Dissonance: Conflict & CyberSpace: Emerging Norms & Challenges

Dissonance: Conflict & CyberSpace: Emerging Norms & Challenges


My name is Joel Iverson,
I’m with Information and Technology Services
here at the university. We would like to welcome you this
morning to this Dissonance event. This Dissonance event series is actually
celebrating its one year anniversary two days ago. A year ago we had our first event,
it was Apple versus the FBI. It was panel of discussions available on
our website if you’d like to watch that or any of our past events. We’ve had a total of five and we’re very excited to bring this
panel of discussion to you today. It will be the last panel discussion
we have for this academic year. And we have Tim Maurer here to thank for
helping organize the panels and Tim will be serving as our moderator. First, I’d like to thank
the organizing groups on campus that have helped the Dissonance
series take off in its first year. The Bentley Historical Library,
the College of Electrical Engineering, Computer Science Department,
the Law School, the College of Literature, Science, and the Arts. Information and Technology Services, U of
M Privacy and Technology Law Association, and the School of Information. And today’s event is called Conflict &
Cyberspace: Emerging Challenges & Norms. Tim Maurer is a fellow from the Carnegie
Endowment for International Peace. And has also been the visiting
scholar in the Ford School. And he co-directs
the Cyber Policy Institute and his research focuses on cyberspace and
international affairs. Tim Maurer.>>Thank you very much Joel,
and thank you all for coming. It’s a pleasure to be here on
this beautiful day in Michigan. Which I define as, if there is no snow,
it’s a beautiful day in Michigan. I’m very excited about this event. And I think we have a terrific panel that
brings together different faculties from the university. And we’re co-hosting it with the Carnegie
Endowment which is based in Washington DC where I spend most of my time. And I would now like to jump into
introducing you to the panelists. We will have a panel discussion
that will last about 45 minutes and then we’ll open up to Q&A. So if something pops up during
the conversation that you’d like to ask or you have prepared questions already,
please reserve those for then. If you could turn off your cellphones and also be aware that this event is
being recorded and live streamed. So just, when you ask questions please
make sure to identify yourself and to let us know what
brought you here today. For those on the live stream, apologies
that we are starting a little early. I was alerted at the beginning of
the event that Michigan academic time is ten minutes delayed to the time on
the clock for the event itself. So we wanted to make sure to give students
enough time to join us this morning. With that, let me now introduce you
to our distinguished panelists today. To my left is Professor Alex Halderman,
who’s a professor at the Computer Science and Engineering department here
at the University of Michigan. And director of the Computer Security and Society Institute here at
the University of Michigan, the center. Alex focuses on computer security and
privacy. And many of his papers that he has
published in the last several years have won the award for best paper at
the conference they were presented. And I think, most important for the event
today, Alex has focused on the question of hacking of election systems long
before it made front page news. And was actually trying to raise
the alarm bell around this. And then thanks to events last year, I
think has gotten a lot more attention for the important research he’s
done in the past few years. To his left is Theodore Nemeroff who
is a senior advisor at the Office of the Coordinator for
Cyber Issues at the Department of State. His office is the lead in the US
government with large for developing a strategic framework for
international cyber security. Teddy was working at a law firm in
Washington DC prior to joining to the state department. And focused on national security and
telecommunications law in that capacity. He is a graduate of Columbia University
and also worked at a democracy NGO in South Africa before joining the State
Department and focusing on cyber security. Professor Bob Axelrod is a professor at
the Political Science department here at the University of Michigan and
also at the Ford School of Public Policy. His accomplishments are too
numerous to recount all here. But he is the Walgreen Professor for
the Study of Human Understanding. And among his many
accomplishments includes winning the MacArthur Genius award that I
think many of you are familiar with. In 2004, he received the National Medal
for Science by President Obama. And he was the youngest political
scientist to be inducted into the National Academy of Sciences. To his left is Nadiya Kostyuk,
who is a current PhD professor at the Political Science department here and
at the Ford School of Public Policy. And she will be leaving us soon
in an hour to become a PreDoc at the Harvard Kennedy
school at the Belfer center. And Nadiya has been focusing specifically
at the use of offensive cyber operations in Eastern Ukraine. And how offensive cyber operations have
been used as part of the kinetic conflict on the ground as well. She was a program coordinator at
the East West Institute before joining the University of Michigan. And is a fellow with
the East West Institute, which does a lot of work
on this space as well. My job today will be limited
to being the moderator and kicking us off with a couple of questions. We will try to make this more
of a moderated discussion. And not necessarily having
opening statements. And to kick us off I’d like to ask Teddy,
your office has been really the lead in the US government for
developing strategic framework for thinking about cyber security
at the global level. Your office is fairly new in
the context of the department itself. So it’d be great to have you walk us
through why was the office created, what was the rationale behind it? And what is the current
strategy that’s in place for the US government to try
to improve the security environment that we currently experience?>>Thanks Tim, and thanks to everyone. It’s really a pleasure to be
here just as springs seems to be springing out here in Ann Arbor. Get to go a few weeks back
in terms of the allergies. So spring is a little farther on, we have
our own pollen to deal with there so. Anyway it’s a pleasure to
be here with all of you. So as Tim mentioned, I work at
the Office of the Coordinator for Cyber Issues at the Department of State. Our office was established in
2011 as part of an effort to begin to coordinate better our
foreign policy around cyber issues. Cyber policy, there are many different aspects to
kind of our foreign policy on cyber. And many different parts of our
department that work on these issues. To name a few,
we have Internet governance, issues around how
the Internet is actually run. We have issues around Internet freedom and
human rights online. There is cybercrime and how we cooperate with other
governments to fight cybercrime. Which is often transnational and therefore
requires international cooperation. There is what we call cyber security due
diligence, which is essentially how we as governments cooperate with
each other around cyber security, keeping the networks secure. And it, from our perspective, involves
a lot of work around capacity building. Because in a interconnected network,
we’re only as strong as our weakest link. And then, lastly, and this is, I think
the topic we’re gonna focus on a bit more, we look at the issue of
conflict among states and the role of cyberspace and
cyber capabilities as potentially a destabilizer that might contribute
to conflict among states. This is an area we, before it was
international security in cyberspace. So as Tim mentioned, the state department, working with the rest of the US
government, has been working for the last few years, really actually
a decade preceding the founding of our office to develop a framework for
responsible state behavior in cyberspace. And the concern that we have,
I think it’s a concern that many share, is that as more and more governments
are developing capabilities, military and other capabilities
to operate in cyberspace. That this creates the risk for
instability, for misperception when an incident occurs, for
escalation and potentially conflict. There are a lot of somewhat unique traits
about cyberspace that can lead to this, this includes the fact that it’s
difficult often to attribute an attack, the fact that even if you can see an
activity happening, it’s often difficult if you see code on a system to figure
out what the purpose of that code is. The fact that, everyone of us, we all have computers whether sitting on
the desk here, in our pockets hooked up to our electrical grid, the fact that we
all feel very vulnerable as a result of this. All of this we believe adds a new
dimension to international relations and adds, creates new foreign
policy challenges. So what we’ve been trying to do over
the last few years is promoting framework. And there are two key elements
that we’re promoting up until now. The first is around getting consensus among governments about
what’s constitutes responsible behavior. [SOUND]
Why don’t we go. You can hear me, right? Getting consensus around what constitutes
responsible state behavior in cyberspace, and we’ve been negotiating this
in expert level for the UN. And trying to promote
consensus more broadly. The bedrock of our approach in this
area is that the same international law that applies to state conduct
anywhere else applies to state behaviour in cyberspace and
seeking affirmation on that and trying to deepen our discussion
about how it applies. In addition, we have been promoting, and
I’m sure we’ll into this a bit more, some additional what we call voluntary
norms of state behavior that we think that states should abide by,
particularly during peace time. I think the most well-known peace time
norm that we’ve been promoting that’s been around, that states should not
disrupt the delivery of services by critical infrastructure to the public
using cyber-enabled means. So that’s the first big element of
what we’ve been promoting right now. Building a consensus about what
constitutes responsible state behavior. Secretary Tillerson,
during his confirmation hearings, spoke about the importance of norms, the new
Homeland Security Advisor spoken about it, it’s been a longstanding
piece of our approach. The second piece gets a little
bit less play in the press and in the conversations,
because it’s maybe a little less sexy, but it’s very important and
it’s very practical. This is what we call
confidence building measures. These are practical measures that
we encourage states to develop to improve transparency about what
their intentions are in cyberspace, to create means for cooperation. One example of a transparency
measure is getting states to publish cyber strategies or white papers
about there military doctrines about what they’re goals are in cyberspace,
how they intend to operate. Helping since we can’t actually observe
often what governments are doing in cyberspace, helping to sort of
fill that gap with statements. An example of cooperative measure, these
are often communications channels that can be used in an incident, these are not
technical channels, for example, there are certain channels where incident
responders can talk to each other. These are more of a political and
diplomatic nature so that states can talk when an incidence occurs and try to
understand better what’s happening and how they can work to resolve it, so
that’s broadly what we’ve been doing. A little bit our priorities I think going
forward continue to be broadening and deepening what we do. But I think you can also expect, I think
the conversation to move a little bit more towards the question of
deterrents and consequences. We have now that we’re building
a sense of consensus about what is responsible state behavior. Well, then, what happens when certain
states don’t act consistent with that consensus? How should other like-minded
states respond to that? So those are the kinds of questions
I think I can see as going, pursuing of that further in the future.>>All right, thank you. You’ve already noticed that Teddy
is used the term cybersecurity, in most of the description
of what his office does. What’s important to bear in mind is that
within the global discussion that some of the other states that are involved
in this, for example, Russia or China use the term Information Security
in just the position to the term cybersecurity as studies using it. And that’s primarily because
some of these other states have a broader definition
of service security. To not just be more focused on the
technical aspects but to include content. So this comes in especially as we talk
about more of the type of information operations or the type of operations where
you’re not causing necessarily a physical effect but where content is at play. Which leads me to Nadia. Because Nadia,
you’ve done a lot of research focusing specifically on
the conflict in eastern Ukraine. And partly what Teddy just outlined in
terms of the US strategy focusing on these voluntary norms was a response
to the Russian proposal for an information security
treaty in the late 1990s. Where Russia proposed we should
have a treaty on cybersecurity, which was opposed partly
because of that raw definition. In your research, what have you seen, how
offensive cyber operations have actually been used as part of the conflict in
Ukraine and with Russia on the ground, and what have been your findings and
lessons learned from that experience?>>So when the conflict in Ukraine
started, a lot of experts, they were hoping to see similar situation
that took place in Estonia and Georgia. Basically, they were hoping
to see a lot of cyber attacks that would have to disrupt the purposes. And they worked to some extent at
the beginning of the conflict. But then, what we saw is that the client
in frequency of cyber tax for the purpose of disruption and espionage. So our research and field work, and
introduce with the experts in Ukraine, Russia, as well as as in the US, give three potential explanations why
we saw a decline of such attacks. The first one was the lack of targets. Specifically, a lot of critical
infrastructure in Ukraine is very old. It doesn’t have online access,
so experts were saying that the targets is very hard to,
at that targets who cannot be accessed remotely. However, some experts were very skeptical
to this explanation and to say that the weakness of infrastructures security,
it makes the target very easy and this is something that we saw in 2015 and 2016
attacks on the Are power trips in Ukraine. And these attacks make one of these
explanations not as good as possible. The second explanation
was a lack of audience. So in Ukraine, there are only 44%
of people have internet access and most people who use internet,
they use it for social media purposes. There are very few of them who use
like for online banking or anything, what we do in the US. So, a low level attack that would disrupt
the website of the Ministry of Defense or the President of Ukraine would have
less of the effect when on regular masses versus the attack that would
propagate the campaign that would display images of crucified babies or
raped women in the conflict zone. So we can see that changed in Russia’s
strategies towards more propaganda campaign, displaying such images
to get effect in regular masses. And the last reason was lack of incentive. Since Ukraine use a lot of software and
hardware from Russia and it’s been they bought this during the Soviet time,
a lot of experts they mentioned that there wasn’t a need for them to have
it because they already have access to. And this access a lot of the cyber
espionage campaigns that started in Ukraine in 2010,
supports this kind of argument. Additionally, another change had happened, was the change in
the presidential administration. So with the switch of, they had
a presidential administration in 2011. And they just love [INAUDIBLE]
who was the new person. He basically studied promoting
usage of social media and mass media for information campaigns and
social media and mass media as you know is very,
very controlled in Russia. So in the case of Ukraine,
this changed from cyber techs for disruption espionage purpose to propaganda
campaign that had very vivid effect. Because usually, when you think about
cyber attacks that have disruption purpose, usually they will
mobilize the opponent, but when you have propaganda campaign
they will try to bring this seed of disagreement between different groups and
this is what we saw in Ukraine. There were two groups
there were people who supported the side of
the Ukrainian government. There were people who really
supported rebels of pro Russian side. And another thing that I would like
to mention about the advantage so called of the propaganda campaigns is
that when you have a cyber attack, even though we know attribution
is very difficult but still it’s possible to pinpoint to
a specific actor who has done it, right? But when you have a propaganda campaign
on a large scale that involves wide usage of all mass media sources and
social media, it’s very hard to pin down who actually is behind
this and whether it’s actually a campaign. So this is what we saw
in the case of Ukraine.>>Thank you. And as you just heard, the Ukraine
conflict is interesting because we had this outage that occurred in December 2015
which raised some questions around whether this normal, critical infrastructure that
had been agreed to earlier that year was actually effective or not when,
six months later, all of a sudden you have a power outage in Western Ukraine for six
hours that was the result of a malware. And we might get back to that in a second,
but the Ukraine conflict is also interesting because during the
presidential election, the commission was hacked and Ukraine was actually one of
the first instances where we had seen an offensive cyber operation being used
targeting specifically an election. So Alex, you’ve been working on this for many years now, specifically in
the context of electoral systems. What struck you about what
happened here in the US last year, were you at all surprised
that this has happened? And what did you learn from
that experience now as we move forward with the French and
the German elections, and a lot of Europeans who are very anxious
about this potentially happening again. Right.
So, there were a number of interesting things that happened during the 2016
election that we can talk about. Looking back at what happened prior to
the election, the selective leagues and attacked attempts, well,
successful attacks against the DNC, against John Podesta that resulted in
information being leaked to the public and to the media that was damaging
to the democratic side which was a part of a campaign that
the intelligence community has labelled an attempt by high
ranking Russian officials to interfere with the politics
of the presidential election. So starting there,
one interesting thing about all of this is it’s not actually
a disinformation campaign. It’s true information that
is being selectively leaked. And I think that’s a fascinating
phenomenon to think about because in a great sense, it’s a challenge
to this internet program of radical transparency that Wikileaks and
other groups have been promoting that we should have government
related information made available to the public in all circumstances, it might
be Julian Assange’s line about this. But here, if it’s being used by another
government in order to interfere with the politics of one country,
I think that’s a fascinating phenomenon. And it really speaks to the limits of
what that program of radical transparency can do in order to improve the public
discourse rather than distort it. In terms of those specific attacks and
the technology, well, they weren’t very sophisticated attacks. There was a lot of low hanging fruit,
especially in small and widely distributed organizations
like political campaigns. If anyone has ever had their password
phished or something like that, that’s basically what
these attacks amounted to. They are low tech, very common kinds of
attacks but simple attacks worked in these cases, and that’s part of the disturbing
thing about it, this kind of leak, this kind of attack could happen
to just so many organizations. And given that they
appear to be successful, I think we’re going to see a lot more
instances like them in future campaigns. The simplest thing that ironically, very simple things could have
also prevented these attacks. I think if the DNC had just
hosted their email with Google, like the University of Michigan does,
they wouldn’t have had this problem. If they had just turned on
two-factor authentication and hosted their email with
a low-cost cloud provider. So simple defenses can work
against those attacks too, but far too few organizations apply them. Now another question that we
might ask is whether the Russian influence campaign stopped on election
day, and so far, we’ve seen no evidence that they were attacks that targeted
the machinery of the election. Now, whether they stopped or
not, I don’t know. Even though we don’t have any evidence,
it does seem strange than an organized and sophisticated campaign to manipulate
the election result wouldn’t go beyond the politics, and
also target the machinery. And there’s a lot of low hanging
fruit in our voting machinery too, maybe, more than I even realized
before the election day. So our voting system is very distributed
and that’s often seen as an advantage. And maybe that was enough of
an apparent advantage to deter an attack on election day. By that, I mean just that most voting in
our country is organized at state and local levels. That different counties even within
the same state can have different and sometimes disconnected systems. And that the machines we use to
vote are usually not connected directly to the Internet. All of that sounds on paper
like a good model for a system. But in practice,
many of these things break down. So the fact that the system is
widely distributed means that if an election is very close and
turns on just a small number of states, an attacker can pick any one
of a large set of states to flip by electronic means and
thereby change the outcome. So the attacker now gets to select from
many targets which is the most vulnerable. Beyond that, even though the machines themselves are
not directly connected to the Internet, they’re programmed from central computer
systems either at the county level or, in many states, including Michigan,
commonly from a third-party vendor. And those systems are sometimes
connected to the Internet. So in Michigan, typically, the county or
the Secretary of State’s office will email information about the ballot
design to a small business, a 10, 20 person company,
sometimes out of state. Which will program that
data on to memory cards that are shipped to the polling places and
placed into the voting machines. If an attacker can compromise
one of these small vendors, they can manipulate the data on the memory
cards in ways that cause the machines to misbehave on election day. And by attacking just two small companies, that probably were not even on the radar
of authorities prior to the election, an attacker could have changed
votes in 75% of Michigan counties. So the only way we could have reliably and
conclusively detected an attack like that would be by reviewing
the physical evidence of the election. That is, the paper ballots were available, we’re doing forensics on
specific voting machines. To my knowledge, no close state
that might have been targeted by an attacker did sufficient forensics
to conclusively detect an attack. Very little of the paper was
analyzed except as a part of the recounts that were initiated. And even those recounts stopped
short of manually reviewing enough paper to conclude with certainty
that the votes in Michigan or Wisconsin were not manipulated. I don’t think those votes were
manipulated, and I didn’t on election day either, because we’ve
never seen that happen in this country and it would be really a new phenomenon
to observe such an attack here. But there’s a chance that some
manipulations or attempts took place. Let me give one hypothetical scenario. And I have no concrete evidence
to believe this is true. But suppose that an attack
attempt was organized to discredit the election in
the case that Hillary Clinton won. And that would involve not necessarily
as much work or as much compromise as one that would change the outcome, but
just to cast doubt on the conclusion. If such an attack were organized, then
perhaps that just would have been done but not announced when the real
election result showed a victory more favorable to the Russian
influence campaign. So we may never know whether there
was hacking of specific machines or systems in 2016, but what I worry about
most is what will happen in 2018 and 2020. Because the possibility for an outcome
changing attack is certainly there.>>Well, things got scary real fast. I think it’s been less than
half an hour into the event. [LAUGH] Thanks, Alex, for that. Bob, I remember we had lunch a couple of
months ago and we talked about the DNC hack and what was unfolding and
you brought up the analogy to Watergate. I know you’ve thought a lot
about analogies to this space. In fact, you’ve written an entire
article about analogies for this. What do you think was similar and what was different comparing
the DNC hack and Watergate? And more broadly than that, why do you
think is hacking really something that ought to be of concern to us from
an international security perspective?>>Right, well,
the DNC attack in 2016 was by cyber means, and the DNC attack in 1972
became known as the Watergate scandal because it was
a physical attack by burglars getting into
the Democratic National Committee’s offices on behalf of
the Richard Nixon campaign. The exact purpose is still not clear, but
apparently it was to prevent a scandal. That is to say, Nixon was worried
that there were documents the DNC had that might damage his campaign. What happened in that case was they were
caught by a guard who was walking down the corridors, and that lead to the arrest
of the people that were doing the attack. And that lead to their trial where
the judge said that if they didn’t tell who ordered them to do it,
they would get a really stiff sentence, like 20 years, instead of perhaps 1
year for a first offender for burglary. And so that worked,
that the burglars themselves gave evidence that it was from the White House,
and that led to them going to jail and eventually to Richard Nixon
resigning the presidency. So we have here a system were the domestic
law enforcement involving guards, police, judges, plea bargains,
investigations, and then eventually the resignation
of the president. A system that worked and, after the fact, including good attribution. Now the DNC hack, of course,
was not physical, it was by cyber means. And the CIA attributed to Putin himself,
saying this must have been from Russia and it could not have been done without
approval at the highest level. The purpose appears to be to discredit
the candidate, Hillary Clinton, by revealing emails from the DNC that
would prove embarrassing to her. In particular, what was
embarrassing was that the DNC was, Supposed to be neutral between
the candidates for president, and the other one being Bernie Sanders,
the other leading one. And it was clear from
the emails that they weren’t, that they were working on behalf of
Hillary, and they weren’t being neutral at all on that Democratic campaign and
that was an embarrassment. Now whether that affected the votes is not clear. It was one of about a thousand
things that were going back and forth of why you should vote one way or
the other. My guess is it certainly wouldn’t have
been a scale that would have affected the outcome, but it could have. But it was an embarrassment, especially since it was
revealed very late in the game. Now that led to three different things One
was that a minor effect on the vote and the effect on embarrassment
of the candidate. And the second was that
the Obama administration then, after attributing it
to Russian leadership, expelled 35 Russian diplomats
who they identified as spies. And that’s a substantial number. Normally, in the response to
declaring people persona non grata, is the other country declares and equal
number and throws them out of the country. Actually Putin did not do that,
which is striking, and probably because at
the time he was hopeful for good relations with President Trump and
didn’t want to retaliate. So we had this sanctioning of Russia, but in a way that doesn’t
seem to be large enough to deter the kinds of things that Alex
was worried about in the future. The third effect is,
it led to a series of investigations into the relationships between
the Trump campaign and Russia, which are still on-going
in the Senate and the House, both. And we’ll see whether those are,
And the FBI. To see whether those are serious
investigations and whether, if they are serous, what they find. So that’s the effect of the DSC
hack are still playing out. So one of the implications is the, of the comparison of these two
attacks on the very same target. And both for
information purposes is that domestic law enforcement is much more powerful than international enforcement of norms or
deterrents. So, in an international real sense,
we don’t have a central court. Or essential authorities to
deal with this, we do it by, not only trying to promote norms,
but trying to deter bad behavior and the main way of doing that is by punishing
bad behavior so they won’t do it again. And, interesting enough,
the Obama Administration, Retaliated in a completely different
domain of diplomatic expulsions. It’s conceivable they’ve done other
things that they have not announced, but and I think it’s likely that if this
sort of thing happens on a larger scale the American administration will
find other perhaps more drastic measures. But then of course,
there’s always the fear that if you do something substantial they’ll retaliate,
especially if they feel as unjustified. Another issue is about attribution in
political leadership, it’s there’s sort of two levels of attribution that
are often not distinguished. One is, where did the attack come from,
and the second is, who is responsible. So to say that the attack came
from Russia is not the same as saying that the Russian
government is responsible. And even saying somebody in the Russian
government was responsible is not the same as saying the Russian
leadership is responsible. However, I think it’s safe to say,
as the CIA implied, that if it’s an attack that has major political
significance it would not have been done by a small part of the bureaucracy having
a bright idea and acting out on its own. Of course, in United States, Russia, and China, there’s really quite
good supervision of parts of the organization not as acting
without high level of approval. And in Russian case, that would be probably Putin personally if
they’re messing with the United States. So there we’d do the attribution,
not by direct technical means, but rather by political understanding of
the way the system works in that country. Now, another contrast is what
the public sees as going on. In the burglary at the DNC,
it took months to unravel, but eventually, even Nixon supporters accepted
the idea that he ordered it. But with the DNC hack, it’s widely
believed that it came from Russia, but it’s not universally accepted that it
must have come from the highest levels of Russian government, and that’s one
of the issues being investigated. And so the attribution in cyberspace,
even when it’s technically quite good, still leaves open, in many cases,
the question of responsibility, which is important to know who
to try to deter in the future. And so these two attacks on exactly
the same institution, both for getting information out of it
led to quite different results. In the domestic case,
it led to the president’s resignation and in the international case,
it led to some minor retaliation and investigation that may lead somewhere. But basically,
it looks like the effort might, as Alex was saying, might happen again.>>Teddy when you started
out the event earlier today. You pointed out that in 2015, there was
this international agreement including with Russia where the states committed
not to target critical infrastructure and causing an effect that would disrupt
the services being provided to the public. We’ve now heard two
instances where Bob and Alex were talking about the DNC hack and
the elections, and then Nadia was talking about Ukraine
and we had the power outage in Ukraine. How did that shape the strategy and
your views and your office’s views on
the norms discussion? And how did you make any adjustments? What was the explanation for
why these incidents occurred? And to Bob’s point in
the absence of 100% attribution. What can be expected from the Russian
government in instances where it’s unclear what the involvement was to
clarify what should happen after?>>Yeah, so there’s a lot there and
this has been a pretty rich and detailed conversation. Just to address the norms question first, I think a critique we hear
sometimes from people about what we’ve done in terms of norms is
that the bad guys don’t follow the norms. I think the first thing I would say is,
just because somebody doesn’t follow a norm,
it doesn’t mean a norm doesn’t exist. And there are,
the world is replete with examples of countries signing on to norms
that they don’t follow. The fact that they don’t follow it doesn’t
mean that’s not a norm, where in fact that they don’t follow means that they
are acting a counter normative way. We promoted the norms,
not because we’ve thought that it would cause irresponsible states
to suddenly act responsibly. We promoted the norms because and we promote responsible state behavior
generally and international law. Because we think it helps governments
trying to think about these matters that would like to act responsibly to figure
out what are the rules of the road for lack of a sort of crude way to say it. But essentially that, and
second of all, because we think that it can provide a rallying point for countries
that want to see more stability in cyber space to work together to counter
irresponsible behavior by states. So as a general matter,
that’s how we think about it. And I think that’s the direction
that we’re going generally when I said earlier about looking at
consequences is how do we as states that wanna see stability in cyberspace
work together to promote it and to respond when we see
destabilizing activities? I’m not gonna,
the Ukrainian power incident. I’m not going to go too far into that. We had a team in 2015 go there and
take a look at it and we concluded that what happened there after
the outage was caused by a cyber attack. For one thing we thought it was very
important to share information that we learned about it with our own industry. So they could better
secure their own systems. Whether something violates
the norms you need attribution, you need to know it’s a state. It’s a question of whether it
taking place during peace time or not which is obviously in Ukraine
considering what is happening there, their questions around that, whether or
not it takes place during peacetime. We’re obviously very concerned and there
still are issues under international law about targeting a civilian infrastructure,
if there’s not a military purpose. So I think there are a lot
of concerns there. Regarding influence operations and
some of the other, and the DNC. Influence operations and
propaganda have been around forever. They certainly pre-date the internet. I think what we see with the internet and
cyber capabilities is it, greatly increases the ways that you can
share that information and spread it. And certainly in the case of the DNC hack, this was a new way of actually
obtaining the information, you didn’t have to break into the DNC
offices, you could do it remotely. So I think you see conduct that’s
taken place throughout history really. Being carried out through this forum,
one thing that I will say for sure is that we don’t see, we stand
by freedom of expression online and I think the direction we don’t
believe one should take that is towards more censorship on the Internet
to address some of what you were saying. The attribution, the response, I think
these are all interesting and complicated issues, as you said our position all along
has been that you don’t have to respond, we will respond to cyber incidents
using all means of national power. And with respect to the DNC. So the expulsion of diplomats
that occurred on the same day, that was more I think a response to some of the other concerns that we’re
having about treatment of diplomats. The other actions we took we imposed
economic sanctions, we designated two Russian intelligence agencies as well as
several companies and several officials. And at the same time we also designated
two Russian cyber criminals for economic sanctions. And we also,
as a network defense measure released, a large amount of information
basically about activity we’d, malicious activity we’ve seen and
hope that network defenders could use that to better defend themselves
against the Russian threat. So there’s, you know there’s a range in types of
activities of responses that can be taken. And I think the question,
a big challenge in this domain, is that many of these activities occur
below the threshold of a use of force. Above a threshold of a use of
force when it’s an act of war, I think it’s a lot clearer
the types of response options. Below the threshold there’s a range
of different things you can do. And those were the steps
that were taken then.>>Nadia, I want to follow up with
you because Teddy just mentioned they had sent a team to Ukraine
to investigate what had happened. And you earlier mentioned that this wasn’t
really the focus of a lot of people when you talked to them in Ukraine
prior to this happening. What were what were your thoughts when
this occurred, why did it happen and how did it fit into the narrative,
what was your explanation for it occurring in first place?>>So the first attack in the power
grid happened in December 2015 and it was considered to meet the financial
of the actual cyber warfare. That’s why it was very
important event because it was the first event of its kind. Even though the event happened
at the end of December, when the evidence was analyzed, it was clear that a lot of
preparation took place. So the attack started in spring. So basically,
there was a spearphishing campaign, an email was sent to the workers and
they opened it. And this is how the perpetrators were
able to get into control network system. But the power plant in Ukraine
is completely separated from the Internet by firewalls. So they were not able to
get inside of the system. So what happened is that they spent
some time collecting intelligence and they were thinking how they could go
around the firewall and how they can get, how they could control
the actual power plant. And they were able to do it, again they were able to get
the credentials by some workers. And because the defensive systems in
Ukraine don’t have the two factor authentication’s, something
that Alex mentioned. They were able to get inside,
and they were able to control it. So when the attack was happening
on December 23rd 2015. Another interesting fact was that
the perpetrators they executed the telephone denial service attacks for
the call centers. So at the time when people
didn’t have outage, the call centers there were receiving
a lot of traffic coming from Moscow. So the workers at those power plants,
electricity plants, they were not aware that people didn’t
have electricity for this time. So it was very, as you can see,
it was a very smart attack, I would say. There were a lot of different pieces. And when they look at the evidence, in general, computer scientists they
say there were a few potential actors. There were not just like state or
non state actors. They were saying there was a potential
of combination of work between cyber criminals as well as nation state actors. So of course the Ukrainian intelligence
services, they pinpoint the I think at Russia they said we have conflict with
Russia and that Russia has done it. But they didn’t really provide
any evidence that Russia was responsible for it. Another theory that was out there is that,
this was a response for the Ukrainians physically
attacking the power plants that were giving power to the Crimea and
the Russia naval base. And it happened a few months before that. But when we actually look at
the evidence the preparation for this attacks started spring so
at that’s not a potential theory. And another another explanation
is that a few months before before the Ukrainian Parliament
was discussing a bill to you, nationalize a lot of
privately owned companies. And some of these privately owned
companies, they were owned by the important, influential people that
have ties to Putin, right, Russian elite. So some people say that an attack on
this grid was not unlike a signal, you should pursue this bill. But again, there’s no clear evidence
of who has done it, and who hasn’t. But again, one of the potential ways to attribute it is to look at the
political context and evidence that we. We have something else that
Bob had suggested earlier.>>I wanna stay with this example for another minute just because
going back to Teddy’s point, I think it’s really important for how
these incidents that do not conform with what we consider to be normal behavior or
what the norm tries to accomplish. And what the reaction to that is, right,
because state practice ultimately decides, determines what international
norms look like. Bob, you’ve written two papers,
one on the timing of cyber conflict. And one that actually just came out
called The Blame Game about how do states decide to, one,
engage in cyber conflict. And how do they decide when to engage in
attribution based on a game theory model. So for all the quantitative nerds in
the room, I encourage you to check it out. But what was your
analysis of the incident? And what was your analysis, assessment
of the US government’s reaction to it?>>Well, first, a distinction
is made between peace time and war time in international law. And you’ve heard, it’s referenced here,
how the United States government views activities in
those two states quite differently. And traditionally it has implications, like you can kill an enemy
soldier in wartime. But if you do it in peacetime,
it’s murder, and you can’t do it. Now, unfortunately,
there has been a substantial breakdown in distinction in war and peace in the last
10 or 15 years for three reasons. One is the ubiquity of low level, local conflicts of which
the Ukraine issue is certainly one. It’s certainly conflict,
but is it war or peace? It’s not exactly clear. The second is terrorism. A terrorist attack means that the origin,
the source, of the terrorist attack,
that you’re in a state of war with them? Not necessarily. And so that’s been very indefinite. And we don’t know whether to apply, under
what conditions that you could use things that you could only use in
wartime against terrorists. And the third is cyber,
where cyber, of course, has a whole range of, a scale of,
effects from very small things to possibly much larger
things than we’ve ever seen before. And that really blurs the distinction
between war and peace. With kinetic attacks, kinetic means boom, explosives, if you bomb somebody’s bridge,
that’s an act of war. But with cyber,
it’s not clear exactly how big it is. I mean the DNC attack,
presumably, is not an act of war. Was the Stuxnet attack? I think Iran could have definitely
said that it was, if they wished to. They didn’t because they didn’t have
an appropriate way of responding, so they didn’t. Now, in the case of the power grid attack, it is the first established attack
against civilian infrastructure. It was in the context of fighting. And the scale of it was 230,000 people
lost electricity for one to six hours. Now, what’s the scale of that? Well, the Ukrainian electricity commission
said that the outage was equivalent to not 1% of the Ukrainian electric consumption,
not even a tenth of a percent, but 100th of a percent of Ukrainian
daily electricity production was outed. So in that sense it’s a pin prick, although it certainly got a huge
amount of international attention. Well, the attribution,
as Nadia was saying, is difficult in terms
of how high a political responsibility for
Russia is involved in this. It appears that the level of
sophistication meant that it would probably have involved some
professional hackers, and probably, I would I guess,
beyond the criminal units, and therefore probably have
some Russian involvement. But it’s not clear because
it could have been Russian, but not necessarily government
because the motivation is not clear. In particular, when you see that
there’s this relatively small effect, one wonders what the point of it was. It appears to be larger
than just hactivism. That is to say, some Russian patriots
took it out upon themselves to mess up something in Ukraine. It looks like it’s more than that. It did involve what most people
would call a zero-day exploit, but in this case it was a 400-day exploit. And what I mean by that, a zero-day exploit is something
that’s never been seen before. First time it’s used, therefore,
it’s a sign of skill and vulnerability that hasn’t
been detected before. Well, the vulnerability that
this was based on was in Windows systems that had been seen 15 months
earlier, and been used several times. So what does that indicate? It indicates that computer
hygiene is not very good. And this is very common. And people already remarked on this
that much of the vulnerability of computer systems is because people are, and institutions really are,
unbelievably careless. In retrospect, when you do an audit, and
you look and see how did they do that, you see, as Alex was saying, as an example,
the DNC, was just total incompetence. And that’s true in a lot of other attacks. So, it wasn’t an instance where the perpetrators,
presumably Russians, were exploiting, were letting loose, something that hadn’t
been seen before, and suggesting that they’re willing to pay the price of losing
that ability to exploit in the future. In fact, it was something that had
been used over and over again, but still hadn’t been patched. The purpose, it seems to me,
most likely was some version of warning. Some version of saying, we can do more
then we’re doing unless you don’t stop some things that you’re doing,
either in the past or in the future. And in that sense,
it’s a wake up call about how civilian infrastructure could be attacked. And it’s not clear whether it could have
been attacked in much larger scale and, therefore, what the intention was. There were several other electric
companies in Ukraine that were attacked, but it didn’t seem to do any damage. It didn’t get all the way to customers. So my guess is that it’s a matter of, Russians issuing a warning that
they could do more of this. But even that’s not certain. So this is a place where the boundaries
between war and peace are vague. The attack on civilian
infrastructure was of international significance, and yet it was small-scale. And what we can learn from this is that,
Several lessons. One is that, Systems that you would
think should be well protected aren’t. And the reason they’re not is carelessness
or for inadequate attention to security. And that is so ubiquitous, and not just
in Ukraine, and not just in the DNC, but everywhere else except
perhaps the financial system. Which has always been very alert to
people trying to steal money from banks. And so that system we hope is a little
better and maybe the stock exchange but a lot of other things are not. The second thing we can
learn is that there’s a serious possibility that various norms
will be impinged upon in ambiguous ways. And ambiguous in sense
of attribution ambiguous in sense of the scale of importance. And therefore we’re always gonna have
to police these boundaries both for things like the Russian attack
on American election process and attack on the Ukraine power grid. That these kinds of things are likely
to continue, we have not yet developed a doctrine on how to deal with it. So to prepare the new technology of
nuclear weapons and after 45, it took 15 years to develop appropriate understanding
of what difference nuclear weapons made. Wasn’t until about 1960 that we
realized the that the standard military wisdom that we want
to maintain flexibility. Because you never know what’s gonna
to happen after an attack starts. You don’t know how it’s gonna play out. And so you need flexibility. Well, with nuclear weapons took 15
years to figure out the exact opposite. You want commitment,
you wanna tie you hands. For example the Americans wanted to keep
troops in Berlin during the cold war and not have the ability to
evacuate them in a hurry. So if the Russians ever tried to conquer
Berlin they’d kill 3000 Americans and that would be enough for us to declare
war and have a serious conflict. Whereas if we could evacuate maybe
they could get Berlin without, so the military doctrine turned
upside down with nuclear weapons. And so we’re about halfway through
that 15 year period with cyber and we’re still trying to figure out
the implications of this new technology.>>That’s a great segue to it. Before we open it up to Q & A my
last question for you, Alex. What implication of this, what Bob just outlined would be to say
right now everything is really vulnerable. Maybe we shouldn’t leave everything really
vulnerable because it’ll create this mutually vulnerability regime and
that will deter everybody. But unlike nukes, it’s not only the most sophisticated
states that can actually build nukes. Its like also a sophisticated
hacker who can do a lot of damage. We spent the last half hour
talking about diplomacy. You’re on North Campus at
the Computer Science Department which to me feels kind of like Silicone Valley. Whenever I go to North Campus
to see you I have to switch and talk about information or
computer security and not cyber security. What is your sense of how
much difference do you think the diplomatic efforts are going to make
when it comes to actually improving this security environment and
the online security environment? And what do you think will
be the main drivers for improving the situation
if the coming years?>>Wow, well, that’s an enormous question-
>>[LAUGH]>>With a lot to unpack. But since I’m standing in the way of
our Q&A, and I’m sure the audience has a lot of good questions, let me
just take a few small aspects of that. So I think going back
to what Bob was saying. Yes, there is a tremendous
amount of carelessness and low hanging fruit in security. But at the same time I think that the
militarization if you will of cyber space. The trend towards using
attacks on security for military or statecraft purposes. By nation states is still
an enormous threat, and an enormous cost, and I want to
focus a little bit on those costs. Because yes,
there were other implications too. But the costs of having to defend
against state level threats or something that’s borne
by society at large. So typically security in my view
is an equilibrium between, or something like an equilibrium between
the cost of defending yourself and the risk that you’re going to be attacked,
right? And we’re going to only pay for
as much defense as we need. So some of that sloppiness
that we see is because adopting secure techniques is harder. And it raises the cost of your products or lower the competitiveness of your company
somewhat and so everyone else is doing it. And so people will pay for
the amount of defense they need. But the militarization, if you will,
these new forms of attacks have raised the amount of defense that we all
are going to need to pay for eventually. Even just the threat of attacks
like the DNC, raises that bar. And not only does it raise the cost for
everyone it potentially is going to lead to arms race situations
between nation states. But in terms of the development
of offensive capabilities and the beefing up of domestic
security in response to those. And I think this is likely to
be a form of over-investment in security as opposed to what would be
needed without the nation state threats. Another factor that raises cost is
this dual role that states play in developing cyber arms and
offensive capabilities. And also trying to defend domestic systems
creates conflicting roles for government. And conflict in fact between the interests
of government sometimes at least with the offensive hat on. And the role of private industry in
trying to secure software products, hardware products and systems. If government is reserving certain attacks
for its offensive use, well, those aren’t attacks that government is helping
industry defend against necessarily. So, yes, there were things we
absolutely need to defend. Critical infrastructure, and I would include in that the election
system, to bring us full circle. Where relatively low cost defenses like
a having paper ballots available and then having routine audits of them can
provide a fairly strong level of defense. But raising the bar for
all applications for everyone’s email, for everyone’s personal security and private
information that might be leaked in order to manipulate the politics or
the marketplace. That is going to be
enormously expensive and, in some forms,
wasteful if that’s not yet what we need. So in security, we have so much to
worry about already without also having to worry about in addition, potentially
very sophisticated nation state attacks. And I think diplomacy needs
to be part of the solution. What I think is necessary
includes stronger red lines about what attacks will justify
a strong government response. Maybe some more efforts towards cyber or
arms reduction if you will to try to break the cycle of arms races and
investment in offense. I don’t know how much has been
conceptualized in the world of policy and diplomacy about cyber peace and [LAUGH]. But maybe naively I hope some day we can
get to a world in which that is our goal. But I think we’re a long way away and
I look forward to increased interaction between people who
are working on the diplomatic front. And people who are working on
the technical front in terms of understanding attacks and defenses. Great.
With that, I’d like to open it up to any
questions you might have. We have another I think
five to ten minutes. I think five is what we have. So, yeah, in the back. And if you could please make sure to
introduce yourself with your name, and make sure it’s a question and
not a comment, thank you. I was wondering if you
heard of [INAUDIBLE].>>Wifi pineapple, Drew what’s that?>>[INAUDIBLE]
>>[INAUDIBLE] It takes advantage of [INAUDIBLE] devices and [INAUDIBLE].>>Okay.>>[INAUDIBLE]
>>[INAUDIBLE]>>Let’s talk after the panel.>>Of course.>>Any other questions? Drew.>>I just got a question about
rule of [INAUDIBLE] with regard to>>All those process for our attributionwith
the exception of some very small or excuse me, not very small. With the exception of
the more esoteric attacks. Things like the Podesta issue,
things like even the [INAUDIBLE]. Non-state actors [INAUDIBLE]
some [INAUDIBLE] things.>>That’s a great question.>>So
I think from a diplomatic perspective. So primarily our conversation
around responsible state behavior, around norms of in cyber space and responsible state behavior
generally has focused on states. I think part of the view here is that
this is what diplomacy is about. This is engaging among
states about what we can do. That isn’t to say that
>>Within the context of that discussion, there isn’t some discussion
of non state actors. In particular, we focused on the issue
of proxies, that, in many cases, there is the concern that non state actors
will be acting as non state actors but in fact be acting on behalf of the state. And so we try to make very clear in
that discussion That non-state actor. That states are responsible for activities carried out by
non-state actors on their behalf. There’s also been some discussion
about responsibility of states to respond to request for assistance when there’s malicious
activity Emanating from their borders. So those are the types of places where
we’ve talked about that, and that would apply to state or non-state activity
obviously occurring within their borders. More broadly of course cyber crime
is one of the big areas where we work on the issue of
non-state actors since a lot of activities by non-state actors It’s
criminal in some way and another and so you know the there the focus is has
been on trying to harmonize laws. So that what’s a crime in United States
is a crime in some other country where a hacker might be located and
creating procedures for us to be able to cooperate in doing
investigations and sharing evidence. So I’d say the issue of non state actors,
I think we end up getting at it from a few different perspectives and
those are a few of them.>>Let me expand on the principle that
you mentioned that is widely accepted, that states are responsible [COUGH]
for at least trying to stop activities. that are belligerent that
come from there territory. That’s widely accepted and so
the example is that the Russians have said to the FBI here are some people that we
want you to investigate and deal with so that they’re not bothering us
anymore coming from your territory. We’ve given the Russians a list
of some things coming from Russia that we want them to do now,
that’s a good idea. But here’s where reciprocity breaks down. Because I’ve heard from a responsible
source that the FBI, dealing with all the complaints they have from banks,
private industry, and individuals about things the FBI should investigate
that they tend to prioritize by the scale. So if you’ve lost $1,000,
the FBI is gonna give low priority. If you’ve lost $100 million,
they’ll give it a high priority. And the scale of the things that
the Russians complain about are not the largest scale. And they don’t ever get to the top
of the list of the very few things they are able to
investigate in detail. So we’re not doing our part,
according to the source to maintain the credible investigations of
the things other countries, at least the Russians complain about and
so it’s no surprise that they don’t prioritize
the things we complain about. And that’s something I
think It could be approved, changing the sense of priority for
our own investigations.>>I think we have time for
one last question.>>Hi, I’m Chris Sorenson. I my thoughts. I am from industry I am a senior
cybersecurity researcher at GE Digital. I’ve been in IT for 30 years,
about 10 of them in security, in a bunch of technical roles. I’ve done a bunch of compliance risk
roles, threat intelligence roles. I wrote a briefing two years
ago on the pineapple so if you wanna talk about
that let me know… and I also spent time on north
campus recruiting people. I need the higher brackets
of cyber security people. So does everybody, right? To comment all of you,
the state of education and training in cyber. And not just the technical stuff,
which I love, but managerial, policy. All those areas.>>Thank you.>>And if you wanna sneak in your
final remarks into your response. That way we’ll wrap up the panel.>>Maybe I can go first and
just speak on the technical side. And I think certainly we need more cyber
security education in computer science. Everyone who is going onto write
software should know at least something about the security implications
of the decision that they make. That just is common sense I think and
our students are picking up on that. So over the eight years that I have
been have been teaching here at the undergraduate security course that
we teach has gone from 50 students a year electing to take it to about 750
students a year electing to take it. That’s a good introduction
to the security mindset and to the first thing someone needs to know. The problem is that having
taken an introductory course is obviously not enough
to make someone an expert and we need better resources available
to take people to the next step. I don’t think we have the capacity
right now to train the number of true experts that we need. But we do have the capacity
to give people the basics And a little sense of the mindset. And we’re doing a fairly good
job of that now at Michigan, I think, thanks to the student interest. But in terms of,
you mentioned, managerial and other aspects of other people who need to
have some awareness of cyber concepts. And I think there is more room for
that, too. Maybe I’ll let others speak to what
we maybe doing here at Michigan. Although, just to take this back to my
last point that the necessity of everyone being cyber aware is an unfortunate
part of the cost of large scale attacks. And I wish that were less
necessary than it is. I think, in a sense,
we’re still in the backyard bomb shelter phase of,
>>[LAUGH]>>Of cyber. Everyone needs to go out and dig a bomb shelter personally
because of the risk of attack. Well, it shouldn’t be that way. We need more of a collective form of
defense that will shift some of those costs away from everyone having
to make that investment.>>At the international policy level,
there’s the very unfortunate divide between
people who are technically skilled and people who are politically sophisticated. The people who are technically
skilled usually come from an engineering background. And their understanding of diplomatic
history, of deterrence and of how policy is made at the national, international level is
usually pretty thin. On the other side, the people who are
sophisticated at the political diplomatic and policy areas are often intimidated
getting into computer security issues. Because they’re afraid that the level
of technical competence needed before they start, before they stop looking
really naive, is just too great. And so, that’s different again for
the nuclear, because what a political scientist
needed to know to think about deterrents is that one missile can destroy one city. That was all you really needed to know. And you didn’t have to know how to
make an A-bomb or an H-bomb, or how a rocket really worked or
how the guidance system worked. But with cyber, it’s different. I think you do need to know something
about the details of how you do it, of what makes an attribution
possible or impossible. Is largely,
is initially a technical question and later becomes a political
question about responsibility. So I think that’s a tremendous gap, a tremendous specialization barrier that really hasn’t been crossed very well
with very few exceptions on either side. I’ve done my tiny bit by teaching
a course on cyber conflict, where I have about two-thirds Master’s
students in public policy and about one-third computer scientists. And I have them do projects together so
they learn to talk to each other. But it’s a very small scale thing and
I hope that there could be more
of that around the country.>>And if I can add, so I’m in the joint
program in political science and public policy and, but I always introduce myself
as a person who does cybersecurity policy. Because when I say I do
political science people tend to think that I’m doing traditional
conflict or political economy stuff. But going to different conferences and
different events, I’ve noticed that there a lot of people who are similar to me who
are in political science programs for public policy schools. But they are trying to you
know get some knowledge, do some research about this new,
very fascinating, and emerging field. And our approach usually is to go
everywhere on campus you can and in Michigan I attend Alex’s
security reading group. I try to attend events at
the School of Information, the communication departments. I will try to find any person who
can help me and learn from them and this is what I think a lot
of people are doing. But also there are programs, I would say,
around the world who specialize at this, and one of the really good programs is at
Oxford which is called Internet Studies. And what they actually do,
their requirement is, when you apply, is either you have to have
a Bachelors in Computer Science and how let’s say some minor in
Political Science or vice versa. So you have to have some kind of
substantial knowledge in one of the field and small knowledge in the other. And it’s just, I think,
these are the decent steps but there’s a lot of promise and
there a lot of people who are really eager to learn and wanna learn and
they tried to find the resources. And I think that I’ve seen this
development during the last three years so when I started my program there were
very few people who were doing it. Now it’s like more and
more of us who wanna get involved. So, I think because
the field is developing so much quicker, there will be a lot of
changes in terms of the programs and master’s programs and doctoral programs. And maybe we’re gonna have a PhD
in cybersecurity policy one day.>>When I joined my office three and
a half years ago, everybody in, I think there wasn’t a person in my office
at the State Department who said that, you could say that, they planned
to end up in cyber as a career. We all want a speciality. I started out as a lawyer,
doing what lawyers do, and I ended up in a practice that was
basically applying the legal skills. Often it was applying, figuring out
how old laws like wiretap laws from the 1980s applied to
21st century technology. I was lucky to have in private practice
a mentor who had pioneered in the area. And at the State Department,
I’m lucky to work for two, our coordinator Chris Painter who was prosecuting
cyber crime in the 1980s and 90s. And our deputy coordinator, Michele
Markoff, who has a nuclear deterrence and strategic studies background, who got
interested in computers in the 1990s. And kind of dreamt up this whole concept
of responsible state behavior and our entire framework. So when I started out, it was very much
learning from the people who were there. We were all policy maker types and
picking up the technology as we go. The nice thing is that in the last year or
two, we’ve been able to start hiring people into our office who actually
studied this in graduate school. And I’ve also seen that these programs
are beginning to pop up thanks to people like you. This is a 21st century issue. I just suspect this is gonna be,
I can imagine at law schools that this is just gonna be a part
of what you learn when you’re a lawyer. Just like, as a lawyer,
you’re gonna have be better at securing your documents if you wanna
maintain attorney-client privilege. And as you say it’s gonna be,
unfortunately it’s gonna become a necessary life skill
in a range of professions. Learning about it as a policy matter,
I think, hopefully you will all help
save the day in that regard.>>And if you are not a student and have
a chance to either participate in Bob’s or Alex’s class, I encourage you to attend future
events of the Dissonance Event Series. Because I think that’s part of
the aim of what Sol and Joel and Alex are trying to do
with this event series. And with that please join me in thanking
the terrific panels and thank you all for coming today. Thank you.>>[APPLAUSE]

Leave a Reply

Your email address will not be published. Required fields are marked *