A Policy Fireside Chat with the National Cyber Director
Formal metadata
Title |
Series title |
Number of parts | 85
Author |
License | CC Attribution 3.0 Unported: You may use, modify and reproduce, distribute and make publicly available the work or its content for any legal purpose, in altered or unaltered form, provided that you credit the author/rights holder in the manner specified by them.
Identifiers | 10.5446/62191 (DOI)
Publisher |
Publication year |
Language |
Content metadata
Subject area |
Genre |
Abstract |
DEF CON 30, part 46 / 85
Transcript: English (automatically generated)
00:00
The theme that we chose for the talk this morning, or interview, our fireside chat without a fireside, was the shifting nature of cyber power over the last four decades, a small topic. When we talk about cyber power, we often think about or we think we're referring to offensive operations, but I think that we need
00:22
to focus more on defensive operations because they really play a critical role in national security. It reminds me of an exercise that Israel did back in 2013 at Tel Aviv University, where they did a simulated exercise involving an attack that appeared to be coming from Iran
00:41
and Iran-backed Hezbollah in Lebanon. It started with physical attacks into Tel Aviv, and then it escalated into cyber attacks, and eventually those cyber attacks spilled over into the US, took out the stock exchange, again, this was a simulation, took out the stock exchange, took out air traffic control at JFK,
01:00
caused two airplanes to crash and kill 700 people, and there was some confusion about whether Iran was responsible or whether it was Israel that was responsible in an effort to pull the US into a war, and there was an Israeli official who said something very interesting after the exercise was over. He said that it was very surprising to him
01:24
how, he was shocked to see how quickly cyber events could turn dangerously kinetic when leaders were ill-prepared to deal with the attacks on cyber domain and were under pressure to respond quickly. Without properly defended critical infrastructure, he said, leaders were left with little room to maneuver in their decision-making
01:41
when an attack occurred. When civilian systems were struck and citizens were killed, leaders were under pressure to make quick decisions, often based on faulty and incomplete information. Good defense then was integral, sorry, good defense then was integral to good decision-making. If systems were resilient and could fend off attacks, they wouldn't contribute to escalation.
02:02
So I thought this was a really good illustration of the national security responsibility that owners and operators of business and critical infrastructure have. It's not just about keeping a pipeline running and fuel flowing, but about shoring up what essentially could become the frontline in a conflict. So Chris, I wanna turn to you and sort of talk about
02:21
what's, you know, in your impression exactly, how important is defense? How important is the commercial sector, the private sector, really to national security and keeping systems resilient so that government officials have the time that they need to make decisions when attacks occur or preventing them?
02:42
Yeah, so thanks, Kim. Thanks for that excellent introduction. Can thumbs up, can everybody hear me? Great. Thanks for that excellent introduction to the topic and thanks for sharing the stage today. I'm really looking forward to this discussion. I know you're supposed to ask the questions. I'm gonna provide some answers, but I think I will learn as much as anyone in the room might
03:01
just from the nature of the discussion we're gonna have. I think defense is very important and I'll explain kind of in my opening remarks why I think that is, but I'll lead with an anecdote that I often tell. So for anybody that's heard me speak before, my apologies, but it's one of my favorite anecdotes, which is the anecdote about an agency or a CEO,
03:21
a head of organization who's walking around the building happens to bump into a chief information security officer, not knowing quite what that is and says, you do cyber. I've heard all this stuff about cyber. How are we doing in cyber? And the CISO being somewhat intimidated at that moment says, in a word, good, right? And the CEO or the head of agency now being somewhat
03:42
emboldened says there might be a bigger, better, longer story here. I may be able to tell that to my leadership team the next time I meet them says, how about in two words? Two words, not good, right? Now, I tell that story not simply because there's a small amount of mirth in it, but that's actually the nature of cyberspace as we speak. There are things about cyberspace we could say
04:03
are quite good, right? The use of cyberspace or the digital infrastructure that underpins everything we do is what made it possible for us to imagine, to design, to fabricate, to kind of generate, deploy, administer a vaccine in record time, what 12 to 15 months,
04:22
when heretofore with the standard processes that will rely upon the kind of manual exchange of information at much slower rates and with much less intensity would have taken many years time. That's good, that's hugely good. And what we do in our individual lives, our business lives, what we do across societies to generate
04:42
and take advantage of critical functions, that's good. But there's a lot that's not good, right? Across my experience, my time kind of in this domain, which now borders on 45 years, I think we've experienced three waves of what I would describe as macro attacks. First wave was focused on adversaries holding data
05:02
and systems at risk. It's what gave rise in the early days to a focus on the defenders' part to we have to focus on the confidentiality, the integrity, the availability of data and systems, the kind of CIA triad. But we later learned that that was merely the kind of opening round. The subsequent waves of attacks,
05:21
they still held data and system at risk, but they then abstracted that into holding critical functions at risk. And if you're gonna try to defend critical functions, you have to imagine how are they generated. They're not merely simple abstractions of data and systems. They generally require collaboration between disparate and diverse organizations, often private and public organizations working together
05:42
to generate electricity, to cause it to flow, to cause it to then have the right properties in terms of the underlying system. But if you're gonna defend a critical function, you have to defend a collaboration. You have to actually effect a collaboration. But the most recent wave of attacks that we've experienced were an attack on confidence. You kind of put all those together
06:00
in thinking about the Colonial Pipeline attack that we suffered a year and a half ago or more. The kind of Russian criminals got into that system essentially by holding data at risk. Somebody failed to properly secure a virtual private network, that being exposed, that attack surface being available. The kind of integrity availability
06:21
of that security kind of mechanism not being up to snuff, got it. They then kind of used that to hold the kind of delivery of fuel stocks up and down the eastern seaboard at risk. So they held the critical function at risk. But what really then happened, and the most important kind of lesson from that is they then held the confidence of millions of people at risk.
06:41
What they eventually succeeded in doing was in defeating one, they defeated all. They defeated tens of millions of people because of a single person's error. We need to flip the script. We're not gonna shoot our way out of that. No amount of response, no amount of a fire drill responding to two and three alarm fires is going to restore the confidence
07:01
that people didn't have that day, or to defend the collaboration that we didn't defend that day, or frankly, to defend kind of in the time necessary the data and systems that are underneath all of that. The only reasonable solution is to get serious about defense, to make defense the new offense such that if you're an adversary in this space,
07:21
you gotta beat all of us to beat one of us. That requires an investment up front in resilience and robustness, not just in data and systems, but in roles and responsibilities. That's how you defend collaboration. And the confidence too, so that you need to make sure that everyone in the system understands what role they play in the defense of that system so that everyone can participate in their own defense.
07:42
But today, we teach kids more about hot stoves and crossing city streets than we teach them about cyberspace. We need to fix that. So do I think defense is important? I absolutely do. Defense is the new offense, and unless we get serious about defense, make the investments necessary, we will not put cyber in its proper place, which I would not elevate to some new exalted status.
08:02
I would subordinate cyber such that it then delivers the confidence that we want in our personal activities, our business activities, our societal activities. If we're serious about cyber, we need to then bend it to our purpose. We need to make sure that we have confidence that we can do on digital infrastructure the things that we wanna do. I think it's all about defense,
08:21
and any amount of offense must extend from the defense as opposed to be imagined as something that plays out on a completely separate field. I'm actually going to switch positions over here because I'm having trouble hearing you. So I'm just gonna come down here if that's okay. Yeah, you wanted to move over to get us some space.
08:44
With that in mind, I'm wondering, we talk a lot about defense, we talk a lot about the need to shore up, to get more serious, but I'm wondering how we actually do this because when we have attacks, major attacks like Colonial Pipeline, SolarWinds, we usually find out afterwards that there were ways,
09:01
things that they should have done in order to prevent or mitigate. I'm thinking about the Operation Aurora attack back in 2010 when the attackers went after source code repositories using the source code management systems. And Dmitri Alperovitch said something interesting at the time that those systems were wide open because no one had ever really thought
09:21
that those were the things that they should be protecting. They were protecting email, they were protecting consumer information, things like that. And so the crown jewels of these companies were left open. And something happened similar to that with SolarWinds where after the backdoor was injected into the software,
09:40
people were saying that the source code repositories were secured but they hadn't thought to secure the build environment because no one had injected malware into software during a build before. So I'm wondering how we fix this problem of sort of a lack of anticipation or a lack of imagination of where hackers are going to go next. And how do we really get companies serious
10:02
about doing security when they often are reactive rather than proactive? How do we instill in them the need, and if they may not have budget, they may not have the skillset, how do we get them up to speed and at the level where we need them to be? That's a great question. So first I would observe, building on what you've said,
10:22
that the problem that we face is not a technology problem, it's a doctrinal problem or, plainer speaking, it's a roles and responsibilities problem. We actually don't know who is accountable for what in delivering the resilience and robustness that's required in digital infrastructure, not for its own sake, but so that it will deliver personal activities,
10:41
business activities, so on and so forth, as I've mentioned. There are three reconciliations that I think need to take place, and these are primarily reconciliations in terms of how do we get a new doctrine on the table. We wrote an article out of my office a couple of months ago, we called this a new social contract. I'll leave the term behind, which may or may not be pithy enough, but it was essentially about
11:01
what do we owe each other in this space? How do we get that right? And the three reconciliations I think are required is first there's a vertical reconciliation in any organization, just pick one, where you have to make it such that the leaders of that organization who are responsible for determining what the strategy, what the strategic objectives, what the aspirations of that organization are,
11:21
take into account not just the people resources that they would deploy to bring that off, or the big ideas that they would deploy to bring that off, but the use of digital infrastructure to bring that off. Because digital infrastructure is not a commodity in the corner, it's actually the lifeblood of most of these enterprises. And so the leaders need to think, I am accountable for figuring out
11:40
how I'm gonna use digital infrastructure, I am accountable for mitigating whatever risks that I take, I need to make sure that I have the relationship with the information technology or the cyber people that would allow me to make intelligent choices, but it's not delegable. We have to make sure that the agency heads or the heads of organizations or boards are the accountable party for digital infrastructure's use
12:03
in as much as any other critical asset they think about. This is an OPEX issue, not a, I'm sorry, a CAPEX issue, not an OPEX issue. If you don't think about it in the formative moments as you're designing your business strategy, then you're kind of off to the races. But in that vertical reconciliation, we also need to think about what's the responsibility of the folks who deliver these services.
12:21
You ask a line CISO or a CIO or an IT or cyber person, we don't have enough of them, that's for sure. But if you ask them what they do, and if they say I defend critical infrastructure or I defend IT, that's a good answer, maybe a technically correct answer, but it's an insufficient answer. What they need to say is I defend the business,
12:41
and I've read the business plan, I know what we're gonna do with digital infrastructure, I know we wanna do business in some interesting, odd, maybe dangerous places, and I know how to actually mitigate the risk and deliver on the business results. That's a vertical reconciliation. There's a horizontal reconciliation across the system. Again, I've said that this should be focused on capital expenditures, not operational expenditures.
13:02
We need to make sure that we're no longer going to accept that you can deliver a system to somebody who's using it for some purpose, whether it's individual or societal, and have made no investment in its inherent resilience and robustness. We need to allocate responsibility and accountability to the providers, the suppliers, the integrators,
13:21
so that they actually invest what's required to make those systems inherently resilient and robust. They'll never be secure, but they need to be more inherently resilient and robust. We've done that with cars. You can't buy a car without an air safety bag or a safety seatbelt or some form of analog brakes. We've done that with airplanes.
13:40
We've done that with therapeutics. If cyber is as important as it is, and it is, we need to make sure we allocate some responsibility across that supply chain so that it's not the person who's operating at the end of that whip chain who's stuck with a system that can't be defended and having to wholly defend themselves against somebody that they actually can't beat on that given day.
14:00
And the final reconciliation, if we reallocate that set of responsibilities, is back to that kind of formative moment when we build anything. How do we build in the resilience and robustness? I've mentioned that more than a time or two, but it's not something we do or do well. We just have to do that. I think we do those things that we then will have a resilient and robust infrastructure
14:20
that then can be defended, but it won't be secure. It must then be defended. And on top of that, we must then have a collective defense. And we have this kind of slogan, this catchy phrase that we're kind of parroting around in our various venues where we say, we propose that from this day forward, if you're an aggressor in cyberspace, you have to beat all of us to beat one of us.
14:40
Now, as pithy as that might be, what's really behind that is the division of effort defense doesn't work. It never has worked. If you say to someone, you defend your patch of this shared space, you defend your patch based upon what little you know, what little authorities you have, and what limited capabilities you might have to perhaps bring some resources to bear in that defense,
15:02
that's setting you up for disaster. That's essentially being in a rowboat where there's a hole in the other side, and you say to that person, holes on your side of the boat, I'm not gonna help you. Good luck with your side of the boat. That simply doesn't work. A collective defense is one where you make them beat all of us to beat one of us. It's what's actually beginning to happen in the Ukraine. Think about what's transpiring in the Ukraine.
15:21
First, we didn't give enough credit to the Ukrainians for being able to defend cyberspace. I and a whole bunch of others would have said early in that contest, that gross kind of aberration of offense applied against the Ukraine, that the Ukrainians would have a really tough time defending themselves in cyberspace against the Russians
15:41
numerically superior, lots of capability, lots of doctrine on their side. We didn't give enough credit to the Ukrainians' ability to defend themselves. Their interior lines, meaning that they essentially have back-to-back defenders on all sides facing out, their ability to do the preparatory work to become reasonably resilient and robust,
16:01
and their ability to have confidence that their suppliers are providing inherent resilience and robustness and will deliver under the terms of service that resilience and robustness has made for a collective defense that's really hard to beat. Not impossible, but hard to beat. When Microsoft essentially delivers under their terms of service, inherent resilience and robustness,
16:20
and Cisco and ESET and some number of others, that's a collective defense that is different than what we would have done five, 10, 15 years ago. I think that's what was required. I'll just add one further thing, which is I had the chance here to walk around to the various kind of activities, the villages that were kind of set up, and what I found remarkable was not just the audacity
16:41
of the technology and the talent in those various rooms, but the applied purpose to which that's being affected. What people were actually considering is, how do I do something that's technologically interesting, stimulating, new, novel for some purpose that would then aid and abet the increase of resilience in an automobile, or the increase of resilience
17:01
in a piece of critical infrastructure? Folks who actually are sharing the responsibility of delivering critical functions side-by-side in those various venues, that's very cool, and that muscle memory would be really useful, necessary for us as we defend these assets out in the larger society. I love that you brought up Ukraine, because I do want to ask you a couple of questions
17:20
about that, but I'll come back to that later, because you started to talk about supply chain and the responsibility of software vendors and equipment makers here to put out secure systems to the market, but there's another side of the supply chain issue, and of course, that is the foreign manufacturing of devices and equipment, and we're talking about a situation,
17:42
obviously, with chips from China and manufacturing in China that was created for economic purposes. It was a lot cheaper to have chips manufactured there. It's a lot cheaper to have motherboards manufactured in Beijing. How do we, the government has gone on an aggressive push to get Huawei systems out of telecoms,
18:03
but how do we realistically, I guess, wean ourselves from the reliance on systems that we now recognize may be ubiquitous in critical infrastructure, and we need to sort of walk back that reliance? How does that happen? Yeah, two ways. One, and there might be some other components,
18:22
but I'll just kind of broadly point out two kind of dynamics. One is you need to have an honest, kind of eyes wide open recognition of what the true cost is of relying on kind of foreign produced critical infrastructure. You know, if it comes from a country like China or Russia where the legal system is not one that deals with privacy interest, proprietary interest,
18:42
in a manner that you're comfortable with, the true cost of that is not to be measured in the dollars or the yuan that you spend. It's to be measured in the opportunity costs you have about the lack of confidence you have and how your information is going to be protected or the competitive disadvantage you're at when that information is then used for purposes
19:00
that are then going to be used directly against you in an economic or a national security context. So we need to be serious in understanding what the true cost is. Having said that, just saying no is not the answer. We can't just rip and replace this stuff if we don't have anything to replace it with. And so we need to actually fill that vacuum with material, equipment, systems, kind of systems of systems
19:22
that we do have confidence in. We might not onshore all of that, but we need to make sure that we reshore that to places where we have confidence, both in the manufacturing and the resilience that's invested in that and in the legal systems that essentially govern that. The administration, the Biden-Harris administration just signed into law the kind of the hill,
19:42
the legislature just, I think, magnificently kind of generated something called the CHIPS and Science Act, $52 billion that we're now about to invest in essentially filling that vacuum to ensure that if chips are a fundamental commodity in the economic security, the national security of everything that we do,
20:01
and it's a matter of extension, important to all of our individual activities as well. You can't buy a car if we can't buy chips. We need to actually make it such that we can build those again here. Good news is we retain in the United States and like-minded nations, the Netherlands comes quickly to mind, the ability to innovate that technology,
20:20
but we do not have the ability to manufacture. And we need to actually make the investments required to do that. To touch on the Ukraine issue, and you mentioned Microsoft, we have had a lot of reports and a lot of public declarations from companies like Microsoft, Cisco, Mandiant about their assistance given to Ukraine prior to the invasion, in the midst of the invasion,
20:42
and since then. And they've talked about defending government systems, in some cases, moving data out of Ukraine. I'm wondering if this puts the private companies in any kind of risk of repercussions. I mean, we don't know the full limits of what they're engaging in.
21:02
Presumably, it's just defense. But if you're talking about defending military systems and government systems, is there a potential, and what is the calculus that is made by these private companies, is there a potential for a risk against their own people, their own data centers, their own operations, that they might be the target of some kind of repercussion activity?
21:22
Well, as I see it, I can't tell you how Vladimir Putin sees it, but as I see it, shouldn't be. I got a notice two weeks ago from the manufacturer of my car saying that they had found a safety defect in the car and they wanted me to bring the car back in so they could fix it. It's a hugely good thing. I think that that actually is a necessary part
21:41
of their terms of service, because that car needs to be safe for me to drive it from point A to point B. I expect it to be safe. I expect them to then vouchsafe across the life of that car, or at least the warranty of that car for the safety, the resilience, the robustness of it. That's what I see Cisco and Microsoft and ESET and others, that's an illustrative list, not an exhaustive list,
22:01
doing for the products and services that they deliver to customers in the Ukraine or elsewhere. If they find a problem in that, whether that problem is posed kind of in the form of an inherent vulnerability in the software, maybe it's a zero day that's been discovered, or maybe it's the manner in which some adversary might take advantage of that, it's the adversary's doctrine, but they can shore that up and make it more defensible.
22:22
It is, I think, an appropriate act of under the terms of service, defense. It's not provocative, it's not imposing in any particular effect on a transgressor in that space. If it is imposing a cost on Russia, it's only because it's more costly for Russia to do something that's already inappropriate, right? Attacking kind of honest, legitimate users
22:43
of those services across the world. So I think it's entirely appropriate, and I think it's high time that if you're a provider of a commodity service, that you think about what's the inherent resilience and robustness that I should deliver hand in glove with that. If that's the only place where that can be done at scope and scale,
23:01
then that is the most appropriate place to do it. So the US and other nations have been talking for a long time about setting cyber norms. And they've been having some trouble coming to agreement. There's some basic agreements about not attacking civilian critical infrastructure. But with regard to getting into detail
23:20
about a lot of other norms, there's some difficulty because nations are reluctant to give up some capabilities they might wanna use. How do we arrive at norms when countries want to preserve options? And how do you set norms when you can't be certain, for example, that subsequent administrations, subsequent governments might not adhere to them?
23:41
Actually, I see that there's more agreement in norms than that might suggest. The global group of experts from the United Nations, and I think I saw Chris Painter here, so kudos to Chris and his colleagues for doing this, delivered in about 2015 a set of norms that the US and a great many other nations affirmed.
24:01
And those remain kind of those, the norms that were defined then remain the norms the United States subscribes to in terms of what we would do, should do, will do in peacetime. I think those norms have had an effect not simply in giving people a sense as to what's appropriate and inappropriate, but it has unified and brought together like-minded nations.
24:21
And so they have an effect more than simply telling potential adversaries what's on or off limits, but rather to find and unify like-minded nations so that they increasingly create common cause and defenses that are appropriate of those norms. 60 nations gathered in the White House about three months ago to sign something called a Declaration for the Internet.
24:42
My bet is those 60 nations would find a lot of other things they couldn't agree about, but they agreed on that. They agreed that the principles of a free and open internet that serves the needs of respective societies was important enough that they would sign up to that. Now the hard work before us is how do we actually then implement that in the practices, principles,
25:01
and the collective defenses that we would mount on top of that. I do think that it's problematic because there are some things that look like they're on the edge and they're not clean and crisp in terms of absolute boundaries, but the norms generally are I think reasonably well-defined and generally well-subscribed to. So speaking about norms and we were talking a bit
25:21
about Ukraine, I wanted to sort of pivot to the hacktivism that we're seeing out of Ukraine. You talked about the resilience and the defense, and there's this other side that Ukraine is engaging in with regard to the IT Army and eliciting assistance from volunteers to launch cyber attacks against Russian infrastructure.
25:40
So Western countries have been very silent about this activity, and I wanted to ask if we are setting a precedent for these kinds of operations. Obviously there's extenuating circumstances here. This is a time of war, but there are concerns that once you've engaged this kind of force,
26:03
this kind of volunteer force, you can't really put it back in the well, especially if you're engaging actors like Anonymous. And so I'm curious what you would say and what government's position should be on this,
26:20
particularly with regard to Ukraine. It hasn't been just sort of Anonymous volunteers. There is a case of two companies based in Estonia who, one built a DDoS attack tool for the IT Army and others to use. They're usually, there's a security company
26:40
usually involved in defensive activities, and then the other one launched a bug bounty program calling for vulnerabilities in Russian critical infrastructure that they plan to hand off to Ukrainian intelligence and cyber operators to attack those systems. So where should we be? I mean, should we be concerned that this is setting a precedent that we won't be able to control?
27:01
I think the law, at least for the United States, is pretty clear here. The Computer Fraud and Abuse Act of 1986 makes it clear that there are limits for individuals who operate using their own authority in terms of what they're allowed to do. And the United States government, despite the fact that that law's got some kind of age on it,
27:22
still has the opinion that it will not condone, nor will it support, individuals violating a standing law. So I think that's very clear. That being said, there's a way to take this enormous talent, and it's represented in this room and outside these halls, so there's a way to take that talent and, within the kind of rule of law,
27:41
apply that appropriately to help identify what flaws might exist in our architecture so that we can then, through bug bounty programs or red team or white teams, kind of find and kind of patch those to better understand how we can affect a collective defense. That talent is hugely valuable and can and should be applied under the rule of law for the purposes
28:02
that I've described earlier and what a defense might look like. But operating outside the bounds of that law remains kind of unlawful for the United States, and I don't think there's any question about that. And what about, just sort of as an add-on to that, is sort of the activity that we've been seeing in Iran. We've seen sort of a tit-for-tat between Iran and Israel.
28:23
And in Iran, we've seen attackers go after gas pumps, 4,000 gas pumps in the country. And then also, we had an incident recently, unconfirmed, regarding a steel mill equipment and fire there. And I'm just wondering, again, we're talking about setting norms internationally.
28:41
There were 20 nations in 2015, as you pointed out, that sort of set some basic norms. And yet, there are still actors that we're going to see, obviously, actions that are just reaching up to the threshold and not necessarily going over. But in the case of what's happening in Iran, it is attacking critical infrastructure.
29:01
And so I'm wondering, how are we going to, I guess, have some kind of control or set some kind of boundaries or express what we consider the limits of activity, especially if it's, I understand some of the complications when it comes to, let's say, a country, an adversary,
29:21
where we might not be opposed to the activity. If you've got Russia, who's a clear aggressor there. If you've got Iran, who may be aggressing as well. How do we grapple with this, these kinds of activities that are going to go after critical infrastructure, what we consider outside of the norms?
29:41
We affirm the norms, right, which I think stand to this day as a reasonable articulation of what we believe are the activities that are appropriate or inappropriate in peacetime, as defined by those norms. And Iran doesn't check with us as they then kind of violate those norms, right? So we don't take responsibility for their actions,
30:03
but we still affirm the norms and urge anyone who would stand with us and effect a collective defense to affirm those norms, to sign the declaration for a free and open internet so that we can then combine our collective talents, authorities, capabilities to achieve something that we couldn't do alone.
30:21
So I don't think that those are in conflict with one another, affirming those norms and observing that there are in fact kind of entities, nation states in the world who violate them. It does not challenge the norms. It might kind of make it such that they're not being perfectly implemented, but the norms stand as they are. Just a decade ago, there were only about a handful
30:42
of nations that had offensive cyber operations, capabilities, US, Russia, China, the UK, Israel, just by my counting. And since then, we've added a lot of other countries, Iran, North Korea, more than a dozen others that I can think of. Clearly all aren't equal in their sophistication
31:00
and capabilities in terms of causing damage, but even less sophisticated actors can cause real disruption. So I'm wondering, is deterrence and international laws efficient to keep these new powers in check when some parties may not be deterred in the way that traditional nation states might be deterred regarding politics and things like that?
31:21
How do you curb hack and leak operations, operations that don't yet meet the threshold of being illegal? How do we control what feels like it's getting out of control? Well, it's a good question. I would offer kind of two kind of framings before I come to main point. First, as you've asked the question,
31:40
and I often kind of have this discussion as well, there aren't quite a lot of nation states in the world that are capable of doing offense, and it then leads you to consider whether one is more capable of offense than another, and so you all of a sudden get into this kind of mental discussion, this mental consideration of who's best at offense.
32:01
Is party A or party B best at offense? And that's really, however titillating that might be, not the right kind of compare and contrast. We need to think about whether our defense is up to the task of essentially holding at bay any offense. It's a comparison of defense to offense that we ought to then start with. And so while there are quite a few more that would enter into offense,
32:21
whether that's in peacetime or kind of conflict, kind of lead that to their judgments, I'm really focused on how do I get the defense up to speed? And I think in that regard, you mentioned deterrence as an important piece of that. I think that deterrence, if you think your way through, is really about changing the decision calculus of somebody that would do something to your detriment
32:43
before they do it, right? And I don't think that deterrence in cyberspace is impossible, I think it's hard. I think as some have noted that in cyberspace, the cost of entry being so low, you'll never completely remove mischief, but you can in fact kind of challenge it.
33:00
And I think you do that in the ways that traditionally deterrence has been thought of. First, you make yourself a harder target. Invest in the defense, remember it's CapEx, not OpEx, such that you're sufficiently resilient and robust, you might cause someone to reconsider whether they're gonna have a go at you because it's simply expensive on their part. Two, mount a stout defense on top of what then results
33:22
so that you can catch them in the bargain and engage, interdict, and evict that at the earliest possible moment. Again, that should affect their decision calculus, but if it doesn't, you're at least kind of in the bargain of holding your own against that offense. Three, impose costs on them, but not just cyber on cyber cost. Again, we're not gonna shoot our way out of this
33:40
using cyber alone, but impose financial cost, kind of legal remedies, diplomatic remedies, sometimes public shaming works, but all of those kind of costs, impose that on them to change their decision calculus. Now, I'm not in a place to know what Russia's decision calculus is vis-a-vis the Ukraine, but it's an observable fact that they have not attacked
34:02
the West in and through cyberspace through this campaign. That can be described as deterrence, whether that's deterrence by, essentially they just haven't thought about it, or deterrence on the basis of a conscious choice, it seems to be working, right? It seems to be that they've not attacked us
34:21
in ways that we imagine they might, short of the use of force, as they have complained mightily that we're inappropriately assisting the defense of the Ukraine. So that seems to be, at the moment, something that is working out better than we might have imagined going into that. That might be deterrence of a proactive affirmative kind,
34:43
but in any regard, their decision calculus is where I would want it to be. They shouldn't attack us. If they do, we've made it clear that we will defend ourselves stoutly, and therefore I think deterrence can work, and we've got an example in hand where thus far it has. I have one last question.
35:01
We might have time for audience questions, so if you think of something, we might have time for one question. My last question is regarding how governments and intelligence agencies have been recruiting talent internally for a long time, and we're seeing particularly interesting developments in China with the Ministry of State Security,
35:24
which is the civilian intelligence agency, where they're setting up front companies, commercial entities, sometimes legitimate security companies that have this side business of doing hacking operations, sometimes economic espionage for the government, and also they're hiring university students
35:41
and translators who may be witting, may be unwitting, unwittingly contributing to the operations. So how do we, what are some of the ways that governments, I guess, are leveraging this talent, and how does it complicate the U.S. government response to this when we're talking about civilians that may know what they're doing
36:00
and may not know what they're doing? Well, first, we need to be crystal clear in the United States and like-minded nations about what authorities we bring to bear and who's then kind of authorized to bring those authorities to bear. So a private citizen, again, I've talked about the Computer Fraud and Abuse Act of 1986, is not authorized to engage in kind of unilaterally
36:21
kind of aimed hacking activities. White hat testing that's done with consent, penetration testing, kind of bug bounties, all of that's appropriate, but we can't actually kind of cheat our way to success in filling these jobs. We need to do it the old-fashioned way, which is let's be crystal clear
36:40
about what the authorities are. That being said, the question that's really on the table is how do we fill these jobs? At the moment, about one-third of the jobs, anywhere you look, inside the government or outside of the government, that have the word cyber or IT in them are empty. We're not filling those jobs. The good news is we continue to fill them at the two-thirds rate. The bad news is the denominator's running away from us.
37:01
And so we need to appeal to the broadest possible population to essentially kind of offer them the opportunity to fill those jobs and then assist them in the transition to those jobs. But we also need to make sure that other disciplines, whether they're lawyers or CEOs or tradesmen who need to know more about cyber, that they have the skills necessary to make intelligent choices
37:21
about the use of digital infrastructure in this brave new world, and that every citizen, every person in cyberspace knows enough to make full use of cyberspace. They don't all need to be Python programmers, but they need to know more than they do. We need to solve all of that by mobilizing a strategy that says, how do we educate? How do we train? How do we make perhaps the awareness possible
37:41
so that everyone's participating in the defense of this realm, not just the precious few. But we'll do it the old-fashioned way is we'll do it under the rule of law. And we'll do it in the appropriate way that everybody knows what role they're playing and they know why they're authorized or why they're expected to participate in that particular role. What the Chinese do shouldn't be something that kind of teases us or tempts us to do it
38:02
kind of in a way that confuses or perhaps challenges our values. Okay, so I wanted to open up for questions from the audience. We have time for maybe one or two. Do we have a microphone? We don't. Okay, so I'm gonna have to repeat the question. Let's take that question up there.
38:23
Speak loud. A great prospect, there was a great deal of galvanization from state, industry, et cetera, in defense of Ukraine. But I wanted to give you a sense of how replicable that might be in other geographic periods where there's much less of that historical
38:42
kind of transatlantic unity kind of built into those relationships. Yeah, so I'll paraphrase if I cheat on this. You can stop me. I think the question is the Ukrainian situation has galvanized a collective defense. And I think the question really is, is that an anomaly that's a one-time event
39:01
or whether that's replicable? Can we actually achieve that on a continuous basis? I think it is replicable. Can I get up every morning trying to make it replicable such that what I pitch is, hey, why don't all of us contribute to the defense of each of us? Or vice versa, each of us contribute to the defense of all of us. That Colonial Pipeline business
39:21
where the defeat of one person held at risk the confidence of 10 million people, why don't we flip that script and say, you know, all of us can make it such that we defend each of us. And if we do that as a matter of course, the way we've done that for highway transportation systems, the way we've done that for airplanes, the way we've done that for just about every other critical asset in our country,
39:42
then we all know what role we play in the defense of something that we hold as a common good, a shared asset. I think that's the way to play that. So it doesn't require some electrifying moment, this kind of aberrant transgression of the Russians into the Ukraine to get us to believe that we've got some common resource here that we need to step in and collectively defend.
40:01
It ought to be something we think of 24 hours a day. Other questions? Yeah, go ahead. I appreciate your focus on defense. I wanted to get your thoughts on the apparent conflict of interest the government has when they also want to have offense
40:22
and they actively try to leave vulnerabilities in products or to add back doors. How can we act, how can we have a defense at the same time we also want to have an offense? Yeah, so I'm not prepared to say what the US government will or will not.
40:42
So the question is, how can we make a case for defense when we in fact have an offense? So I'm not going to tell you what the US government has in terms of an arsenal of one kind or another. But I would just note that we have offensive capabilities broadly across kind of just about every country I can think of, but the United States,
41:01
both kinetic, physical and kind of cyber wise. Why? Because at some point we may need to bring them to bear in the legitimate defense of our people, right? Now they need to be built in a way that they're appropriate, that they kind of are necessary and appropriate to the task. They need to make sure that they do not hold at risk
41:20
the society that they would defend. So if we have fighter airplanes and they have munitions, we need to make sure that they're properly secured and that they're not at some point kind of easily deployed or deployed at all, right? To hold that population at risk that they would defend. Same thing's true for cyber, right? There's nothing different about cyber in terms of what norms we would bring to bear.
41:41
I would tell you that as a matter of course, the vast majority of weakness that is discovered by US government and other like-minded nations in critical infrastructure, civilian infrastructure, the vast majority if not all of that is given to the private sector so that they might then be defended. And just as I think we know in our own defense,
42:02
85% of what we find goes wrong is attributable to kind of a failure of a human being or a failure of doctrine. Our adversaries have the same challenge. And so most of the flaws, the vulnerabilities we would use in the heat of the moment are likely to be found in doctrinal differences, kind of people kind of issues, not in some fundamental flaw that we would take advantage of
42:23
that is a common flaw for all of us. The bias has to be if there's a common flaw, we actually defend it. We don't actually use it kind of in some reserve capacity to hold everyone at risk, so. We have time for just one more question. One more question. You briefly talked about the talent problem
42:40
and hiring pipeline. The Defense Department and the Homeland Security Department get a lot of coverage as a member of the administration. What efforts are happening in the US or talking about departments like education and commerce? Yeah, that's a great question. So we talk a lot, he says, about, and I think you're right, talk a lot about the need to kind of properly educate
43:00
and to fill jobs, cyber jobs, IT jobs, and I kind of added some other disciplines that perhaps we need to do more about. And we hear a lot about what's happening in places like the Department of Homeland Security, the Department of Defense, but what about all the others? I agree that we need to actually, we can't just filter one end of the pool, we need to solve the whole problem, right? And so we at the White House about three weeks ago
43:21
had a summit to essentially focus on this problem. We brought 60 leaders from across the private sector, academia, and the government. Interestingly, the Secretary of Commerce, Secretary of Labor, Secretary of Homeland Security, Undersecretary for Department of Education all spoke. Susan Rice also spoke, right, given her responsibility within the administration.
43:41
And we spoke about the collective need, not just one department or two departments need, and how do we come up with a strategy that actually kind of tries to solve the whole problem, make a bigger pie for the nation as much as all the agencies and departments so that any one of us then can benefit from what happens inside of that. But you're quite right, we have to solve the whole problem, we can't solve just a piece of the problem.
44:01
Thank you. Great. Thank you, Chris. Hey, thanks very much, Kim. Always nice to see you, thanks. Thank you.