 against Britain. Finally, I want to mention this last fact, a fun fact. The National Security Agency is supposed to be responsible for our cyber strategy. The head of NSA is also Commander of Cyber Command. I don't know what they're doing exactly. But I know that Symantec, a private computer security firm, has an annual budget that's about the same as the NSA's. And Symantec is just one company out there. There are a lot of others thinking about cyber defense. Microsoft, which has been somewhat active in this field, has annual revenues that are ten times the annual budget of NSA. So there are vastly more resources, not just in the private sector, but in the private cyber security sector. We do rely on private security elsewhere. There are now more private security guards, actual hired human beings with guns and such, than there are public police in all jurisdictions in the United States. We should find ways to encourage many more cyber security activists to get involved--probing, checking, investigating cyber attacks. And then authorize some in some circumstances to engage in retaliation. Or at least help the government to find targets. I agree with my predecessors on this panel--we can't rely on government to do all this by itself. My main point is, we didn't start out thinking we could put all our trust in government, even in serious conflicts with foreign powers. We should remember that--because we seem to be facing serious conflicts in cyber space now. [Edited from transcript.]