Attention was paid to that report and things have been moving. So without further ado, Richard. [applause] Thank you. Good work. Well, thank you very much. Thank you for that nice introduction. Very wise of you to truncate it. My reputation as a speaker had preceded me when I came early and saw that you had given out the best speaker award before I spoke. Shows very good judgment. And Angelos mentioned that he truncated my career, the description of my career. Maybe this event will actually truncate the career itself. I actually, among other things, was a law professor. I remember having a strong sense about my teaching qualities when a student came up to me at one of the classes and, gushing with enthusiasm, said, Professor Danzig, I just don't know how you do it. Your every lecture is better than the next one. [laughter] I thought about that for a while and decided to quit teaching. Um. It led me eventually into government where, among other things, I became Secretary of the Navy. I thought, admittedly at some length, when a Marine got up to leave, that didn't seem to me to be appropriately compatible with the dignity of the Secretary of the Navy. I asked him where he was going. I didn't think the dignity of the Secretary of the Navy was enhanced by his answer: he was going to get a haircut. I said, why didn't you get a haircut before I began speaking? He said, I didn't need one. [laughter] So these factors all suggest you were very wise to give out the award long before I spoke. But I thank you for the opportunity to try and do something a little difficult here: to provide sort of a bridge between the technology world that you all know so well and the Washington policymaker world that you're now physically embedded in, but also functionally so embedded in, as cyber security issues. The challenge is to talk between the two worlds and not only in a way that's descriptive, that is analytic, but also prescriptive and suggestive.
This draws, in some measure, on a paper that I wrote last year, on this concept of living on a diet of poison fruit. This is the organization site; you can download it from the web, if you'd like. I'm going to go further than the paper, but some chunk of the footnotes and the like will offer background, if you want to pursue it further. What I'd like to do today is give you a sense of the world as it is, in terms of particularly admiring the problem first. I'm going to spend a little bit of time just emphasizing the character of what we're having to deal with. I'm going to try to go deeper and analyze it. By analyze it, I mean to try and of the key things that underlie the world as we see it. Abstract, beyond perhaps kind of everyday concepts, to some basic propositions about why we're in the situation we're in. And then I'm going to try and give a description of terrain that I think would be more familiar to you, which is just some of the kinds of things we're trying to do about it. What I want to get to particularly is a set of recommendations. I'm not going to attempt to be comprehensive in those recommendations. I want, rather, to suggest by and large things that are new, things that we're not doing, that are not so much on our agenda, not that I've discovered some incredible curative unknown world, but I think there are things to be said about this that are not enough on our agendas. Let me start by, as I say, admiring the problem. A common kind of phrase used is the notion that this is a wicked problem, by which it's meant that it's highly interactive. It has a number of different components. And these different components create difficulties in our because in fact different parts of the problem resolve it without connecting with other parts. So technology, for example, interacts with the legal system. I've shown you just a little concerns here. I particularly emphasize that we're concerned obviously with business realities.
To provide patches or maybe it's not so great, but something to provide patches on systems that have known vulnerabilities. Actually look about why it is that people don't or why they download those patches, the reasons are highly and relate to business imperatives. It may seem like this is just a that I ought to be able to drive people towards. They're integrating the new software into systems complex, because some of these systems aren't being shut down on anything like frequency that would response, mediate stores will implement, a few onres at a time, then move to other stores, so you're always having some parts of their system lagging in the patching. Or a power company will have an annual shutdown for maintenance. And as far as they're concerned, that's the occasion for updating. The idea of updating more frequently is one that they can readily understand but not integrate into their business model. You find that problems like this with real frequency. There are also just the kinds of cultural problems in organizations. Talking with a chief information security officer for one of the really brand-name companies about his difficulties. He said, every rule you come up most obvious, immediately people ask for exceptions. I said give me an issue. Decree, never tell anyone your password. More basic? He said, immediately the CEO tells me of course he's sharing with his assistant. How else can he or she get into the emails? If you're going to have some theory of change, you're going to have to take account of these variables. I think another aspect of admiring the problem is simply the speed of change. It's very difficult, I think, to cope with, maybe even for you all as well. And the example I use in the national security establishment to kind of bring the basic point: the historical analog. Think about the introduction of gunpowder into Europe, circa 1300.
Something that over time changes the character of warfare, which is essential. But now, in the warfare context, our notions of defense, for building castle walls that are straight, have to be abandoned. Notions of chivalry and leadership change dramatically, because if I stand in front of the army waving my sword I'm going to be shot dead. Organizations have changed, because now I need mass for firepower and I need ability to bring my troops into a state of training that's more sophisticated than if I simply raise up farmers to be a kind of posse to go deal with something for a few weeks. So I begin to require standing armies with trained officers who even understand something about ballistics and the like. Then the state changes, because I have to have, in the state, a capability for sustaining these armies, which brings me to taxation and the like. I need a munitions industry, because if I don't have a munitions industry, I'm any future kind of combat. So everything changes. The nature of warfare, the nature of the economy, the nature of the state. My observation is a pretty which is that the coming of the Information Age is not less significant than the gunpowder. But all the changes take place essentially over the course of two centuries. The changes that we've experienced by and large, and the major changes, in the information world, have occurred over two decades. So the speed of assimilation is just very, very difficult for policymakers and others. Official put it nicely to me when we were talking about this and I made the point I've just described. Said, yeah, the problem is that the technology changes at the speed of Moore's law, and the people don't. What's in our heads doesn't change that fast. We have all kinds of legacy systems operating in this context. So you see the dramatic changes that we've experienced up until now. I'm going to say a little bit about the future shortly. But what I'd like to particularly emphasize is that, to quote a famous well-known computer scientist, William Faulkner, who said the past is not dead.
It's not even past. Do I have to explain this reference? I'm not sure. These overlaps, these continuities from the world that has passed and that remain embedded in our systems and give problems. So let me give you one example from the national security world, a little subtle and illustrative, perhaps beyond your experience. I think it's important in the way government officials think about digital information that by and large they were in the warfare context, originally, and our biggest development of them, in the context of espionage and intelligence. The National Security Agency, NSA, is obviously the leading arena of capability in this regard for us. It's striking when you think about the national security world, that it has some kind of implicit norms. In the Cold War, there's a Tim Moore, who helped me think this out. In the Cold War, we basically didn't interact in a direct conflict way with the Soviet Union; whenever possible we avoided that. Involved various proxies. Think about the Vietnam War, Cuba, other issues like that. But by and large, we didn't have direct confrontation. About there was some sense of and off the road restraint. At the same time, in the espionage world, by and large, were off. Could do something, then way of something by discovering intelligence and the like, directly involved and competition. Comes now the cyber world and the attitude, I think, became: all bets are off. Unrestricted. We don't have these kinds of restraints. As another example, if you use a weapon in DoD, you want to introduce a weapon, there's elaborate legal analysis that says, is this weapon consistent with the laws of war? But what happens in the cyber world is that though the tools that you are used to, that you would use for espionage intelligence gathering, can also be used for offensive the battlefield. Those tools are treated as if they were information-gathering tools and we don't have the kind of structure around them or the conceptual structure around them that we have for other things.
That's one of the reasons I think that the government is struggling with the reaction to the Office of Personnel Management hack that you're seeing, because the general historical attitude has been there are two kinds of things. There's warfare and there's espionage. The cyber, you know, straddles both of them. When they straddle both of them, it creates complications. So we have historic ways of thinking that, while the world is so rapidly changing, those historic ways of thinking are handicapping or limiting us. We have this kind of compartmentalization that no longer works out. We don't have these kinds of understandings of distinctions between offense and defense that we used to have. They no longer begin to work. And another example is, the private sector is different from the public sector. We used to think of warfare in the public sector kind of context. By public sector, I mean government. What happens when you begin to freely? I want to take you back a little bit and just give you a little, a Chinese document written at the end of the 20th century. I published a piece in the New York Times in 1998, doing what every Pentagon official the most fundamental and wonderful and important thing to do, which was I introduced a new acronym. And I was very proud of it. The new acronym was, I thought, very cleverly designed. It was called NEW. It stood for non-explosive warfare. The notion was there are a lot of things that are coming that are weapons that don't go bang, that don't explode or are not kinetic. This had, I think, absolutely characteristic success for me, which is to say nobody talks about it. But I nonetheless sort of want to try and revive it, by revealing it here. These two Chinese colonels in 1999, they advanced the notion of unrestricted warfare, which you can read right up here. That basic notion was we're coming into an era of technological violence, that distinction between battlefield. And that the new concepts enable kind of warfare. They then went on to talk about weapons.
New concept, and we're not trying to kill, destroy so much as we're trying to control. Remember, this is 1999. A single stock market crash, a single computer virus can affect these kinds of new concepts. What we're trying to do to achieve victory is to control, not to kill. Entering an era of political, economic and technological violence. Some morning, people will awake to discover with surprise that a few gentle and kind things have begun to have offensive and lethal characteristics. Well, you, in light of the experience of the last decade, will not be surprised at this. These things, we've lived them. We see it in the world of business, where we're dealing with things like IT theft and other kinds of difficulties that I've sketched here. See it as well in individual not only the negatives but also how the positives are with the negatives, sharing of data and the like. In general, seeing it in the context of the new warfare that I've suggested to you. So where are we going in regard to this? I don't know. I don't think you know. I published a paper a few years ago, Driving in the Dark, which got some attention, because the gist of the argument, as some others have made, has been we can't see this the evolution of the complex future, the emergent realities are going to be challenging for us, because in fact our headlights only go so far. And if you look at the predictions, historically, they're not very valuable. To 1990, and you look at predictions about how technology change will impact national security, the most striking thing to me is the paucity of attention to the internet. The internet is there. It comes out of DARPA starting in the '70s. Relatively robust in the '80s. It's all there. We don't see it, except in retrospect. There's a wonderful book called Everything Is Obvious: Once You Know the Answer. In retrospect, we can see all this. In prospect, we're not good predictors. Not good. We need to recognize that, because it's extremely relevant to what we're dealing with here.
The fact is, I can point to the fact that I know something about the pace of technology change, I that transition will continue in ever accelerating kinds of ways. There's a huge variety of actions and actors out there into will occur and that I do know, though, what I am concerned about as a national security analyst, and what policymakers ought to be concerned about. Very particularly, I am concerned about the destruction of social properties and things like the financial system, power companies, and the like, that provide a backbone for our capabilities, and I'm concerned about how things may evolve for individuals apart from the state. My first reaction as the internet of things evolved ever further was that this represented a set of risks from a national security standpoint was I concerns, could hack my refrigerator or cause an individual automobile accident, but if I am a terrorist group like ISIS and I want to create havoc, lack of trust, indeterminacy, and other contexts in America, maybe if I can make people very unsure about the safety of their automobiles by periodically causing them to wreak havoc, I could achieve political ends in ways that I care about. There is a sense of the problem. At this point you may feel a little bit like this is just too much in some dimensions to come out from a policy standpoint, but clearly it needs to be thought about. Among the other parts of my background, I was at one point a Supreme Court clerk working not far from here for a Supreme Court justice, and another Supreme Court justice, besides the one that I was working for, Justice Douglas, who was well-known as a misanthropic, sort of, guy. He kind of loved mankind in the abstract, but hated the rest of us.
He felt, one day telling a story about his father, which was quite illustrative, said his father was a minister who wandered around the Pacific Northwest and one day he mounted his pulpit, looked out at his audience, and found just one guy sitting out there, and he said to that guy, do you really want me to go ahead with this service? The guy looked up at him and, Justice Douglas said, the cowboy said, well, preacher, I'm just a lowly cow hand, but if I went to the field to feed 40 horses and found just one, I would not let the horse go hungry. So he decided to give a whole service, sermon, prayers, hymns, walked to the back, shook hands with the congregation of one and the cowboy shook hands with him. He proceeded to wander off. His father could not stand it, and yelled, how did you like that? And the preacher said, how would you like that. I am just a lonely cow hand, but if I went out to feed a field of horses and found just one, I would not dump the whole load on him. [laughter] You have to get past wringing our hands and saying I have contributed some. I think we need to get at the root causes, and I will give you a summary that represents an abstraction of the phenomenon of the odd complexity of these systems. The Microsoft operating system, they do not reveal the number of lines of code. Ballpark 50 million lines of code. I asked that major corporate financial company person to estimate for me how many lines of code his company maintains and he is responsible for. Answer: one trillion. These systems are, as others have observed, the most complex kinds of systems we have invented, and that means we have extraordinary difficulty observing them, extraordinary difficulty enabling us to comprehend what is happening within them, and they have exceptional vulnerability.
If you take the notion of the stark notion of one bug for every thousand lines of code, the bug does not equal vulnerability, but it gives us some sense of what is involved when you try to write out 50 million lines of code. In fact, in conveying to policymakers this point, which is extremely important, I think, their first intuition is: you guys created this problem. It is a technology problem. Fix it. Either, if I am a right-wing politician, you are too much about your peace-loving hippies who did not care enough about security, or if I am a left-wing politician, you guys are all capitalists who wanted to get the software out the door because that is what you got paid for and you did not care enough. I say to them, think about something in the world you know: the U.S. tax code. The U.S. tax code is 4 million words. Write me a tax code that does not have any loopholes. Now, you might write me a tax code that does not have any loopholes. You might suggest they are writing tax codes with the intention of loopholes, but if you write a 4 million document