Sign Illinois Banking NDA Secure

Industry sign banking illinois nda secure

hi welcome I'm Suzanne Spaulding I am senior advisor at the Center for Strategic and International Studies where I lead the defending democratic institutions project over the past year I had the honor of serving on the cyberspace solarium Commission and today we are going to be talking about that report its recommendations and its relevance to our current pandemic we had hoped to be bringing you this program from Austin Texas we were scheduled to be part of the South by Southwest event which sadly had to be canceled this year we I thought about piping in music to start us off here today we weren't quite able to make that happen but but there's a wonderful Austin band called asleep at the wheel and their drummer for those of you who are fans you may know this their drummer's name is David Sanger and we are privileged to have with us today David Sanger David Sanger who is the chief correspondent and senior writer journalist with the New York Times he has in his 36 years of writing for the New York Times a won numerous awards including three Pulitzer Prizes for teams on which he's played a key role he has lots of accomplishments he's written a number of books the most recent of which is the perfect weapon war sabotage and fear in the cyber age which I highly recommend he is a 1982 graduate of Harvard College and currently co teaches with Graham Allison a course entitled central challenges in American national security strategy and the press at the Kennedy School of Government our David Sanger does not as far as I know play the drums we are also privileged to be joined today by my esteemed colleague on the cyberspace Stellarium Commission Congressman Jim Langevin Island congressman Langevin was elected to the House of Representatives in 2000 he's a senior member of the House Armed Services Committee where he is the ranking member of the emerging threats and capabilities subcommittee he's also a senior member of the House Homeland Security Committee he has long been a leader on national security and particularly on securing our nation's infrastructure from cyber threats he was a co-founder of the congressional cybersecurity caucus and I first worked with congressman Langevin years ago on the center for strategic international studies Commission on cybersecurity for the 44th president which he co-chaired he also co-chairs the bipartisan congressional Career and Technical Education caucus where he is a strong advocate for increasing access to training and improving the skills of young people so that they can make the most of their talents and particularly in areas where employers are looking for skills hence he is a strong supporter of improving our cybersecurity training he was elected to the Rhode Island House of Representatives in 1986 and in 1994 he became the youngest Secretary of State among his other accomplishments his leadership resulted in reforms to Rhode Island's outdated election system so another area of expertise on an issue very important to us today we are really thrilled to have both of you here and with that I'm going to turn it over to David who is our moderator well thank you Suzanne and Thank You congressman for joining us and sorry we're not all doing this in Austin when I first got the invitation to join you guys in South by Southwest I called Suzanne I said clearly they had invited the wrong David Sanger they met the local one but she insisted that that while he was fabulous on the drums that for an hour-long conversation on cyber that no they were going to actually go with that with with with the loser of the two so congressman let me start with you for those who have joined us today and may not know much about the cyber solarium how it was modeled on the Eisenhower Silurian project which was part of developing our Cold War strategies he just tell us a little bit about what the Commission was and to the degree you can just try to touch on the main conclusions of what I have around as a probably 300 page printout of the the final report sure well David thank you great to be with you thanks for moderating today and along with my colleague on the sub-saharan Commission Suzanne Spaulding it's great to be with Suzanne again we had indeed all hope to be together in person at South by South buy-in in Texas it would have been a great opportunity to to be with many of the attendees there and speak about this in person I've been trying to get in South by Southwest Conference for years and schedules just have not lined out because of congressional votes and this was a one time that was going to work out and I was so excited to go there and as fate would have it it just did not work out just by a whisker unfortunately so I hope to take a rain check and be able to be there in a future event but being on the this hilarium Commission and participating and the robust dialogue and discussion and debate to device it was so meaningful among my most meaningful experiences in the 20 years that I've been in Congress and quite frankly it's the way that Congress should function very welcome but unfortunately it doesn't but we had that opportunity at the Commission and as you mentioned it was designed on the premise of the concept of the the Eisenhower projects Larry when Stalin passed away President Eisenhower recognized that our strategy in dealing with the Soviet more geared toward young with the person and with the country and so he tasked his national security team to divide up into three groups and they basically had to argue and develop positions around three strategies one which was confrontation second was dismantlement third was containment and they argued their position before Eisenhower and President Eisenhower being the final arbiter eventually as history now knows we chose containment in a guided us policy our spending a strategy and going forward for several decades well we the Congress has recognized that the country the United States needs a much more comprehensive strategy for protecting the United States in in cyberspace we will never again see modern warfare for example without some type of a cyber component to it makan tree that invented the internet we make most use of it but we're also most vulnerable to its its flaws or security loopholes and security was never the internet never builds with security in mind and so we recognized Congress recognized creating the type of the Times Square and Commission in DAA that we needed an overarching strategy so basically we we came up with the three major concepts if you will that would shape behavior and the second would be to deny benefits of our adversaries and the third would be to impose costs on our adversaries and and basically there were six pillars within this this whole concept is construct these findings the first of which was to be informing the US government structure in organization so one of our key conclusions there was creating a national cyber director a senate-confirmed national cyber director that both policy and budgetary authority next reform of the government structure would be creating a select committee on cybersecurity right now there are some 80 different committees and subcommittees and Congress that can can claim jurisdiction to cybersecurity in some way shape or form it is it is beyond frustrating that when you want to introduce a bill you have a hearing or you want to move a piece of legislation through Congress that it moves so slowly because of all these we multiple jurisdiction claims and so we and also the Congress really lacks right now the expertise the cyber expertise so by creating a survival against cyber you would have members that we develop cyber expertise as well as staff that would further develop cyber expertise and that would be the primary focus of cyber legislation and oversight so you could better coordinate oversight in cyber security but you'd be able to move much greater agility and and effectiveness if you had one one focal point in the same way that the Congress created that the House chromis what committee on intelligence and the Senate Select Committee on Intelligence during intelligence reform back in the 70s the second pillar is strengthen norms and non military tools so basically that would be for example creating an Assistant Secretary of State for cyber to leave your cyberspace security and emerging technologies so this is working more with our international partners and in working with establishing international norms of what is responsible and not responsible behavior in cyberspace and being able to call out entities that violate those laws the third pillar of the six is promote national resilience so the looking at that the consequences of cyber incidents and how do we lessen those consequences if the bad thing happened how do we reconstitute and get up and running more quickly so thinking about in terms of continuity of the economy planning the fourth pillar reshape the cyber ecosystem to a greater security so when you get a boner ability of cyber incidents and and how do we quantify what gets us to stronger cyber security and one of the things that is really a glaring omission if you will from the discussion is being able to quantify what is better technology more cyber security so creating the idea of creating a a Bureau of cyber statistics would be an example so that if we employed a new cyber technology but say two factor authentication how much more cyber security does that actually make an entity sometimes we have a gut feeling right now what it makes us more cybersecurity but we don't really know and this would to help to develop those metrics the fifth or is operationalized cybersecurity carburation with the private sector basically countering cyber threat actors and and also designating systemically important critical infrastructure we call it's icky systemically important critical infrastructure to identify those entities that have a unique position in our in our in our country that if they were attacked if they went down there not only with the business entity I have a bad day but the country would have a bad day so developing a close relationship with them more collaboration and and trying to make them more resilient and then finally that the sixth pillar is basically preserved and employee military instruments of power and basically looking at strengthening and resourcing us Cybercom in a posture review making sure that we are updating work that they're doing and make sure they're properly resourced but basically it's a it's the you would get the the is the balance of cyber protection teams the national mission teams and the combat mission teams correct so that's just by way of example so broad overview that's what that's the the findings of the Commission there were some 75 or 80 recommendations in the Cyprus query Commission report many of which are going to be accompanied by legislative proposals and we're working to incorporate some of those many of them hopefully within the National Defense Authorization Act right the distinct privilege of chairing the intelligence and emerging threats and capabilities subcommittee and so where we can put these in my mark or in the full committee mark we're going to do that other ways we're looking to get the sign-off from other committees to allow us to offer an amendment we NDAA I need to include more recommendations some of them are it was short medium and long term goals but they're all important and I was so honored to work with such high caliber quality people like Suzanne Spaulding historian and expert in cyber in her own right and the other commissioners that were part of the effort again that the the dialog and discussion was was rich and and debate was just excellent the way the Congress really should should function and I was proud to be a part of the effort and I believe this is an actionable report I give great credit of course to senator angus King and comes from my calendar to co-chairs of the Commission I should have probably started with them and they recognized me reference and mark Montgomery our executive director and all of the staff that that helped to move us along and shape this this report we could not have done this work without their leadership and their deep involvement so I'll stop there and and great to take some questions terrific so I've got a few for both of you and then of course we're gonna open this up to the audience and they were should have instructions about how there submitting their their questions along the way so um Suzanne let me turn to you on a word that kept coming up in congressman Langdon's conversation and its resilience and it's an interesting phrase because it gets to one of the key issues of deterrence you can deter by causing a country to pay a price but you can also deter them by making them think that the attack simply isn't worth it that your resilience is good enough that you would not accomplish your goal even if you managed to hack into a system turn off the lights affect the markets whatever it is that that the effort was can you talk a little bit about that and of course what we wouldn't have asked you in Boston but can now is what have we learned about national resilience from the first couple of months of dealing with kovat 19 a different kind of threat but one that gets to some of these same issues of how able the country is to sort of take a hit and then pick up great thank you David first of all let me fix something I meant to do at the outset which is to give those instructions for how to ask questions because we do look forward to answering your questions and you can ask them at any time throughout this program by going to the CSIS events page and many of you are coming in through that Vince page but some of you are on YouTube if you're watching this live go to the events page and there should be a button there that says ask live questions here click on that and you'll be able to type in your question we'll be collecting those and answering them once David has exhausted his questions or we let him know that he'd taken up too much time that's right they're already pouring it excellent all right well I'll try to be brief then so that we have time to answer your very good questions and those from our audience yeah zillions is one of the is one of the issues that has always been very near and dear to my heart I think it's incredibly important and from my days as the undersecretary at DHS responsible for what is now known as cyber security and infrastructure security agency or sisse resilience was a critical part of what we did and one of the recommendations first recommendations in our resilience pillar in the report is to make sure that sisse is fully funded resourced and has the clear mission and authorities to do that resilience work and critical to that is risk assessment and risk management right so you you can't really be prepared to recover from and minimize the impact of significant cyber incidents unless you've done the analysis to understand what those threats and vulnerabilities are and what consequences they can produce and then as you look at how do we become resilient against that threat you look at all the ways in which you can mitigate though that impact those consequences and the consequences we care about are not just consequences to the IT network right it's to the functions that that network and those assets and systems enable and and so we looked at that you know requiring a multi-year five-year risk management cycle in which you do the assessment of your risk and you look at all the ways to mitigate and then you assess how that mitigation worked and start again and and clarifying sis's rule is the nation's risk manager really that's a key function there but we also looked at resilience so that the continuity of the opera' of the economy that the congressman talked about but we also talked about elections in that context because one of the key areas that we've got to focus on now is that again in election in our election security we're going to do everything we can to prevent malicious cyber activity for example but we have to recognize that someone doesn't even have to be successful with regard to malicious cyber activity they can simply claim to have been successful and if we haven't thought hrough the ways in which we mitigate the primary harm which is undermining public trust in the legitimacy of the process of our elections which goes to that fundamental peaceful transfer of power doing that risk assessment helps us to focus in on what is the consequence we care most about it is undermining that trust so if we want to mitigate that risk obviously we're going to try to make sure that we've got our cybersecurity ducks in a row so that we can minimize the likelihood of successful cyber activity but really we want to make sure that we've got an audit trail this is what paper ballots is really all about mail-in ballots are by their nature paper ballots but this is an area in which we we need to look at the resilience of that system to protect and preserve public trust in that system and that also goes to public trust in our institutions generally so public resilience against pernicious messaging one of the things that raised questions about the legitimacy of the election in 2016 was obviously disinformation and information operations some of them cyber-enabled so how do we mitigate that consequence and so the Commission looked at that and made a recommendation for building public resilience both through media literacy but really more broadly through civic education and civic engagement again look at the consequence we worry about from disinformation targeting our institutions elections the justice system which I've been working on for the last several years it is to get the American public to give up on democracy to give up on those institutions and civic education is a way of reminding people about the importance of democracy what our institutions are all about what are our aspirations for them and importantly how can they be held accountable how can Americans how can individuals help hold those institutions accountable and why they should not disengage but but reinforce their engagement to be informed and engaged citizens to preserve a healthy democracy Colvin has made that even more important David because with Colvin creating the imperative for looking at how we conduct elections and keep Americans safe jurisdictions all across the country are making decisions about changes in their election system those changes are often being challenged in the courts if we have allowed declining trust in our institutions we are going to find that people don't trust the officials who are making these decisions that's problematic we will find that people don't trust the courts that are resolving these issues and we may find ourselves in a situation in which for example in November if we have closed elections in races and courts are asked to resolve these disputes that some segments of the population simply doesn't accept their opinions and then we're in big trouble so resilience becomes critically important Suzanne I just want to drill down on one thing that you raised and it actually matches up with a question we have gotten in which was about what are the main cyber threats for the election in 2020 and what do you see about any attempts from Russia and other players so you mentioned the the pressure to come up with some different ways to go vote post Tobin the most obvious one is mail-in ballots even if you're not absentee in other words do with the equivalent of an absentee ballot but when you're in in state one of the concerns about that goes back to something that happened in the days when you were still at DHS which was of course the Russians got into the registration systems of many of the states we know about Illinois in Arizona that discussion that there may have been in 39 or all 50 of the states but the number doesn't really make a big difference what does make a big difference is that your registration system becomes all the more important if what the state is doing is mailing a ballot out to every registered voter right if somebody's gotten into that registration system you could introduce those doubts that you were just discussing very early on so tell me how much does how much are you worried now how much how good a job do you think in terms of resilience we have done at hardening the registration systems so I think significant progress has been made on hardening the registration systems but I think it your example David highlights the importance of getting these things resolved early time is such an important aspect here one of the reasons that corruption of voter registration databases which is what we were worried about in 2016 when we saw the activity around voter registration databases is that people show up on Election Day and are turned away because their name has been removed by a malicious actor or the Spelling's been changed or what have you and there's very little time then it's election day for people to remedy that if and one of the things that we we are worried about and that we've seen so far for example in the Wisconsin primary situation is when decisions have to be made or are being made at the last minute there is very little time in sufficient time to address and deal with the problems that come up in that case for example the fact that balanced ballots were taking too long to get to people and we're going to get back by Election Day the same is true with your example if if someone goes in and alters of voter registration database and removes names for example or moves changes addresses and people are informed early on that they should be receiving ballots now right or very soon you know well in advance of election day and they don't if there is time they can go back to the Secretary of State's as to their election officials and say I should have gotten a ballot I didn't get one why not so detection is one of the one of the ways in which we can be resilient and address problems but if we in this case it would require time and that's what I'm very worried about I'm worried these things are going to take too much time to get resolved and won't be put in place with enough time to address problems that may arise well thanks um congressman looked at go back to you on some of the points that that you raised early on there as well and I really wanted to focus the most on the question of how what how a pandemic has made you think differently about the national the way we support national security issues that don't immediately fit within an easy military or intelligence budget so what we've discovered in the pandemic SEF was that we had poured a lot of money into thinking about how you would deal with a bio weapon that was released in the United States but not all anywhere near as much about a naturally occurring one that came out of all wet market or you know teenagers at spring break or something like that in cyber it strikes me that we have done a huge amount of funding for US Cyber Command and NSA we don't know exactly how much was some of it is buried in black budgets but we have a pretty broad sense of that and yet the report makes clear that since 85 percent of the targets are in the private sector and so forth that we are very scattered shot in how we spent money on defenses outside of the government's purview so pick up a little bit on how your thinking is changed on that issue sure so there are there are two things that I would say the the the koban 19 crisis the we find ourselves as highlighted a at least several things but that are sort of related to cyber and you think of how important it is to have a coordinated response cohesive strategy and you know a point person if you will hoping to bring that all together and that's one of the reasons why I am such a big advocate of a national cyber director it's one of the the glaring holes we have in in terms of a you know somebody being in charge of response and being able to bring together all the the elements of both the government response as well as working closely with the private sector but beyond that we need to look at continuity the economy as a is a major loophole or some of those already left unanswered and that's why contrary to the economy planning is such a an important recommendation in in the the findings of the software commission report you know get if if kovat has shown us anything it's that preparation and planning are really important in preparing for a catastrophic event one of those relevant recommendations against this conjugative economy planning so this idea that you know we take stock of our national critical functions and establish a framework that really plans for how to prioritize restarting or recovering core functions in a crisis so it would identify areas that we should invest in resilience and backup and for example one here is do we really need to invest in secure systems or Orbach like analog because risk destruction so catastrophic are taking those things offline and having them isolated you know what are you know such the data is so critical to restarting the economy that we should basically explore additional backup systems with allies for trusted partners so if kovat is taught us anything is that we need a point person we need a cohesive comprehensive strategy in response that needs to be exercised and it needs to be thinking about in terms of how do we in critical core functions it went down in our economy how do we restart and and so you want to think those things through just a jerk playing you through four responds to Kovac 19 we also need to think through in terms of what areas of the a of the country priorities if there ever a cyber incident of significant consequence okay um Suzanne let me take for you a question that is coming in from mark Friedman of in Barry I he was directing this specifically to you but others can put in there their thoughts as well congressman this question is in the push to secure that critical infrastructure that both you and the congressman we're talking about how come the government and industry assure they have visibility into their entire network perimeter and those of their critical suppliers and happen these organizations maintain accurate asset inventories in the cloud it's an interesting question because visibility is limited domestically and then of course if the visibility you need is abroad you can imagine how US Cyber Command or the NSA might have it through their technical means and persistent engagement but it would be very hard necessarily for the private sector to be able to be out in to save the land of foreign suppliers and so forth so what would you say that Mark's question yeah so the Commission did talk about what you know one of the things that we fell back on repeatedly was reaching for the market as a solution whenever we possibly could with the sense that that a market is generally more effective and efficient than than the government at bringing about the right kind of behaviors and and yet we understood that the market is failing today and one of the reasons that the market is failing today is because largely failing today is because of a lack of information and and so as and part of that is information with regard to supply chain right that kind of visibility and transparency that you're talking about and that the questioner raises is important if we're going to ask folks to make wiser risk management decisions right about how to manage their supply chain they need information in order to be able to do that and so the report does talk about that it talks about the role that the government can play in we've always you know kind of try to avoid picking winners or losers in the marketplace but particularly with respect to those national critical functions there is discussion in the report about the role of government can play in pointing people toward you know supply chain visibility security and vendors right the importance of making sure that we understand our foreign dependencies and so we've got some recommendations with regard to Sofia sand even broadening that and the and the mechanisms within departments and agencies to look at our foreign dependencies and to and to move toward we talk about an industrial base nest real strategy with lowercase letters because that industrial policy can mean so many different things to people but what we talked about in the report is looking at our foreign dependencies and making sure that we have secure and reliable supply chains and and again a number of areas in which we recommend that the government provide more information to the public and require in some instances more information from the private sector and particularly that is true with regard to what the Congress referred to is sickie systemically important critical infrastructure which I think we all agree is a rather unfortunate acronym but we put it is one of many in the cyber world yes this you know this notion that there are elements of our critical infrastructure that are particularly systemically important for sustaining these national critical functions and that that relationship needs to be a two-way relationship so they might have a privileged if you will relationship for example with the intelligence community but they might also be required to provide information to the government okay congressman we had a question from my friend Harvey rich cloth of the American Bar Association who says many thanks for the good work for both of you and he asked what is the best way to establish international norms in cyber in your view given the state of the U n GTE another one of those awful acronyms and all this but it's the U n a group of experts who have dealt with this stuff let me piggyback on Harvey's question and see if I can make it harder which is to say that if we're going to have international norms which is to say you know we all agreed that we won't mess with each other's power systems or we won't measure mess with each other's Emergency Medical Response or we won't mess with each other's water systems or something like that or election systems and I think you probably get a few Americans to sign up for that yeah that means that the US intelligence community NSA Cyber Command would have to basically say what they were willing to give up because all of our plans involve if you got into a conflict being inside the infrastructure of another country so I'd like you to ask answer Harvey's question which is what's the best way to establish norms but also whether your experience on the Commission led you to believe that anybody in the intelligence community of the defense community is actually willing to say okay we are willing to deny ourselves of X targets or tools in order to make those international norms work so let's draw the distinction here between intelligence gathering and understanding information and having situational awareness from actions that would be been something so offensive in in peacetime yeah I'm not naive to think that government's Oregon's sudden stop intelligence collection activities it's understanding the world around us that actually makes us safer right I mean if you have perfect fidelity and understanding of your enemies or adversaries actions and you know whether they are peaceful or malign majeste your behavior is when fear kicks in when you don't know what those intentions are that the consequences can escalate and and a negative things can happen spin out of control quickly so I'm not I'm not suggesting that governments are going to stop intelligence gathering and being out there what I what I am saying though is that we can agree to international norms that we're not going to attack each other's critical infrastructure of critical functions and in peacetime and so and therefore we need to we need to look at in time of wartime comfort we all recognize that the gloves come off and that you know that the country the United States would always do whatever is necessary to detect the American people so that calculus is not going to change guys are engaged in this report or anything going forward but what we can say is that we we expect responsible actions behavior in in cyberspace and when those those norms are violated we need an international community need to come be able to come together quickly call up bad behavior and impose consequences at and you know it's really a humbling place without choosing but it doesn't necessarily have to be a yo know offensive cyber action it could be a sanction the indictments or what-have-you but being able to act with the agility act quickly and responsibly we can have enough information to call it that after it is important and out although this is not sign related oh look at the people poisoning that happened in in Great Britain and you know there's a situation where we didn't have perfect information about who perpetrated that activity but the international community using all-source intelligence and collaboration came together very quickly and said the Russians did that that's irresponsible that is not reaction that we are going to tolerate on our soil and and the international community collectively call up the Russians and responded with with sanctions we need to have that same type of mindset we talking about maligned cyber activity and in cyberspace Damon I would just add of course exactly right the that despite this the skepticism reflected in your question about whether the military C would ever agree to you know sort of unilaterally disarm if you will that we were leading I mean you know when I was at DHS I mean the administration was leading the global effort to try to get agreement around these norms one of which as the Congress said was not attacking critical infrastructure upon which populations depend and these were peacetime norms right and that was a really important distinction but but that was an administration position you know that that I think I can say the I see in the military you know we had lots of interagency discussions about this and the decision and the agreement was yes we can support this you know pushing for these norms so so I think that's important to recognize but we haven't that much and not only at the at the during the Obama administration there was some an initial agreement at the at the UN that fell apart later on in part because of Chinese and Russian disagreements and during the Trump administration when there were even vague sort of standards were put out by President micron during the hundredth anniversary of the end of World War one we saw a number of countries and a lot of companies signing up to them but the two democracies that did not win the United States and India yeah well it requires you know the the right direction from the White House congressman one of the questions that has come in has been on a specific threat which is North Korea which you look at this comes from Connie Kim Voice of America who asked how much of a threat you see for North grievin though its capability is not as great as China's or Russia's and how is Congress in the u.s. plan to counter or deter North Korea's cyber threats um as I look at what's happened in the past couple of years it's interesting how innovative the North Koreans have been just as a symbol of what a small power that doesn't have a lot of money to spend but is highly motivated can go do and we've seen their entries into manipulating with cyber currency markets we've seen their ability to fake out the international banking system and get into the Swift system as well and still a fair bit of money that way um as I know that when you had your commission sessions in some cases you worked specific report doesn't tend to be very much but talk a little bit about what we've learned from the North Korea experience so the it goes back to what I've said it many times that you will never again see modern warfare or conflict or these types of operations that happen in the future without some type of a cyber component and you know our two oceans you used to give us a great security if you will because of the distance between us and our our enemies or adversaries that has now forever changed and it's just as easy to detach someone if you will or carry out an operation from someone in that room that is to do it half a world away and when you're talking about certainly nation-state capabilities they are they are significant and certainly north Korea has invested heavily in disruptive and mind and/or offensive cyber capabilities and as of Russia and China and Iran as well as other nations but those are the kind of the top four that give me the the most concern and of course not only developing these these these tools that could be used against us to Thomas but but also the working with proxies that they could work with proxies to carry out some type of what kinds of cyber al great operations so look we need to and we talked about this basically in the in the Silurian report but being able to use all assets of national power to deter or respond to malign cyber activities and look it sometimes it might be cyber on cyber but it also could be in indictments it could be sanctions and that's why this is again one of the key findings of report calling for more involvement in cooperation with international partners the international community to promote responsible state behavior in cyberspace that's why it's so important that we create an Assistant Secretary of State for cyber and and lead a new division if you will this Bureau of cyber space security and emerging technologies and this would eliminate the reverse of the elimination of the decision held by Chris painter who's the top cyber diplomat at state before by doing these things that's how we work collaboratively and we we promote responsible state behavior in cyberspace and and punish bad actors when when they may don't act responsibly um Suzanne I you've heard the congressman twice talk about non cyber responses to cyber events he mentioned indictments which the US has done against Russia China Iran and North Korean actors he mentioned sanctions which we've done in the cyber arena against North Korea Iran and Russia and yet I think there is a sense right now and correct me if I'm wrong that while these were designed to improve deterrence that we know how much of a scorecard to show as a result that you know after those Russian indictments the Russians have come back after the North Korean indictments the North Koreans have continued to mess in cyber current in crypto currency areas and and other territory this all gets to your debate about how you deal with gray zone action so um did your thinking on this change any over your time on serving on the Silurian Commission so you know we did talk we talked a lot about that deterrence is not working below what you know sort of whatever you think that threshold is for kind of use of force but in this gray zone determine deterrence seems not to be working and a big part of that as you know as we started our discussions a sense was so that a big part of that is that the adversary is not feeling any consequences so big emphasis on imposing consequences I had a lot of discussion about that one of the and I and and and there's a fair amount of that and I'll come back to it in the report but one of the things that I thought was interesting both the evolution of my thinking on this but I saw it more broadly the members of the Commission you know the Commission of course was a creature of the National Defense Authorization Act in the Senate Armed Services Committee I think it's fair to say in congressman you can disagree if you saw it differently but I think it's fair to say that we started out with a very much of a look at the adversary how can we think about imposing consequences we need to deter cyber activity you know punch the punch the bad guy in the nose and a lot at a number of our first first few meetings was all focused on that over time I think there was an increased appreciation for a recognition of the need to move beyond just consequences and really focus on protecting the ecosystem and on millions because our ability to deter the actor by simply raising the cost ie imposing consequences is limited so as I start with that I think it is easier to think about imposing consequences that might limit the appeal for private and private individuals proxies to continue to work with States and I think that is really the primary advantage of the law enforcement approach is potentially limiting the ability for example of those private actors cyber criminals who might loan them their services out to States to get to their villa and the South of France for example and and so we do talk about strengthening the ability of the FBI to use use that use its tools but but there is a limit to the degree to which we can impose consequences we think that it's important to think about deterrence however not in the traditional terms of nuclear deterrence where you have a binary a situation you've either deterred your adversary from using a nuclear weapon or you haven't and that's pretty stark it's pretty obvious to see in cyber of course what we're talking about is something that we know is going to continue to go on but where you look to reduce the level of activity or the severity of that activity and that's the kind of deterrence that we're talking about and one of the most important things that we highlight and David your questions have gotten to this as well is that in order to have an effective deterrent strategy you have to look at individual actors there's not going to be a comprehensive strategy that's going to deter them all North Korea is driven by different motivations and can be leveraged in different ways than Russia or China and so one of the things that we call for and there is a much more robust campaign planning process for developing very specific strategies for deterring malicious behavior in cyberspace and I think we have to be realistic that you know what we're part of what we're trying to do is to get them to move off of some things they're going to continue as with China we got China for some period of time to reduce its activity in cyberspace to steal sensitive business information to help its companies but their activity to steal sensitive business information in non cyber ways was not reduced at all and so we need to understand their back if you believe what you read in there are times they're back and looking at that seats yeah exactly and they're going to listen so that goes again to understand their motivations they are going to do what they think they need to do first reform us to stay in power and we need to be realistic about that and then we need to look at okay how do we keep them out of the things that would harm us the most and so that's why if I could jump in here David and say we need to ensure that we are raising our cyber it defences strengthening our cyber defenses so that we are ostensibly then imposing costs on our adversaries by spending all this time Efrain resources trying to get in to carry out whatever mine cyber activity that they're looking to carry out but they're getting little to no benefit out of it and squandering resources on their part getting a little nothing in return for it and so strengthing I defense this has to be a key going forward again right now with the country that makes most even what use of the internet but grows and post subject to its vulnerabilities we want to cut up now that that that that that window if you will in that gap between what AB C's is doing right now in getting out of it and and how we strengthen our defenses so that we got stronger going forward congressman Lee just pick up with you on one last question because I see we're just down to the last few minutes of this so there are a lot of congressional commissions over the years and presidential commissions and some of them turn out to be effective and bring about big changes I would say the 9/11 Commission certainly certainly brought about major changes you can argue about which ones of those were effective or not but there's certainly women I can name some other commissions and won't where the report sort of got filed away you've tried a different strategy here which is to operationalize a report with very specific recommendations of things to go move into legislation much of it into the NDAA the Defense Authorization Act because you know the president's gonna sign the NDA is the question of what you can actually get into it 40 sides that right but my question to you is first of all given the given Congress's somewhat shortened attention span in the midst of Coe bid and the economic recovery and all that how does that impact your strategy and secondly Suzanne wisely because everything Suzanne says I find is pretty wise makes the distinction that you should not use the nuclear analogies here for deterrence something you and I have been talking about for many years and yet I find among your colleagues it's the first thing out of their mouth when you ask a question for somebody who has not served on the slurm Commission who has not thought about these issues as much um so how effective do you think the solarium has been at educating the rest of your colleagues in Congress so I think it is definitely raise the bar and it has definitely helped to educate more members but remember there are 435 members of the House and hundred members of the Senate and each had their own areas of of interest and priority my job has been to I focused on on cyber for more than a decade now to try to raise the level of awareness and and expertise and interest in in cyber for colleagues and and staff and you know we've succeeded to some degree but unfortunately I think the the main reason for the enhanced awareness of cyber vulnerabilities is because of the many threats that we face the high profile hats and intrusions that have kind of recurred so the awareness level is is high right now I think that the solarium has helped to better educate members and and more dude that he died but will we're going to be holding congressional hearings there's already been a hearing this happened in the Senate we're gonna be doing our thievin if it's virtually on the on the on the house side very pleased again we have four members of Congress who are deeply committed to seeing these sub recommendations enacted over the the short medium in the long term but I'm looking for a ways to see as many of them in an act as possible if my experience in Congress and my experience at the Kennedy School at Harvard taught me they told me nothing it's them that is making a good public policy has three elements as I have often said which is you have a problem you have a solution and the window of opportunity and those three don't often line up easily or quickly but when they do we can need to be able to push your initiative across the finish line and we are using because the the vehicle the ndaa to announce some of those proposals as you pointed out it's very likely that that will be signed into law by before the end of the year its 1553 is running now that the NDAA has been enacted so i confidence that we're gonna really success for some of these things that others will move through in other ways but by the way the the kovin a 19 crisis unfortunately has provided a window of opportunity that we need to learn from and and that we will use this time to do things like hopefully push through things like IT modernization so one of the things that you see is a problem for states municipalities they have antiquated IT infrastructure and so incentivizing and supporting funds and and encouraging States to modernize arriving at the infrastructure again moving to the cloud so that they can handle both surging to accommodate the need for enhance services for example you've seen the in her the stories about unemployment insurance where people have not been able to get online haven't been able to get the UI in a timely manner it's because they just states can't handle that bubble of sort of applications coming in right if stay were had their their data in the cloud and their systems the cloud it could easily ramp up they could easily handle a surge in need and in a response that they need to have to accommodate citizens requests for support so these are the types of in other way it enhances security right if we want to encourage data move to the cloud IT organization but you also need to have a certification process to know that that the cloud infrastructure is secure and that's going to be on the part of the kind of structure providers to make sure they're making and for every extra pair to to secure their the cloud infrastructure but hese are there there are we have great proposals here and I think a window of opportunity to push through many of them and collectively we're going to do our best I know that thinking ahead the commissioners are committed to that the members of Congress are committed to that and I see real prospects for success in the near future well Suzanne we are not out of questions but we are out of time I'm afraid so I'm going to turn this back to you for your closing any closing comments and spare you guys having to sit through my efforts to learn I would be a drummer and thank you both for for such a great conversation David you for terrific moderation moderating there's nothing nothing moderate about David except his wonderful skills and and congressman thank you and I want to echo your thanks to our wonderful bipartisan really nonpartisan leadership of Senator angus King and Congressman Mike Gallagher and our outstanding staff at the Commission and I I will just close by saying that I really look forward to the time when the three of us can get together for some Texas barbecue even if we have to do it in Washington DC I want to thank everyone who joined us for this discussion and and take care of Stacy [Music]