Footnoted. Ten years ago I wrote a book called Cyber War and we said things own one then that military would become dominant. And then attacking each other in cyberwar infrastructure is the target set. And I'm not just stealing information speak in and we were criticized. So at one level wrote this ten years later just to say we were right. But we also wanted to say what has changed. And while we were right about some things we were wrong about others. So if you look at the major attacks of the last three years for the Russian military's. So if you look at that target set the United States more or less admitted the power grid is the infrastructure target. But with the largest destructive attack and other than attacking them and stealing information so we were wrong you cannot defend yourself. We were talking to Dmitri the other day and he said you can have all the defenses in the world but if the massage is after you you are screwed. So the major difference of the landscape from ten years ago so big corporations but there are corporations in America are they invulnerable? No. But they are resilient can they penetrate the network? Not that there is a perimeter but can they do real damage? The answer is no. If you look at this there is a long list of American companies that were in the Ukraine that had their networks in the US destroyed. But there's also a list of the companies that were in the Ukraine so what is the difference? What makes the company able to be resilient? While others don't? So there are a lot of answers to that question that is a determinative answer is money. How much do they spend? It is a gross metric but if they are spending 3 percent on their IT budget or cybersecurity which is kind of normal for a lot of companies but if you are in that eight or nine or 10 percent on security products, year after year after year you can achieve with technology.
Mentioning the cofounder with the IPO for the firm but in the book you discuss about back in the day there were two types of companies those that were hacked and knew it and those that were hacked and did not know it and those that are essentially and money is a key factor. And then to create that third class. And money buys good product. So I started in this business in 1997 if you wanted to defend your network you could buy firewalls which were not very good and antivirus systems which were not very good and in 1997 there was a third product which was intrusion detection system so a light would go off saying somebody was trying to get in. If you wanted to spend more money you couldn't. But we interviewed people for major Wall Street banks that are running networks 50, 60, 70 different IT security products from almost as many vendors and then to get into all of that. But look at J.P. Morgan they are spending 700 billion per year 700 million a year I mean with IT security and thousands of IT security people running that network. They can buy a lot of products to be very specialized with there is a new threat product comes out pretty quickly. We have to be constantly buying and updating. The other thing that has changed in this sounds wonky but it is governance the IT security person was way down in the organizational hierarchy and reporting to the deputy CIO. Never saw the people running the company. But now a quarterly board meeting of a major company every agenda is the chief information security officer and she is in the room and briefing metrics and showing what has happened since the last quarterly meeting and what the risks are and what has to be done. That is part and parcel now of the board meeting and that CISO is way up on the food chain reporting and reporting to the CEO. Talk about the company in the book they don't like to use their name because they don't want to be a target but they were in the Ukraine and they were hacked but no damage was done.
And it just so happens the chief information security officer worked with the chairman of the board right along with everybody else and if he wants money he doesn't have a budget he just spends it we have a problem somebody denies him what he needs to talk to the chairman of the board and that is unusual it's also unusual for that company to be that secure. Talk about being hacked and Russia is doing very bad things I'm not sure I share all the optimism but that the bad things are happening. After you see this growth in the private sector and so forth isn't it true the adversaries are getting better to shut down the power grid? The threat actors are very sophisticated. We have a chapter in the book about machine learning and artificial intelligence. So now you go to the cybersecurity conferences every company now advertises machine learning. But very few actually have them. That with the adversarial AI it is a thing and right now only being used by governments but it is and they talk in the book how the United States government at the hacker convention at DARPA the Pentagon research arm sponsored a competition among universities for adversarial AI where they had five large devices on stage and at the signal they all turned on and walked away and for the next couple hours there was no intervention all of the programs attacked the target they mapped it how to figure how to get in and the defenses how to capture the flag and how to get out. It turns out if you try to steal information, getting in is only half the battle. And they did it. They got through very sophisticated systems. I think that is happening now but that means the response time that you have to defend the network gets down to minutes not days or hours. Something else you mentioned in the book is glass houses and to level the playing field. And one of the things that you say is the United States has the sharpest stone but we live in the glassiest one the glassiest house.
In the last book we said people who live in glass houses should not throw code. We are really good on the offense. I know CIA gets bad reviews from time to time to not defend their own attack tools that they are still not in use by other people, but they are still several years old and at any given time the tools are really good and if you are being attacked by the United States government you will not know it. So there is a lot of tendency in the government with cyber policy and jobs if we are really good we can just go on to the athens line offense but there's very little attention paid that there are key parts of infrastructure of our government that's really easy to attack and destroy and disrupt. But the good news is some major corporation but the bad news is the government and the military are really quite bad at defense. And therefore we do see this I will have been stolen and used against us. The science for GAO, year after year issuing reports that our very expensive and very sophisticated technological weapon systems are easily hacked. And the list of those weapon systems with GAO that is talked about is staggering with 35 Freedom class naval combatants and antimissile systems and it goes on and on. We paint a picture that the United States has to go to war with the sophisticated cyber opponent and maybe with the shiny objects on the battlefield because they have been hacked. I want to get to Bolton in a moment but another book with the government and the private sector and who should be responsible for the national cyberspace. And ultimately to come down on the side private sector first and foremost in the support not just from the government but the government taking over as others have advocated would be a bad idea. Is that because they cannot secure their own networks? Or are there more reasons? That's a good place to start. Why should you be defending other people?
There is a tendency among some CEOs and some corporate boards to say you want me to spend so much money towards the Russian or Chinese military? I thought we had the defense department to protect us against foreign military without a paid taxes for that obviously corporations don't pay taxes. And they think we should just have Cyber Command defend US Steel or Wells Fargo. How do you talk to the banks and say you really want to hand over your consent for Cyber Command? They are horrified. They don't want the US government running around. This is very complicated go and there's nothing in the government like it. They don't know how to run a power grid or how to secure a power grid they don't have the expertise. Expertise is in short supply. So this panacea of Cyber Command it's a pipe dream. Individual companies have to defend themselves. But they can get help they can outsource security go there are managed security service companies that run the security of your network if you can't do it yourself. If you put your network in the cloud and doing a pretty good job then you can have a managed security provider. And it sets a level playing field for slot regulation there has to be a quarter of an inch rather smart regulation and this is the goal. California got a lot of criticism last year to pass legislation that said the internet of things devices must be secure. It didn't say much more than that. People, so what does that mean? We need a standard? Yes. But it's also a pretty good start. If you put a device on the internet that ran something like a heart and lung machine or the IV drip. Or a power grid, you figure out how to do that. And get industry together to come up with industry standards that are realistic and then the government can look at those standards and say I don't think that's enough. Which has happened with the power grid until you come together to come up with your own regulations and now the government says you need to do more.
But the title of your book is The Fifth Domain with air and land and sea and space and the concept you mentioned and that is a kinetic war but and to take down power grids there were attacks that given that the risks are that high to have a few hundred billion dollars. For the knowledge of how to secure these networks really is in the hands of the industry. You mentioned airplanes I have done a lot of work for the aviation industry and what strikes me is some of them look pretty good but the product despite the engines are great the aircraft is great but then there is a whole lower level in the supply chain of companies we have never even heard of that all the airports use for the infrastructure layer and most of them are not secure. Now all of a sudden the flight controls that the pilots have with the little iPads don't work now the kiosks don't work. So what the government can do is the requirements is to secure your own product not to secure your own network but your ecosystem. To identify the supply chain. Those are dependencies and to have an industry work together the entire industry is secure. To be clear to say in the book whether information sharing when you were in government that does have a role to play but to that and I'm curious how the administration is currently doing and to help secure site this is the first time in a long time to have a national strategy I have written two of them. That the national strategy of the Trump Administration it is a lot. I do think it is disconnected at the actual strategy because part of the strategy you have to have that governmental mechanism and the Trump Administration disassembles the government that we need we need someone to say that person is in charge of cybersecurity policy implementation but we don't have that anymore. Early in the administration they had a guy who used to work for NSA.
He was there in the White House everyone in the industry said that's good but then he didn't replace him at the White House. Now the State Department we have a small team, too small but worrying about international norms and also with arms control. So on paper the strategy was good but not actually what was going on. So in terms of regulation the Trump Administration says any new regulation has to identify two regulations to abolish before you can have one new one. If that regulation is enacted by this administration and also to people in Congress become but in the book there are 12 different government agencies that have cyber regulations at the federal level. They are all inconsistent. They were developed holistically so we call for a clean slate to have all the regulators come together and together figure out protection then in those industries have different features but to have a set of differences in those regulations those that were intentionally made. Because in addition to the corporate level to figure out what regulation I have to worry about, then you have regulations at the state level. Actually coming off the girl but then that's because the federal government isn't doing it. To go back to Ambassador Bolton and to push out Rob from his position. I go every year and stay for ten years. But one of those specific things we would go a little wonky but this is one of my favorite topics of the National Presidential Memorandum that those reversed policies from the Obama Administration have required an elaborate process but now from what we understand to have a much freer hand of these attacks.
So no matter what you think of that approach, is that necessary to deal with Russia or Iran or others that it leads to spiraling out of control Trump signs don't have signs for now MS 13 but before that happened and with the annual Defense Authorization but to say in preparation of the battlefield which is one of those buzz phrases through cyber activity in peace time is considered normal military because you can't do that when the war starts. You have to have done that way in advance. It takes weeks or months and you have to keep it updated. That's the secret we reveal in the book is despite the fact everybody is out there running around hacking their way into things, it wasn't. It wasn't authorized and there were serious steps you have to go through to get approval. They were told that no one will know it was us. They figured out very quickly with the help of people in Europe even though there was no network connection, it ran around the world. Other people caught it in the decompiled. It didn't do any damage. There's a brilliant piece of software but people call it, decompiled and started building their weapons off of it so the administration said that didn't work. It didn't do as much damage. We were the first nation states to be seen engaged in an active cyber war and it will make it difficult to do that again. We have the Obama Administration on the battlefield and now we have Trump divulging the power. Having worked for three presidents in the White House, I know when an agency has authority to do something like from the covert operation, if it goes wrong, it's the president who gets blamed so the president has a right and obligation to have some White House oversight supervision. Some of the critics would say we don't want him to have that authority maybe you are right the White House should have oversight but in this case we trust the Pentagon more than the White House. Do you agree with that?
You brought up Iran in the escalation between the United States and Washington and Tehran. In the book you have a hypothetical scenario where hostility between Israel and Iran in the scenario you describe the situation where the president is informed that the United States blocked the cyber attacks and turning to the secretary of defense saying David and began bombing Iran. Is that possible? Guest: It is a short piece of fiction in the book and I think it is realistic. We go through and deconstruct it. Yes, it could happen in fact it almost did. My coauthor and I looked at each other and said it's going to take place before our book is out. What we see in the scenario is Israel gets attacked and they launch an attack on Israel. If they use their friends over rockets and missiles they have in the region, it could overwhelm. Israel likes to say it has a missile system, and it does but numbers can overwhelm things like that. Under Richard Nixon actually, they did launch an outreach and went straight for the back. Could we do that again? Well, no not if it was somebody to attack logistics. There's another chapter they are no longer convinced it would also be global. We are putting an idea out there. The porters established the fee and what you are suggesting is how that might happen if you were going to have countries like Russia and Iran, North Korea and China. As likeminded nations to help each other, but do prosecute crime and share information and do agree on the international norms. If you will not implement them then you don't get to play. We had in mind something with money laundering. A group together that was a small group. Anybody who doesn't live up to the standards doesn't get to clear their money from the banks. So we went around the countries and this is a model law. Most of them implemented them. Established international norms on cybercrime with nature for cooperat