Director, The Perfect Weapon; Principal Director and Producer, Ark Media
Senior Advisor for Homeland Security, Center for Strategic and International Studies; Former Undersecretary responsible for cyber and infrastructure protection, U.S. Department of Homeland Security; Member, Cyberspace Solarium Commission
Editor in Chief, Wired Magazine
Panelists discuss how cyber became the weapon of choice for nonstate actors and states alike. Directed by John Maggio and based on the book of the same name by David Sanger, The Perfect Weapon explores the rise of cyber conflict as a primary way in which nations now compete with and sabotage one another.
HAASS: Well, thank you and good afternoon one and all. Probably for some of you it's good morning—for still others, good evening. More important, I hope everybody is safe and healthy and well. This promises to be the perfect meeting for three reasons. One is it's called the "Perfect Weapon," a book by that name written by David Sanger, who is with us today, and a movie by that name, a documentary by that name directed by John Maggio who's with us today to discuss it. We've also got Suzanne Spaulding, who held a senior position in the government on homeland security working with these issues and actually understands them, unlike me, and Nick Thompson, who is wired in every sense of the word. So you're in extremely good hands. Secondly, and this is not really a spoiler alert for those of you who haven't either read the book or seen the movie, but it really explains where we are and how we got here with the case studies of what the United States and Israel reportedly did vis-a-vis Iran, but also with Iran, with North Korea, with Russia, with China, with what's going on now with the vaccine. It really sets the stage for a conversation about a truly important issue. And in some ways, I actually think I grew up in the age of arms control, where you had a technology that was introduced and then through arms control, to some extent, regulated. I actually think this is orders of magnitude more complicated given how much more centrally involved these digital and internet-type things are with everything in our lives—the number of actors, we're not talking about bipolarity, we're talking about almost infinite polarity, how dynamic it is. And it's in some ways, unlike arms control, which is a fairly regulated, defined world, this one is stunningly unregulated.
Indeed, I would actually say in terms of its importance, it might be the least regulated domain of international relations, which then sets enormous challenges for these individuals and for anyone involved in this call for American foreign policy. What is a strategy? What does it look like? What kind of rules ought we to want to set up, given that we have, in some ways, very competing aims ourselves or interests? How can we set up rules given the divergence of behavior and interests around the world? What can we do, what should we do when it comes to protection? What about playing offense? What about defense and so forth? And so the film essentially tells us where we are and how we got here, and what it does then it tees up exactly this conversation, which to me is a perfect Council on Foreign Relations conversation about these important issues. So I want to congratulate again David and John for a documentary that they're coming out in about a week on HBO. With that, let me also thank Suzanne for being here. And Nick, over you, sir.
THOMPSON: All right. Thank you so much, Richard. I'm Nicholas Thompson, I'm the editor in chief of Wired—I am your presider today. David Sanger, national security correspondent, senior writer for the New York Times, the author of The Perfect Weapon. If you watch the film, you are very familiar with his voice. Suzanne Spaulding is the senior advisor for homeland security and international security programs at the Center for Strategic and International Studies. Prior to that, she worked on all these issues at DHS, you also saw her in the film. And John Maggio is the producer, director, and writer who made the film.
So we're going to have a fantastic discussion about the film, about some of the questions it raises, and then have the policy questions that Richard just raised. So let's get going. John, I want to start with you. As the editor of Wired, I spend my life in this frustrating question of how to make visual narratives out of dramatic stories that mostly involve skinny people sitting at keyboards. And so, you did a great job of this, provided a lot of information, it's visual, it's fun, it's exciting. Tell me your philosophy of how you structured the film, and how you balanced providing the right information and not boring people to death.
MAGGIO: Well, thank you. Thank you, Nick. Thank you, Richard, for having me. You know, it was a real—it is a conundrum especially with the density of information that is in David's book, which is, you know, a phenomenal book. And so that was obviously the first sort of hurdle I encountered was I don't want to do a bunch of guilty keyboard tight shots and have lots of code. I think I told David in the beginning this isn't a film about ones and zeros, this is a film, the hallmark of many of my films, it's about capturing people emotionally and I knew there were victims in this quote-unquote "cyberwar" that most people don't know is going on under their noses. And my initial instinct was let's find those, you know, really like, you know, reaching out to Seth Rogen weirdly was one of the first things, you know, I thought was like, huh, this would be a sort of unexpected thing. But this is somebody who paid a pretty big price for the cyberwar that was going on. So that was the initial kind of instinct was let's reach out to people in the campaigns, let's reach out to people, you know, John Podesta was on the list, obviously. People who've been really affected by, you know, were the casualties of this cyberwar that's going on.
Initially, as is the case with a lot of films that are going on right now, I had planned on traveling and embedding with the campaigns and kind of traveling with them to see what was going on within that. That I felt would bring a kind of very personal component to the film. And you see in the film, actually, we were with Biden in Nevada when he said that Putin's coming after him, you know, we were getting little great little bits like that. But when COVID hit, our best laid plans were sort of obliterated. So we had to really turn to the people who were storytellers. You know, the trick in a lot of this kind of storytelling is not to make it a kind of animated TED talk, but to find those people, those characters that we can attach to emotionally, who can tell a story from beginning to end, you know, and not just give us information and to feel lectured to. So a lot of it, Nick, in short, is in the casting, really if I could put it that way of the film, finding those good storytellers. And also with this information too is, you know, the people who will tell you about the offensive stuff, which David can talk about, is very difficult. I mean, David hears from all sorts of anonymous sources in his reporting for the Times, but those people won't go on camera and tell you that information. So we had to rely, and I did greatly on David, to suss out a lot of information. So, to your point, thank you for saying that. I pulled it off, but it is definitely a trick. It's a balance.
THOMPSON: You know, you had wonderful storytellers in there. You know, [Christopher] Krebs talking about staying up all night at the end, right, and [Dmitri] Alperovitch, like tracing the Chinese hacker and finding the hat and then like zooming in on the dorm—that was just marvelous stuff. So, good job on that, that was great. David, let me start with a question about both the beginning and the end. Right, so the film starts with Stuxnet, and it ends with Zarif talking about Stuxnet. And the premise seems like the United States started the cyberwar, right? We did the first one. Or we and Israel did it and so therefore, it's kind of our responsibility. But is that right? If the United States hadn't done Stuxnet, would there not have been a Sony hack, would there not have been an IRA operation? Is it really true that we opened Pandora's box or is this going to happen anyway?
SANGER: Well, this would have happened anyway. But I think we altered the level of escalation. Let me just start first by just thanking you and the Council for having us here. Richard, in particular, because after he read the book, he helped inspire the idea of doing a documentary. And Suzanne, who's been a guide to all this. And John, I thought really did a magical job. As you can imagine, when you've got an author who's got like a book full of hundreds of pages of all this, and John saying, yes, the first thing we're going to have to do is figure out how to go tell these stories in a film-capable way, you get what turned out to be both a little bit of tension and really great partnership. And I think he did an astounding job of putting this all together. And because of people like Suzanne in the film, we were able to really put a human face on it.
To your question, countries were attacking the United States in modest ways prior to Olympic Games, which was the codename for the U.S. operation on Iran, but once Olympic Games happened, something happened that Barack Obama had predicted in the Situation Room, which was once it got out, he knew it would get out, he didn't think, I think, it would get out as quickly as it did, or with the kind of tracing of how the decisions went back to him and President Bush. But he said once it got out, every country in the world will use the fact that we used the cyberweapon against Iran, to go justify all kinds of things that they want or would go ahead and do anyway. And that's precisely what happened. And so you saw the escalation. After Olympic Games, the Iranians went first after Saudi Aramco—took out thirty thousand computers at the world's largest production capability. Then, as the movie describes to you, they came after the financial industry in the United States, they came after the Sands Casino following the owner of the casino's suggestion that maybe we should just drop a nuclear weapon in the Arabian Desert and tell them that Tehran was next. And what do you know, the next thing you know, his workers go into the Sands Casino and the hard drives had been wiped. So we are in a pretty rapid escalation. And I think one of the things that John really captured very well was how this is speeding up. And then once we created U.S. Cyber Command and the National Security Agency put Cyber Command in as sort of the military equivalent of it and raised its status—what's happened? Every other nation in the world now has its own cyber command, and cyber is built into every military plan.
THOMPSON: Which makes the world more complicated but gives me and you lots more stories to report on.
SANGER: That's true. Yes.
THOMPSON: Suzanne, let me ask you a little bit about that because one of the things that was striking to me about the film is that Stuxnet is this incredible hack, right? Ocean's Eleven-type stuff with big screen, centrifuges, monitors—it's amazing. And then all the hacks that come after it that are described in the film, kind of like high school stuff, right. They're super damaging, you steal somebody's emails, right. You run a bunch of kind of fake ads. Why is it that we haven't seen that kind of super sophisticated hack, is it because only the U.S. is good enough to do it? Is it something else that has changed? Why is that?
SPAULDING: So let me also start by thanking the Council for having this important conversation and thanking John for telling this story in a way that the public can understand and will be interested in, something that policymakers, you know, we've been trying to do for many, many years. And thank you to David for consistently trying to tell this story over time in his very careful and really excellent journalism. So thank you to everybody. And thank you, Nicholas, for moderating this panel and for that question.
So the first thing I want to say about Stuxnet that, I think, gets lost a lot in the conversations—and of course I'm only talking about what's been publicly reported and asserted, and the claims and allegations that David includes in the video without confirming or denying the accuracy of any of it—but that we did, you know, in the last several years work very hard to establish norms around the use of cyber, peacetime norms around the use of cyber, including a norm around not attacking critical infrastructure upon which a civilian population depends. And I think we, you know, we were accused of hypocrisy by a number of folks in that context because they attributed Stuxnet to U.S. and Israeli actors. And I do think there is a distinction to be made there, between, you know, going after an enrichment facility that was pretty clearly intended to develop a nuclear capability, and for example in 2015, Russia's attack on Ukraine's electric grid that brought down power for a quarter of a million people in the dead of winter two days before Christmas. Those really are different things, but I appreciate the question in terms of sort of the sophistication of that attack and what we've seen since. And you know, I do think, people often bemoan and often ask me if we are behind China and Russia, for example, in cyber, and what I always say is, defense is always harder than offense—for everyone—it is the nature of the beast. And so, but we are very good at offense, and we are very good at defense. And so whether it is that the situation has not arisen, I mean, I do think we have begun to normalize this norm around destructive cyber activity, though Iran and North Korea don't pay attention to it, right. What we've always said is they have greater destructive intent, but fortunately they do have less capability. Their capability is improving all the time. But at the moment it is below China and Russia.
China and Russia have tremendous capabilities, but they have incentives not to engage in destructive cyber activity. And so I think that, too, could change at any moment, depending on the geopolitics.
THOMPSON: And they have an incentive not to engage in it because they know that we would retaliate proportionally?
SPAULDING: And because I think they actually, particularly China, I think, really does have an interest in being viewed to some degree as a reasonable player on the world stage. And they think that cyber espionage does not undermine that status. They think cyber espionage is fair game—industrial espionage is part of their national security. And so when it got really hot around the post-OPM breach, you saw them enter into an agreement to refrain from that for some period of time. That was a reputation issue for them. That is a motivator for China. It is less so for Russia, and I think we are much more likely to see—if one of those two actors is going to break out in a more aggressive cyber way, we're already seeing it with Russia with regard to election interference, I think they are less bound by these sort of emerging international norms.
SANGER: Nick, in the course of this reporting on this, a good source at the National Security Agency, a public official, has said publicly a few times Russia is the hurricane in all this and China is climate change. And I think that the concept he was trying to get across here was that the Russians have every reason to be disruptive as they are in other non-cyber realms. And so in the cyber world, you know, they cruise through the Atlantic with these submarines that basically have giant scissors in front of them to demonstrate they could cut the undersea cables and basically black out 95 percent of our internet traffic, if they wanted to. How do the Chinese operate? They're laying new cables all across the Pacific, because their long-term strategy is let's dominate the sphere here. That's two very different ways to go at the problem.
THOMPSON: Absolutely, that has several great images in that answer. Let's get to the question of how we resolve this, right. So there's this wonderful moment in the film, about fifty-nine minutes in, David, and you said the volume of attacks is escalating, the sophistication of attacks is escalating, and the debate about how to deal with it is becoming more confusing. And so what I want any one of the three of you to do is to help us lay out what the United States should do. Suzanne, you've already given one terrific proposition, which is that we should continue to abide by, set, and talk about norms over where you can use cyberweapons and where you can't. But what else does the United States government need to do to make sure that cyberwar doesn't escalate, become massively confusing, and is relatively contained as we go into a dangerous future with hurricanes and climate change?
SPAULDING: So the Cyberspace Solarium Commission, on which I served, came out with this report in March. In fact, the last public event I attended before we all went into lockdown was the rollout of our report. We talk about a strategy around the layered defense and really what it's about is a deterrence that's based on altering your adversaries' cost benefit analysis. So there's the, you know, and the cost is imposing consequences, and it's raising the costs of doing operational activity. And then really important is reducing the benefits that an adversary can derive, and that has to do with building resilience and redundancy, both institutional resilience, operational resilience, and frankly, cognitive resilience.
But on the cost imposition, which David in the piece, you know, hints at and gets at, I think there are some key things that need to precede—we need to focus on attribution, you can't impose consequences if you don't have clear and good attribution. The stronger your attribution, the larger your toolbox, right, the greater number of tools you could reach for, and that requires a greater interagency focus on that attribution. We do need to develop more tools; we need to be able to ratchet up gradually and ratchet back down. And that also highlights another weakness in cyber, which is that we don't really understand the escalation ladder as well as we need to in cyber, it just hasn't been as developed, it usually happens through experience. And so there's a lot of reticence built around concerns about where escalation will go and our relative lack of strategy with regard to coming back down that escalation ladder. So those are just a few of the areas I think we really need to focus on.
MAGGIO: I think too, Nick, something I wanted to point out that you'd mentioned earlier about the kind of high school nature of the attacks against this country, which America is clearly just uniquely vulnerable to because we have a public square, because it's easy to sow disinformation, and as we say in the film, to hack your brain in a way that those tools aren't as effective in authoritarian regimes where people don't have that freedom to express themselves, to have free and open discourse. So really, I mean, you know, not to put too fine a point on it, but it is a perfect weapon in many regards. And I often in the making of the film, thought back sadly to 9/11, you know, nineteen guys with box cutters, you know, it changed our world, and we're still dealing with that. And I think that these kinds of attacks now, I mean, I don't think we have a clear idea of who's mucking with the debate now in discourse, in the fear of a rigged election, and how all that stuff is manifest. I don't know how to de-escalate from that. And I don't know what our response is, I mean, I don't know how we use those cyber tools effectively in a defense.
SANGER: Nick, just to build briefly on what John and Suzanne pointed out, the good news here about those sort of amateurish hacks is that so far, each one of the major powers has recognized that there is a limit that they don't want to go beyond. And they're willing to go take out a casino or go after a dam in suburban New York that had no water behind it, or something like that, that would not likely result in us sending, you know, B-2s over their territory. The problem is that that line is poorly defined. And as Suzanne says, we not only don't know where it is on the way up, we also don't know how to take the air out of the balloon when it all goes down. And that's why in the next three weeks, one of the things to look for most carefully is the fear of perception hacks. You know, you don't need to take out the whole voting infrastructure in the United States, you just need to take out three or four counties in Wisconsin or Pennsylvania or Minnesota or something to create the impression that the Russians are throughout the system or somebody else is throughout the system. And we've now had a dynamic that's gotten more complicated, because the president himself is out saying that this election will be rigged, which aids the perception that it is rigged even if there are just a few elements to it. So if you add in to this complex mix of how you deter, the problem that you don't really need to do very much, you just need to appear to be powerful in it, then it gets really complicated.
THOMPSON: This is fascinating. So we're developing a pretty good framework here, right, we need to figure out attribution, we need to figure out how to ratchet it up, we need to figure out how to ratchet down, we need to bring cognitive resilience, we need to establish norms about proportionality. And now let's get to another thing that both you and Suzanne have talked about, but that is implied in John's answer and your answer, which is, what if there was less to hack here because we were more open? Right, John Podesta's emails would not have been valuable as a leak had they been published already, which of course John Podesta wouldn't want, but you get the idea. Maybe a better example would be if more information was publicly available about our elections and how they were being processed, some kind of penetration would cause less chaos and fear. Explain this idea about being more open and having that be effectively a deterrent.
SANGER: Well, let me take a free shot at this, and Suzanne and I have talked about this a lot. I don't think anybody wants to open up your entire emails, I certainly wouldn't want yours, mine, or any of ours. But the one thing that I think we could open up on is what our cyber strategy is, what our capabilities are, because my sense is that we've stepped on our own deterrent capability by wrapping our cyber powers in so much secrecy. Now, it's no surprise we're wrapped in secrecy—this is a weapon that was developed by the intelligence community and what do you know, intelligence officers are secretive. But there's more secrecy than there was even around nuclear weapons, as Richard was discussing in the comparison at the opening. And that's dangerous because if we can give a better sense to adversaries of what the United States can do to you, and how well we have managed to go build up our defenses so that an attack wouldn't be all that effective, then I think we will have the basis for better deterrence. And the very fact that you don't see U.S. Cyber Command out talking about what they could do in this election season, other than in vague generalities, I think is actually worsening the problem.
SPAULDING: Yes, I agree. You know, we have long known that we have over-classification in the intelligence and defense communities, and it is harmful, and for the reasons David said, in terms of our deterrent capability. But also, you know, again, I've spent a number of years as the undersecretary of the Department of Homeland Security where we were very aware that we had to work jointly with folks outside of the federal government, whether it's state and local government, private sector, and they needed to know the information that we had and so there are real harms there. You know, I can remember actually sitting in deputies committee meetings when I was still in the administration, where we would have a conversation about something and everybody, you know, was implicit that this was all going to stay secret or explicit that all this was going to stay secret. And I would ask, you know, how convinced are we that our adversaries don't know this information? Wouldn't this information be important to get to, for example, let's say critical infrastructure owners and operators, even if we assess that our adversaries don't know this, for how long? I really believe that the shelf life of secrets, generally speaking, is vanishingly short. And I wrote a blog in 2010 entitled No More Secrets, which talked about the fact that, you know, a transparent world is coming at us full steam ahead. And this was in 2010, that all of the reasons that it costs too much to hold on to secrets meant that we had to start to understand and figure out how to operate with fewer secrets, right, with the less assumption that we were going to gain competitive advantage by having a monopoly on information as if our adversaries or competitors couldn't find that information on their own, right, and at what cost. And that we needed to train to fight in the light.
If you trained to fight in the dark, you could have the lights go out or turn off the lights, and you would have the advantage against your adversary. If we train to fight in the light, if we work on learning how to operate in a world with fewer secrets, in a world in which we can learn to live with transparency, we will have an advantage over our adversaries. And we have a great leg up as a democracy, because democracies depend on transparency. And our adversaries—Russia, China, North Korea, Iran—depend on secrecy. They are absolutely dependent on keeping secrets from their population. And if we figure out how to turn on the lights, I think we'll have a huge advantage.
THOMPSON: That is a perfect note to go into our audience Q&A and to say that appropriately enough, a reminder, this is all on the record. And if you have any additional secrets, if you work at the CIA or the NSA, as many of our audience members do, you can just send me a chat through Zoom with that information and I will happily publish it on the internet. So we are now going to have a brief pause while we learn again how to submit questions, and then we'll go to audience questions.
STAFF: We will take our first question from Fred Hochberg.
Q: Thank you and I had a chance to watch the film last night, it was spectacular and chilling. So my question is, it doesn't tell you—I may be totally wrong, it doesn't appear that Stuxnet and the degree that Iran was advancing on nuclear power was as well-known when we tried to put forward the JCPOA. And watching the film, it's hard to understand why people would object to that agreement because they were so close to a nuclear capability. And yet, we had enormous pushback to President Obama, Secretary Kerry, and others about the Iran agreement. So could we have done a better job of publicizing just how risky it was and would that have made a difference? I'm just trying to retrace history and thinking about how we go forward. Thank you.
SPAULDING: So David, I was going to let you take the first stab at that, but listen, I think it's not clear that that would have resulted in less pushback against the agreement. What I've always thought is interesting about the discussion around arms control agreements—and I used to be the legal advisor at the Central Intelligence Agency for the folks who worried about weapons of mass destruction—is that there was always this argument that, you know, you can't enter into arms control agreements, whether it was with Russia or anybody else, because we don't trust them. And I always thought, you know, actually, if you really trust someone, you can shake hands, you don't need a written agreement. You enter into written agreements with people because you cannot rely on trust. It is precisely the people that you don't trust that you need to work through these agreements, and obviously the issue, it becomes one of verification. But I'm not sure that the folks who were pushing back against this didn't appreciate how close Iran was to developing a nuclear capability. David, I don't know if you see that difference.
SANGER: So Fred, good to hear from you. So first of all just on the timeline here, Olympic Games began 2007–2008. The code got out and raced around the world in 2010. I can't tell you how many front-page stories we wrote about that. The revelation of President Bush and President Obama's direct involvement in it, I put into a book called Confront and Conceal that came out in 2012. So that whole history was pretty well-known, at least to people who follow this stuff, long before they got into the negotiation of the JCPOA. And you could argue that one of the reasons the Iranians felt compelled to negotiate was that they realized that a combination of sanctions and sabotage were teaming up against them, and they weren't going to be allowed to move ahead to a weapon and that Stuxnet was part of what drove them to the negotiating table. Now that we've pulled out of the JCPOA, I think the big problem going forward for either a second term of President Trump or for Joe Biden would be, what do you do to bring them back to the table now? Because at this point, they've concluded that they've seen what we can do in a cyber way. They've obviously begun to build up defenses. They've built their own cyber capability, and they probably feel a little bit less vulnerable now than they did at the time that they signed the agreement in 2015.
STAFF: We will take our next question from William Drozdiak.
Q: Hi, Bill Drozdiak with McLarty Associates. I wanted to follow up on the earlier conversation about transparency as a potential weapon to be used by democracies against these authoritarian regimes. We're all concerned about Russian meddling in the current election. Is there, what level of retaliation against Russia would be most effective? Should we use, for example, information about the notorious corruption of Putin and his cohort of cronies, and basically broadcasting, spreading that information out to the Russian population as a way of embarrassing the Russian autocracy? Could you offer some suggestions as to how to temper the retaliation against those who try to interfere with our elections?
SANGER: John, do you want to take the first shot at that and one of us can come in.
MAGGIO: I mean just from, you know, what I've picked up in your reporting and in my research on the filming, we do feel a bit handcuffed with that kind of retaliation and autocracy—like they just will lock down the internet, they will lock down. These are not open networks; the same weapon doesn't work in reverse. And I do think with regard to the sort of lack, you know, wanting less secrecy on this side of things, you know, I would take polls at dinner parties when I was making this film that nobody even knew that we had something called Cyber Command in this country. I mean, it sounds like you know, Space Force to a lot of people. I do think we could do a lot more to let people know that we are over in other countries rattling cages. But again, I don't think there's an easy answer to the offensive side of this thing, short of another critical infrastructure kind of attack to wake up the countries that are attacking us with disinformation. It's just not a weapon we can use. So I don't know, I know that Facebook did have some, in Russia did have some effect on Putin with information about his business dealings, but it was, you know, perfunctory at best, I think.
SANGER: Bill, from your own time in Europe and dealing with Russia, you know that if the Russian people were suddenly told that Putin has got a bunch of oligarch friends who are, you know, funneling money to him that he's keeping in Swiss bank accounts, they would probably not be super shocked. So I'm not sure what those revelations do. And Putin would turn around and say, gee, I'm reading in the New York Times about all these tax returns for Donald Trump, you know, so, you know, he would do his best to try to equate the issues. And as you just heard from John, the problem is we're the most wired country in the world, and Russia is nowhere near as wired. So doing a counter cyberattack would be a modest benefit. You did see in the 2018 election, Cyber Command push back against the Russians with specific targeted attacks on the Internet Research Agency and on the GRU, the Russian military intelligence agency. And I suspect that as time goes on, we'll learn more about what they're doing in 2020 along those lines as well.
SPAULDING: So I have a slightly different view on the potential impact of, you know, making it clear to Putin, that one option we are considering is revealing information, evidence, facts about his corruption. There were, in fact, and I think it was after the Panama Papers were publicized, that there were in fact protests, there have been some, you know, not insignificant protests in Russia against the corruption of the regime. Now, you know, they obviously, it's not clear how much impact they had, but I do think that it worries Putin. He's watched the color revolutions; their military strategy doctrine talks about tapping into the protest potential of the population. You know, we view protests as a sign of healthy democracy, but for an autocracy that is so brittle, that is incapable of change, protests can be an existential threat. And so I think while we may believe that it won't really change much in Russia, I think Putin is nervous enough about it that I think it could potentially have some deterrent impact.
STAFF: We will take our next question from Jan Lodal.
Q: Hi, am I unmuted now? Can you hear me? Okay. David, you know for a long time, I've been focused on the question of attribution, and so forth, and have argued that we couldn't make an internet that was fully attributable. You would not have some of the openness that you have now. And some people wouldn't be able to use it for some of the things that they could do. But you all talked about attribution, and I guess my question is, isn't it the case that we really have to step up to that issue at some point and realize that the internet as we have built is easily hackable? And unless we make some changes—you know, this is not the right appropriate place to discuss the details of what those would be—that this problem is just going to continue to get worse for us and make it more difficult both to get the benefits of an open internet and also the damages that we've seen.
SANGER: Jan, good to see you. And the answer to this question is the internet was never built with security in mind. Remember, when it began in its smallest form, it was among a group of academics who knew each other. And so the best comparison that I can think of with this is how we initially built roads, you know, we had dirt roads, they had no shoulders, then we moved on to paved roads, but we didn't have good ways of exiting and entering to them, we didn't have seatbelts. And what we've done over time is we've rebuilt the road system for safety. 5G gives us the opportunity to begin to rebuild the internet for safety, but that means that you want to know pretty much who's on it at various times, but you also want to be able to encrypt the content so that your banking transaction isn't open to everybody on Earth. Part of the difficulty here is that the Russians and the Chinese have figured out that if they argue for perfect identity on the internet, that when I sign in, or Suzanne signs in, or John signs in, that we know exactly who's on. Yes, that would begin to make it a safer place; it would also make it a lot easier for them to hunt down dissidents and shoot them. And so we need to go find this right mix where you've got enough attribution and identity to know who are the malicious actors, but not enough to allow the authoritarian states that want to use the internet as a symbol of control, a method of control, to be able to go do so.
MAGGIO: Yes. Now, I agree with David on that, but I was thinking about, you know, a movie that came out last year called The Great Hack about Cambridge Analytica, and it speaks to the, you know, like, I think just culturally, that we've gotten so much more used to our information being out there. You know, Facebook was built as a way to aggregate your interest for marketers. And I've always assumed that my information has been sold left, right, and all over the place. And I think we either have to understand that we live with more transparency, and we're more vulnerable in that way, or lock it down. David has in the past talked about a kind of, you know, closed network, you know, almost like a Berlin Wall in the World Wide Web, between the East and West. And I don't know if we're going in that direction, or how that will work, but, you know, these are really important questions that I hope the film brings up. It's like, how do we protect ourselves from this?
STAFF: We will take our next question from Joseph Nye.
Q: I want to, before I ask my question, I wanted to say to John Maggio, I was amazed at how you were able to turn Sanger's prose into something that is visually beautiful. But no, seriously, it was an excellent job, and I've already told David that. I wanted to ask the question, though, about Russia. About ten days ago, Putin gave a speech at the UN about inviting the United States to a serious dialogue on a set of norms for dealing with cyber issues. It was dismissed very quickly in Washington and nobody took it seriously. I've written that at times, we might think of restoring something like the Cold War-era Incidents at Sea Agreement, where we don't look for an arms control agreement because it's not verifiable, but we do have a discussion in which you say, here are red lines, if you go too far this way, or too far that way, not either of us is going to be able to manage the unknown escalation process that Suzanne referred to, and therefore there is grounds for discussion on that basis. Do you see any indication, David or Suzanne, do you see any indication of any seriousness in Washington about this? Maybe it's impossible to get serious before November 3, but as we think into January and beyond, what are the prospects for actually doing something with the Russians, or is this just another Soviet/Russian-type propaganda ploy and we are proper to dismiss it?
SANGER: Well, great question, Joe. And thanks for your comments about the movie. For those of you in the audience who don't know this, Joe taught me this stuff from the time I was eighteen years old on, so if there are any flaws in my analysis, it's entirely his fault along the way here. And once again, Joe, you've asked just the right question, and arms control agreement is, as you've written so well, is not going to work in this sphere. You've got states, you've got criminal groups, you've got terrorists, you have teenagers, all with access to cyberweapons and, you know, teenagers don't sign treaties. But the Incident at Sea concept is a really good one because, you know, we have a hotline set up to try to de-escalate for nuclear events, we have all kinds of ways to try to de-escalate on the ground, and we don't have it in the cyber world. The thing we have to navigate around for this is that most of the cyber actors, of course, are in the private sector. So when you call up the Chinese and you say we see an attack amassing here, and then Xi Jinping could say, "I don't know anything about it, and it could be some kids down in Shanghai playing around." So we need to figure out a way in which, once you're trying to manage these events, you can integrate the private sector into it. And we never had to do that in the nuclear age or even with naval forces. Suzanne?
SPAULDING: Yes, you know, Joe, great question. Of course, I do think, again, if we get a new administration, I wouldn't be surprised to see these conversations being renewed. As you know, in the Obama administration we did do something that I think a lot of people thought was unthinkable, which was we entered into discussions with the Chinese to try to move forward and develop some confidence-building measures, right. And I spent a lot of time in Beijing—and flying, you know, back and forth, they came to Washington, we would go there—developing a hotline which we had established and tested, and having actual workshops and tabletop exercises where they came and we walked through, you know, if you came to us with something of concern, you saw sort of that red flaming ball of cyber death, you know, coming, you know, how would we communicate, how would we handle it, and hearing their descriptions about how they're organized and how they would do it. I mean, there really were steps being made toward the development of some confidence-building measures with an understanding that things might happen in cyberspace that would harm both of us, and that was sort of the starting point. And then we did go to Moscow and have some very initial preliminary discussions to see if maybe we can move forward there. So I, you know, I think a lot of the same characters, if you will, are going to be back. And if we have a new administration, and I can see some of that, discussions about how we might renew and try to move forward on some of that.
SANGER: But we haven't detected much effort by the Trump administration to do so. They're still struggling to get New START renewed for five years.
SPAULDING: Yes, and I think it's hard, you know, I think it is harder for them. And listen, we go into these things with our eyes open—we, China, and Russia are approaching these issues and the internet, etcetera, from very different places. The starting point with Russia was that, you know, we make these distinctions between peacetime norms, and what you might be able to do in a conflict. They have a starting point is there's no distinction between war and peace and cyber. With China, we would go in with the idea that, you know, there's a difference between industrial espionage and traditional, you know, national security type of espionage and cyber and, you know, their position for the longest time was no, there's no difference there. So, there's real challenges.
STAFF: We will take our next question from Ian Smith.
Q: Hi folks, I'm Ian Smith with the cyber policy office at DHS headquarters. Thanks for this talk. How do you change the equation on the predominant Chinese malicious activity, IP theft for commercial gain, cyber espionage of other sorts? How do you effectively apply meaningful consequences to impose a cost when the problem is really a slow drip death-by-a-thousand-cuts strategy, by applying a credible threat of retaliation to the potential for a more discreet, disruptive, or destructive attack on critical infrastructure? Can you really move the needle at a lower level in any way, or do you have to have at the highest levels of government negotiations tied up with other national security issues? Or do you just have to work on the defensive protective cybersecurity side of the equation? Thanks.
SPAULDING: Well, Ian, you know, again, we did manage in 2015 to get President Xi Jinping to agree and sign up personally that governments should not steal sensitive business information to give their private sector competitive advantage. And that, again, was that distinction that we make between industrial espionage for competitive advantage and traditional, you know, national security espionage that they had always denied. And what the leverage that we used to make that happen was the impending visit by Xi Jinping to Washington and his desire for a, you know, big ceremony on the South Lawn of the White House unmarred by the imposition of sanctions against China for its industrial espionage and theft of trade secrets. And so again, I think you have to look at each country and what motivates them, but it really was, I thought, a striking evidence that Xi Jinping cares about reputation, cares about his image on the world stage. And the pomp and circumstance of that, I mean our assessment is that was what really gave us the leverage to get that agreement. Now, that didn't mean that they were agreeing not to steal our trade secrets. And in fact, what we saw is that their non-cyber efforts to steal our innovation and our business information proceeded apace and, if anything, it picked up, and certainly when this administration came in not too long after, we saw the resurgence of cyber.
SANGER: I'd only add to that, that after Suzanne's work—great work negotiating that—the Trump administration, I think, didn't build on it the way they needed to, in part because it was an Obama administration creation. You almost never heard them refer to that agreement in public. And so the Chinese realized that they could go back and they moved this stuff from the PLA to the Ministry of State Security. To some degree, and I think that the problem of dealing with theft, while unresolved, is sort of the problem of the last decade. And that if you look at the two big conflicts in the cyber world in the past year with China, they're actually the reverse—they are 5G and TikTok. In 5G, the problem was that we're worried about the Chinese laying the infrastructure that will then get routed back to Beijing and that infrastructure could be cut off in time of war. In TikTok, for the first time, we're trying to regulate a Chinese invention coming into the United States and getting into the heads of a hundred million Americans. That's a very different problem than regulating something that is leaving the United States illicitly to go to China. So we have to be ready to go play the three-dimensional chess here. And it's a quite different problem now than it was even four years ago.
Q: Right. Thank you.
STAFF: We will take the next question from Steve Wallace.
Q: Yes, thank you very much. Steve Wallace, I run a company called the Omanhene Cocoa Bean Company, and I'm calling from Wisconsin today. And, John, I thought it was brilliant, maybe it was a footnote, but I thought it was intriguing in the movie when you had General Nakasone in his testimony. My question really is, how difficult will it be for the military to pivot from maybe its traditional focus on weapons acquisitions, conventional hardware, and personnel training, given the number of lobbyists and political beneficiaries in various states, to pivot from that to dealing with cyber problems? And do we have, is there sort of a hardware bias within the military? And I guess the follow up question is, is the military indeed maybe the best place to put our cyber response as a world threat when we were treating it like conventional warfare? And is that well placed? Thank you.
MAGGIO: Thank you for the question. I wanted to explore that exact circumstance because it seemed to me there's a whole new way of training the army, you know, we're not going to send them to Parris Island to boot camp, we need to send them to, you know, coding classes. And, you know, in China, they pick, you know, from a very young age, they're picking the youngest people from you know, kindergarten up, you know, to be training to become cyber warriors. In Israel, one of the places we wanted to get into was the exact same thing when, you know, when you're doing your service, they pick the brightest minds to come in and become cyber warriors.
I think in America, most of our brightest minds sometimes, obviously want to go to Silicon Valley and cash in. I was lucky enough to meet some people who were working for the government, who had formerly worked for the government, who felt that they wanted to lend their skills to the government, do their service, and then go into private industry. But I do wonder about that same thing—who is training our cyber warriors? I saw General Nakasone, who we tried desperately, David can tell you, also worked on trying to get an interview with, but he's, you know, obviously, a remarkably secretive person, very nice guy, saw him speak early on in the conference, and he was talking in patriotic terms about recruitment, recruitment for the next generation of cyber warriors. He uses that kind of language. And unfortunately, we couldn't go to Israel or China because of COVID, but I do think there's something there that you've picked up on that it will be interesting to see. You know, when I think about the Obama administration's use of drones, in fighting remotely, I think that there will be a new kind of groups of battalions of cyber warriors in our future for sure.
THOMPSON: David or Suzanne, you want to jump in on that?
SANGER: The only thing I would add to that is that we have the additional challenge that there is this tension between Silicon Valley and the military. That's quite clear. You saw it at Google when the Google employees had a bit of an uprising over the development of an artificial intelligence system that would help with the accuracy of drones. And as big an issue as that seemed to Google, it's a pretty tiny one within the vast space of what we're developing in the way of cyberweapons. So one big difference between now and the Cold War is that during the Cold War there was no question that IBM and that General Dynamics and others would work for the United States government and do this. For Google, for Microsoft, for Facebook, for others, they are American-based companies that have grown up in part because our system so breeds those companies, but their customers are all over the world. And they don't want to be seen, understandably, as units of the U.S. military or intelligence.
SPAULDING: Yes, and so I think a couple of points that flow from that. One is, you know, their ability to help the government with understanding threats and defending against those threats. You know, they have tremendous capability there, and that is one of the reasons that Congress and the executive branch have made the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency a central point of interaction with the private sector, and that the Cyberspace Solarium Commission recommendations were all about strengthening and building up CISA's role and capability. And the other thing that flows from the comments that David has made is that you do need to consider now that the private sector is a part of the battlespace here. And that is not something that DOD is used to. And so we all believe that we need to be able to respond with alacrity to cyber threats that are coming at us. But it is really important that we continue to take into account that there are significant private sector equities at stake when we're contemplating and using offensive cyberweapons. Retaliation, as we've seen in the past, is likely to be against the private sector.
THOMPSON: Well, on that note, all of you in the private sector, it's two o'clock, better to get back to your jobs and set up your two-factor authentication. Thank you very much for joining today's virtual meeting. Thank you to our fantastic panelists. Please note that the audio and transcript of today's meeting will be online at the CFR website. Thank you very much and have a great afternoon.