Charlie mitchell is the author of a new book. Cyber in the age of trump. The unraveling of Americas National security policy. Before we get into the essence, what gives you a background in cybersecurity . I used to be editor of roll call. I worked at inside washington publishers. We do deep dive coverage into policy areas. Cybersecurity kept popping up. This was in 2012 or so. We looked at taking a deeper dive into it. We started investigating this and decided to start a new publication called inside cybersecurity that focused on the development of cyber policy. That wasnt that long ago, but it really was the stage of creation for a lot of this. I think president george w. Bush was the first one who started getting into cyber as a major policy area. It exploded under the Obama Administration. Cutting across so many issue areas. We decided to create something that would give readers an idea of where the policy arc was going. We covered it through the Second Obama Administration into the Trump Administration. I wrote an earlier book called hacked about cyber during the obama years. Really, the beginnings a lot of this cyber policy. I wanted to write a followup on how a new administration would treat this. That is what led to this book. When you look back at 2012, how is the sophistication of cyber growing . Charlie it was at a low stage in 2012. There were a number of people who were savvy about. At congress, the level was low. People were talking about, we need to build walls that are a lot higher. It didnt have a mindset around with the cyber challenge really required. That has grown. There is a lot more expertise and engagement in the executive branch as well. I think everybody was a little slow to come around to this. People like jeff moss who founded the black hat conference, he said the problem is the attackers, the people who play offense are going and breaking into systems, they can have all the fun and be creative and all that. Defenders are stuck with trying to come up with ways to defend against that. They are forced to fight over budgets and jurisdictions. Laws and things like that that attackers do not have to worry about. It has been very complicated to get to this space. I think we can say, starting with george w. Bush and through the Obama Administration, there were a lot of efforts to build the structures around cyber policy. That was a formula of stage. When the Trump Administration came in, people were seeing abrupt changes in other policy areas. Cyber, not so much. There was a lot of continuity with the basic policy structures. The way i look at it, under the Obama Administration, you are putting the pieces in place to try to have an effective policy. This continues to evolve. Some of the pros who came into office in 2017, took that and ran with that. There has not been this dramatic break in the basics. With a couple of exceptions. The Trump Administration has been more willing to use offensive weapon tree. I dont think the Obama Administration had quite gotten their. The other key difference, i would say between obama and trump as quote unquote cyber president s is obama was pretty interested in the issue. He gave speeches on it and would go out and visit dhs and talk to the people at the National Institute of standards and technology about this. Was trying to project the idea that this was a Huge National issue. President trump does not engage in the issue that much. We can get into some of the reasons i suspect that is the case. There has been a sharp difference in the tone, the personal interest from the oval office. That ends up creating an issue around leadership for cybersecurity. If i can say one other thing, one thing going back to the Obama Administration, the message that the u. S. Government has been really pressing in industry and business leaders. The top person and an organization has to personally take responsibility for cybersecurity and show they are interested in it. That this is a cultural value within their organization. The government is telling that to companies. I would think the same thing should apply to the government. The top official in the government should be saying this is a personal value of mine. We need to do this. Spread that message both through the government but also to the partners in the private sector. That has been a real missing piece over the last couple of years. Peter we will get into the differences between the Obama Administration and Trump Administration. Can you put a dollar figure on how much is spent by the federal government in cybersecurity . Charlie there is a budget for dhs, the department of homeland security, it is 1 billion and change as they like to say in washington for siebel security, going across government. If you throwing the Defense Department spending, you get into the low billions being spent on cyber. Very smart people out there who work in the space will say, they recognize the realities of federal budgets and the battle for every penny you can get, the fact cyber is in competition with every other program. They like to match it up against the amount being lost in the Global Economy which runs into the trillions. Cyber theft and damage. This is a multitrillion dollar cost of the Global Economy. It is in the high hundreds of billions. The amount spent by the federal government is a tiny fraction of the overall cost of this. Because this is very much a government private sector issue, neither side can do it on its own, you look at what the private sector is spending. Companies are spending a lot of money on this. Particularly the larger companies. They devote a lot of their spending on security. It gets a little more complicated as you go down the scale and you look at smaller and smaller entities. That particularly with covid19 have to make tough choices about where they are going to put the next dollar. Their spending is constrained. We see that across different business sectors. The problem is in cybersecurity, you are only as strong as your weakest link. If a Small Company that is part of the value chain or the supply chain in a critical area is vulnerable and gets hacked, that could allow a bad guy to get into all kinds of systems. There is a tension in trying to make sure smaller entities have the resources they need to perform the security duties that they should. A lot of this is being driven by the private sector. I think the cybersecurity agency, within dhs, has been doing a lot of work to try and get tools out to the private sector. Particularly focusing on smbs, small and midsized businesses. The challenge is enormous. You have seen groups, both of which are led by former dhs cyber people, former Administration Cyber people, you are seeing a lot of groups like that who are going out and just trying very hard to get tools for free into the private sector. So companies can look and see a suite of security services. That has been a valuable exercise by these groups. Is it fair to look at Cyber Threats and cybersecurity as a new form of espionage . Charlie it is a aspect of it. It is interesting. You have to look at the threat actor and what the threat actor is trying to accomplish. There has been plenty of evidence in recent years, even recent months, countries such as russia and china and iran have been mapping u. S. Systems, Critical Infrastructure systems. And i would imagine we do the same to their systems. In the event of conflict, this will be another domain of conflict for sure. In the espionage side, there are generally accepted rules you can do certain things related to gathering intelligence for your National Security purposes. Every side does that. The big departure we saw an 2016 and this created something of a redefinition of cybersecurity, was the activities protruded to the russian government to disrupt the u. S. Election. That involved direct things like hacks into email together information. It involved these disinformation campaigns to use social media. To spread things, create antagonisms and all of that. That was a new wrinkle. I am not sure anybody was quite prepared for that. The response to it, of course, was heavily criticized. I think espionage is an aspect of it. The ability to use cyber as a quote unquote military aspect of it is a domain. This use of cyberspace, social media, as a domain to accomplish your goals is a part of it. You talked about oval Office Leadership and the change in tone from the Obama Administration to the Trump Administration. Can you expand on that . I would say President Trump was very interested in this issue. He gave a big speech on it. He spoke on it repeatedly. Through executive orders he launched a series of initiatives that still provides some of the foundation today for cyber policy. President trump doesnt really speak on the issue. He doesnt much discuss it. He has also issued a series of executive orders that have advanced the policy and led the overall cyber policy into the next evolutionary phase, if you will. You do not have that accompanying since the president is keeping track of this. That this is a high priority for the president. That probably has an impact within Government ReadGovernment Agencies were directed by the president to in follow the nist framework which is kind of a foundational set of standards for securing your systems. Also, in an early trump executive order, he made clear the agency heads were personally responsible for cybersecurity. Which was an important evolution, saying somebody was taking responsibility. The downside was more of a checklist approach, i did this and this. Rather than a Risk Management approach where you are incorporating cybersecurity into all of your activities and thinking about it upfront and you realize the cyber aspects of everything you are doing as an agency are just as important as any other aspect. You dont really get the sense that idea is being driven from up top although the rules have been put in place, if you will. The leadership question that i have been very interested in, and i think we need to see more of in order to be effective is in terms of engaging with different communities in this country. I mean different business groups. Civil liberties groups. Civil society. In order to drive a new set of principles around data security. Where do the responsibilities lie . I dont know if we have done a great job of spelling this out. I would say the transition from 2016 to 2017, to my way of looking at it, that was the next big thing that needed to happen. You needed a strong engagement between different groups, different entities. To say, this is the way we are defining your responsibility as a company and cyberspace. This is what the government is going to do to help and protect you. This is what you need to do the help and protect yourself. These are the rules you need to do to protect consumer data. We have seen these massive hacks of consumer data being leaked out into the dark web and all of that. We have not really defined this as of yet. I would take it overseas and say u. S. Leadership is imperative trying to drive Global Standards and create a global system of conduct. I think the Obama Administration was just getting going on that. We were very much in the early days. Creating a Broad International coalition around certain principles and goals seem to be the next step but that has not really been taken up. What we have seen is very particular steps aimed at Chinese Companies, for instance. The huaweis and ctes that provide tech and telecom services. The Trump Administration has issued a series of orders largely aimed at getting those companies out of u. S. Systems. U. S. Telecoms have to strip huawei products over the next couple of years. There is a big effort in congress to make sure that is adequately funded. I think theres about 1 billion available for it. It will probably cost at least twice that much. Telecoms, particularly in rural areas, to replace their equipment. It has been a very Company Specific get china out of here policy rather than one where we engage with our friends in europe and japan and other countries and try to create a very durable system of Global Confidence about cybersecurity, use that to confront adversaries and cyberspace. Peter you are watching the communicators on cspan. Our guest is Charlie Mitchell. In your book, mr. Mitchell, you write the ubiquity of cyber problems might make cooperation between the u. S. And china conceivable. Plus President Trump and president xi formed a Mutual Admiration Society but within a year, the souring of the relationship was front page news. The relationship harmed cybersecurity issues. Charlie right. I think there was some thought, cybersecurity, some cybersecurity goals could be achieved within the context of a grand tree to deal. Of course, that did not come about when there was a deal that has been called the phase one deal. It did not get at the broader cybersecurity challenges between the two countries. This has been one of the fundamental issues during the Trump Administration. Critics say about a lot of the actions, is it cyber or is it trade . In that goes back to some of the issues raised by banning huawei. Professionals will tell you there is plenty of smoke around those companies. There is reason to be suspicious. Strictly going on a policy of banning Companies Rather than trying to create a system of standards everybody has to meet is probably less effective. Another thing with this is, because trade and cybersecurity were so intertwined in the first part of these negotiations, i have to imagine the Chinese Government looked at it as the cyber aspects are just a piece of this. Maybe if we give the u. S. A little more over here, they wont care so much about the cyber elements in a deal. The Trump Administration anyway encouraged that. Encouraged that. The chinese were not sure where the lines were. You probably do want to leave some uncertainty in a negotiating process, but i am not sure this was the most effective way to go at cyber. Again, there are plenty of issues between the u. S. And china. There also were some commonalities. I saw it on the Forbes International list that the chinese now have more companies than the u. S. Does in the top 500 internationally, the Largest Companies internationally. When the book was published, the u. S. Was narrowly in the lead but now the chinese have a clipped that. As i say in the book, these Chinese Companies have boards of directors. They have responsibilities beyond what we perceive to be there responsibilities and obligations to the Chinese Communist government. These are businesses and they have their own hackers and plenty of them. They face some similar challenges which could create that Common Ground to begin working toward Global Standards. The chinese might be interested in that kind of approach. But we have been on a path where we are aiming to drive Companies Like huawei out of the u. S. Market. With some justification. We have focused our International Efforts in persuading allies in europe and asia to go along with us on that. For them to ban huawei as well for instance. Which is fine but not really creating a Global Coalition or alliance around a specific set of principles. We want to get this company out. In a way, all of the evidence is we want to knock them out, that company and the biggest chinese tech companies. There seems to be a trade aspect, they are a competitor. It would be in some ways the equivalent of a foreign power saying we really want to take down ibm or general motors. I am not entirely convinced of the efficacy of that approach. Peter you quote a republican from nebraska saying chinas main exports espionage. The distinction between the Chinese Communist party and businesses like wall weight is imaginary. Weve only got a few minutes left. I want to ask you about one of your recommendations, the white house coordinator empowered by the president is essential when it comes to cybersecurity. Charlie i would say the decision in 2018 to get rid of the white house cyber coordinator, that was a mistake, i think. A lot of people in the business community, the Security Community and others agreed that was a major mistake. It was a john bolton decision. The president backed it in the president has not moved to replace that position. In fact, there is language in one of the annual house defense bills to create an Even Stronger version of that, a National Cyber director. The white house opposes that. Why is it important . For a number of reasons. It signals to the gove