December 5, 2016, 3:45 pm - July 8, 2019, 1:51 pm


Carnegie Endowment

, (Map)

The Middle East Institute and Raytheon hosted a conference on "Strengthening U.S.-Arab Cyber Security Policy Cooperation." James A. Lewis (Senior Vice President and Director, Strategic Technologies Program, Center for Strategic and International Studies) focused his remarks on advancing policy dialogue.


Jim: A 6-minute commute, so how could I say no? Or, more to the point, I was the –what would you call me? The rapporteur for the United Nations, for the successful negotiations on international norms. Managed to escape in 2015, this round of negotiations going on, we’ll see where they get. It’s sort of an awkward time, when you have to get the US and Russia to agree. Who knows? Maybe it’s gotten better. But, I’m going to talk a little bit about where we are on some of this stuff, then we’ll have time for questions.

So after 16 years, of misadventure in the Middle East by the US, the international order is fraying. And that’s the context you want to put this in. Of challengers, there’s trends to change how nations cooperate. We’re entering a new period, where you have kind of sub rows of conflict. In the Middle East, of course, the leading cyber powers are Iran, as you’ve heard in the previous session. At [trails off 01:18] I got to brief a group of Saudi Ministry of Interior officials once. And at the end of the briefing they said, “Can Israel do this to us?” Geez, what do I tell them? Yes, Israel can do it to you.

But Iran can do it now, too, right? The external actors who enter into the region frequently or are there permanently are the US, UK and Russia. There’s a very close relationship. And with, between Iran and some of the proxies like Hezbollah, the Syrians, so you have this complex set of relationships. There’s essentially 2 sides. One group I’m not going to mention are the non-state actors like DAESH or even some of the ones I’ve mentioned like SEA or Hezbollah. They do not have very advanced capabilities. And so every year, people say they will have advanced capabilities within 2 years. And I would believe that if I hadn’t first heard it in 2011.

So they’re not going to get advanced capabilities anytime soon. I just interviewed a group of senior intelligence officials in a number of European and Middle Eastern countries, and asked them the same question. “Do you see groups like Hezbollah or other non-state actors getting advanced cyber attack capabilities?” They unanimously said, “no.” And then offered their 2-year, 5 year, whatever, you know? So, with cyber techniques are a really good tool for coercion and attack. You can kind of think of it as a new kind of weapon. That there’s a powerful informational aspect, right? And this new tool for coercion is not very well captured by existing law, international law agreement. In some ways an untraveled space.

You have intangible affects. Most of our international law is focused on tangible affects. You know when a tank crosses a border; you know that your sovereignty has been violated. When a building is blown up, you know that something bad has happened. We aren’t going to see that level of clarity in cyber activities. That makes it difficult. Difficult to think how nations define responsible state behavior. Creates a gray area where you can have countries compete to influence each other. And of course, in the last couple years, you’ve seen a powerful effort to use cyber tools against the United States. With Iran, North Korea, China and the Russians all using them.

And one of the dilemmas we had, was well how do you respond? What is it you do back? Trying to define this response under existing international law, turns out to be difficult. One of the things I hope you noted in the last panel, was at least for the United States, attribution is a problem with declining significance. Yes it’s hard, but it’s not impossible. And it can usually be done. So very often, what you see is a disconnect, and this is important diplomatically, between our ability to know who is responsible for something. The ability of our allies. Including most of our NATO allies. The only ones who are on par with us would be the UK.

We can say it was Iran. It was North Korea. And there’s first a degree of skepticism that greets proclamations from the US anymore. And second, it’s difficult for us to share how exactly we know this. Saying take my word for it isn’t as persuasive as it might have been once. And then third, the other people can’t manage it on their own. Now that will change over time. We’re beginning to see companies that offer attributions services and some of them like Cloud Strife, Indiant. That are better than many governments. So overtime, we’ll have the ability to attribute the sources. And how that will affect international law. How that will affect the efforts to define responsible state behavior remains to be seen.

One of the things I think you can say, now, based on observable behavior. Which is really important –the countries use cyber techniques in a way that’s consistent –larger, strategic goals. Their larger national strategies. And they’re practiced. And so when you look at Iranian behavior –and you look at other countries, this is not like it’s opened a whole new chapter. In –people used it in a way that is consistent with their existing –that’s useful for predicting what it is they’re going to do. And I think, when this comes, we’ll talk about some of the things you can do about cyber attack later. Clearly countries go through a process that is rational, at least from their perspective.

I was a little uncomfortable describing North Korea as rational. They use a process that’s rational in calculating the benefit and risk. I can use this new tool to coerce, and yet there might be some risk. And so how do weigh that? One of the concerns we have, and particularly with Iran, they will miscalculate the degree of risk. More dynamic than would be wise. That hasn’t happened so far, that hasn’t happened with any of them except maybe the North Koreans. But people do think, “how much can I get away with?” And one of the changes in the last couple years, was that countries decided they could get away with more against the United States, than you might have sought in the past.

So, starting at about the end of 2013, you saw a number of incidents where our primary opponents, that would be Russia, China, Iran, North Korea; pushed against the U.S. Coercive cyber techniques against he U.S. The one with the Middle Eastern focus was the Sands Casino. Where we chose not to pay as much attention to it, because of the ongoing Iranian –pardon me, nuclear, nuclear talks. Right, that would have been bad. It sounds like attacks, right. It’s close. And so you saw an effort by the administration to push back. To redraw the lines of what was acceptable behavior. So, there are implicit thresholds for what acceptable behavior is.

And one of the efforts in the U.N. for the last 5 years has been to make these a little more formal. A little more extended. But the implicit thresholds are pretty low. They are that you should probably not cause physical damage. Or that you should not cause casualties or death. And that’s a threshold that everyone has more or less obeyed. You don’t want to cross those lines, or you could trigger the retaliation that you’re worrying about. But that leaves a lot of space to do bad things. So what we’re seeing now is people experimenting with different kinds –of how to use these cyber tools. There are regimes governing cyber activity. They are very weak, however. We’re in a period of very weak regimes, when it comes to this.

We talked a little bit, I think earlier, about the Wassenaar Arrangement. Where I had the misfortune of being one of the negotiators. And that has attempted to control technologies that could be used for surveillance by states. In very often the countries that are countries looking at are countries in the Middle East...only, but that’s been driving a lot of it. It turns out to be very difficult, though, to define these technologies in a way that –in a reluctance to move to –end-user controls. [Trails off-09:36] Instead there’s been an effort to define technologies that you would want out of the hands of states that routinely violate [trails off 09:45]

It turns out this is next to impossible to do without also catching legitimate research tools. I’m not worried that will come, but right now, while there’s a strong desire on the part of nations to control technologies that could be used to violate [trails off 10:03] there’s not good way to get to that. The more important regime, but also very weak, is in the U.N. Based on [trails off 10:13] of the group of government experts. U.N. is not allowed to say cyber security because the Russians object to it. But they have some long term. It’s [inaudible 10:24] of information and communications technology on the Internet. I’m going to cheat and just say cyber security. It’s too hard to remember.

There’s been 4 rounds of negotiations. Three of them were successful. And as I’ve said there’s a 5th round going on now. The effort of these negotiations was to define responsible state behavior. And they probably peaked in 2013. The way it works is the GG is a small group of countries, regionally distributed. Selected by the secretary general, who then attempt to provide a report on this topic, that he would then take to the general assembly, if he chose. And ask them to endorse it. Well, there’s been success in doing that 3 times. And each time, it’s then led to some further resolution. The first one, which I wrote, the areas of agreement were 8 lines.

Actually it was harder to cut out the stuff that people [trail off 11:29] The second one, the 2013 agreement, was probably the most important because it agreed that international law applies to cyber security. [trail off 11:39]  –national sovereignty –with that agreement, which was endorsed by the general assembly, adds these activities in the existing framework of international law. As I said, there are these gray areas, driven by the fact this is a different technology –attribution is a problem for most countries. But we have agreement on what responsible state behavior is. But it’s got many, many areas of definition –the last round of negotiations –saw almost came to grief over these definitional difficulties.

The chair of the group and I, as the rapporteur, in the beginning, in one of our strategies sessions, ah, you know, this application of international law, how hard can it be? It’ll be mechanical. And we didn’t actually get agreement on that until 20 minutes after the negotiations were formally supposed to end. It’s only because the chair held the clock, that we were able to get agreement. So there’s [trails off 12:49] about how does international law work in this space? And I’d say the most important decision is, cyber attack the equivalent of a weapon of mass destruction? Can it have mass affect? This is the position of Russia, China, Egypt, Pakistan, a few other countries, Belarus. And probably, many of the non-aligned countries –the WMD and therefore, we should simply ban it.

We should ban cyber –And I got in trouble by saying. People said, well come on, the Russian and Chinese have cyber attack capabilities, how can they seriously propose banning it? Isn’t that hypocritical? I said, well, [trails off 13:39] but if you think about the model for them, they have this approach as we should ban it. The U.S. and its allies take another approach, which is this is normal military activity. It’s a weapon like any other weapon, and therefore, it should be governed by international humanitarian law. And the Laws of Armed Conflict. And the tension between these two sort of defines this –what countries can get away with. There have been Middle Eastern countries involved in these negotiations with Qatar, you have Egypt continuously.

You have Israel on and off. Up to the secretary general, of course do [trails off 14:22] And their views are with the exception of Israel, closer to the Russian point of view [trails off 14:30] Makes it difficult, then to define responsible state [trails off 14:36] What does that mean for us? In terms of what we have to do. What are the options for defense? And you heard some of them in the discussion we had earlier. First, you can of course improve your own defenses. There’s 2 problems with this. The first problem, and maybe the most important, problem, is there is a ceiling to how much you can improve your defenses. For a determined opponent, and you can put certainly the U.S., the U.K., Russia, Iran in that category.

For a determined opponent, you cannot block them from entry. There’s no defense against these kinds. You can make it more difficult, you can raise the cost, you can slow them down, there is no defense. So, sometimes the old view of cyber security is, well, each country, each company will do its own thing. They’ll work to improve their network defenses. And that doesn’t work. Paul, I think it was Paul, it was Rob who was talking about moving away from the national firewall –no such thing as defense –can raise the cost, you can make it more difficult. And frankly, some of the defenses in the Gulf region are so shameful that this would be a good thing to do.

I know this, because the Department of Defense, I’ve heard someone ask this; did do a study about a year or two ago, looking at some of our Gulf security partners. And found that they were lacking in their ability to defend their networks. An area for improvement, but we don’t want to put too much hope on it. There’s the question of international restraints. That’s what I’ve been talking about, that’s what I helped negotiate. The problem with international restraints is they are voluntary. Even in the best of all possible worlds, voluntary restraints take years. Those of you who have experience with say, the missile technology, some of the conventional arms transfer regimes. It can be years, or even decades to finally have an affect on the international system.

Sort of ironic, because the other U.N. employee and I had both worked on the conventional arms transfer policies that were [trail off 17:05] arms register and all that –British, I was American. We had both worked on them in 1992 –there to see them finally agreed to in 2013. Of course we were working on different subjects, but it was sort of funny. We took the afternoon off to go watch. So, it’s good to have international restraints, but first, they take a long time. Second, as I said, not everyone agrees on them. There’s large areas of ambiguity. A classic example would be [inaudible 17:38] 2015 we got agreement in the U.N. that nations would not attack each other’s critical infrastructure.

And 3 months later, Russia attacked an electrical facility in Ukraine. That would really be the second. One of the few incidents where we saw physical damage, [trails off 18:01], so I wrote to the chairman at the time and said, well so much for agreement. And he wrote back to say, it’s possible that the Russians don’t believe we are in peacetime. Well the areas of ambiguity are quite large. I wouldn’t count on these weak, voluntary regimes to improve. One issue that hasn’t come up might be active defense. Active defense has a term in the United States that involves companies putting on black eye-patches and saying, “yo, ho ho.” Going off and you’d have discussions about should they be allowed to be private –back.

That’s pretty nonsensical. I usually ask companies is one, if you do that you of course are violating international law. And so if the Chinese show up and ask with a warrant for your arrest, what would you have us do? Because we’ve been pushing them, of course, with [inaudible 19:02] warrants. The second problem is you have a liability risk. You don’t know what the consequences of your attack might be. You’re taking a [trails off 19:12]. But third, and perhaps most important, one thing we’ve learned is that no company, or for that matter, no small agency can stand up against the People’s Liberation Army, with the FSB [trails off 19:25] Fine, enter into a fight with them, that’s fine. Just don’t expect to win it. Well, that’s a dilemma.

But in this sense, active defense means looking for things you could do on your own network as a nation to make it harder for an opponent, you could change their [inaudible 19:48]. And the second part which is a little more delicate, and doesn’t come up so often, is active defense could mean intruding onto your opponent’s network. And so one of the ways that the U.S. has improved its attribution capability, and we are not alone in this. But it’s a very small number of countries, is we break into other people’s networks, observe their plans, their capabilities. And certainly, that’s been the case with Iran. And when you have that ability, you have the ability to disrupt potential attacks.

And so one of the questions for countries like the U.S. or for Israel, I can get into the attacker’s network, and if I see something coming, should I do something to prevent it? None of the other Gulf countries have this capability. They say the Iranians have improved [trails off 20:42] over the last 3 or 4 years, but they are not yet at this point. But one thing you could do, is the U.S. could intervene against potential attackers. And in the Gulf it’s [trails off 20:52] to disrupt operations. A final possibility is deterrence. I usually make fun of deterrence, and I’ll continue to do so. Largely because deterrence requires credible threats. Could fix it overtime, so let’s walk through deterrence and the like.

One of the things we saw in the last couple years was the failure of deterrence, because our opponents felt emboldened to exploit the gray area, to coerce, coerce American targets. Take action against American targets. They were not deterred. When you look at China, when you look at North Korea, they accessed the risk of retaliation, and decided that they could extend what they were doing. And a lot the noise you saw around Sony, was an effort by the U.S., a successful effort I think, to rebuild the idea that there are thresholds you should not cross. At least when it comes to the United States.

We have not been as successful with some of our allies. In extending this deterrence to them. Extended deterrence is another one we could have a [trails off 22:06] work so well in the past. It doesn’t work now. The lesson, however, and this is the perhaps the story of the Iranians hacking into a dam, is that first deterrence depends on the credible threats. So at one point we had a, an early draft of a defense, actually it was a final draft of the defense [trails off 22:30] said that the threat of cyber attack was so significant that the U.S. should threaten to use nuclear weapons. I got in trouble like [inaudible 22:43] got in trouble cause I went to a dinner with the members of the Defense Science Board and I asked them, how many ATMs Iran had to hack to justify a nuclear response? And the answer is, it’s not a credible threat.

So how do you find credible threats? And what we have learned in part from the OPM incident is that a credible threat may not involve military force. They involve indictments, sanctions, international condemnation –develop a new way if we are going to deter opponents that doesn’t rely particularly on military. And we haven’t done that. So where are we in the region, right? And the U.S. has as I think you heard in the earlier panel, been extending cyber security cooperation –effort to improve their defenses against Iran. This is part of a larger trend, where if you look at the NATO or the Japan alliance, the alliance with Australia, we’ve gone through and added cyber security each of the existing [trails off 23:58].

What would trigger Article 5, what qualifies as a cyber-attack, joint exercises? We’re not as far along in the Gulf, in part, because our defense relationships aren’t as formal. But there has been an effort to work with partners, security partners, to improve [trails off 24:19]. The goal is to help them defend against Iran. There is some capacity building, either through encouraging U.S. contractors to work with countries in the region, [trails off 24:33]. And then some with providing direct, kind of, support. But if we were going to look at this, we would say in general that these efforts have not been adequate. Though, we don’t want to go through a country-by-country list.

I don’t think it would surprise you if I said that the U.A.E was probably the country –advanced defensive capability. And the others fall rapidly below that. But we have identified better cyber security as a security goal for the Gulf, our Gulf partners. We have begun to work on it. In all cases, they’re better than they were, but in only one case, they perhaps as good as they need to be. More importantly, our regional cooperation still remains inadequate. Though this is not unique to the Gulf. There’s been good work in the OAS. There’s been good work in NATO. And there hasn’t been good work anywhere else in developing a partnership among, and cooperative mechanisms among allies and partners in cyber security.

In that sense, the Gulf, you would probably put them a little bit ahead of some other places. One of the problems with the U.N. is that you have to have a paragraph that acknowledges everyone. You have to put in the African Union. They haven’t done anything. It’s like, no you have to put them in. So, alright. In that case, some of the Gulf efforts are a little further ahead, but again, not enough. So what we’re seeing is in, if you were to look since Iran Co, a little before Iran Co –could see there’s a much greater awareness. There’s much more discussion, but that the measures taken for defense, either cooperatively with the U.S., other, or on a national basis, are not yet adequate.

So if you were to think about what can I do to improve cyber security? You probably want to focus on 2 words which happen to begin with the letter “C” which makes it easy. The first is cooperation, of course. The ability to cooperate on an international basis among partner countries is essential for better cyber –they’re all trans-border incidents. With the odds of the most sophisticated attackers, attackers being foolish enough to reside on their territory, are close to zero. So you’re always going to have some trans-national aspect. And very often they are regional in the sense that an attack may focus on the U.A.E or Saudi Arabia, but it will hit other countries in the region as well.

Intermediate [inaudible 27:28]. So you need regional cooperation. You need cooperation, perhaps a bit more formal, although it’s a very difficult issue [trails off 27:36-27:25]. They have security partnerships. The second letter, the second word that begins with the letter “C” is consequences. This has been a problem for U.S. policy. But it’s one that we’ve made some progress on in the last few years. But for about the first, if the real sort of hyper-ventilation about cyber security began maybe about 2000, 2002, somewhere –one of the things that was true for at least a decade or longer, was there were no consequences to bad cyber actions. You could do much ever you want and you would never run any risk of being punished. Or being called to order on it. And so the ability to associate consequences with malicious cyber action is important.

And it might include, not military consequences because you do have difficulty in finding a proportional response. You have a difficulty in saying they erased data on 30,000 computers, what [trails off 28: 56] I erased data on 30,000 computers, turn off the electrical grid. Why, in a recent incident, one of the proportional responses was considering us leaking Vladimir Putin’s Botox injection schedule. I wasn’t quite sure that would actually do the trick. That was one of the, what is a proportional response? It works pretty well, he looks good, that’s why he can’t smile. People think it’s because –but defining what a proportional response is is essential.

Because what we've learned, in a number of incidents, is that you can change opponent behavior if there are consequences to [inaudible, trails off 29:39]. And get them, if nothing else, to recalculate the risk of taking an action. But to do that, there has to be some consequence. And I think that will be difficult, because it won’t be like classic deterrents where you could [trails off 29:55] and never use the weapons you had built. You probably have to do something. Whether that’s more of the active defense model of intruding on other people’s networks and doing some kind of damage. Whether it’s the sanctions and indictments model, very successful in some ways.

Though right now, the Gulf remains vulnerable to manipulation. Largely by Iran. Iran with some support from Russia. But it will be possible to change this I think both, you’ll see slow progress on international agreement that will create a framework for defining what response [trails off 30:40] and what state behaviors justify some kind of consequence. And you’ll see relatively faster progress on building cooperation. This is an area where the U.S. could helpfully contribute working perhaps with the British and some others. Though, overall I’ve been tracking the Gulf, the Gulf is a flashpoint. To the extent there are flashpoints in cyber space.

They exist because they’re linked to territorial conflict so the flashpoints are in North Asia, North Korea [trails off 31:12] Europe around Russian activity. And they’re in the Gulf because of Iran. The flashpoint, when it’s one where we can do more to manage it, to make it a little more stable. And to make it a little less intensive for both the U.S. and our partners. Why don’t I stop there and see if there are any questions?

Interviewer 2: Thank you Jim. And yeah, let’s maybe we’ll bunch 2 or 3 questions together, and yeah, so. Right over here, let’s wait for the microphone. It’s coming right over.

Audience Member: I was wondering if you could talk a little bit, or have an opinion about U.S. export policy around this arena. You know doesn’t seem to be a really clearly defined, explicit, export policy and we in industry have to try and interpret that and walk a line, and sometimes it’s kind of difficult to know exactly where that line is. You know, as you’re doing things with technical assistance with our allies on things like, vulnerability assessment, and penetration testing, and giving them some of the skills to do that, you can then use some of those same skills to do offensive operations with that. Which is not acceptable per export policy. Where do you think U.S. export policy is going to go in this arena?

Jim: The problem let me do that quick, the problem with this is it is a dual use technology. So it could be used for purposes both peaceful and military. My favorite example is there’s something called System Administrators’ Tool for Analyzing Networks. The acronym is SATAN. So, I think it’s the difficulty of wrestling with defining the technology. I think there’s a split in the government between those who would prefer tighter controls, based on human rights. So we control a number of technologies for human rights purposes. And they would like [trails off 33:20] the same time, that would get in the way with us being able to cooperate with our partners. And so it’s an unresolved dispute.

Maybe this administration will be –wasn’t, it’s only been, we’re on government time, I guess this isn’t slow, it’s only been 4 or 5 years that this has been ongoing. But, unless you’re willing to say everything should be able to go, the U.S. is not there to set up restrictions. And that’s turned out to be really hard. Right now, if you’re not captured by the munitions controls, you probably should be able to make a case.

Interviewer 2: Any other questions for Jim? Alex, Liz? Thank you. I think you said, remarkable growth in the capacity of the Iranians. I was just wondering if you could share with us, the key factors and the timing of it. The creation of the Iranian Supreme Rational Council in cyber, if I’m not mistaking, kind of coincided with the Stuxnet attacks. I also wanted to hear about your views on that in hindsight. Was that something that perhaps shouldn’t have been done? In the last few months, I’ve seen so many reports about fires in Iranian refineries. And they keep, the Iranian minister keeps saying, you know, it was an accident. But there’s a lot of suspicion that somebody out there might be behind some of these fires.

And to that point, obviously, the U.S. knows a lot more about what’s going on between some of these regional states. But can we, to your point about intercepting; if Country A is about to attack Iran, is there anything the U.S. can do in that process, in terms of cyber space? In terms of cyber attacks? Like, for instance, I just want to give you a sense of the, again, to the point about these fires in these refineries, say these are actual fires that are as a result of cyber attacks. Is there anything the U.S. can do to prevent, to basically contain the situation in a moment like that?

Jim: So there were 3 questions if I remember correctly. The first one was on progress in Iranian capabilities, and perhaps, Stuxnet. And the second question, I know I missing, is –what was the second question? Does the U.S. have the ability to intervene? Oh, is Stuxnet a good idea? Sure. Well, let’s start with the first one.

I think the more, the greater incentive for Iran was not so much Stuxnet, but the green revolution. And it was the domestic political turmoil, which the Iranians belief was both fomented by the West, and accelerated by the use of Internet technologies. That is, I think, the real starting point. Because, as with China, as with Russia, as with North Korea, the principle objective of defense is to defend the regime. When I look back, I actually trace it back to that. And if you look there was an incident where the Iranians broke into a Dutch credential provider called DigiNotar. That was largely so they could track internal dissidents. That was the start of the Iranians building cyber capabilities.

Stuxnet of course accelerated that. They were assisted by the Russians. Both in developing greater awareness of the threats they faced and perhaps in developing, or acquiring the tools they used in [trails off 37:44]. Though, but for me that, it was the political term, what was the risk of the green revolution? Did the Iranians suddenly sit up and say, “we gotta get this thing under control?” And, when they built the mechanisms for control, they did quite a good job. They assigned responsibility, they developed proxy forces, they have laboratories. So you have to give them credit for, moving rapidly from being 3rd tier to top of 2nd tier.

When Stuxnet, I personally thought it was a good idea. I think there’s a long, and I believe I wrote a piece for a journal explaining this. That the U.S. has a long history of using covert action, to advance both its own goals and goals internationally. This was simply another one. People don’t like it. One of the questions would be, well if Stuxnet, Stuxnet was the use of force, Iran could have gone to the Security Council and complained. But of course they didn’t, because they had so many Security Council Resolutions against them. Probably wouldn’t have dared to show up. Yes, it was effective. It was not, one of the, the alternate narrative is that it was taking the lid off Pandora’s box.

Whenever anyone uses a cliché, you should immediately be suspicious.  Though, if the real start was the green revolution – Stuxnet was in some ways irrelevant. In a number of incidents aimed against Iran, not entirely by the U.S. Not always by the U.S., or not even mainly by the U.S. But you have other countries. Who’s to say that there were so many foreign intelligence agencies in Iran that they had to stand on top of each other. We are not the only people to have a bone to pick with them. And so, to use a counter-example, Iran probably launches some sort of effort to grade or destroy Israeli critical infrastructure every week.

Though the Iranians are engaged actively, that they are not successful, doesn’t mean that there’s any less of an effort by them. And so they have used it against the U.S. The funny story on the dam was, the dam in upstate New York has the same name as a very large hydroelectric facility in the Pacific North West. So I think, when the U.S. first saw this, the Iranians are hacking name-of-dam, they freaked out. And this is from friends of mine who work in the White House and other places. Is this was a huge attack on, huge piece of critical infrastructure. And I think the Iranian, you know it’s hard to do this stuff. So the dam, the dam actually attacked is about as big as [trails off 40: 45]. Satellite, so who knows cause it’s covered by treaty so it’s [inaudible 40:52].

But, the point is, the fact that you’re trying to find a significant piece of critical infrastructure that you could penetrate and potentially attack. There’s a sort of covert conflict here. Similar to what we see perhaps, in some of the actions using terrorist proxies, going back as far as say, Lebanon. This is simply another aspect of that. So there’s a cover conflict between the U.S. Some of its partners and between Iran and its partner Russia. In that, Stuxnet, to me, seems like a very legitimate activity that could be justified under international law.