tv [untitled] September 6, 2016 8:01pm-9:16pm EDT
campaigns against governments and businesses allegedly originating from china. in hong kong in the lead up to last sunday's legislative elections, government agencies were targeted by cyber attacks originating from china. similarly, taiwan has been hit by chinese hackers on a nearly daily basis since the may inauguration. its ruling party has become a frequent target of cyber attacks as part of the campaign to obtain information about the party's policies toward mainland china and its views on independence. in southeast asia, countries with competing claims to the south china sea have faced a string of cyber attacks coinciding with times of heightened geopolitical tensions. furthermore, this july after they rejected beijing's claim to
the sea, flight information screens and sound systems in major airports in vietnam were hacked to spread messages disputing. around the same time, many, many key government websites in the philippines were knocked off-line in a massive distributed denial of service attack. the geopolitical implications of such disagreements spilling over to the cyber realm are significant. likely they will continue as tensions simmer in the region. therefore a closer look at all of this is key in understanding our policy choices and options ahead. today we are honored to have a great group of experts discuss how the regions geopolitics drives cyber campaigns and how the public and private sectors can better avoid falling easy prey to hackers. sam sachs will moderate today's conversation with william glass,
bob manning and denise young. before we start, i would like to voice my sincere appreciation to the economic and cultural representative office for their continued engagement and support of the council. without further ado i would like to thank our media partner as well from the christian science monitor for joining us today and with that, the floor is yours. >> thank you very much. [applause] >> thank you very much investor huntsman. it is my honor to introduce the distinguished panel today, we have william glass a children's analyst who previously worked with the u.s. government, denise
jones, deputy director of strategic technology program, previously an advisor to darpa and also worked with u.s. industry and software space and an expert on technology innovation, also robert robert manning, a senior fellow here at the atlantic council coming from the dni, the state department policy planning office and regional issues. with that, let's dive into the conversation and i will welcome our panelists to come up and we will begin the discussion. >> i thought we would begin today first by talking about very briefly the four main pillars of chinese cyber and i would like to look at economic
end social motivations as well as the geo political foreign dimensions, the military aspect and domestic information control. these are all overlapping but very important pillars of the way that the chinese leadership is thinking about it cyber strategy. i wanted to first begin with the topic that is timely as ambassador mentioned. we are coming up on one year anniversary after the obama cyber agreement last year. my colleagues here will has done a lot of excellent work looking at the repercussions of this agreement and in particular, how cyber activity over the past year has been impacted by this agreement. i wanted to first open up this discussion by asking will to share some insights on what we've seen in the past. >> thank you for having us. i can't take credit myself for what we released back in june. it was a whole slew of us working long into the night, but i will summarize for you a
couple couple of the key points that we found. we looked at the holding of our data that we have from various sources, engagements from collection out there on the internet and we wanted to see what impact the agreement between president obama and him had had over the past six months since it was signed. long story short, we saw a dramatic decline decline in activity that we have seen for recognized compromises of corporate networks that we can trace back to chinese organizations or china sponsored groups. something on the order of more than 80% going down. in order to get there, we looked at approximately 262 different compromises that we saw, we looked at 26 different countries, we countries, we looked at 72 different groups that we suspected emanating from china overall.
it's not to say that the chinese groups are necessarily gone, they are still out there, they're still active and they're certainly going after some particular industries that are less voluminous but more targeted about who they're going after. some are particularly hot topic areas. so we wanted to say something about what we had seen, there are probably a number of factors that went into the decline that we saw and it's our contention that the agreement that was signed between president obama was just one of the several events that contributed to the decline. >> thank you at the moment, right before the announcement of the cyber agreement last year, i remember here in washington, everyone, there was a lot of buzz because everyone thought that the u.s. government was on the verge of coming out with sanctions against chinese companies for the first time that they were associated with
cyber enabled espionage. at the last minute, this delegation came and all the sudden the sanctions were off. since then there has been a lot of discussion about what are the policy tools that the u.s. government has in terms of influencing and deterring chinese behavior. i wanted to ask the panelists if you had any thoughts moving forward, what are the tools that you think the u.s. government should consider if we want to keep on this trajectory? >> i think it really depends on what kind of cyber activity you want to deter. it's not useful to just talk about deterrence in the cyber realm from this perspective because were talking about a lot of different activity. cybercrime can be really difficult to deter because it's easy to access its capabilities, easy to, it's cheap to acquire, the infrastructure to do this
kind of stuff. law enforcement is not set up well to prosecute or identify these people and investigate them and bring them to justice. that's an area where the tools to deter that type of activity, we need a lot more development and we need to improve. on the other side of the spectrum, what were looking at catastrophic cyber attacks, we could argue that we have deterred those types of things because of our conventional military capabilities. if you attack our power grid and bring our power grid down, we have many other options on the table to retaliate. so when people talk about building a cyber nuclear bomb, i think a lot of folks that are new to the issue have sort of used that example, it's not particularly useful. we wouldn't necessarily respond
to a catastrophic cyber attack using a cyber capability. a lot of the tools that the u.s. government has used in response to espionage, cyber espionage, damaging cyber attacks has actually been outside the private realm. in part because we don't want to set a bad precedent. we don't want to condone this type of activity. it's a slippery slope. that's why we have used things like sanctions and indictments, we've used diplomatic action and accommodation of all the above really to deter this type of activity. >> do you think sanctions are still on the table? as it possible that the u.s. government will still report another in the next u.s. your to? >> i would certainly keep it on the table. yes, i think that's very possible but everyone is waiting
to see, has the deal actually had an effect? will mentioned the data that we've seen and a lot of folks are saying that the chinese are getting better and they're getting more covert. they are switching from the pla in terms of conducting a lot of this to parts of mms which are better at covering their tracks. there's also some discussion that it's possible that the chinese are seeing a diminish return on the espionage because they want to climb the value train in terms of industrialization. they want to be providing goods and services as the higher end of the value chain. stealing blueprints, stealing ip doesn't necessarily enable you to develop that internal capability. they have announced biotech, big data, ai as key areas where they want to grow their industrial capacity and capability.
>> it's not as easy to steal that type of information. you have to train a lot of rhythms and do machinery. it's a totally different technology development process. >> one of the findings from a recent report that your involved with argue that why we see a decline in traditional hacking activity we saw more of an emphasis of usually partnership with western firms to leverage technology transfer. can you comment on that trend? >> that goes back to what she was just talking about, there is a certain limit to which you can drive value. you actually need the people who know how to build. i think part of the reduction we might be seeing is somewhat of an attempt by the chinese side to say look, were a skill this back a little bit and try to build a more friendly environment for western companies to come to china and
feel like they can invest a significant amount of money or make partnerships or provide the expertise that these companies want. if there's too much of a perception that they are international property that has cost these companies hundreds of millions of dollars over how many years, if if they have a feeling that's going to be suddenly erased or stolen from them, they will be less likely to make something of a partnership like that. this could also be a recognition that they're getting less bang for their buck in terms of stealing it and it's better to invite them to come to china and form research partners to get the value that way. >> any advice for western u.s. industry on how to engage in the market in china but also protect yourself from this threat? >> so i spent some time with the forensic analysis guys and they're the guys that go out to companies when there's a problem and do a friend forensic analysis to determine who stole what and what happened.
they always say they advise people to operate under the assumption that you are breached there used to be a perimeter model where you could set up a wall and a moat and you could pretty much keep everything out. now it's probably not going to be as effective. steve got to be able to say you have to operate under the assumption that there's some bad guy in my network. what do i have to do to make sure i can mitigate the damage that's caused once were inside. there are various strategy that we can do, i won't get into them here but there are options out there and there's kind of a growing up that needs to occur and for companies operating in the asia-pacific, some of our responders put together what we call a report that we put together earlier this month. we found the averaged well time
for a cyber espionage act or inside a network in is around 520 days. in the united states it's about 146. so europe into a greater extent the asia-pacific are a couple years behind in recognizing the threat that they face, understanding that they are very skilled at getting in and a lot of time network security is pretty lax by itself so the fact that these groups are able to stay inside a corporate network for 520 days, bordering on two years, the amount of technology and information or proprietary stuff that can be stolen during that amount of time is extremely high. >> i will pivot away from the industrial espionage angle and i want to talk about information technology policy in china. this is an area where i think we've seen a rapid buildout of laws and regulations. can any of the other panelists tell us about what you are
seeing in terms of china's efforts to build a governance regime? >> i think it's part of a larger trend that i find a little disturbing in that the markets are closing in their coming up with all sorts of devices, regulatory and otherwise to squeeze out and build national champions of their own firms, particularly gone after it firms, apple and others and there's still some back-and-forth about trying to get them to back off some of these legal devices they've come up with, but it's a troubling trend because i don't see how they get from their to the so-called market-driven reforms that they claim they want to
implement. i think it's a big, a larger problem for them and it's a larger problem in the overall u.s. china relationship and i think on the sanctions, as i recall one of the reasons they came around was they were really stunned that our attribution capabilities that we identified which office and the poa was doing it, who was doing it and we went on the facebook page for the guy who is doing it so that must've kind of woken them up and wondered what else we can do i think there are some basic tools inform policy and those are the fundamentals. i prefer threats. many instances, i think the stakes for them in the relationship for 600 billion-dollar your trade relationship so there's really
limits on how far we can go on this. >> what we see in china in the policy space is sort of industrial interest and security interest. i think china, just like any other country has legitimate security concerns about the product that they buy and the services they procure. when you look at the design and implementation of the laws in the regulation and the policy that they are pursuing in the space, i think, at least from my vantage point that the underlying motivation is really to advance their domestic industry. even though they have these legitimate security concerns. this is very obvious when you look at their five-year plan and
the former head of the cac, his various speeches, when you look at their longer plan, this type of ideology is reinforced across the board. i think there are probably three trends that are worth noting in this space in china and the first is that there is a sort of expansion as well as a centralization. you see that across the military, you see that across the intelligence apparatus as well as the civilian government. they have fought a number of laws, number of new regulations specifically to do this. i know there were at least 15 different entities across the pla that were involved in cyber until the recent reforms. another area where you see.
[inaudible] that along with state localization and content will continue. i don't see those activities diminishing. you see a great example of that in the recent cyber security law where you see a broad expansion into other sectors, additional 30 review and requirements and also a lot of the definitions. [inaudible] the reviews that they undergo have gotten more unambiguous. that leads to the third trend and that is that chinese cyber security laws and policies are intentionally ambiguous. they do this for reason. it provides great flexibility
and it provides the government with the discretion to determine how to enforce things and whether to enforce things to their advantage. and also as some analysts has said, it shields them from w tl complaints as well. a lot of the laws aren't finalized or if they don't have guidance, it's harder to bring dispute. >> i think it's easier to look like. [inaudible] last year there was a lot of resistance to the banking sector regulation and the chinese government said but we extended these laws and for a year they hadn't been implemented in ways that create disadvantages to
u.s. companies in those sectors. i think that victory at this point is something that they need to be looking at in itc regulations but i wanted to talk a little bit about the military reforms in china and the point you made. they have taken sweeping reforms of the command structure and i think there are two schools of thought about what the implications of this has been within cyber activity. one is that it has caused some paralysis in the pla and that may be why we saw the slowdown in activity but the other is that it is from a more targeted approach. i think you've done some look at these uniforms. can you comment on this? >> sure it's interesting stuff when they came out and said we have this new strategic support force in its way to do cyber things and information warfare and other technologically relevant skills that they had.
but then that was it. we didn't hear much about it "after words". so as details started to come out, they gave his speech the other week about how it needs to be a driving force that can support other services and a strategic rocket force. it will be really interesting to watch where this goes. as they mention there was a wide array of organizations within the pla that had a cyber component. two what sam just said, there is some slowdown but once they figured out it will be a really interesting thing to watch. the command stood out in october 2009 and they are
expected to have all 133 teams ready in 2018. that's a nine-year spread. if we can apply some similar timeframe to the chinese, we should expect the strategic task force to get going by 2024. i don't think will take them out long. that was one of the factors that we looked at when we wanted to figure out why we wonder been seeing some of these declines and if there's a huge bureaucracy that's also tightly controlled that's reorienting itself and eliminating people's jobs and you have an anticorruption drive going on where pla is derived from commercial benefit from some of the things it was doing it, if those things have been stamped out there's a lot of commotion going on and that could be what we are seeing. >> i think this touches on the centralization of these different actors. there's a misconception about the political system which is
that cyber strategy has always been quite centralized but meanwhile you have all the different actors in the pla civilian industry and academia, i wondered if the panel had any thoughts about the cyber funeral in china which is not new anymore, it started in 2014, to really take the lead on the cyber initiatives. any thoughts about the creation of this entity will mean? >> it's okay if not, these are tough topics. >> you actually offered a piece on this. >> is not very fair for us, she actually offered it through. [inaudible] maybe you can answer that question. >> sure, things.
so my assessment is that the cyberspace administration of china has become a version of the most powerful entities in the political bureaucracy in china. at the same time there are some internal battles that are being sorted out and are not completely over. you have the ministry of public security that has played an important role in driving these policies and studying the cyber security agenda. i think that turf war between the two is still playing out. we thought play out in terms of the cyber security law and the highlights on the one hand you have government that wants to clamp down on digital information and the hardware and software involved but you also have a government that wants to create national champions in the technology space and promote entrepreneurship and innovation. i think that is being hotly
debated right now. it's an open-ended question about who's going to emerge as the more influential player. >> i have a question, who do you think is the delineation of roles between cac and the new site security association of china and the new standards organization to 60? >> the cyber association of china is an industry group that was established this spring under the cyberspace administration in china. it's essentially a party sponsored industry association, it includes not only prominent government entities, it includes research institutions as well as members of the chinese industry
and the most important technology members. so far there are no foreman members involved in the mandate is to strengthen cyber security in china as well as to grow as national champions and go out and compete globally. it is still a little too early to figure out how exactly, what its its influence is going to be within the broader cyber governance regime. i think we are going to need to watch and see when the final draft comes out in these other regulations that are still pending. are they going to have a voice? i think they are always aligned with the government agenda on these and that's not always true. cross-border data flow for
companies like ali baba who want to go out and compete and don't want restrictions on dataflow. that's something we will have to keep an eye on. >> the cac is in charge of it or something he used to say which was the concept of cyber sovereignty and that was the idea that a country should be allowed to control the internet that are inside that country's borders and nobody else should tell them how they're going to run it. obviously it's a great, great concern to the chinese and they want to make sure they know exactly what information is flowing in how much money this family hasn't things like that. the internet corporation for assigned names and numbers as an organization that was set up in 1998 to govern, some of you know this but when you typing google.com and figures out what address that is. there's been a lot of debate
since 2013 when they decided to let everybody know what the intelligence community was doing. they said wait a minute, the united states government has control over the system. i don't like this. this is a terrible idea. a lot of those were legitimately concerned, china and russia and a few others. [inaudible] most other international agreements when it comes to telecommunications. the issue with that for a lot of people including the united states government is having it as a un body would allow governments to assert undue influence if they overreach the level of security council issue we could be in really big trouble. fortunately, the u.s. government announced that it is supporting
the complete privatization and it will come out from under the department of commerce. it will be this organization does not run by any government whatsoever. it's kind of a victory for those of us who like to have free information flow on the internet but the same with cross-border flows and certain companies have to be connected to the world of economy to make money so there's probably a disconnect for the government wants to have more control over the internet addressing some things and others want to say we actually like this for work you have an ability to have information go wherever you want to make more money. >> thank you. i think in internet governance is a topic that gets us into a broader, it's a pillar that we haven't touched on yet which is for form policy and china's role in the region and globally and
cyber has a pool and not. i know you've done a lot of work is there anything you would like to add? >> i don't know if it's much that i can add but it's another arrow on the quiver so to speak. [inaudible] they have been using it to be disruptive at getting their message across but i also think as you mentioned, we had a meeting with them and it's the smiling face that they want to engage, they want to talk about cooperation, codes of conduct and that sort of the.
i'm reserving judgment on it, but i think all the things that you talked about our evidence of a work in progress. it's not clear where the ball is going to land. i think the more pressure we put on them probably the better in terms of what the results will be. i think in terms of industrial espionage that are probably being more discrete and discerning rather than the full court press they've done in the past. i don't think it's over and i think the overriding goal is still modernizing the chinese economy and i think the concern is that they put forward an agenda where the market was supposed to be the determining factor and that seems to have
fallen by the wayside in the state is clearly the determining factor. we reform what we are hearing about which is consolidation so we can you corrupt state bigger could have an impact. >> you talked about cooperation and code of conduct, are there areas for collaboration for cooperation in the cyber round with china? >> i think there is room for more detailed codes of conduct. i don't want to draw on algae too far but there is an analogy to nuclear deterrence and both sides agreed not to attack the critical infrastructure.
i don't know how else you could apply that type of logic to this. i think the more china develops more vulnerable it gets and there's this mutual vulnerability that cuts across the whole strategic relationship in china and it took us about 20 years with the soviet union before we had our framework and we are in the early stages. it was a whole range of strategic issues where we have no understanding of china whatsoever. you can think about how bad our relationship with rush is but we still have some predictability from her arms control agreement that we've made in the past and they don't have anything like that with china. it's all very uncertain and i know the u.s. government for a long time pushes that dialogue
and i'm just noticing in the traffic of chinese think tank coming through here, one very senior. person came through here recently and i was trying to lay out for them the rationale for developing a strategic framework and they all looked at me like i was smoking something and this guy comes here now and says where's your strategic framework. i think there's a curve and i think it will take a while and i think cyber is part of that larger strategic framework that we have to develop and i have any illusions about that happening. >> i just let him make one comment on the norm on agreeing not to attack each other's critical infrastructure. if you read the fine print, he says during peak time. i think it's safe to assume that if you are attacking each
other's critical infrastructure that you are somewhat in war. you are talking about. >> i'm not sure that the value of that particular norm if were going to call it a norm at this point. i think it's a step in the right direction but it's obviously attenuated by that condition. >> the chinese have an ongoing dialogue where they are trying to establish a standard operating procedures in terms of when there is a crisis and when you need technical assistance and who you call and what are the hotlines and what are the methods to exercise that communication. i think that's helpful. at the end of the day there was a real sticking point between the u.s. and china who are making a lot of progress on the
topic of internet sovereignty. it's a fundamental disagreement on whether or not states have sovereign rights over the internet and the ability to control the type of data that flows over the internet, how it secured and regulated and that is the biggest barrier to making progress. >> i wonder how sustainable a chinese policy is if the overall goal is to have a knowledge-based economy, how do do you do that and have complete control over everything? i think there's going to be at at -- i don't know how that's gonna come out. so far everything's going the wrong way toward more control. if your chinese decision-maker and a provincial.
[inaudible] you're afraid to do anything. they'll do a correction campaign if they don't like what you're doing. >> i want to take a moment to open the floor up to questions from the audience. we have touched on a lot of different topics, but any questions? >> i'm with the atlantic council, thank you panel. i would like to reverse the bidding, assuming this was a conference held in beijing on cyber espionage, the reason i asked that question is because on some of the boards that i set on, some have joint venture with china.
it's competition from the united states and europe and from disgruntled employees. when we report this to legal authorities we get a big shrug. how would you compare chinese hacking with domestic hacking in terms of being a menace? >> i would say that falls in my lane. >> certainly, let's back up, the u.s. is one of the only countries that has a specific law on the books or norm on the books that they will not conduct commercial espionage. virtually every other country does this or is suspected of doing so. certainly, given the attribution challenges that some people have had, there is a possibility that competitors might say i'm gonna go higher this company over here
break into my competitor over there and make it look like the chinese did it, boom, wonderful, despite that being highly illegal there were some pretty's death penalties for doing so but you have to prove that it occurred and make burden of proof is high but in cyberspace there are so many opportunities for running false flag operations to make it look like something else did it and coming to a level of evidence that can stand up in court is extremely difficult. you have to look at the agreement that was between president obama that said were not going to support espionage for commercial purpose that benefits other firms. there you have a violation, but i think it's challenging to do so. criminal actors have gotten extremely good. they have like that what some of the nations groups have done, the way they've organized themselves and they have walls
on the keyboard and the rise of digital currency decline is one that everybody knows about and has made this a wildly profitable enterprise to be undergoing. it's interesting the way the big claims and mining and storage goes on in china. there's plenty of opportunity i think you're right in saying that the nationstate actors get more press in terms of total volume of damage, criminals are probably doing more.
>> other questions? >> i have a question about the supply chain. there was an issue with the routers. i know the hacker could get a corporation for 100 days for their cause. i will bet you there is a lot of routers that have been compromised. has that been addressed? i don't even think we know what is compromised. how has that been resolved because there were so many of those routers? thank you. >> i'll pick that one up. >> so the national counterintelligence and security center is the organization in the united states government that handles supply chain security. i don't know if anybody has read go sleep, it's a book that's
making its way around the beltway. basically it has to do with compromising digital technology that goes into fighter jets and destroyers and then summary can turn it off whenever they wanted to. suddenly the missile system is a giant paperweight. so it is an issue, the amount of technological hardware that we import is massive, long time ago the decision was made that it was more economical to produce computers and microchips overseas rather than in the united states. now now we are living with the consequences of that decision and we have to recognize the problem, develop some sort of structure and framework to deal with it and monitor where these things are coming from and make sure it's all written down somewhere. it's no doubt a big challenge.
>> since no one else is asking, this may not be relevant to this issue, but right now the big cyber issue seems to be russian intervention in the u.s. election. would anyone like to comment on that? >> i think this is a pretty run-of-the-mill political espionage activity and i'm sure this is a pretty well-informed crowd, folks know that in terms of political campaigns, they are fair game in terms of espionage. it's the release of the data that was collected to wikileaks that sort of influences the recollection that it's obviously more concerning. putin was interviewed by bloomberg a few days ago where he said, he denied
responsibility. he said this is a public good, why are we even debating who actually conducted this attack and what's your focus on the fact that the hackers did something good for society? so i think that is a pretty good indication that there are probably they are probably involved in there probably behind it. >> this type of stuff is really hard to deter. figuring out how to respond to it is really difficult. the administration is still trying to figure out how to respond and they are looking at a lot of different options trying to working those options out.
one of the biggest challenges is attribution, not because they haven't determined that it is the russian, but, but because they don't know how to publicly provide that attribution. so people always talk about attribution has gotten better but it's not reverse engineering code in looking at forensic data but it's using all different source of intelligence. there's the sources and methods problem there. that's why we aren't able to fully attribute publicly, and to do in a top of like indictment or sanctions, we need to have public attribution, official attribution. we need to have all of this evidence and sort of articulation of how we acquire that evidence. that's a problem. i think there is multiple layers to this in terms of coming up with the right response, what is an appropriate response, i think
the russians are very difficult to deter, much more difficult than the chinese. also the attribution problem. not because we don't no, but because of the question of how to publicly attribute. >> i could give you a more technical view and that is that the russians are significantly. [inaudible] they didn't want us to know who did it. they very well could have done it. the fact that they used tools that are probably used by other intelligence services to break in to this means they were careless and didn't care that we would know or they wanted us to know. the fact that they came up with this two-point oh and it's the two-point oh version of the guy who supposedly claimed that he found hillary clinton's private server, there are just too many different things that it almost seems forced in order to say were coming up this persona out there on the internet. were not really expecting you to believe that it's this guy, but
if you do it's too bad for you and so, looking at this and saying they want us to know that we have all of this information in all of these capabilities, deterring physical russian forces, we know how to do that. we haven't figured out how to do deterrence in this other domain that were not particularly comfortable with. its information flow and were supposed to be all about every buddy doing everything however they want and to feel like were going to restrict the somehow or counterattack in some way is something that were prepared to do yet. >> good evening my name is james conlon. my main question is i know over the past 30 years in the u.s.
research and development funding has not been on par with other countries in europe and asia pacific area. i was wondering if you could tell me and for everyone if this area in the u.s. that we can improve on to improve on cyber security and get ahead of the game, whether it's just funding or focusing just on this and enforcing security and things like that, if you could touch on that, that would be great. >> this is an issue that i've been looking at actually. when you look at innovation in cyber technologies, you will find basically a handful of technologies that in practice is that have been in existence for well over a decade.
how do they deploy or implement those practices better, faster and cheaper? that's what all the companies compete on. investors are investing on some of the new technology and start up and they are looking at companies that can do a better, faster, cheaper. that's great that also misses the underlying root causes of the problem. there is not enough private money going into funding the development of technology that could have game changing affect on the internet. that's the role of the government in some way because it's harder to recognize a return on your investment in a. of time that you can justify making that investment. you have organizations that are making investments in the space. the r&b space is the value of that and after you developed the prototype, after you have developed an elf of a product,
using government money, it's almost impossible to transition that into practice. it's already difficult to transition that to government. we need to focus on efforts to bridge the technology value of that. i would argue that government should take up page out of a playbook about how they're investing. when you look at how they operate, they are looking at the teams of people. do you have a person on this team that knows sales, do you have a person person who can get you access into the marketplace. if you're building a product team, not just getting the smart people to develop the technology
that's what we need to do with government-sponsored r&b program and how do we put together smart people that develop the product but make sure it's exactly transition to government, customers and the private sector. you you are right that r&d spending has gone down, it's not an easy thing, people just they we should increase r&d funding. if you look at the r&d spending compared to the cold war, it's a fraction. we are not in that type of environment anymore. we have to think differently
about solving this problem. that would be my advice. not necessarily increasing funds but bridging that technology transfer and building smarter more versatile teams. >> it's interesting because the chinese government is having the same discussion around the 13 five-year plan where they've come up with a list of strategic industries that are targeted for more support and investment in r&d. the question is how is this plan really going to help the two innovation. they are thinking about how can we take it to the next level and commercialize these technologies those in china are thinking through that same challenge. it will be interesting to see how people on the u.s. side and the chinese side, how we grapple
with that same issue. >> i am unaffiliated but i'm a former software developer. my question is about open-source technology and transparency. do they give an advantage to the attacker or the defender or is it level the playing field or does it have no impact on whether it's easier to defend or attack? >> i would say there's a rigorous debate about that right now. there's one school of thought that would say open source technology that everybody can see the backend code, everybody can get the wisdom of the crowd in finding bugs and vulnerabilities and that's were all computer problems stem from in the first place. the other side of the argument is that everybody knows the code. if there are bugs then people can't necessarily find them fast
enough it becomes easier for would-be attackers to find a particular vulnerability that they could build a tool to exploit. software code is getting longer and longer and i think i saw mercedes-benz add that said this car had ten times as many lines of codes as the apollo commander. first of all, have that much code in a car is a little scary to me. the fact is this stuff is getting longer, the number of man-hours that it takes to go through and find problems in an open source forum, they actually give the benefit to the attacker who is going to sit in his basement or government facility and look through that code all the way through. where as if it was a proprietary and hidden like microsoft windows, it would be much harder to find those problems. >> that's the problem, the issue of responsibility. some open source code is reviewed by a lot of people. there's a lot of interest in that. then there are many libraries that don't get reviewed for bugs or vulnerabilities because
nobody's being paid to do that. there's actually discussion about maybe through dhs or some sort of fund that pays vulnerability resources to go through libraries and look for vulnerabilities and develop patches. the answer is not so binary, i guess is what i would say. >> in the front right. >> thank you. thank you for coming today, i'm a freshman at the george washington university. thank thanks again for taking my question. one of the biggest pushes in the technology industry is quantum computing. they're sticking about $600 million of investment in both china and the u.s. also many startup firms and google for quantum computing. is there any chance that this will raise the stakes of the current engagement between the
u.s. and chinese governments or will it just keep the stakes were they are right now except it's just a higher tier of technological advancement? >> what you think? there is a race to acquire quantum computing capability everywhere. i would say the most cutting-edge developments are taking place in parts of this government and this country that do not get reported on in the news and where the budgets are not necessarily made transparent. i think it would be very difficult for us here sitting on the stage to articulate where that sort of pecking order, how that is and how we would compare. i think the u.s. is probably the leader, i hope it is. the chinese claim to have launched a quantum satellite, a quantum communication satellite
a couple weeks ago. they did launch that satellite, but it doesn't have the full suite of capabilities that you would need to really fully call it a quantum medication satellite. i think it's the next first step in there will have to be a lot of research and development where they get any real use out of it. : and that encryption issue silicon valley with both against washington and beijing in a
certain way. i would be curious your thoughts about the end of the second issue, we will have a new administration so what would be from your perspective. >> i don't think we are going to do anything on an encryption until there is a real incident. to directly tie it to the use of the encrypted communications platforms. i don't think there's an appetite for the industry and i
don't think we have very good sensible solutions right now either. they've been talking about the need to gain access to the encrypted messaging platforms for a number of years now. they've put together a legislative proposal that they were going to push on the hill and they decided not to push that agenda and it's the same talking points being used right now but they decided not to push that proposal because something else happened. the disclosures have been. so they essentially took that and decided to wait. i don't think that we are going to do anything because we don't frankly have really good solutions right now.
no one has articulated a framework that could actually work domestically and internationally. so until we have some real proposals people can evaluate the lawmakers, lawyers, companies, it is hard to make any real progress. that said there are a lot of wildcards including china and other countries where there's a huge market for mobile and that is the future for the mobile industry china and india. with the next administration should do this is the least icy the recommendations first and foremost they should do a better job of protecting how it works.
they need to learn from the private sector in terms of how they manage security for the federal government. we've had this debate about hacking later on and i don't think that a is a way to descrie this problem. what we need to do is to figure out how to enable companies to provide for a better defense. and that's not necessarily going out and breaching other organizations, networks and stealing their data back. back. back. but it may be some other types of activity that are operating in this legal area. a lot of companies have concerns
about. in the pilot program it was the first of its kind and now it is a mainstream topic. it's what every industry sector is investing in and a lot of it dates back to the defense department's efforts to sort of cutback this activity. it helped establish the legal vehicles they needed help them build a lot of the relationshi
relationships. i would say we ought to consider getting some critical companies together and possibly under the dod umbrella that said. they provide for the more effective thoughts. >> a follow-up because the chinese are watching the debate quite closely. any perception was coming down the pipeline in the encryption policy? it's not a big surprise. >> there's certainly pressure to change it.
in china there is an encryption wallaw in the commercial encrypn product. it is highly regulated. i'm going to set that aside. there is smart phone and encryption or device encryption where the new national security law applies. for all smart phone companies operating in china they have to adopt an encryption standard. the detail details have gotten h public reviews so there's still concern thathere is stillconcerf a backdoor that the folks haven't necessarily been able to identify yet publicly.
obviously i think the big question that people want answered is what about apple. while they continue to be able to sell their products in china and offer products on the platforms? i don't know the answer to that but i know that when you look at chinese smartphone messaging application usage, you see that message is actually a tiny percentage of the user base in the vast majority of what people use to communicate when it comes to the mobile platforms and those do not offer any encryption. when you look at the type of users in china that own smart phones, it is a very elite and highly educated group of people not necessarily those individuals and the government
most interested in cracking down on. these are people that can afford to buy it. flying under the radar right now they are not creating a significant cult of the government. when they do, that might change. >> any othe >> any other thoughts on the encryption in china? >> of the debate in the u.s. has been either you give up all the key is to encryption there are a lot of useful applications every time you shop online and want to send an e-mail. these are things we take for granted that we don't think to say the encryption is fundamentally a like blaming the
technology of somebody that uses it in the helpful debate. we can't read the encrypted pieces and if we can install some sort of image capture will pick up messages you can get around it. so, fundamentally banning encryption i think is a dangerous road to go down. they look at the u.s.. the u.s. companies can no longer
complain you have the kingdom all of our devices and all the things that but they want an argument anymore, so whatever the u.s. policy is to get what they want to. that may be another avenue that you need in the law enforcement functions so right now the iteration in terms of government access to data for law enforcement access is about encryption. i think the next iteration is about law enforcement hacking activities and government activities. that's the direction that we are moving. so the administration could also benefit from thinking of little bit more about how to govern the activity. >> we have time for two more questions.
>> i was wondering if you can comment on the cyber operators in the training and general and their best cyber actors come from the community with cyber criminals and that they've been taught and conscripted into acting for the government does china utilize the same services and the pay differential between the private and public sector >> i think i can comment on that. >> i think you know more about it. one more question.
there wasn't a whole lot they te on some of the other issues. there is a smattering of global issues the counter narcotics and counterterrorism, a number of other policies that are somewhat limited to the chinese are cooperating on the fundamental u.s. china relationship was not reduced as far as i could see it as needing. i find the chinese behavior a little more confusing. it's what they had with obama so you would have thought there might have been an interest in