tv Key Capitol Hill Hearings CSPAN November 15, 2013 11:29pm-12:00am EST
like very much the way you, barry, you pointed out about the issue of hedging against russia when you said you americans' main concern is about a declining russia, which, obviously, is not going to be deterred purely by a military hedge, but with sort of an array of means and on one hand sort of credible, clear-cut military capability. on the other hand, a political outreach to russia. even if the president at the moment, the circumstances are not the most favorable. the issue -- so my take on the relationship between deterrence and collective defense would be we should deter when we can.
when we cannot deter, we have to think about collective defense, but the point is this defense has to be collective. nato has been defined by values and by common goods, security being a common good, not by the threats or the challenges. what i mean is, whatever the challenge, whatever the challenges, the common good we want to protect is the same. so in that respect, we have to be able to interpret, not even extensively, but to update the concept of our attack. the part made here about no military warfare being possible today without cyber dimension, about space, it's a clear case for considering these dimensions
as part of nato responsibility. it may well be that some of them require nato to work with other organizations or other forums, but there has to be -- they have to be present also in nato. the bottom line about where we can deter and where we cannot deter is westfallion plus international environment is two stages. even if the most democratic one and the most authoritarian dictatorship, to some extent, share the same language. they don't share the same
values, but they share the same objective, preservation, territory integrity. but this, when we talk about terrorists or pirates, for instance, the movie which is just out, "captain phillips," the captain and the hijacker do not speak the same language. they just talk, and the movie is very well done, because not sympathy, but empathy that makes you understand what makes those pirates tick. so when they -- and we face this problem mainly when we do not have a physical control of territory. and this account, which is my point, we cannot deter
asymmetrical threats, but we can address at least some of the root causes, and say not always political accent, that create the asymmetrical trend. and without going into much of that, at least one called intermediate cause, which is a fail state, to the extent we can prevent the fail state, we set a limit, the possibility of asymmetrical threat. we see that in afghanistan, we see that in somalia, i'm afraid now the risk has moved very much to north africa. while the u.s. may or may not
have that to asia, i think, al qaeda and associate people to africa for a very simple reason, because the arab springs or the arab awakening have created situations where there's a potential for failed state or at least large part of land where it is not controlled by any state authority. so here i come to your question about the mediterranean, damon. i certainly think that nato has to think about that as a possible source of new threats, and a threat which is not simply a threat to the southern flank of nato. it's a threat that effects the entire -- i would say, the entire atlantic area. there might be also some reason
to think about, because we cannot sort of dump all the greater middle east in the same heap, northern africa have some different dynamics. and there could be, especially when you talk about africa, more in association. i hope this answer your question. >> thank you very much. thank you for that. i want to pick up on a couple of things that several of you said and come to jay on this point. i think the way you teed it up, ambassador, the way i'll punt it to jay, is how do you apply
mackiavelli to cyberspace? how do you create the fear of punishment? so as we turn to jay, we heard from svein that it's inconceivable where cyber would not be among the fronts. we've heard the concern about the fear that they can be caught as being the essence of deterrence and how that applies here, and we've also heard, for those nato nicks in the audience, the potential need to update thinking about what an armed attack means. if you read the washington treaty, article 5, which says an attack on one ally would be considered an attack on all allies, also says an armed attack. what does this mean? what does the cyber domain mean in terms of the alliance for the future? >> great, thank you, damon. also wanted to thank nato. the organization itself, as well as everyone that's helped make it strong. yesterday was veterans day,
remembrance day, and hopefully, because of nato, we never have to create another holiday like remembrance day to think of such a terrible war. and, frankly, i think the nobel peace prize probably went to the wrong organization, but thanks to nato and hopefully, we can prevent that from ever happening again. so to pick up on cyber, everyone is supposed to say oh, cyber, oh, cyber, because that's what you're supposed to do, right? it's this new, challenging area. i want to help put some of that to bed, i hope, and show that a lot of nato's traditional strengths, traditional areas that were strong and are going to serve us much better in cyber than we've really been led to believe. so when we talk specifically about cyber deterrence, i made general cartwright's eyebrows go closer together, that means i might be in trouble later. when we talk about cyber deterrence, the main things that people are going to talk about and say, well, cyber deterrence is practically impossible because it's such an easy
capability, two kids in their basement can constitute strategic capability. all you need are computers and the right brain and how could we ever deter that? or we'll never know who's responsible for it. you can't prove who did it, and, therefore, you can't deter it. or it happens at the speed of light and you can't warrant it, so how could you ever deter it? and there are several more of these that we can go on that constitute, i think, the main pillar of thinking on cyber deterrence, but all of those are over here on the technical side. it's looking what happens at the level of tactical combat and extrapolating it to say that it's the whole of conflict. and we don't have to do that. it's like saying that what happens at the level of missile defense, you know, and how fast an engagement could go or the level of aerial combat, because
a dog fight happens so quickly, that, therefore, you could never deter an adversary from sending their bombers that could go nearly at the speed of sound. what happens at the tactical and technical levels within the domain, we've just said that, therefore, it's completely impossible. and that tends to be the strongest. as david mentioned, we just finished our first military history of cyber conflict called "a fierce domain," and what we saw when we look at what are cyber problems, not just as -- this is fred telling me to stop pitching my book, and fred kempe is the last person to tell you to not pitch a book. >> i think this may have been our own cyber attack here at the atlantic council. >> and when we look at what's happened to cyber, not just as crime, not just as a collection of individual cyber attacks, but as actual conflict, and how else
should nato look at cyber other than actual conflict? we find that all of these technical things, speed of light, you never know who's responsible, it's so difficult to warn about, two people in the computer constitute as strategic capability. none of that, it's true at the technical level, but it's not true at the level of conflict. because what you found when you look at it as conflict is that it overwhelmingly takes place within existing conflict or an ongoing conflict between existing national rivals, which means that all of these technical truths fall away, because you're generally going to know who's responsible, because it's going to be the country that you're involved with an existing conflict about. anyone that was confused about estonia in 2007, people would say, oh, it traces back to 178 different countries. we couldn't possibly tell who's
responsible for this cyber assault on estonia. they are looking at it over here at the technical level. if you want to see past that to the political truths behind that, it does not have to be difficult. nato might make it difficult, but that's different from the dynamics of the underlying conflict. likewise, the cyber attacks are easy to warn about or they are more easy to warn about than we've been told, because you don't have to stare down the wire looking for the evil ones in zeros, you can look at the overall dynamics of the conflict, the geopolitical realities, and the geopolitical realities are that cyber attacks, cyber conflicts, tend to follow physical conflicts and physical attacks. if you see a protest at the world bank, you can expect there's going to be an online protest at the world bank. if you see an ongoing conflict in the east china sea or south china sea, a dust-up over natural gas deliveries in
eastern and central europe from russia, you can guess that there's going to start being a cyber conflict or a cyber component to that, as well. you don't have to treat it as some new, dark, mystic thing that's different from cyber conflicts that have come before. so what we found, and this is incredibly important for nato, is that the more strategically significant the conflict, the more similar it is to conflict in the air, land, and sea. so the -- i'll say that again, the more strategically significant the conflict, the more similar it is to conflict in the air, land, and sea. so one reason why deterrence seems so tough now, or why cyber seems so tough now, is that we're looking at these collection of individual incidents and racking our brains over how to deter these, when these are individual incidents that are probably not getting into nato's typical lanes where
we work with. i'll summarize that point when i get to the end. i would contend to close out the main point that cyber deterrence is, obviously, working. people that say that it's difficult or impossible are focusing on the technical or they are focusing on these day in, day out incidents. maybe they are focusing on espionage, but for disruptive attacks, especially the most strategic cyber conflicts, i would contend the facts show, the history shows, here's where i hold up the book, the history shows, $9.99 on amazon, the history shows that cyber deterrence is clearly working. because we've been talking about a cyber pearl harbor since 1991, over 20 years since -- i'm sorry, over 20 of the years we've been talking about a cyber
pearl harbor for 20 of the 70 years since the actual pearl harbor. clearly, there's a different dynamic going on. so what we see is that countries willing to spying one another, they are willing to have proxies that can conduct attacks on others. they are willing to maybe have low-level cyber attacks on one another, but we haven't seen a big nation use real cyber, really destructive or disruptive cyber capabilities against another big nation. you haven't seen big nations use really disruptive cyber capabilities against a small nation outside of an existing conflict. you know, it's not out of the blue, it's taking place during existing tensions. so one of my colleagues says, well, you can't call that deterrence, you have to call that restraint, that we're not willing to go above a certain threshold.
fine, call it restraint, but what you're seeing is nations are acting extremely similarly in this place than they do to others. they are not willing to do big, disruptive attacks on one another, because they fear getting caught, they fear getting punishment, they fear that attribution might prove a very thin veil once people start to die. so i would say nato going forward needs to look at three separate areas, and this gets to barry's point of who and what are we trying to deter. first, is we have today's issues, espionage, large levels of cyber crime, proxies by some countries, but that's not real cyber conflict the way that we've tended to think about it. today's problems tend to be -- call it hostilities below the level of cyber conflict. and how nato is going to be getting involved in that area.
and that, i think, can be tractable and nato has been doing a good job at improving their own defenses and the rest. second, you got an area where we might some day really have a cyber conflict. because that first year what's happening today is never going to get us to an article 5. second, if we get ourselves into an article 5 situation, it's not going to be from a bolt out of the blue cyber attack. i would strongly -- i would guess it will not. it's not going to be some spooky way we get there, it's almost certainly going to be there through existing conflict through normal national power rivals that happens to escalate in some cyber fashion that you've got a massive impact to gdp, far larger than we've ever seen today from a cyber attack, or we have dead bodies, which we've never had from a cyber attack, which i can find. it's going to look like a normal article 5, which radically simplifies nato's planning to get to this. and last, my closing point that
my colleague makes a lot, when we talk about cyber deterrence, especially in the united states, we always tend to think that we're going to be the ones doing the deterring, and especially with our level of strategic vulnerability, i think within the united states and ultimately nato as a whole, needs to look at how we might be getting deterred, how we can make sure that we won't be the one deterred from getting into a conflict. how we can stop others from deterring us, and that means, how can we -- means, in addition to other things, how we can make sure that nato's systems and our societies can survive the first strike from the adversary, because this doesn't happen speed of light. cyber conflicts tend to take place over weeks, months, or years. so what we want is to make sure we can survive that first strike so we can get into the place where we're good. we're democracies, we tend not to be good right out of the box, it takes awhile to warm up. we need to avoid something like
a six-day war, where kind of lost in the first morning in the early air strikes, to make sure that we've got time to warm up. and i think nato's been doing pretty well by focusing on defense of their own systems as a strong first goal there. thank you, damon. >> thank you, jay. let me just pick up real quick before we bring in the audience. we have time for discussion. as i look across the audience, there's an inordinate depth of nato expertise here, so i want to bring in the conversation to hear from all of you, but here at the atlantic council, we actually went out and recruited jay precisely because we were hearing from many of our allies and partners a concern about the disconnect between potentially how fast and how far the united states was going and where its closest allies were, both in concepts and capabilities, and
that was sort of the purpose of standing up cyber statecraft initiative here at the atlantic council, how to keep our likeminded partners in sync of how we're going. we're here having this conversation in the wake of yet another round of headlines that keep sort of the issues and the cyber domain with snowden, the nsa leaks, as a source of tension, perhaps, in the transatlantic space. how -- how do we make sure that what we're doing, first of all, you talked about national versus nato capabilities, and there's quite a distinction, how do you incorporate cyber into defense planning, making this a sort of a real strength for the alliance, unity of the alliance projecting outward, rather than another source of tension and division that can be used by external actors to play, divide, and conquer, if you will? >> there's, i think, a couple, maybe three solid areas. one, i think within the d.o.d., just getting to accept that nato has a strong role to play in this, and i think focusing on actual article 5 and improving
their own will help there. i've heard too many defense officials, even at too many u.s. military cyber officials, even at nato events, downplaying the role of nato. one of our four-star generals, he wouldn't come out and say it was russia responsible for estonia, he wouldn't come out and say that china was behind the espionage, even though the president would say that, so he was diplomatic about that, but he actually couldn't find anything nice to say about nato and cyber, and that's just -- that's just putting us in the wrong direction. second, i think we can deal with our classification schemes. right now, we so highly classify this in the united states, it completely limits our ability to have a debate, even within our own country, and it especially makes it difficult for working with our allies. department of defense has, you
know, there are computer vulnerabilities that have to get patched. the d.o.d. version of that is something called aivas, and we wouldn't even share those f.o.u.o. with our nato allies for awhile, it took months and months to get this approved, and they are for official use only. and the comment that i heard, why do we need to share this? oh, and it's just the wrong way of thinking about, and i'm afraid that's only going to get worse now, post-snowden, that we're going to continue to clamp down ever further on that. third is, we're coming out with some additional ideas on -- i'll only focus on one and it's really frank kramer's idea, he said nato's been in this place before, for example, looking at the nuclear planning group, of a capability, especially looking at offensive capability, a few nato allies have, but it gives everyone a voice and a stake in this discussion, and it's
thinkable to have that on the offensive side, that the allies that have offensive capability can come together and talk about how that might be used. if we come up with another out of area operation, we might need something like that, so that we can talk about it, we can think about how to bring these national capabilities best to bear. for sharing defensively, i think the things that the alliance has been up to, increasing the capability of the insert, having the emerging security challenging divisions, are all going in the right direction. >> terrific, thank you, jay. as we get into the conversation, we have the ambassador of estonia, we have general cartwright, others that know a lot about cyber, so i welcome your comments on this. let me remind the audience that we are welcoming, encouraging your tweeting today.
for the whole throughout the day we're using #futurenato, so feel free to tweet away, and on your agenda, you'll see the handles of each of our speakers, as well. to kick off the conversation, i'm going to turn to carlin almond, and i want to field questions to the panel, is there almost a little bit of a polly anna-ish attitude, we've heard about the strategic level, about an actual work plan, but is this doable given where we are financially, as well as politically? harlin, please, pick up the ball, if you can catch my eye, we'll get a microphone for you, and even if i know you for our television audience, say your name. >> first, many thanks to the panel for a really excellent discussion, and i particularly associate myself with svein's remarks, i think you're actually right and maybe you should put your hat in the ring for a second chance.
my question really is a provocation. i would assert that deterrence is a concept of the 20th century and really isn't relevant to the 21st, and i think the panel by what they said or didn't say may support that contention. now, the question is, what would take its place? i would also observe that perhaps the two most important things that nato can do and can arise from the coming summit have not been mentioned, one, support t-tip, and, two, support some kind of argument to rally domestic support, because the most crucial issue, in my judgment, is that we're lacking domestic support. i just came back from yet again another trip to nato, and this is really missing in action. so, it seems to me to follow on what svein said, and this is extremely difficult, because nato remains, whenever what we say about it, a military alliance. should the issue not be collective security and not collective defense, and if we could make that switch without too much language to go along
with it, it seems to me that that would be ambiguous enough to bring into play all these other issues that are so important, but which individual members have some difficulty in dealing with. so, should we not be looking at collective security, rather than collective defense? >> got it, thank you. i'm going to pick up a couple of comments, i've seen a lot of hands. let me come up to the front here. lisa, then come to these two here, as well. >> thanks. i'm lisa aaronson, i'm at the council, visiting fellow from rucy london. all the presentations mentioned the importance of credibility to deterrence, but nobody mentioned afghanistan. i'd like to just ask, i think this is understandable, damon's mentioned several times we want this next summit to be the first one looking forward and not necessarily a focus on afghanistan, but i'd like to ask the panelists to reflect on how to integrate efforts on big
questions from afghanistan, whether that's spending commitments, mechanisms for managing cash flow, stainability of the ansf, or status of forces agreement, integrating partners into the post-2014 afghan mission. these are all very sensitive issues, and it's important for nato's credibility, especially given the risks of ungoverned space in afghanistan, or even possibly a terrorist attack being planned there from the future. so how do we look forward for deterrence purposes, but also keep enough attention on isaf? thanks. >> i'm going to make a point to add to lisa's question, because she's being polite in some respects, if the best recipe of deterrence is success and credibility and the afghan mission is not seen as that, it's seen perhaps as a failure by many of our publics, isn't that at the heart of how getting that right, isn't that at the heart of how you sustain deterrence going forward, or how do you fix that conundrum?
and we'll take two questions right here and come back to the panel, please. yes, both of you. >> thank you very much. for such an educated discussion. i'm with the american league. the world is going through a constant transition. and my friend, barry pavel, mentioned about russia because of the system and then virtually nonexistence of democracy and then because of technology, so much of gas reserves are coming up and they are going to go down. they can't bounce back.
my question is that nato had been doing a lot of fighting in many area of the world. does nato have the capacity to act unilaterally without leadership of usa to prevent low-intensity conflict and resolve them? and turkey is a member of the nato. could somebody educate me on this? what were the glitches that we could not become a member of european union at the same time? thank you. >> thank you, sir. that last question is the topic of a whole other conference we've got running as well. just to his left and we'll take the last question and come back to the panel. >> thank you. my name is dr. lydia gastopolis. i represent the cyber security forum initiative.
i oversee our mission in europe. more specifically in the mediterranean. as we deal with cyber issues, i've been engaging the communities there with cyber. i have a question regarding austerity and our cyber allies and helping them out in the era of snowden leaks. what i found is many government officials, military officials have said they look up to the u.s. and the way we do things. they respect our strategy and our efficiency and effectiveness. however, when it comes to cyber security now, many people are standing up their commands. this is a sensitive national security issue. seeing some of our nato allies are standing up their commands, how can we help them in a way that would not infringe on the sensitivity standing up to cyber command considering the snowden situation? >> terrific. let me start with you. let's take the first two questions because i think harlen asked a fundamental on