An “All-Tools” Approach to Disrupting Digital Threats

Search Transcript

momentarily you can see we’re all readyfor our first program which is going tobe a short conversation between Gregrattray of next Peak and Taj Moore ofAspen digitalum they’re going to be discussing uh anew paper that they have co-authored thetwo of them have co-authored along withJeff Brown of recorded feature who I sawsomewhere here there he isum and published in partnership with theAspen us cyber security group and it’son the concept of cyber defenseassistantum after that we’re going to be movingto the main panel where Aspen digital’sstrategic advisor and former actingDeputy Attorney General John corlandwill moderate a conversation about theU.S government’s all tools approach todisrupting digital threats he will bejoined by assistant secretary MatthewAxelrod assistant secretary Paul RosenDeputy assistant director of the FBIcyber division Cynthia Kaiser so that iswhat you have to look forward to afterthis first panel so to open things uplet me just again reintroduce Greg andTaj Greg rattray is the founder of nextPeak a cyber security and riskmanagement firm he also teaches atColumbia among many other roles insideand outside government Greg previouslyserved as the global Chief informationsecurity officer at JB JP Morgan Chasewhere he established jpmorgan’s cyberdefense strategy and program and ourvery own Taj moreserves as the Director of the Aspen U.Scyber security group prior to Aspen Tajpractice law at Morrison and Foresterand served as Council in the office ofGovernor uh Phil Murphy of New Jersey sothat is our introduction and I now turnit over to you fine gentlemen thank youcan everyone hear me okaygreat so as Vivian mentioned uh Greg afew weeks ago we launched the Cyberdefense assistance imperative lessonsfrom Ukraine in partnership with theAspen cyber security group and it buildson work that you spearheaded as thefounder of the Cyber defense assistancecollaborative alongside folks like JeffBrown and Michael Daniel of the Cyberthreat Alliance and I guess before weDefine Cyber defense assistance maybeyou can tell me a little more about theorigin story and sort of what led you todefining a new kind of Defense supportthanks Taj and I appreciate theopportunity to be here so the the originstory I think is a bit interesting I hadthe opportunity in 2020 to be to go toKiev I was working both on somecommercial opportunities but also theusaid had started a cyber assistanceeffort for the ukrainians before the warand I was helping you know try to helpsort what would be most useful in thateffort and got to meet a series ofUkrainian National Security officialsthat were working on Cyber so we rolledthe clock forward I actually was askedto help the ukrainians do a nationalcyber strategy which they issued in 2021so one of many sort of internationaladvisors to them very rational strategyprobably not well not adequately in timefor the conflict that they had and alsoneeded a lot more implementationresources in it we get to just beforethe war in Aspen a meeting uh that weheld in the Aspen cyber group group wasabout Ukraine about four weeks beforethe war and had the opportunity to thenyou know some of the Aspen membership uhparticularly the government side connectthem with the ukrainians I’ve beenworking with you know to get ready forthe war but the invasion you know whilenot surprising probably to U.S NationalSecurity leaders uh was very surprisingto the ukrainiansum but the resilience of the Ukrainianeffort became clear within a week let’ssay right so I ended up calling a numberof leaders in the private sector ofcyber security companies as well asMichael at the Cyber threat Alliance andsome of the membership that Michael hasin that organization and said if thepeople I’ve been working with in Ukrainecould tell us what they might need interms of cyber assistance would yourcompanies be up for uh doing that and itwas all yeses very quickly it was aboutsix initially and then now it’s about 16uh seven or eight of them are publiclyacknowledged in 7 eight of them arestill a requests to not be publiclyacknowledged in the effort but you knowpretty quickly the ukrainians in arelatively ad hoc and non-systematic waywhich we’ll talk about began to requestspecific tools training on either toolsor certain types of cyber uh defensetechniques and we quickly had toestablish that this was defense onlybecause we were getting requests for allsorts of cyber capabilities besides justdefensive but you know that’s scaled upum has uh you know become even thingslike helping the largest soil andnatural gas company nap to gas buildtheir security operations center whichis to become a sectoral operation Centerthat’s a sort of big project for thefirst half of of this year but uhthat was a very you know sort of loosecollaborative of basically peoplecompletely voluntarily you know helpingit’s now inside a global non-profitcalled crdf Global and you you know wehave a very we’re having a conveningthis afternoon of probably 40 peopleprivate sector and government about howit worksand I guess most important what makes itdifferent from other kinds of cybercapacity building efforts definitionokay perfect together because in inwriting the paper and I think that I Isay this happened just but also havevery seriously trying to create thewords that describe a new conceptual uhapproach to things and the the paperasserts that it’s a new NationalSecurity imperative which I very muchbelieve in terms of you know we definedit as cyber defense assistance can bedefined as cyber support activitiesprovided to Friendly or Alliednation-states under threat of threat ofor actual attack from a hostile nationstate we worked pretty hard on thatdefinition you know a lot of people youknow uh you know and I’ll sort of talkto a couple of things we were trying todistinguish a you know I I over theyears have been involved in a lot ofcyber capacity building efforts aroundthe globe training courses legalFrameworks for you know cyber securityin in countries do you have a cyberstrategy been involved in the US theJapanese and the Ukrainian cyberstrategies uh but if you’re under attackyou know apts are coming at you from anation-state in a politically course ofuh way you know in this case very muchas part of a larger conflict that is adifferent thing than we usually do ininternational assistance and it’s muchmore akin to defense assistance in beingable to help a nation-state protectitself against aggression in this casecyber aggression and combined with armedaggression than it is with most of whatwe’ve done in this realm almost all ofwhat we’ve done internationally boththis nation and other nations thatprovide so we wanted to State ground tosay we need to distinguish this fromcapacity building because we were havingissues and even the U.S funding today inUkraine is going through aid aid doesnot do defense assistance by Mission bylaw right so there’s sort of veryimportant conceptual boundaries therethe definition says support activitiesyou I think you could conceptualize itas being broader than defense only in ain in other situations that would not bewhat the private sector did we were verycareful and even when we work with thegovernment today which we do prettyclosely and not just the U.S governmentto to not be direct we’re not beingdirected by them in the case of cdac theorganization we formeduh because we do not want to beconsidered combatants right so the theissues of you know how the government inthe private sector with the privatesector and the lead of actuallyproviding the capabilities verychallenging area for a lot of ourconstructs of uh how to do how to dothis type of activity sure and and justto recap I guess for the audience itsounds like what really distinguishescyber defense assistance is that it’sresponding to some cognizablegeopolitical risk that you know in othercases you know maybe it’s you know fardown the road but this is uh you know areal cognizable risk that you’reresponding to that’s right and we we hadthis discussion and sort of oneconceptualization of it is it’s only inresponse to there’s a war on or anaggression happening again you canconceive of it not being linked with aphysical event but you’re you’re helpingthat that entity that you know Ally uhor uh friendly nation and again it’s gotgovernmentalist it’s assistance to thegovernment we’ve sort of said governmentplus critical infrastructureum it only in a war in a conflict but Ithink the concept is better and there’sbeen a lot of pull on the organizationto think about places where aggressionis very estimable right Eastern Europethe Pacific Rim and should we get outahead of that and actually start to workwith those Nations because I would saythe pickup game we played in Ukrainewould be a lot more effective if we wereorganized in advance in other places butI’ll finish with this thought from themoment Ukraine was a very clear-cut casewhere you know the Russians wereaggressors that you know it was easy toget support I think in other contextsaround the globe the companies thatmight provide the support especially ifit’s before any conflict even startsthere may be different sorts ofincentives for the companies to provideassistance in advance sure and I thinkthat’s a point to drive home which islike this is really important in partbecause we haven’t really flexed thismuscle we have a lot of training to doit’s sounds like this was kind of an adhoc effort you know sort of organized onthe fly but in order to be effective inthe future in other geopoliticalconflicts we really need to take awaylessons from this experience and applythem in the future so I guess related tothat what are some of the key LessonsLearned From delivering this kind ofassistance to Ukraine uh one of them waslike developing you know early contactwith allies in you know the recipientNation uh what are some of the othersuh so Taj you yeah you just mentioned itI sort of prefaced it I think you knowand I’m going to get to the issue of howfast you want to scale and what’snecessary to scale because even in theUkraine we we’re definitely not there Iwill also mention the the companies thatwe work with are also doing thingsoutside the collaborative I I see Alyssafrom cloudflare cloudflare has done aton of very important material thingsthey’re not necessarily in cdacum so I guess one of the lessons I’llI’ll Circle back to a couple others iswe just started an effort we call BlueForce tracking just try to figure outwho are all the entities actuallygovernmental and private sector tryingto help the ukrainians and and beginningto understand which things are mostimpactful because there is a lot ofdiscussion of should we start toResource these things at a larger scaleand it’s been a real pickup game interms of there’s a lot of entities inthere nationally like the Estonian certhelps the Ukrainian certain all the timeall the companies you know I mentionedCloud Fair announced from cdac Microsoftmandian who’s part of Google uh Splunkuh Looking Glass a series of cybersecurity companies are all and that’snot all you know certainly not all ofthem Palo alto’s publicly announced sobut again there’s other companies thatare doing things that are not there sosorting that out which is sort of uhparticularly challenging in the Ukrainebecause there’s many Ukrainianorganizations the ministry of digitaltransformation the national cybersecurity Center the you know what’scalled triple scip which runs theirNational should all going to the westand asking for things sort ofindependently there’s not a coordinatingHub in the Ukraine for all of theirNational cyber security assistancepriorities so that that’s a challenge onboth sides the the assisting side andtrying to get the recipient to have anorganized prioritize set of set ofeffortsthat links to what you mentioned whichis understanding the context in theecosystem uh who the players are both atan individual and organizational toinclude their legal authorities levelswhich ones are in most need ofassistance I would say the ukrainiansare very good at some things on Cyberdefense and they have some real deficitso understanding sort of operationallywhat types of things Enterprises aregood or bad at naturallymanagerily and culturally they’re goodat some things and not good at othersright so I would say if we went toTaiwanmany of those things would be verydifferent right there’s still probablyopportunity to help but the the culturalfactors the strengths and weaknesses whothe players are their legal authoritieswould all be different so getting inearly and organizing it as well inorganizing it on our side where if thegovernment is going to be a partner onthe resourcing area which I think isactually the most important place wherethey could help they we’ve got to getthe thought not just the authorities butprobably even more specifically the wayto flow funding into and hopefully amulti-donor effort the effort we havegoing in NAFTA gaffes is funded by theUK and the Danes actually so likeNATO still working out in this area orthe Europe and the U.S are still workingout in this area how to join fundstogether to hit the right you knowassistance efforts at the right levelgot it uh so the people obviously startsa conversation it defines an area Ithink the concept will develop more overtime uh but I guess one question I haveleft is uh what comes next for theconcept as well as for cdac and whatyou’re doing like what are you planningto do moving forward as we think aboutfuture geopolitical conflict yeah Ithink with the concept and I will saythere’s been really strong dialogue withthe U.S government entities that wouldyou know I think need to buy into thisit would be helpful even to have somesort ofguidelines from the government aboutwhat expectations of the private sectorso we didn’t step in some area that weshouldn’t step in uh Define so we’reworking we’ll be working this afternoonwith a series of government players onthat exact thing as I mentioned you knowuh also working with them with there’san interaction going about how do youthink about organizing resource wise andTarget that what you us what you provideresources to the recipient ukrainiansfor like what are the priorities is itincident response is it securityOperations Center building is it moreresilience through cloud-based platformsyou know what are the right things to bedoing in the right order so coming upwith a common sort of first orderframework do I think that the answer tothat’s kind ofum dependent on the context with thecompanies uh they’ve learned a lot abouttheir own sort of uh processes to oughtlike give a license free to a governmentwell is that a violation of the FC youknow foreign crop Practices Act wellit’s not in the Ukraine because at leastby understanding uh cdac doesn’t makethe determinations for the companies isthey’ve suspended their procurement lawright so like for at least one companythat’s the way that they’ve answeredthat question for themselves so in justyou know the who get who would decidethat we’re going to give something forfree who would put the theresources they required to be part of afund assistant package so we’re workingon sort of the construct so that we canyou know do this you know and then forthe concept you know you need to answerall these questions in sort of moredefinitive ways then you know cdac isvery much trying to scale I think inUkraine the war goes on for an in likewe don’t know when that war ends sowe’re certainly planning to be operatingfor the remainder of this year with thenotion that that might it might belonger than thatin Ukraine while thankfully the Cyberconflict hasn’t been a sort ofdramatically challenging aspect to theukrainians that could change uh in youknow as that conflict reaches aconclusion the Cyber in the PhysicalRealm the Cyber conflict probably goeson so cyber resiliency is important inthe long term there so that’s likenumber the number one Focus we are indiscussions for cdac about whether theorganization might begin to think aboutsome other places where uh such a Africacould be proactively you know designedgot it and I I think this goes back tosomething you said earlier on which iswe really need to learn how to deliverthis kind of assistance effectivelybecause it’s going to be much harder inother cases you know the moral line thatwas crossed uh when Russia invadedUkraine was you know much moredefinitive and clear uh it might be alittle more complicated in the future soit’s critical to get it right yeah andthen again I think we’ll we’ll hat allthis activity will be to a much greaterbenefit if we organize proactively greatthank youthanks everyoneif we bring up our next uh speakersall right Dad thank you again to theAspen Institute for hosting this uhevent and to Paul Weiss for itssponsorship it’s great to be back at theAspen Institute as a strategic advisorone note we’re recording thisconversation in addition to being livestreamed for the cafe Insider podcast Ihosted a show on cyberspace there beforeand I’m happy now to be a contributinghost from time to time doing what we dotoday which is speaking to people at theForefront of cyber security technologyand National Security issueswith that I’m very excited today for thetopic it couldn’t be more timely we haveChina’s announcement of a National DataBureau reflecting the approach in Chinaand the importance there of controllingand using datawe also have the recent announcementfrom the justice department of a newStrike Force and we’ll be talking aboutthat today as well focused on disruptiveTechnologies how to counter disruptiveTechnologies we have the new cybersecurity strategy just announced by theadministration with its emphasis on anall tools approach against threat actorson public-private collaboration and onInternationalPartnerships and it’s with that swirl ofevents in the backdrop that we have aunusual panel for the cyber securitygroup at the Aspen Institute because itreflects the different authorities andtools across the government that arebeing brought to bear when it comes toNational Security threatsI’m going to introduce each of thepanelists in more detail and in turn aswe turn to them but we have Matt Axelrodan assistant secretary from theDepartment of Commerce we have PaulRosen an assistant secretary forinvestment security from the treasuryDepartment and we have Cynthia Kaiser adeputy assistant director and long timeexpert in this field from the cyberdivision at FBI and these are all folksthat had the opportunity to work with ingovernment over the years that areleaders in their respective fields andthey’ve moved around from tackling thisfrom different different perspectiveswhat I thought I’d start with becausesome people I think just don’t know therole your agencies play in this battleis to talk about specifically what roleyou play when it comes to cyber securityI mean Cynthia kick it off uh with youhow does the FBI use in telligence whenit tries to drive its approach to threatinfrastructureuh thank you and I’m really excited tobe here with everyone today I um want tofirst kind of broaden out the questionto think about the FBI’s approach todisruptingum and cyber operations writ large uh soin 2020 most people uh are tracking thatthe FBI announced a new Cyber strategythat’s focused on imposing risks andconsequences on Cyber adversaries andthat really emphasizes disruptionsPartnerships and the sharedresponsibility to make it harder andmore painful for hackers to succeed andwhat that really looks like in practiceis uhtaking away the cloak of anonymity thatcyber actors hide behind protecting U.Snetworks and targeting the key servicesthat are shared across the multipleactors that are in this Arena and kindof taking then all of that together wereally look at using our uniqueauthoritiesour Partnerships as well as then ourability to conduct those disruptiveum actions we say disruptive actions itfeels a little uh without without teethit doesn’t there was a recentannouncement of a takedown andum the deputy attorney general theUnited States Lisa Monaco said that youhacked the hackers uh that has a ring toit uh what is that what does that meanand how were you able to secretly getthe key that the bad guys were using sothe bad guys would attack a victimcompany they’d lock up with malware allof their servers so they couldn’t accesstheir own information they’d encrypt itand then they’d say hey give me amillion bucks or five million bucks or20 million 40 million dollars in some ofthese uh cases if you want to get a keyto be able to see your own data andsomehow the FBI working with others wassecretly able to get that key tell us alittle bit about that well um in thatcase you’re talking about the high ofdisruption and Hive uh you know verysignificant ransomware variant and it’sreally the lowest of the low of cyberactors I mean they were targetinghospitals and you know key things thatwe all need to stay safeum so we were able through using our umlike really you know just hard smallsteps on the technical end you know goodcomputer scientists good investigativetechniques as well as leveraging ourPartnerships across the Intel Communityto gain access to enough of theinfrastructure with Hive so that wecould give the unique keys toum victims I think over 48 countries weoffer them probably to about 1500victims over 300 took us up on it saveduh probably 200 million in ransomwareproceeds for these entities but it alsomeans that they saved all thoseremediation costs as well uh so it’slike hard to put a number on that and soreally like how we’re approaching thatis we use the law enforcementauthorities we have so seizures orum the ability toum get on to you know infrastructure butthen also using our you know really goodjust investigative work onlineum you know undercover work goodtechnical work to be able to gain accessto this and that’s really part of ouroverall effort to Target the kind of keyplayers in these ecosystems so that whenwe’reworking and doing these efforts it has abig impact across across and that’s notyour I mean you’ve been doing this formore than a minute something uh 15 yearsover 15 years uh and that’s not kind ofyour grandfather’s FBI where you wouldsecretly get the key and one of thethings I thought was interesting aboutthis in representing victims in thisspace isyou would provide the key to a victim ifthey came to you because they wouldn’tother otherwise know that you had thekey right and then you would ask themnot to share the information for aperiod of time that you had the key sothat it would keep working and so thatthe bad guy wouldn’t know that yousecretly had the key and would just bewondering why is nobody paying anymoreuh so tell me a little bit about that’spretty unusual for the FBI what led tothat and how you operationalize that soit is unusual and it’s actually a littledifferent than what you just describedwhere um in this case we were able toseeum who victims were and go proactivelyto them and offer them um the key and soin that case like we were in this greatplace to be incredibly proactive to dowhat you know while it might seem likean unusual operation the FBI has beenvictim focused for you know over acentury and this is part of our keymission to make sure that we’re doingeverything we can to help victims orpotential victims but I think it speaksto a larger issue issue of privatesector engagement like and and they’rereporting back into us we’re also ableto see that you know it’s not a hundredpercent of victims that report that tothe FBI and you know one sec because hesaid something so you went to the I’mjust imagining the conversation so yougo knock on the door uh and how doesthat conversation go hey we’ve heardyou’ve been hacked at that point havethey been hacked and you’re showing upwith the key or they don’t know yet thatthere’s an intruder inside their systemhow’s it go I think it’s varying uh uhit varies depending onum you know where that operation may bebutum when we go I think it’s a reallytypical conversation for the FBI becausewe’re getting information from ourintelligence Community counterparts allthe time about hey this target thiscompany might be targeted this companymight be a victim and we go and we dothat notification and we um thosecompanies may not know that um they’vebeen targeted but we’re there weapproach we offer our servicesum and in some cases we may have evenmore to offer uh like in the case of youknow having certain decryption keysand that I’m going to turn to uh alittle bit at the Department of Commerceand you’re the assistant secretary forexport enforcement and I don’t think alot of people know that there are peoplewith guns and badges at the at the atthe Department of Commerce or thatthey’re doing enforcement so could youjust tell us a little bit what is itexport enforcement at the CommerceDepartment who are you overseeing yeahsure thanks John and thanks uh to theAspen Institute for having us here todayum yeah so I’m the assistant secretaryfor export enforcement like you said andit’s as advertised uh my job and myteam’s job is to enforce the country’sexport laws the FBI is an amazingpartner of ours the FBI is here Cynthiatalk about has a lot ofum different mandatesum we we have one and it’s to enforcethe export less specifically the lawsrestrictingum dual use items leaving the countryand going overseas and by dual use Imean capable of Civilian use but alsocapable of military use and like Johnsaid my Workforce is primarily federallaw enforcement agents so people withbatches and guns who enforce those lawsand we’re in located in 30 cities aroundthe country and then we haveintelligence analysts as as wellum and so while our primary uh emphasisis export enforcement we do intersectwith the world of cyber security and II’d say we do that in sort of threeprimary ways the first way isum sometimes the technology that wouldbeuh restricted from going overseas canrelate to cyber security challenges I’llgive you one exampleum which I’m I’m not an expert and I’m Iimagine I’m in a room full of experts soyou can correct me if I get this wrongbut what I understand about the futureof quantum Computing for example is thatit has the potential eventuallyum to break all existing encryption andalso the potential to create unbreakableencryption but so if you think aboutthatum whoever gets there first in thattechnological sort of race would have anincredible ability to to um for there tobe cyber breaches and so one of thethings we do on the export enforcementside is to the extent that technology isbeing developed inside the United Statesto help make sure it stays here and isis protected so that’s one way weintersect with cyber security a secondisum that sometimes we will put uhcompanies overseas on what is called ourentity list it’s sort of a restrictedparties list that get enhanced screeningbefore U.S companies can exporttechnology or parts to them and we’vedone that in the last couple years withtwo names that will be familiar to folksin this room NSO group and kandaru so Ihope you explain a little bit about eachof those two yeah sure soum traditionally in the past our entitylist was used you know more primarilyfor um foreign actors involved in thingslike weapons of mass destructionum and more sort of traditional coreNational Securityum it sounds so Bland and very goodempty list like it could be a good thingcould be a bad thing it’s an entity butis it similar to being is there anypositive to being on the empty list nopositive to being on the entity list nono I don’t think that’s something folksaspire to be on our on our entity list Ithink folks we don’t refer to this wayit to it this way internally but I thinkin the press and in the publicConsciousness it’s it’sum it’s perceived as a blacklist becauseonce you’re on the list just like beingon a you know a treasury treasury listum uh there it makes it harder forum people to do business with you whichis why folks want to avoid being on thatlist and so sayingum we we’ve expanded I think uponum you know the sort of types ofentities we put on that list an NSOgroup and and Kendra are good examplesof that because you know there it wassort of for unlawful surveillance whichraises real significant human rightsconcerns and that’s also an aspect thatwe take into account when we’re thinkingabout our entity less and then a third athird way and it’s so grouping that isreally if you could oh explain what theyare Oh I thought I was in a room full ofwhere everyone would know uh yeah yeahso and I saw a group is an Israelicompany that’s um sort of known for itsspyware uh and I think it was um beingsold to uh various governments aroundthe world who are then using thatspyware or to spy on a variety of peopleincluding um you know dissidents andmembers of the of the pressum uh the the third the third way ourwork intersects withum I’d say cyber security uh is thatwhen there’s a breachum if the information that isexfiltrateduh is controlled a technology right itcan be blueprints it can be schematicsit can be things that if the companybefore they were breached were to sendthose things overseas they would need toget a license from usum uh you know if it’s sensitive andcontrolledum and then there’s a breach and it’sexfiltrated and sent overseas by thefolks who did the breach that’s aviolation of our of our rules uh and umwhile the the FBI and working with dojmay have sort of other tools to get atthose breaches are statutes come intoplay as well and there’s one place inparticular where I think that’sinteresting there’s a Supreme Court casethat came down a couple years ago VanBuren that thatum limited the ability of doj to goafter those breachesum criminally when it’s from an Insiderwithin the company who exceeded theirlawful access at Supreme Court case sortof restricted the ability to chargethose folks but if those insiders takecontrol Tech and controlled items andthen send it overseas our statutes comeinto play soum it’s uh are you wouldn’t think of itbut our export laws can be a tool thattheum the Department of Justice can use toget at The Insider breach example ifit’s controlled technology and it goesoverseas so kind of quick quick practicenote or unusual note for the uh thelawyers budding lawyers or complianceofficers out there which would be if youhave a breach and it involves exportcontrolled information what I’m hearingfrom you is you need to report that justlike you would any other export that wasin violation of the export rules thatyou did that someone in the company didintentionally and then similarly thatyou’re under the same responsibilitiesand depending on what the classificationthose change but you’re required to tryto protect that information not just forfrom being accidentally sold ortransferred but also from being hackedyeah and it has real world impact uh wehad an example which is not public yetso I can only talk about it in generalterms butum where there was an Insiderbreach lots of Technology wasumexfiltrated by The Insider and there wasconcern by the FBI and and by Commercethat that information was then going togo overseas and so using the authoritythat I I just mentioned we worked withthe bureau to be able to get a searchwarrant and to be able to recover thethe stolen information before before itwent that’s great and did you have athird or was that uh no that was numberthree okay that was number three socialmatter not a mathematician uh let meturn it over to uh Paul uh and Rosen andI’ll say here when I was running theNational Security division peopleunderstood that we were doingenforcement law enforcement operationsprosecutions understood that we werecollecting intelligence but one of theareas where I got the most question iswhat is this committee on foreigninvestment in the United States whatdoes it have to do with NationalSecurity and why is that part of theNational Security division you’re thelead official overseeing the whole uhcommittee maybe you could explain alittle bit about the role foreigninvestment and what that committee isthanks Sean and uh thanks to Aspen forfor hosting us and to you John for youryears of public service and NationalSecurity as wellum so at treasuryum I run What’s called the office ofinvestment security and it’s part ofthose functions uh manage and lead theoperations of the committee on foreigninvestment United States which we referto as cypheus it’s a nine-member uhinteragency committee uh and responsibleuh to discharge its statutory duties forscreening certain for investment thatcomes into the United States forNational Security risks broadly and sothere is a sort of a series of filingrequirements but also Vol part of itsvoluntary part of it’s mandatory and sowhen there is a foreign acquisition beit a merger acquisition takeoverinvestment that triggers ourjurisdiction which is which is prettynuanced and detailed then we will reviewthat transaction to determine theeffects on National Security so the waywe think about it iswhat is this foreign business or personbuying what do we know about thatforeign person or business what are theybuying do we care about the technologyor business that they’re buying and sortof putting those things together what isthe impact on uh on National Securityand so we do that assessment and thenthe committee uh has the authorityum uh with uh with statutory authorityvested to the president United States toclear a transaction in which case uhprovides a degree of Safe Harbor for theparties to proceed we can clear atransaction with mitigation so SafeHarbor meaning if you clear it and fiveyears later someone might change theirmind on whether it post a nationalsecurity risk they’re good thetransaction stands they don’t have to gothrough another review they don’t haveto sell it yeahpolicy makers think differently down theroad it’s it’s got Safe Harbor fromcepheus review which which is importantand it goes to this issue of voluntaryuh voluntarily filing transactions somost transactions don’t have to be filedwith cypheus but if you don’t cyphiliscan come knocking on your door 5 10 15years later and say that transaction youclosed 10 years ago we want to talkabout it all with the same authoritiesand so as a general matter businesseswant a degree of predictability andcertainty and want to come in the frontdoorand we’ve laid out a little bit thedifferentum authorities enroll I wanted to move alittle bit to threats and particularlyChina uh there’s been a lot ofdiscussion about China as we mentionedthey just created a National Data Bureauhighlighting the importance there uh interms of controlling data and maybe I’llstay on you Paul but uh back in the daywith cepheus when it first started itwould involve transactions for thingslike missile uh technology and you kindof knew as a company that I’m going intoan area where there’s National Securityrisk but uh headlines you know datingback now of cepheus involvement inthings like Chinese acquisition of acompany about dating SO grinder gettingcepheus review codified by Statute nowis the idea that if you have a certainamount of personal identifiablein information names addresses SocialSecurity numbers that type ofinformation that it could cause NationalSecurity risk so I thought maybe youcould dress a little bit both Chinaspecificallyum and how it’s viewed but more broadlyhow you think about data as a nationalsecurity risk yeah thanks John and justto close out the last piece um because Ididn’t finish just um just to sort ofunderstand in the room the theauthorities like clearing clearing withmitigation and then ultimately have theauthority to block or um or thepresident has the authority to unwind atransactionum when it comes they pause in there fora sec So when you say because it’salways strange why would I voluntarilygo in if I’m looking at some of thebusiness folks in the room who arewanting to look at me quizzical lookswhy would I ever voluntarily go in andchoose to do a regulatory uh filing theanswer in part is you could end upotherwise being forced to sell at asignificant loss lateryeah I mean the again going to businesspredictability and certainty you knowyou’re embarking on a businessEnterprise and leaving yourselfvulnerable to siphius regulatory review510 how big is your business going to beuh what are the what are thegeopolitical or natural securityconcerns going to be at the time soum I mean based on that regime kind offollowing up because this is an area soyou know who should be thinking aboutvoluntarily filing and what role doesdata and China play in that analysiswell well oftentimes what we see is whentransactions are happening it could becertain Investments it could there’s athere’s a whole host of internationalbusiness transactions that could happenthat could trigger our jurisdiction whenit leads to uh when there’s atransaction and so oftentimes M Alawyers are involved in thinking aboutthese issues and then they’re on theirradar and Advising clients hey youshould you should see if it requires aregulatory filing or if we with you ifyou fall within the jurisdiction and onthe data point which is really importantbecauseumyou know in in our digital world and ourdigital economy data has sort oftransformed everything that we docreating a whole host of conveniences ineveryday life but it also presents aseries of National Security risks andconcernsum and one of the areas where sort of weplug inum on National Security risks as itrelates to data and cyber security forexample is thinking about that U.Sbusiness acquisition how much data is inthat U.S business do we care about thatdata is it U.S person sensitiveinformation is it sensitive source codeand the way we think about it also is ifthis business is going to be boughtwhere’s the data going to go and whowhat are the cyber security protocolsright is there is there a robust cybersecurity regime to protect that data onthe on the one hand and on the otherhand how can a threat actor potentiallyuse that data offensively uh from anEspionage perspective blackmailperspective inserting code whatever itmay be there’s sort of there’s a wholeset of analysis around data as we thinkabout threat actors and the last thingI’ll say is it sort of underscored byPresident Biden’s September 2020 2022executive order on cepheus which calledout cyber security specificallyum when it when it comes to NationalSecurity risk factors insiphiusokay and Cynthia uh turning to youbecause we’ve talked what role do youplay in identifying the intelligencethat leads to the cepheus review at theFBII mean I think we’re working hand inhand both with um cepheus and ofacum over at treasury to provideinformation that can lead toum the enhanced reviews or sanctions onthese entities I think one really youknow good example of that isum I mean it’s it’s clear China has avoracious appetite for data like in anyform and and looking at some of thesedata reviews we’re trying to point outwhere there when a companyis involved in say a joint venture whatkind of cyber security risk they take onWE published a few years ago thatChina had mandated tax software to go onto certain U.S companies networks as apart of doing business in China wellthat tax software was used for malwaredeployment on their systems and so likebeing able I think to provide thatinformation in um about that landscapehow we’re seeing some of that as well asthis particular company is um you knowmight be associated with a you knowdifferent hacking apparatus back inanother country is really important tokind of that overall whole of governmenteffort to try to counter the you knownefarious efforts that are are obviousright you deploy malware but also thenefarious efforts that might be lookingto go into a side door let me uh followup if you can I don’t know how muchdetail you can get into on the taxsoftware because it’s uh it’s a goodexample so they’re requiring you ifyou’re doing business Central in Chinato put in a certain type of tax softwareand when you say malware what what didit do what would it allow it enablesremote access and it’s really similar towhat we saw in say hafnium right puttinga back door onto a system that enablesan actor to go on to that system at atime of their choosing to collect moreinformation and soum in this case you know what it did isit it enabled malicious actors to getonto those networks where it had beenmandated to put that software on thenetworks in the first place almostacting as a remote access tool and sorryyou said half name so now I have to askwhat’s happening if you can explainhappy to uh so um hafnium is the umrobust Chineseum effort toum where they compromised tens ofthousands of networks across the worldyou know including many thousands herein the United Statesum through a zero day vulnerability inMicrosoft Exchange servers it’s a zeroday meaning that at that time there wasno known fix nobody knew about thevulnerability and so it tookum why is it called zero day uh it’s theum yeah it’s zero days before it wasdiscovereduh so I think uh you know it’s andthat’s in contrast to build it out so alot of vulnerabilities that are used bybad guys even nation state actors areknown vulnerabilities but it takes awhile to patch and fix the system sothey take advantage of that zero dayswhere nobody knows about it until you’vedeployed it are rare and for a nation tochoose to use them it’s using upsomething valuable in the Arsenal soit’s a fairly big deal if they use azero day and use a zero day at scalelike they did in this case and I thinkyou know kind of bringing it back aroundto the disrupting digital threats I Ilike that example though and talkingabout it because this is one of the kindof first times we’re able to robustlyuse some of our more uh offensive cyberoptions to try to protect U.S networkswhere it was deployed Microsoftdeveloped a patch we made sure that thatnotice got out to as manyum uh net us Network owners as possiblebut there are still hundreds of U.Snetworks that had that back door open sowe were able like through our owninvestigative techniques to underunderstand how to close that back doorso we used our legal authorities to dothat get um go shut that back door youknow come back out so that the Chinesecouldn’t you know enter a known onto U.Snetworks where maybe those owners didn’thave the capability or awareness toclose those doors themselves yeah andthat that was a novel use of legalauthorities in other words so you as thevictim might not even know that you hadthe back door uh for half doom and thegovernment using legal authorities wentand closed the door they tried to tellyou I think as part of it but if youdidn’t otherwise see that door was openthey went and closed it for you Matt I’mgoing to move to you a little bit therewas a massive expansion of controls onChina last uh October including advancedsemiconductors and we could talk alittle bit about how that impacted yourenforcement priorities and how thatleads to changes in the enforcementregime sure so um look China’s been aconsistent priority of ours on theenforcement side we talked about theentity list a little bit earlier I thinkthey’re around650 Chinese parties on that entity listand I think 160 or over 160 of them havebeen added during this Administration soit’s definitely something we werefocused on before but yeah in Octoberum the policy side of our house I runthe enforcement side there’s uh we worktogether with our policy side put intoplaceum really sweeping controls when itcomes to Advanced semiconductors andsemiconductor manufacturing equipment toChinaand that for us means that then weenforce those those uh those rulesum andum I think it’s it’s among the reasonsum along with you know concerns aboutsensitive technology actually going toplaces like Russia and Iran and otherother countries as well that led us towork with the Department of Justice aswell as with the FBI and and HomelandSecurity to stand up the disruptivetechnology strike force that you thatyou mentioned earlier all right now nowI gotta ask what what’s the differencebetween a strike force a task force anda working group how did you go withStrikeforce here other than to soundcooler than cepheusoh shots fired Paul shots firedum yeah so uh as a former government guyyourself John I know you have views onthose word choicesum but uh I admit when I hear workinggroup I think no work is getting done asa general as a general rule right um souh I think the reason we went withStrikeforce here is because the ideareally is to take actionum you know it’s it’s in the sort ofcounterintelligence world there’s lotsofum monitoring uh seeing what’s going oncollecting information that’s not whatthis Strike Force is designed to do it’sreally designed to take action toprevent sensitive U.S Technologies fromending up in places that they shouldn’tI had an agent who has since retired hadas heard the tagline on her email whichI have since adopted as well that ourmission was to keep our country’s mostsensitive items out of the world’s mostdangerous hands and um that’s reallywhat the strike force is about so strikeforce isum we’re in 14 locations around the U.Swe have co-located uh not collected butum pulled together a cell of uh uh anassistant U.S attorney so a localFederal prosecutorum one of our agents from exportenforcement FBI agent and HSI agent andthat’s sort of the the cell those arethe people who will talk together on aregular basis in order to shareinformation in order to help bringactions and when I say bring actions Imean either criminal cases that getprosecuted by the Department of Justiceadministrative cases which we can bringwith lawyers in the Commerce Departmentum you can’t put someone in jail on anadministrative case but you can cut offtheir ability to export so depending onwhat business you’re in that’s a prettypowerful tool as well and then of coursewe have our entity list which we talkedabout earlier and we can put people onthat as a way of taking action as welland they’re going to be supported by uhanalytical cell here at headquarters inDC again comprising of FBI analystsCommerce analysts HSI analysts allworking togetherthree different departments thereDepartment of Homeland SecurityDepartment of Justice and commerceworking togetherwell to turn over to you uh you talked alittle bit about where there aremandatory requirements to file andyou’ve heard discussion here about afocus onsemiconductors one way to control thembeing export is by controlling exportsanother way is in the uh Cynthia Lane ofkeeping them from being stolen but Iknow that’s been a focus as well foryour review maybe you could talk alittle about the mandatory regime andwhich are there any of thesetechnologies that link to cyber that arein that mandatory regime yeah well we’rewe’re looking atum all sorts of critical Technologieswhen we’re looking at the vulnerabilityand cypheus is a is a case-by-casereview mechanism so we take every caseAnew because every case is fact specificyou’re going to have generally adifferent buyer and a different uhTarget and so we’re looking at thespecific technology be it semiconductorsQuantum AI we heard a bit about andagain thinking about where is thistechnology going to be vulnerable to goto what can happen uh in connection withthe risk arising from the specifictransaction so we’re really focused onall sorts of Technologies and the risksand concerns that they pose there was athere was a mention on on QuantumComputing and the risk of of hackingpasswords and the like and so we’rethinking about all of those potentialoutcomes and thinking about who is thisacquirer what do we know about theacquirer including from the intelligencethat we get previousum interactions with the committee andother sort of source reporting sort ofseen and unseen and and so that’s how wethink about the evolving sensitiveTechnologies but as you sort of pointout at the top we’ve got a we’ve got adynamic landscape of Technology ourgeopolitical situation is is is isadvancing but so is the technology thatwe’re doing technology of today is notthe same as yesterday and won’t be thesame as tomorrow and so one of thethings we insiphius are really trying todo is think around the corner and bethoughtful because if our adversarieswant to use Acquisitions to get oursensitive technology they too arethinking about new and novel ways to doso and so we’re trying to stay one stepahead of themand and stand you for a sec wellsomething you you touched on briefly butyou’ve talked about the role thatcepheus plays before a transactionoccurs in reviewing the transaction andsometimes if it isn’t notified reachingout and I want to talk about a coupledifferent developments there so one isthe increased Focus you’ve had onlooking for transactions that were notnotified and if you could tell us alittle bit about those efforts and thensecondly I know this has been aparticular focus of yours as a formerprosecutor which is on many of the dealsyou allow the deal to go through eventhough there’s a national security riskbut you impose certain terms to mitigatethat risk and those are go forwardrequirements of things the company hasto do and I know one of the areas youfocused on is making sure people live upto those terms and doing enforcement ifthey don’tyeah thanks for that uh John a couplethings to unpack here one is sort ofthose transactions that don’t come tothe front door that aren’t voluntarilynotified we have a whole team which iscalled our non-notified team that isscouring uh sources of information againseen and unseen to identify transactionsthat maybe fell within our jurisdictionthat would present a concern and we willgo out and we will contact thosecompanies and say hey we got a lot ofquestions about this and we mayultimately tell them they have to comefile even if the transaction is longsince closed so that’s where thenon-notified work which is reallycrucial uh to what we do and it alsointersects with this enforcement pieceand just to take a step back whenCongress updated our authorities in 2018with with with additional budget andresources and the like one of the one ofthe offices that was stood up was amonitoring enforcement office and thatoffice is among other things responsiblefor overseen compliance with theseagreements that I talked about rightclear with conditions these NationalSecurity agreements that we have withcompanies to make sure that they’recomplying with their obligationsand also to identify any other potentialviolations of the sypheus laws which maybe for example failing to file amandatory declaration and that statutethose authorities have given us penaltyAuthority uh civil penalty Authoritywhich is pretty significant it could beup to the value of a transaction and oneof the important pieces of of our workas we sort of grow and mature and evolvecyphilis for the next generation ismaking sure we are holding partiesaccountable to their obligations becauseat the end of the day we firmly believethat we are going to getbetter address the National Securityrisk both if we can hold partiesaccountable but also encourage partiesto come in uh the front door whenthey’re required toand Matt maybe sticking on the themewith you of things that are new uh we’veheard a phrase coming out of the justicedepartment in particular about howsanctions and Export enforcement isgoing to be the new fcpa or do ForeignCorrupt Practices Act what is meant uhmeant by that did that come with new uhnew authorities or is it a new approachon enforcementyeah so I’ll tell you what I think uhthe deputy attorney general means whenwhen she says that although I wouldn’tpresume to to speak for herum but I I I think what she means is theForeign Corrupt Practices Actum has been in a tremendously successfulenforcement program for the Departmentof Justiceum and I’ll give you an exampleum soum in between the uh the ObamaAdministration and the biteAdministration I was in in um out ofgovernmentum working at an international law firmand wherever I went in the worldwhichever client I was speaking tothey wanted to talk to me about theForeign Corrupt Practices Act nowgranted I was their lawyer fromWashington coming to see them but stillthe thing they wanted to talk aboutabove all others Foreign CorruptPractices Act and how they could keepthemselves out of trouble and I askedthem uh how do you know how many ForeignCorrupt Practices Act prosecutorsactually work at the Department ofJusticeum and they didn’t and I told them thatat the time it’s more now but at thetime the answer was 20.20 prosecutors yet no matter where Iwent in the world companies were worriedabout enforcement which meant that theywere investing in their compliance tomake sure they didn’t run afoul of ourcountry’s foreign bribery laws and Ithink what the deputy attorney generalmeans when she’s talking about thisbeing the new fcpa iswe want she wants I want companies tothink about their National Security riskright their risk of running afoul of ourcountry’s export laws and sanctions lawsin the same way they think about runningafoul of our foreign bribery lawsum and I think in terms of resources Ithink so she announced two weeks ago inMiami at the ABA white collar crimeconference that the National Securitydivision which which you used to runJohn Demers who’s in the audience usedto run um will be getting 25 additionalprosecutors in the uh in the the CESwhich is the counterintelligence andExport controls section to help withthat workgot it and uh in terms of new approachyou you’ve talked just then Matt aboutimpact on the private sector and I thinkit’s important topic for the group tothink about as well that some of theseenforcement efforts are really designedabout changing the Thinking Insidecompanies so that it changes complianceon the front end and prevents thetechnology in this case from ever beingtransferred and Paul too was talkingabout trying to influence the way theprivate sector is thinking aboutreporting uh transaction thinking aboutrisk in this spaceCity you have the envelope position ofbeing at the FBI and your boss has nowannounced the head of uh all cyber crimeenforcement for the FBI that he wants tobe the Ritz Carlton of uh victim serviceso I’m assuming that that doesn’t meanyou start handing out little chocolatesuh Etc when you do it but what do youwhat do you mean by that and how doeshow do you interact with the privatesectorum I think first and foremost uh youknow when people think about the FBIthey’re not thinking about FBIheadquarters like we’re not really a DCbased agency I mean we have 56 fieldoffices uh uh you know over a hundredresidential agencies and that means thatwe’re a local presence for PrivateIndustry and for victims and as a partof that we want to engage and make surethat number one we’re working before anincident so working on an incidentresponse plan making sure people knowtheir points of contact they have thecell phone number of somebody on the umcyber squads in the offices so that ifsomething happens they can getassistance right away because we havethe largest uh trained technical Cadrefrom the US government Across the Nationwe alsoum want to make sure that people know wecan be there within hours of gettingthat call we can deploy we can help wecan work with a third party remediationcompany but we want to be there tosupport and you know I mentioned beforeyou know we’ve been a victim-centeredOrganization forum over a century and that means also wehave victim services to offerum when someone is a victim of cybercrime uh it doesn’t matter if you’re youknow a multi-million dollar company or ayou know small startupyou I mean that impacts you evenum on an emotional level like worryingabout what happens with uh your businessor what this might mean and we have theservices we have the victim specialistavailable to be able to help also workthrough that we have media folks thatwill helpum work with companies on you know whatdo you want um your approach to beum do you need us to take any you knowum you know conversations or intake foryou so it’s really about this kind ofjust comprehensive Approach at the locallevel of helping because not only likedo we want to be there we want to helpbut we also know that um we can’t helpothers if we don’t hear from you and wecan’t help you if we don’t hear fromothers and so as a part of that help asa part of that we’re also helpingNationwide being able to take what welearn and protect others along the waygreat uh thank you and you’ve aged uhCynthia you’ve talked about trying toprevent information from leaving theUnited States by being hacked or throughinsiders that you’ve talked about therole you play with hacks and insidersbut also just by regulating the uh byregulating the the uh information and uhPaul when it comes toinformation leaving the United Statessometimes it’s through Goods sometimesit’s because it’s been stolen butsometimes it’s through investment andthere’s been a lot of attention and talkthat the administration is going toissue soon some new set of rules aboutoutbound investment could you talk alittle bit about what role you play atthe treasury Department looking at thatthat new set of rules and what type offactors you’re thinking about as youconsider itsure John so you know as we’ve talkedabout cypheus is an inbound screeningregime we screen Investments coming intothe United States and there has been adiscussion uh vigorous debate publiclyCongress is considering thisaround solving for the National Securityrisk that presents around certain U.Sinvestment dollars going to certainsectors of concern in countries ofconcern that can be used in a wayspecifically against the United Statesnational security risks so think aboutum you know a particular investment inCutting Edge technology that’s going togo into an adversaries Next GenerationUm you know a fighter or whatever it maybe and sort of using those US dollarsbut also the the the know-how andexpertise that flows with those U.Sinvestment dollars and so that’s part ofthe National Security risk that sort ofas a policy matter is being discussedumboth in Congress and in the executivebranchgreat and let me turn to the audience tosee if we have a question or two beforewe wrap upthank you my name is Suzanne Smalley andI’m a reporter at Reuters I’m wonderingif anybody and this might be slightlyfar afield but I don’t think so at leastfor Cynthiathe new Cyber strategy has what’s becomea somewhat controversial provision knowyour customer that eo13894 I’m curiouswhat the panel’s view is on howimportant that might be what kind ofdifference it might make in terms ofthese Bad actors getting into the cloudEtchappy to start us off so I mean we’rereally supportive of the executive orderum and I know that Commerce is reallyactively working on developing some ofthose rules and rules and we’re workingwith companies to ensure we understandexactly how it might impact those rulesmight impact them it’s you know it’simportant for us because having moreinformation and requiring companies toknow who might be using their servicesisum it helps us overall understand thebroader cyber landscape it helps us beable to track malicious actors in a moreuh refined way and really I think helpsus counter one sec just from like the 10000 foot for people uh because noteveryone may be tracking it so peoplemay know the regime of know yourcustomer and this is an idea uh that’sparticularly forced through the treasuryDepartment for banks in particular thatthere’s certain rules if you ifsomeone’s a banking customer that youare required to know about the customerto make sure they’re not using the bankfor some Criminal action you knowsanctions evasion money law uh moneylaundering other activities and so inthe new executive uh order and in thestrategy is the idea that if you’rerenting out or or your Cloudinfrastructure that similarly there’s alot of a lot of the cases that Cynthiahas has brought and worked on havebecome from bad guys criminals sometimesnation states using a cutout usuallywill use that service and then conductan attack or store information that’sstolen from a victim through the cloudservice and so the idea here is thatcloud providers should try to know theircustomer in the way that a bank would doand that would be a significant changeand yet I think to that point it helpsum take away the anonymity that cyberoperation cyber operators are looking touse to conduct their um efforts here itum there’s many companies that say offerleased infrastructureum so you can lease their infrastructureto you know do a variety of things thatmaybe don’t require any customer detailsand you know I think it’s ourum and the US government’s view that weneed to have kind of that same regime asyou were talking about uh that might beoccurring on the financial sideall right I think we have time for onemore questionuh two-part question for Cynthiaum you mentioned the disruption effortsfrom hive how do understanding internetinfrastructure is not essentiallylocated anywhere uh how does the FBIwork with cyber command’s national uhNational Mission Forceum and where does your your lanes startand where do they Air Lanes like howdoes that break down work and thensecond part of that question is wouldyou would you think that the FBIstrategy is Shifting more fromindictments to actually disruptionefforts like you were kind of just didwith Hive is that is that a changing isthat an evolving strategy kind of movingaway from indictments and just focusingon you know disrupting theinfrastructure and notifying victimsASAP so they can get back get back up tospeedso I’m going to reverse the order ofthat uh so first I think um people willbe surprised how often we can um getpeople in in jail cells and lawenforcement um options especially likeindictments are really criticalcomponents to an all tools approach todisrupting cyber actors a great exampleof that and that’s what gets into Ithink your second isum a takedown of um bitslotto uh whichwas a um a cryptocurrency exchanger uhwhere we were able to arrest a senior ofits Lotto executive and Russian nationalin Miami at the same timeum our partners overseas were able totake down infrastructure so uh likebringing it together but we’re doing itwith a purpose that that’s not thenecessarily the end goal or do we wewant to ensure that we’re disruptingthreats in the most effective waysometimes that includes charges heresometimes it includes charges overseasand then it also includes a lot ofunseen activities like we might do withcybercom really closely linked withcybercom we have Personnel sitting withum them working side by side every dayplanning operations but when it’soverseas it doesn’t necessarily have tojust be that kind of covert operation wehaveum a huge International footprint wehave 16 cyber focused uh assistant legalattaches and embassies across the worldwere poised to add more and we’re doinga lot more of that also capacitybuilding that joint investigations Iloved the talk earlier uh on the youknow on Cyber defense assistance becausewe’re in that lane too working with withother countries helping them build casesand you know oftentimes you can go to acountry uh you knowovertly and say you know help us andthey want to help because this is arealm in which we have a lot of allieswho want to help us disrupt digitalthreats togetherthat’s a great uh note to end on becauseI think you’ve heard from all threepanelists how important it is to workwith Partners both internationally andin the private sector so please uh joinme in a round of applause for ourpanelists today in the work they doall right thank you

The security threats facing the United States and its allies are complex and multidimensional, as are are the tools used to address them. On March 15, 2023, Aspen Digital hosted a discussion of the “all-tools” approach to disrupting digital threats, and in particular how the U.S. government uses investment strategy, trade policy, prosecutions, and export controls to tackle threats to national security.

Speakers

Assistant Secretary Matt Axelrod, Department of Commerce
Assistant Secretary Paul Rosen, Department of the Treasury
Deputy Assistant Director Cynthia Kaiser, Cyber Division, FBI
Moderated by John Carlin, Former Acting Deputy U.S. Attorney General

Shared Futures: The A.I. Forum

Aspen Digital