10011001010101010110011000101010110111001100101010101011001100010101011011100110010 10101010110011000101010110110011001010101010110011000101010110111100110010101010101 10011000101010110111001100101010101011001100010101011011100110010101010101100110001 01010110110011001010101010110011000101010110111100110010101010101100110001010101101 11001100101010101011001100010101011011100110010101010101100110001010101101100110010 10101010110011000101010110111100110010101010101100110001010101101110011001010101010 11001100010101011011100110010101010101100110001010101101100110010101010101100110001 01010110111100110010101010101100110001010101101110011001010101010110011000101010110 11100110010101010101100110001010101101100110010101010101100110001010101101111001100 10101010101100110001010101101110011001010101010110011000101010110111001100101010101 01100110001010101101100110010101010101100110001010101101111001100101010101011001100 01010101101110011001010101010110011000101010110111001100101010101011001100010101011 01100110010101010101001010101101111001100101010101011001100010101011011100110010101 01010110011000101010110100110001010101101100110010101010101100110001010101101111010 10110111001100101010101011001100010101011011100110010101010101100111000001010101101 01010110011000101010110100110001010101101100110010101010101100110001010101101111010 10110111001100101010101011001100010101011011100110010101010101100111000001010101100 STANFORD CONGRESSIONAL CYBER BOOT CAMP ! Hoover Institution | Center for International Security! and Cooperation | Stanford University AUGUST 18 – 20, 2014 TABLE OF CONTENTS Note from the Conveners 1 Conference Agenda and Schedule 3 Map of Stanford 5 Keynote Speaker Biographies 6 Session Descriptions 13 Overview of Google Visit 23 Staffer Biographies 24 A NOTE FROM THE CONVENERS Cybersecurity represents one of the most pressing challenges that the United States will face in the coming decades. Ensuring continued economic prosperity and defense readiness requires improving the security of the computing devices, systems, and networks that have become essential to the nation’s commerce and defense. Moreover, the United States has at its disposal powerful offensive capabilities in cyberspace—how can and should it use these capabilities in support of national interests? These and other cyber issues are important, complex, and here to stay. While technological capabilities are moving ahead at international security issues through rigorous lightning speed, policy and legal frameworks in scholarship, policy outreach, and Track II diplomacy. cybersecurity are lagging behind. Historically, Both institutions are dedicated to developing policy governments have safeguarded citizens and national relevant knowledge by bridging academic divides, interests from external threats. In cyber, however, convening leading thinkers across sectors, and training traditional boundaries the next generation.! are fuzzy. What constitutes an The spirit of cross- internal threat? An disciplinary external one? How collaboration and do we even know a drive for innovation threat when we see run deep at Stanford, it? The roles and and help explain why missions in the university ranks cyberspace of various as one of the best in government agencies the world, with top are also unclear. departments ranging What is clear is that from computer the government science to classics cannot go it alone: and scholars and the private sector alumni who include 5 holds key capabilities Pulitzer Prize winners, and owns vital assets 21 astronauts, 27 that make public/private cooperation essential, MacArthur Fellows, 28 current billionaires, and 22 living demanding, and often problematic.! Nobel Laureates. Stanford’s interdisciplinary programs include new undergraduate joint majors combining Stanford University’s Hoover Institution and the Center computer science with English or music, and research for International Security and Cooperation (CISAC) are collaborations between doctors, scientists, and natural partners for tackling cybersecurity challenges engineers that have generated breakthrough discoveries across sectors and academic disciplines. The world’s in medicine. Companies founded by Stanford faculty, growing interconnectedness and the “Internet of researchers, and former students—including Cisco things” raise key questions about privacy, individual Systems, Google, Hewlett-Packard, LinkedIn, Sun liberty, the appropriate role of government, international Microsystems, and Yahoo!—today generate more than peace and national security, and economic freedom – $2 trillion annually in revenues, a figure equivalent to the issues that lie at the heart of Hoover’s mission to GDP of the world’s 7th largest economy. Stanford’s develop “ideas defining a free society.” CISAC has a location and ties to Silicon Valley put us at the heart of unique and successful model of bringing together the technological ecosystem that is driving scientists and social scientists to address pressing transformative international change. !1 Breaking out of intellectual be brought to bear to understand Washington. The next 72 hours will stovepipes is crucial to developing the relevant issues. Indeed, there is be all about connecting— a better understanding of cyber little consensus even about which generating ideas, insights, challenges and how to address issues constitute the most questions, and relationships that them. Cyber threats involve important ones deserving we hope will better inform both political, legal, organizational, attention. These gaps and policy and academic research to economic, and psychological questions provide an opportunity improve American cybersecurity.! factors that technical experts often for CISAC, Hoover, and Stanford do not fully understand or more broadly to play an early and We would like to thank Hoover appreciate. On the other hand, significant role in thought Institution Director John Raisian these conflicts in cyberspace may leadership and cross-sector and Mariano-Florentino Cuéllar, also involve technologies that convening.! Director of CISAC’s parent institute, social scientists and policymakers the Freeman Spogli Institute for often do not fully grasp. In the Hosting this inaugural cyber boot International Studies, for their policy world, current priorities leave camp for congressional staff—the indispensable support. Thanks also little time for longer term thinking. first program of its kind at Stanford to Leisel Bogan, Heather Campbell, In the academic world, research on —is an important step forward. Our Ryan Mayfield, and Russell Wald for cyber policy and security is siloed aim was to bring together senior taking this boot camp from idea to and embryonic. While there is great legislative staff across political reality. Finally, we are grateful to consensus on the importance of parties, chambers, and committees each of you for sharing your most cyberspace from the standpoint of for three action- packed days of precious resource: time. We are international security, there is workshops, simulations, and thrilled that you could join us for surprisingly little consensus on discussions with leading academic this inaugural boot camp and look appropriate strategy, doctrine, and industry thinkers away from the forward to working together. tactics, theory, or data that might pressures of daily business in Sincerely, Dr. Amy Zegart Dr. Herb Lin Co-Director, CISAC Consulting Scholar, CISAC Associate Director, Davies Family Senior Fellow, Chief Scientist, Computer Science and Telecommunications Hoover Institution Board, National Academies (until December 2014) Professor of Political Science (by courtesy) Senior Research Scholar, CISAC, and Research Fellow, Hoover Institution (effective January 2015) !2 CONFERENCE AGENDA CYBER ATTACKS AND RESPONSES Day 1 – Monday, August 18, 2014 10.00 am Congressional staffers arrive at San Francisco Airport 11.45 pm Welcome: Framing Session Faculty Speakers: Dr. Amy Zegart (CISAC, Hoover), and Dr. John Villasenor (UCLA, CISAC, Hoover) 12.00 pm Lunch and Keynote Address: Dr. Jane Holl Lute (Council of Cybersecurity, CISAC) 1.00 pm Session 1: Security as a Concept Faculty: Professor Tadayoshi Kohno (University of Washington) Discussant: Dr. Herb Lin (National Research Council, CISAC, Hoover) 2.30 pm Break 2.45 pm Session 2: Threats to Cybersecurity Faculty: Professor Carey Nachenberg (UCLA, Symantec) Discussant: Dr. Tim Junio (CISAC, Hoover) 4.15 pm Break 4.30 pm Session 3: Offensive Dimensions of Cybersecurity (dinner served during presentation) Faculty: Col. Matteo Martemucci (U.S. Air Force) and Oren Falkowitz (Area 1 Security) Discussant: Dr. Tim Junio (CISAC, Hoover) 6.00 pm Break 6.15 pm Session 4: Simulation Dr. Lucas Kello (Harvard University) 9.15 pm Return to Stanford Guest House !DEEP DIVE: TECHNICAL & NONTECHNICAL ASPECTS OF CYBER Day 2 – Tuesday, !August 19, 2014 7.15 am Depart from Stanford Guest House for Stanford University 7.45 am Breakfast and debrief from previous day 8.30 am Session 5: Fundamental Principles of Cybersecurity Faculty: Dr. Drew Dean (SRI International Computer Science Laboratory) Discussant: Dr. Herb Lin (National Research Council, CISAC, Hoover) 10.00 am Break 10.15 am Session 6: Economic, Psychological, and Organizational Dimensions of Cybersecurity Faculty: Professor Tyler Moore (South Methodist University), Dr. Janice Stein (University of Toronto), Paul Rosenzweig (George Washington) Discussant: Jonathan Mayer (Stanford, CISAC) !3 AND SCHEDULE OF EVENTS 12.00 pm Lunch and Keynote Address: Dr. John