I'm not saying the Estonian system is the one that wins, because the Singaporeans have, they flew a big delegation into Estonia and said we want to do this for all of East Asia. So people are often quite unwilling to trust their own government, but if you say this is a service provided by another government, you can use it or not use it, an opt-in sturges people they have issued 10,000 of these. You can pick one up at the Estonian Embassy just down the road for 40 or some small amount. I think this solves one of the fundamental problems on the internet, which is proving who we are, because civilization is based on the trust for interaction between people who don't know each other very well. And we use all five of our senses and all sorts of learned responses and other keys and safeguards, which means we can do this to each other, face-to-face and also by letters, but we don't have a way of doing that on the internet. I can't prove who I am on the internet. You can't prove it's me. We can't get together and prove that someone else is who they say they are. This is one of the biggest responsibilities we'd have. The sort of systems I can solve that. Go to Estonia.

You mentioned at least three different aspects of the cyberphobia. One is criminals draining accounts of all kinds. The second of all, we'll say perhaps intelligence of getting OPM data for whoever's own purposes, probably not for financial gain unless they sell it. Third, to use an example, Stuxnet, an offensive use of this. Are we looking at different actors, for instance, states in some cases, versus criminal individuals and others? In other words, are these very separate enterprises we can separate? Should they be seen as one?

The easiest way to look at this is to say some things only governments can do. High-end national intelligence services have got amazing capabilities, for example, in using bulk data. You can be for it or against it but that's only thing a government can do.
Getting stuff into firmware, into a keyboard and find everything typed on the keyboard and getting that back to some command and control server in a secure way. Getting data on screens. Hacks of mobility devices. These are pretty sophisticated capabilities and you can buy some bits of them on the internet. You can buy very simple malware which you can send a text message. There's a lot of stuff only governments can do. Expensive, buying expensive vulnerabilities, holes in software, hardware, no one else knows about. The good ones are expensive and it's a matter of budget. You put those capabilities together and you get something like Stuxnet, which really only a government could have done. The American government boasted about it, so it's no longer really secret. Before we get to that, too. But that is the kind of, I think this is the least of our worries of ordinary people. I guess everybody here has seen The Bourne Identity but they're not documentaries. I'm not Jason Bourne, no one in this room is Jason Bourne, we're being attacked in a simpler way. I think leaving aside the high-end stuff, so many of the vulnerabilities are over, if I want to get on the network, I want to get on a, I want to find out how you do your invoicing, I want to steal some data and get in and change my grades, all sorts of reasons to get on the network. They'll go to LinkedIn, find someone who has lots of, find out who they worked in the past, a Gmail address and say, I found these pics, take a look. And then they click on it, nothing opens, they forget about it and it is very basic spear phishing attacks. Links and attachments can be used by any one of the threat actors. I think the OPM hack started with someone with a targeted spear phishing attack, and then got on the network, and once you're on the network you may need tools to try to get control, root over the network, but there's this very big lump of simple vulnerability which everybody has.

Let's go to audience.
We have a microphone, if you just raise your hand until the microphone gets to you. Emily. Go ahead. Just introduce yourself before you ask the question.

Thank you very much, Mr. Lucas, for doing this. I am Marcus Picker, work for German national public radio in Washington. What I'm concerned about even more than the technical aspect of all those things is the fact that the American government employed someone who didn't even have a college degree, it got him into the most sensitive government systems, and he could manage to get all those things out and get away with it. Until now, at least. So, how do you think governments or societies can protect themselves from those kinds of breaches? The regular things that people actually steal something.

Yeah. Well, it's a great question. You didn't actually mention the name Edward Snowden. Could have been some other hacker as well. There's been, government likes to beat up industry over security. And they're right to do it. It's scandalous we don't share information better between different companies in the same distribution across industries. We need to do a much better job about protecting the data that is entrusted to us as companies, whether it's the data of our employees or suppliers or customers or anybody else, and I think there should be serious penalties for people who are careless and reckless and should be civil and criminal liability, but if you want to see a really badly designed network you're more likely to find it in the public sector than in the private sector. It's absolutely terrifying how badly protected, out of date systems, badly administered by demoralized people. This stuff is happening again and again and again, and at one, I think one can make several points. One is that I think this is very good reason I would, we should not support any government-mandated attempts to weaken encryption.
If there's going to be government-mandated back doors in commercially provided encryption, that will be a fantastic target for criminals, and I have zero confidence those, it's as if everybody in the country has to give a front door key to the government to make sure there's no front door key in their front door that the government can't open, and that all these front door keys instinct neatly labeled, kept at the local police station, don't have to be, that could be interesting for criminals. We should have very modest expectations of governments' abilities to keep our data secret and we should be much tougher on what we share with governments. Going back to Estonia. There's no single point of vulnerability. They have a federation of databases connected with something called the X-Road, which works on a very simple but robust challenge and response system. So it will be really hard, not impossible because nothing is impossible, something like the OPM hack would be really difficult to do. You need the cooperation of lots of people and nobody simultaneously at different points for, and the final point I'd make is why do we keep all this stuff in electronic databases anyway? If you look at films, John le Carré novel. Now, these days you would probably hack in. There you have to physically get into the registry, have to distract the person who is there to stop you copying files. Have to get access to a file, logged in and logged out. Who looks at it, how long. If you want to steal all the documents in the registry you have to attack with a major military force and then take the stuff away in trucks, and the OPM is like that. Only 20, 30 years ago, the Chinese would have needed trucks to take the stuff out of the OPM. Now you can do it on a USB stick. So one of the big lessons, ask your gift why are you keeping stuff? You have convenience. Absolutely. Is that worth the vulnerability?
One of the best stories I've come across this year is the blooming intelligence agencies are buying manual because you can, there's a saying, I've heard from some cyber security guy, you can't hack a steam engine. No electronics, nothing to hack. Steam engines would actually survive the Carrington event in the way no other form of transport would. So we have to be quite prudent about moving away from things that can't be hacked and very resilient towards things that seem convenient but are actually vulnerable.

Thank you, Mr. Lucas. I study energy and environment here but before I used to work for the Korean government agency doing cyber security. I think the recent international political environment has kind of come to the state that international norms is important and the cyber space, but hearing from your example in Estonia and other East Asian, I feel it's not only the states that have different perceptions of cyber space and also the people of each state have different values and different cultural norms that they expect from the cyber space. So I kind of want to hear what you think about, is it even necessary to build international norms? Is it even plausible or is it more practical and make it, doesn't make more sense when you come, when we have more effort that are done domestically, then kind of national boundaries.

It's a great question. I think we are developing, we're beginning to develop norms in the way we use social media. I was looking at some emails I had been sending and receiving about ten, 15 years ago. And I noticed a lot of people used capital letters to show they were angry, and that's become socially unacceptable now. We have laws, that there's sort of way we interact by email. People sent long emails in the old days. Now it's rude to send long emails if you expect people to read.
So I think that the, there's a, if you look at shipping, which is the first really sort of global industry, we slowly developed, in the maritime world we have norms about emergencies. The duty of seafarers to pick up others in distress. They will pick you up. We developed ways of messaging, the days before electronic messages we had flags put up saying I'm in quarantine. We dealt with parts. We have the nests and the pirates and America's first overseas military engagement was going after pirates endangering American shipping. So this stuff builds up on a case-by-case basis. The fundamental problem is that the internet is a means for doing other things and the norms about those other things vary widely. So you can quite easily get the banks of the world getting together saying, we're going to have very tough rules about preventing people cashing out the proceeds of cyber crime. The classic cyber crime, you get into someone's internet banking, good threat them to do something stupid and then you steal that money. That money doesn't appear in your pocket magically. You transfer it into another bank and another bank and at each point you're doing the transfer there's a point of vulnerability. Someone had to open that account. Maybe you hijacked another account, going from one hijacked account to another, but at some point a physical person went into a bank and opened the account. So we could quite easily imagine a lot of reputable banks saying we're going to superintendent norms for transfers that makes it much easier to trace stolen moneys, hops from country to country and account to account, and if you don't play by our rules we may stop transferring money to you. And you have reputable banks across the world saying we want to play. We want to be in on that. So I can see that happening.
What is much harder is things like the use of information, because if you look at the, there's been a big push in Russia and China to bring the internet under the control of the UN agency and national telecommunications, the body that sets dialing codes and the rules for the telephones. And that makes sense. Why not have a U.N. agency in charge. It might well work better than the, these things we have at the moment, but the problem is one thing that Russia and China want to deal with is what they call information weapons. That's what we call news. We're not going to reach consensus on that because they think it's part of national sovereignty on the internet, the government should be able to control what information goes in and out. We say, no, that is totally unacceptable. But by the way, can you help us with child pornography. It is totally unacceptable. So countries have radically different ideas what is acceptable. One one country says is terrorism ice countries you can have a global ban or terrorism won't have terrorism on the internet and then the Chinese government says you have extremists on your server, take it down. What's going to happen? I think we have to be very very modest in our expectations, where there's a clear common interest, as there has been in shipping, we'll make some progress. Where there's no common interest, I think we just have to accept what is going to happen.

I'm a student in finance. I want to follow up on the previous question regarding the preventing cyber security and I meant to, if you're familiar with the information sharing act. Absolutely. In Congress. So there's a proposal by most financial institutions and also many other businesses in the Americas and I just want to hear your comments on how likely it's going to be passed and why the technology companies are, they kind of opposed the Cyber Security Information Sharing Act.

This we call the category of really boring and really exciting. Most people have no idea about this.
Opposite you get, once you get into this issue it's very important. It's been five years, it's been sitting there, bouncing around in the Senate and House and different versions of the bill and amendments and so on and it's now got some momentum and it's in this process which I know what is brilliantly well where people put aside their party differences and concentrate on something that is actually going to work. So sorting out details. It does help, I was talking to IBM. They really support this. There's a lot of, obviously not everybody happy with it but seems to be pretty broad consensus across industry that people want, for example, people worried about the antitrust side. You get every major company in industry and the first thing they say is into we all be here? We don't want to go to jail. And if you're talking about stuff that could be seen as, from an antitrust point of view, problematic, you want to have bulletproof legal protection on that. Probably overstated and companies love to say we can't do this for antitrust reasons but gives some security on that. I think we have already got quite a lot of information sharing but I want to see mandatory breach reporting. I think if somebody had Legionnaires' disease, they would not say, we won't say anything because it would cause our students to panic and some might sue us. They would say, who do we have to tell? Because the disease is a public health menace. We need to take the same attitude to, we need really good ways of identifying malware which we don't really have because sometimes the taxonomy is the code or sometimes it's what it actually did, and so I think trying to, there's a kind of action problem there, it's worth trying to make everybody report malware the same way.
I think we'll see it from the kind of, the other problem is that it's always going to be in interests of individual companies to say, to keep quiet about an attack because they don't want their shareholders to see, but if everybody is doing it then you can be brave together. So I think pushing that. Again, I'm not sure legislation is absolutely necessary. I think maybe you can do it more on a voluntary basis. So I'm kind of agnostic but glad to see there's some legislative attention. This comes after five years of basically nothing.

Hi. I've been in the security industry for a while. My question is your thoughts on the role of the private sector, particularly security companies with threat intel teams that expose cyber operations and point fingers. Do attributions. In my experience there's a divide within the community on the appropriateness of that, and the effectiveness of that. Often with these campaigns you can share indicators and point fingers but it really only causes a tactical disruption rather than some sort of strategic change in my opinion. So, be curious about your thoughts on the ethics of private companies doing attribution and exposing indicators and if you think in the long term this will do anything or they're glorified marketing fodder.

Glorified marketing fodder. It's in the interest of the companies to show they can do stuff. The challenge, an amazing amount of cyber security product and service, which is basically useless. And is bought by people who don't understand the problems. They need to do something and say this has a big company's name on it and I've bought this company's services. Will it actually defend you? Very likely not. I'm not a big sort of booster for the cyber security industry. And they are, like any company, they will sort of talk up what they do. But the real question is how do we raise the cost of doing business in the criminal economy?
And I think many people have a role there because if you're on the other side of the world and you go by an alias. You're in chat rooms and you buy and sell malware, maybe develop it, you're making quite a bit of money. Comes in bitcoin and suddenly you are linked and now, I can never go to a civilized country, the European Union, any G20 country, maybe make you will kind of think maybe this is not such a smart idea, and we can start building up profiles of people and scaring them. I think the, not making any comment about the Kim Dotcom case but I think if people like Kim Dotcom thought they were invulnerable and then turned out they weren't and they were attendant away to jail and facing criminal charges. So I think companies have a role in reducing the comfort zone. I think a more coming to hacking and hacking back and everybody, this is where you put stuff on your network, which isn't the real secret. It's just labeled, tempting secret, and then the bad guys steal it and take it back on to their network with some malware you put in the file and maybe a beacon, maybe opens up their network to your scrutiny. The Georgian government did this brilliantly when they realized they were being hacked by the Russian military intelligence. So they put a file on their network called something like secret NATO plans to attack Russia, and of course the Russians spotted, stole it, opened it, and it was laden with malware which had been supplied to Georgia by an ally who has never been named so obviously I couldn't possibly imagine who that might be, and the Russians open it and first of all, screwed up everything on the network and sent it back to Georgians and presumably from through to the anonymous ally, and also turned on the web cam, the Georgians put a report on the internet where you see the guys sitting there in T-shirts, laughing about, hey, we got this great stuff, but the microphone was turned on. That is not legal.
You can do it as a government, as intelligence agencies. They're allowed to break the law. But as a private person you can't do that. In Britain we have the computer hack act and if you hack my computer, you steal something and goes on your computer, just manipulated your computer without your consent and I could be prosecuted. So we need to think carefully what the legal framework is for kind of cyber self-defense. In the kinetic world we understand this well. The stand your ground law but pretty good defense, he hit me so I hit him back and I broke his jaw, I killed him, but he did hit me first and I can prove that. And so we haven't yet worked out the cyber version of that, particularly can you outsource that capability to a security company? So if you come hit me, can I pay him to hit you because you hit me? In the kinetic world that is not allowed. I have to do the hitting myself. I can't get any bodyguards to beat you up. Are we going to say in the cyber world that's okay? I think probably is. But we're at the very early stage of thinking this one through.

Can we have questions on this side of the room? Go ahead.

Just one question to continue that thread. You have been party to discussions about what these, what kind of attacks could be actually considered acts of war?

That is a really tricky question. You've got two axes. One is the attribution. During the Cuban missile crisis, JFK knew those were Soviet ships. The Soviets knew cpc they were American missiles in Turkey. No doubt, that was not our problem working out who did it. And in the digital world you can be really fluxed about who did an attack. Secondly, what actually was this attack? If you run, to take a hypothetical example, you run Russia's miss. Computer network, the sensors and equipment that tells Russia, are we being attacked by another country? And you are, someone breached your network, someone is in there now, was that espionage, trying to find out how it worked?
Was it reconnaissance. You should turn the computer off and go back to the manual system. Now imagine you're not the person running the Russian esteem system but you are another country, America, maybe it was your spies or another service has been on the Russian computer so as far as you're concerned it's normal, and suddenly they turn off their computer, go into manual. Why? Well I have to do something, you raise your level. Now match the Russians. First of all you think the Americans attacked your computer network. Better do something. So we have a very dangerous position here where we don't know what the attack is and we don't know who is doing it, and I think we have to have great deal more emphasis on these kind of mil-mil hotline sort of things. A far more difficult problem than we had with nuclear during the cold war, and there may be no answers because you can't do deterrence with digital weapons.

As. In which case can hackers be seen as opportunist? As a lawyer doesn't fit what they're doing? Do you want to see the international community doing more?

The last point is the most important. In the justice system we have seen in Belgium with the terror attacks. The broader mechanisms for cooperation. Before it disappears off into the bit cleanly and. So was a huge amount of low hanging fruit they didn't necessarily trust the farmers but they needed someone. And someone comes to sprague if it graffiti with those individual hackers rather than the criminal justice problem. Those the come from troubled backgrounds. And drifting to do personal score settling selling but we as a respected member of the community. In is a mistake. In to be a deterrent. For what constitutes of breach and the revenge. And that disappointed is a serious problem. With the sharing of the image without the person concerned. But finally more people are worried about being sued than going to jail.
I might do something to be careless with these lawsuits that have just started is a harbinger i gave you my data as you lost it. I will sue you. To say i dont want to do that what do i have to do differently . Also was some legal standards. I have this neat idea for those and dont need it. And with those legal standards we need to have some basic standards and with that aspect to run a company so it isnt a compliance issue with other peoples personal data. Net of that is a magic bullet. Can i ask a pair of questions about information on news . How successful do you think countries such as russia and china also the subject of wikileaks with this system looking for the complete openness of news and information. Exposing the acts of government. In is this a new fact of life . That the governments could never shut down. With an amazing amount of information with the chinese and the russians and the others have to get used to it. But that really hasnt happened. We have seen the ability of the russians to dominate with the propaganda but a technical means and there is a small percentage of super curious people in it is a the hassle ases what is available is interesting. So theyre very short of many. And on the second to question governments dont have the right to have secrets. The end with those principles and if it is democratic gore totalitarian government and during that search and it is the question about what is kept secret . End in this country the trifecta is elected executive. It is said nearly enough the when you get into the debate he say the most important question is what said judges on the fisa court you could kill the party stone dead. But what struck me with wikileaks in the state Department Official in the room that i would say any way is there is one that said if he ever went to the the state department with justin of brilliant piece of writing. There is some very talented in the state department. 
May be to say those diplomats but with the little bit of tweeting there is the massive problem with classification. To be so boring maybe he wants to read it. So this is the serious point because they believe america stands for. Wherein it is quite severe. And nobody really thought about that. They didnt really think about it. And i apologize to the the collaborators i cant understand the justification the time is up. Thanks for your questions. Good job. The good news is that if you have outsiders or pancreatic cancer. Not much can be done. But for the vast majority having enough to make a huge difference. This is the only way to get the attention. With some individual who was mentally ill. On behalf of the entire staff i am pleased to welcome you with the book jfk is forgotten crisis. The a gripping story of the conflict peasants state history of the resonates today. Pooley 90 classified documents to stem the tide of the allout war to explain how this forgotten crisis more than half a century later. Please join me to welcome him. [applause] thanks reintroduction and all of you for coming out tonight. I want to begin by taking you back half a century on the morning of october october 601952 john f. Kennedys National Security advisor arrived in his office in the west wing of the white house there was a file perspired by the situation river the most important topsecret documents that he had to see before he saw the president that day. To documents were notably important. One was a memo from the state department from the bureau of intelligence and research. With the border of the himalayan markers to deteriorate rapidly and a very good chance that a war would break out between china and canned india. It if that happened in india would probably be the loser in the called on the Prime Minister and to you alienate our allies in pakistan the other document that morning was a report from the cia that summarize the results of recent overflight from the island of cuba. 
That the soviet union was in the process to put intermediate range Ballistic Missiles which have the capacity to hit almost every American City east of the mississippi. With the local paula deen changer by the soviets. In retrospect wannabes is well down. We see movies of the of cuban missile crisis and all these studies and there should be. The closest we have come to armageddon. Jfk was dealing with issue that meant we but not be here today but with the apocalypse. 50 years later it is even more dangerous than people thought. Airtran six and 8,000 soldiers in fact, there were 50,000. To bring only intermediaterange missiles in to surround the Guantanamo Naval base with the missiles and that they had the authority already delivered from moscow. He could fire those tactical weapons. But just as that was so important is shifted completely overlook the other crisis. China and india are the worlds two biggest countries by population. The cutting edge of a competition between democracy and communism. In the whole cold war was fought out that out one of the planks he campaigned at the United States wanted india during that competition. That memo was prescient then then chinese began to overrun that frontline position and within a week or two and a very serious position in to look like it would be defeated. Very reluctantly asked the United States to the United Kingdom for assistance and by the end of october United States and the Royal Air Force of weapons and equipment with ed new Delhi International airport to the frontlines of the himalayas. Then the chinese stopped. Then they started again. At the end of november to overrun all of eastern india. If you think bellow part that sticks out all of that looks like it would fall into chinese he hands. There were some who thought they would march all the way to calcutta to take the second largest city. 
On november 19, 1962 with that Nationalsecurity Council meeting but the American Ambassador and had already previewed that with the second letter. To say were on the verge of killing under bill whole world will see a cut in this giant marching with a democracy. I am not sure india will survive this catastrophe. Is immediately needed 12 squadrons. Into more squadrons to be stashed immediately to india to join in the war. Event of a ph. D. In bombing raids into tibet obviously is a slippery slope. But the president decided they could not make this decision overnight. And then that the auto group. And then sent on an urgent message that night from lenders aerospace but as the icon of diplomacy. En cent during the blitz to survive the nazi onslaught. To see if the soviet union will survive the invasion. This is the biggest you possibly find anywhere. 17 am i message to pakistan saying dont think about it. To send signals he was very unhappy and then wanted to be compensated. For the up pakistan neutrality. He refused to give into the black male that if you enter the war that is part of the alliance. So it was written in the memoirs it looks like india would disintegrate. The martial law was declared in much of northeastern india. With that pakistan that it could open up. In for no explanation and the chinese announced within one month they would draw back to where they started. The chinese records and not available but the archives remain sealed. Nehru claim to that kennedy was convincing the chinese to stop but it was americas resolve ted kennedys determination not to let the chinese manifested in the battle group to persuade beijing to not let the crisis go any further. In line with the chinese havent stopped . Led the United States have found itself at war . When we had better get more thinking it was the better part of three years. Here nehru was asking us to go to war with china and again. We will never know. 
So kennedy almost certainly would have said yes first because he really did believe the indian democracy was crucial to the United States with the global balance of power. Because his ambassador is a personal friend whittle will certainly have recommended it because just one year later in the fall of the 60 United States air force with small squadrons from the Royal Canadian air force goes into india for military Training Exercise which is exactly what nehru ask for one year before so we actually practiced. The conflict between china and india ends in this ceasefire but the conflict is a dover. They never settled. The border dispute remains the longest settle dispute today. Either party and not succeeded one iota to move forward. Bill likelihood of another war is probably pretty low. I wouldnt say that about another india and pakistan war but is serious reality. So that dispute continues to this day. That has led to to other things. Access between china and pakistan and. And then to look at the perspective it is 1962 with the alliance begins in it is called the all whether allianz it is a snub that the United States. Is taller them in the himalayas deeper than the indian ocean and in china and pakistan signed agreements that lead 46 billion of chinese investment. And of course, the nuclear pollution. They have been secret Nuclear Partners and china gave if plans for the nuclearweapons force. Faster than any other country this has led to a triangular arms race. Between china and pakistan on the one hand iran and india on the other. Just two years ago to proudly announce to allow live for the first time to target beijing with nuclear weapons. So the crisis averted in 1962 remains a problem to this day. And the story of the crisis and just like the world played and the role played by the cia but i will finish with one final word. But if theyer