Sign New Mexico Banking Memorandum Of Understanding Secure

Industry sign banking new mexico memorandum of understanding secure

good morning or good afternoon depending on where you are or possibly good evening my name is elizabeth brawl i'm a visiting fellow at aei working on something called gray zone defense and i have discovered over the years that it's that gray zone defense sounds a bit gray or rather so it's a bit unknown to many people and that shouldn't be so because it's incredibly relevant today um and not just gray zone defense but more specifically gray zone aggression because lots of countries are experiencing it uh whether uh they notice it or not and um that's why we we are uh hosting this event today to to uh provide an introduction into gray zone defense gray zone aggression and defense uh what gray zone aggression is uh who is being affected by it and what we can do about it and um it's even though the the the subject or the the the uh the um well the term may not be very well known uh i can give a secret way which is that everybody is being affected by gray zone aggression so just to give you an example three years ago um ukraine was hit by a phenomenally powerful computer virus that took down airports hospitals virtually every single government agency banks retail companies and so forth and that virus then traveled on from ukraine to hit lots of other companies worldwide for example it hits mask which is the world's largest shipping container company um we rely on it for virtually everything we consume it's just we don't know about it because who of us has ever been to port to to receive whatever it is we need we all depend on mask it hit merck which is as we all know an american pharmaceutical giant it hit mandalay which is an american snack giants and it hits a fedex european uh subsidiary and so forth lots of companies were hit even though they themselves um are not hated by any specific country but this is where we are today where where gray zone aggression which is forms of aggression that take place below the threshold of armed conflict are happening with great regularity one can almost say every single day and where they affect companies especially in our countries here in the west and ordinary citizens as well so uh and we should shouldn't forget that gray zone aggression of course includes this information which is something that i know americans have been greatly concerned about at the very last least since the 2016 election um so it seemed uh not just it seemed it is a very good idea to discuss what constitutes crazy integration what's happening in different areas in industry in politics in an infrastructure and to do that i have been joined by three fantastic experts um from different walks of life um so i'll introduce them alphabetically and we'll start with helene gallin who is she leads something called the willis research network which is the research arm of willis house watson which is one of the world's largest insurance brokers and why insurance brokerage on on an aei call you might ask about national security well in the insurance industry is on the absolute forefront in watching and trying to figure out what to do about this aggression because if when something goes wrong insurance companies pay then we have paul johnson who is the chairman of the swedish parliament's defense committee and in that capacity he is in charge of trying to determine where defense money should be invested obviously the government has an opinion too as is the case in most democracies but parliament has a very very important role in determining what the right strategy is and whether the government's plans make sense and we should i should also add that in sweden uh defense investments are very much or defense spending very much happens on the on the basis of consensus between all parties represented in parliament so that's why paul sits in a very important post then mark montgomery who is the executive director of the cyber solarium commission um which is a commission bipartisan rather i should say non-partisan commission appointed by congress comprising congressional uh members of congress senate and house federal leaders and then the the the secretariat is led by marcus a former u.s uh navy officer rising to the rank of rear admiral and if if anybody on this call hasn't read the cyberspace salary commission's recommendations they are fantastic and really show what can be done in the bipartisan or even non-partisan fashion to keep the make the country safer because as we all know cyber attacks are part of gray zone aggression and and they affect the us and other campuses every every single day so with that i'll turn the floor over to paul followed by mark and then helen so over to you paul thank you very much elizabeth and great to be with you from stockholm and say a few words about grayson aggression and how we dealt with it in sweden feels very appropriate as i look out the window as you know elizabeth sweden in november is permanently gray so we are definitely in a gray zone but to be serious i think our approach to grayson it's bound to to be shaped also by our geographic proximity to russia we are currently exposed to a multi-dimensional threat situation which includes a combination of military and non-kinetic thresh and vulnerabilities at the same time thus i guess my first point would be that we don't really have the luxury tissues where we allocate resources between mitigating risk associated with grayson or building up the armed forces we just simply need to do two things at the same time unfortunately as you also know the the risk of armed conflict in europe has increased during the last decade we also know that elements of what we associate with grace zone would be connected also to an armed conflict in the run-up or in the early stages of a conflict i'm thinking for example about cyber attacks and this information operations so when you're working on securing the states you need to keep two ideas in your head at the same time i guess that would be my introduction when it comes to to uh to the allocation of resources uh of course much of our thinking has been shaped about the the about grace zones about the illegal annexation of crimea small ground small green men popping up on crimea and russia's aggression against ukraine however i would say that the world has grown considerably more complex in 2014 in at least three ways it has become much more digital it has become much more obesion and considerably much much more chinese let me explain the last point there but i think that the basic line is here that you see these grayson methods being used and i think they are pretty much symptoms of the fact that we're back to a stage of great power rivalry again between the great powers has also outlined in the us national security strategies from a swedish perspective i think that main perpetrators are well known it's about china and it's about russia let me also be very clear that this is not a threat this is a challenge that we're dealing with 24 7 on a daily basis i think it's also fair to say that it's growing exponentially especially due to the very rapid digitalization process that we're undergoing also when we build on our intellectual heritage on approaching uh grace on aggression i think we withdraw some lessons also to our total defense concept as you know we used to have a military and civilian defense uh civil defense very much about the whole of government endeavors i think that's also very much the case when you approach grace on challenges that you need the whole government approach i think it's also uh fair to say that the more prepared you are to handle an armed attack against your society the better you're actually equipped also to handle these kind of grace zoned events and i think the third point i would make on grayson and total defense is actually to look at finland and finland is considered a little bit like the shining city on top of the hill these days when it comes to to handling gray zones and hybrid threats i think they're advancing their ideas very vividly within the eu and nato and they're of course home of the eu nato center of excellence against hybrid threats i think we have much to learn from finland because they also have a total disadvance concept and also focusing quite a lot on resilience now briefly going back also to your excellent paper elizabeth i will try to be a little bit more concrete on how we handle some of the challenges connected to greystones in sweden particularly subversive business practices disinformation campaigns and cyber attacks and in all these three cases i think that we have a very similar approach we've been working on reviewing organization or adopting new legislations we've been establishing new government agencies we're working more on our interagency process and we're working more in cooperation with other countries and other organizations first on subversive business practices it's well known that sweden is a large recipient of foreign direct investment particularly from china i think the challenge is when those investments are directed into our critical infrastructure we used to have a potent legislation up to 1993 then we abolished that and for a while went a little bit what i call happy-go-lucky we realized during this pandemic with where we have seen an increase in these hybrid aggressions that that was unsustainable so we quickly mended our legislation to to provide a better security uh so we can actually make calls against uh illicit foreign direct investment into critical infrastructure we also mandated our export control agency to be in charge of of reviewing foreign direct investment into critical infrastructure and that's also appointed the point of contact vis-a-vis the eu in this case i think actually what you should keep in mind also is that the european commission has done a lot of good work on this a year and a half ago there was about half of the eu member states who actually didn't have any legislation at all in place in order to to meet this challenge and the eu commission is actually pushing us to get better better legislation which is of course increasingly important due to the economic ramifications of the of the kobe 19 and and what will follow from that secondly going speaking a little bit about the mounting challenge of disinformation campaigns i think it's rather systematic it comes both from russia and china we are actually revamping an old government agency for psychological defense who's going to be tasked with handling this challenge or this systematic disinformation operations that we are exposed to it's about identifying analyzing and also being able to respond to such operations this agency would work in close cooperation with our intelligence and security service i think it's vital also to have the capability both to identify and to attribute where these kind of operations are originating from in addition we're also working closely both with eu and nato we are people stationed at the stratcom east at the eu external action service and we also have people at stratcom nato center of excellence in riga which we learn quite a lot from finally on cyber i think it's well known also for us that the advanced persistent threats are increasing in strength and manage exponentially the paradox of sweden is that we score very well on digitalization we tend to be early adopters of technologies at the same time we don't score so well on cyber security which means that you have a lot of vectors that you can actually attack and we are rapidly catching up on cyber security one way about the going is that we looked from the british side where they have the cyber operation center we're trying to to adopt the same kind of structure into sweden where eight different agencies are going to be pooling and sharing their their their resources i think that the brits got it right when they also talked about the safe marketplace uk which is means that you need to work very closely in cooperation with the private sector section sector when you deal with cyber security in addition i think that the eu is an networking security directive and this directive has also done good things to push member states to for example adopt cyber security strategies mandatory incident in reporting and higher network security so for a small country like us it's important to work in cooperations with others finally uh three short notes uh on how to go about and rise education uh when you're exposed to grace on aggression i talked about legislations institutions and international cooperation you need a whole government approach to this when you enhance your resilience in your society secondly it's pivotal to have situational awareness i think in order to identify prepare and respond to grace on aggression and finally which i think we're going to be talking a little bit more about further on but it's this private public partnership which is really crucial because so much of your critical infrastructure this space is in the hands of private companies so you need to have this flow of information between those sectors but i'll stop there thank you thank you paul and you brought up an aspect that i hope we'll discuss um uh much more in the in the uh q a s uh section of this uh conversation and uh on that note please feel free to start sending your questions uh as soon as you as you think of them and i should also mention um that this is again an aspect of gray zone aggression that doesn't seem like a big deal but in accumulation is a big deal um strategic acquisitions by by companies based in foreign countries and obvious obviously that's uh acquisitions international acquisitions are the lifeblood of the globalized economy but when one particular country or particular countries exploit the openness of other countries that's why we have a problem and that's what's happening now which is why a number of parliaments um including the swedish one are looking at better regulation along the lines of um of ciphers which is obviously the the u.s regulator and um paul maybe very quickly if you can mention uh if you can tell the listeners what happened to three cutting-edge swedish space technology companies was it last year yeah yeah it was of course we have a strict export control for very good reasons and this is also something we cooperate with the eu they have something called the eu military list and without getting too into much details this was uh technology that they weren't allowed to export to china and what happened was that a chinese company actually bought them uh he was based in sweden i think that really made us aware of the unintended consequences sometimes of this foreign acquisition as well and now we're rapidly moving to get good legislation so things like that will not emerge again but it shows some of the vulnerabilities that that we weren't really prepared for exactly so to summarize the the companies couldn't export their technology to china but there was no uh there were no regulations in place to prevent the chinese company from from buying them which is what happened and we have to remember this is dual use technology so very much a national security issue and i will pass the floor as it were the digital floor to mark now thank you elizabeth real pleasure to be here um look as we talk about the gray zone the cyberspace layering commission that uh that i'm the executive director of we really grew out of senate and house concerns about the gray zone senator and assass senator mccain uh congressman langevin all had concerns that they could see deterrence wasn't working throughout all of cyberspace the traditional u.s national security response wasn't working uh throughout all of cyber space now look it was working at the high end countries nation states were executing large-scale cyber attacks on our critical infrastructure turning off the power supply there the idea that we had both cyber and non-cyber tools to respond probably you know was still working but really countries had found that they could uh threaten u.s interests without triggering escalation in the gray zone and you know there's a lot of examples there's the chinese theft of you know 24 million government personnel records from opm you know really uh over a 15-year period the theft of more than a trillion dollars worth of um intellect al property unrealized gdp growth due to intellectual property theft um you know we saw it with russia with cyber enabled inf uh information operations campaigns against our elections in 2016 and against some of our european uh partners and allies elections in the 2016-2017 time frame we saw it with dpr north korean attack on sony or even going back a little further iranian attacks on um our banks in the 2012-2013 time frame so a lot of examples out there where people are operating below the level of a use of a us response uh in the graze in the cyber gray zone so we sat back in in one of our tasks that we got from senator mccain was come up with a strategic approach to prevent this kind of you know significant cyber activity and we came up with kind of three additions that you had to put into your in addition your to a traditional deterrence of imposed cost you know deny benefit um and uh and try to reach a shared agreement and that was the three ideas were that first we had to improve our defense you know it's for the united states is an uncomfortable thing the europeans have had this problem for 50 or 60 years but our adversaries weren't close we had 4 000 miles in the atlantic 6 000 miles pacific good neighbors in canada and mexico we didn't have to worry geography gave us a lot of protection well cyber removed that geography so we actually needed you know our critical infrastructure is now at risk and and the way i kind of looked at it was you know the um the availability of tools is increasing exponentially the networking of our systems is increasing exponentially and our investment in cyber security was kind of linear and it best with a slight upslope so these two risk drivers were increasing exponentially your risk mitigator is at best you know slightly linear you're introducing a lot of risk in the system so that geographic issue the introduction of risk we really needed to improve our defense of our critical infrastructure except the united states hadn't really undertaken in in 60 or 70 years um that led to the second kind of big issue we determined which is that 85 of that infrastructure is owned by the private sector operated by the private sector not gov or dot mil so to speak um so we really needed to build an effective public-private collaboration now look you can go all the way back to 1998 i worked at the white house when we produced presidential decision director 63 we said exactly that but we really didn't mean it and in the five sequential reports by the federal government that we needed to build public private collaboration we didn't really mean it we didn't put our level of effort into achieving it a lot of it had to do with the idea that the real problems done were just criminals and that's a private sector problem and we tended to not really address this but i think there's a recognition now that we have to address this public-private collaboration and then finally we realized that we needed to be able to operate you know our our systems in the grave zone more effectively um we need to improve the offense i'll pick up on that and say the same nda that authorized um the commission also authorized uh cyber surveillance and reconnaissance as a traditional military activity that really opened gave the authorities that cybercom would need when you combine that with the department of defense's defense cyber strategy for 2018 which emphasized the ideas of defend forward and persistent engagement ironically the same week the white house released a national cyber strategy didn't even mention this but department of defense very aggressively mentioned it but the white house did come through with something called national security presidential memorandum 13 that has become the organizing methodology for conducting offensive cyber operations in the gray zone so yet authorities from the from the um congress a strategy from the department of defense and then the process set up inside the white house we actually did really significantly improve in 2018 early 2019 our offensive capabilities so we could match our i guess our offensive capacity because we're able to match our capabilities the 130 plus teams at cybercom with a credible intent to use them so to me that begins to introduce deterrence back into this if used properly to confront the adversary behavior at its source um this kind of what's called persistent engagement uh practiced by u.s cyber bank made a difference but one of the things the commission says you got to step back for a second and not just use these military tools so advocated persistent engagement advocated defend forward but said defend forward is more than just these military tools it's also economic tools sanctions against individuals and companies and uh countries that uh that operate uh you know conduct militias activity uh in cyber in the gray zone um it's about law enforcement increasing the funding to our ncijtf and fbi task force that looks at these cyber issues increasing our number of indictments of uh malicious actors overseas increasing our number of mutual led uh our cyber attaches uh from six i think to eventually 20 is what we're trying to get to so we have more of our of our of our professional presence overseas in embassies and then finally diplomatic you know having uh we're recommending an assistant secretary of state but also a more aggressive engagement by the united states both in international forum but also with with our coalition of the willing those partners who are willing to work with us to identify and attribute more rapidly the malicious activity and who did it i mean it's still a problem when i think on this georgian the most recent russian intervention and cyber incident in georgia you know done by the russian government the u.s and uk were excited that they attributed within 90 days you know that's not really timely you know we still need to really work on that attribution so we had to work that offensive side the other two big aspects from the um commission were these uh defensive things we need to be better organized we recommend a national cyber doctor provide that strategic leadership in the white house to integrate the interagency and then build that public-private collaboration alongside a strengthened says a cyber security infrastructure security agency at the department of homeland security which run by chris krebs now together we think those two can help build the executive branch side of the public-private collaboration we're also recommending that the inside the white house we do better planning ahead of time for events and have a better initial response now watching the pandemic we actually wrote a white paper said look what the pandemic teaches you the pandemic is a non-traditional national security emergency a cyber attack is a non-traditional a cyber attack on your homeland is a non-traditional national security emergency if we've learned anything from covet 19 is that pre-planning building relationships ahead of time having an effective initial response and then having your recovery uh you know your long-term recovery those are critical and so having that kind of leadership in the white house would have been effective in covet 19 and will be effective going forward in cyber if we have that national cyber director and then finally where um we made a we made quite a few recommendations on how to build the infrastructure for private public-private collaboration um and i think a lot of these are going to be in the next national defense authorization act the one that will be approved in the next couple weeks um so the infrastructure will be in place for the biden administration to begin to build that public private collaboration but it's going to take investment because we've we've had this epiphany four or five times in the last 20 years but we haven't had the you know the strength of character to complete it we're going to need to do that it means having a cloud you know a a federal uh information sharing center that the federal agencies share with and then share with the private sector what what types of threat uh not you know threat factors we're seeing um it's about having a joint collaborative environment of that data being pushed back and forth not by email but but actually by you know in real time it's having a joint cyber planning office where we work with the private sector about how to build a more resilient redundant recoverable infrastructure when there's the inevitable successful attack and then finally it's about better creating a better cyber ecosystem and this is where the insurance companies come in we think we need to have a bureau of cyber statistics so we can have a more effective amount of information and data for underwriters and others to help to have to provide a better product to um you know to the private sector in in in to in the insurance companies and we think that that will help you know kind of right raise the tide of cyber rise the tide of cyber security kind of writ large across the government while these the the infrastructure republic collaboration really targets the high-end infrastructure that the government relies on um and it's uh executing its day-to-day mission so cyber station commission kind of looked at all those issues but it all emanates from a challenge in the gray zone and the inability of our traditional national security uh apparatus to deal with it and so i think if we implement these in the next national defense authorization we'll be in a lot better position you will be and and other countries can learn from the the commission's recommendations as well and we should mention that the reason that that there is so much activity in the gray zone now today is that uh our countries nato and its allies uh are are pretty well set up militarily they may not be perfect but they're very good and so there would be high cost uh enormous cost to anybody uh attacking a nato member states or or one of their partners but in the gray zone it's unclear exactly how uh an attack it would be punished and at the moment they are not punished at all apart from a little bit of us and british and other allied offensive cyber capability and that's where our challenge is uh but at the moment the gray zone is extremely attractive and um the reason uh well the reason we know that it's attractive is that it's continuing and continuing to grow um and i should also say uh the the case that i mentioned previously uh not petya that ended up uh bringing down so many really vital companies in the west um it's it's really interesting to see how that case then turned out because it illustrates where we are today uh one of the companies ended up where they wanted to claim on their insurance and virtually all insurance has a war clause that says in case of war uh these conditions well your policy doesn't apply because obviously in the war all bets are off and this company claimed on their policy and uh their insurers said well this act was a tribute to a foreign country it's a an of a hostile country in this case russia it's an act of war so your policy is is not valid and so here we have this case about what constitutes war being fought out as it were by two private companies at the court in illinois and that really illustrates where we are today uh helen on that note over to you thank you elizabeth and uh thank you very much for inviting me to join this panel and to uh paul and mark for dropping a few hints which i'll pick up on um because gray zone aggression is very relevant for the insurance sector and for the private sector as a whole and it can have very serious consequences financial increased uncertainty and reputational damage so in the next few minutes i want to look at a few examples of disruption i want to consider how insurance can help organizational but also societal resilience but also consider the the limits of insurance and in this situation and how we need dialogues like today to reimagine insurance in the gray zone world now let me start with three examples to convey the the range and scale of impact on the uh private sector and you know you've mentioned that example already um elizabeth in not petya showed that no industry sector is safe from cyber attack any organization can end up as collateral damage beyond the intended ukrainian targets a number of multinationals were affected maersk merck mandalays and and that's you know that's only looking at companies starting with m other letters of the alphabet were affected too now another example is an emerging trend in the maritime space satellite communication interference gps jamming especially in waters close to conflict zones and in 2017 for example um the captains of several vessels operating in the black sea reported that their gps was placing them uh at an airport 25 miles inland of russia so it's not ideal if the ship's officer can't know the vessel's position and speed and going into waters uh subjected to sanctions can also invalidate your insurance policy uh although that might be the least of your concerns if you make it safely back to fault now final example if it's not bad enough to see your data and your i.t systems compromised cyber attacks can also create physical damage stuxnet is probably the best known industrial control system malware but even before in 2008 a pipeline in turkey exploded after cyber criminals hacked into its control systems and not only is malware proliferating but we're also increasingly vulnerable to these attacks i mean look at us spending our lives on zoom and relying on the internet of things for all aspects of our lives so in that context how can insurance in particular cyber insurance help a cyber risk is not simply a technology risk it often comes down to people risk and people really represent the largest source of data breach claims we've looked at data cyber claims data and it shows that employee negligence or malicious acts uh account for two-thirds of cyber claims of cyber breaches and so that this vulnerability can be fatal if you get caught into the gray zone and an interesting example in july 2019 the u.s coast guards issued a safety alert following a cyber incident which had completely debilitated the computer systems of a large container ship heading for new york and their investigation with the fbi concluded that one the ship's computer systems did not contain any antivirus software two the crew had common login details and three portable data storage devices were routinely plugged into the the ship's computer systems without any screening so very poor cyber hygiene so insurance solutions can play a key role in mitigating the impact of cyber threats because healthy insurance markets typically incentivize the the right behaviors so to get insurance and to get better premiums organizations are encouraged to improve their risk management and to reduce their vulnerabilities and as an insurance broker we don't just arrange cyber insurance we do a lot of work upstream to help our clients adopt a better cyber hygiene to reduce their cyber risk and in the end the risk for society as a whole so that sounds great but this approach has a few limits the cyber market to start with is very small at 2.5 billion dollars of premium this is 0.03 of the global insurance market so this is tiny and why is that well uh i think mark you alluded to that uh insurers don't like ensuring what they don't understand what they can't quantify and so more data more understanding of uh cyber occurrences cyber claims and and modeling can in particular help determine what kind of insurance what kind of cyber risk can be ensured uh now and and future now insurance is also based on the principle of mutualization so it works well when premiums the premiums of the many pay for losses incurred by a few but for systemic risks like cyber like pandemic when the whole system can be impacted this logic falls over and insurance may not be viable another limitation of insurance is the small prints the fine print exclusions uh many traditional policies uh exclude losses if caused by a cyber attack and in some cases the the policy may be silenced on whether losses arising from cyber risk is covered or excluded and that potentially gives rise to uncertainty and lawsuits and we call that sile t cyber and it is as worrying as it sounds to insurers and finally elizabeth you've alluded to that insurers have their own gray zone and there's a serious ambiguity in how insurance policies treat state-sponsored cyber incidents some property and casualty insurers declined to play to pay the not petya related claims invoking their work uh exclusions and you know the ongoing lawsuit between mandalay's and their insurer um you know will be very interesting to follow a great deal hangs on the outcome of this case so does that mean it's time for uh insurance to be reimagined in this great world this grey zone world we rely increasingly on technology and so it's not a surprise that there is an increase in cyber incidents across sectors and the current really small cyber insurance market is inadequate and you know we're working hard to to widen that market but there are clear lessons from the covered 19 pandemic as mark alluded to exclusions are unpopular they're misunderstood and they create uncertainty for consumers and the damage insurer's reputation the pandemic has also shown that insurers don't have infinitely deep pockets and they cannot pay for all the damages and and so government backstops may be necessary to support the private insurance market so for now the uncertainty attached to the gray zone continues to inhibit the the development of cyber insurance markets and uh this is not something that the insurance sector on its own can solve and it really requires discussions across the public and private sector and this is why and i want to thank you again elizabeth for continuing to promote this this kind of debate on these challenges and for offering a safe place for um new ideas to be aired thank you thank you very much well that's that is the point of a think tank to to pro to bring together the best thinkers and practitioners so they can uh explore well present and uh build new ideas based on on on what they hear from from their peers and and not just from their peers within the same sector but uh across society and it's especially important when it comes to grazing which can obviously uh strike any part of society and and we should add that there is really no limit to to what which which tricks our adversaries can try against us because uh it's the only limit is their imagination and i i'll just mention uh two seemingly ridiculous examples you remember a couple of pranksters russian pranksters called senator graham a couple of years ago and asked him uh something about the kurds and got him to say things that uh that he thought he was uh well he thought he was speaking to a turkish official but in fact these were russian pranksters who sort of pranked on behalf of the russian government uh they have a habit of calling all kinds of nato officials and get them to say things that that um in in hindsight they probably wish they hadn't said um and then we have uh things like the acquisition a couple of years ago of grindr which is a dating website for for gay people and then when it was acquired by a chinese company the u.s regulator syphilis thought nothing of it and and it wasn't even on cyphus's radar because cepheus deals with national security not dating apps and then they realized that that may be a national security problem if if the chinese government through this chinese owner gets access to to the data on grindr and so syphius in a very unusual turn of events forced um a sale of or divestment of of a grinder so we have lots of questions coming in i'll start with with one for you paul and i should also mention that paul is on the latest episode of on the on the cast podcast uh talking about sweden's new defense budget which is a a phenomenal increase 40 percent uh over the next increase of the next uh four years including a doubling of civil defense spending so very big step there um proposed by the government so the question for you paul from emmanuel torres um author of well author of a book as well but here's his question would you agree that the success of the swedish total defense concept can be morphed into pan-atlantic nato eu approach to countering hybrid threats or is uh sort of the total defense the result of a very particular swedish culture that would be difficult to apply to other countries and total things we should remember is the defense developed by sweden during world war ii and then perfected during the cold war of involving all parts of society and keeping the country safe uh the armed forces doing their part but the sigma as the rest of the country doing uh civilian tasks so over to you paul well thank you for that question i think that the whole concept of civil defense might be hard to both export and to to re-establish in sweden i think there's two things that are very different from when we did this with a very serious intent up to the 1980s and that is first now things are much more digital so that the digital arena is something that changed uh changed the nature of civil defense quite a lot the other thing is of course now most of the aspects connected to critical infrastructure is actually in the hands of private not public com private actors so i think the re-establishing of the of the private public partnership is really really crucial for civil defense these days i think that nato has done some good work on civil defense and predominantly on on resilience they work on something called seven baseline requirements where all allies are are about uh expected to work on issues related to critical infrastructure transport energy things like that uh which i think will lessons learned from that could could also travel well into other countries so there's certainly elements of it i know then hamilton for example also talked about forward resilience that you work with allies and partners also in the vicinity in the eu also strengthening their resilience so some elements of it can i think can be exported i don't foresee being as comprehensive as it was uh back in the days of the cold war because now we have a completely different world but certainly some elements of it as well i'll stop there thank you paul and here's a question for uh mark from travis cotton at the institute for defense analysis you mentioned persistent engagement and defending forward what do you believe should be the cyber security and infrastructure security agencies role in working with the us cybercom and defending forward since it has defending the homeland mission it's that's a great point you know one of the things that's unique is that we've done a great job because it's funded through dod and dod has a pretty consistent large funding stream the u.s cyber com command cyber mission force has about 6 000 on net operators there is a and then they're organizing 133 uh mission teams or so there isn't a an equivalence to that in the homeland security department called the hurt teams uh homeland security incident response teams uh but their numbers are you know probably one to two percent the size of uh cyber mission force in terms of on that operator so clearly we need to invest more in there i i do think the homeland sec the hurt teams and scissor teams need to be operating generally in blue uh infrastructure in other words in u.s infrastructure and not going overseas because i think you start to cross over authorities called title 10 and title 50. now that doesn't prevent military forces being seconded over to domestic agencies and operating under different titles in title 10 which is military and title 50 which is intelligence but operating under homeland security and uh titles as they do support say the response to a um to a natural disaster like you see the national guard and sometimes active duty military supporting um when we have a hurricane or a um earthquake kind of thing so there are ways to do to flow one way which is the military forces coming into a domestic situation but there is not a way in my mind there's not near enough capacity or capability to flow the other but i do think that we need to build out these hurt teams and our recommendation i believe we made an appropriations recommendation to increase their budget to about 40 million it had spent at about eight or nine million a year for these hurt teams and it recently been increased about 24 million and we're asking to go all the way up to about 40 million and then over time increase it further because you're going to need more and more of these teams where the private sector where the government's helping the private sector one thing i'd mentioned um i think it was paul mentioned the advanced uh persistent threat teams if if if an apt team from a from uh from china or russia targets a u.s company or a non-us company in the united states it is not realistic for that company to defend itself alone you know over a sustained persistent campaign from a nation state and so the government's going to have to have a capability and capacity to support that defense and whether that's domestically you know at the point of attack um or at the point of you know the attack being felt or whether it's forward um trying to um get you know damage or um or obvious or mitigate the attack infrastructure being used by the russian government or contractor thank you mark um helene a question for you um well it's for me as well but i'll um i think you're a better position to answer as an industry representative so here's the question uh given her current high complexity and multiple dimensions of the nature exercises framework encountering hybrid threats do you agree that involving industry c level executives and eu officials is something compulsory or optional in the to the success to the success of modern warfare training and so i believe this question was um asked by manuel torres as well and so manuel um i've actually just published a paper where i proposed something related which is uh joint uh military industry gray zone exercises which would obviously be uh defensive in nature because it would involve industry but they would practice gray zone scenarios which at the moment nobody practices so companies um have uh every every company in fact conducts crisis management exercises but that's a tactical scenario so what would happen if if a factory burned down or if our engineers in in uh in the particular country were taken hostage by militants and so forth but uh the industry leaders are realizing that uh that gray zone threats and forms of aggression affect their companies too but they they can't hold gray zone uh exercising exercises in isolation because it's obviously not just about their companies and so my proposal is for joint uh industry um and military grace on exercises and that idea is actually at the moment being implemented by a nato member state so i'd be well many of us will be following them uh their uh um their work closely uh to see how they implement it and so others can learn from it but helen over to you do you think it would be a good idea for for nato to involve uh to invite industry leaders to participate in existing nato exercises yeah definitely and you know we've we've been following your um you know the the things you've published and and uh argued about and on this topic with much interest definitely uh i think that closer collaboration um with the private sector would be very welcome both for preparedness uh but also to help the maybe the insurance the insurance sector develop more products uh so preparedness and it's quite obvious that better prepared companies uh who are managing all these this infrastructure that is at stake or you are going to be at the front front line of response it will pay off if they have more information to to to be more resilient when something happens but it's also important to to have a more ongoing dialogue so that we improve the understanding of what this threat is understand a bit more the uh the frequency the modes of attack so that then we can build better databases and better models to try to to grasp what this threat is and then to see how we can maybe build uh more uh you know more insurance solutions around those those threats thank you helen uh lots of excellent questions here here's one uh i'd like to to post to uh paul first and then mark from jeff brancato northeast ohio cyber consortium since so much of the vulnerability surface open to cyber tax is critical infrastructure owned by private by the private sector banks investor and utilities shipping and transport systems what recommendations does the panel have for better engaging and integrating uh industry-led collaborative efforts so and that's not just the us uh phenomenon it's it's in in every liberal democracy today most uh companies uh in well most critical national infrastructure companies in the wider sense including retail are privately owned and the government has very little power to tell them what to do yet if they uh if their operations are disrupted it is a very serious issue so i may be able to uh paul first then yeah just very briefly well there's a symbiotic relationship here between within the private and the public sector of course development of the technology that we that are in the hands of the the public sector directly need is being developed within the private sector and the know-how but some of the threats and risks and the knowledge i think is in the private sectors you need the flow of information from the private sector to the public sector at the same time of course you also need this your security service and intelligence community need to have the ability also to share information and here i think you have to to grade the different companies due to what they're actually doing you know if they're working on on particularly sensitive things or if there's just a just a general service provider or something like that you need to grade it the british model they have something called the traffic light protocol where they have specific designated companies that they can share information with uh that can be very sensitive and those companies also have the necessary infrastructure within their companies how to handle classified information so i think the grading of information and how you share information in the flow between the private and public sector is really crucial on this matter very quickly from you because i have another question for you as well yeah i just quickly said i agree with everything paul said and i think what we really have to do is make sure that the intelligence community's collection prioritization is being influenced by the private sector historically it didn't like i said before uh before cyber protecting the national criminal infrastructure was not something we had to do day to day so we didn't prioritize our intelligence collection to look for malicious activity being aimed at our private sector now that we recognize that is the case we actually have to allow the private sector to influence the national intelligence prioritization collection framework and that's going to be hard the intelligence committee is not excited about that opportunity and we're going to have to probably push it through legislation to get it done interesting um here is a question for all three panelists and and so uh with eight minutes left uh if you can have a sort of a one minute go after all of you because it really applies to everybody on this panel could you explain and discuss evidence opposition by some tech companies to legislation requiring closer cooperation between government and the tech industry and that question is from roger coachette at rgc rjc associates so maybe starting with you helen um do you have a take on why tech companies are so reluctant to work more closely with the government in in on on grazing issues and maybe cyber security yeah i guess they're a bit caught in between doing the right thing and then perpetuating uh systems and you know and openness and uh behaviors that uh that are critical to their business models um so i guess no we we need some uh role models uh someone who take the leap to say there are some red lines there are some uh you know some key principles that uh need to be factored in our you know their own systems and i guess that would put some peer pressure for for others to follow but i think it needs it it needs a champion uh i don't have necessarily the tricks to convince them but we just need one and the trick if you introduce legislation is that uh once legislation is in place and it becomes a compliance issue then companies will do the minimum uh to comply with the law so that wouldn't be the the perfect solution either uh quick answer from you paul um well i would assume that goes back to the debate you had a few years ago about prism and the sharing of data and so forth and and how their platform economy would engage into the into the intelligence community and that was sensitive what i think that you really got to write them what you're working on right now is this defense innovation initiative where we open these offices in silicon valley and boston and huge and trios to spin in technologies and that means that you you try and you really need to try to get on board this big platform's economy to also work for the purpose of national security and but then you have to handle the data with the integrity and for the right course i'll stop there is it the same uh does sweden have the same dilemma that tech companies are reluctant to work with the government i mean obviously bearing in mind that no canberra has the tech sector like like the american yeah well we we have big platforms economies like or you know where the home of spotify and klorna and uh and skype and so forth and we have ericsson at the same time we work closely with them on some issues but that we never put pressure on them to to share business intelligence or something like that so i think we have a quite effective good working relationship there one issue is where it's really important to have a good cooperation is on cryptation i think that's really really crucial and that's also identifies the national security interest and not to have a strong public private partnership on those matters thank you paul over to you mark so i would just say that uh you know the government does a pretty good job about talking about the burdens we want to put on industry probably what industry would like to see is discussion of the benefits so that benefit burden balance is we the government needs to do a better job of describing you know are you going to get some kind of liability relief if you agree to a minimum level of security and information sharing and um i think that's where the next step for us we we got the obama administration went pretty far in executive order 13636 that kind of they had a section nine describe the critical function uh the the companies that really are critical functions of the u.s economy and we need to include everyone in there including the technology companies moving forward probably in legislation so that the companies know it's a persistent perpetual u.s commitment of benefits and burdens and i think that will go a long way to improving the situation and if i may add i think uh exposure breeds um willingness to cooperate and and the the challenge we have had across the west uh over the past 30 years but hasn't seemed uh hasn't been uh a problem really is that there is very little understanding in civil society about national security simply because national security hasn't hasn't uh been a problem hasn't posed a problem to our daily lives and in fact has been something we could almost forget about it was something that's the armed forces and the wider government looked after and now where the grace on aggression all of that is changing and it's becoming incumbent on all of us to to do our part and the question is then what is my part as a citizen what is my part as a company who should tell me what to do is is it up to me is it up to my doing the right thing for the country or should there be legislation and and how should that be who should decide what the appropriate level of responsibility is for for uh citizens and for companies and so all of that is is happening as we speak those conversations uh more in some countries and in others but it's it's happening everywhere and so it will be extremely uh interesting not just interesting it will be vital to see the progress of of these conversations and and actions uh and as uh as i mentioned uh with with regards to gray zone exercises involving industry that's a case where one native government just took immediate action and it's beginning to implement it so um and then the good news is that we as western countries liberal democracy have liberal democracies have lots of allies to learn from to trade best practices with trade ideas with so even though we are vulnerable because we are open societies we do have that phenomenal advantage of friends who we can not just work with but learn from so that leaves me with the the sad news that where our time is up and uh i think we have had some fantastic insights here from mark helen and paul uh from from different geographical areas and from different subject areas and i think all have highlighted how relevant and uh really urgent uh the need uh or how how relevant um grace on aggression is and how urgent the need to address it is because we are affected by it all of us whether we know it or not so thank you very much for listening in thank you for your interesting and and uh insightful questions and we'll have many more of these events so please keep checking back and and thank you all thank you to the speakers and see you soon