>> Narrator: Live, from Washington DC, it's the CUBE, covering .NEXT Conference. Brought to you by Nutanix. >> Welcome back to Nutanix NEXTConf everybody. #NEXTConf, this is theCUBE, the leader in live tech coverage. We go out to the events, we extract the signal from the noise. My name is Dave Vellante, and I'm here with Stu Miniman. Stephen Hadley is here. He's the former US National Security Advisor, and currently with RHG, who is an advisor to Nutanix. He's an expert on national security and foreign policy, and public policy. Stephen, thanks very much for coming on theCUBE. >> Nice to be here. >> So very important topic. One that you just can't talk about enough. So lets start. We're here at this sort of infrastructure show. We're up-leveling it now to this very important topic of security. There's so many things that are going on. We interviewed Pat Gelsinger on theCUBE five or six years ago and asked him, is security a do-over? He had a one word answer. Yes. So, where are we at? What's the state of cyber today? >> Well, let's talk in a couple respects. You know, one of the things that's been interesting to follow your industry, and I'm not a technical person. But, interesting following your industry, a lot of what was done, social media and all the rest, started to be fun. It was almost a toy. And what has happened, is you now have become, this industry and the services it provide are a international, global, and national resource. And is at the center of how we do business today. And it's been interesting to watch the industry deal with that challenge. It started out, what do you do about child pornography that gets onto the various sites and the like? Then it got to be, what do you do about terrorism? Now it's, what do you do about false news? And it's been interesting to see the industry, and I think very effectively, start to respond to what are the responsibilities they have to their users, in these various troublesome areas. And what are the solutions, technologically and process-wise. And I think the industry is taking the lead, and I would encourage them to do so, because I think the industry needs to define the solutions. If you wait to Washington to define the solutions, we'll get it wrong, as we usually do in Washington. >> Well, so let's come back and talk about that. But, I like to think of three categories of cyber threats. You've got the hackers. Like you said, maybe it's child porn or something else like that. You've got criminals, organized crime. And then you've got state-sponsored. Where do you feel the industry, that you've just sort of said, the industry really has to lead. Where do you think the industry should put its focus? Should they think about the attackers? Should they think more about the defense? Is that a right way to look at it? Those sort of three categories of threats? >> I think those are three categories. They are different kinds of threats. I think the industry is going to have to deal with all of them. I think the principal focus is going to be on defense. There has been a discussion in the literature, should companies have the ability to go on offense? And to respond to cyber attacks, by trying to reach out and hurt the attacker. That's a tricky question. And I guess, as a national security type, my instinct is, the industry needs to lead on defense. The government needs to think about offensive responses. I think particularly since one of the problems you've got in this business is the attribution problem. Someone marches into your country, you know who's doing it. If you get a cyber attack, it's not clear who the enemy is. And who the attack is coming from. And it makes the issue of response very difficult. Secondly, the problem of collateral damage. As we saw, beginning with Stuxnet, and in these latest attacks. You try to hit somebody over here offensively with cyber, and turns out your hitting users in 150 countries. So I think the industry's responsibility is to defend and to try to prevent their systems being used by various nefarious characters. The issue of how to respond to cyber attacks, I think is much more a state function. A law enforcement function, in terms of ordinary criminals and the like. A national security function, in terms of nation states. >> Well Robert Gates in theCUBE last April said that even governments have to be very careful about using cyber as an offensive weapon. You mention Stuxnet, and we saw what happened. But there are no standards with cyber war. With conventional warfare there's the Geneva Convention, there's standards that we can apply. With cyber it's the Wild West. So, what is industry's role in terms of creating those standards of cyber attacks? >> I think industry can inform it. I think it's going to be difficult for industry to take the lead. And I think one of the, my response would be, one of the problems is, cyber attacks, the attackers pay no penalty with cyber attacks. It's hard to find. It's hard to prove. And there's no responses. And, there's a whole question of what is the right response? So for example, some years ago, over eight 10 years ago, Russia pretty clearly took down the Estonian government, which was a real E government. Now NATO is, Estonia is in NATO. NATO, one of the pillars of NATO is an attack on one, is an attack on all. Was that an attack? Huge debate within NATO. Was it an attack, was not an attack? Nobody died. Traditional measure of where you've been attacked. On the other hand, a government was almost paralyzed. What's the right response? Do you have to respond only in cyberspace? Would you think of responding conventionally, through conventional military power to a cyber attack? None of that has been worked out. And, as a consequence, nobody pays any price for cyber attacks. My own view particularly with respect to state-sponsored cyber attacks, is until the country pays a disproportionate attack in cyberspace, for a cyber attack, you won't get them to stop. But as you just talked about rightly, it's very hard to respond in cyberspace, because of the unintended consequences and the cyber collateral damage, if you will. My hope, the way out of this, is, as you've seen in these last attacks over the last week or so, which were targeted, I think the most recent one was targeted on Ukraine, and ended up affecting 150 countries. I would hope that some of these at some point are going to bring the international community to it's senses. And people are going to basically say look, we're all vulnerable. We're all at risk. The United States is more dependent probably than other countries, but China isn't too far behind. And for the United States and China to start leading an international conversation about developing the rules of the road. I think that would be good. I think though there needs to be a panel from industry, that supports that effort. Or my worry is the governments will get it wrong, and will impair the growth of the industry, which is bringing so much benefit to the global community. >> Really interesting point. A couple of years ago, we interviewed the President of ICANN. The organization that >> Stephen: Yeah, I know him. >> oversees the entire internet >> Stephen: Good guy. >> Stu: Fadi, and he was really concerned that companies like China, and Germany were going to say, we're going to have our own internet. We're just going to wall things off. Kind of goes against what you're saying, is we need to work together. We see, dissonance between private corporations, and governments now. How do we get globally working on technology, working together? Rather than fragmenting more. >> And you make a very good point. It's working together on the basis of our principals. Look, our view is that a global internet, free access for everyone is a powerful political statement, and can be empowering of individuals. So it is a small d, democratic institution. And it is an enormous economic power. It would be a tragedy if individual countries start to Balkanize the internet. And start to make them national systems. Because you know the countries that will do it, are countries that are authoritarian, and will convert a device that actually empowers individuals to be a device by which the state controls individuals. Secondly, it will risk cutting them off from the global community. Which will have economic consequences, much less social consequences. So, I think it is important for us to try to take the lead and start that conversation, and to do it while we're still talking about a global internet, and really haven't lost that. So this conversation needs to start sooner rather than later. >> You're the Chairman of the United States Institute of Peace. I have to believe that there is some parallels between the work you're doing there, and what we were just discussing. Trying to get cooperation across communities. >> There is, in this sense. One of the things that USIP has found is, and when I was in government I always used to think about what governments can do to resolve conflicts, end wars and preserve peace. And that's sort of top-down government policy. What US Institute of Peace is doing, is bottom-up. Facilitating groups, civil society, and peace-builders and peace makers, in war-torn communities to begin to resolve the ethnic conflicts, the tribal conflicts, the religious conflicts that are really the kindling, and the fuel for conflict. And through an affiliated organization of the USIP called Peace Tech Lab, technology people are coming together with civil society people and saying, what are the tools you need that we can put on an app, and use on an internet platform that will allow you to do your bottom-up peace building work? And it's very powerful. So for example, election violence. Always a big problem. There are civil society groups using technology that we're able to monitor through social media the first signs of electoral violence, and bombard them with text messages and the like, to try to bring down the temperature. So, what we're seeing at USIP is, there is a bottom-up component of peace building that can be technologically enabled, to allow people to try to maintain peace in their communities. It is the new frontier in some sense, for the work of the US Institute of Peace. >> So, with Stuxnet we saw that malware had the potential to kill people. Maybe in and of itself, that malware didn't kill people, although people died in that whole dynamic, with two nuclear engineers in Iran. My question is, and Stuxnet is 15 year old technology. >> Yeah, I don't think it's Stuxnet was responsible for any of technicians. >> Dave: No, right, so let's clarify that. >> There was a separate. >> And it was associated with that whole initiative, and. >> There was an effort to set back the Iran nuclear program. >> Yes, right, but it wasn't the malware itself. But the malware was demonstrated to do damage, and it could theoretically, and probably in practice, kill people. And it's, as I say, 15 year old technology, and just scratching the surface. So, god knows where we are today. You may know, I don't. But you've sort of put forth this notion that countries, states need to come together, and sort of address this problem. My question is that, I'm inferring that the US has a lead. And as the leader, with the best weapon, what's the motivation for the United States and other countries, who are the "haves", to work with the "have-nots", and actually create these standards? Is it because we have more to lose? I wonder if you could comment. >> I think it's vulnerability. I mean look, we're more dependent on the internet. We're more dependent on cyber systems. Look, to your point, if you bring down and get into the control systems that allow you to shut off the water filtration plants, and bring down the electric grid, a lot of people are going to die. They're going to start in hospitals, and it's going to get worse. So, what is the task? The first task is, and we've known about this problem, of the vulnerability for critical interest structure since the 1990s, that the first studies were written. Government has been slow. Quite frankly, industry has been slow. And it's, I think that train is finally moving. Some sectors are farther ahead. The financial sector is much better and further along at hardening their infrastructure against cyber penetration. But we still are very vulnerable through control systems, in our water system, electric grid, all the rest. And of course, the internet of things, has only multiplied the portals through which people can get into these systems. So there's a huge task of defense. And hardening that needs to go on. And that's a responsibility of industry, and government working together. It can only be done if industry and government work together. That's the process we need within the country. Secondly then, can the US lead in a process to try to develop rules of the road that provide another layer of protection? But it's got to start with hardening our infrastructure here at home. >> I got to ask you about fake news. Fake news in Russia. Is Russia an adversary? Should they be perceived, from a diplomacy standpoint, should we be antagonistic? Or should we try to be more friendly? As it relates to what's been going on with fake news. I wonder if you could tie those together and give us your thoughts. >> Well look, one of the things that's different about Russia today, is what we've seen in the election. This effort through hacking, through disclosing emails, through probing our electoral infrastructure, through a variety of things the Russians are doing. They intervened in our election process, in a bigger way than we've ever seen before, and they're doing the same thing in Europe. That is a new problem. We need to get to the bottom of it, to know what happened. People do it from the standpoint of retaliating against Russia. I think the bigger problem is we need to harden our electoral infrastructure. Our electoral infrastructure turns out to be critical infrastructure that we have to harden, just like our electric grid, and our water supply systems. And you know, fool me once, shame on you. Fool me twice, shame on me. If we don't harden our electoral infrastructure so this cannot happen again, next time it happens, it's our fault. >> So kind of a cyber Star Wars. Is it, we don't know if it's technically feasible. That's not your area of expertise, that's industry's problem to figure out. >> Stephen: Yes sir. >> Stephen, you are a fantastic guest. Thanks so much for coming on theCUBE, really appreciate your insights. >> Stephen: Delighted to be here, thanks very much. >> Alright, keep it right there everybody. We'll be back with our next guest, right after this short break. This is theCUBE, we're live from Nutanix .NEXT, NEXTConf Be right back.