Responding to Russia: Deterring Russian Cyber and Grey Zone Activities

Available Downloads

JAMES ANDREW LEWIS: Thanks. Good afternoon. Welcome to CSIS. We’re going to have an exceptionally timely even, which was largely fortuitous. But we appreciate your coming up on a nice Friday afternoon.

Let me introduce our panelists very quickly. If I was to read their full bios, it would take up the entire session. So I’m going to give an abbreviated version. To my right is John Carlin, the former assistant attorney general for the National Security Division at Justice. And he currently chairs Morrison And Foerster’s global risk and crisis management team. At NSD, he did lead the investigation on the Sony attack, and one thing we all know, which is the incitement of the five PLA members for economic espionage. Prior to leading NSD, he was the chief of staff and senior counsel to the FBI director, some guy named Mueller. I don’t know.

JOHN P. CARLIN: At the time, he was anonymous.

MR. LEWIS: (Laughs.) Yes. To his left – his right is Rick Ledgett, who has four decades of intelligence experience in cybersecurity and cyber operations, including 29 years with the National Security Agency, where he served as the deputy director until April of 2017. He also led NTOC, the threat operations center, and was the IC’s first NIM, national intelligence manager, for cyber. So again, another deeply experienced individual.

And finally, Jim Miller, president of Adaptive Strategies. He’s on the boards of the Atlantic Council – we let him in anyhow, thank you for coming – and Endgame. He’s a member of the Defense Science Board. And many of you may know he co-chaired the Task Force of Cyber Deterrence. Before that, he was the undersecretary of defense for policy, and the principal deputy undersecretary of defense for policy.

So couldn’t have a better panel for talking about this topic, which is not to talk about what the Russians have done. I think we all know that pretty well by now – but to talk about what should be done back, right? And this is a new kind of conflict we’re in. It’s not the Russian tanks pouring through the Fulda Gap. It’s a different kind of conflict. And we will need different kinds of responses.

I’ve asked each of our panelists if they could briefly, say for five minutes or so, give some opening remarks. Then we’ll turn to questions. And I hope we have time for questions from the audience. So, John, why don’t we start with you?

MR. CARLIN: Sure. And I might start with the angle of what do you do about cyber-enabled activity and how do you have a strategy to deter that type of activity in a world where the rules are not yet entirely clear as to what a nation can get away with in that space. Over a period of years – and Jim talked through some of the cases – we had started to move towards a policy of showing that when it comes to cyber activity, including by nation-states along with organized criminal groups and other non-state actors, that you can figure out who did it. So doing the attribution and putting the resources in to do the attribution.

And really for a while in government, I had started on the criminal side of the house doing computer hacking cases. And for that period, was really kept separate from what was going on in the intelligence side of the house. When I went over to work for Director Mueller as his counsel and chief of staff the door opened, and I saw what we had on the intelligence side of the house. And the fact is, we’ve been good at attribution for a while, much better than the public or our adversary nations knew.

So we started changing towards the strategy, well, it’s great that we know it, but it’s causing real harm to real people now. And in that sense, it’s not a traditional intelligence collection issue. And starting first in the area of economic espionage with the indictment of the five members of the People’s Liberation Army, but then moving on to calling out publicly North Korea’s behavior when they attacked Sony Motion Pictures because they didn’t like the content of a movie, to charges that were brought against Iranian Revolutionary Guard Corps-affiliated actors for their attacks on the financial sector.

Of, one, figure out who did it and, two, and this was newer, make it public. Don’t keep it on the intelligence side of the house, even though that has real costs in terms of losing sources and methods and perhaps provoking confrontation in this sphere, because once you start making it public – which I think is vitally important not just to send a message to a foreign country or adversary, but also because the victims are often in the private sector, and they can’t take the necessary steps to protect themselves unless they know what’s occurring. And that requires being more public about what we’re seeing.

And linked to that, we need action. We need congressional action. We need new regulations in this space. We need public support for taking retaliatory steps that may cause temporary churn. And unless they see the urgency of the problem by making public what’s actually occurring, I don’t think we’ll have that collective drive towards action. So, one, figure out how did it. Two, make it public. And then the third is impose consequences.

So I named three of the four major adversaries when it came to seeing provocative behavior in cyberspace – Iran, North Korea, and China. And what we hadn’t done prior to the election was take such an action when it came to Russian activity. And whatever the – and there were complicated debates at the time – but whatever the thoughts were in terms of not taking action prior to the election, it’s clear after the fact that the result has been that Russia believes that it was a success and that without taking additional action they’re going to continue provocation when it comes in cyber.

And since then, we’ve seen continued Russian activity not just in the United States but in other countries around the world that’s designed to undermine the integrity of elections. We’ve seen the completely irresponsible use of NotPetya, which this administration has publicly named, that caused hundreds of millions worth of damages to companies around the world, including around 300 million just one – to name one, when it comes to the case of FedEx, to more recent activity. Plus, we have a long history now of Russia shielding the top 10, essentially, cyber criminals who the estimate from CSIS I think put last year at $650 billion worth of loss to global commerce.

So when you put that together on a global scale, they’re – and the things, like as reported in The Washington Post – attacking the Olympics. What greater symbol of our countries working together to show that you’re not a member of the world order than attacking the Olympics through cyber-enabled means. So we’ve moved – and you’ve seen a lot of those publicly – to figuring out who did it and making that public. We’re not where we need to be when it comes to imposing sufficient cost to change the calculus that gets the behavior to change. This isn’t about regime change, and it wasn’t with any of the other three countries in this space. This is about the – having costs proportionate enough to whatever the benefit the adversary is seeing of this type of behavior to get the behavior to change. And if you don’t change the behavior, then the policy isn’t working, and you need to keep ratcheting up the cost.

And I’ll close with thoughts on how one can do that or avoid some of the problems that came to the election. One thing that’s difficult leading up to a democratic election – speaking specifically about elections – is ensuring that there is confidence in the assessment as to what occurred. And in that sense, I very much support a bill proposed by Senator Rubio that would have a requirement that professional members of the intelligence community report to Congress what their finding is, so it’s clear whether or not people believe that someone – an adversary is attempting to meddling in the elections. Two, in advance outline what the consequences are going to be. The bill does that as well.

And in terms of ways one could ratchet up current pressure, I’ll throw out a couple of ideas. One would be we have sanctioned – I think the actions that we saw this week, building on the Mueller indictment and the model of using the criminal justice system to make public in great detail what’s occurring to force public conversation and action, led to sanctions. The sanctions were good, but not enough. They’re not enough to cause behavior. To ratchet up the cost, one, you could look at tying the oligarchs that are surrounding Putin to their assets, and then seizing their assets, particularly in real estate. That – the legal authority exists to do that. So then you do the investigative work to make the tie to those assets and seize them, and impose additional sanctions on companies that they run, often through shells.

Number two, similar to the strategy after Ukraine, would be macroeconomic sanctions focused on certain sectors, like oil and gas. That would cause real economic pain and, in that sense, deter this type of behavior. Three, to try to do this multilaterally and also to look at, as was done post-election in the United States in December, and then, again, against the San Francisco consulate earlier in the year, and as we’ve seen our British allies do across the pond, is to take actions against the intelligence operatives simultaneously with our allies – say, 10 or more countries simultaneously taking action to PNG, to declare persona non grata, operatives operating out of post in countries throughout the world. I think those steps could be proportionate to what the damage has been and send a deterrent message.

MR. LEWIS: Thank you.

Rick, please.

RICK LEDGETT: Great. Thanks.

First off, I’d like to start by agreeing with everything John said. That’s exactly the right – the right way to look at this.

I’d like to concentrate on the benefit versus the cost calculus, because right now the benefit is huge and the cost is basically nil to the Russians. And so when you look at that, when you want to change people’s behavior to get them to modulate their behavior, you have to lower the benefit, increase the cost. And how do you do that?

I think one is, in terms of the upcoming midterm elections, let’s secure the election infrastructure as much as possible. There are a couple of bills in the Senate, one of them by Senator Klobuchar, that I think are applicable that talk about providing federal funding to the states, so they can take action. You don’t want to make this a federally managed activity that infringes on states’ rights. But you do want to provide them with access to threat information, so clearing some of the state officials in the way that DHS has started to do, engaging with them through the mechanisms like the Multistate Information Sharing and Advisory Council.

And taking advantage of the information that the federal government has and making it available to the states. And there’s been some great work in the private sector on that too. The Center for Internet Security has produced a book for states. The Belfer Center at Harvard has produced a manual for states to use to help do that. So continuing down that path and putting some resources and some more attention behind it. So make it hard to do that is thing one.

Thing two, make it harder for the what I call information operations to reach their target. What are the target of information operations? The brains of the decision-makers. So, in this case, the decision-makers are the voters in the country. And so how do you, without infringing on free speech – which is the First Amendment, which is a hugely important American value – how do you make people aware of the provenance of things that they see on social media activities like Twitter or Facebook, or things that are promulgated through the – through the news cycles? You know, which stories are emphasized or not emphasized in order to make a certain point.

The intelligence community assessment that was published last December does a good job of laying some of that out in the – in the unclassified version that was published, the use of state media and the use of troll farms. And if you Google Hamilton 68, there’s a website run by the Alliance for Securing Democracy, and I – full disclosure, I’m on the Advisory Council for that. They track the activities day by day of the Russian-associated troll farms and look at the stories that they are emphasizing and the divisive sorts of things that they’re looking to highlight in social media.

So how do we get a better handle on that, make people aware, help people think critically and look at multiple sources of information? What’s a big, huge strategic problem. We will fix it this year, but it ought to be something that we look at long term going forward.

Third thing is what are the things that would cause the Russian government, and specifically President Putin, to change the guidance that he’s giving to his people? He cares about controlling information flow to the population of Russia. That’s a core part of keeping power, is making sure that – and keeping high approval ratings – is making sure that the information flow is managed.

He also cares about support of the oligarchs. John mentioned one way to approach that. I think that’s a good approach.

He also cares about support of the military and support of the intelligence services.

And so – and, finally, he cares – maybe less than those first four, he cares about the – I’ll call it a thin veneer of respectability on democratic processes that are going on in Russia, especially with the upcoming election.

So there are things that the U.S. government could do if it chose to in each of those domains. And it would require some careful thought about which ones do you – do you start with and how do you ratchet up. The sanctions that the Trump administration just announced against Russia are a step, but they’re a step on a long staircase. And so you want to think about how you go from step to step in that process, until you reach that point where the benefit is decreased and the cost is increased, to the point where it changes the behavior.

MR. LEWIS: Thanks, Rick.


JAMES N. MILLER JR.: Good. Thanks, Jim.

I guess I’ll start by agreeing with both – (laughter) – both John and Rick.

And what I’d like to do first is a disclaimer. Although I may make reference to some of the findings of the Defense Science Board report on cyber deterrence, which I did – co-chaired with Jim Gosler, I’m speaking on behalf of myself, not on behalf of the Department of Defense or anybody else.

I thought I’d make two quick points and then – and then add some additional steps the United States may take. And I think it’s important to think of it in terms of a campaign plan because, as I’ll – as I’ll point out, there are escalation risks associated with taking actions, but there are greater escalation risks associated with not taking strong action.

So point one is that – is that to have an effective deterrence strategy, you need to think about the mindset and values of the – of the party – in this case an individual, President Putin – whom you’re trying to deter. And to put it pretty directly and succinctly, in President Putin’s eyes it appears that – his view is that the United States is the aggressor in this space. When Russian authors have written about hybrid warfare, they’re talking about U.S. and Western nongovernmental organizations who have come promoting democracy. And they’ve thrown some of them out of Moscow, but it continues to be, in their – in their view, a campaign.

They see the United States and Western Europe pursuing NATO expansion. We’ve done that since the end of the Cold War, and at this point in time Georgia is still on the table and Ukraine potentially is.

The United States is pursuing conventional military superiority. It’s part of the National Defense Strategy. In fact, it was explicit in the last administration, as well as this administration.

And somewhat surprisingly to me, the Russians also believe – and I believe President Putin believes – that the United States is pursuing nuclear superiority. When you look at this crazy so-called Status-6 system – the nuclear-powered nuclear torpedo intended to, with a multi-megaton cobalt-based warhead, take out the West Coast of the United States – it shows a certain degree of paranoia, to say the least.

So you can argue that Putin is wrong on these issues, as I believe that he is. But at the end of the day, President Putin and the senior leadership believe that the United States and the West are pursuing regime change. If you want to understand the stakes here and what President Putin may be trying to pursue, you need to understand it at that level. The bottom-line goal is to prevent us from having the ability to grow NATO, to put pressure on them, and ultimately to impose regime change. Pretty high-stakes stuff. That’s point one.

Point two, we need to push back. And as we do so, there will be risks of escalation, as the United States and others push back. But if we do not push back, there will be certainty of escalation. And the escalation initially will be one-sided; it will be Russia continuing to increase the steps that it takes in terms of its information operations; in terms of its potentially affecting elections rather than just having some potential to do so, as it did in the last election; and, obviously, should it wish to do so in terms of its turning the dial up on pain on the United States through cyberattacks on the electrical grid, on water supply, and on other critical infrastructure, and we just saw reports yesterday about Russian capabilities in that area. So we now know as a matter of public record that Russia has cyber tools embedded in the U.S. electrical grid and in other areas – to include in our nuclear power plants, which shows an ability to scale this, potentially, to a pretty high level.

So taking action will have risk of escalation. If we don’t take action, we’ll see one-sided escalation. And at some point – at some point there’s no doubt that either this president or a future president will decide to take more significant action, or Congress and the American people will press toward that. And if we haven’t taken action in the meantime – if we wait until it reaches a catastrophic attack on the United States in the midst of a crisis – then President Putin is likely to be surprised by the action we take, and – that we take, and the risks of serious military escalation will be far higher. So if we wait to impose greater costs, somewhat paradoxically, perhaps, we run a – we run a much greater risk of escalation.

I want to just list – just literally list – one sentence each – 10 steps that we could take.

First of all, to reiterate, much stronger sanctions that target Putin and his – and his oligarchs or cronies.

Second, enlist international support for these sanctions. We have begun to do that. We need to do more.

Third, be prepared to back off of these sanctions that are focused on cyber and information operations if Putin’s behavior changes, so that they are conditional. That’s an important part of having successful deterrence and coercion.

Third (sic; Fourth), we do need to develop real – not just legal actions and not just sanctions, but real cyber options to go after Putin’s valued assets through cyberspace so he doesn’t think that he has escalation dominance.

Fifth, I completely agree we need to get off the dime boosting the defenses of our election system. We’re behind the power curve for 2018. We need to be in a much better position for 2020.

Sixth, we need to push back on information operations. And we can talk about how far we want to go there. The State Department’s Global Engagement Center is effectively doing nothing but studying the problem at this point in time. We can debate what it should be doing, but nothing doesn’t seem like the right answer. It’s been great to see some of the big companies, including Facebook, Twitter, and Google, begin to step up. Their role is going to be fundamental in fighting fake news and so forth, and it does come to First Amendment issues pretty directly, but it’s something that the private sector will have a central role.

Seventh, the push on defense of critical infrastructure is fundamental. It’s a long-term campaign. We’re 10 years away, at least, from being able to protect the electrical grid, so that’s not going to be a near-term solution.

Eighth, we need to expand help to our allies and partners because today – and as we improve, they will become more vulnerable in relative terms. And they will be a target, as we’ve seen from Russia to date.

Ninth, we should not cut off high-level contacts with Russia. One of the – I would have liked to have seen Theresa May and the British government do more in terms of imposing costs, but not to have cut off high-level contacts. We need to have those discussions. We need to ensure that President Putin and the senior leadership understand why we are doing what we’re doing. And because there is a significant likelihood of this escalating, whether it near term or long term or both, we need to have those channels. We need to have people who are able to understand each other in that context.

And tenth, and related to that last point, we need to be prepared to strap it on here. The U.S. is under attack. It’s a different kind of attack than we’ve experienced before. It is going to escalate. It will either escalate because we don’t do anything for a long period of time and the other side continues to escalate, and then we will respond, and that will be very difficult to manage; or it will escalate more systematically and we’ll have an opportunity to have a bit of a – a bit of a learning exercise on both sides. But it’s virtually certain to escalate.

So far, this administration has taken very modest steps – far too little, far too late. I hope that they’ll take more significant steps literally in the coming days and weeks. Thank you.

MR. LEWIS: Thanks, Jim.

That last point is one that struck me. And one of the reasons we’re having this event is in discussions you have with, I’d say, intelligence or military professionals on an unclassified or classified basis, there’s a general consensus within the community that we are in a conflict, right, and that the conflict is getting better and not worse, and that we actually aren’t doing so well.

MR. MILLER: It’s getting worse, not better.

MR. LEWIS: That’s what I meant. I beg your pardon. Getting better – better for somebody else, but not for us. (Laughter.) That’s the wrong way to go.

So we are in a new kind of conflict. And if I got a general agreement from the speakers, it’s that we need to do something back. And so maybe we could start our own discussion here by asking, what does that do something back look like? And one of the ideas that some people, including me, have floated is we had a fairly effective campaign – we can talk about how you define effective – against ISIS. It was Joint Task Force Ares. Should we be taking – and, Jim, you mentioned we need a cyber response – should we be taking pages from the JTF Ares book and applying them to our opponents in cyberspace – Russia, China, Iran, maybe North Korea?

MR. MILLER: I’ll go first, if that’s OK.

MR. LEWIS: Want to go first and then we’ll go down the row?

MR. MILLER: So I think Joint Task Force Ares is a good model. It included both cyber activity – technical cyber actions, as well as information operations. And the idea of having a campaign plan, a campaign approach, is critical as well. But the range of tools that should be brought to bear with respect to Russia and its information operations, its cyber actions and its – and its – and in some of our allies’ domestic politics pressure, as well, being brought to bear on individuals and parties, we need to have a much broader portfolio. It includes legal action, it includes economic sanctions, and so forth, and it includes working with our allies. But a campaign plan that includes all of these elements, to include pushing back on both information operations and on cyber is – does make a lot of sense.

MR. LEWIS: Rick?

MR. LEDGETT: Yeah, I think – I think it does. I think it’s got to be, as Jim said, knit together with legal and economic and diplomatic activities. It can’t just be just cyber.

Some of that has to do with the fact that we live in a glass house when it comes to cyber. We’re more vulnerable than Russia is. And so a tit – in a tit-for-tat battle, we lose because the American people have more at risk than the Russian people do and the Russian – or the American government has more risks than the Russian government does.

And so you think about the malware that we talked about that’s on critical infrastructure in the United States. Well, it’s been there since 2012, starting with something called Havex, and then 2014 BlackEnergy bot. And it’s been known, you know, that it was Russian. And so the question is, what’s that about? Is that about having a capability to use if and when you want to? Is that about messaging, the deterrent value? And I think it’s probably a combination of both: good military planning just in case, and a little strategic messaging and a little strategic deterrence mixed in there.

And so to counter that, you can’t just go back and do cyber activities. You have to do more than that. You have to engage the legal system. You have to find the enablers both in Russia and outside Russia that are enabling that sort of thing to happen and start figuring out how do you exert pressure on them. You build a coalition of likeminded countries in order to make statements about, you know, these sorts of behaviors are not tolerated.

Congressman Mike Rogers and I wrote an op-ed a few weeks ago on four things the government should do. And one of them – and arguably the most important one – is a U.S. statement that says this behavior is unacceptable and we’re not going to tolerate it. We’re not going to get international agreement in the timeframe we need before the elections, so the U.S. should just say that unilaterally and then use it as a basis to gather international support for that sort of thing over time.

MR. CARLIN: Now I’m in the position of being able to say I agree with everything that – (laughter) – that Jim and Rick said.

I walked through a little bit already in my opening remarks two areas I think that, in terms of – you don’t need like for like in how to respond to this activity. You need to devise measures that impose enough pain to change the cost-benefit analysis. And that’s where focus one on two types, at least, of sanctions that we haven’t done to the extent that we could, both in terms of what the law allows and our ability to apply it when it comes to both the assets – companies and real estate – of oligarchs, and also the macroeconomic sanctions.

And then, secondly, the idea that there are known operatives in almost all of our allies that are operating out of post, and so far it’s been tit for tat. Each country, as something provocative occurs, will respond. But if that was done in coordination with allies simultaneously, it would show that there’s an increase to the cost in this behavior.

And the behavior right now is not against the United States. We’ve talked about the United States, but it’s global. And that’s the behavior that has to stop. Russia is becoming a rogue nation. And I don’t know – we can kind of guess at the strategic calculations that are causing it to be increasingly rogue around a variety of areas, but that decision tree is causing it to do things like attack international institutions like the Olympics, to use it looks like Russian-affiliated actors using chemical weapons on the soil of a close ally, the harboring of cyber criminals committing billions and billions worth of damage to everyone around the world, and the servers are known to be located. And rather than take them down, they’re signing up many of these organized criminal groups as intelligence assets while giving a green light to their continued criminal activity. To the use of something like NotPetya, a destructive virus that self-propagates. It pretends to be ransomware, but in ransomware if you paid you’d be able to get your computer system back and in this one you couldn’t. That’s hitting everything from hospitals to companies.

When you look at that behavior, to Jim’s key point, is it’s against their own interests along with ours to allow that to continue to escalate, because eventually there’s going to be a snapback, and that increases the chance of both sides miscalculating and having a much worse situation than you have now. Which is why I think you’re hearing unanimity that it’s so urgent that we act immediately to stop that otherwise one-way ratchet of escalation that makes it much more likely that there’s a conflict that causes much wider harm.

MR. LEWIS: You’re going to hear agreement among the three of my speakers and me throughout the thing. And that’s one of the things I wanted to get out of this, is you talk to people who either are in the business or were in the business, there’s a general sense of consensus. There’s a general agreement. And so one of the things we’ll try and do here is maybe tease out if there is some place we can fight about. Haven’t found it yet. But it’s also to help get the public message out there that we are going into a fight. We’re in a fight, and we now need to maybe put a little bit on our side.

And a couple points came up that might be worth talking about. One of them is one of the advantages that some of our opponents have – and if we come up with response strategies, they could be applied to China or to Iran, who are also very active; to the North Koreans, who are currently on their best behavior, but that could always slip – they know that we worry a lot about being consistent with both our own laws and with international law, and particularly with international humanitarian law. And so how much do we need to worry about proportionality in these responses? Do we need to think about proportionality? What is proportionality in these sorts of activities? So we want to follow the laws of armed conflict, and it turns out that makes it a complicated response.

I don’t know who wants to go first. Jim? I’m looking always at you. (Laughter.)

MR. MILLER: I would be pleased to go first, but we have – we have someone with legal training – (laughter) – I would –

MR. CARLIN: It’s the first time they turn to the lawyer.

MR. MILLER: If I could make a quick comment so you don’t feel badly about that, John – (laughter) – from my perspective, proportionality does not mean either that the response is symmetric – cyber for cyber – not does it mean that it’s at exactly the same scale. A proportional response that’s intended to send a message that avoids a war could be substantially a larger response than something that was – that was tit for tat.

Now, that’s from a policy perspective. Over to – over to someone who understands –

MR. LEWIS: Now the lawyers will tell us why that was wrong. (Laughter.)

MR. CARLIN: No, no, no, I think that – I think it is – it is right. And forget the – the lawyer’s saying forget the law here, it’s the right policy to try to devise something that’s proportionate. That is, in other words, is designed to fit the action that you’re – that you’re responding to and want to – want to discourage.

Now, it so happens in this case that we have pretty good estimates, particularly if you take into account, again, the scale of damage caused by both NotPetya but also the continued harboring and flouting of international norms when it comes to cyber criminal activity. We talk often about this big, amorphous land of organized criminal activity that’s occurring through cyber-enabled means – and rightly so. It’s not, though, amorphous. It’s not occurring from every country around the world. The cooperation between like-minded countries who disagree on a lot of other areas but cooperate when it comes to law enforcement, when it’s criminal behavior, actually narrows it down where a lot of the behavior right now that’s affect the entire world’s – I’d say digital economy, but really ecommerce is commerce now – is emanating from Russia.

That means, though, when you’re talking about proportionate steps, the damage amount is way up in the billions and billions of dollars. It would be an interesting report actually to follow up on the CSIS if you did an estimate. So let’s say the last estimate is somewhere between 650 million (sic; billion) to a trillion dollars’ worth of damage from criminal cyber behavior. How much of that can you assign a percentage that’s coming not necessarily from the Russian – that you can directly attribute to the Russian state, but is coming from Russia without response to request for law enforcement cooperation? That gives you a sense of where the outer boundary might be on proportion.

MR. LEWIS: We’ve actually gotten exactly that question from the House Finance Committee. So hopefully we can cook up an answer to it. But I think it’s probably going to be more than 50 percent is attributable to Russia. That’s a guess. And we need to refine it.

But, Rick, when you think about proportionality, how much did that worry you in your old job?

MR. LEDGETT: Oh, I think, exactly as John points out, you know, it’s a legal basis. We’re a nation of laws. We follow those laws. And so, of course, we have to—we have to be proportional. But I also agree with what Jim said. Proportionality doesn’t mean exactly equal, and certainly not exactly in the same domain. So what are the things – if you look at the assault on our democratic institutions and our society and the use of inflammatory, you know, sometimes fake news, sometimes emphasis of – or slants on a particular story that may have a kernel of truth, that is a big deal. That’s a strategic attack on the United States. And so I think the bar is pretty high in terms of things that we can and should do in order to respond to that. I’m not advocating a military response. I don’t think that’s appropriate. I mean, a kinetic military response. But I do think that there are things short of that that are serious that we should consider.

MR. LEWIS: You could think of a – sort of scale where you’d have cyber, kinetic, legal measures on one side, covert and overt. Is there a preference for how to do this? Does overt have an advantage over covert? What’s the blend that would be most effective?

MR. LEDGETT: Can I take a swing at that? So I think that we want the hand of the United States to be seen in this place because we’re sending a message, we’re trying to deter behavior. And so if you don’t let the hand be known, at least tacitly, then it leaves you in a weak place. And I have to say that the Russians have done a masterful job of this, of doing these – taking these actions and doing things that are essentially, you know, illegal under international law, but having it be known but not provable that it was the Russians, in sort of a wink-nod. That’s good from a deterrence point of view. It’s also good for internal consumption, and it shows the president as a strong man who stands up to the West. And the Russian view is that, you know, they’re not a great power anymore because the West victimized them in the Cold War.

MR. LEWIS: Jim or John, did you want to?

MR. MILLER: Sure. I think you covered many of the categories, but it’s worth being explicit to include diplomacy. If it’s limited to diplomacy – in other words, you know, strong words and so forth, it’s clearly going to be inadequate. But in addition to – in addition to the categories you put out – and John can speak in detail to this, and with more expertise, of course – is economic sanctions of various flavors, whether they’re targeted at specific individuals, whether they’re targeted at other entities, at firms. They can be tailored. They’re not a perfect tool, but they’re a critically important tool in this area. And I do think that we just need to say if we are getting hit with offensive cyber penetrations, then the use of offensive cyber to counteract that should be on the table.

MR. CARLIN: On the point of diplomacy being an important part of the package, I think that’s right. And it’s also proportionate to what’s occurring, because, again, it’s not – it’s an attack on democracy that we’re seeing, where there’s a systematic attempt to undermine democratic regimes in countries throughout the world. Cyber criminal behavior is affecting countries indiscriminately throughout the world. Reckless use of offensive tools like NotPetya affecting countries throughout the world. And so the most countries that can be involved, the greater the likelihood you increase the cost in a way that changes the behavior before it reaches a state that you don’t want.

And so, related to that, I think public is important. And that includes working on means. Use of criminal indictments is one. Sharing information with private sector and with parties overseas is another. Of sharing resources and making attribution public, and continuing to – continuing that strategy, which I think this administration is pursuing. Speed matters. So trying to do that quickly and in conjunction with allies.

I’ll throw out one idea that I’m not sure I exactly endorse, but to try to be – another area to take a look at would be – and this is related really to the cyber criminal activity. I don’t think it fits as well for the undermining an election regime. But the sovereign immunity doctrine, to see if – you might be able to do it now – but also to see if there are ways to look at statutes that would increase the likelihood that private parties could bring suit for the damages that they’ve suffered. And one – NotPetya, the damages to certain companies are already out and outlined by independent groups. So there are victims here suffering damages.

You could consider such a mechanism as well for election. I think it’s harder to come up with a concrete – damages is probably less suited to the civil system. Now, that approach has been explored before for those who support state-sponsored terrorism. And it has drawbacks as – drawbacks as well, because – which is why I think it’ll be – that one is more provocative. I’m not sure I’m endorsing it. But something to think about.


MR. LEWIS: Pretty bold. Go ahead.

MR. MILLER: It’s interesting. Jim, could I – could I add a category? And actually, I may ask a question of you, because you’re deeply expert on this topic. So, improving the resilience. From a technical perspective of the critical infrastructure, for example, is vitally important. Our Defense Science Board report concluded that we are not going to get there within the next 10 years with respect to Russia or China. But taking those steps will make increasing the resilience of critical infrastructure and the – and the cyber protection associated with it – will make it more difficult for them, will make attribution more viable, and it will make it also, and critically importantly, less likely that terrorists or other lesser state actors, like North Korea and Iran, are able to hold us at that kind of risk of catastrophic attack.

And the same is true on the information side, that the Russians are really piling onto – they’re piling onto fires that are already lit on the far right and the far left – they’re pouring gasoline on them. But they’re not creating new arguments for the most part. They’re amping up argument that are there and trying to get us to be more polarized. The reality is that the phenomenon of fake news is not something that they brought here. It’s something that has existed over here, and that they’ve helped to develop further. So finding ways for – it’s heavily in the private sector, but there’s a government role as well.

Finding ways for us to combat fake news in ways that are consistent with the First Amendment and so forth I think are fundamentally important. And you can think of that as a type of resilience. But I just wanted to put that out as a category. It’s – I think it’s absolutely essential. I do not think it is by any means sufficient, but it is absolutely essential. And it is even more essential for the lesser actors who have increasing cyber capabilities and who are going to want to get into this game of manipulating U.S. public opinion as well.

MR. LEWIS: No, I think you need to split it into two parts. And so on the resilience side, I’m a little gloomier, in that I don’t – ten years is probably an optimistic estimate. So I do think – so I used to make fun of deterrence, and I still do at some levels, but I think you have to convince potential attackers – and we have four – that the risk of doing something to U.S. critical infrastructure is outweighed by the cost. And that’s part of what we’re talking about today, is how do we identify costs that could apply to people?

On the social media side, I think there’s this question of what does intermediation look like? What does the ability to impose new standards on the new media look like? And, you know, some people have said, well, Facebook needs to go out and hire 3,000 editors. They probably don’t need to do that, but how do we encourage people to begin to identify the false information. That’s probably something you can do with technology. But how do we do it in a way that’s respectful of freedom of speech? And so it’s a very intentionally complicated issue, because no U.S. government agency has the authority to go and say: This is – this is fake news. This is false. So it’s something that we’ll have to either change the laws or find incentives for the companies.

MR. LEDGETT: I do think that there’s a role for the government in terms of helping identify the provenance of a story and helping to identify – you know, the first time this story appeared was in this place, to our knowledge. And so that’s input to a process that I agree the government can’t run. But I think that – and, John, you would be the expert on this. But I think that, you know, they could add a paragraph to the 39-paragraph end user license agreement that nobody reads that says: Hey, we are going to exercise our judgement and we’re going to flag, you know, things that we believe are suspicious or don’t look factual. And you agree to let us do that.

MR. LEWIS: How would you break – how would you avoid a tit for tat cycle? What would you do to – this is not going to be a one-move game, right? So we’ve experienced things. I think we all agree we should do something back. And I’m fairly confident that other side will not say, OK, we give up. So we are going to get into an iterative process here. How do we control that? And I don’t know if escalation dominance is the right way to think about it. That’s a nice nod to Herman Kahn. But what is it we do to get out of the cycle of just tit for tat? And you’ve seen this in – certainly in some of the terrorist cases, certainly in the Israeli experience. It doesn’t do you any good to get into response – a counter-response cycle.

MR. MILLER: I agree with that. And it’s true within cyberspace. It’s because, as was noted earlier, we are more vulnerable than Russia in cyberspace. That does not necessarily need to be the case forever. I do think 10 years is probably on the optimistic side for hardening, but it’s not the optimistic side for increasing our offensive capability, which is – which is, I’ll say, non-trivial, even today. One of the challenges we need to just have in the foremost of our mind as we think about U.S.-Russia tit for tat is that the high end of the escalation ladder is thermonuclear war, right? And so taking steps to show that we have limited aims, even though we’re responding strongly, keeping open channels of communication, taking note of fire breaks.

Today, there’s a fire break certainly between conventional and nuclear. I believe there’s a fire break between, if you will, non-kinetic and kinetic. At the point at which you cross one of those fire breaks, you’re opening up a new – a new level of potential conflict. And it’s – and it’s important to understand that. And finally, there is also something to momentum as well as to – as to tit for tat. In other words, if the other side doesn’t have a chance to absorb your actions along with your explanation of the action and its limited aims, as well as its intent, then the possibility of moving into a rapid tit for tat that could spiral I think is much more – is much more dangerous.

I think you also have to demonstrate that you’re in this for the long haul. This isn’t a two-move game. This is a game until it’s done, until we get to where we want to go. And that requires a uniting of messaging from the administration and from the Congress to say – and the support of the American people – to say, yes, this is something that we think is important. And we’re going to stay in until it’s done.

MR. CARLIN: I think with the support of the American company and, ideally, key allies – key allies as well. I think where we are in we’re so far behind where the escalatory actions have taken us that the next step, ideally, should be coordinated and large. And that will give – that will give a pause and time to assess. The problem now is that it’s coming late and small. And so in that sense, it invites a similarly small retaliation. And you’re always behind where the initial provocation – where the initial provocation was.

This was serious. Undermining our elections was serious. And I know I’m a broken record on NotPetya, but it’s amazing to me that that’s been publicly attributed and disclosed, but the action to date in response – this was a good beginning this week where we saw sanctions for the first time – has not been proportionate to what occurred. So that ledger needs to be balanced I think with the next – with the next set of actions.

MR. LEWIS: If you were going to look for a precedence for this kind of action, at least for me, the on that occurs first would be the Reagan administration – that’s how long ago this was – where you saw concerted action against, at that point, Soviet espionage by the U.S., the U.K., Canada, and some of our other major allies. So what do we need to do more with our allies? How do we work with our allies on this? U.K.’s easy. They have an incentive. (Laughter.)

MR. MILLER: Well, I think it’s at two levels. And John has really spoken particularly I think to both of them. At one level, it’s the – it’s the – it’s the coordinated responses. And it’s working together so that we don’t surprise them or cause them to think that we’ve gone off the deep end or are going to take such escalatory actions that we then lose their support and we weaken the alliance. Which, frankly, to President Putin, would be a win. So it’s that level of communication and it’s coordinated action. And showing to President Putin and to others to whom we wish to deter that we are capable and will act together, that doesn’t mean lowest common denominator. I think at the end of the day having a sufficient coalition is very valuable. But it doesn’t mean that everyone has to agree.

And then secondly, on technical cooperation as well. And that is – that’s been occurring over recent years. I think that that dial could be turned up dramatically. I know that there are – in working with some of our allies there are concerns about security of intelligence and security of technical information, and so on. But the reality is, to deal with the technical challenges and to deal with the vulnerabilities that we have in these systems. Speed is going to be more important than information security, in my view. And so getting the cycle where we work with our allies and partners closely and help facilitate the private sector supporting them, even more than government-to-government, I think is going to be – is going to be fundamentally important.

MR. LEDGETT: There’s a – there’s a number of Western-style democracies who have been subjected to this sort of stuff. Japan, in terms of the Olympics, is one, I think. Germany, France, Norway, Netherlands, Sweden, Italy. All of them have in one way or another been subject to this kind of activity. And so it seems like there may be some natural allies in that space.

MR. CARLIN: And to your – Jim, this is something you keep emphasizing in your questions. This is not just an issue of Russia. This is an issue of – at least in the cyberspace, I think, of sending a message to those other actors who are wondering what red lines are, what you can get away with, what are the norms when it comes to international behavior. And in that sense too, it escalates the stakes of getting this right, or you’re encouraging a miscalculation by, say, a North Korea or an Iran or another actor, when times are tense.

MR. LEWIS: So the U.S. is encouraging a response from like-minded nations to activities like this. And the response should be, you know, temporary, painful, but reversible, right? And what you get back from some of the smaller NATO members is: I’m worried about attribution. I’m worry that – I just won’t take your word anymore that it was whoever you say it was, North Korea, China, Russia. What do you do in those cases? And our answer, by the way, so far, has been: Can’t tell you sources and methods. Do you change that? Do you just give up and act unilaterally or with – you know, some people have said coalition of the willing? What’s the right response?

MR. LEDGETT: Yeah. I think you have intel-to-intel service conversations about that. And we do exchange classified information with partner services in other countries. And so – and it doesn’t mean you show everything, if it’s a particularly sensitive source. But you show a lot more than you would show publicly. And so – and then if the – hopefully the government trusts their own intel people and they say, yeah, we looked inside the covers and it’s real.

MR. MILLER: Jim, I think –

MR. CARLIN: I just –

MR. MILLER: Oh, John, go ahead. Go ahead.

MR. CARLIN: I think, as well, you’ve seen a strategy – this occurred in the December actions. There really were three. People focus more on the shutting down of certain facilities and removing operatives and sanctions. But the third was releasing the signatures of the code that was being used by Russian actors. And similarly, it’s been an open secret in the cybersecurity community that the energy breaches were linked to Russia. But stating it publicly allows you then to show those indicators to allies who were looking at the same tradecraft. So there’s a way in this space to work with robust third-party community of independent cybersecurity experts who wants to get the signature and make use of it.

MR. LEDGETT: John raises a really good point, and one that I don’t recall seeing in the press, those same implants and critical infrastructure exists all over Western Europe and other, again, friendly to the West countries. So it’s not just in the United States.

MR. LEWIS: If you were going to do one thing right now – I know we’ve talked about the need for a coherent strategy and an all-of-government approach. But, OK, now you’re on the spot. What would you do? What’s the one thing you would do right now? Would you fry the servers in the Internet Research Agency? Would you – what would you do? Would you release Panama Papers 2? Would you – tell me what you would do?

MR. MILLER: So I’m going to – I’m going to do a cheat. The first thing is to have a campaign plan approach to this, right? And to work with our – and once we’ve articulated where we think we should go, to work with our allies and partners so we’re not acting alone. Second, I think it’s time to go directly after the so-called oligarchs, and to hit them in the pocketbook in a way that President Putin notices. And that would be done through targeted economic sanctions. And that would be – I think it’s useful to have a category of these – of sanctions that are specific to the combination of cyber intrusions and ongoing information operations. And for example, we could say these would come off if we get through the 2016 election cycle, and our allies do get through their election cycles as well without interference.

And they could – they would go on –

MR. LEWIS: 2018, you mean.

MR. MILLER: I’m sorry. Yes. Yes, thank you. 2018. And then similar for 2020. But that we leave room for them to be dialed further up also if there’s more interference. That would – that’s not sufficient, but I think that is a necessary part and it’s one that I would be looking to build consensus on right now.

MR. LEWIS: So just to push that one a little further, a key part of what you would do then is interact with the Russians and be fairly clear in messaging them about what we’re doing.

MR. MILLER: Yes, exactly.

MR. LEWIS: OK. Great.

MR. LEDGETT: I think that’s exactly right. And the campaign plan is a key part of that because, you know, if you don’t know where you’re going, any road will get you there. But we need to know where we’re going. And we need to have – it doesn’t need to be a fully formed plan, you know, on page 35. But the first five or 10 pages need to be clear. And included in there is an overarching statement of the goal, and something that you could use to generate unity and enthusiasm inside the country and with allies to support that thing. And then the first actual act I would take is exactly that, going after the oligarchs’ money in terms of asset seizure. I would use the power of the U.S.-based financial system and the banks to exert influence on banks that might not – that we might not have great relationships with. But they all send money through U.S. banks. And so that gives us a very big lever that we can use in that case. We should be willing to use it.

MR. CARLIN: I started in the same space, so I agree. The other thing I would consider – but this has less to do with the cyber activity and more to do with the incident that just occurred in the United Kingdom is, again, to contemplate the simultaneous expulsion of members at post that are linked to their intelligence apparatus across multiple – across multiple allies. The other thing which I think is deterrent with another action, which is the pending legislation, would be a dead man’s switch, as I’ve advocated for a while, that says essentially if there’s a neutral objective assessment from the intelligence community that’s provided to Congress that says X country – and it’s country agnostic – is meddling with our election, the following retaliatory actions will occur.

And there’s a version of that – I can’t remember which bill; I think it may also be in the Rubio bill – that says essentially when it comes to Russia, here are five banks. And the executive branch can pick two – any two of the five. But if this is the conclusion that there’s meddling in 2018, then they will face macroeconomic sanctions, which would cut them off from the U.S. banking system. That way your red line is clear pre-election. And hopefully no confusion as to what our action would be. And it takes it out of the partisanship, so it doesn’t exacerbate any tension between – any internal tensions here. And that way achieves their goal because it’s a dead man’s switch. It’s going to happen if the conclusion is reached. It’s not a party decision.

MR. MILLER: I would just – I would just say that it’s with great reluctance that I endorse that idea. (Laughter.) Not just because of the history of the idea in the nuclear business, whether Russians reportedly did have, at least in the past, such a mechanism to release their forces. But also because I would like – I would like a situation in which the administration and Congress would work together and tailor something. That’s been difficult lately. And because of that I would support that. I would just add that it should be the floor not the ceiling. And that should be understood, because otherwise you’re allowing your potential adversary to calculate exactly what the costs are. And they can – and you want to add that uncertainty. You want to be able to add to that cost.

MR. LEWIS: So that – you can tell a couple of us are recovering arms controllers because we keep coming back to it. But it makes you wonder what would a declaratory policy look like for this? Does a declaratory policy make sense? And maybe not in the old-fashioned way of a single sentence that says if X happens Y is the consequence. What – do we get a benefit from having a better declaratory policy. Do we even need one?


MR. LEWIS: That was easy.

MR. MILLER: Yes, we need one. And at the center of it should be if we are attacked in cyberspace or information space, we will respond. We will respond in a way that is intended to increase the costs of that attack so that they significantly exceed any benefits that the attacker could expect to achieve. And then fundamentally, importantly, we then need to act on it. What we’ve – I mean, we have multiple statements that amount to a declaratory policy from many parts of the administration and from many members of Congress. And what we haven’t done to date is take substantial actions that actually do increase the cost that have any possibility to be even approaching the level of the benefits that are being achieved by these attacks.

MR. LEWIS: So maybe another conclusion from the – Rick and John respond – maybe another conclusion from this conversation is we need to act.

MR. LEDGETT: Yeah, I agree on the need for a declaratory policy. As I said earlier, and as we said in the op-ed. And I think it – being overly specific is bad. You don’t want to give them a roadmap on, OK, well, this is OK, so I can do this. And you want to just say, you know, if we see activities that indicate, as Jim said, that we’re being attacked, that our critical infrastructure is being attacked, or that efforts are underway to undermine our democratic processes, then we reserve the right to act with all elements of national power as we see fit, in a proportional way. Lawyerly words to that effect. (Laughter.)

MR. CARLIN: And I don’t want to underestimate that it’s important to have a declaratory policy. But I would firmly agree with Jim. We had one. We declared it. We’ve declared it now multiple times in the context of specific actions, and then not acted. And that has a – the inverse effect of encouraging future action. So I think less time right now on figuring out the exact words of a go-forward declaratory policy, and more focus on putting points on the board and executing a response to the actions that have already taken place in violation of numerous statements from two administrations that really agreed on very little – very little else.

MR. LEWIS: If I was mean, I would now ask them why do they think we haven’t acted on this, but I’m not going to do that. Or, I could ask them how do we get out of the trap of making statements and not acting. I’ll put that one on the table. But before I do those questions, let me see if there’s anyone in the audience who has a question now. Now, we’ve got one. We’ve got two, three, four, five, six. We’ve got a lot of questions. So maybe we’ll just go down the row and end up. Go ahead.

Q: Steve Winters, independent consultant.

You mentioned the oligarchs several times. And I remember months ago I heard Paul Wolfowitz essentially float the same idea. He said, look, nothing’s working. The way to get to Putin? Get to those people he depends on to run the country for him. And attack them where they’re going to feel it – in their lifestyle, their money. So I’d just like a clarification on that. Now, I’m not a fan of Russian oligarchs. But the sort of principle here, you’re not actually saying the oligarchs are involved in a cyberattack or anything. It’s just Putin’s dependent on them. If we – if we put a squeeze on them, they’re going to say to him, hey, change your behavior, because we don’t like what’s being done to us. But if you extended that principle, I mean, if you didn’t like what Xi Jinping is doing, well, take the top 100 billionaires in China and put the squeeze on them. And then pretty soon he’ll change his behavior. So could you clarify that, exactly what the reasoning here is?

MR. MILLER: My guess is that we all have the same perspective on this but let me – let me go first. I’m not talking about a blanket approach to everyone who’s made a ruble – or billions of rubles in Russia, or anyone who is affiliated with President Putin in any way. Those people who are close and who are part of the decision making process, and specifically those people who are involved in a way in which we can credibly demonstrate – even if it needs to be through classified channels to key allies – we can credibly demonstrate that they have a role – excuse me – a role in decision making and in support of some of these criminal networks that were mentioned earlier as well. There were a substantial number to whom that would be applicable.

MR. LEWIS: And one thing I meant to raise and didn’t, because I forgot, was why China is in some ways a more difficult target than Russia, because of the greater economic strength it has, and the complicated commercial relationship with the U.S. But why don’t we do the – we can come back to – we have a couple of things we can come back to, but there were a lot of questions. Could you hold up your hand again? I’ve got – and then we can just maybe slide over that way. And then we’ll come back to this end.

Q: Thank you. I have two questions. So why do you say that we’re more vulnerable in cyberspace than the Russians? That’s number one. And number two, if there’s an unwillingness to act on everything you’ve said, what are our options? I mean, other than the handwringing. But so far the administration has shown an unwillingness to do much, even to acknowledge that Russia is a problem. Where do we go from there?

MR. LEDGETT: So I’ll take a stab at the first half of that, if that’s OK. The reason that I said the U.S. is more vulnerable than Russia is because we are so much more dependent on computers and networks and information systems that underpin our day to day lives – everything from groceries showing up in the grocery store and gas showing up in gas stations on time to the network that supports using your debit card to pay for those things when it’s time to them, to the power that goes to your house. All those things are intertwined and they’re all part of a critical infrastructure.

There’s a great report by the National Infrastructure Advisory Council from August of 2016, it’s on the DHS website, that talks about the intertwined financial, telecommunications, and electrical power critical infrastructure. And how if any one of those goes down, everything goes down.

MR. LEWIS: Although, the good news is that I think we’re approaching parity in terms of reliance on the internet. And maybe not all of Russia, but certainly key parts in Leningrad – pardon me – in St. Petersburg. Oops.

MR. LEDGETT: Moscow.

MR. LEWIS: Moscow. Why don’t we – hold your hands up again. And this time, Pat – every time I say that more people hold up their hands. Just pass the microphone along as we go and that will save a little time. But we’ve got the individual there with the blue shirt. Thanks.

Q: Mike Connell, CNA, Center for Naval Analyses.

I have a quick question. In the past, Russia’s broached the idea of internet sovereignty as perhaps a way of moving forward. That is, sovereign control of information flow within their territory. Is there any opportunity for working with them in that area, or is it just really there’s no room for compromise in that area?

MR. MILLER: Hmm. Do any of you guys want to?

MR. LEWIS: Well, so the idea has occurred you could make a trade where you acknowledged the desire by Russia and several other countries for greater control over the internet in exchange for some level of cooperation, perhaps on cybercrime, perhaps on stability. And it just – there’s two fundamental problems. The first is that, very often the deal would involve abandoning core parts of the Universal Declaration of Human Rights. And Western countries aren’t willing to do that. The second part is there’s a concern that you could make the concession and then not actually get anything in response. So it has been talked about in the last few years and doesn’t seem to be a useful avenue. Even the Russians don’t raise it anymore.

We had another one? Go ahead.

Q: Paul Schwartz. Also at CNA.

I think Mr. Miller mentioned early on that Putin perceives himself under attack and that the West is aiming for regime. And it was when it came time to talk about potential options going after the oligarchs was mentioned several times. Are these two things reconcilable? Or are we risking unwanted escalation by threatening the very thing that you said that he feels is fundamentally at risk here?

MR. MILLER: Yeah. In my view, there’s – it’s important to go after those people who are involved in this type of activity or supporting this activity, either officially or unofficially, and who are tied to President Putin. And, at the same time, to show that we have limited aims, to both state that we have limited aims and by the actions we take not demonstrate that we have unlimited or broader aims of regime change or of undermining the power structure within the Kremlin or the power structure within the country. Anything that began to hit at that would be at a very high level of escalation.

MR. CARLIN: And there’s a precedent with China, where there was the indictment of five members of the People’s Liberation Army, but it was very specifically tied, and the public messaging surrounding it made clear, that this was because of a particular type of activity that targeted private enterprise here for the commercial benefit of private competitors overseas. And subsequent actions matched that principle. It allowed for a breakthrough where President Xi agreed to that principle. And since then, you’ve seen a decrease in that type of activity – not all activity, but the type that was within that principle. And then you saw on the U.S. side there weren’t – there haven’t been additional actions that are outside of that – outside of that principle. So clear messaging and sticking with your lane, I think, matters.

MR. LEWIS: And if we have time, which it looks like we won’t, maybe we can come back to how would you persuade the Russians that we weren’t kidding? You know, that we really were serious that we weren’t going to change the regime? Because I think they’re deeply paranoid about that. But we had one more question – we had multiple more questions.

Q: Yes, gentlemen, thank you.

I think if you look a comprehensive look at our, like, policy on sanctions for Russians, it’s – going after the oligarchs is going to be what hurts Putin the most, right? We’ve sanctioned oligarchs. We’ve sanctioned banks and companies all over the world. My view on that is that I think that what Putin values most is being the puppet master. He likes controlling the intelligence services. He likes controlling illicit activity, whether it be through federal agencies or, you know, his army of hackers, or mercenaries in different countries. What approach could we take to attack him, if that’s what we think hurts him the most – being the puppet master, being the KGB officer that he formerly was?

MR. LEWIS: You can just pass it to your right there.

MR. MILLER: OK. I’ll give a quick first response. Your question highlights why it’s important to have a campaign plan and to think through the steps that may be taken today and could be taken in the future. My own judgement is that if you lead off by going directly after the instruments of state control and the center of President Putin’s or anyone else’s power, that’s a pretty big move. Far more serious than going after some of the assets associated with some oligarchs or other sanctions.

And I personally would think that you would want to reserve that type of move for higher on an escalation ladder. Understanding that you could get there, but that when we get there President Putin may believe what’s good for the goose is good for the gander, if you will. And there are steps that could be taken the other way around that could lead to, in my view, potentially serious escalation.

I wouldn’t take that step off the table, but I would say that if you believe that they’re already worried about regime change – which I do believe – to go after the instruments of power would reinforce that view and cause them to believe that they had to escalate in order to be successful. The capability to do that may be something that we desire to prevent them from escalating, rather than something we would lead with, in my view.

MR. LEDGETT: Yeah – if I could just chime in. I would agree with that, except I would add one more thing to the – in addition to the oligarchs, I would also demonstrate the ability, although not do it at scale, to get information into Russian citizens’ information flow. There’s dozens of technical ways to do that, everything from you know, broadcasting television over satellite into the country to doing things on the internet. And so I would demonstrate that, and I’d also signal that we can do this if we want to, and so it’s – you know, we’re holding back because we’re, again, trying not to be escalatory, but we want to demonstrate the capability.

Q: Ed Gibson, retired FBI agent and former chief cybersecurity advisor for Microsoft in the U.K.

Let me set the stage here. And, Rick, this question is for you. If we rightly assume that Russia has something that they’re holding over Trump’s head, is it possible – and I’m going to ask if you answer could be yes, no, or maybe – is it possible that Trump is taking actions – that the actions that Trump is taking to destroy our relationships with our allies and other countries with the intention – with the intention of making us act singularly such that our allies will not support us in the future? Is that possible – yes, no, or maybe?

MR. LEDGETT: So is it possible or is it likely?

Q: Likely. (Laughter.)


MR. LEWIS: There’s a fourth option, which is if you’ve ever seen Sesame Street, the option is me no recall. (Laughter.)

MR. LEDGETT: I think that’s highly unlikely. I think if you look at President Trump’s behavior over his career and how he interacts with other entities, there’s a consistency there. It’s not like a 90-degree or 180-degree change in behavior. So I think that this is just the extrapolation of that behavior into his new role.

MR. LEWIS: We had one in the back, and then we could maybe move over to this side. There’s a couple or there’s three. We’re coming close at time.

Q: Hi there. (Off mic) – with the House Committee on Homeland Security.

And typically in the past – (off mic) – a cyberattack, we’ve seen it geared more towards commercial and intellectual property. Given that the U.S. has had kind of a weak response and little expertise in international cyber diplomacy – (comes on mic) – do you believe that this has set a precedent – oops, sorry – do you believe that this has set a precedent for other nations to engage in this behavior and to interfere in other Western democracies? And if that is the case, maybe what countries could we consider as potential threats?

MR. MILLER: So I’ll take a quick cut at it. I think – I think each of the other panelists may have more expertise on the – certainly on the technical side.

I think that we were very slow to respond to Chinese theft of intellectual property. They did it at scale, at massive scale, and it was – had economic costs to the United States and economic benefits to them that I think are measured at least in the hundreds of billions, if not – if not trillions. So that was – we were late – we are late to take action. I’m pleased and proud that President Obama did so. And that – and I’m pleased and I was, frankly, a little bit surprised at how successful it appears to have been in reducing the scope and scale of what the Chinese were doing.

I think your question – your question is right – is along the correct lines. If you are a lesser-developed country and you’re looking to bootstrap your economy, trying to find niches or even larger areas where you can gain intellectual property and have a second-mover advantage, where you didn’t invest in the research and development but you can exploit it, it would look awfully attractive that a small investment could bring that along. The good news is that in putting pressure on that countries, the United States has a lot of tools, including not just legal and diplomatic but economic pressure as well for smaller countries. And it’s worthy of considering what a campaign would look like in that regard.

I don’t – I’ll turn it over to my colleagues. I was not aware of any countries – any small countries attempting to do that – attempting to do that at scale in the ways that having that diplomatic conversation and the threat of economic reaction would not be sufficient. But it’s something to – it’s something to consider for the future, certainly.

MR. LEDGETT: I agree with what Jim said. I misinterpreted your question. I thought you were asking will other countries take a cue from the Russians and try to pull the levers to affect, you know, elections and opinions inside the United States. I think the answer to that is yes.

And I also think that it’s not just governments that are doing it. A colleague of mine was in Europe recently and told about a contact from a company that was offering information operations in support of a brand in a not-very-thinly-veiled offer to not just speak possibly about his brand, but speak negatively about other people’s brands. So think of it as combat advertising.

MR. LEWIS: Some of us got a briefing on effective social media presence by political operatives, and my immediate thought was we should do it at CSIS to boost our ratings. (Laughter.)

But can we move the microphone over to this side to get those questions?

Q: I actually have one question.

MR. LEWIS: Oh, I’m sorry. Go ahead.

Q: Yeah. And it’s actually about social media. Earlier there was a comment about just giving Facebook 3,000 editors to clear up that content, but that goes against the main point of Facebook. Facebook considers itself more as a conduit, a platform for articles. So what does this look like when the U.S. government is asking things like Twitter and Facebook to help combat the fake news?

MR. CARLIN: Well, sort of just in terms of waves – so some of you may remember MySpace, which was one of the original social media sharing type companies. And the first wave, I think, is the – at first did not take seriously the fact that child predators were exploiting that platform to reach kids, and that to – some have said the fact that the platform no longer felt safe drove MySpace out of business and is where Facebook originally got its rise. And then we saw, at the time that I was working on terrorism issues, the Islamic State in the Levant adopted a new strategy of crowdsourcing terrorism and attempting to use social media – just like al-Qaida had used Western technology in the form of aviation to kill, they were trying to use social media to turn particularly young or troubled people into human weapons to kill.

And it took a little while in terms of conversation to convince those social media companies this was a real issue, threat and abuse. And when they were convinced – and that, I think, is a combination of private conversations and public attention to the issue – they took serious steps to combat it and put additional resources in. And we’re just at the beginning now of really focusing on the nation-state threat and the use of those platforms to do things like attack fundamental values, of undermining democracy. In the interim, the other issue that they’ve been having is bullying, which has decreased people’s desire to use the platform and is a way of preventing free speech if you are so bullied when you articulate an opinion that you leave the platform.

So I think there are deep business reasons consistent with their model why they want to make it, ultimately, a safe place. I think it was Rick who raised this, where there’s some transparency as well, so you’re not deprived of access to the view but you know where it’s – where it’s coming from. And that should be encouraged. And on the government part requires sharing as much information as they can about what the threat looks like in a way that the companies can consider and then take appropriate action using their platforms.

MR. LEWIS: It’s worth noting, too, that it’s not just the U.S., it’s also a number of countries in Western Europe, driven more by Islamic terrorism than by Russia in many cases, or now by political extremism. So it may not just be the U.S. that asks these companies to change what they do.

Can we move to this side? I think we’ve got time for – I think we’ve got two questions here. Is that right?

Q: Hi. First, thank you very much for coming today. Really appreciate hearing from each of you. My name’s John (sp). I’m an Air Force officer, and have a question about information operations.

And so, as it pertains to – I know you’d mentioned the GEC earlier today. I would be interested – the way that you portrayed it is that it was not very effective, in your opinion. What would it need to be effective? And is the State Department the right place for it? And then just kind of writ large your thoughts on information operations and how to do them effectively, and the authorities – legalities, maybe – that are needed, and what we could do to actually make them work. Thank you.

MR. MILLER: Yeah, great question. In terms of effective information operations, there certainly are areas in which the U.S. military does it effectively at the tactical level. And you can – you can go through multiple cases, including at certain points of time and in many locations in Iraq and Afghanistan, during those operations. That’s, obviously, not what we’re talking about here.

What we’re talking about is effectively communicating to external audiences, including international audiences, regarding on the one part of it the GEC’s mission, ISIL and al-Qaida and so forth, and the new part about Russia. And to me, what that fundamentally means and what is the – what is the centerpiece of effective information operations at the tactical level, it all is truth telling. And the reality is that the United States is not going to be the most credible source of information about Islam or about – or about Russia. And so that means – to me, it means building coalitions, and emphasizing that the mission is to get the true story out and to – and to shed light, you know, literally in some instances, on the – on what’s really going on.

And I think any effort to – anything that has the slightest taint of propaganda will be absolutely counterproductive, whether in the counterterrorism or in the – in the combating the propaganda from Russia role. It’s got to be about truth telling and getting – and getting the – and getting the story out and working with others who will be more credible than our State Department in that regard.

MR. LEDGETT: I agree. I think the model, to my mind, is like a combined joint task force, where you’ve got from all across the whole of government and you’ve got international partners, and they work together under some kind of a command-and-control construct to say here’s our – agree on the goal and agree on the campaign plan, and then execute it in that way.

And I’m a former DOD guy myself. I would not put DOD in charge because internationally that resonates in a certain negative way. But DOD would definitely be part of the team.

MR. LEWIS: Peter Neumann, who’s at King’s College in London, had a good idea a year or two ago – which I don’t know if he published, but this was in a conversation – that, you know, we should just – we, the USG, should just get out of the business because people aren’t going to trust us and, you know, we’re too old, and the whole bit. And he said, why don’t you just create contests on YouTube and have like a $10,000 prize for the best – we were talking anti-terrorism – anti-terrorist video? Let some kid do a rap video on – you know, or hip-hop on it, and it’ll be 10 times better than – we used to call them useless when I was a child, but the State Department entities responsible for this.

I think we have time for one more question. Is that right?

MR. LEDGETT: Yeah. While we’re waiting, Jim, that kind of reminds me of the – I think they called it the Madison Valleywood coalition that the previous administration put together to get Madison Avenue, Silicon Valley, and Hollywood together to try to produce counterterrorism messaging that resonated with –

MR. CARLIN: And they arrived right where you did, which is I think they sponsored – called hackathons –

MR. LEWIS: Oh yeah?

MR. CARLIN: – of developing content in universities. And the government just explained the terrorism problem and then stepped back and said we’d be the world’s worst messenger to disaffected youth. You do, you know, what you do.

MR. LEWIS: So that’s another area of consensus, is I think everyone up here thinks that USG should get out of the business when it comes to – (laughter).

Go ahead.

Q: Rob Shawl (ph), USG. (Laughter.) Homeland Security.

I think my question dovetails nicely with the last two in talking about the information influence space and building resilience. And maybe this question is to you, Mr. Carlin, specifically. What viability do you see in a German-style law or approach that says social media companies should have reporting mechanisms by their users for this kind of information, and maybe a reporting mechanism to the USG on how they handle that? Do you see that as something that could work here, or would that run afoul of 1A, or?

MR. CARLIN: So the first part of social media companies having a mechanism so that users could report content that’s in violation of terms of service, essentially, and have an effective mechanism, I think you’re seeing movement towards that by our – by our social media companies already. The question of then whether that will require reporting to government, that would be much more difficult and maybe not desirable to mandate. There’s huge brand incentive, though – depending on the type of activity, but if it’s criminal or other type of activity – to do those reports or do them at scale, ultimately.

And then, as I think Jim was touching on, we’re in a world of multinational corporations, where they need to operate and abide by the values of multiple countries and legal systems simultaneously. So the actions of countries in Europe are going to affect – sometimes they can be confined to the country. I’m thinking of the case of France, where certain content – if you had the same law here, it would be violative of the First Amendment. But there you can work out a mechanism where it doesn’t hit what looks like it’s a French IP address. But by and large, I think the solutions need to be ones that can sustain a global test.

So the value that it’s endorsing has to be one that is consistent with countries that share our values and ones that do not on human rights, so that it’s a neutral value. And then, secondly, the execution is one that they could abide by in multiple countries without being violative of the law. And that’s an easier – if you violate terms of service, then that is an easier one to come up with a reporting mechanism and do – that’s country-agnostic.

MR. LEWIS: Anyone else? No?

Well, let me try and summarize a little bit, and if I miss anything please correct me. So what I got from this was we’re in a conflict. It’s not the kind of conflict we expected, but it’s the one we’re in.

We need to act, right, that another declaratory policy or demarche memo will not do us any good.

We need a campaign plan, and it’s got to be a whole-of-government campaign plan. It can’t just be a one-off type of thing.

We need a portfolio of responses that includes legal, diplomatic, economic, and potentially military, you know, either overt or covert. And when I say military, it could be the intelligence community, it could be DOD, Cyber Command. But forceful responses have to be part of this.

This game will be more than one move. It will be multiple moves, and we need to think ahead of how we will deal with those moves.

Finally, messaging is important, both to the American public, to the political leaders so they know what we’re up to, but also to the rest of the world and to the Russian people. And that includes contact with the Russian leadership to let them know we have limited goals. We’re interested in stability. Regime change is not the target here.

Did I miss anything? Is there anything you want to add?

MR. LEDGETT: The only thing I might add is part of that preparatory work is getting everybody on the same sheet of music so that we’re, if not completely unified, at least most of the compass arrow is pointing in the same direction.

MR. LEWIS: Yeah, and I left out –

MR. LEDGETT: It’s for sustainability.

MR. LEWIS: – thinking about how to work with allies and making this more than a unilateral approach. So that’s a good point.

MR. MILLER: Two quick additional points, and they dovetail well with yours, Jim.

One is that we need to expect escalation. And if we don’t respond for a long period of time, we’ll have a rapid later escalation, and we’re better off having substantial steps. But we need to understand that that will happen. And your point about limited aims speaks to that.

And, second, that increasing the resilience of the critical infrastructure, and including our electoral system – or our 50-plus electoral systems and the technology behind them – and to find ways to reduce the impact and the salience of fake news are important not just because of Russia, but because these dynamics exist within our country. And other actors, including terrorist groups and small states that may wish us ill like North Korea, will want to exploit them, and their capabilities are coming up. So we can’t overlook that defensive side as well.

MR. LEWIS: John, any final –

MR. CARLIN: I’ll echo on the defensive side. I think we need to start thinking Moon shot and incentivizing the research that says we’ve put certain systems – we’ve moved information over a very short period of time historically, a 25-year period, from analog to digital. We then connected it through a protocol that was never designed for security. And we’re on the verge of doing that on an exponential scale while repeating the same mistake of not building security in on the frontend when it comes to the Internet of Things. And before we make that societal transformation, which would be the now, we need either legislation, regulation, collective will to ensure we don’t make that move. And so that’s another area where the time to act is now, and that really is regardless of who the adversary might be, to Jim’s, that might exploit it.

MR. MILLER: IOT and 5G both.



MR. LEWIS: Well, you come to CSIS to get good news, so I think we’ve – (laughter) – but on the bright side, the discussion today has sketched out a path forward and maybe a path out of the hole we’re in. So I’m pretty happy with where we came out today.

And please join me in thanking our panelists. (Applause.)