Avril: Very hard to keep things non-attributable over the long term.
Rosenbach: Talks about how to design to be effective only in the right environment.
Haines: Risk that you could infringe on another country's sovereignty when you target their networks. But also need to think about norms & precedents.
Also need to demonstrate deterrence.
Rosenbach: you need to think far in advance about whether you might want to take offensive action later.
Was rarely done, we do speak about it. And there's a rigorous process for vetting an operation. "Not as scary as one might think from the outside."
Rosenbach: I'd call a lawyer for the conversation. Sanger had parts of the story, but other parts that were imaginary. Trying to explain that part is crazy, w/o confirming.
Leadership of CyberCOM & SecDef had different ideas of what would be effective. (!!)
Revealing things, but also it's the view of the entire USG for the framework, so that took time.
Many things still gelling in cyber, but we want to be transparent.
Rosenbach: you're wrong. Those are ongoing operations.
It's not as easy as saying the public has a right to know about all the offensive cyber operations that are going on.
Rosenbach, "Yeah, that was a really bad thing."
Rosenbach says that people may talk about it in Berkeley or Cambridge, but you could never verify that another country wasn't stockpiling.
Haines: But could you remake the internet in a different form that allows for greater security?
@SangerNYT mentions a plan that might have done just that in Iran, when the US was thinking of military strikes.
[We'd be lost, literally.]
Haines says the most important things in cyber journalism is the education mission, and appreciates how hard reporters are trying. Notes that it results in a better debate.