THOMAS GJELTEN: So I'm Tom Gjelten and I'm a national security correspondent at NPR. And I do a lot of reporting on issues in the cyberdomain. So it's a privilege for me to be able to moderate this discussion today and help introduce this important report. You know, I've been to a lot of these CFR meetings. I usually get stuck way in the back somewhere. And one of the special privileges of being the moderator is you get really a front-end seat. (Laughter.)
You know, it's become a cliche to say how revolutionary the development of the Internet has been, how it's transformed communication, commerce, political organization, crime, intelligence gathering, even war fighting. And this development has occurred so fast that governments, lawmaking, our institutions have not had time to adapt to it. And this lag, this developmental lag, of course, has been accentuated by the very decentralized nature of the Internet. It hasn't needed any superstructure to evolve.
But a technology this powerful will inevitably attract the attention of regulators, legislators, governments -- especially those with authoritarian inclinations, and that makes it all the more urgent that we think carefully about how to defend the Internet. We're at this critical moment, and the Council on Foreign Relations should be commended for focusing on this issue at this time.
And speaking of this time, I mention that, for the benefit of my fellow journalists and for people watching on C-SPAN and those of you in the room, I am going to make sure that we at least touch on some of the current news, ranging from Ed Snowden's revelations to the U.S.-China Summit that just concluded in California -- both of which raise issues that are relevant to the material that we're going to be discussing today.
You're all familiar with the two co-chairs of the task force. John Negroponte has one of the most distinguished records of public service in America today, having been ambassador to the United Nations, a director of national intelligence and deputy secretary of state; and Sam Palmisano knows something about the technology world, having served as chairman of IBM. And I just found out today that Sam has been, over the course of his career, to China 35 times. So he can lend a lot of expertise when the issue of China comes up. And we have Adam Segal, the -- who is the director of this task force, and Adam is one of my own go-to sources for all things related to China and cyberissues generally.
So welcome to all of you. And I'd like to begin with each of you sharing sort of your favorite point that you have taken away from your deliberations on this task force. One point that you would like especially to drive home to this audience with respect to this task force, let's begin with you, Sam.
SAMUEL PALMISANO: Well, I think the most important thing that I took away from the taskforce is what the origins of the history of the Internet are and how, I think, in many ways applies to the future. Because the Internet itself is open and collaborative as a technology. So most technologies, if you look at their origins, were created by an individual company, and that company did very well economically during that period of time and then governments got involved. IBM's history got a thing called the mainframe. Microsoft, you could argue, was client-server model, et cetera, et cetera. It happens with a lot of technology.
But the importance of the Internet, it was open, collaborative. Academia, key government agencies, industry worked together. And there are informal groups on standards and compliance and the like and that everyone complies with.
But I do -- I mention that because as the task force recommends, as you try to defend this model, the key to defending the model is the open dialogue and collaboration. If you shut down the dialogue and the collaboration, you run the risk of balkanizing this wonderful technology. And obviously there's trade-offs in any of these discussions, but the task force came to the conclusion that we need bodies to steer but not necessarily overcontrol.
GJELTEN: Ambassador Negroponte?
JOHN NEGROPONTE: Well, I guess one of my takeaways from this exercise, as I reflected on the different challenges we face in defending the Internet -- and I think this is a great title, by the way, and we got that kind of feedback from others that we visited around town -- is that however technical the -- and scientific the Internet may be, that in the end, geopolitics also has quite a bit to do with all of this and that some of the problems we -- in fact, all of these topics, open, global, secure and resilient have a political and an international dimension to it, not the least of which is a subject you promised us that you would come back to later on in the conversation. So I guess that would be my main observation, that there is a significant international and geopolitical dimension to this. It's a very powerful technology.
ADAM SEGAL: Well, after struggling over all the recommendations in this task force, I will take the view of a parent, which is, I love all the recommendations equally. (Laughter.)
But I will say, what I -- what I think is most interesting for the report and for the task force and for the council more broadly is that there were lots of players that came up in the writing of the report that the council normally doesn't think about. Private companies we talk about, but individual users -- users in other countries -- think tanks in other countries that are helping shape the Internet there, and a whole, actually, age cohort, right? We were -- we were very underrepresented on the task force -- in fact, completely underrepresented with anyone between the ages of 20 and 30, right -- so the main shapers of the -- of the task force of the Internet and moving forward.
So how do rethink what traditionally for the council has been a very simple problem of who do we talk to? Will you talk to the Ministry of Foreign Relations? You talk to the Ministry of Defense? How do we think about -- how do we address these new constituencies, and how do we think about how this -- most of the users coming online are going to be in the developing countries? How do we reach out to them?
GJELTEN: I'd like to sort of unite some of the points that you've all made. One of the promises, it seemed to me, of your report, is that we can defend the Internet. And Sam, as you said, this was a technology that originated in an open system. It originated in the United States. U.S. agencies had a tremendous amount to do with it. But now, given its power and its reach, is it presumptuous for you to think that we here in the United States can devise policies that are going to defend the Internet? As Ambassador Negroponte says, we're now talking about something with tremendous geopolitical and international ramifications. Is it going to be up to us to defend the Internet?
PALMISANO: Well, I think the way we should think about it is, first off, who -- you need a role in the defense of Internet. So who could lead in the role? And one of the things we recommend that if you're going to be credible in leading in the role -- because you'll be one of many members participating just like we do in the engineering side of the Internet. So if you're going to be credible -- if I draw the analogy to the engineering -- if you're not capable of engineering, it's hard for you to have a role in the participation of the standards or the evolution of the standards.
So if you or a government -- if you're not credible, right, it's going to be hard for you to lead or to convene, you know, people that think your way, to have influence. And so therefore -- and we recommend this in the report -- that if the United States wants to assume a role of leadership, it has to lead itself first before it worries about leading the rest of the world. And there are lots of recommendations in the task force about what we should be doing here domestically to take care of our own role, and then hopefully convince, conjole (ph), persuade countries and leadership that think the way we think, that align with our interests to come along with us.
I think it'd be very, very difficult in today's environment, given the nature of the -- just the technology itself, for anyone to control it. It's just pervasive now. It really touches everyone everywhere, even in governments that tend to be more authoritarian and restrictive. They have great challenges from their perspective in managing the technology, so it's gotten to that point where it's been part of the world's ecosystem of how the world functions. But I also think on that line, there is lessons of history.
And what -- and you have lots of immature technologies that, when they become pervasive and touch society, governments have a role. If you go back to the origination of computer science and computing, or mainframes, you know, at some point in time, when you began so -- such a large participant in society and the economy, in IBM's case, both the Justice Department and the EU decided they had a role, right, as much as Watson -- you know, the Watsons founds that offensive; it happens all the time. PC, it happens all the time.
So this is -- I know it's -- this is broader in many ways, you know, because there's billions of users on the Internet. There's 450 or 500 million users of PCs. There's billions of users of mobile phones. So in many ways, it's much more pervasive, but it has to follow a similar pattern. So if you're going to be a nation that wants to have a constructive role in persuading others to conform, comply, collaborate, you need to kind of lead yourself first. And we recommend that in the task force.
GJELTEN: Well, let's put this in as -- keep this in practical terms as much as possible. Ambassador Negroponte, I don't know if you've been following the debate at the United Nations over the last -- going back almost 20 years, right, over what the international role in governance of the Internet has been. It's been quite a -- it's been quite a tussle, hasn't it?
NEGROPONTE: Right. And there's been pressure from parts of the international community to make the Internet -- try to bring it into some kind of a top-down governance approach. We've, I think, until now, successfully resisted that. And there is still acceptance of the existing mechanisms of governance of the Internet. But I think we're definitely under pressure. And that's one of the points that the report refers to.
We're under pressure to broaden the participation in that governance. And I don't think that's hard to accommodate. And as we speak, there are steps taken daily to do that, to bring in more third-world participants, to empower and enhance the capabilities of other countries to benefit from the Internet.
But I think the idea of multistakeholder, basically bottom-up kind of approach to the Internet is still intact, although under some threat from this very phenomenon that you talked about.
GJELTEN: How do you empower those stakeholders to assert their stake?
NEGROPONTE: Well, I -- one of them is to increase their capability so that they can use and understand the Internet better. I think that's probably as important as any. The other is, I think you'll see, around the world, as our societies move forward, a growing middle class everywhere around the world, including a place like China which is, at the moment, pressuring for greater control of the Internet.
But I think they have -- and centralized control -- but I think they have elements within their own society that get it with respect to the Internet and its freedom and its importance to the realization of the potential of human beings and of business enterprises who will be a force that are more aligned with us, shall we say, than they are with their own government in the future. And one can hope -- one can hope, reasonably I think, that eventually that point of view will prevail.
GJELTEN: You know, in August of 2009, the six member states of the Shanghai Cooperation Organization -- that's Russia, Kazakhstan, Kyrgyzstan, Tajikistan, Uzbekistan and China -- approved a(n) accord talking about information war. And they defined that as a confrontation between two or more states in the information space, aimed at undermining political, economic and social systems, brainwashing to destabilize society and state.
So I think that is a good indication of the way some authoritarian governments see some of the exchange of information. They really see the -- you know, the Soviets used to talk about something called ideological aggression, but isn't this -- Adam, isn't this the background of what, you know, advocates of free and open Internet are up against, these governments that see free and open communication as potentially subversive to their interests?
SEGAL: It is. And it's been one of the problems -- one of the reasons why we've had such difficulty finding common ground with the Chinese and with the Russians because, as you pointed out, they talk about information security, which is the protection of these information spaces. We focus on cybersecurity, the protection of networks and routers and all these other things.
There does seem to be some slow progress on that front, though. I think if you look at the Obama and Xi summit, the take-away is the kind of agreement that we do need some norms and rules of the road as we -- as we move ahead. And also this weekend at the U.N., it seems as if the Chinese have finally agreed to consider that the laws of armed conflict and international humanitarian law will apply to cyberspace, so --
GJELTEN: Right, something they've resisted for a long time.
SEGAL: Something they've resisted for 14 of the 15 last meetings. So the fact that we're getting some agreement there suggests that we can temporarily put the information security, cybersecurity things to the side. But it's clearly one of the main motivators for China and other authoritarian states.
GJELTEN: Sam, have you seen a big evolution in terms of the way China is willing to talk about the Internet security issue?
PALMISANO: Yeah, I have. In fact, I was just there three weeks ago. And I was there with the State Department this morning. I was talking to Bob Hormats, my old friend. And in -- just to kind of exchange notes. And we both were seeing a similar change with the new government being formed. And it's very logical.
I mean, if you -- and you -- when you look at the challenges of the new government that's being formed and their necessity to expand beyond their regional economy -- you know, the 7, 7.5 percent GDP growth is not enough to maintain employment at the levels they think are societally acceptable. I mean, probably very good by our standards, but by theirs, not acceptable.
And so fundamentally the way that they can solve that problem is to engage the world economy, not just as a manufacturing hub, but truly engage the world economy. As they think about engaging in the world economy -- and I had these conversations three weeks ago -- that means they need to be more innovative, they need to be more creative. Oh, by the way, that means -- called intellectual property. I means sell through the Internet technologies.
I met with a state-owned enterprise. It means you don't like being hacked either, right, because if you have -- you know, who do they hack, the guys with the money or the guys with the IP? I mean, why else would you hack someone else, other than for national interest, right? So you either want the money or the intellectual property or you have some other purposes that John's the authority on more so than I. (Laughter.) I'm the economic world.
NEGROPONTE: Which I was happy to speak about very freely. (Laughter.)
PALMISANO: I'm with you. I'm the economics side of the -- this. No, but -- so you -- we met with a lot of the folks. And you saw this change very, very quickly. And I think -- so therefore, you know, I would think of it as, having been there many, many times over the past 30-35 years, I would think that this was an opportunity to engage. It's not now the opportunity to hold back or be cautious.
Now's the time to engage in these dialogues and these discussions and put things on the table that are in mutual self-interest of both countries, not just in one party's self-interest because, needless to say, like in any negotiation, if it's one-sided it really won't go anywhere. But if it's mutually beneficial, then I believe there's a chance for progress.
I was -- I came back and I -- as I mentioned to my good friend Bob this morning -- I was -- I was stunned, because I was just there June -- you know, and the old government was still in power last June. And so the difference is rather dramatic. And you can see it not only in meetings with the government, you see it in meetings with the leading academic organizations. You can see it with the state-owned enterprises. You can see it with what they call the POEs, the privately owned enterprises.
So there's been a very spirited and enthusiastic discussion on why they need to engage the world economically. And then therefore, that lends to some of the things -- I think it lends to a forum to have a discussion to address some of the concerns.
GJELTEN: Well, I'm curious how much leverage that gives the United States and other countries. I mean, for -- just to take one example. China appears to be very anxious to invest in the United States.
PALMISANO: Yes, they are.
GJELTEN: We just saw this example in Smithfield Foods. And I was -- I saw a figure the other day that it's -- Chinese investment in the United States is now something like five times what it was just five years ago.
PALMISANO: Of a very small base, but yeah, right.
GJELTEN: Of a small base, but still, does -- but each of those Chinese investments, or most of them, have to be approved before they can go forward. Does this give us some leverage? Could you, like, incorporate, you know, some demand that China respect intellectual property as a condition of particular investments?
NEGROPONTE: Yeah, but I mean, why don't we broaden the question for a moment and make the point that this has to do, in a way, with what kind of world and what kind of relationship the United States and China are going to have overall if you look ahead 10, 20, 30, 40 years. Do we want it to be some kind of a zero-sum game, ala the Shanghai Communique that you referred to? Or do we want to look for the sum and -- summation of what we can contribute to each others economies on a collaborative basis?
I mean, it's a really a kind of a fundamental question, whether you're talking Internet, environmental issues, the world economy, whichever, because if we have -- and Henry Kissinger raises the point very often -- what kind of world order are we going to have? If we have a divided world order of some kind, you can see that it's going to lead to no end of complications and neither side is going to be able to fully realize its potential.
So I think what -- the encouragement I take from the meeting between the two presidents this past weekend is it seems to me there's a search on to find a way that we can work together collaborativly so that we can, each of us, most fully realize our potential.
GJELTEN: Let's talk now a little bit about some security issues, which are really tough ones. You know, all of you who are familiar with sort of the history of Internet policy are familiar with the attribution problem, the problem when you're -- when you're trying to defend against cyberattacks, the difficulty of identifying the source of attacks. This is what's called the attribution problem.
And the former director of national intelligence Mike McConnell said he favored reengineering the Internet in order to make it possible to attribute attacks more carefully. But if we talk about other governments -- China, for example, or Russia, or any other government -- do we want them to be able to attribute activity on the Internet, or that going to jeopardize the anonymity of Internet users? I mean, isn't this kind of a two-edged sword?
SEGAL: It is, and I think -- (laughs) -- the report is clearly cognizant of that trade-off, right? We talk about -- you could identify everyone, and then you'd reduce anonymity and you'd probably, perhaps, reduce the possibility that something like Tunis or the Egyptian spring or other types of events would occur.
GJELTEN: Because those guys would not be anonymous anymore.
SEGAL: They would be -- they would not be anonymous. It does seem to be that attribution is perhaps less of a problem than it's always pushed out there to be, right? So in the sense that General Alexander and DNI Clapper both said, well, for a major attack, something at the level that was widely disruptive, that was going to take out the power grid, there are only a few actors that could do that -- nation-states, probably China, Russia and couple others. And in those cases, we would have a pretty good sense of who would do those attacks.
The more challenge becomes everything below that threshold, which is most of what we're seeing. But clearly, the Defense Department wanted to send the signal that we're getting better at attribution when Secretary Panetta made his speech last fall where he said we're getting better at it. And that was clearly, probably, targeted to the Iranians for these attacks -- for distributed denial of service attacks and other disruptive attacks that are below there.
But I think you're exactly right. We don't want to live in a world where everyone is completely known on -- in cyberspace. And the task force is certainly not taking that position, that we're promoting that. We think that, you know, the U.S. has a lot of gain from an -- from an open Internet where -- that is secure, but where people have the freedom to communicate their ideas and to organize if they need to.
PALMISANO: You know, without having to share all that from an attribution perspective, there are ways to better manage threats or issues when they occur. There are much better ways to do it than we do today here. And there's a term we call information sharing, which is in the recommendation.
Because if you look at the major participants -- major participants in the Internet -- the technology companies, the communications companies -- I mean, they see these patterns well in advance of, perhaps, it becoming a problem. And if they were allowed to share the information -- with the appropriate authorities by the way, whomever that happens to be, defined by government, and do it in a way where they weren't exposing themselves to any type of legal action, you know, kind of in a constructive way to solve a problem, not that some would call, oh by the way, yeah this problem occurred and they took your credit card so now we're going to have a class action suit against you because you told whomever -- FBI, NSA, whomever -- that you saw this pattern. And so now you're liable, right? I mean, that's why people don't -- tend to hold back, because they're worried about the trial lawyers, quite candidly.
So -- but if there was a way to share that information, because there are people who are seeing the patterns before the problem occurs. And one of the thing we recommended, we called it information sharing, if you would allow the information sharing to occur and, with the appropriate government authorities who obviously have the authorization to participate in this, we could at least anticipate and get ahead of some of the problems.
Back to the emerging countries and the like, we also argue that one way to get them to see it from our point of view is make the argument on economic development. And I believe the study -- Adam, correct me -- that the Internet today is, like, 4 percent of the worldwide GDP, on its way to, say, five or six over the next 10 or 15 years. If they could see it as economic development, right, then they'd be open to ideas of information datasharing so that they could participate in this global economy.
It just wouldn't be the cloud services of an Internet-born company selling to them. They could become the Internet-born company selling to others. So there are ways. You know, some refer to it as economic diplomacy. There are ways to get them to have an interest in defending and making sure it's secure and resilient and dealing with some of the bad actors out there.
GJELTEN: But I think we -- everyone agrees that our online presence right now, with respect to critical infrastructure, is undefended. And isn't it true that private industry has not stepped up -- now, is just a matter of fear of liability -- but isn't it true that private industry has not stepped up to the responsibilities?
PALMISANO: That -- no, that's completely incorrect. Private industry has stepped up, and they act in their own self-interest. That's what private industry does. That's what we do.
So to say that -- I mean, my own company is heavily defended and we spend a lot of money doing it. Now, the question is then, well, how do you think share all that and participate? So now people argue some elements, like the technology industry maybe is more advanced than others -- telecommunications, banking, financial services -- and people do complain about some of the, say, utilities.
GJELTEN: Utilities is what I was thinking.
PALMISANO: Utilities, right. And utilities aren't as heavily invested, right? But the answer then becomes we would -- the task force would recommend you need to put mechanisms in place that makes it in everyone's economic interest for that to occur, not mandate with a heavy hand you must do certain things.
The problem with the mandates, they won't work. For those of us that have been involved in the discussion of the mandates, when you look at it just purely from an engineering technology perspective -- not from a policy perspective but purely engineering, it won't work. And all you're doing is telling the bad guys how to get in. So in many ways it's like giving them the combination to the vault, right? That's what you're doing.
So it's not about -- the reaction to this has been more about if you're going to do something where it's top-down versus collaborative, like the Internet, at least do it in a way that would work technically. And if you could define something that would work technically I think you'd have people that would be open to that. But that's part -- I mean, it's easier said than done, which then leads to -- since it's very hard to do, why don't we collaborate without a heavy-handed approach?
And so industry's argument has been, let's collaborate without a heavy-handed approach. Policymakers sometimes feel that they'd like to put somebody in charge to mandate through either, you know, legislation or executive order, mandate the question that we've asked is, OK, as you see mandate, mandate what, and will it work? Or are you just exposing us to greater risk because you're telling people the combination to the vault, right?
GJELTEN: Well, I'm guessing we'll have some responses to that argument from the audience.
Before we go to the audience I've got to sneak in a couple of sexy questions or I'm going to lose my audience here. (Laughter.)
The task force report advocates -- and I'm going to ask you about this, Ambassador Negroponte, because you're a former director of national intelligence, and directors of national intelligence generally don't like transparency all that much, I think it's fair to say. Nevertheless, your task force advocates more transparency about the possible offensive use of cyber weapons. Are you comfortable with that recommendation?
NEGROPONTE: Yes, I am, because I think what we're saying here is that just like in other types of warfare using other types of weaponry, it's important that there be an understanding of what they can do, how they are used. One of the things we ask in our relationships with other countries like China, for example, is for more transparency in how they prepare their military budget.
I think the greater openness you have, the less chance there is of some kind of miscalculation or misunderstanding, and particularly -- and let's -- there's no doubt about it that the Internet and that cyber is an element -- can be an element of warfare, right? It can be a tool of warfare.
NEGROPONTE: It's a tool of warfare. So just like with other tools of warfare -- nuclear and so forth -- you need to have a dialogue between nations about how they're used, why they're used, even if you want some kind of rules of the road of what's off limits and what's on limits. But I think that dialogue, yes, needs to begin. That doesn't mean that you're revealing secrets about what you know or anything else.
GJELTEN: It just seems to me as a reporter that the U.S. government hasn't been very anxious to talk openly about its possible use of offensive --
NEGROPONTE: Well, but, I mean, there's probably transparency and transparency. One of them is to have this discussion amongst the potential users. And maybe you start small and then you expand further. But, I mean, initially you ought to talk at least among -- I would have said amongst the cyber powers -- China, Russia and so forth.
And also we mention in our report, and we recommend, a cyber alliance. I think we need to work closely with our NATO allies and others, talk about under what circumstances would we use this kind of weaponry, if at all? And again, I think that requires a certain degree of transparency.
GJELTEN: So as former director of national intelligence, how do you assess this cascade of links we've had in the past weeks about the intelligence community's use of surveillance tools to track what's happening on the Internet?
NEGROPONTE: The use of warranted surveillance, completely legal, and not really that new as far as I can tell. I'm trying to find out exactly what's new. There's nothing certainly conceptually new as compared to what we've been doing a number of years earlier.
So how do I assess it? I find it shocking that somebody with clearances and who signs a confidentiality agreement to then turn right around and reveal publicly that kind of information. I think it's utterly reprehensible and I hope the individuals -- individual or individuals concerned get punished for it.
MR. GJELTEN: What's the population of people that have the kind of clearances that put them in a position to disclose information like that?
MR. NEGROPONTE: There's some kind of trap in your question there. (Laughter.)
MR. PALMISANO: He's doing his job.
MR. NEGROPONTE: But, you know, I doubt however many thousands --
MR. GJELTEN: Thousands.
MR. NEGROPONTE: -- of people, or even hundreds of thousands, who have top secret SCI clearances in our government, there aren't necessarily thousands who have access to that particular kind of information. My sense of it, without having inside information anymore, is that that's a pretty darn restricted program and access to it was probably very, very restricted indeed.
MR. SEGAL: I'll just actually --
MR. GJELTEN: Yeah, yeah.
MR. SEGAL: I'll link it to the task force.
I think, one, it echoes to the point that Sam was making, which is information sharing now is going to be a much harder legislative push, right? We clearly -- mistrust of the NSA was high beforehand and it's going to be even higher. So CISPA-like bills are going to be harder to push through.
The second is what we see, especially in China, is an already kind of in-built assumption that U.S. technology companies were in bed with the U.S. government, right? When you read writings from the Chinese about cybersecurity they'll say, well, you know, we are 80 percent dependant on U.S. companies for this and 70 percent on this, and of course these companies all have back doors for the NSA.
So no matter what happens with these findings, that perception is going to be widely reinforced in China. And so their efforts to keep U.S. companies out, to increase procurement standards from U.S. companies to require U.S. companies to reveal their source code, all of that is going to happen. So for U.S. companies abroad, the operating environment is going to become much, much worse.
MR. GJELTEN: Well, we've rambled all over the place in this half-hour, and that was, I think, kind of necessary in order to at least get a little bit of a sense of the sweep of this report, which is really very impressive. But it is your chance now to sort of focus in on issues that interest you.
In particular we're going to invite you now to join in the discussion. We've got microphones. Please raise your hand and then once you're called on wait for the microphone to come to you. Speak directly into it and give your name and your affiliation. And please make it a question and not a speech because I'm sure there are a lot of people that want to take part.
Q: Thank you. Bill Nolte from the University of Maryland School of Public Policy.
I'm intrigued by the title of your report. And my question is, do you see the four adjectives in the report as really being linked to each other in a way that success in one depends heavily on success in --
MR. PALMISANO: -- that would happen to be. So I think they are in many ways connected, and that's how we've thought about it throughout the task force.
MR. GJELTEN: Holding that program up; that was a smart move. (Laughter.)
Q: I thought they'd be attracted to the report. (Laughter.) Alan Raul, Sidley Austin.
I think you did speak about not wanting to mandate from top-down, but do you think the fact that we have not had a comprehensive privacy statute in the United States, the inability to enact cybersecurity legislation and our hands-off approach to the Internet -- which really, I think, has led the world for many years, do you think that creates a bit of a policy void that doesn't let U.S. interests advance as they should be?
PALMISANO: Well, I would start with, we need a strategy. I hate to say that. It sounds so mundane. But what is our strategy, from a perspective of the U.S. national interest? If there is one with regard to the Internet, I've not seen it. I've been involved in multiple committees so I might not be knowledgeable of it, but is there really -- what is the strategy? I mean, in many ways we go to the dark side of the Internet. And clearly privacy is the dark side of the Internet that needs to be addressed.
No one would -- no one would -- I think at least in this part of the world -- disagree with the fact that there are many issues around privacy, not just national security, protection of children and the like, that we need to have policies around. But I would do it in a strategic context, you know, of that, right? I mean, it's not so simple to just say, well, we'll tell kids they can't use it: You can't use the Internet until you're a legal age when you can drink, at 21, right? Then you can use the Internet.
I mean, that's not going to happen, right, but there could be rules of the road, parental guidelines. There's all sorts of things you can do beyond legislation, as we have in drug awareness and everything else, so kids do understand the implications associated with putting all their personal lives up on the Internet, because there are bad people out there.
I think we need a strategy, and that strategy -- many times my -- this is a personal opinion, but -- and we discussed this in the task force -- it gets overwhelmed by national security and underwhelmed by personal and economic interests, right? And we tried to accomplish in the task force a balance between national security and personal and economic interests -- commercial as well.
So we tried to maintain that balance in the recommendations. And I do believe -- because if you err on the side of national security, you can become very restrictive on the open architecture of the Internet, which is not its origin, how it was designed from the beginning.
So we really -- I'd start with the strategy -- now, the reason why, having been involved in some of the legislative debates, that I'm more comfortable with the Internet model versus -- which is open collaboration and people solving the problems in their own in a way that works, but it's in their own self-interest versus the mandatory top down, is because the technology moves so fast, and by the time you get to the legislative process, assuming that it was really good -- so I won't be judged not on how effective our legislative process is, but let's assume that it's world-class, Six Sigma, the best you could have anywhere in the world, right? (Laughter.) Making that assumption you still would be too late. It just moves too fast. So you really can't, you know, right?
I mean, you know, I understand why you could make the argument for political reasons why you need to do these things and do whatever statements or orders or whatever, but the technology is not going to wait and stop. And it's not just going to be done here, you know, because it's done all over the world, and there are really smart people all over the world that are working on these kinds of issues.
So my point being is that's why I really do believe we recommend in way kind of this collaborative structure or center to bring people together. I really find that if there was a set of mileposts, of strategic guidelines that kind of set the rules of the road -- which is I think something that could be done through policy so we know when, in John's world, it's just -- you know, it's an act of war or it's just a minor, you know, offense like minor theft or robbery in the bank -- I hate to say that's minor, but compared to an act of war it's certainly different -- where there were some mileposts or some guidelines where then you could form this collaborative approach, I think there's hope to solve some of the problems.
I really don't think they can be solved legislatively, and I only make the argument as looking at it from an engineering technology point of view. It just goes too fast and the skills are global. So there's almost nothing you can do here to stop it everywhere else in the world. And whatever you do everywhere else in the world will come here because it's an open Internet.
GJELTEN: Yes, sir.
QUESTIONER: Thank you. Davis Robinson, Crowel & Moring, and former legal advisor to the Department of State.
I'd like to ask my old friend John Negroponte, has the Internet made the ancient craft of espionage and counterespionage -- has it made it harder? Has it made it easier? Or has it made it both?
NEGROPONTE: I think it's made everything faster. I think that's probably the one thing that's happened, the rate at which information moves around.
But the other thing I'd say in terms of analysis, which is after all the end product of an intelligence process, you have to look at an awful lot more information. So how do you sort the wheat out from the chaff and distill things down to what you really want the decision-makers to know?
But on balance, I think the Internet and modern technology have made intelligence far better. And I think particularly with respect to the integration of information on the one hand and the ability to use it on a real-time basis on the other, both those key elements of intelligence and of operational activity have been improved dramatically by the advent of information technology and its progress.
GJELTEN: Right here in front.
QUESTIONER: I thought there was someone else.
GJELTEN: No, it's your turn.
QUESTIONER: Diana Lady Dougan, CSIS and Cyber Century Forum.
I can't help but remember -- and I'm going to do part of this to John because we know from past experience that so much is economic and political, not just technological. And so I wondered a couple of things. You've already referenced the fact that you didn't have any young people on your task force. In your report did you make any recommendations relating to getting at the culture of it's cool to hack, and how to get young people to realize that this is another form of stealing?
And the second question is the degree to which you review the many treaties and laws that are on the books related to intellectual property, trade, copyright and other things.
And I would make a third question and comment, and that is, you know, the United States, Canada and Europe, and just a few countries in Asia, walked away, basically, from the agreement in the ITU in Dubai. And so we have a lot of homework, and I don't know what you -- what references you made to that, but that is a really serious demonstration of both our arrogance and naivete.
GJELTEN: But the ITU model -- correct me if I'm wrong -- sort of didn't exactly conform to the multistakeholder vision that you all have advocated, right?
PALMISANO: That's correct, although my understanding is that the ITU agreed, a number of years ago, that we would continue with the current governance of the Internet while we debate these other issues. So I think that's why the current system is still in force. So that would be one point.
One of the recommendations the commission makes -- and, Adam, you may want to chime in on this also -- is that we better prepare for the ITU meetings and do it a little bit more beforehand because the last big session in Dubai we only appointed our delegation head at the very last minute. I gather the next meeting in 2014 will not be one of these large-scale meetings. And we already have the head of the delegation in place in the Department of State.
But anyway, more attention to the ITU and preparation for those negotiations.
Adam, do you want to --
GJELTEN: And, Adam, answer the point also about the cultural issue.
SEGAL: Yeah. So, I mean, working backwards, I mean, 55 countries refused, so it wasn't just us and a handful. It was 55 countries refused to sign. But I take your point. We have more work to do.
And the taskforce suggests a three-pronged strategy, and the first John mentioned, which is engaging the ITU earlier, but the second is to reinforce these multistake mechanisms that already exist to bring developing countries into it -- so the Government Affairs Committee of ICANN and the IGF, the Internet Governance Forum, which are not really being used in the way that they could be because lots of developing countries don't know about them; they haven't sent representatives before; they don't have the resources to go there.
And then a third is to search for an alternative forum, right? So there's lots of people who think there should be discussions outside of the ITU on cybersecurity, where we need to have more development capacity building.
On the young people thing, it is a problem for the council broadly, but I do think we're talking -- (laughter). No offense, anyone in the audience or up here. (Laughter.) But I think two things are going on. One is we do talk about a -- we do identify a hacker ethos but not in the negative way that you brought out, which is everything is free, but in the positive way of let's hack this system and make it better, or let's build something ourselves.
And how do you get those types of people to come do government service, right? How do you involve them both on the defensive side and the offensive side, right, because it's not all just stealing and downloading music. It's also about, you know, the guys who created Tumblr and Facebook and all those things, right? They all think of themselves as hackers, right? You go to Facebook, there's a big sign that says "Hacker" up there.
So how do you get them to contribute? And part of that is we have an idea about a cyber service, right? How do people think of themselves as a kind of esprit de corps elite group that are involved in this government work? But the other is, how can the council engage smaller start-ups in California, in the Washington area, in Route 128, who would traditionally be outside the scope of the council? How can we engage them and have them be involved in these policy decisions?
GJELTEN: I'm curious. Speaking of that hacker culture, I mean, the taskforce is critical, for example, of the development of people that develop and sell zero-day exploits and back doors, but those happen to be really important tools in offensive war, and I happen to know that the NSA is actually looking for people that have those skills. So I'm sort of curious about that disconnect here. I mean, are these people who potentially are really serving the American interest?
SEGAL: Well, I should have added that we actually have a hacker on the taskforce, right? So Jeff Moss --
SEGAL: -- was a hacker. He started DEF CON, which is one of the biggest conferences for hackers. And now I don't think anyone thinks that Jeff Moss is playing a negative role, right? He is the chief of security for ICANN and he serves on the Advisory Committee for the Department of Homeland Security for these exact issues.
I think on the proliferation of malware, we actually see this an interesting place for government-to-government discussions, right, because this is one of the areas where the China and the Russians, at least for malware focused on critical infrastructure, on energy sectors, they don't want these things ending up in the hands of al-Qaida or nonstate actors either. So these are difficult conversations, right, but how can you kind of bring them into this space?
NEGROPONTE: As the NYPD would say, we flipped him, right? (Laughter.)
SEGAL: Yeah, we flipped him. We flipped him.
GJELTEN: Well, you definitely want those guys on your side.
In the blue shirt there.
QUESTIONER: Thanks very much. Peter Evans with General Electric.
I also like the title very much, open, global, secure and resilient. My question is, is how did the council -- the task force grapple with the metrics around that? How do you measure this? And what is the goal for achieving or knowing that you have achieved any one of those points, even if they're, you know, independent of intricately connected? Thank you.
GJELTEN: Adam, that seems like a question for you.
SEGAL: Yes, it does.
PALMISANO: I'll jump in and maybe you can elaborate.
But I would say one of the -- one of the -- I think it's a great question and I think one of the thoughts the council has is to find ways of continuing some of the work that has been launched here, because I think clearly -- right now Adam is the cyber force of the CFR, so the CFR needs to do more work on this. There's obviously need for follow up. We found very enthusiastic response everywhere that we had meetings, including out in Silicon Valley. So I think this is -- in fact, I think you're raising the kind of issue that could be an important element of follow-on work.
SEGAL: Yeah, I don't actually have much -- that's a great point. I think, you know, for open there are places you go to, right -- Freedom House and other places that measure Internet freedom, but secure, resilient probably less so. But that's a very interesting point.
QUESTIONER: Thanks. Doug Mackey, Georgia Institute of Technology, former Australian Department of Defense.
I was wondering whether you think there's any hope for China and the United States to collaborate on global Internet security, and if so, what sort of mechanisms could get that going? Thanks.
PALMISANO: Yeah, I mean, I'll talk to the hope, and maybe my colleague, who knows mechanisms, better than I -- Ambassador Negroponte -- can comment on mechanisms, but I'll give you a few seconds to think about it.
I really do think -- the reason why I think there is hope for collaboration in this area is because of where both countries are at this point in time. I mean, they're at a point where they see the need that in this area there should be some constructive dialogue that they can work together on, that they could, I think, be viewed as leaders of the world, not kind of laggards of the world.
So it's in their interest to kind of come together. And this is something that they could collaborate around, that things like security and privacy are subjects that are very, very difficult to say you don't want, you know, right, and they could make progress.
I also -- as I mentioned earlier, I'll just give one little historic point. You know, countries have had industrial policies ever since countries have existed. This is new. It's industrial policy in the economic sense. And if you look at the people who tried to steal IMB's trade secrets over time, they've moved around the world. You know, I could give you examples of Japan, I can give you examples of Korea, I can give you examples in Russia, and I can even give you examples of some Western European countries but you might find that offensive. (Laughter.)
So what happens, you know, right? All of a sudden those countries emerge and develop economically and create their intellectual property, and therefore, you know, there's not the same goal of trying to take others in that process. So you look at kind of where we are, and this is my sense that if China is going to become more of an innovation economy and not an industrial economy -- I mean, somebody putting tops on bottoms in Guangzhou is not really that unique, right? But if they create some intellectual property around some process that really is that, they're going to have the same goal as all the other peoples who are innovators have. And then therefore there's going to be this natural collaboration.
That's what's happened. You know, IBM is a hundred years old but, you know, I was there 40 before I retired. But if you look at this history of these things that we wrestle with, that's normally what happens over time. GE is older than we are -- I'm sure same observation. Our colleague is nodding his head. So I think, you know, we get to this point, and then you begin too -- through all the WTO, bilateral trade agreements, all those mechanism -- but John is much more expert than I am to comment there.
NEGROPONTE: Well, you asked about mechanisms. Obviously the bilateral one is one different fora, perhaps depending on the particular issue that is before us. For example, one of the recommendations we made in the report is that the stealing of intellectual property over the Internet become a regular feature in future trade agreements, it already is. I mean, there's always an intellectual property chapter, but maybe you can shape them in a little more detail to deal with the Internet. So I think it somewhat depends on the specific issue.
GJELTEN: In the back there.
QUESTIONER: Gregory Ho from Radio Free Asia. This question is for Director Negroponte. Since recently, the NSA lead story, the main character, Mr. Snowden, is now in Hong Kong under China's sovereignty. Since he has great deals of high-intelligence capability, do you afraid that China would -- like the (NYPD ?) do, flip him into helping the China -- (inaudible)? (Laughter.)
And this is the first question. The second one is, do American has the capability, by checking where he is, and have you sent out your guys -- (laughter) -- I mean -- not your guys -- the NSA folks to Hong Kong to persuade him come back to the U.S. instead of turning himself to the Red China? Thank you.
NEGROPONTE: Yeah, I -- first of all, with regard to your first question, I just think we're going to have to wait and see what happens here. The one thing I have heard on the news is -- I've been reminded that Hong Kong does have an extradition treaty with the United States. And one of the things that the -- when Hong Kong became reintegrated into China, it retained many of its own features of local rule, right? One government, two systems, one country two systems kind of approach to things. So I think we'll just have to wait and see how that plays out. But obviously, in the United States -- I just assume that we have a strong interest in being brought back to the United States so he can be brought to justice, and I'm sure we'll do whatever we can to accomplish that.
GJELTEN: Do we have a question that can be answered very briefly? Because we're almost out of time.
Yes sir. Now, you've got to make it brief.
QUESTIONER: Thank you. My name is Pat Contreras, State Department. Looking ahead with the upcoming trans-Atlantic treaty -- the investment partnership that we're going to be engaging in -- negotiations with the EU -- to what extent can we expect cybersecurity and IPR to be involved in these negotiations? Thank you.
SEGAL: So the task force pushes that they should be front and center, that the free flow of data should be an important part of all of our future trade agreements. We do see the emerging cybersecurity standards in Europe possibly being a trade barrier -- a trade -- at least -- not a trade barrier, but at least a -- different trade restrictions in the different constituencies may cause problems for U.S. companies moving forward.
You know, depending on where this NSA thing goes -- you know, what's going to happen with safe harbor and other data provisions -- I did see some stuff from this morning about EU parliamentarians saying we need to reconsider it. So I think those are the issues we're going to have to look forward as we -- as we -- as we go up.
GJELTEN: I think we ought to wrap it up here. We do promise that you're going to be out of here by 1:30, and that time has now come. I'd like to thank our panelist, Adam Segal, who is the project director for this task force, ambassador John Negroponte and Sam Palmisano. Thank you all very much. (Applause.)