WS242 LESSONS FROM CYBER CONFLICT HISTORY

FINISHED COPY

 

EIGHTH INTERNET GOVERNANCE FORUM

BALI

BUILDING BRIDGES-ENHANCING MULTI-STAKEHOLDER COOPERATION

FOR GROWTH AND SUSTAINABLE DEVELOPMENT

OCTOBER 22, 2013

SESSION NUMBER WS242

LESSONS FROM CYBER CONFLICT HISTORY

 

                             ***

This is being provided in a rough draft format. Communication Access Realtime Translation (CART) or captioning are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.

 

                             ***

 

>> JASON HEALEY: Good morning, everyone. We'll get started in about two minutes. Thank you.

(Standing by.)

>> JASON HEALEY: Good morning, everyone. Thank you for joining us for this morning's session. We are going to be talking about the Lessons from Cyber Conflict History. I'm the moderator for today. My name is Jason Healey, Director of the Cyber State Craft Initiative at the Atlantic Council, a Washington think tank.

We have four panelists here. We will introduce ourselves. And then we will talk briefly about some of what we've seen, some of the major wake up calls from cyber conflicts that we have been going through for over the past 25 years. These are largely from an American perspective. My apologies, but to help make up for that we have, I'm going to do two things. One is we did make sure that we have an international panel. We have different countries represented. As well I am going to try to give as much time as possible of our hour and a half to questions so we can explore other parts of cyber conflict history and how we got here. Let's start with, I'm going to start on the far end for introductions.

>> TIM MAURER: Thank you, Jay. Thanks for inviting me to be on the, I'm Tim Maurer, a policy analyst at the Open Technology Institute, part of the America Foundation, a nonprofit public interest think tank in Washington, D.C. We have worked on a variety of issues ranges from domestic to international policy, including broadband, net neutrality but also the human rights and governance processes and one of the policy areas I work on is cyber security.

And I wrote the case study on Solar Sunrise. That's what I look forward to talking about today. And I grew up in Germany.

And I'm a German citizen. So ...

>> YURIE ITO: Good morning. My name is Yurie Ito. Director of global security at JP-CERT. I'm from Japan. And I'm also on AP-CERT, the global network. I would like to share with you how we are responding to, from the security response perspective, operations perspective, how we are collaborating to respond to the cyber conflict.

>> BILL WOODCOCK: Bill Woodcock with Packet Clearing House. We are an industry-funded nonprofit that has been supporting critical Internet infrastructure for the last 20 years and I am going to be covering the Estonia and Georgia end of all this. We operate a sort of cert of last resort that deals with constituents who don't have a cert of their own and can't figure out who to call.

>> JASON HEALEY: That's a great way of talking about it. Again I'm Jason Healey. So my background came out of the United States military, start out as signals intelligence. We can finish up talking a little bit about U.S. espionage because that will be on people's minds. Spent a lot of time in the finance sector as well as the White House, quite a bit of time out in Asia living in Hong Kong for several years.

As I mentioned we are going to start going through first on some of these main cyber conflicts. This is based, Tim said he wrote the case study. We just came out with the first military history of cyber space, the book called "The Fierce Domain," which came out this summer.

And we had Tim wrote one chapter. Yurie on the case number three there called -- she cowrote on the Japanese perspective and Bill was helpful on the Georgia and Estonia cases. We will touch on those very briefly. We don't want to dwell on the history. We want to look at how those lessons help apply for today and again I would like to make sure we have lots of times for questions.

One of the things that we found when we were going through these cases was that many of the things that were toll about -- we're told about quote-unquote cyber war are it's lightning fast. It's speed of light. It's difficult to warn about. It's very difficult to know who is responsible. And the rate of change is very incredible. That is true at the technical level.

A lot of what we'll talk about here is also what happens at the national security level because we have these two sets of truths: The national security of what is happening in national capitals, as well as the technical truth of what is happening in the network. And both are true. It is just different perspectives and ways to look at it.

I'm going to cover the first two. I'll turn the microphone to Solar Sunrise. Where we really, I was -- many people are even surprise that had there is even a history for us to be talking about. There's a sense that Internet was largely a peaceful place maybe until the 2000s and it was only really in the 2000s when bad things were happening and prior to that it was pretty Utopian. We found that is not quite true. The first main case that we looked at was a case called the cook coo's egg. It was 1996. There was a U.S. astronomer, someone who spends his time looking at the stars. Noticed a 75-cent billing error in his computer systems. And as he pulled strings and kept looking and looking more, he found that there were intruders in his system at one of the U.S. national labs. They were looking for classified information on Ronald Reagan's plan to shoot down missiles called Star Wars or Strategic Defense Initiative.

The more he pulled, the more he was able to help figure out that it traced back to Germany and German hackers who were selling their information to the KGB.

So I talk about this case quite a bit in Washington, D.C. to people at United States cyber command or the pentagon or the White House.

And they never knew that cyber espionage is not in the last ten years. It actually goes back over 25 years.

The second case was the Morris worm which wasn't quite a conflict. Let me come back with how I'm using that word, conflict. It may be new to some of you in this context. Where a U.S. college student, Robert tap pen Morris, wrote a quick piece of code that quickly took down something like 10 percent of the early Internet. It took down something like 6,000 of the 60,000 computers that were on the Internet back in 1988. What the responder, what the people responding found was they could not respond fast enough. They had only been ad hoc, only coming together when something bad happened. Now there was something so big, they had quit a bit of difficulty responding to something of this size and scale, especially because the way they normally coordinated was using the Internet itself. Now the Internet itself was what was unreliable.

And we will come back and look at some of the lessons from these and other cases. I would like to turn the microphone over to Tim.

>> TIM MAURER: Thank you, Jay. First of all, can I ask all of you a question and ask who has heard of Solar Sunrise before? One, two, three, four, five ... great.

So as you can tell, I was at the time not old enough to actually follow this from the perception of a participant. So I invite all of you to join later on in terms of how you perceived it at the time and what your perception is of how it fits into the narrative.

So I come from this more from the academic perspective because as you all know, the militaries of the world have become increasingly interested in using the Internet for political and military purposes as well. I'm interested in how we got to where we are today and how we certain things are perceived and framed to get us where we are today. It's something that I think Jay has been focusing on as well through his work and the book.

If you looked at, there was a new study that came out a few months ago in terms of the number of Governments developing military doctrines and actually there are now, we have seen an increase compared to the first study that came out just a year ago. I'm happy to point you to the Web site if you're interested.

>> JASON HEALEY: Tim, if I can jump in on that point, a lot of what you are seeing here also, we could have almost called this topic, the militarization of U.S. cyber policy because a lot of these cases walk through about how the U.S. military started to get more and more interested and starting raising it to higher and higher level generals. That could have been an interesting alternate title for the panel.

>> TIM MAURER: The second caveat I would like to make is the terminology I am going to use to flag that this community uses terms in a certain way that in other parts of the Internet policy area will be used differently. I will probably reference attribution a couple of times which from the human rights framework is what we praise as the anonymity that the Internet allows in that you can do certain things without having to worry about being detected or monitored. But in the security realm the attribution problem is in terms of tracing the affect back and making life more difficult. But that's perhaps for another panel in the next DOJ.

I'll take you back 15 years in time to February of 1998, which is when operation Solar Sunrise took place and just to give you a broader perspective in terms of the geo politics at the time, it was a point in time where tensions with Iraq were at a high. You had the debate over the UN weapon inspectors who were in Iraq in order to look for weapons of mass destruction and there was a big back and forth in terms of whether they were actually able to carry out the work in the country.

It got to the point where Saddam Hussein threatened to expel the weapon inspectors and in response, the UN Security Council issuing certain statements but the U.S. also deploying at 1.2000 marines bringing the troop level in the region up to 25,000 an having three aircraft carriers destroyed, which if you engage in a conflict it's critical to have those in the region.

We were at a point of a very tense moment in the region. And people at the pentagon were wondering if war had already broken out because something that they knew but that the rest of the world didn't know was that someone was accessing and intruding in systems off the Department of Defense in the U.S. And this took place for three weeks from February 1 until February 26, and therefore coincided directly with the, what was happening at the geo political stage at the highest level.

Solar Sunrise in terms of what the mall ware actually did exploit the a vulnerability in the Solaris operating system which had been well-known. Was traced back from the forensics perspective to among others the United Arab Emirates which was one of the gateways leading directly to Iraq which is what got the officials at the Department of Defense very nervous because of everything that was going on. There was a fear that the attack was actually coming out of Iraq and was part of a lead-up to the military conflict with the potential spill-over effects to the conflict at large.

I think it is important to point out from the start that what we are talking about is not a destructive payload. This was exfiltration. Solar Sunrise intruded systems and planted sniffer malware in order to copy passwords.

It did not access classified networks. However, it did access the global transportation system, the defense finance system, so systems that would have been connected to a military conflict.

The reason why this also attracted a lot of attention at the Department of Defense at the time was that the department had just concluded its first military exercise that would simulate an attack on the Department of Defense's network. So shortly after that took place, the exercise was called eligible receiver, you actually saw this happening in realtime which I think a lot of the people who considered this still to be the future of warfare, it made them quite nervous.

It was first detected through the Air Force emergency response team that noticed a root level compromise at Andrews Air Force base and quickly realised this was not only occurring at the Andrews base but other facilities as well. And what was interesting about the pay load, apart from it being sniff malware, the intruders actually patched the vulnerability as soon as they got root access so no one else could exploit it. In that sense they were actually quite smart in making sure they were the only ones.

>> JASON HEALEY: If I can highlight something you just said, it was very interesting because the pentagon had just gone through this exercise that Tim mentioned, eligible receiver. This was briefed up to the President, how serious this was. It was a very high level exercise.

So the military is primed to be thinking about cyber war. They were already having this exercise and they turn around and just a couple of months later they are pretty sure that cyber war is now on.

>> TIM MAURER: As Jay Healey mentioned, this actually got to the level of the President. So you had the secretary of defense going to the President saying we have a situation here. We don't know yet where it is coming from. This wasn't something that some low level Department of Defense officials were worrying about. This got to the level of the President which underlines some of the things that we still see today when we talk about cyber war, using code, using the term, and cyber warfare. As you can figure people tried to figure out where it was coming from. As with many attacks we saw today you saw the attacks being routed through University networks and networks that are known to be easy to use if you want to kind of hide your tracks.

The Department of Defense was involved as well as the FBI which would eventually take over the investigation. And the hypothesis of who was behind this ranged from Iraq which was the most disconcerting, to some Dutch hackers and eventually a joint task force that I think Jay will probably talk about, hopefully talk about later a little bit.

But it turned out that it was not Iraq. It was not Dutch hackers, or hackers in another country per se. It was two Californian teenagers known by the names of Machiavelli and Stimpy, who was a popular rapper at the time for people who listened to rap in the zeros.

They were mentored by an Israeli hacker known by the name of analyzer, who made headlines a few years ago and has been arrested for subsequent hacks afterwards.

The way they found out about the Israeli hacker being involved was actually hubris. He was boasting about it in chat fora. The person he was boasting to about this decided to take this to the authorities. Therefore, point them in the right direction. This is how it all ended up being resolved in terms of the investigation, finding who out who is behind it.

I'll keep it short and I want to close with three quick take-aways. So what is interesting for me from Solar Sunrise it shows some problems we still face today in terms of the attribution problem, the difficulties to actually trace back an attack or intrusion, in this case. And I'm using cyber attack in a very liberal way here. We don't have a definition of what a cyber attack is. It sound a lot worse than intrusion. If we talking about framing the use of words to highlight a problem it's interesting that this has been used since the '90s as the alimental frame to frame these issues.

To bring it back to a recent event in terms of attribution problem an something that is important when we think about this, how important it is about the cautious about the reaction after a intrusion took place. Some of you heard about the attack that took place in South Korea at the beginning of the year begins south Korean financial institutions. If you watch this closely, South Korea came out and accused China first of being the source of the attack, only to retract that statement two days later because they realised that the IP address that they had assumed to be the source of this was the public IP address linked to China, but they had mistaken that for the internal IP address of one of the financial networks that had been affected.

And, therefore, in terms of being cautious about jumping to conclusions too quickly and the ability of whoever is behind it to cover their tracks. I think that's something that is worth pointing out here.

>> JASON HEALEY: Thank you, Tim. And thanks for phrasing that the way you did. Because if you notice, as I mentioned we are talking about cyber conflicts here. You are not going to hear us talk about cyber wars because we think -- I think and I think probably the panel does, we have not had a real war yet. Wars are violent, deadly, bloody things. Through all of the wake-up calls we see here, we've seen certainly tension and cyber attacks and other things, but as we did our cyber conflict his inform book we couldn't find a single case of anyone who died from a cyber attack. I don't know if my other panel -- I'll leave that.

>> I was going to say in the State of Georgia, paired with military --

>> JASON HEALEY: Okay, Bill is going to talk about that next.

I call it here wake-up calls because each one of these -- and this is the reason why there's a question mark on U.S. espionage. All of these have led to significant changes, organisational changes. Way that is we look at the Internet and cyber space afterwards. Each one of them, therefore, also has implications for how we are thinking about Internet Governance after the one that Tim just mentioned, the military realised they had no one in charge and it led to the creation of the first cyber command. First it was only doing defense in 1998. I helped set it up. Then within a year it was also coordinating United States offense actions.

We are talking about 2000. We already had the first military cyber command to be doing offense and defense.

We are going to jump forward for Estonia and Georgia.

>> BILL WOODCOCK: I actually just dug up some slides I did back at the time in 2008 and think I am going to put them up since they offer a little bit of a view into history. Do you mind?

>> JASON HEALEY: You can tell that Bill is more technical than the rest of us. I wouldn't have been so bold to do this. Bill can get away with it because he's a techie.

That's interesting.

So as we are talking about cyber conflicts there are times we are going to be I am polite. There are times when I'm going to say the United States did this. Like Stuxnet. There are times we are going to say the Chinese did this like espionage or Russians did this. Again, I'm approaching this as historian myself. I mean, we are trying to speak about cyber conflicts largely between nations. When we say cyber conflict we are ruling by definition most of the things that might be crime. We are not generally including crimes of hacktivism. It's largely with security implications between them. Because it's largely between nation states, what we talk about here, we have to bring up nations. We are not doing that to be rude. It is because we are trying to talk about accurate history.

>> BILL WOODCOCK: So this is just two slides from a briefing I gave NATO at the end of 2008 on what had happened in Estonia and Georgia. It has more detail than I would be easily able to dig up now and also it is, I don't know. It is its own sort of view into the way we were thinking about it at the time.

So the interesting thing to note here is that Governments often sort of get this very myopic view. Something comes up in the press and they get excited about it and they think that's the one thing that has ever happened.

What you see here, there was one thing I knew here in 2005 that the Russians had done. Eight events in 2007 and eight in 2008. It wasn't like Estonia and Georgia was the only thing that Russia was doing at that time. This he were part of a very consistent series of actions that by and large used the same bot nets, by and large had the same attack signatures and so forth.

So let me just kind of dive in and talk a little bit about Estonia.

At the time that the Russians attacked Estonia which came with little warning. A lot of these things come with a little bit of warning. Last year the anonymous attack against the name servers, that came with six weeks of warning. In six weeks we were able to deploy about $8 million worth of additional routing equipment to protect the root servers. A little bit of warning goes a long way with these attacks. So the warning came in. And the Russians with trying to recruit inside Estonia. Like the Chinese in Mongolia, the Russians after World War II funded a lot of immigration so there would be Russians in Estonia, like a colonization programme.

Estonia language and culture are not easily penetrable and so there were at this time third generation ethnic Russian Estonians living in Estonia who had no working knowledge of the Estonian language, right? They are a very separate culture within Estonia.

The Russians have worked from the Chinese playbook. The Chinese have a big military academic body of literature on cyber warfare and you can get Chinese academic military journals and read what it is that they think about this stuff and I mean, in translation, of course.

And the Russians, of course, do that as well. And so a lot of what you see the Russians doing follows these sort of Chinese doctrine, right down to the letter. And in this case a big part of the Chinese doctrine is this motion of the people's Army, right? That the, in time of conflict the people form up around the cadre of trained people who are professionals, but everybody does their part. The theory with the attacks against other countries is that there would be Chinese nationals living in those countries who would be able to attack behind the lines, right?

And so the Russians take that very literally. They go to Estonia and say who are the Russians in Estonia that can help us conduct this attack inside Estonia? But that's an attack against law and order, right? That is an insurgency. Which means the Estonians are conducting a counter insurgency here. An appeal to law and order.

The Estonians said: Hey, your second cousins in Moscow have trouble finding decent groceries in the grocery store. Their plumbing doesn't work all the time. The electricity is not reliable. Law enforcement isn't that good. You have it really good here in Estonia, right? Why would you attack that? Why would you go against that? And at the same time they found the Russian agent who is running around recruiting, threw him in jail. Said we are locking him up. He's never going to see the light of day again.

This is very effective counter insurgency. You say here are the benefits of what it is we are offering. That's the carrot. The stick is, if you try and violate that, you know, compact with civilization you get thrown in jail.

When the attack came there was no domestic participation. There were not ethnic Russian Estonian hackers running bot nets inside Estonia. That made the attack a much, much simpler thing to deal with. So two of us in this room were in the room --

>> (Speaker away from microphone.)

>> BILL WOODCOCK: All right, all right. We're almost there.

So Medi Kayo who is sitting back there and waving is like most Estonians from New Jersey, like the President of Estonia. She was there. As was Curtis Lindquist who was from sort of the Swedish government, a public-private partnership that operates critical infrastructure in Sweden.

Curtis and I were most members of NSPSAC, the coordination body that deals with attacks against the Internet infrastructure. And so we were there acting as liaisons to the cert because there was nobody in the E-cert who had yet been vetted into NSPSAC at that time.

We were helping to coordinate the international response, the filtering of the attack. Along comes the attack. It's 11:00 p.m. in Thailand, midnight in Moscow. What the Russians had done is hired one month's worth of attack from two different botnets. It starts at midnight when they paid for it to start and so it's huge, huge, huge attack. Something like 20 times the normal daily peak for incoming traffic for Estonia.

It pretty well swamps everything, but Estonia had two domestic Internet exchange points. So they had a way of producing bandwidth domestically. They weren't dependent upon bringing it all in from the outside.

So these attacks were swamping the inbound bandwidth but not precluding domestic communication. They were precluding communication with the outside world. But it was 11:00 p.m. Not that pane people were really trying to talk to people outside at this point.

And so the response basically happened over the next seven hours. Got it damped down to the point where it wasn't noticeable anymore by six or 7:00 a.m. the next morning before people are getting to work. Really the attack didn't have much if any practical effect. And you know, you could still sort of, if you were measuring closely you could still see it, that it was there, but it had been damped down so well that it wasn't actually impeding anybody's ability to get their jobs done. Regular users weren't noticing it.

A month later you could see it end when what they paid for came to an end.

So it was just a straight-up VDOS. It was coming from the outside from botnets. The Russians, of course, pointed out since they hired U.S. based botnets largely that it was the U.S. that was attacking Estonia.

The Estonians, of course, had just joined NATO at that point. They appealed to NATO and NATO threw up their hands and said computers, the future! Something!

And a few years later as an apology they built a centre of cyber excellence in Thailand to apologize for not having done anything.

I was going to flip to the next slide quickly.

>> JASON HEALEY: While you are doing this, a lot of the dialogue that you hear about Estonia is, it was a cyber war and Estonia was wiped off the network. I mean, when I hear that, that tends to be the myth that is out there. And you're saying neither of those is true?

>> BILL WOODCOCK: Not at all. Really, the interesting contrast here is between Estonia and Georgia. Estonia had a really good cert that was well organised, well trained, really well coordinated with the Internet service providers there.

And more importantly, really well coordinated with law enforcement. Unlike most certs run by somebody who comes out of a computer science security background, theirs is run by a guy who came out of financials crimes, Detective, law enforcement background, which was sort of perfect in a lot of ways.

What that meant was, he was able to call up his buddies still in law enforcement and say: Go arrest that guy, make sure it's in the headlines tomorrow morning. A week later they let the guy go. I don't think they even charged the Russian kid, the Nashi agent. I don't think they even charged him. The point was to make the headlines about how he was going to live the rest of his life in jail and you don't also want to live the rest of your life in jail so don't participate in the attack. That's what mattered.

So sort of following the buck back, the reason why Estonia got attacked -- sorry, I got side tracked there. The difference between Estonia and Georgia. Really good cert. Two Internet exchange points inside the country and their external connectivity was to countries that they were relatively allied with, right? So other Baltic and Scandinavian countries that they had good diplomatic relationship with clueful Internet providers on the other side who could say here is the attack signature. Filter it.

By contrast, look at Georgia. No Cert, no Internet exchange point. Six of the seven fibers in the country went to Russia, the country attacking them. Would be went to Turkey and that was it. Huge difference between Estonia and Georgia.

In Georgia the attack was pretty successful. Basically the country was offline for the better part of a couple months. And the entire government had to roll over on to Google free bootless -- is the mic acting up?

Anyway, so going back to how this played out, the Russian government per se doesn't want to publicly take credit for a state actor attack, right? So what they do is Nashi, which is the Putin youth support organisation stands up and says oh, we did it. This is the patriotic hacker thing. Oh, we take full responsibility.

When it was pointed out that that wasn't plausible because it was from the NSB. They said oh, they ran with it and that's the end of it. But that still doesn't really explain why. To get to why you have to look at the oil politics. Oil and gas politics are what drive almost all of this stuff internationally, from Russia. What had happened was, there was the Polish government -- so there were gas pipelines going from Russia to Germany, a huge export market for Russia. They go through Poland. Poland tried to up the tax on the gas going through. And that ticked off the Russians. The Russians said well, we are going to put in a new pipeline that by passes Poland. That was the Nordstream pipeline and supposed to go around the Baltic and around to Germany. It turned out that Vladislav Surkov, chief of staff to Putin, invested a huge amount of money into the pipeline and the Georgians vetoed the pipeline based on ecological reasons, digging up the sea floor in the Baltic is not the great idea when the Russians have been dumping nuclear waste in there since World War II. So they vetoed the pipeline and Surkov who was the founder of Nashi and issues a lot of orders to the FSB is the one who effectively asked for this to happen. And for very personal reasons.

You get back to it and this wasn't really a Russian governmental action in this case. It was just somebody very senior in Russian government who was able to pull a lot of strings to make it happen.

>> JASON HEALEY: Can you wrap up?

>> BILL WOODCOCK: Yes. So Georgia was very different in that that was in association with an actual military action. Again, it was gas pipeline Georgians negotiated a deal for a pipeline with the Russians and backed out of the deal and signed a deal with the U.S. instead. Russians attacked them. Tanks rolled and they did a cyber attack in conjunction with that and it was effective. The only thing that kept them online at all was Turkish telecom stood up and made it go.

>> JASON HEALEY: I think this one is dying on us.

So some of the things that Bill brought up in there. I mean, there is warning. I mean, a lot of times we are told there is no warning for cyber attacks. And what we have found is we looked at these as conflicts and that's not quite true. Almost all the conflicts we are talking about here take place within a larger nationality security framework where rival nations are angry at one another. And so true, you might have a daily cyber attack, might have a Cybercrime. You might have hacktivists. And those, any individual attack might be difficult to warn about, but the most damaging cyber attacks, the kinds we are talking about here assigner conflict almost always take place in a larger context of rivalries between nations that is starting to heat up into an actual geo political crisis rather than just something that happens on the network.

And again, I think as we are talking about cyber conflict and cyber warfare this has big implications for how we are thinking about Internet Governance. These tend not to be spooky cyber conflicts. They are conflicts between nations that happen to spill over into cyber space.

So we have been talking so far about a very military and intelligence dominated situation because that's how we get to conflict. That is not the only way to be looking at this. Japan has had a very different way of approaching many of these same problems. So I think next we'll turn to Yurie Ito.

>> YURIE ITO: Okay.

Thank you, Jay. Good afternoon. So in Japan we see it also, hack can attacks are being used for a variety of political purposes between especially, especially between China, Korea and Japan. So activity appears to be going on, ongoing and it is increasingly causing confrontation between the parties. And what is not really good is the fears regarding Internet attacks could lead to political crisis or more brutally increasing the cans of conflict, escalation between the countries.

As a result, China, Japan and Korea have identified a need to have more effective conflict management approach to the cyber conflict. So when these things happened, you know, we want to make sure we have stable point of contact and a process and procedure and policy how to respond to that, and be ready when these things happen.

So the collaboration framework is two layers by function. One layer is the cert computer registration response team and the other layer is government. It also, so this collaboration defines the policy and cooperation of collaboration response. So when the cyber attacks occurs, triggered by for example some political conflict, we quickly notify each other and we have a process to start the joint emergency response team between the teams. With that joint emergency response team we share the monitoring. We use different language. So monitoring, joint monitoring, and as the other side of the team, monitoring what is going on in that cyber space and who is talking and what is going on, where is the attack announcement. Where is the malware or a place where people go and download the bot and become a self bot to contact the attack. We are monitoring those things and sharing with each other.

So we have a process to work together. And we are making sure that, so sometimes this type of point of contact, when we talked about this point of contact sometimes we use this confidence building measures and then the nuclear resistance, where there is a red phone lines between two conflicting countries and whenever there is something, there is a stable communication path so that there is a conflict incident will not necessarily escalate to a conflict with the interpretation, wrong interpretations or misunderstanding.

One of the things that I see the difference from the nuclear risk re-discussion CBM and the confidence building measures as cert as providing the stable point of contact is the nuclear risk, it is a government-running facility and a government-owning, and government confidence building measures.

But in cyber, most of the cyber space are consisted. And operated by private sector. So what we did is keep the technical and operational layer from the political policy layer and make sure the technical layers are firstly always contacted despite all the difficult time for the policymakers to communicate.

>> JASON HEALEY: May I highlight something on that if my mic is going to work here? I think it's an important point for Internet Governance. Both what Bill has been talking about and Yurie, in Bill's case he never -- he rarely talked about a government action on the defense. Right? Was largely the private sector groups like NSPSAC, the large telecos and others that were riding to the rescue of the countries under attack.

And likewise as Yurie is talking about, it's a separation of a private and technical level and a lot of techies are in the private sector.

We talked about this in the book, few conflicts were ever decisively resolved by governments. This is important in Internet Governance. The biggest problems that cyber space has been facing is getting solved by the private sector. You can say that the private sector are causing a lot of the problems or non-states are causing the problems. That doesn't take away that it is largely companies and non-states that are solving it.

That continues to point to the importance of the multi-stakeholder model.

Sorry to join in on that but I thought it was an important time to join in.

>> (Speaker away from microphone.)

>> May I just interrupt a little bit myself? The, I think the reason why governments aren't really able to do anything is because they just don't have resources. The Internet is a private sector thing and it takes a lot of resources to be able to write ride out a big attack. It's the ISPs that have those resources. The one big exception is China, right? In China you've got far less separation between what is governmental and what is private sector. So you've got China telecom acting as an agent of the Chinese foreign policy a lot of the time.

So that is one of the tricky things in this area is how do, how does the west or how do non-Chinese countries counter this sort of tie-up between Chinese private sector and Chinese government? Because we don't want to do the same thing because it is not who we are. But it is a very strong position that the Chinese have and we don't really have a counter veiling strength.

>> JASON HEALEY: I would even generalize that point of the more we try to put government, give government leading roles in Internet, especially on response which is what this panel is largely talking about, governments tend not to have the resources as Bill just said. They also tend not to have subject matter expertise like companies. And they strongly tend not to have the agility to be able to respond quickly enough.

That's why I think multi-stakeholder model continues to be important because if governments try to increasingly take over the role of response, then I think the attackers are going to continue to have the edge because governments don't have the resources, I'm sorry they don't have the subject matter expertise or agility and in many cases they don't have the resources to respond. Do you have any last words? Okay.

>> YURIE ITO: Yes, I think escalation process to government is -- country by country it is different. So we have to reach out and find out what is the best, but the escalation process is very important.

It is really important to make, from the technical community, to make sure that the government are not going up to panic and then say well, there's a big attack coming from China and there's state-sponsored blah-blah is going to be the cyber warfare.

We have a big role to making sure that we are handling it. The other side is knowing about this. We are aware. We walk in together and make sure policy layers of governments are stable and really working with the stakeholders domestically to make sure this is under control. That's I think the government's big role.

>> JASON HEALEY: Let me switch mics here. Thank you.

I'm going to talk briefly about the Chinese espionage and Stuxnet U.S. espionage and then I want to leave half an hour for questions. If you have any. If not, I have a few for the panel.

Talk about the different Chinese espionage and U.S. style. Because we've learned a lot in 2013 about U.S. espionage. So I'm not going to cover very much about that. I'll combine it with Stuxnet, though. The way the U.S. tends to collect information tends to be -- I mean, at least if we can believe the Snowden revelations, we like to collect it all, which is what the national security agency, if they can, is the backbone.

If the U.S. does intrusions, breaking into companies, breaking into places, that tends to be relatively quiet and relatively precise. And we also see take kind of position in the Stuxnet and Olympic games attacks that we learned about two years ago. This was attacks apparently U.S. and Israel against the Iranian uranium enrichment programmes. A very sophisticated piece of malicious software. We have a nice case study of it in the book, along with a few intelligence collection pieces of malware that went along with it.

And it was seen to be a U.S. operation and Israeli operation not only because of the target but because of the style. It was a U.S. attack and Dick Clark, who had been at the White House before me, pointed out this must have been the U.S. Look at how many lawyers must have been involved in this.

Because it spread, but it was extremely precisely engineered to only break things in a very specific set of parameters that only existed in one place in the world. In Natan's uranium enrichment. That is very indicative of the U.S. style, being exceptionally precisely targeted to hit only one specific thing.

U.S. tends not to use proxies. We found almost no examples in our history of where the U.S. gave a green light to hacktivists to hack on its behalf. This is all very different from what seems to be the style from China which uses, as Bill mentioned, a lot more patriotic hackers. If there's tension going on in the east China or south China sea, you can expect that there is going to be patriotic hacking that goes along with it.

Whereas the U.S. espionage can either be very quiet and widespread or very quiet and intrusive into specific companies.

The Chinese espionage that we found traces going back ten years of it being a significant issue. Probably even farther back.

It has been much more unrestrained and aggressive. The unique Kaparski from the virus company, the anti-malware company talked about going to companies and found seven different Chinese groups within the same company, all collecting different kinds of information, reporting back to different masters in China.

Now, again, I'm not trying to -- so the U.S. style is much more coordinated between the intelligence community, between NSA, CIA, with the White House.

Much more targeted. If they are intruding into a place. Generally far quieter going in. We only know about a lot of these operations because they got leaked from the inside rather than being detected. Very different from the much larger Chinese.

Just to close on Stuxnet and Iran versus the United States, we only know, or we largely know about this because of the Stuxnet attack. Because the malware was detected, it got widely reported as well as other ones in the same, that appear to be in the same family like flame. It seems that there have been -- this is only one campaign in a larger conflict between the United States and Iran. It seems like other attacks on the U.S. finance sector are part of that. It's difficult to know much of the truth because it is happening in the shadows.

I'm going to close right there. We hit not quite one hour. Just to see if there are any questions from people online or here in the audience. I have only got one working mic. If you ask the question, then I'll repeat it and see how that works. Sir?

>> AUDIENCE: There is a development in London called the Tallinn -- my name is Mike Kelly, a law professor at American Bar Association. My colleague, Shawn Moss. This was commissioned by NATO to apply to cyber conflict. It's three volumes. It sounds like the U.S. also is adapting proportionality rules and sensitive rules of warfare to what it does in the cyber field but other states are not.

Can the U.S. use the intellectual products like the tallinn manual to try to push states into the same paradigm so everybody is using the same type of rules?

>> JASON HEALEY: So the question is on the Tallinn manual from the NATO cyber defense centre got together a number of international law scholars to look at how existing international humanitarian law, that is the laws of armed conflict can apply to cyber space.

And beforehand, the United States, U.K., Australia, a few other countries said for several years that things like the Geneva convention apply on cyber space just as well as anywhere else. Basic human rights, the universal declaration on human rights apply in cyber space as they do in the real world.

Now, there might be, we can hardly give out exactly how, but that has been the official policies. We can see that in the Stuxnet attacks. This year has seen, 2013 has seen a lot, one of the largest cases of agreement between countries, the UN group of governmental experts. If you are interested in this topic I urge you to look at the group of government experts report because you add U.S., China, Russia, 12 other countries, Germany, Australia, all agree that existing international laws do apply to cyber space. So if we are talking about arms control, talking about other issues, the U.S. position has long been that you've got Geneva convention. You have these other conventions. And let's start from there before we invent something new.

>> BILL WOODCOCK: I think one of the big distinctions that needs to be made is between intelligence and military. That line is much more flexible in cyber space. Or it is being taken as being much more flexible.

So governments are never willing to constrain their actions in intelligence side of things, whereas the military side of things they are much more willing to, you know, come up with treaties and say, oh, you know, we are not going to massacre civilians and so forth. That's just fine on the intelligence side, though. Of course, everything gets defined as intelligence action rather than a military action.

I think it's not necessarily quite fair to make it sound like the U.S. is leading some charge towards public documentation and so forth. As I said, the Chinese have been publishing on this since the early '80s, like '83 or '84. We are 30 years into public Chinese doctrine from their military on cyber warfare.

And you know, there's stuff very well argued out on that side. People with different positions hashing it out.

And a lot of quite reasonable stuff.

I think it is fair to say that there aren't a lot of countries that participated in this debate. But I think if you look at what the U.S. has -- the Snowden cyber command, blah-blah-blah, revelations, I think what you see is that the line that the U.S. draws publicly is very, very different than what the U.S. actually does. And it is this sort of weaseling around and saying, you know, none of that actually applies because we are not actually at war because this is a war on terror, which is a war but it's not a war and it's all intelligence stuff and so on and so forth. So we can run over the private sector with hobnailed boots because they are foreigners and foreigners don't count either.

This isn't mature behavior, right? At some point this will have to mature and people will have to take a public position that is in line with their actions and we are just not there yet.

>> TIM MAURER: The GDE, for those of you familiar with the human rights debate, the human rights Council's saying that human rights apply offline and online. You can think about this as the exact same for international human humanitarian law as the international community is trying to now affirm that it applies offline as well as online. That is the reason it hasn't been the case yet is because China argued that it doesn't apply and there should be an entirely new set of laws, but that seems to have changed this year. And the Tallinn manual to put that into context goes back to the centre for excellence. In many ways it is a little bit ahead of the curve in that political negotiation because it already looks at once you have it affirmed how do you actually translate it to cyber space? I think most of what we see is actually stuff that remains below the threshold of an attack that will trigger humanitarian law and we haven't started the debate yet about what norms and rules should apply to subthreshold attacks. This goes back to the resolution from the Russians in 1998. It has taken us 15 years to get to the point of having the Geneva conventions applied not talking about how we talk about the activity we're seeing.

To talk about what Bill said about the Chinese doctrine, this goes back to the human rights piece. Cyber security has gotten so broad that we need to be very careful about the way we use terminology and the Chinese understanding of cyber security is in many ways the terminology of information warfare and information security, which arguably is a Trojan horse for human rights debates because it includes content. What is interesting, you had a similar debate in the '90s about information warfare in the United States, Jay, you can jump into this, that conflated CY ops in what we call attacks now on cyber security that could have physical impact. Those were separated and Martin Libicki has excellent writing on this on how it got disentangled in the U.S. context. At the international level we see a debate that took place in the '90s and we see this content being included in that as a hidden human rights debate.

>> JASON HEALEY: Okay. I think I'm going to have to be my own mic person here. I will go one, two, and three was here.

>> AUDIENCE MEMBER: Thanks. Ron Deibert from Citizen Lab. Great panel.

I was going to make a remark about, I hear a phrase often said that there has been no cyber war. I think that's true, but it's also a bit trite. The fact is that no armed conflict today takes place without the ICT having an important component in that conflict. Especially in low intensity armed conflicts of a domestic nature. So you look anywhere in the world today, Syria, for example, in the case of Libya, ICTs, cyber played a huge role. There is a study that Citizen Lab Fellow John Scott-Railton did on Libya and the role of malicious software and targeted electronic attacks in that case. I think that's especially useful to look at. So in discussing the nature of cyber conflict, I think it's important not to lose sight of those cases because they are actually the most interesting ones and they are not at the level of anything involving the super powers or the great powers. And they are unfolding in ways that have no relevance also to things like the Tallinn manual. It is completely unorthodox nontraditional low intensity violence.

>> JASON HEALEY: That's a great point. Anyone want to pick up on that? Let's try it. Let's try the other one. Bill, can you pass it over?

>> TIM MAURER: Yeah, I think that's a great point. The question is, are we moving in a world where conflict as such, Thomas Ritz's argument that war is a continuation of politics with other means and do we see the level of violence being reduced and we are seeing conflict becoming more or less violent and therefore we need to reconceptualize conflict which would make the study that the citizen labs more relevant because politics and influence on violence is being exercised in a different way now.

So I totally agree with that.

>> JASON HEALEY: It is one of the things we found as we were doing the history. There's tons of conflict. Every time you're seeing a conflict in the real world whether that's between activists or between countries you can start to expect -- actually for 15 years you could expect there to be something happening on the Internet that was going to mirror this. What Ron has brought out was that that started with being harassment, you know, someone putting a picture of their butt on your Web page. It is now especially getting particularly more and more virulent over time and so it is a worrying trend.

But a strong enough caution is that we have been overestimating the impact of disruptive cyber attacks for decades. We first came across the phrase electronic Pearl Harbor or digital Pearl Harbor, which the U.S. secretary of defense brought up just last year, in 1991. So.

>> Cybergeddon.

>> JASON HEALEY: Yes, we have been talking about the cyber Pearl Harbor for many of years. We are talking about cyber conflict but cyber war, not yet. There's a different dynamic going on. If we have been saying this terrible cyber attack is going to bring down our country, and 20 years on we are still saying it.

Thoughts?

>> AUDIENCE: Hello. My name is Andrey Kolesnikov. Head of TLD.RU in Russia. I have a question for Bill. Where did you get all this conspiracy data? I live in Russia. I'm involved in all these aspects but your survey looks like a Batman movie or something like that.

>> BILL WOODCOCK: You are involved in all these aspects?

>> AUDIENCE: Of course, I'm involved because I am in charge of TLD.RU. I know all the data about the most recent D-dot attacks. Of course we analyze all this data and we are trying to find the source and you probably are aware that the average DDOS attack is about $1,500 in price. So how, the question is how do you distinguish, how do you make a difference between Russians as Russians as a people who live in Russia and who pay $1,500 for the average DDOS attack for Estonia or Lithuania and Thailand and the Russian officials who is also mentioned in your presentation like Putin and Surkov, et cetera. How do you build the line between them?

>> BILL WOODCOCK: Yeah, so first of all, attribution is difficult, right? And there is this ... there is this problem that in communication between Internet engineers and political people, right? Political people want to know who is responsible. And if you ask an engineer that, the engineer will tell you that answer is functionally impossible to give. Right? Because there are so many variables. Attribution is so difficult. If you start trying to trace this back through the Internet you will hit so many dead ends that, you know, at some point you'll wind up at some keyboard and you won't know who was sitting in front of that keyboard, right?

So a lot of attribution winds up being giving up on trying to do 100 percent accurate: We know this for certain and we can prove it in a court of law and going to: Who claimed responsibility? Was that possible? Who had something to gain? Who is dancing around responsibility? Right? Who is saying oh, isn't that a shame; wouldn't it be a shame if that happened again tomorrow, but no, I have no idea how that possibly could have happened to you, my enemy, right? Whatever.

It is really tricky, right? A lot of this comes down to sort of detective work an people admitting things after the fact, right?

A year and a half after the Estonian attacks, two of the Nashi people who were involved made a series of admissions about who they had gotten orders from and so forth.

At the time you couldn't get that information, right? In 2007 that information was not available. Those people had not stood up and said here is who I got my orders from.

>> AUDIENCE: It was not public ... (Speaker away from microphone.)

>> BILL WOODCOCK: Right, yeah.

>> JASON HEALEY: The comment was the information was not published but it was there before.

>> BILL WOODCOCK: Facts exist, right? There is some objective reality, but knowledge about that is very constrained and some knowledge gets lost over time and other knowledge dissipates out over time.

So everything that you saw there on those slides was stuff that I dug up by talking to people or through public records.

Right?

>> AUDIENCE: (Speaker away from microphone.)

>> BILL WOODCOCK: Oh, yeah. I am sure that I'm sure that there were many, many more things that I know nothing about.

Part of my point at that time to NATO were that these few examples of attacks against external targets that follow the same pattern as other known attacks, you know, they all kind of follow the same play book, same botnets, so forth. Most of those were against internal targets within Russia.

>> AUDIENCE: You know my problem? The top of -- official reference sources like Kremlin and newspapers and like Putin Web site and blogs -- orthodox ... (Speaker away from microphone.)

>> BILL WOODCOCK: Yeah, yeah.

>> AUDIENCE: So if I come to the data, it is not full data.

>> BILL WOODCOCK: Right, right.

>> AUDIENCE: We have to look at the full data.

>> BILL WOODCOCK: So the question is, that slide showed half the story, right? That slide showed attacks against targets that were not friends of the Russian establishment, right?

Whereas all the attacks against the Russian establishment were not on that slide. Absolutely. That is what the slide was, right? The slide was about things were plausibly Russian offensive operations. Absolutely, the Russian government gets attacked all the time. Russian people in power get attacked all the time. All Russian political parties get attacked all the time, not just opposition parties.

>> AUDIENCE: (Speaker away from microphone.)

>> BILL WOODCOCK: Yeah, exactly. So I was not trying to make it seem one-sided. That slide just happened to be one-sided because that's what I was talking about.

>> JASON HEALEY: Yurie had a comment and I'll add, too.

>> YURIE ITO: To show how we treat this, we never know the source of the attack source. It's very difficult, attribution. Sometimes the PCs launching the attack is a proxy compromised resources. So we are not asking the responsibility. We, if the attacks, if we see the attack coming from Korea, even though this is compromised PC and they are launched and the attacker is sitting in Korea, we ask them to cooperate and ask for coordination and I think they will do that. The important thing is develop the norms. It doesn't matter if you are conducting or not. If you are holding responsibility or not.

If you got the request of coordinating to stop the attack, we all as a shared network operating community, we need to collaborate. I think that type of norm building is important.

>> JASON HEALEY: That is healthy. What we saw, if you remember at the beginning I talked about things that are technical truth. These cyber attacks are difficult to warn, they happen at the speed of light. It is difficult to attribute them, to know who is responsible.

Almost all of these cyber conflicts none of these things were true. It is almost like to me, it's almost like a quantum uncertainty. The smaller you look at an individual attack, the faster it seems, the more difficult to know who it is p behind those specific ones and zeros that are coming your way.

As you start looking at the things that have been most strategically significant between nations, certainly between nations, you are no longer worrying about specific ones and zeros that are going your way. You are looking at a campaign of attacks that unfold over a long period of time. So most of the things we talked about here were not over at speed of light. They happened over weeks, months, even years for some of these. For example, Stuxnet.

Whereas if you are looking at the ones and zeros it is very difficult to know who is behind it for attribution. If you look at it as a national conflict, it tends to be far easier. You have the context of nations that are angry at one another. Stuxnet, as soon as people realised who it was going after. They said: This is U.S., Israel or both. They were correct.

For Estonia and Georgia, the people that looked at it as a technical issue would say oh, my gosh, this is coming from 178 different countries. We could never figure out which country is actually responsible. And that is true at this level of attribution. That tends to start at the packet level and work and try to build a case. I worked at the White House. If I would have been at the White House during the Estonia attacks in 2007 the advice to the President would have been two things: One, some of these attacks are coming from the United States and we need to stop these. Obviously this is taking place in a geo political context where Russians are angry at Estonians. If we want to ease the tensions here, let's pick up the phone and call Mr. Putin. It's different sets of truths -- he was Prime Minister then, that's right.

Sir?

>> AUDIENCE: My name is Cyrus Rassool from Freedom House. I had a question about your on cyber programme. Recently the Head of their cyber programme was reportedly assassinated. I'm wondering if this is a sign that foreign governments are becoming more concerned about Iran going on the offensive and if there are any examples of Iran carrying out cyber attacks on other foreign governments. If you could just give maybe more information about their current cyber capabilities?

>> JASON HEALEY: That's a great question. Thank you.

>> BILL WOODCOCK: I think that the big example, of course, is the Tuesday-Thursday attacks against the U.S. financial sector which are, I think, pretty well understood to be retribution for or retaliation or whatever for the Stuxnet and subsequent American attacks against Iran.

I think it is very hard to tell sometimes what is posturing about capabilities and what is actual offensive action, or actual owe finance I have capability. I think militaries in general find offensive capability inexpensive to develop and put into effect and militaries by and large sort of throw up their hands and give up on the notion of doing anything offensive at all.

So in the conflict between the U.S. and Iran, which has been going on for several years now, I think what is really problematic about that is not Iran attacking the U.S., which is pretty understandable under the circumstances, since we did it first, right? Or sorry, when I say "we" I mean here the U.S.

>> JASON HEALEY: We got caught doing it first.

>> BILL WOODCOCK: I think what is problematic is the lack of closure within the U.S. between the private sector, that is the victim of the Iranian retaliation and the public sector, which keeps doing new attacks, right? The private sector is who loses on both side, right? This is really the big problem with cyber warfare. The way I try to explain it, there is no no-man's land in the Internet. There is no high seas. It's all private sector network. Some actual person opened their wallet, invested and billed.

When militaries run around rampaging around doing offensive operations, it's all over networks that the private sector owns and operates and tries to keep working. And so in the case of Iran attacking the U.S. financial sector, they understand that, right? They are attacking civilian target. They know that.

The U.S. saying oh, you know, we do highly targeted attacks, right? I mean, that's bullshit, right? Yes, it was a military target, right? Sorry, it was an energy sector target.

>> JASON HEALEY: It was a weapons -- I mean at least in the U.S. it was part of a weapons programme.

>> BILL WOODCOCK: All right, but getting there is over the bodies of civilians, right? And that's a problem. And yes, I'm speaking figuratively. I'm talking about networks that are civilian owned and operated. That's problematic in both directions.

>> JASON HEALEY: I'm really I -- so also certainly the mainstream U.S. view is Shimun attacks on RasGas and Saudi Arabia into these attacks or counter attacks back into Iran. That worries me a bit as someone who is in this as a historian. If I look at, I can go and I can see the lines of evidence for Stuxnet and I can examine some of what has been written on that. I can look at Estonia, Georgia or Chinese patriotic hackers or Chinese espionage and I can examine that.

For these Iranian RasGas, Shimun, financial sector, I'm working on what people I really trust are coming back and saying yes, this is Iran. I don't have a high level of confidence about that because the U.S. and private sector are quiet about the lines of evidence that leads them to say Iran.

As far as the assassination, or the killing -- let me say that, because there's a big difference between killing and assassination. This could have been a gel allows lover, right? It fits in, it clicks in with the assassination of nuclear scientists also. To me, I would find it incredibly bizarre if someone killed someone inside of a cyber programme because this stuff is not dangerous, right? It really isn't. It is annoying. It can steal your Intellectual Property. It may ruin your company, but that is a far cry from having -- almost none of these cyber conflicts we talk about here, I would say probably zero, have any of these cyber attacks had any strategic impact. They didn't win a larger war. They didn't get the other side to coerce -- Georgia might be the only example I come up with that.

>> AUDIENCE:

>> Wasn't there a series of assassinations in Italy around ICT forensic stuff?

>> JASON HEALEY: They weren't criminal, right?

>> TIM MAURER: Yeah, but --

>> JASON HEALEY: From a cyber attack itself, it's difficult in these conflicts to say wow, that one side used cyber stuff and it really just won the war.

(Please stand by while we attempt to resolve the Internet difficulties.)

>> YURIE ITO: You know, mechanism to reduce and limit the cyber conflict risks.

So I would like to emphasize that the importance and effectiveness of this year and hope that it is going to be applied to the rest of the world as well.

The important thing is bring the other parties, we have to work on this perception and bring the other parties to be part of the CBM.

>> I think I'm with Jason. The more things change, the more they stay the same. Governments will continue to do what governments do and criminals will do what criminals do and it will be difficult to tell the difference and I think the one thing that seems to be changing over time is globalisation of people's perceptions. I remember going to a law enforcement and Cybercrime conference some 15 years ago and hearing complaints from law enforcement officers and Developing Countries that they would nail the suspect and the suspect would demand to be Mirandized, demand to have their rights read to them despite the fact that they didn't have those rights because they weren't in the United States, but they had been watching U.S. cop shows on TV. They thought that's how law enforcement was supposed to act, right?

The interesting thing there, though, as people began to partake more and more of global culture, they can see better ways of doing things. They can see ways of doing things, of holding people to higher standards. And so you know, it may be that standards of transparency will become more the norm. It may be that people will hold their governments to higher standards of not attacking people while claiming not to or whatever. So I'm hopeful about that. But I'm not hopeful for self reform by governments.

>> JASON HEALEY: You are so glass half full, that's great. I'll leave with all the cyber attacks we talked about here, no one has died from them. It's easy for the Internet to take a target down. It's difficult to keep it down over time. It does take a lot of resources to keep it down over time because the cyber attack only takes down things made of ones and zeros. It only takes things down made of silicon. The more that we start doing Internet of everything, the more that we start doing smart grid, connecting power plants and dams and embedded medical devices, the more we attach that to the Internet, then I am concerned that the norms that we are creating now, whether it's Russian, Chinese or the U.S. norms because we have all been attacking, give us much more wary -- probably not in the next three years but maybe in the next ten. When those targets get attacked, it is not just ones and zeros or silicon that breaks. It is concrete and steel. We might look back to these days not as just the days when cyber attacks were so terrible, which is what we feel now, but these might seem like Utopia days when nobody died and cyber attacks didn't bring down societies. We might be facing that if we don't do the CBMs that confidence building measures that Yurie talked about and if we don't do security for Internet of everything and smart grid, and if we don't get Internet Governance right.

Thank you for being here at IGF. Thank you for helping us try to get Internet Governance correct. Thank you for your time and attention.

(Applause.)

(The session concluded at 11:45 p.m. CDT.)

(CART provider signing off.)

***

  

This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.

 

***