Defending an Open, Global, Secure, and Resilient Internet

Thursday, June 6, 2013

The CFR-sponsored Independent Task Force report, Defending an Open, Global, Secure, and Resilient Internet, finds that as more people and services become interconnected and dependent on the Internet, societies are becoming increasingly vulnerable to cyberattacks.

Independent Task Force reports are consensus documents that offer analysis and policy prescriptions for major U.S. foreign policy issues facing the United States, developed through private and nonpartisan deliberations among a group of high-level experts.

ANYA SCHMEMANN: Good afternoon, everyone, and welcome. I'm Anya Schmemann. I'm director of CFR's Task Force Program. And it's my great pleasure to welcome you to this special event today to release the report of the Independent Task Force on U.S. Policy in the Digital Age: "Defending an Open, Global, Secure and Resilient Internet."

This task force was chaired by John Negroponte and Sam Palmisano, who join us today, and was directed by CFR's senior fellow Adam Segal. Cyber issues have obviously dominated the news headlines recently. Cyberattacks are of increasing concern to the U.S. government and U.S. companies, and the United States has broad and significant interests in the cybersphere. The open and global Internet is increasingly under attack from multiple directions, from state and nonstate actors alike.

This task force met over the course of a year to consider the broad range of challenges and opportunities in the cybersphere.

Let me say a few very quick words about task forces before I turn to our distinguished panel. Task forces are bipartisan and independent. CFR takes no institutional position on issues. The task force members are responsible for the content of their reports, and each member participates in his or her own individual capacity. Task force reports are consensus documents, meaning that the members endorse the general policy thrust and judgments reached by the group, though not necessarily every finding or recommendation.

The task force members are listed on the back of the report, and we thank them for their contributions. A number of them have joined us here today, including Elana Berkowitz, Captain Pete Garvin, Eugene Wong, Anthony Lee, Neal Pollard. Thank you all for being here, and thank you for what you did for the report. Many others, of course, were involved in this effort, and I thank all of those who contributed, especially our very hardworking staff. We also thank the Markle Foundation for generously supporting this project.

I'm pleased now to turn things over to Jacob Weisberg of The Slate Group, who will guide our discussion today. Thank you.

JACOB WEISBERG: Anya, thank you. Our panel today is -- needs very little introduction: Ambassador John Negroponte, former director of national intelligence, among many other distinguished titles; Samuel Palmisano, the former chairman and CEO of IBM; and Adam Segal, who directed this task force and is the Maurice Greenberg senior fellow for China studies here at the council.

This is a terrific report, and I highly recommend it to all of you. I have only one stipulation, which is it starts out with an extremely daunting list of acronyms. (Laughter.) And you should skip that because it will put you off a report that in -- once you get into it, is extremely well-read, and put in plain English, which, in this -- in this field, is not a given, as I think especially crucial.

But I want to start out talking about China and cyberattacks, because it's probably the biggest item in the news today. President Obama meets tomorrow with Xi Jinping in the evocatively named Rancho Mirage, California. And I'd like to ask both of the co-chairmen, what should his agenda be in relation to cyberattacks? What should he be asking the Chinese to change or to do?

JOHN NEGROPONTE: Well, let me start by saying, first of all, thank you to Anya and to Adam for having shepherded us through this process. They provided an awful lot of support to the work of the task force. So I think, speaking for both Sam and myself, we're very grateful for that, and to all the other members.

On the question of China and the president's meeting tomorrow, I mean, I think I'd open the conversation -- rather than boom, we know what you've been doing and knock it off, and if you don't, here's the things we're going to do -- I mean, you can have that conversation if you want to, but I think you've got to think through about whether that is really the best way you're going to achieve what it is we want to accomplish, which this report says: We want a global, resilient, open and secure Internet.

And I would say the most important part of that is the open part, the part that involves freedom and the freedom of our companies and our citizens and our people, not only of the United States but of the entire globe, to realize their potential to the fullest. I mean, there's a huge new era here and a huge opportunity presented by the Internet and by modern technology to realize a greater potential for the people of this globe than before.

So my comment to Mr. Xi Jinping -- I would start by saying, look, do we want to have a global order, or do we want to sort of split this place into several different dysfunctional pieces?

And we really feel that we'd being both best served if we try to strive not only in area of cyber but in many other areas as well -- global warming, you name it. There are many global issues.

And so I think I would open with that and perhaps one could get to the rest of the conversation later on. But I think it's do we want to try and work towards a global order where we cooperate together, try to reach some common view of how these issues need to be managed that serves the best interests of us all.

WEISBERG: Some say that we're -- we get agreement on that principle, that the Chinese are carrying out hacks, cyberattacks on the Council on Foreign Relations, on The New York Times, on IBM. I mean, this is a fact of life for anybody who has anything to do with China. How do we get them to stop?

SAMUEL J. PALMISANO: Well, I think the best way to approach it is -- I'm building on what John was saying -- I guess I want to add my thanks to everyone that make the chairs look pretty good in the report, because obviously we weren't the intellectual capital, we were the coordinators, but -- so thank you, everyone on the task force.

But no, I think I would add -- which we say in the report -- you need more of a multistakeholder level of engagement. I don't think the way to make constructive progress is government-to-government only, because you need to be -- have people that have their own self-interest engaged in the process. And if you look at the Internet, it has evolved because there were open standards, there were ad hoc committees, but everyone was acting in a collaborative way around their own self-interest. That became the Internet standard. And there was government involvement, university involvement, presidential candidates claimed that they founded it. I mean, there was a lot of -- (laughter) -- but there was a lot of multistakeholder interest, and I believe that, you know, you need to expand beyond government-to-government, because that has a scope which is necessary but not sufficient to solve the problem.

A lot of the interests are economic. I mean, we talked about cyber Pearl Harbors and things, but a lot of the impact in the short term is economic, and the people who have the most to gain or lose economically is the business community. And if you could expand the dialogue to engage people who have a vested interest other than broad policy debates or an academic point of view, you'll get a level of -- my experience, you get a level of pragmatism that gets to solving problems versus just large, broad debates that always tend to occur in any kind of government-to-government kind of negotiation, because it gets politicized. It's inevitable it will be politicized.

MR. : Yeah.

PALMISANO: And so you don't get to the pragmatic level where you can -- you can agree on standards of information sharing, so that you could see when there are these cyberattacks and both governments could participate in solving the problem versus just sort of making claims to each other in the media.

WEISBERG: So the term "cyberwar" is thrown around a lot, sometimes loosely. Are we right to view this as an issue of war? And should we look at a framework for improving it as a negotiated arms treaty framework? For example, is the -- are -- were nuclear disarmament talks and treaties the right framework to think about some international process for preventing the worst form of cyberattacks, government-to-government attacks?



NEGROPONTE: -- cyber clearly can be a weapon of war. It adds a new dimension. It's considered now a new domain of warfare. There's a command, a new Cyber Command, that's been created. So clearly it's in the arsenal of capabilities that could be used for the purposes of warfare.

But I think in terms of priorities, and I think the report says this also, that's probably not the area of most immediate concern to us. We do believe there ought to be a dialogue on that subject, and that's something that needs to be developed over time as we go forward, but that the more immediate issue is the one that Sam was referring to earlier, which was the theft of intellectual property and that kind of cyberespionage on commercial capabilities.

PALMISANO: And John, I think it's important -- Jacob, if you think -- if you look at the kind of history of industrial policy, you know, IBM's been around a hundred years, and everybody in the world has tried to steal our stuff. So today it's the Chinese. We could take you back to the Japanese, the Koreans -- I mean, we can go back -- way back on this thing. We can go with post-World War II and the Germans. I mean, so we can take you through the world industry of industrial espionage, at least from a technology lens, you know, point of view. And so the point of it being that, what you say, well, how did these issues get resolved?

Now, it's -- I would argue it's easier today than it was back then because of this open access to the Internet and all these documents (doing ?) digital, which they weren't; you know, they actually had to do things like steal your computers and take apart your source code, and they had to real work, versus just, you know -- (laughter) -- you know, real work versus get in there and just go -- get in somehow through your firewall and then just start downloading all your design, or whether its weapons systems; in our case, large supercomputers, whatever.

But the point how they got resolved was fundamentally that the countries got to a point where they had to defend their own intellectual property. They had to cat in their own self-interest. So when they had to act in their own self-interest, collaboration began.

Now, of course, over the interim, you want, as a -- as a -- from a -- from a business perspective, you want to be able to go someplace. You want to be able to go to your government or to your ambassadors or to your -- you know, your associated organizations to support you when people are doing these things; you want to have an international court of arbitration you could go to, which we all had to go to, you know, I -- to get through some of these issues.

But fundamentally, the way your worked your -- over time, how they worked themselves out, they don't occur today -- we're talking about other countries -- because it's their industrial policy. I mean, that's all we're dealing with here on these thefts. This is industrial policy. It is their industrial policy. And I've actually had government leaders when I lived overseas in Asia tell me it was their strategy to steal our stuff, so don't take it personally. (Laughter.) So, you know -- so we would say -- no, I'd say, well, we're offended by that. And they'd say, well, I can understand that, but remember, this is our -- we need to catch up; sounds familiar. I mean, this was 30 years ago. Have to catch up. How can we catch up? You guys invented all this stuff, so we have no choice but to steal it. So anyway -- we engineer it, excuse me.

WEISBERG: So there was -- there was a -- there was a piece in The New York Times in Sunday by former Ambassador Huntsman and Dennis Blair summarizing a report they've just put out on some of these issues, the trade -- stealing trade secrets. And they said, somewhat shockingly, that companies should have the right to hack back. So I wonder if either of you -- well, Sam, if you can tell me what that would mean, and is it a good idea.

PALMISANO: I really don't think it's a good idea. I -- really -- I mean, I don't -- there's an -- when I retired from IBM, there were 207 engineers and scientists and mathematicians. And that's a small little army. I guess it's a few troops, right? We wouldn't want to launch them back, you know. We rather have -- we'd rather have them do the work for the company and not -- get into all these kind of, you know, counterattacks and those sorts of things. And I really don't think it's in the company's interest.

And the other side of side of it is -- I mean, it's not in the company's interest of the people -- we serve our clients, et cetera, et cetera; it doesn't fit in our agenda, let's go attack other companies. But the other side of it, quite honestly, is -- I mean, companies -- we really need a system of rule of law. I mean, we need rule of law. We need international rule of law. We need standards, you know, right? We all have to operate within -- in boundaries. I mean, I understand when you're an entrepreneur, and you hate that. I got it, right? But when you get older, you need it, you know. So it's just a question of -- (inaudible) -- you know, right, you know -- like, health care is more important in my age than it was when I was 20, so it's really relevant now that I'm in my '60s. But so -- but the point being that we -- for the corporate world to function in an international global basis, we need rule of law, and you can't have companies making up their own guidelines, you know.


PALMISANO: John, you probably know more about this.



NEGROPONTE: -- just answer part of that for a second. I mean, I -- also, I mean, I think would add, and I'm sure Sam would agree, that we don't want to delegate as a government this power or function to the private sector and basically leave our relationship with country X, Y or Z hostage to the behavior of people who are not part of the government itself.

But let me just also add, you might ask yourself, well, OK, well, what do we do, constructively, to deal with some of these issues? And I think one of the key recommendations of the report is that in the case of hacking, and particularly of theft of intellectual property, we believe that those are issues that now should become a standard feature of our trade negotiations. It ought to be a standard element of free trade agreements going forward.

And I think that's one area, and it's the commercial area, where we do have a lot of leverage in terms of access to our markets and opening opportunities to other countries to export their goods to the United States. And we ought to find ways to put these kinds of issues right into our free trade agreements.

WEISBERG: So I want to get into that trade issue in a second, but I don't want to let go of the military, government-to-government issue. And Adam, I want to bring you in, in part to represent the members of the task force, some of whom are here and some of whom aren't.

But there was an interesting conclusion that the threat is less the cyber Pearl Harbor scenario -- that is, the devastating surprise attack -- and more a corrosive -- number of smaller attacks. Why did the task force reach that conclusion?

ADAM SEGAL: I think we see the ability to launch a sudden disabling strike as being limited to a number of nation states, probably Russia, China, Israel, maybe a couple of others. And in those situations, a type of deterrence is probably going to stand, right? It's not likely that China or Russia are going to launch an attack out of the blue. If they were to consider one, it would probably be in the context of an already tense military situation in the Taiwan Straits or the South China Sea. And in those situations, the U.S. has made it clear that they believe that it has the right to respond to a cyberattack in any way it sees fit, through cyber means or through diplomatic means or through military means. So those capabilities right now are fairly limited to state-based actors.

The real issue we see now are the type of attacks that seem to be coming from Iran, which are mostly disruptive, right, on the financial services and seem to be slowly inching up to destructive. So if you look at the attack on Saudi Aramco, where 30,000 computers were basically turned into bricks, that ability is -- seems to be proliferating.

So the threat really is how do you deter these other nation states, which are not deterrable in the classic sense, and how fast does the capability proliferate? Because we see a growing black market for malware, for malicious software, and that is spreading very quick. As Ralph Langner, who discovered -- one of the first discoverers of Stuxnet, which was the attack on the Iranian nuclear facility, said, you know, the first Stuxnet was really hard. The second Stuxnet isn't hard at all because you just download it.

WEISBERG: So -- well, Ambassador, the United States clearly cooperated in that attack. The degree of our involvement versus Israel's is still a little ambiguous. But do we claim for ourselves the right to launch cyberattacks, or is that a weapon that we should forswear in the context of some negotiated global agreement?

NEGROPONTE: Well, I think it's like just about any other consequential military capability. I think yo have to utilize it in accordance with the laws of war and the existing international conventions. So I don't think that there's anything that makes cyber different from nuclear or conventional artillery or whatever.

WEISBERG: Well, when you look at it in terms of the laws of war, though, it's a gray area, to say the least. And I guess the question is, should -- and please, anyone else weigh in here -- should the goal be to negotiate the non-use of these weapons? Are they more like conventional weapons that we're going to use sometimes and don't want to prohibit, or are they more like nuclear weapons, where the goal is for no one to ever use them?

NEGROPONTE: Well, I think -- first of all, we're clearly into a new era here. We have been for the last, whatever it is, 10 or 20 years. This is something we're going to be discussing for a long time in the future. And clearly we've got to come to grips with the military dimensions of cybercapabiilty. But rather than outright talking about a treaty at this point, or a convention or whatever, it seems to me what we've got to get going first is some kind of really meaningful dialogue between the militaries and the military thinkers in each of these societies about the consequences of all of this. I think we need to do it with China, with Russia, we need to do it with our allies, with our NATO allies and others.

SEGAL: I think its an important point that the ambassador already mentioned, is that the United States has come out and said we believe that the laws of armed conflict apply in cyber, right? That there is a principle of neutrality, that there is distinction. And the Chinese and the Russians have not agreed to that yet. The Russians are seemingly moving closer. The Chinese have basically said, no, we need a new treaty for cyberspace. So that creates a great deal of chances for misperception, right? What we might think is off limits for an attack, the Chinese may see that as a perfectly appropriate attack.

And so I think the issue is arms control is very unlikely, right? You -- I mean, I -- you -- we -- you can't control my computer upstairs -- (laughter) -- and if I have a thumb drive, I basically have a weapon. So that type of traditional arms control is not going to happen. But we may be able to agree on some type of norms, rules of the road. That will have to develop over time.


Sam, China in particular restricts the Internet for both trade advantage and political reasons. And this report talks about using the WTO, using international trade agreements as a way of pushing them to open up. But don't we quickly hit a point where the conclusion is on trade, sure, but on politics, no?

PALMISANO: Well, I think, you know, in all of these areas, I mean, China is going to act in its own political self-interest. So we're somewhat, I believe -- I just got back from China two weeks ago -- I believe that we're somewhat naive to assume that they wouldn't act, just as the U.S. wouldn't act in its own self-interest. So I think -- so if you break it down into those components, clearly, that's why this multistakeholder model.

The Internet -- open Internet for commerce is every bit as important to a Chinese company as it is to an American company because as they expand beyond their domestic economies, they need the reliance upon this open Internet. So you will have a natural stakeholder, even a state-owned enterprise, who has a -- will have an open view of what's required from a commercial perspective. The other thing I left with was an observation -- and I -- this was my 35th trip to China, so I've been there a few times, since I lived in Asia.

NEGROPONTE: Means you're very well-known there.

PALMISANO: (Chuckles.) For lots of reasons, not always good, John. (Chuckles.) Anyway -- but the orientation, at least of the government officials I met with, was much more in this area of engaging the global economy. And there's a great reason for it, because they can't get the domestic growth that they require through an export-driven manufacturing economy, and so they need to go engage the global economy, and they need to drive productivity, which means they're going to have to use advanced technology, the Internet, to drive productivity, and they're going to have to engage the global economy. And this came from the government leadership; it didn't -- not only the business community.

So I think the timing is better now to engage them in these kinds of dialogues, and then -- but do it from the orientation of -- you know, to expect, what, the second-largest economy in the world, a very proud society who've invented great things over their -- you know, over their entire history to say, we shouldn't have an opinion, is, I think, somewhat arrogant on our part.

WEISBERG: So when we go to the WTO to complain about the blocking of Google, it's really a gesture. There's no hope that that's going to -- that -- (inaudible) --

PALMISANO: Well, their standard -- I mean, you have to begin with the process, right? And you have to engage the process.

You know, I found something fascinating this time. You know, you have a hard time searching on Google in China, but you can go on Yahoo and find anything you want. (Laughter.) So do you think their policy is working, Jacob?

WEISBERG: Yeah, well, I assume that's because Yahoo has agreed to some level of filtering of --

PALMISANO: No, it's because Yahoo has a joint venture with a firm called Alibaba. But my point being that, you know, it -- some of these techniques that governments employ are very limited in their effectiveness, because when I had to -- I had to find some information about some clients I was visiting with. And you're right, I went to -- I'm not embellishing; true story. I went to a Google search, looking up -- because I don't have a big staff with me anymore -- (laughter) -- like the old days, so I went --

WEISBERG: You do your own (third shift ?), yeah. (Laughter.) It worked better that way anyway, yeah.

PALMISANO: (Inaudible) -- now it's me. I go -- I did a Google search, you know, right, and everything came back, you know, blocked, right? Server could not be found. So I went on Yahoo -- I said, I'll go on Yahoo and do a Yahoo search -- everything, you know?

So my point of that is that, you know, a lot of these things that governments try to employ in this environment aren't effective. The world has changed. And that doesn't mean they're as sophisticated and aware of the technology changes that have occurred, but I also -- but I do believe that they will -- be an understanding that they're going to have to adjust and adopt (sic). And I would use adjusting -- I view adjusting and adopting (sic) as a chance for collaboration and progress, right, versus for the opportunity to kind of just yell at each other, because yelling at each other, although it's newsworthy, and it will -- believe me, I guarantee you, all the news coming out of this big conference won't be one of constructive dialogue; it'll be one of yelling at each other, but it doesn't make progress. And if the two largest economies can't make progress together, well, that's not good for those economies. It's not good for the world economies. It's not good for society.

So I really would kind of propose, and the report says this, that we engage in an open -- like the Internet itself is -- it's open, it's collaborative, it's multistakeholder, no one really controls it, you know, right? Quite hard for governments -- all governments, by the way -- to have -- get comfortable with that, which is why they're a little bit afraid of it. But you apply that model to this and I think through it -- through that architecture there's a chance for progress.

NEGROPONTE: And we have an ally, in a way, on our side also in the growing middle class in these emerging markets. After all, the -- much of the economic growth of the world is coming from the emerging markets -- China foremost among them. And they have a huge growing middle class who, I think, probably shares many of the values that we've just been talking about here.

WEISBERG: Let's talk about this interesting question of who runs the Internet. As you said, Sam, its responsibility is diffused, it's fundamentally not the government in certain ways. But there are standards that are set by a combination of legacy U.S. government controls -- ICANN and the Commerce Department -- growing out of the fact that the Internet was invented here, and then some sort of loose, non-rulemaking but standard-setting organization, which I don't quite understand, that sets technical standards.

Is that sort of satisfactory going forward? Is the overall governance and standards, rules of the road on the Internet, adequate to the world we live in now? And anyone can take a crack at this. Adam, you can start as well.

PALMISANO: Oh, I'll -- yeah, I'll start it, but this is one you will not have agreement on.


PALMISANO: I would say, to where the Internet is today, it was appropriate and it was very, very successful because the engineering communities of the world -- and the academics; when I say the engineering community, it expanded to the university systems as well as their research organizations -- got together and created this wonderful thing years ago with DARPA and University of Michigan and some other folks. And it expanded to the research facilities around the world and became what it is today.

And that was -- its governing bodies were really much that kind of a model. You get in by being smart and collaborating and providing your intellectual property. That's what it is. You know, that's how it runs itself. But once they make a decision, everyone complies. Compliance is voluntary but everybody does it because it's in their own self-interest because if you don't comply, you're not going to be out there doing well. So you comply -- or your products get adjusted, et cetera, et cetera.

I think it's no longer sufficient because -- and today, given the sophistication of the model, what's happening is it's touching too much of society today. So it's at a point of -- and you can go through -- not to bore you with technology history -- but you can go through the evolution of all technology standards, it gets to this point, you know, where we do it -- voice got to this point.

Things get to this point, right? Natural resources will get to this point where you have to have some mechanism broader than just, you know, kind of a rogue group of folks getting together and splitting up the rights -- the mineral rights or whatever it happens to be. In this case, establishing the technical standards.

So for lots of different reasons -- for issues associated with commerce, the ability for information to flow across borders should not be restricted. You know, that's kind of where we are because commerce today is multiregional -- mostly global, but at least multiregional. And the small businesses are more advantaged than large in that dimension. So it's very, very important.

It touches too much of society. I mean, children -- everybody's on it today. You know, you can't just say, we'll let those things go on. It's OK that people do bad things to kids, let's look the other way. You can't. You know, it has to be addressed. And it's also become a tool for various organizations -- rogue nations, whatever -- to operate in ways that aren't constructive.

So I think it needs to be elevated to a broader -- and I wouldn't -- you can draw the analogy when you talk about nuclear, I don't think it's really nuclear, per se, because it's just too pervasive. It's too inexpensive to participate.

WEISBERG: There was this meeting last year in Dubai towards the end of the year where there was a sort of challenge to this -- the existing regime of Internet governance, where a majority of the countries had an alternative the United States voted against. What's that -- what went wrong there and how should we be -- how should we deal with countries who see this as a -- fundamentally a matter of world governance and equal rights?

NEGROPONTE: Right. And I don't think there's yet a meeting of minds. And what Sam describe I think is right. There's a -- there's probably an increasing pressure to introduce a bit more regulation into this. But I think we still -- and I think that's the philosophical thrust of this report -- we defend the more open multistakeholder and less structured model and try to -- and we think it's wise to try and minimize the degree of intervention to -- as much as possible but recognizing that maybe some of that will be necessary.

So clearly, for example, in the area of security and defense of, say, intellectual property or, again, some of the other obnoxious behavior that can occur on the Internet, you've got to think of ways to do that. We've got certain governmental institutions in our own country that probably need to be strengthened somewhat. You see this happening now in the Department of Homeland Security, which has got much more capability in that area today than it did, say, at its inception. But when it comes to the ITU debate, I think the United States still will continue to resist the idea of a top-down management approach of the Internet. I think we will continue to advocate as much of a bottom-up approach as possible.

WEISBERG: Yeah. Before we open up to questions, I want to raise one more subject, which is how well the United States government is organized around these issues. And Adam, I gather one of the places where there was not a complete meeting of minds on the task force is whether there should be a U.S. cyber czar, whether that kind of role makes sense.

SEGAL: You know, I think the task force reflected a tension that's been present ever since this issue got elevated in the U.S. government, which is that everybody wants to keep, as Sam described it, this kind of decentralized, distributed process that matches the Internet itself. At the same time there's a feeling that the decentralized distributive process means that we have a lack of focus and a lack of strategic thinking, that there's just too much going on. At one point there were 19 different government agencies dealing with 24 different international organizations on cyber issues. And so there's constantly this tension between, well, do we -- do we concentrate that power, or do we continue to distribute it. And the task force, as you said, was of two minds of it and basically said that yes, we'd like this decentralized distributive process, but we also think there should be more strategic thinking about it.

WEISBERG: Yeah, Ambassador, as someone (speaking ?) not here for the task force, where there was disagreement, but as someone who's worked on the inside, how well is the U.S. government doing in cooperating internally around these issues? And what do you think? Should there be one figurehead for all these issues?

NEGROPONTE: Well, I've always been a little bit leery of the czar approach. They seem to come and go depending on the topic of the day or year. I mean, I can remember all the way to President Nixon's time, and we had energy czar, if I remember correctly at that time. And then you go on and have different kinds of czars. But I think what you really need to do is institutionalize awareness, proficiency. We propose the idea of a cyberservice as something that people -- that we might want to think about. We've got to institutionalize and embed proficiency in these issues in the different government agencies that have responsibilities, whether it's the DOD, the Department of Homeland Security, the Department of State, obviously, because they're involved in a lot of negotiations, the Commerce Department, which has a pivotal role and so forth. So more than a czar or some -- one person you can sort of draw and quarter if things don't go rights, I think more important is to make sure that the capability is developed perhaps across the entire spectrum of government.

PALMISANO: You know, and we also (comment ?) in the report that this why we need this information sharing, because if you aren't going to centralize, then if you have this decentralized structure John alludes to, then you have to have the ability to share the information across interagency -- and there are restrictions on what can be shared within the law, so it's not like it's just human behavior they don't want to share -- as well as you need to reach out, again, to the portions of the business community that touch a lot of these elements when issues occur -- I mean, the technology companies, the network providers; there are a lot of people involved in the inner infrastructure that also have lot of information and knowledge about what's going on. This is why we call out the need to be able to share in a -- in a constructive way the information and avoid, you know, the trial lawyers because you could -- you could see where if you shared the information, that just opens yourself up to more suits if companies already don't have enough at this point in time.

WEISBERG: We want to share more with ourselves and less with the Chinese.

PALMISANO: Well, no. It's interesting, though, when you get into an international crisis -- when interests align, you know, why wouldn't you want to share with the Chinese? You know, I -- and I think it's a well -- a point worth discussing. Interests will align. There will be a point in time in history where these two nations' interests will align. When those interests align, wouldn't you want to be able to share, at some level of government, versus how you learn about people sharing today -- because it's open, they can all look at each others' stuff, so they share unofficially? I mean, wouldn't you really like to have a back channel?

So I believe, if you stand back from it and get out of kind of this tit-for-tat, day to day, who gets the political points in a statement -- the soundbyte, and you look at it in time -- and John's point, when the middle class is emerging the way the middle class is emerging, you're going to want the ability to share across country borders. You're going to want the ability of people of aligned interests in the world to be able to collaborate in a standards-based way that has the association of rule of law so you know what the behavioral standards are. And I think we're going to see that, because it moves so fast. We'll see it in our lifetime.

WEISBERG: I'd like now to open it up to questions. If you have a question -- you all know the rules; please wait for the microphone, state your name, make sure it's a question. And I should point out, we have several members of the task force, I think, clustered near the front row, and I'm going to give them special priority if they have questions, and they may even be exempted from the stipulation about statements. Yes, looks like Binky Worden (ph) there.

QUESTIONER: First off, thanks very much to the task force. It's a -- it's an important moment to look at Internet freedom around the world. And I just wanted to push back a little bit against Mr. Palmisano's comments in relation to China, and suggest that instead, focusing on building ties with the government, which, obviously, we're going to be doing in Sunny California, but to also not lose sight of building ties with the Chinese people.

And I would say, for example, that the -- that Yahoo! has the access it does today in China because it gave up Chinese citizens for more than a decade-long prison terms.

WEISBERG: Could you frame this as a question? (Inaudible.) (Laughter.)

QUESTIONER: The question -- so the question is, how do we build ties with ordinary Chinese people who are concerned about Internet censorship? You have access to English language returns; you don't have access to Chinese-language search results, and for example, the New York Times Chinese language site is blocked as a result of David Barboza's reporting on the central government. So I would ask, how do you build ties to ordinary people who are, in fact, the Internet users?

WEISBERG: And I think that -- I think that's mainly a question for you, so -- (inaudible) --

PALMISANO: That's a very good question. Actually, I don't -- I don't view it as a pushback, I view it as a constructive piece of input, because clearly -- I mean -- and John mentioned this -- I mean, the society is emerging to have the same desires that everyone has as they merge into the middle class. So how do you connect?

Now, I'll answer through it kind of in -- my lens -- this is economic. You know, you have to understand -- you know, I'm a businessperson for 40 years. I don't have John's wonderful background. But I think, from a business perspective, the way you connect is providing things to those people on the ground -- the services and products and things that they would appreciate it, and then, in many cases, give them access to what a lot of us have. And then you can connect in a very, very real way.

At the same time as you try to do that, you know, you need the collaboration of governments to allow you to be able to operate. And my only point is -- on that is, China's no different than anybody else was at a point in time, because we've dealt with all these issues. IBM is 102 years old, so we've dealt with all these issues. It's just a point in time.

But you just work through it, and the way we've worked through it -- when there was great controversy between the U.S. and Japan, there were two guys that formed the Asian Society. One was John Rockefeller, and the other was Tom Watson, Jr. of IBM. And then they believed that if you could get business to business and people experiencing each others' products and goods within the countries, you could make progress at a government level. It turned out to work.

So if we apply that model here through the lens of business, there are ways, because most global businesses operate within the international norms and standards of the world. So if we all operate in China with whomever you happen to be, we're going to operate within those norms and standards, not necessarily local policies.

SEGAL: Let me -- let me just add that the report also talks about some of the more traditional approaches to this issue. So how do you get the anticensorship technologies into the hands of users in China? There are of course technical problems, right? You can't scale for everybody that wants to use them, but how do you use the funding wisely to do that? Also, looking at programs like the Internet Fellow Freedoms, right, how do you bring Chinese activists to the -- to the States and train them in those -- use of those technologies and other social networking devices, which the State Department is doing, which we are supportive of.

And I think to feed into the larger point about the U.S. is -- you know, there's no policy that's necessarily going to solve this problem, right? We have this problem with our European allies. They have different views of what should be allowed in and what should be posted and everything else.

But the stronger argument is made, is once, as you said, local users seek their interest align in the same way. And so one of the organizations we talk about is the Global Network Initiative, the GNI, which is trying to reach out to foreign companies to help push these -- push these agendas, which, when the council says, you know, building an alliance for these -- for these issues -- we're talking state and nonstate actors. And so I think we're trying to be -- for the council in particular, especially sensitive that we're looking at a whole range of civil society groups that would normally fall out of our focus for these foreign policy issues.

MR. : Yeah.


QUESTIONER: Winston Lord, International Rescue Committee. What does the report say or what would you say about the issue now before the Congress in legislation, namely the cooperation between the business community and the government on cyberdefense?

MR. : Yeah.

WEISBERG: Ambassador, do you want to take first crack at that?

NEGROPONTE: I think that's the one area where we come out in favor of some kind of legislation that would mandate the possibility of greater cooperation between the private sector and the government, in connection with the protection of intellectual property, and also deal with some of the liability issues that have arisen in the past.

But maybe Adam can expand on that.

SEGAL: Yes, so the -- essentially the task force supports a legislation that would allow for two-way speedy information sharing, so dealing with all of the issues of liability and privacy and data protection.

But we are in support of a legislation that would look like what is being considered in Congress right now but would have stronger protections for privacy and narrower definitions for cybersecurity.

WEISBERG: Yeah. Sam, just for context here, what's the scale of economic loss here? I mean, did we have any sense of how much American businesses would lose?

PALMISANO: Well, it was sized in the report that intellectual property theft was between 4 to 5 -- 4 percent today of the GDP. Is that what it was, Adam? Do you recall? It's going to 5 percent over the next 10 years, I believe -- 5.7 (percent).

SEGAL: The IP commission report uses the number 300 billion.


SEGAL: We use 150 billion. And the range is from .5 to .1 percent of the GDP.


SEGAL: But as we also point out, these numbers are completely soft.

WEISBERG: Right. That represents the value -- the notional value of what's stolen, not what would be bought if it weren't stolen.

SEGAL: That's part of the problem, right?


SEGAL: So what are you measuring? (Laughter.)

MR. : Yeah. OK. Right. Right.

SEGAL: Are you measuring what is stolen? Are you measuring how much it costs you to protect it? Are you measuring how much it costs you to resolve the problem?

So all of these issues are really problematic.

WEISBERG: Yeah. More questions.

Yes, sir, in the back.

QUESTIONER: Hello, Jacob. Mike Moran with Control Risks. We've all seen these things they have at the rental car companies when you're in their parking lots and you try to drive out the wrong exit. There's teeth that will destroy your tires. (Laughter.) I'm assuming that's a tested legal precedent; this is legal.

Why wouldn't a company be within its rights to put some kind of a honeypot in its security -- it -- in its computer systems which, if downloaded, maliciously, would disable whoever did that?

PALMISANO: So I would argue the more sophisticated technical approach is without honeypots. I mean, if -- what companies can do to monitor what's going on today -- there are a tools that exist -- I mean, you know, everybody pretty much uses them in the financial industry and telecommunications industry and the like. But the key is the monitoring of the -- of what's happening within your network and what's going on between your -- behind your firewall. So you don't have to really set traps for people. You can see what's going on and prevent them from taking your information or taking your credit cards, whatever it happens to be.

So I think there's -- in the technology itself today there's a more -- there's a -- there are approaches today that are reasonably good. They're not going to be perfect. I'll share a statistic with you which I -- everybody will find alarming, I'm sure. You know, most of the serious damage that's done to a company is because of someone inside the company, not outside of the company. Eighty percent of the time -- now, my data -- again, I've been out of IBM for a while, so my data's old, but at that point in time, 80 percent of the time its an insider, not an outsider. I know we spend a lot of time talking about outsiders, but the biggest problem if you're a company are the people that work for you. And we have disgruntled employees, something happens in the workplace, they have access to all the information. It happens in government as well, John, as you will recall.

NEGROPONTE: Well, then that's another reason the report actually dwells quite a bit on the whole issue of counterintelligence.

PALMISANO: Right. Exactly.

SEGAL: And also, part of the problem is I'm not going to directly steal it from your computer to my computer, right? I'm going to take over someone else's computer first, then take it from your computer, put it on that third computer and then put it back to mine. If you have that -- you know, beaconing or destruction or whatever happens, it's that other person's computer who's probably going to be damaged. Then you've broken the law. So that has become the issue of where you can -- who you can attack, who you can destroy. And most of the computers that are being used for these attacks have already been hacked. They've been taken over by somebody else.

WEISBERG: At the same time, Adam, just to interject here, we face the risk of overcriminalizing or overpunishing intellectual property theft, in particular. We had the backlash against the SOFA legislation and people who -- the Internet community is very concerned about the chilling effect on creativity, on people who are sort of on the right side, you know, exploring security risks as a problem, not posing a security threat themselves. How do you deal with all that?

SEGAL: Well, one of the things we do talk about is that there needs to be some reform of the Computer Abuse Act so you don't have this overstretching, right? So for people who are hacking -- or penetration testing, right? That's the legal side of it. And they are not -- you don't have this overreach.

WEISBERG (?): (Inaudible) -- problem.

SEGAL: Yeah. But you have this issue that right now -- you know, these laws were written in the '80s and they haven't kept up to pace with where we are now.

WEISBERG: Sir, in the -- right there, yes, in the light-colored suit.

QUESTIONER: Thank you. (Name and affiliation inaudible.) My question is regarding social media. We have seen the effect in the Arab Spring. We may be seeing something in Turkey. Did you talk in the task force about openness in this connection? And what kind of conclusions did you come to?

WEISBERG: Ambassador --

NEGROPONTE: Well, I mean, you mention Turkey. I was rather shocked to hear what -- what, some people were being arrested today for their use of social media. But I don't recall -- Adam can --

SEGAL: We do. We talked about the issue of the video on -- what was it, the anti-Islam video that was posted on YouTube, and how the U.S. is going to have serious issues about how we're going to address openness.

But it gets to the -- I think part of the question that Sam raised about what we're going to need here is some type of transparency and predictability. We're going to expect that countries have different standards for what they take down. A lot of the companies now -- you know, Google started it, but now Facebook and Twitter and the others do -- will every quarter put up who requested -- governments that requested things be taken down and under what provisions.

And that type of at least transparency is something that the task force is pushing for. It's unlikely there's going to be a one-size-fit-all policy that fits it. It's going to be up to the companies in particular. But we're hoping that we're going to see more of this transparency on the decision-making that the companies are taking.

WEISBERG: On the aisle, yes, right here.

QUESTIONER: Hi. Gordon Goldstein, Silver Lake Partners. I'd like to follow up on the question about the conference in Dubai. I note from the roster that there are a number of us in attendance here today who served on the American delegation to the WCIT conference in Dubai and watched it collapse in fairly dramatic fashion at the 11th hour. There is on the horizon another set of meetings and multilateral negotiations that are a follow-up to the WCIT conference on Dubai. There's a major conference in 2014 in South Korea.

My question is, did the task force address some of these forthcoming multilateral negotiations? And did the task force propose any recommendations about how the United States government should organize in advance of those negotiations and engage with the private sector?

NEGROPONTE: Well, one of the things we say is that we should elevate our attention to the ITU. Another point we make is that we need to form our delegation earlier. Particularly, we need to -- if we're going to pick a new delegation head, that person ought not be put in place just a few months before the conference takes place. These are long, complicated -- any of us, those of you who have worked in these complicated multilateral negotiations, know how much preparatory work goes into them. So that's another recommendation we make. And I think there may have been others.

PALMISANO: And there was one more on the economic side, John may recall, where we say that we should reach out to some of the countries that were opposing our position and make the case or educate them on -- I mean, they sometimes don't have the resources or don't have the skills, so therefore, they're taking a position without, you know, having the resources to actually take a different position.

So we make the case that we should educate them, do some work for them and why it's good for their economies, why it's good for their society, middle-class, et cetera, et cetera, to participate in this economic growth. That was the number, it's 4 (percent) to 5 percent of the GDP. In the report, we call up -- it's 4 percent today, Internet commerce going to 5 (percent) or 3.7 (percent) going to 5.4 (percent), whatever it was. But they want to participate in that economic growth, and it's good because their people can engage, was the other dimension to it. So it's both organization and trying to make a compelling argument on why they would be on our side of the issue.

WEISBERG: It's a -- it's a very good question, but it's not clear how much authority the ITU has. And I guess it's a question, policy question for us -- do we want to promote the idea that they have policymaking authority, or do we want to resist it, I mean, to put it in stark terms?

NEGROPONTE: Well, this is up for grabs in a way. In some of -- in some sense, depends on what the course, the content of the negotiations is, and to what -- to what extent we can reach a meeting of the minds. But we're going to go to these meetings, the ITU's going to call, you know, convene them. And so it's conceivable, at least, that somewhere over the horizon, there actually might be some kind of a convergence.

But we're obviously not at that point now. We're more in a defensive mode, and we're out there to defend our vision and our interest.

But either way, we need to be well-prepared for the ITU meetings. And one of the things you could do is get a -- head a delegation in place early on.

WEISBERG: Yeah, I saw a number of more hands in the back. Was there -- yes, right there. I'm pointing at --

QUESTIONER: Hi, Tara Maller, with the New America Foundation.

I was curious if you -- if I could hear your thoughts regarding the use of something like the State Department's Foreign Terrorist Organization designation, standards or state sponsors of terrorism list. If something like that could be developed with regards to cyberattacks that reach a certain threshold or groups that are engaging in cyberactivity to a certain threshold, what do you think sort of the implications of doing something like that would be?

NEGROPONTE: I guess my question would be, if you could be sure you know who's actually doing it. I think one of the real difficulties with regard to cyber is the whole question of attribution. But if you could get to that level of certainty, then maybe there's some artifice that could be created to -- along the lines you suggest, I don't know.

But attribution turns out to be a hugely important issue in all of this, how we exercise the right of self-defense, whether we can carry out attacks or ought to consider preemptive attacks when we're certain we think there's an attack coming our way. But all of that, to me, the thing that really gives you pause is the attribution issue.

WEISBERG: Question up here in the front.

QUESTIONER: Paul Richards from Columbia University.

How can the intelligence community manage the potential of the Internet as an information resource when people in that community often have to work with rules that prevent them from having open electronic access to open sources?

(Scattered laughter.) (Cross talk.)

NEGROPONTE: We created an open-source -- I mean, we have an open-source directorate in the office of the Director of National Intelligence. It was -- the foundation of it was FBIS, the Foreign Broadcast Information Service. We doubled the budget of our open-source activities in the intel community during the time I was there.

QUESTIONER: (Off mic) -- people sitting at their desks are often not allowed to have open access to --

NEGROPONTE: Well, I don't know. I did when I was director of --(laughter).

MR. : I see Neil's thing that is not true.

MR. : Right, that Neil, yeah.

QUESTIONER: Yeah, I spent way too much time surfing the Internet when I was in Dylan's (sp) office. (Scattered laughter.) They -- you have open access when you're at the -- (inaudible) -- and there are certain things you ought not to do -- sorry, Neal Pollard, PricewaterhouseCoopers, and a member of the task force; formerly intelligence officer, currently PricewaterhouseCoopers and member of the task force. But when I was in the intelligence community, you had open access to the Internet just -- I mean, if you wanted to, you could pay your bills online. It was discouraged, but you could. You had the access. But I can also tell you -- I was 15 years in the counterterrorism community -- extensive and very effective use of open-source materials for the mission.

WEISBERG: Yeah. More questions? Yes, in the second row.

QUESTIONER: Joan Spero, Columbia University. You mentioned that one of the key strategies is to use trade negotiations. And I wonder if you could elaborate a little bit on that, and particularly given the fact that the Doha Round has more or less collapsed. And do you elaborate on what kinds of rules you would like to inject into the trade negotiations?

WEISBERG: You want to take a shot at that?

SEGAL: So the TPP has some discussion of data and free flow of information, but unfortunately, much of the TPP is happening in secrecy, so it's hard to know for sure what is being discussed. But that's one of the places we're talking about. Also, the -- moving forward with the EU-U.S. trade agreement, free flow of trade information, data, is going to be a massive issue on that. The Europeans are revising their data privacy and protection standards, which could cause huge amounts of problems for U.S. companies, depending upon what the requirements are there. So those are all being discussed, and those are all areas where the task force suggests pushing forward.

QUESTIONER: But outside the WTO.

PALMISANO: Outside the WTO, in bilateral agreements -- so it's part of KORUS. The Korean-U.S. Free Trade Agreement has a data provision, and we suggest that any other future bilateral relations also have it.

WEISBERG: I think we have time for one last question. And if no one has one, I have one. (Laughter.) But I don't see a hand. My question -- my last question is about the technology of repression, which is something the report deals with, American or European countries that have exported these technologies that, in some cases, have been very effective as surveillance tools for dictatorial regimes trying to prevent free expression and protest. How do we deal with that? Do we restrict it legally? Is there some kind of voluntary agreement? What's the way to handle that?

PALMISANO: I'll come at it from a technology point of view. Maybe John wants to come at it from a more regulatory point of view. The challenge associated with this -- there have been restrictions on exports for very, very long period of time. It's a collaboration of Homeland and State Department in the United States, and it was always defined around some engineering or hardware standard.

The problem today is the software that people are using -- it's dual-use. You know, it's not -- it's not designed strictly for the military or for the secret agencies, the Secret Service kinds of agencies. It's open-sourced. So a lot of the stuff that they're using is available on the Internet; it's just open-source technology that people can download and use. So it's a much bigger challenge.

There are, I think, areas where there are some very, very sophisticated tools around data analysis and those sorts of things that are done uniquely for people who have the need to know -- I'm going to choose my words carefully, John -- (laughter) -- but fundamentally, you know, as we all know from our own lives -- (chuckles) -- but those can be restricted. But most of what's being done today, which makes it really hard, Jacob, is the stuff that's just open-source. It's out there on the Internet. They download it. They modify it. They make adjustments to it. I mean, they have smart kids in all the same schools we have smart kids in -- (scattered laughter) -- so, you know, right, that's pretty much what's happening, which -- it's a great challenge.

So they -- we do argue in the task force -- I defined the problem -- we argue in the task force a light touch, because you don't want to restrict commercial opportunities on any dimension, but at the same time, it's very, very hard -- you could even measure the hardware definitions, for example. I mean, they used to use a hardware definition that basically was -- that you could not export to an unfriendly nation, but it was less technology that was in your kid's video game machine, you know, right? And if you put a hundred of them together, you had a supercomputer, so if you bought a hundred PlayStations, you had a supercomputer. But -- so the restrictions really weren't enforceable. So that's why the task force sort of argues is you can't really enforce it, and a lighter touch to how you approach it.

WEISBERG: Anyone else want a last word?

SEGAL: I would say, actually, this is a good platform for what the council hopes to do with the task force as we move forward, because one of the issues that Sam raises with the surveillance technology and the ones that are used for authoritarian regimes is that, you know, one of the things we talked about in the task force was know your customer, right, so putting some of the responsibility on the companies to know who they're selling to and taking some responsibility for that. That's easier for IBM to do, although it's still hard. But IBM probably has a hundred people around the country -- around the world that are doing that. For a small start-up in Silicon Valley that has five people that are working on a new technology, that's much, much harder to do. And so bringing those people into the discussion is one of the things that the council wants to do as we move forward -- technology companies that are traditionally outside of those channels of policymaking.

WEISBERG: I want to close by giving one more blurb to this excellent report and asking you to join me in thanking our panelists. (Applause.)







Top Stories on CFR

Burkina Faso

Putschists in West Africa should not interpret initial popular support for coups as an indication that citizens no longer desire responsive, accountable governance.


The Chinese government’s increasingly aggressive diplomacy has hurt its image in much of the world. It’s unlikely to improve anytime soon.

United States

Richard Haass, president of the Council on Foreign Relations, sits down with James M. Lindsay to assess how the Biden administration has handled foreign policy in its first year in office.