tv Discussion Focuses on Cybersecurity and the Asia-Pacific CSPAN September 7, 2016 12:14am-1:33am EDT
last year the u.s. and china reached an agreement on cybercrime. computer security analysts discuss the effect of this agreement on attacks coming from china and on u.s.-china relations. the atlantic council hosted this one hour 15 minute discussion.

>> good afternoon everyone and welcome to the new school year. i told my daughter said early this morning walking them to the bus really early. i am john, chair of the atlantic
council. we're delighted to have you here this afternoon. today's event, the art of cyber war, cohosted -- is part of the council's series, a broader effort to examine ongoing affairs and relations. i would also welcome all of those who are watching online. i encourage you to join the conversation on twitter using the hashtag #accyber. last september president barack obama and chinese president reached an important agreement to curtail commercial cyber espionage. while many initially doubted the effectiveness of the deal, recent reports by the private sector and the department of justice indicate a sharp decline in chinese cyber attacks against u.s. companies over the past year. china's neighbors in the
asia-pacific region, however, face a different set of realities. over the past year alone the region's remarkable pace of economic growth, territorial disputes, and an increase in military expenditures have all been factors in numerous cyber campaigns against governments and businesses allegedly originating from china. in hong kong in the lead-up to last sunday's legislative elections, government agencies were targeted by cyber attacks originating from china. similarly, taiwan has been hit by chinese hackers on a nearly daily basis since the may inauguration of the chinese president. its ruling party has become a frequent target of cyber attacks as part of a campaign to obtain information about the party's policies toward mainland china and its views on taiwanese independence. in southeast asia, countries
with competing claims to the south china sea have faced a string of cyber attacks coinciding with the times of heightened geopolitical tensions. furthermore, this july after a tribunal rejected beijing's claims to the sea, flight information screens and sound systems in major airports in vietnam were hacked to spread messages disputing the decision. around the same time, many key government websites in the philippines were knocked offline. that was in a massive distributed denial-of-service attack. the geopolitical implications of such disagreements spilling over to the cyber realm are significant. they're likely to continue as tensions simmer in the region. therefore, a closer look on all of this is key in understanding our policy choices and options ahead.
today we are honored to have a great group of experts discuss how the region's fluid geopolitics drive cyber campaigns and how the public and private sectors can better avoid falling easy prey to hackers. sam sachs will moderate today's conversation with william glass, bob manning, and denise. before we start i would like to give my sincere appreciation for the continuous engagement in support of the council and our center. without further ado, i would like to thank our media partner as well, from the christian science monitor, for joining us today. with that, sam, the floor is yours. thank you very much. [applause].
>> thank you very much, ambassador huntsman. it is my honor to introduce the distinguished panel today. we have william glass, a threat intelligence analyst, who previously worked with the u.s. government. denise, deputy director of the csis strategic technologies program, previously an advisor to darpa and an expert on cyber security. and robert manning, a senior fellow here at the atlantic council. he comes from the dni and the state department policy planning office, an expert in asian affairs. so let's dive into the conversation. i welcome the panelists to come up so we can start our discussion.
>> i thought we would begin today first by talking very briefly about the four main pillars of chinese cyber strategy. and we can use this opportunity to dive into each of these pillars, looking at economic and industrial motivation for chinese cyber operations as well as the geopolitical foreign policy dimensions, the military aspect, and domestic information control. these are all overlapping but important pillars of the way that the chinese leadership is thinking about its cyber strategy. so i wanted to first begin with a topic that is timely, as ambassador huntsman mentioned. we are coming up on the one-year anniversary of the cyber agreement last year. my colleague will has done work
looking at the repercussions of the cyber agreement and how chinese cyber activity over the past year has been impacted following this agreement. so i wanted to open up the discussion by asking will to share some insights on what we have seen in the past year since that agreement.

>> thank you for having us. i cannot take credit myself for writing that report that the company released in june. it was many of us working sometimes long into the night. i will summarize for you a couple of the key points that we found. we looked at the holdings of our data that we have from various sources, from company engagements and collection on the internet. we wanted to see what impact the agreement between president obama and the chinese president would have over the past six months and since it was originally signed. a long story short we saw a dramatic decline in activity than we have seen for recognized compromises of corporate networks that we can trace back to or suspect we can trace back to chinese organizations or china sponsored groups. something on the order of more than 80% going down.
in order to get there we looked at approximately 262 different compromises that we saw. we looked at 26 different countries. we looked at 72 different groups that we suspect emanating from china overall. it is not to say the chinese groups are necessarily gone. they're still out there, they are still active, they're really going after some particular industries. they're being less voluminous but more targeted in who they're going after. so some companies healthcare information, navigational technologies are just a few. so we wanted to say something about what we had seen. there are probably a number of factors that went into the decline that we saw and it is our contention that the agreement was signed between president obama was just one of several events that contributed to the decline we have seen so far.

>> thank you.
at the moment right before the announcement of the cyber agreement last year, i remember here in washington there was a lot of buzz because everyone thought the u.s. government was on the verge of coming out with sanctions against chinese companies for the first time, that they were associated with cyber-enabled industrial espionage. at the last minute this allegation came and all of a sudden the sanctions were off. so since then there's been discussion about what are the policy tools that the u.s. government has in terms of influencing chinese behavior. so i want to ask the panelists if you had any thoughts moving forward: what other tools do you think the u.s. government should consider if you want to continue on this trajectory?

>> i think it depends on what kinds of cyber activity you want to deter. so it is not useful to talk about
deterring in a cyber realm from a nuclear perspective because we're talking about a lot of different types of activity. cybercrime is really difficult to deter. it's easy to access capabilities, easy to the top of my sin look at the source of this attack. it's cheap to acquire the infrastructure to do this kind of stuff. law enforcement is not set up well to prosecute, to identify these people, and bring them to justice. so that is an area where the tools to deter that type of activity, we need more development, we need to improve. on the other side of the spectrum when you're looking at really catastrophic cyber attacks you can argue that we effectively deterred those because mostly of our conventional military capabilities. if you attack our power grid and bring our power grid down we have many other options on the table to
retaliate. some people talk about building a cyber nuclear bomb. i think a lot of folks that are new to the issue have sort of used that example. it's not particularly useful. we would not necessarily respond to a catastrophic cyber attack using a cyber capability. so a lot of the tools that the u.s. government, i would argue, has used in response to espionage, cyber espionage, damaging cyber attacks have actually been outside the cyber realm. in part because we do not want to set a bad precedent. we do not want to condone this type of activity. it's a slippery slope. so that is why we have used things like sanctions, and
indictments. we have used diplomatic action, a combination of all of the above to deter this type of activity.

>> do you think sanctions are still on the table? is a they will stumble forwarded sanction another?

>> if i was a u.s. negotiator i would keep it on the table. so yes. i think that is very possible. but everyone is kind of waiting to see, has the deal actually had an effect. so will mentioned the data, the trends that they've seen. a lot of folks are saying that the chinese are getting better and getting more covert. they're switching from the pla in terms of conducting these activities to parts of mss that are quite frankly better at covering their tracks.
and there's also some discussion that it's possible that the chinese are seeing a diminished return on cyber espionage because they want to climb the value chain in terms of industrialization. they want to be providing goods and services at the higher end of the value chain. and stealing blueprints, stealing ip doesn't necessarily enable you to develop that internal capability. so they have announced biotech, big data, ai as key areas where they want to grow their industrial capacity and capability. it's not as easy to steal that type of information. you have to train algorithms. it's a totally different technology development process.

>> one of the findings from a recent report that you are involved with argues that while we have seen a decline in traditional hacking activity we have seen more of an emphasis on using partnerships with western firms to leverage technology transfer. will you comment on that trend?

>> that goes back to what we're talking about. there's a certain limit to which you can derive value from stealing blueprints from something. you need the people who know how
to build it. so part of the reduction we might be seeing is somewhat of an attempt by chinese scientists to say that, we are going to scale this back a little bit. we'll try a little more friendly environment for western companies to come to china and feel like they can invest the money or make partnerships or provide expertise companies want. if there's too much of a perception that their hard-won research and development that has cost these companies hundreds of millions of dollars over several years, if they have a feeling that will be erased or stolen from them, they'll be less likely to make something of a partnership like that. this could also be a recognition they're getting less bang for the buck in terms of stealing it, better to invite them to come to china and form these partnerships to get the value that way.

>> any advice for western u.s. industry on how to engage in the market in china? but also
protect yourself from the threat.

>> i spent some time with the friends who go to companies when they have a problem and do a forensic analysis and determine what happened, who stole it, and how did they do it. they always say that they advise people to operate under the assumption that you are breached. there used to be a perimeter model where you can set up a wall and a moat to the marchers to use and you could pretty much keep everything out. now, it is probably not going to be as effective. so you also have to be able to say i have to operate under the assumption that there is some bad guy in my network. what do i have to do to make sure that i can mitigate the damage that it can cause once they are inside? so there's various strategies you can do, i will get into them
here. it's really not that much of an interest to you guys. but there are certain options out there, and there's a growing up that needs to occur. i will take an aside for companies that are operating in the asia-pacific. some of our responders put together what we call an m-trends report earlier this month. we found the average dwell time for a cyber espionage actor inside a corporate network in asia-pacific is around 520 days. in the united states it is about 146. so europe and, to a greater extent, the asia-pacific are a couple of years behind in recognizing the threat they face, understanding that groups are coming for their technology. they're very skilled at getting in, and a lot of times network security is pretty lax by itself. so the fact that these groups are able to stay inside a corporate network for 520 days, bordering on two years, the amount of technology and information or proprietary stuff that can be stolen during that amount of time is extremely
high.

>> will work and go away from the espionage angle and talk about information technology policy in china. i think this is an area where we saw a rapid buildout of laws and regulations. denise and the other panelists, can you talk a little bit about what you're seeing in terms of china's efforts to build up a cyber governance regime?

>> it is part of a larger trend that i find a little disturbing. that is that markets are closing in coming up with all sorts of devices, regulatory and otherwise, the ngo law that they passed, to squeeze out american firms and to build national champions of their own. particularly they have gone after IT firms, apple, and others. i think there's still some back and forth about trying to get
them to back off some of these legal devices that they have come up with. but it's a troubling trend because i don't see how they get from there to the so-called market-driven reforms that they claim they want to implement. i think it is a big, larger problem for them and a larger problem in the overall u.s.-china relationship. i think as i recall one of the reasons they came around was they were stunned at our attribution capability, that we identified which office in the pla was doing it, who was doing it, we went onto the facebook page of one of the guys doing it. so that must have woken them up and wondered what else we could do. i think there are basic tools in
foreign policy and logic, drives and threats. i prefer threats in many instances. but i think the stakes for them and the relationship of 600-billion-dollar-per-year trade relationship. there's really limits on how far they go on this stuff.

>> i would like to just add to that as well that what we see in china in the policy space is sort of a conflating of industrial interests and security interests. i think china, just like any other country, has legitimate security concerns about the products they buy and the services they procure. when you look at the design and implementation of the laws, the regulations, the policy that they are pursuing in the space, i think, at least from my vantage point, that the underlying motivation is really to advance their domestic
industry, even though they have these legitimate security concerns. this is very obvious when you look at their 13th five-year plan, when you look at statements that the former head of the cac, their varied speeches. when you look at the longer term plan this type of ideology is reinforced across the board. i think there are probably three trends that are worth noting as well in this policy space in china. the first is there is an expansion as well as a centralization of private security authority under the president. you see that across the military, you see that across the intelligence apparatus as well as the civilian government. they have fought a number of laws, number of new regulations
specifically to do this as well as structural reforms to centralize a lot of the different things taking place. i know there were at least 15 different entities across that were involved in cyber until the recent reform. another area where you see in terms of trends that will continue: secure and controllable, and some people are saying secure and trustworthy. that along with data localization and content censorship will continue. i don't think there is any hope at least within this administration of those activities diminishing. a great example of that is in the recent cyber security law, the draft that was released, where you see a broad expansion into other sectors, additional reviews and requirements. also a lot of the definitions in terms of who is covered and what types of reviews they'll have to undergo have gotten more
ambiguous. that leads me to the third trend, which is chinese cyber security laws and policies are intentionally ambiguous. they do this for a reason. they do it because it provides great flexibility. it provides the government with the discretion to determine how to enforce things and whether to enforce things to their advantage. it also, as some analysts have said, shields them from wto complaints as well. if a lot of the laws are not finalized or if the regulations do not actually have guidance it is harder to bring a dispute. there's reasons behind it all.

>> i think it's easier to look like they're making concessions
from u.s. government and u.s. industry. last year there was a lot of resistance to the banking sector regulations which would have put a very burdensome requirement for IT vendors in china's banking sector. the government says we suspended these laws; meanwhile, for a year they have been implemented informally in ways that create significant disadvantages to u.s. companies in the sectors. so i think victory at this point is something the obama administration needs to be careful about claiming, particularly in the ICT sector. i wanted to talk a little bit about the military reforms in china and a point that you raised: the president has taken over sweeping commands of the pla. i think there's two thoughts of what the
implications have been in terms of cyber activity. one is that it has caused some paralysis in the pla. that may be why we have seen a flurry of activity and the other is that it has made for a more refined targeted approach. i wonder, i think you've done some implications on the military reforms.

>> it's interesting stuff. we had a new support force and it's going to do technologically relevant skills that they had. but then that was it. we didn't hear much about it afterward. so some detail started to come out and they gave a speech the other week about how it needs to be a driving force that will be able to support the other services in the military: the army, navy, air force and the strategic rocket force. it will be interesting to watch workers. as mentioned there are a wide array of organizations within the pla that had a cyber attached to them. we had a
similar issue in the united states with the u.s. military. that's where the money is, everybody wants to have cyber in front of their name even if they are in janitorial services or something like that. to them just said, there is some slowdown but i think there's also going to be, once they figured out it's going to be an interesting thing to watch. u.s. cyber command was officially in 2009 and they're expected to have their 133 teams of the cyber force ready in 2019. that's a nine-year spread. if we can have a similar time frame with the chinese we'd expect them to get going by 2024. i don't think it will take them that long. as one of the factors we looked at when we wanted to figure out why we were seeing some of the declines. if a large bureaucracy which is also politically tightly controlled is trying to reorient itself by eliminating people's jobs and they have an anticorruption drive going on where pla used to derive some
commercial benefit from some of the things they're doing. if those things have been stamped out there's a lot of commotion going on and that could be part of what we are seeing.

>> i think this touches on another trend which as mentioned is the centralization of different actors. there's a misconception about china's political system which is that cyber strategy has always been quite centralized and top-down in terms of coordination. meanwhile you have different actors, the pla, civilian industry, academia, those competing for influence. i wonder if the panel has any thoughts about the new cyberspace administration of china. that new entity was set up in february 2014 under the administration to take the lead on the cyber security initiative. any thoughts about what the creation of this entity will mean for cyber security and cyber policy in china?

>> it's okay if not. these are
tough topics.

>> sam, you actually authored a piece of this. so it's not quite fair for us to be -- she actually authored it through csis so maybe you could answer that question for the audience.

>> sure, thanks denise. my assessment is that the cyberspace administration of china has emerged as one of the most powerful entities in the political bureaucracy in china. at the same time, there are still some internal battles that are being sorted out and not completely over, so you have the ministry of public security that has played an increasingly important role in driving these ICT policies and setting the cyber security agenda. i think a turf war between them is playing out. we saw it play out in terms of content of the cyber security law. it highlights a tension in the government which is, on the one hand you have a government that wants to clamp down on control of digital information and in
terms of the hardware, software that is involved, but you also have a government that wants to create national champions in the technology space and promote entrepreneurship and innovation. i do not think, i think that tension is being hotly debated in the bureaucracy right now. and the ministry of public security is in the mix of that debate. it's an open-ended question who is going to emerge as the more influential player.

>> i have a question actually. what do you think is the delineation between roles between cac and the new cyber security association of china? and then the new standards organization tc260.

>> it is an entity, an industry group that was established this spring
under the cyberspace administration of china. it's essentially a party-sponsored association. it includes not only prominent government entities, it includes research institutions as well as members of chinese private industry, some of the most important chinese cyber tech firms. so far no foreign members at all. its mandate is essentially to strengthen cyber security in china as you have a heightened awareness of these as well as to groom national champion companies like alibaba, and compete globally. it's still a little too early to figure out exactly what its influence is going to be within the broader cyber governance regime. we will have to watch and see when the final draft of the cyber security law comes out and
these other regulations that are still pending. are they going to have a voice, are they going to represent chinese industry? there is a myth that chinese firms are always aligned with the government's agenda on these regulations and that is not always true. cross-border data flows also hurt companies that want to go out and compete and don't want restrictions on data flows. so we are going to have to keep an eye on it.

>> if i could touch on something. the cac were in charge of it and used to talk about the concept of cyber sovereignty. the idea that a country should be allowed to control the internet, the tubes and the wires that are inside that country's borders, and nobody else is allowed to tell them how to run it. obviously great concern for the chinese. they want to make sure they know what information is flowing around, what people can see. icann is a private organization
set up in 1988 to govern the internet's addressing system. i apologize if you know. but when you type in google.com it goes and figures out what ip address it is so that your computer can take you there. so there has been a lot of debate especially since 2013 when -- decided to let everybody know what the intelligence committee was doing. they said you have the control over the internet addressing system, this sounds like a terrible idea, i don't like it. a lot of countries out there were legitimately concerned. china, russia and a couple other countries with authoritarian were eager to take the control out of the u.s. government and put it in the un, which governs phone lines and most other agreements when it comes to telecommunications. the issue with that for a lot of people including the united states government was that
having it as a un body would allow for governments to possibly exert an undue influence, especially since china has a veto, and russia, on the un security council. if addressing systems ever reach the level of a security council issue we would be in big trouble. so fortunately the u.s. government announced last month that it is supporting the complete privatization of icann. it will be this supranational organization that is run not by any government whatsoever and it gets to determine who owns .com, who owns .net, who owns what. so kind of a victory for those of us who like to have free information flow on the internet. but as bringing up cross-border flows, certain chinese companies have to be connected to the world economy in order to make money. so there's probably a disconnect somewhere between where the government wants to have more control over the internet addressing system but companies like alibaba or others would say we actually like this and
want information to go wherever we want to make more money.

>> thank you for that. i think internet governance is a topic that gets us into a broader, the other pillar of chinese strategy which we haven't talked about yet, which is foreign policy and china's role for the region globally. and cyber has a role in that. will you comment on cyber as a tool of these broader foreign policy objectives?

>> i don't know how much i can add but i think it is another arrow in the quiver so to speak. and i think an area like the south china sea where the philippines is vietnam where president has been elected they have been using it to be disruptive in getting their message across, but i also think the cyber association you
mentioned has -- your and they sort of seem like a smiling face of chinese cyber policy. they want to engage, they want to talk about cooperation, codes of conduct and that sort of thing. i do not know, i'm reserving judgment on it but i think all the things that you talked about is a work in progress and it's not clear where the ball will land. i think the more pressure we put on them, probably the better in terms of what the results will be. i think in terms of industrial espionage i think they're trying to be more discreet and discerning rather than a full-court press they have done in the past. i don't think it's over. i think the overriding goal is
still modernizing the chinese economy. i think the concern is that they put forward an agenda of where the market was supposed to be the determining factor and that seems to have fallen by the wayside and the state is clearly the determining factor instead of what we're hearing about his consolidation so if you end up getting a crip state any bigger it would make a difference in his behavior.

>> i want to focus on something you said. you talked about cooperation and collaborating on a code of conduct. we've been quite pessimistic on this panel. are there areas for collaboration and cooperation in the cyber realm with china?

>> i think there is room for
more detailed codes of conduct. i think there are some basic, i don't want to draw out the analogy too far but there is an analogy to nuclear deterrence in that both sides have agreed not to attack each other's critical infrastructure. i don't know how else you could apply that type of logic to, but i also think the more china develops, the more vulnerable it gets, and this major vulnerability i think cuts across the strategic relationship with china. i guess the way i look at it, it took us about 20 years with the soviet union before we had our strategic framework. i think we are in the early phases of trying to develop one and i think cyber is part of that, but it's nuclear, missile defense, it's a range of strategic issues where we had no understandings of china whatsoever and now if you think about how bad our relationship
with russia is, we still have a certain amount of predictability from arms control agreements that we have made in the past. we do not have anything like that with china. it's all very uncertain. i know the u.s. government for a long time has tried to push them on strategic dialogue. i think as soon as -- i'm just noticing the traffic of the chinese, with people coming through here, with one person came through here recently, i did a project a few years ago and extended the terms and they developed a strategic framework and they all kinda looked at me like i was smoking something. and this guy comes in now and says we need a strategic framework. so i think there is a learning curve. i think it's going to take a
while and i think cyber is probably the larger strategic framework that we have to develop. i don't have any illusions about anything happening overnight.

>> i'd like to make one comment about the norm on agreeing not to attack each other's critical infrastructure. if you actually read the text in the fine print it says -- i think it is pretty safe to assume that if you are attacking each other's critical infrastructure, you are somewhat in war. we're talking about, i'm not sure about the value of that particular norm if we're going to call it a norm at this point. i think it's a step in the right direction, but it's obviously attenuated by that condition. the chinese and the u.s. have an ongoing dialogue as robert mentioned, where they are trying to establish some standard operating procedures in terms of when there is a crisis, when you
need technical assistance who do you call, what are the hotlines and to exercise those means of communication. i think that is helpful. but at the end of the day, the real sticking point between the u.s. and china in making a lot of progress on cyber norms is the issue of internet sovereignty. the fundamental disagreement about whether or not states have a sovereign right over the internet and the ability to control the type of data that flows over the internet, how it is secured and regulated. that i think is a barrier to making progress. >> i wonder how sustainable the chinese policy is. if their overall goal is to have a knowledge base in the way of the economy, how do you do that and have complete control over everything? is the antithesis of. i think it i don't know how it's
going to come out. so far i've been disappointed. everything i see going on is going the wrong way towards more control and less innovation. then intimidation. if you're a chinese decision-maker in the military or the state enterprise or -- you're free to do anything. there is a fear because they'll sit there with the cam corruption campaign after you they don't like what you're doing. >> i want to take time to open the floor to questions from the audience. we have touched on a lot of different topics. any questions? >> i'm with the atlantic council, thank you panel. i
would like to reverse the bidding assuming this was a conference being held in beijing on american cyber espionage. the reason i ask that question is the couple accompanies on his board i sit said to and things i'm interested in, some are brought in some joint tenures. i think it's not with china russia it's from competition in the united states, in europe, and, from disgruntled employees. when we report this to authorities we get a big shrug saying it's too big a problem. how would you compare chinese hacking with domestic hacking in terms of being a menace to u.s. corporations? >> i think that -- certainly the u.s. has a specific law on the books that they will not conduct commercial espionage. virtually every other company doesn't with their intelligence services. or suspected of doing so.
certainly given the attribution challenges that some people have had there is a possibility that competitors might say i'm going to go hire this company over here and break into my competitor over here, steal some stuff and make it look like the chinese did it. boom, done. despite that being highly illegal and stiff penalties for doing so, you have to be able to prove that actually occurred. the burden of proof in cyberspace is very low. in cyberspace there are so many opportunities for running false operations to make it look like somebody else did it come into a level of evidence that would stand up in court is extremely difficult. you have to look at the agreement though signed between president obama, we're not going to support cyber enabled espionage for commercial
businesses. if you can prove those things you have a violation. but i think it's challenging to do so. criminal actors have gotten extremely good. they've looked at what some of the nation-state groups have done, the way they've organized themselves, they have formalized hacking systems, they have walls they erect between the people who are on the keyboard and the people who are financing it over here, the rise of digital currency, bitcoin is the one everyone knows about and has made this wildly profitable enterprise. it's kind of interesting that a lot of the bitcoin mining and storage goes on in china so that's another issue for the government and they need to figure out why we need to keep control over currency. people are doing a lot of crime over there, china has the largest internet market by far, plenty of opportunity for stealing people's payment accounts from whoever and buying whatever you want.
i think you are right in saying that the nation-state actors get more press, in terms of total volume of damage criminals are probably doing more. >> other questions? >> i have a question about the supply chain. there was an issue with the routers that had to do with china and i know that like you said the hacker could be in a corporation for over 500 days before they are caught. now, i will bet there's a lot of routers that have still been compromised, has that been addressed? i do not even think china might know what ones are still compromised. so how has that been resolved? there are so many of those area thank you.
make sure that it's all from somewhere and no doubt it is a big challenge. >> since no one else is asking, this may not be relevant to this issue but right now the big cyber issue is intervention in the u.s. election, would anyone like to comment on that? [laughter] >> i hear there's some pretty run-of-the-mill political espionage activities and, you know, i am sure this is a pretty well-informed crowd. folks know that in terms of political campaigns, they are fair game in terms of espionage. it's the release of the data that was collected to sort of
shape and influence the u.s. election that is obviously more concerning. putin was interviewed by bloomberg a few days ago where he said he denied responsibility for the dnc that he said isn't d is a public good? why aren't we even debating who actually conducted this attack? let's just focus on the fact they did something good for society. and so i think that's a pretty good indication that they are probably involved and behind it. it seems almost an admission in some ways. this type of stuff is really hard to deter and figuring out how to respond to it is difficult. the administration is still
trying to figure out how to respond and looking at a lot of different options to game those out. one of the biggest challenges is attribution not because they haven't determined that it's the russians but because they don't know how to publicly provide attribution. people talk about attribution has gotten better and we develop better tools. that's right but it's not necessarily reverse engineering code and looking at the data analysis. it's using all different sources of intelligence. there is a sources and methods problem and that's why we are able to fully attribute publicly and to do any type of activity like indictment, for example, we need to have public attribution, or official attribution. we need to have all the evidence
and articulation of how we acquired the evidence. that's a problem. so i think there are multiple layers to this in terms of coming up with the right response and what is an appropriate response, i think they are much more difficult to deter. not because we don't know, but because of the question of how to publicly attribute. >> i could give you more of a tactical view of the way that i see it and that is the russians are significantly skilled enough if they didn't want us to know who did it they could have known who have done it. they use tools that we know are used by other members of the russian intelligence services to break into the organizations in the dc area that seems they were careless and didn't care or they wanted us to know. the fact they came up with this moniker and 2.0 version who
claimed that he found the private server, there are too many different things that it almost seems forced to say we are coming up with this persona in the internet and we are not expecting you to believe this but if you do, that's too bad for you. and so, looking at this and saying they want us to know we have all this information about these capabilities gets mentioned deterring the physical russian forces whether it is a plane or tank division, we know how to do that. we haven't figured out how to deter in this other domain we are not particularly comfortable with. this is information flow and everybody doing things however they want to feel like we are going to restrict that somehow, that's something that we are prepared to do.
>> i'm a senior at the university. i know over the past 30 years in the research and development funding there've been parts of the country and europe and asia-pacific areas. i was wondering if you could help me and everyone if there's areas we can improve on to improve on cybersecurity and increasingly to get kind of ahead of the game whether it is just focusing on funding and security and things like that if you could touch upon it that would be great. >> this is an issue that i've been looking at. when you look at innovation in cyber technologies, you find a handful of technologies that can
practices have been in existence for well over a decade. and the innovation that takes place in the industry on that is how to basically deploy or implement those practices. that's what all the companies compete on. when you look at the capital investment firms and startups, they are looking at companies that can do it better, faster, cheaper. that's great but also misses the underlying root causes of the problem. there's not enough private money going into funding the development of technology that could have game changing effects on the security and resiliency. that is the role of the government in some ways because it is hard to realize the return on your investment in a period of time that you can justify making that investment as a private entity. so you have the organizations
that are making investments in this space but there's something that we call the transition valley of death and that is after you've developed a prototype, after you've developed a product, using government money it is almost impossible to transition back into the commercial practice. it's already difficult to transition the technology to government even when the government has to spend money building it. so we need to be focusing on efforts to bridge the technology valley of death into transition. and i would argue government should take a page out of the playbook not necessarily in terms of the entities they are investing in but how they do it. they are sourcing startups, for looking at which technologies are promising but they are not just doing that, they are looking at the teams of people.
do you have a person on the team that does sales and a person on the team that can get you access to the marketplace? you are building a product team, not just getting desperate people to develop the technology. not only are they doing that but they are getting validation from outside. big companies to validate so they can commercialize the product. that's what we need to be doing with more government sponsored programs, thinking about how to put together smart people to not only develop the product but make sure that it successfully transitions to the government customers as well as the private sector. you are right that spending has gone down. i think an easy thing for people to say is we should just increase funding. if you compare the funding that we spend now, national security or defense related technologies compared to the cold war, it's a fraction.
i haven't calculated the numbers, but it's significantly lower. a lot of the major technological breakthroughs happened during the cold war because of the amount of the investment. we are not in that type of environment anymore. we have to think differently about following this problem. so, that would be my advice. not necessarily increasing funds, but bridging the technology transfer and building smarter and more versatile teams. >> it's interesting because the chinese government is having this same debate and discussion right now around the 13th five-year plan where they come up with a list of strategic industries that are targeted for more state support, more investment in r&d, and the question is i had a conversation with a friend of mine in china about how does this 13th five-year plan lead to innovation in the sectors when there is a heavy hand of the state capital
allocation. and indeed in china right now they are thinking about how can we take it to the next level and commercialize these technologies and they are thinking through the same challenge. so it will be interesting to see how both of those on the u.s. and chinese side will grapple with the same issue. >> hello. i am jack lipinski, a former software developer. my question is about open source technology and transparency. do they give an advantage to the defender or the attacker or does it level the playing field or have no impact on whether it is easier to defend or attack? >> i would say there is a debate about that right now. the one school of thought would say open-source technology means everyone can see the backend code and can get the wisdom of the crowd in finding the bugs
and vulnerabilities and that is where all the software and computer problems stem from in the first place. the other side is that everybody knows the code and if there are bugs and people can't necessarily find them fast enough, it's easy for them to find a particular vulnerability they could build a tool to exploit. and the software code, it's getting longer and longer. i think i saw a mercedes-benz the other day that said this car has ten times as many lines of code as the commander. the fact that we have so much is scary to me that it's getting longer and the number of man-hours that it takes to go through and find problems as an open-source tool make open source a benefit to the attacker who will look through that code all the way through however if you're microsoft windows or something like that, it would be harder to find those problems as it gets
bigger. >> another problem is the issue of responsibility. some open source code is reviewed by a lot of people. then there are many libraries that don't get reviewed for vulnerabilities because nobody's being paid to do that. so there's a discussion about whether through the dhs there should be some sort of a fund that enables them to go through open source libraries and look for vulnerabilities and connect patches. the answer isn't so binary i guess is what i would say. >> in the front. >> thank you for coming. i'm a freshman and thank you for taking my question. one of the biggest things in the industry is quantum computing where we spoke around
$600 million of investment. also in the technology industry including google and startup firms and i was wondering if there's any chance this will raise the stakes between the chinese and u.s. governments or just keep the stakes where they are right now except it's just a technological advancement? >> -- there's a race to acquire quantum computing capability and i would say the most cutting-edge developments are taking place in parts of this government and country that do not get reported on in the news and where the budgets are not necessarily made transparent. so i think it would be difficult for us sitting on the stage to articulate where the sort of
order and how that is and how he would compare. i think the u.s. is probably the leader. i hope it is. the chinese claim to have launched a quantum communication satellite a couple weeks ago. they did launch the satellite but it doesn't have the full capabilities that you would need to fully call it a quantum communications. it's a nice first step and there won't have to be a lot of additional research and development before they get any use out of it. >> i think also there's still some debate in the technology community about the possibility and what the capabilities would be in the real world?
>> thank you for putting this together. the first thing is there's an issue othere is anissue of encrs good to me the second issue is we are going to have a new administration so where are the three or four issues that you advised and tell us to focus on and how was this the most advantageous and successful to bring the relationship forward. >> i don't think we are going to do anything on encryption unless there is a commitment to
directly tie it to the use of the encrypted communications platforms. i don't think there's the political will for it and i don't think there's an appetite for the industry and i don't think we have very good sensible solutions either. the fbi law enforcement community has been talking about the need to gain access to the encrypted messages for the number. in fact something people often don't realize is in 2013 they have put together a proposal that they were going to push on the hill and they decided not to do. something else happened because
they decided to wait. i don't think we are going to do anything because frankly we don't have good solutions right now. no one has articulated a framework that could actually work domestically and internationally. it's hard to make progress where there is a huge market for mobile and that is the future for the mobile industry and what they decided to do both certainly have influence over
how they put their position on the matter. in terms of the next administration should do. they need you to adopt new technology. he just knew where technologies. that should be the first goal. there's a number of topics that include a lot of attention including how to enable companies to protect themselves. these had this debate and i don't think that is a useful way to describe this problem. what we need to do is figure out how to enable companies to
provide and that isn't going out and breaching other organizations that may be other types of activities that operate in this area so .net is a great example where the companies are concerned about engaging with that company and i think rather than sort of articulating what t those activities should be on the stage here the government ought to consider putting together for information sharing. when dod put together their information it was kind of a first of its kind and now the information sharing is a mainstream topic. it's what every energy sector is investing in and a lot of that
goes back to the defense department's effort. it affects success right off but it will establish the vehicles and helped build a lot of relationships within a trusted group to get information sharing to where it is right now. i would say we ought to consider getting critical companies together and establishing a pilot program. what types of activities can they put out for self-defense. >> because the chinese are watching the debate quite closely in the process of forming their own laws and regulations. he thought the perceptions of what's coming down in terms of the chinese encryption policy. it's not very obvious from the outside so it's okay if the answer is no.
>> they have their encryption law which i don't think has been implemented. >> there's still some pressure. they are the encryption products where it's the core function of the product and i highly regulate it. their smartphone encryption. we haven't seen them fully implemented yet and we don't know how that will play out. it is an internationally
recognized standard at this point so all the documentation details have gone through public review but there is still concern about a sort of backdoor. obviously the big question people want answered is what about apple, will they continue to do so in china. i don't know the answer to that. i know when you look at chinese smartphone you see it as a tiny percentage of their user base. it's the vast majority of what people are used to communicating
when it comes to the mobile platforms and those do not offer anti-encryption and when you look at the type it's a wealthy group of people not necessarily that those in the government. these are people who can afford to buy the expensive device so it may be companies like apple are flying under the radar right now because they are not predicting significant problems in the government. when they do, that might change. >> i guess i would say you either give all the encryption.
there is a lot of useful applications of encryption anytime you want to send a mail if you don't want anyone else to read except for google these are things the encryption is a fundamental technology and blaming somebody. there are ways you can get around encryption in the communications protocol that happens to be unencrypted. you can tell in the content of the message. if we talk about the application we can't read the encrypted bits and pieces fundamentally banning encryption is a dangerous road.
they look at the u.s. and see if thhave savedthe u.s. can get aws if china decides and encryption ban is going to take place and they can no longer complain. to pay back this may be something they are hoping for. >> that's maybe another avenue. government access is about encryption. the next iteration is law enforcement hacking activities.
that's the direction we are moving and they could think a little bit more about how to govern the activity. >> we have time for two more questions. >> i was wondering if you could comment on the cyber. the rest comes from the community and there are cyber criminals and they've been conscripted. do they utilize the same services and pay differential between the public and private sector.
>> that something i think i can comment on. >> time for one more question. president obama was just in china yesterday so how do you think the -- they've written president obama off as a certain extent and the climate change is when people like because it has no enforcement or penalties. they've been dependent for about
67, 70% and it hasn't changed very much despite their intention to do so. it's good to have a goal but i'm not sure we have the wherewithal to reach it. there is a slathering of global issues, counternarcotics, a number of other things that are limited and cooperating on. the general relationship wasn't reduced to. and i admit i kind of find the
chinese behavior a little confusing because they know whoever wins that's what they had with obama said the fact there might have been an interest in locking. there is some exception that seems to have made some progress. >> thank you for coming today i think we touched on a lot of important issues. the agreement last year was an important milestone but as we have seen from the industrial policy, internet governance, there's a long way to go and we will continue to watch for signs of future progress. [applause]