Now, a session on offensive cyber operations at #hewlettverify with @SangerNYT Avril Haines & @ERosenbach. Thread to follow.
@ERosenbach talks about the challenges in military offensive cyber operations where you can't lie about it (deny it), but can't always confirm.
Sanger asks about "Olympic Games" and Stuxnet. Without confirming, asks about the risk that occurs once the code is out.

Avril: Very hard to keep things non-attributable over the long term.

Rosenbach: Talks about how to design to be effective only in the right environment.
Rosenbach talks about lack of mitigation methods in NotPetya, throwing shade at Russians [for not exercising proportionality and discrimination].
Rosenbach runs through a hypothetical decision to strike against ISIS in Syria, and whether you use cybercommand or conventional force.
Sanger asks about challenges of targeting facilities located in other countries.

Haines: Risk that you could infringe on another country's sovereignty when you target their networks. But also need to think about norms & precedents.
Rosenbach: You can do norm building with people who already agree with you, but if you try to have that conversation with the Russians or the Chinese, you're kidding yourself.
Haines: in a state-to-state context, trying to prevent misperception, deter aggressive behavior, reduce vulnerability, to reduce instability. Then also begin to identify legitimate responses to aggressive behavior.
Also need to demonstrate deterrence.
Sanger: When Nakasone talks about "persistent presence" he means putting something on the network to deny access later.

Rosenbach: you need to think far in advance about whether you might want to take offensive action later.
Rosenbach: before 2010, it was illegal to even say that the US did offensive cyber operations. But Flournoy insisted on the change.

Was rarely done, we do speak about it. And there's a rigorous process for vetting an operation. "Not as scary as one might think from the outside."
Sanger asks what happens when reporters come to government officials with a story on offensive cyber.

Rosenbach: I'd call a lawyer for the conversation. Sanger had parts of the story, but other parts that were imaginary. Trying to explain that part is crazy, w/o confirming.
Rosenbach: Public doesn't have a right to know about the most sensitive operations that are going on *when* they are going on. Maybe after.
Rosenbach: Was surprised at media reaction to cyber operations against ISIS. But also, operation resulted in ISIS improving tradecraft.

Leadership of CyberCOM & SecDef had different ideas of what would be effective. (!!)
Haines talks about the process of developing a legal framework for these things, which was cumbersome.

Revealing things, but also it's the view of the entire USG for the framework, so that took time.

Many things still gelling in cyber, but we want to be transparent.
Rosenbach: poses hypothetical challenge where transparency if revealing an operation before it's completed would undermine the success of the operation against something dangerous to the US.
@SangerNYT says that in some cases it's because they have evidence that gets out, defends Stuxnet stories, North Korean stories, says mostly there are stories that are in the past.

Rosenbach: you're wrong. Those are ongoing operations.
Rosenbach: the stories allow the adversaries to look for operations. A delay in publication only buys you three months of national security.

It's not as easy as saying the public has a right to know about all the offensive cyber operations that are going on.
@selectedwisdom asked the panel 1) is inaction/pursuit of norms creating instability, 2) why do we pursue norms from a position of defense, not offense?, 3) as a USP you can't hack back, but are we considering that? Norm discussion is state to state.
Haines: act enough to create deterrence, not escalation. The US can engage in norm building from an offensive perspective. References development of Law of the Sea and how long that took. Mapping out what to do in the space short of a conflict.
Haines: US has had an outsized role in drafting rules. Questionable how we go forward with that in the future. It's also not the state to state piece, but also what do you do about non-state actors.
Haines: States also have the ability to set norms for non-state actors by building out criminal legal frameworks in the context of international agreements.
Rosenbach: if we're not going to take action against things that are clearly against our values (Hacking elections, Bezos), we're not doing our jobs in protecting the nation.
@vermontgmg asks panel about failures to defend against nation state actors in the past, what is the thing that we're failing to think about as critical infrastructure?
Rosenbach says it'll be a combination of hack + viral spreading that undermines trust in government.
Sanger asks about Shadow Brokers which shows up in WannaCry.

Rosenbach, "Yeah, that was a really bad thing."
Rosenbach, that there was no accountability for Shadow Brokers/WannaCry/NotPetya was really embarrassing.
Panel asked about cyberdisarmament.

Rosenbach says that people may talk about it in Berkeley or Cambridge, but you could never verify that another country wasn't stockpiling.

Haines: But could you remake the internet in a different form that allows for greater security?
@SpauldingSez suggests that there might be advantages to shutting down a grid in wartime rather than bombing that grid.

@SangerNYT mentions a plan that might have done just that in Iran, when the US was thinking of military strikes.
Rosenbach comes back to the missing threat -- a take down of GPS. What's worse? A takedown of democracy, or a loss of GPS.

[We'd be lost, literally.]
@SangerNYT gives Haines the last word.

Haines says the most important thing in cyber journalism is the education mission, and appreciates how hard reporters are trying. Notes that it results in a better debate.