>> let me quickly, is it in your mind very important for there to be a federal tso professional organization as opposed to privatization? >> i believe tsa is a federal workforce. >> but it's important to be under the federal auspices -- >> it isn't. -- it is. >> thank you. ..

>> i commend the work of the police department here at the los angeles airport. they did a fantastic job -- >> yes, they did. >> very, very brave officers that ran right into the situation. but at the same token, tsa, they need a law enforcement there. my good friend and colleague sitting beside of me would not be looking to the phoenix police department to provide the security for his officers. he wants to do that. there needs to be some type of law enforcement inside of tsa to provide security at that checkpoint. there are still a very large airport, parking lots, all of those type things that have to be managed in an airport operation in which we need the

local law enforcement and the airport law enforcement to handle. but those checkpoints and tsa, it was one of ours that didn't get to go home to his family. >> i thank you very much, mr. chairman. i yield back. thank you very much. >> thank the gentlelady -- >> apologize for having to depart at this time. thank you. >> thank you for participating many this hearing. thank you for your leadership. >> thank you. >> chair now recognizes the gentlewoman from california, our host if that's appropriate, we're in your congressional district, so we appreciate you joining us. ms. waters, we now recognize you for any questions you may have. >> thank you very much, and i certainly appreciate your being here. i'd like to thank michael mccaul, richard hudson and congresswoman sheila jackson lee who's sitting in for ranking member cedric richmond for organizing this hearing entitled "lessons from the lax shooting:

preparing for and responding to emergencies at airports." i want to begin by joining with my colleagues to honor the life of he around doe hernandez who was killed in the line of duty during the active shooter incident on november 1st, and i offer my deepest condolences to his family and friends, also honor all of the tsos and other first responders who risked their lives to stabilize the situation and protect the public on that tragic day. this hearing follows the release of two reports on the november 1st incident, one by the los angeles world airports and the other by the transportation security administration. and i am concerned about some of what was revealed many those reports -- in those reports. but i'm not worried because those things that were revealed whether it's the red telephone or the panic buttons or even the inoperability are things that

can be fixed. and i think that ms. lindsey and chief gannon have already talked about a quick response to those kinds of things. they have the resources to do it, and they certainly will do it. i'd like to just spend a moment, if i may, to talk about the need for a consistent law enforcement presence at passenger screening checkpoints such as the one where officer hernandez was killed. now, let me just say this: i know that there are differences of opinion about this. what i'm anxious to hear today and in the near future is that the discussion will continue. there may be things that can be with tried, there may be alternatives, but what i do not wish to do is to simply have the issue put to rest at this time because i am concerned that there may be a better mousetrap.

i'm not sure. following the shooting incident, i discussed airport security issues with leaders of the american alliance of airport police officers. following our discussion, i wrote a letter to tsa administrator john pistole in which i recommended that law enforcement officers be stationed within 300 feet of tsa passenger screening checkpoints. and i have a copy of that letter with me today, and with the committee's consent, i will include it in the hearing record. i was pleased to learn that tsa was responsive to the concerns that i raised and addressed this issue in its report. specifically, tsa issued recommended standards calling for an increased presence of law enforcement officers at high traffic locations within the airport such as peak travel times and checkpoints and ticket counters. however, tsa still because not require that law enforcement officers be consistently present at these checkpoints even during

the aforementioned peak travel times. the longer report, on the other hand, does not address this issue at all. it implements a flexible response approach to security which allows police officers to roam around the airport but does not specifically require them to be present at the passenger screening checkpoints. the fixed post approach, by contrast, requires a police officer to be stationed at each passenger screening checkpoint. airports are local police departments that support the flexible responsibility approach -- response approach have argued this provides better visibility, police officers throughout the airport and less predictability for those intent on doing harm. i realize that a consistent law enforcement presence at tsa screening checkpoints is a controversial issue. however, i would argue that the fixed and flexible response methods are not mutually exclusive. a major airport like lax can

have police officers at every screening checkpoint and still have additional officers patrolling the airport. at the united states capitol complex where we work in washington, d.c. can have police officers stationed at security checkpoints as well as additional officers patrolling the vicinity, then i think it is possible for lax. some airports and local police departments have also argued that stationing a police officer at every screening checkpoint is just too expensive. but i do not accept that particular argument. i do not want to compromise airport security in order to save money by paying for fewer police officers regardless of which local, state or federal agency is responsible for stationing officers at tsa screening checkpoints, a consistent law enforcement presence at these checkpoints is critical. i, therefore, look forward to a

frank discussion regarding tsa checkpoint security today and in the future. however, i firmly believe that we should not adjourn without at least continuing to address this issue. and i want to thank chief gannon for his perspective on this. he gave me a new insight about predictability and the fact that that if it's known that there's an officer at the checkpoint, they become easy targets. i appreciate that. i want to thank mr. cox because you ghei us another way to look -- gave us another way to look at this. and that's why i think it's so important to continue the discussion, because i think we can be creative, and we can try things. i think there's no reason why we cannot take several ideas, try them out, see what works best. but i don't want to give up on this discussion. i thank you for allowing me to be here today, and i thank all of you for the wonderful tour that you gave us today. it certainly gave us a better

insight. this is an important facility. lax is the economic engine of this area, all of the south bay and my district. i appreciate you, i appreciate all of the tremendous responsibility that you have. i want to be part of the solution, not part of the problem. thank you very much. >> thank the gentlelady and now recognize the gentlelady from california -- >> thank you, mr. chairman, and i want to thank you and chairman mccall and ranking member thompson for having this important hearing here today. as someone who travels every week, as my colleague, ms. waters and i both do, to and from lax, i have to say i feel very, very safe. but as chairman mccaul mentioned, we cannot be complacent, and i think this incident informs us on changes we need to make to improve all of our security. i want to thank chief gannon and

all of the men and women who serve with you to protect us here at lax and mr. pistole and all of the tsa officers who work very, very hard every single day and who put their protection or put our protection over theirs every single day to insure our safety. and i have to state that with serving, i believe, over 200,000 people every single day here at lax, it is like a major public event that takes place every single day. so i want to thank all of the witnesses who are here today and their willingness to answer our questions. and, hopefully, the tragic, very tragic death of transportation security officer gerardo hernandez and the wounding of other tsa employees and a passenger at lax on november 1st

will never, ever happen again. but it is incumbent on all of us to work together to identify possible improvements to safety and security for tsa employees and our traveling public. however, the shooting also raised another serious issue and one that i believe we must address. as you know, current law does not provide tsa officers with death benefits like those offered to firefighters, police officers, fbi agents or state troopers, and i'm just naming a few of the law enforcement personnel who all receive of death benefits. that is why i have introduced the honoring our fallen tsa officers act which seeks to remedy this inequity. my bill would amend federal law to provide for the eligibility of a tsa employee to receive

public safety officers' death benefits. as we have learned today and the two with tsa officers who are here with us today, officers rigsby and spear, and all of the tsa employees who demonstrate courage and bravery every single day in hopes of never having another november 1st incident. god forbid that an incident like this ever happens again as well as the husband of ms. hernandez who is with us today. but if another tsa officer ever dies in the line of duty, i believe that these benefits are critically important to their families. so with that i wanted to ask mr. pistole having served in the fbi and now with tsa, what is your opinion on whether tso or

tsa officers should be afforded the same benefits as the federal partners that help to secure this country every single day? >> well, first, congresswoman, let me thank you for initiating the bill to recognize tsa employees as public safety officers to receive that benefit. obviously, it would be a tremendous benefit to tsa overall, particularly to the her nab december family in this instance and, you're right, hopefully it would never be needed again. i greatly appreciate your support of that and would hope that would come to fruition retroactively, obviously, and then be proactive in terms of any future losses. tremendous appreciation and support on behalf of all of the men and women of tsa, thank you. >> well, thank you very much. and, you know, i certainly would appreciate it if you and the organization could -- and i know you have taken a look at the

bill -- but if you could take a deeper look at the bill and provide any feedback as we move forward with it, i would appreciate it very, very much. and i see that my time is almost expired, so i will yield back, mr. chair. >> thank the gentlelady. i would like to recognize the chairman of the full committee for any closing statement you may have, mr. mccaul. >> thank you, mr. chairman. let me just say again to anna, our thoughts and prayers are with you. i know we can never undo what's been done, but we want to make you whole again as much as we possibly can. we're determined to help you. and to administrator pistole, thanks for the fine job that you do and your officers, as i said, under particular circumstances in this case. and, chief gannon, the response time your officers responding to the threat in less than five minutes is to be commended. and finally, ms. lindsey, the

one -- i didn't get to ask you a question, but i did want to close by commending you as well for the model that you've created of cooperation in your command center. i think it's important that the general public know, be aware of what you've done even before this incident, but more so after. pulling together the relevant agencies to work together to better prevent threats like this from happening, again, very similar to a joint terrorism task force model where you bring all of the relevant players into the room with video equipment so that, god forbid, something else like this happens again we'll be able to respond quickly and protect the traveling public. with that i'll just close by saying, mr. chairman, thank you for your leadership and holding this hearing. to maxine waters, thanks for hosting us in your fine district. you're a very lucky woman. the weather's very nice here. [laughter]

a little bit better than washington, d.c. right now. and, again, mr. chairman, thanks for your leadership. >> well, thank you, mr. chairman. and i thank our witnesses for your testimony and the members for your questions today. i'm committed to working together in a bipartisan way to look at lessons learned, to make sure that officer hernandez did not die in vain, to do what we can as our responsibility to representatives of the people to go forward and make this country safer for the flying public to assist the law enforcement, tsa, airport administrators around the country in the tough job they do every day. so i thank you for making this possible. i would point out that members of the subcommittee may have some additional questions for the witnesses, and we'll ask that you respond to these in writing. but without objection, subcommittee stands adjourned -- >> mr. chairman? before you -- >> you caught me before i hit the gavel. >> chair recognizes ms. waters. >> unanimous concept to take

care of something i did not take care of. i just really realized that mr. tony gigsby and mr. james spear are here, and i just wanted to thank you so very much, and i'm so pleased that you're getting well, and you're back to work. thank you so much. thank you, mr. chairman. >> yes, ma'am. without objection -- [laughter] subcommittee stands adjourned. [inaudible conversations] >> treasury secretary jack lew will testify before a house appropriations panel today. topics are expected to include the treasury department's budget and sanctions against russia. we'll have it live at 10 a.m. eastern on c-span3. >> secretary of state john kerry commemorates nato's 65th anniversary and the ten-year

anniversary of the european union today at the atlantic council. we'll have live coverage of his speech starting at 1:30 p.m. eastern here on c-span2. >> c-span's newest book, "sundays at eight," a collection of interviews with some of the nation's top storytellers. >> the normal trajectory of escape stories or of concentration camp stories is you have someone who comes from a sophisticateed, civilized family. they're taken to the camp. all their other relatives are killed. they have to behave in an inhuman way to survive. and then they come out and they tell their story about a descent into hell and then survival. shin's story is completely different because he was born in hell and thought it was home. >> blaine harden, one of 41 unique voices from 25 years of our booknotes and q&a arguments.

c-span's "sundays at eight" now available at your favorite bookseller. >> the fbi says that cyber crime is one of the biggest threats to national security. next, we hear from law enforcement officials about effort toss combat these -- efforts to combat these crimes. from the second annual cyber crime symposium at pace university, this is an hour, 40 minutes. [inaudible conversations] >> good morning, everyone. my name is bob keating, i'm a vice president here at pace university. and it's a privilege for me to welcome you to our second annual cyber crime in the world today symposium. former fbi direct canner bob mueller once said there are only two types of companies, those that have been hacked and those

that will be. shortly thereafter, he had to amend that because of the growth in sign err crime -- cyber crime so that now according to him there are only two types of companies; those that have been hacked and those that are being hacked again. you know, there's no question that cyber crime's one of the biggest threats to our nation's security. in 2012 cyber criminals victimized 556 million people around the world, and consumers lost $110 billion. and as opportunity grows, it'll only get worse. 10 million people -- 120 million people if the united states now own smartphones. the tablet is the fastest growing electronic device ever created, and smartphones and tablets now account for 13% of all internet page views. i'd like to thank the association of chartered certified accountants for

helping us raise the visibility of this critical issue. we've grown very dependent on our digital world. it's created prosperity, transparency and freedoms that we couldn't have imagined a few years ago. but it's also created threats we couldn't have imagined earlier. these require an army of experts to defend us. in a speech at california berkeley a couple of years ago, secretary of homeland security janet napolitano talked about how the department was recruiting college students to focus on cybersecurity. she said her cybersecurity division nearly tripled its work force in 2009 and then doubled that number in 2010. now, there'll be a growing demand for our seidenberg school's computer engineers, scientists and analysts. our alumni network at the cia, we think, the fb, and i in the manhattan -- fbi and in the man

manhattan attorney general's office. with government contractors such as lockheed martin and booz allen hamilton, they'll all be busy over the next few years. i just wish there were more of them. unfortunately, at the moment there are not enough qualified cyber experts to stop all the threats against us. higher education can play a huge role in the war against cyber crime by providing these experts and pace's seidenberg school is creating a model for training and educating them. the nsa and the department of homeland security have designated pace as a national center of academic excellence in 2004, and it's a distinction that we retain today. seidenberg is also one of an elite group of schools that receive federal funding to support students studying cybersecurity. both the department of defense

information scholarship program and the national science foundation scholarship for service program provide pace students with full tuition, fees and job opportunities. the national science foundation selected only four new york universities for its program. pace was one of them. now, research is a big part of cybersecurity, and this is another area where seidenberg is leading the way. our moderator today, dr. jonathan hill, one of our associate deans at seidenberg, is an expert in american security threats. dr. darren hayes, a seidenberg associate professor of information technology, just released his study on skimmer fraud with acca funding. with the help of leaders like these, pace is proud to cohost an important discussion like this, and now i'd like to to introduce another real leader on cyber crime. david szuchman is chief of the investigative division at the pan hat tan -- manhattan

district attorney's office. when david was chief of the id theft bureau, his group chased down cyber criminals that were straight out of a james bond movie. illustrative of this, in one case they convicted 15 defendants for international identity theft and money laundering. the ringleader of the gang operated out of the ukraine, and before david's group shut them down, they stole more than 95,000 credit card numbers resulting in more than $5 million in credit card fraud. this case is just one of a number of investigations and convictions achieved by david's office which is unique in its expertise and aggressiveness in this arena. it's a pleasure to welcome him, our panelists and all of you here today at pace. thank you very much. [applause] >> good morning, everybody.

thank you, judge keating, for that kind introduction, and as a matter of fact, i'm going to be discussing that case in a minute or two. of it was an honor to be on the panel last year, and i welcome all of our panelists today. i'm very grateful to be here with the acca again so we could talk about this critical issue of cyber crime and sinner crime prosecution -- cyber crime prosecution, prevent and the landscape moving forward. now, at the manhattan district attorney's office, we are keenly aware of the value of prosecuting and investigating cyber crime. nearly every case handled by our office has a cyber crime element. when you think about that, that has changed dramatically over the last ten years. every rape, homicide, burglary has a cyber element to it. and that goes before you even start talking about the true cyber crime cases of hacking, intrusion, malware, peer-to-peer crimes including child

pornography crime that is we also prosecute on a regular basis. and as technology becomes more sophisticated, so do the criminals who actually use it, and they take advantage of unsuspecting victims in so many different ways. and i loved judge keating's introductory line where he said you've been hacked and then hacked again, because that is what happens on a regular basis, and we all know that. what's fascinating about new york today is we've seen this tremendous plunge in violent crime, and it's attributed to the new york city police department, to the district attorney's offices, to overall crime fighting. but what we haven't seen a decrease in crime is identity theft. it is the fastest growing crime that exists in the country and most certainly in new york city today. our office sees about 2-300 new identity theft cases per month. per month. and as a red light, when -- result, when cyrus advance took over at the office, he created the cyber crime and identity theft bureau to deal directly with this challenge.

and that bureau staffs adas with specialty instructions, analysts who have specialty instruction. we have our own computer forensic lab that exists inside of our office. we have really made a commitment because this is where the problems lie in crime today. there's one case, and it's the case that judge keating mentioned, and i just wanted to focus on it. it's a closed case. so while the numbers you hear, these are numbers that are eight years old at this point. at the time -- and i can only talk about closed cases which is why i'm talking about a case that is a little more mature. but this case really does tipfy what this crime looks like because it's international in nature, and i'm a local prosecutor. i'm the chief of the investigation division at the manhattan da's office. i'm not like charles who has a more global reach. i'm a local prosecutor's office, but i still have to deal with this problem because it's too much for the fbi to deal with alone or homeland security to deal with alone. i want to spend a minute taking

you through the case that we refer to as western express. this case shows the international aspect of cyber crime. it shows how somebody who's sitting in the ukraine can impact new york city. it shows how someone in the scheck republic can impact -- czech republic can impact new york city. and to prosecute that, you really need to have some very unique resources and capabilities. in its essence, though, this is a classic organized crime ring. that's really what western express was. and it was the first international cyber crime fraud case of this magnitude to be prosecuted by a local da's office. this was eight years of investigating and prosecuting. eight years. a lot of it because there was a an appeal up to the court of appeals that then came back down, and we tried the case. we ended up with 13 -- [inaudible] and guilty pleas from 12, and we convicted three defendants after trial. and this is how it worked. western express served as the

principal money mover or money exchanger for this entire ring. president and ceo was an individual who you may have seen on the cover of the post. he frequent thely would pay people to fly a banner outside the courthouse claiming that he budget getting a speedy -- wasn't getting a speedy trial when, in fact, most of those issues were his own because he appealed to the court of appeals. that clearly doesn't stick in my craw at all. so he made money off of every single transaction that existed as currency conversion. so what happened is the buyers, as you can see here up on one of these charts, put money in dollars into western express, and in return the buyer received e-gold which was a virtual digital currency. everybody's talking about bitcoin right now. you hear a ton about bitcoin. e-gold was one of the first virtual currencies that ultimately went defunct after many criminal investigations and

other reasons. the buyers then would take the e-gold and use it to buy stolen credit card information from vendors. they used the stolen information to manufacture new credit cards which they used to purchase merchandise online and in stores which they fenced for profit. the vendors needed to convert all the e-gold that they were making into a usable currency, so they used western express to convert it into dollars. and to put this in perspective, it's not like you can buy a new car using e-gold. you need the cash. so you have to cash out of that system and get dollars or whatever currency you need. e-gold was, essentially, the money laundering vehicle used by this ring. so one of our other defendants was sitting behind a computer terminal in the ukraine, and he bought and sold the personal identifying information. so every time your accounts are compromised, can i just see by a show of hands how many people have had their credit card accounts compromised in the

audience? virtually everyone. when i was a young prosecutor, the crime everyone talked about was pickpocketing. if i was voir diring a jury, it was pickpocketing. now it's identity theft. everybody has been a victim of identity theft. and he sold the identities of nearly 100,000 victims from the united states, and he earned millions in selling this credit card information to fellow identity thieves. what we did in prosecuting in this case was put this all together, put the entire ring together, and you can see how this worked in the chart, and you can see how the money laundering stages worked. the criminal activity generated the proceeds, you have to place the proceeds into a financial system, you have to layer it and disguise it and then you have to integrate it. so you have to enter the system, commit the criminal activity using the system, and then there's an output out of the system in an effort to discuss guise that money. and that's what happened here. in a sense, just like any other organized crime ring or money

laundering ring, it's just the tools and the ways they're using it are using the emerging technology that you're going to hear about today. that resulted in this. that resulted in two indictments, that resulted in the guilty pleas that i discussed with you and a successful effort by the manhattan district attorney's office to bring this international case to justice here in a manhattan criminal court, in supreme court. and what's significant is the judges are understanding the significance of what is happening to our victims who are being just completely manipulated by technology. and one of our defendants in this case got upwards of 44 years in state prison as a result of the effort that ouredded. -- occurred. now, that is ground breaking to hear a number like that. and while my job is not solely to put people behind bars, there clearly is a deterrent value that we need to show people here. if you're committing fraud elsewhere or in the united states, you're going to be brought to justice, and that local prosecutor's office has the capability to do that.

but we can't do these cases alone. we rely on our partnerships. there's folks here from the computer crimes squad from the new york city m.d. who are a valued -- police department who are a valued partner of our office, there are banks and hiss and others that we work with regularly. we cannot do this work without true collaboration, and certainly we're always looking for that in the manhattan da's office. so this is a threat we're all facing together. this case is just one example, and i'm sure you're going to hear many other interesting examples from the panel. so let me move now into introduction of the panel. our moderator today is dr. jonathan hill. he is the assistant dean for special programs and projects at pace university's seidenberg school of computer science and information systems. he has 20 years of college teaching experience, but he also has managerial experience. he's done 15 years on the faculty at cuni, and in addition to his teaching responsibilities here, he oversees the work of the weapon media -- web media

lab at the school. and those include microsoft, verizon, hp and apple, and he is also -- that team has received a presidential grant from pace university for community service. our panelists are charles -- [inaudible] and he is a special agent with the federal bureau of investigation. he is currently the acting assistant special agent in charge of the new york office of the fbi. he has spent nearly 15 years in that office focusing on counterintelligence, counterespionage and economic espionage matters. he keeps us safe. he has spent 18 months at the fbi headquarters as unit chief in the counterespionage section, he's also a former ohio state university police officer and was also with the columbus division of police, so he has local police in his blood. bernadette gleason has worked in

the incident response team for 12 years at citigroup. she was pivotal in development of the ecrime unit and implementation of the north america, europe, middle east and africa laboratories. this formula was used to implement their asia-pacific and latin america labs. she currently manages the north american lab and has successfully receive certification for computer hacking forensic investigator. dr. of robert zandoli joined aig in september of 2011 bringing more than 25 years of experience in global i.t. and executive leadership from i.t. security, risk and compliance. he has held senior positionings in global technology infrastructure, at major financial firms including metlife and bank of america. he has served as information security officer of metlife where he managed the information security programs for their global enterprise. he holds a doctorate from pace university and an mba from --

[inaudible] vincent tophoff is with professional accountants and business committee of the international federation of account taxes. he previously was a partner in a management accounting consulting firm in the netherlands, and he was a senior lecturer at the postgraduate accounting program of the free university in amsterdam. he holds a master's degree in economics and is a qualified professional accountant and member of the dutch institute of registered accountants. welcome to our moderator and to our panelists, and have fun. [applause] >> judge keating and david, thank you for the wonderful introductions and that fascinating case study. we are going to have a moderated conversation here, and we'll follow that with an opportunity for the audience to ask questions. there are a lot of interesting contributions that you will have to make to our line of questioning for this fabulous panel. first, i want to thank the acca

for making this morning's event possible. i want to thank the pace university community, president friedman, judge keating and our wonderful government community affairs staff, katie and vanessa and derek, for making today's event run so smoothly and accessible to all of us. this is the second year. last year i got to sit in the comfy seat there is, and i didn't sleep very well the night after because there were a lot of things that came up in that conversation that i think are very sobering for an academic and for anybody that uses mobile devices to transport and send sensitive information. so on the topic of not sleeping well at night, we've got this wonderful panel of high-level government and corporate and academic folks here this morning. what's keeping you up at night

when you wake up in those wee, small hours and you're thinking about your work? charles, you want to start? >> again, thanks for inviting me here. i'm very pleased to be here. i think, you know, what makes me not sleep at night is just that everything is so global, everything is instantaneous. we have the ability to communicate, you know, in fractions of seconds, and so somebody says something, does something, and, you know, it's out over the net, and we cannot, you know, we can't pull it pack in. so it goes the same thing when you're in the professional, in your corporate america, you know? you do one thing, you send one e-mail, you can't pull that back in. and it may with something that you had no idea you were doing. you know, you get an e-mail to you, just open up an attachment, and you've got a problem. so that, to me, is just the ease with which people can penetrate

your system. it's very sobering and something that, you know, you can't really be completely vigilant every second of every day. you get an e-mail from a friend or you think it's a friend, you just open it up, and you don't even think about it. it's something that can happen to -- has happened to everybody. so that's what's really something that bothers me. >> interesting perspective. bernadette, when you work for a glamorous, storied international bank, you don't have to miss any sleep, right? >> no, not at all. no, of course we do. the thing that keeps me awake at night is bringing down the network and the availability to the can customers to try and use it. and that is a big, scary issue of that being able to happen, because we've seen it happen and trying to mitigate the response to it. >> wow. we'll be hearing some more about that this morning. robert?

>> i don't sleep very well, and the reason i don't sleep very well is because i'm worried about a number of things. one is retaining and recruiting people to help us protect our corporation. there is not, there's a dearth of people out there right now, and everybody is vying for the same people. that's one. the unknown. we don't know what we don't know. things are happening, sometimes it's to the point where you think about what was said earlier about, you know, those that do know they were breached, those that don't know they were breached. thirdly, it's the obligation to protect your clients. so i worry about that every day. and the fourth thing -- so, like i said, i don't sleep very well -- is the technology allows bad things to happen quickly and in large, large, large numbers. so the breaches of the past where maybe a thousand records

would be exfiltrated now can be millions. so those things keep me up at night. and if you put them all together, it's all about risk. >> and, vincent, you're representing a fairly diverse group of folks. does that mean you don't sleep at all, or -- >> well, actually, i sleep very well, thank you for that. [laughter] but i do wonder every now and then, and i think one of the main points i'm wondering about is just what i call us and them or the black and white. when i was attending this conference last year, i noticed that we were talking about the good guys and the bad guys and forgot about the large, i think, gray area in the middle where people can turn from good guys and bad guys. so i think it's interesting as to how, who actually are the pad guys and also good guys can turn into bad guys, and similarly, i think with a little bit of effort -- because we need those

specialists -- maybe we can also turn bad guys into good guys. another point that i'd like to emphasize is within corporations, within organizations it looks like us and them, like us the normal workers and them, the i.t. guys that have to fix this problem, and i don't think that that's the right way of approaching this. i think that us is them. i think we don't need cyber crimes specialists in our organization, but i think we should all become a sort of cyber crimes specialist because it affects us all. so those are the two points, us and them, and the gray area in between. >> and that's a great point was, clearly, sometimes us is them, but i think all of us here this morning are concerned about who the bad guys and bad girls are, and we see photos of organized criminals, and we read about the successfully prosecuted cases in the paper, and, charles, that's what you do day-to-day.

what should we know about who the bad guys are and how we should, as users of our own systems, protect ourselves and prepare ourselves? >> well, like david said, this is definitely a partnership. the fbi needs to work very closely with corporate america to develop a program where you folks feel comfortable with your own employees. one of the things i focus on and we focus on at the fbi is the insider threat. there are folks inside the corporation, like vincent said. sometimes tear going a-- they're going along fine, and there's a problem, and they become a bad guy. and they actually are damaging your corporations. so we have some vulnerabilities that we like to highlight at least to get the message out there so if one of your employees is exhibiting some of these signs, that might be something that you guys can take a look at, and maybe you can kind of, hopefully, maybe change

that behavior and not come to the critical point of having a theft inside the office. but, again, we have folks that, you know, they have personal problems, they have financial problems, they ask questions that they really have no reason to know, to have knowledge of, and the thing that i like to say is, again, i was a local police officer, the folks inside your company will know the most about your company. so if your employees are saying, you know what? this person is really not acting the way he has acted or she's acted, i've seen her in a place she usually wasn't in, she was it sitting at my computer yesterday, and she never does that, those are the clues, and those are the kinds of things that you should talk to your security office about, your information security folks about and say, you know what? i don't know if this means anything, but this person was at my computer, and he or she never

was before, and let's take a look at that and see what that is. it might be completely harmless, or there might be a problem. the other thing we like to stress is the folks in your companies are going out, traveling overseas, you're traveling to other companies. you're vulnerable to people trying to steal trade secrets from you. and, you know, you may think that a you're, you know, you work for a company that doesn't have a trade secret, but, you know, anything that's of value that your company takes a reasonably, takes a means to protect and has economic value is a trade secret. so, you know, if you work for a large accounting firm and you're traveling overseas to meet with another company to maybe do a joint venture, you might have the plans for the company's new widget or the new, the new, you know, corporate, you know, the new thing that they're going to produce. you might have that with you on

your laptop. .. >> are there some common characteristics to cybercrime that you see from your investigainvestiga tive standpoint that distinguishes it from other types of crime, aside from the digital territory? >> not really. just about every crime today has some element of cyber involved.

we talk, take a clean laptop, don't take any portable, take a blank laptop. do not try to call back into work while you're overseas. we have no idea, you cannot protect your system and your asking for a potential, that's a lot of risk right there. we tried to explain that and have a plan before you go out just to meet with folks, travel into when you come back to have a debrief him to see if there's anything that your folks, hey, my laptop was out of my -- i was with my laptop for a few days. maybe have your it folks to look the laptop to make sure nothing was done with the. that's the kind of thing we look at in terms of try to protect our folks when they go overseas. it doesn't have to be a foreign government. it can be a competitor. it can be many different people that we tried to steal trade

secrets. >> hopefully we'll get to come back and talk about corporate versus state issues like that. bernadette, who are your bad guys and bad girls? >> as charles said we do have the insider threat, too. bringing cell phones into the office, the smart phones, picture taking ability, taking pictures of screens, custom accounts, that's a very real threat and has to be mitigated. when you bring your own device, which is your allowing people to bring the own computers onto a network. if they're infected, that's an issue. also when you use a laptop at home you're not using it for company business and your connecting it to your router and your going out and doing whatever, and who knows if you've been infected. then you come back to work and to infect the network. usb devices, just because you don't have access to it doesn't mean you can't read up from the.

that can be affected. like charles was also saying about when you go overseas and they hand you a usb device and say here you go, and it's infected. it starts downloading your company information and sending it out. that's a very real threat. >> and so what's the practical solution? is it behavior management with the employees of? >> it's awareness, definitely. training and awareness has to be an ongoing, it just doesn't stop when you first come in and get the briefing on the first and then you forget about it. it has to be continuous. we have to make sure the employees, there are threats out there on what the threats are and that they understand the code of conduct that you're using our equipment. you should not be using it for personal use.

and as charles said, the do's and don'ts so the employees know and they are aware. >> between the hardware, software and a different wi-fi areas, how do you deal with that, with your folks moving around? >> first i'd like to say that the weakest part of any security program is people. think about who are, what are the agents that are what about the most, and i've heard insiders, malicious insiders. but i also think about the accidental insiders. someone who sends a bunch of pii to the wrong e-mail address. you have appropriate control. i worry about activists, organized crime, many reasons why these threat agents will target a company, target and

agency in but they targeted many ways and the weakest link is people. so i believe security awareness is the strongest tool in a consistent and continuous program so that when someone doesn't travel with that device overseas or to someplace like china where they monitor everything, they know what they're in for. so continuous awareness, continuous updating of that awareness, continues training. i believe people are the achilles' heel's of corporate -- operations. they will make that mistake or they would be a malicious insider. so the malicious insider, there are controls around access management, role-based, things like that, really smart people can get around that. once that happens the most important thing is good, strong, and quick incident response.

>> so, vincent, again you've got this diverse membership of accountants that you represent. are some of them the bad guys or are they being asked to monitor in their individual circumstances incidents and individual? >> believe it or not accountants are just people like you and me, most of them come and we make the same mistakes and we have the same issues. also accounting for i think it's important. but i think if you talk about target risk with people it's good to give them a baseline understanding and continued to emphasize that what i notice come when people talk about risk, they seem to separate risk management from the daily activities. we have this meeting for 50 minutes and the last five minutes we talk about risk, whereas i think risk should be an integral part of every

decision-making and everything you do. it's a little bit like driving a car. safety is an issue all the time you're driving. you need to be constantly aware of the state issues while you're driving a car. the same i think applies with risk management and taking care of cyber risk. it's not something that you do on a friday afternoon when the heavy cyber risk meeting, but it's something to need to integrate in a 40 or 60 hours you're working a week. with every decision you take him with every action you take you should take into account what are the sources of risk that might keep me from achieving what i want to do and how do i mitigate those? so what i would strongly advise is not to set target risk of heart, but make it more, just like driving a car, it needs to be there 24 hours a day. >> so it sounds like risk

management is a teachable skill set, which is music to our ears. we are, in fact, embarking together on a new risk management it risk and combining some programs that we are quite excited about. but what would student in the program, what would you want them to know before they came to work with you? >> i agree with you that there's some teachable skills but interesting enough when people start with risk management it seems to go, there's a worse effect rather than a better effect. let me explain. i like the comparison with the baby. a baby can usually swim until the moment he realizes that it's not supposed to swim and then the baby sinks. the thing is quite a few people they learn from early age on that risk management is part of

everything you do in your daily life. it to run too fast and you fall and hurt yourself you think, this is not good. to risk management is a natural part for what people do. but then now and businesses, we introduce official risk management and separate risk management from the daily things. we have separate risk management meeting. we have a separate risk management officer. we have separate -- and then it gets kind of dangerous because all of a sudden risk and risk management are separated from what i'm doing. date it should be teachable again, and after it is side note, we need to go to the next place where risk management and risk awareness again forms an integral part in what we're doing. so yes, i agree with you that risk management is teachable and i think we should emphasize risk management, but please let's emphasize risk management and also about the topic of today as

an integral part of what we are doing on a daily basis. >> if i can ask you, bob, if you're going to devise a graduate course on risk management, what would you want these folks to work on? >> let me start by saying a few things first an and not answer t question. i believe that none of our jobs would exist if it wasn't for risk management. i believe that a company doesn't need -- if there is no risk. so when i look at candidates for my team, if they do not say the word risk in business in india i don't even, they failed the first screen. we are here and it's all about risk management. in fact, the things i have continued and mike are have been risk managers. we do different things around risk management but that's a key. so how would you build a program around risk management? you start off by ensuring that

they understand it's about this iis and risks to the business. too many firms, not firms, but to many organizations, the people that are in those organizations, think that i.t. risk as an it problem. but it's a risk to their business. so if there is some it issue with the program or something that might exfiltrated customer information, are we risking the it program, the cio? were risking the business. so build it around business, build it around risk and risk management 101 would be built on that and what you start that program it will go into the disciplines. operational risk management, i.t. risk management, but never lose sight of the business. that's the key. >> very interesting. earlier this year we had read

creation done by some department of defense substituted folks on the cyber attack in a stony a few years back. they took us through what happened in the system that were shut down. up to and including the banks, the atms shut down and people began to write because they couldn't get their money. and the military folks said they weren't about our banking system. so what's happening, bernadette, to protect our banking system today and what do you think is going to have to happen in the coming year between now and when you're back? >> thank you. what i think definitely banks and companies in general need to know, layers of security. when you're building your applications that security is not an act ago. it's one of the first things it comes in to build a program. so you understand what the

program is meant to do and stick it should be not a first step but it should be one of the first steps as you talk about risk, talk about security, how we are protecting this program from being used maliciously. you have to think sometimes like the bad guys to be able to create something very good. and, unfortunately, we don't do that all the time now. security as an afterthought to what is being done. the program is out there, and then let's hack it and see the cause. we should have known the cause before, you hack it to see if the vulnerability are still there and maybe they are not as bad as they were, if you put security into at first. i think also consumer awareness. you have to educate the public. it's not just for our industry and what we know. the people have to know regular everyday people have to realize what the security risks are. not in technical terms but in easy way to do it.

i think you'll have a responsibility to ensure that they know. >> it's a sobering set of thoughts. i'm really gratified that after school, our software engineers and computer science student to work on software projects come and with security first focus. that's really instilled in them. it has to be. but when you think about if the ark of cybercrime moving from script kiddies to criminals, to organized criminals to state sponsored things, is that something that we need to focus on. and certainly with a major businesses that are represented through acca and the folks on this stage, are we at the point where we have to think about defenses, cyberwarfare being launched against a business?

>> i think he did and the one thing i want to say, i'm not part of the cyber division of the fbi has an entire division of cyber agents that work, partner with very closely with like the banks and all of the private sectors to try to come up with some ideas and investigate the intrusions. but what i would -- what i'd like to say is we cannot do our job and less the corporate, the corporations report this information to us but it's very difficult and we acknowledged the difficulty of a company saying we just had a $509 loss and we don't know what happened, it's difficult for them to talk to their stockholders and difficult for them to make a public. a lot of corporations might say we're just going, it's the cost of doing business. we're not going to report this. we can't do our job. it's got to be a partnership. we get all of our referrals, most of our referrals on the folks that are picked and companies.

we acknowledged that's extremely hard to do and our place in the fbi is we want to work as quickly and as diligently and professionally as we can to identify have the stuff occurs so that we can do as much as we can to protect your sources. but again, we know that you need to come and tell us that you just suffered a loss. that's very difficult. we take this opportunity to say that these are ou priority cases for us in my division is to look at these cases, to try to investigate into the best of our build and try to determine what happened, why you suffered this loss. that's kind of what we do on that. but yes, to answer your question, again i think that these fortune 100 companies, they've got very good it systems, secure the systems. we are more concerned about the smaller companies, the regional

combatant may be working with a bigger company that might not feel they are vulnerable, but unfortunately they are and, unfortunately, we see these smaller companies that are being approach, being victimized. they have no idea. so again, there it group maybe one or two people versus, we have these folks here have many people that are working in their organizations but it might be one or two people but they're just as vulnerable if not more. we try to get the word out, try to educate, try to train and just come up with a system for your company that best fits your company but knowing you are a target. >> you represent and work with love those one or two people, their accountants in the organization. what do you tell these folks who don't have layers and

departments and the cis of our security and risk management available to guide them? >> well, you know, again as i think maybe the biggest risk in the metal group i would say because if you're a small business owner you know, cause and effect is very tricky. it's the route for the customers and the next day you don't get the customer back. so i think if you create awareness in smaller organizations because they learn because it's their own money which is on the line and that's a very strong motivator. i started as a junior accountant, a bad debt that was just turned bad debt and later on in life when i was self-employed and a loss $25,000 because a client went broke. that's bad debt. now it's internalized. it's here, bad debt. so for smaller organizations if

they can come sometimes may be the trigger is something small, and hope that something small that they can survive and gives them the lesson. a lot of people leave their home open. you need some sort of incident happening on your street to become aware. so how unfortunate things like major events like what happened to target the other day might be. there's i think, if there's one positive aspect of that, it also creates awareness with the common person like me and small business owners as to who will be compromised in this breach. with events like we are doing here, but mostly i think him on

television, radio, creating awareness is the first step. you need to be aware first before you take a measure. >> it's a great point. it's been said that at least internally accounts, the account step is the first line of defense and identify theft, cyber theft particularly. so that may put additional pressure on cpas and accountants to shoulder that responsibility, but shoulder if they must. what do they need to do? what does the rank-and-file accountants, the head of the department, head of the office, what do they need to look for? are there patterns they should be looking for? what do they need to do to shoulder that responsibility effectively? >> question for many? >> for everybody but we will start with you. >> you know, what's important i think for accountants as well is

knowing their business. and also when you're an external accountant through an organization you need to know that this is and what's going on in order to identify strange things. but in addition to that i think a lot of things are just common sense, what you would expect, if you see people sharing passports, see people doing things i went with my own stuff, think something is wrong. these are all journalistic. maybe they can get a more specific examples. >> i have no doubt. one of the questions i have for you, bob, to the it folks and the accounting folks, finance folks, do they talk in a comedy speak enough of the same language to share the critical information, to share patterns, to share -- >> , most companies, large companies have the forensic

accounting unit that's tied with a forward unit. so if they find something they would bring in the it security people. it's a really more discovery, depending on what the issue is. so that is, they worked together. there's a whole incident response process around that. that's really the way it works and that's the way it should work. >> bernadette, are you able to facilitate those conversations? >> well, for us i would say it would come off on the opposite side, and then discovering anomalies. we handle a lot of different incidents ranging from insider threat to the external. it's not just the accounts that help us. we get information from, not only the source can what's going on and what we need to be aware of.

>> very interesting. my next question is how wide is the gap? if there's a criticism of cybersecurity practice in general, it's that it's always reactive. that it's addressing the last incident that's a more tangible thing to address than the potential incident next week or next year or in five years. so how has the cyber crimes, cybersecurity practice changed for you in terms of preparing for a potential attack in the future as opposed to reacting to what happened last week or target in the last year? >> a lot of it has to do with you take away the, what occurred and why it occurred, and then see if i can fit into other areas that might be compromised. and it has to be prevention, education, response and mitigation. those are the main issues you need to focus on when you are

trying to sort the next attack -- fort. unfortunately, that takes a little bit out of it. but not few and far between but hopefully we catch them with that type of business plan in place and were able to remediate the threat. >> as the technology evolves, you all heard of dynamic defense because the tools are advancing. the tools are advancing and baby, tools that have intelligence. they see anomalies and they react to anomalies automatically. so if you think about the way i put it is it directed at anyone has read the art of war, brazier hand. see if anyone knows the boat. everyone should read that about. there's a general set of tools if you know your enemy and you

know yourself you will win the battle. so if you know your weaknesses in your environment and you know the threats, so we get feeds and you correlate those, let me give an example of what could happen. somebodies exploiting a patch, and there's an alert. we scan as we normally do our enterprise and find that a server that might have, might have personal identification information on it is not patched. we patch that before there's the potential that they come after us. so the point about doing things before it happened, it's evolving. the tools are evolving. isn't perfect? know, now you think about the concept of defense and depth and now the new concept of cyber defense, cyberthreat intelligence and defense, dynamic defense in depth, it is evolving to be able to detect and respond automatically.

because if you wait for people, i know that large companies get billions of alerts a month. i can't imagine how many alerts, huge -- well, i can't imagine, get. how do you imagine those three alerts that you have to do something? so it's all about this dynamic defense and where the industry is headed. isn't there yet? it's getting there, but right now if you take the external, right now companies are sharing information because everyone knows what's at risk these days. so all the major companies are sharing information through things like fs isac. we will know a company might be having some exploitation going on. they will inform their partners so that we all have a chance to react to it. all that's part of the future. it's nobody's going to continue to get better and develop where

things are prevented as opposed to detected only. that's the point about what you need to do and where we need to do. it's not all there yet. it's getting there. there's a lot more to do, and to learn every single thing that's happening and every single threat agent and what they are doing and have tools that they're able to do that is a daunting task. >> excellent, excellent point. so, charles, are you getting that kind of communicate should from big companies, from other government agencies, small companies, researchers, the knowledge of this emerging threats and impending attacks? >> it's much improved. it still has way to go but i think we do a lot of partnerships with private industry where much better sharing of information with our government colleagues. i do think it's much better. but it is a daunting task when you have like bob said, the

fortune 50 companies, i think we have a pretty solid significant liaison kind of relationship, but every company, it's very daunting. when you have a vigorous outreach program where we are trying to partner with private industry and trying to get the message out of what people like bob are trying to do and what we are trying to do. but we're not there yet. >> do the bad guys still have that first mover advantage of their developing tools, they are motivated? >> i think so. i think they can, it is, the fbi has always been kind of, it is reactive. we are challenged with trying to get out and do the emerging threats. we spent a lot of time trying to

determine the emerging threats but it's difficult when you are faced with 14 reports of intrusion during the day to get out there and the emerging threats. we are constantly trying to develop emerging threats in all of our programs, criminal, cyber, counterintelligence and counterterrorism but again it's very daunting when you have all this reaction is stuff that you have. >> interesting. sobering and interesting stuff. sitting in the audience this morning we have students who aspire to law enforcement careers, law careers, the business careers, technology careers, and all of them are here because they are drawn to the opportunities, opportunities in cybercrime of the things that are under the cybersecurity umbrella. pays students make great prose. if you haven't talked to one yet

this morning, make sure you do when we break later. i would ask our panel what you see the opportunity for bright and well educated and well trained students as they come and try to get work in this field? >> let me say the first thing. i do a lot of mentoring of college students, and i actually done in my whole career. and indices i told him if you want to work forever, to into cyber for i.t. security. there's just not enough people. you heard me in the my opening remarks at what keeps me up at night. one of those was there's just not enough people out there. the government need you. major corporations need you. think about the government. they protect the infrastructure. president obama, what is it, the -- i forgot the name, the executive order. >> right. >> the executive order of protecting the infrastructure of

the united states, we need people like you. there's a huge opportunity. this is a career area that is absolutely needed. if you enjoy this type of stuff, but make sure you understand risk first. >> vincent and for all these wonderful aspiring cpas here this morning, what do they need to know about cybercrime to be effective professional? >> well, i think that the problem with all of the specialists that we educate, that are also hundreds of special is being educated in china and russia, and that's light, it's just like an arms race, like if it's on the one hand side, we need specialist to different organizations, our countries. but we should also realize that these same specialists can also

turn to the other side and attack our organizations. so i think what we should do is, i look at this as both triangle which is unique to have incentive to commit fraud and opportunity carry out fraud, and the rationale to justify in your head that it's okay to do fraud. so two things. i think first of all we should realize that it's good that you are here, being educated to become those specialist. i think we should realize that the our specials all over the world. we need to keep him on the right side of the fence to help us protect organizations instead of effect in more organizations. in addition to that, i continue to stress -- of cybercrime.

people are dedicating their lives in facilitating organizations and helping organizations. but i truly believe that if we don't internalize these organizations, if we don't see cyber risk as something that concerns all of us in the organization, i think we are losing the battle. >> bernadette, how about you? what are you looking for in a young higher? >> well, i think as a bob said, there'll always be a place in this profession for bright and talented people, and that the more we know and try to thwart the attacks, unfortunately the bad guys are one step ahead of us. as much as we try to catch up, unfortunately they show us we

are not caught up. to always be willing to learn more, to learn new things, and it can be a very interesting job at times and a very depressing job at times. you have to be able to kind of put both together and say, okay, it is what it is over not going to be able to beat everything and try to make corrective actions for the stuff we can. >> charles, you were saying the dark side of humanity -- you are seeing the dark side of humanity more often than the light side. what would you advise folks who would like to follow your career path to? >> we have a need for computer scientists and our cyber division, the number one priority of the viewer right now, we are hiring i think 1000

agents and 1000 analysts the next year. again, so the opportunity in the government will be extraordinary. obviously, the salary, we can't compete with the private sector but i don't really look at that as a negative because it would get quality trained professionals that are going in the private sector, then we're still going to be in the long run have a better defensive mode and we will still build a wind. but we will hopefully have people that will stop these things. again there is extreme need for us. we have a very vibrant program to try to thwart these cyber criminals, and, obviously, there's a very high profile cases in the most recent past, so it's not going, it's actually increasing. it's not actually, it's not something that is waning. like, trying to get out in front

of it and develop some things we can be a little more proactive but it's extended difficult. because a lot of these people, they are lone actors. and so we really rely on whoever they work for to monitor them. typically is not an organized kind of activity where it's a large group which is a lot, frankly a lot easier to go after because there's always a vulnerable person. if it's one person exfiltrating information, then that's very difficult for us to defend. >> we are almost at the point where we'll be able to take very good questions from the audience. i have a final one that i'd like to ask all of our panelists if i could have you put on your futurist hats for a moment, and if you could identify for our audience this morning one win and one loss, one good thing and

one troubling thing that you think will occur between now and next year's acc a cybercrime session. is there going to be five more examples of the target situation? are we going to have cyber attacks on a electronic installations on the west coast? or are we at a point where maybe our tools are advanced enough that we can protect against those things and protect the infrastructure of our major businesses and our small businesses as well? so i guess you get to start on this one. >> again, this is nothing, i'm still very concerned about the utility systems, and what i think there is a lot of actors

in the rest of the world that are probing the utilities and trying to see what they can do to disrupt our services. that would concern me the most. again, nothing inside. it's all open source in terms of, but there are a lot of folks subjects out there, folks out there who are really trying to probe our utilities. i think for a small utility, as you see when we have a blackout in new york for a day or two, it cripples the city. if it was a concerted effort to do something like that, it would be very, it would be very sobering and be hard to recover from on the short-term. i think that we're getting continual attempts to do that. >> i would say the worst is the third party security companies that have access to your

corporate information and not using as strong of protection to protect that data. and i think the wind is we have become more aware of that and making them become more adheres to your information, to your policies, that if you do not hold them and you're not up to our level, and you can't do business. >> big day become a big vulnerability? >> yes. that's all i can say. >> interesting you brought up big day. i did a presentation at mit about privacy and big data your and i think they did is a risk because he didn't put all your eggs in one basket, you tend to have the opportunity of the bridge of the century. so i posed many questions to the students at mit, the questions were like what is the lifecycle

of big data? how do you segregate what you can from what you can't destroy? what is, is the confidentiality? what about the integrity of the data? i bet if someone did a google search on who discovered america in what year you would probably find one iteration of 1942 because someone inward before and the nine in open source somewhere. the point is i think that is a challenge at the good news is i think people are understanding those challenges and people are addressing them. so for the future given what has gone on, i will say that we will not see a huge change in the amount of bad things happening in the next year. you'll see a larger investment in the tools that i was speaking of for dynamic threats. because when you see the things that happened i think people are going to invest more in the

proactive. but i think because of the bad guys continued to invest more, whatever i has to do is make thr enterprise the least target, the hardest target to hit. it's like when you put the motion detectors, the alarm system and the attack dog in your home, they will go to the next on. you hate to hear that because nothing is perfect, but that's the nation. so in the future i believe next year we will see it's about level. i do believe the good will be the fact that if you buy stock in a company that do dynamic defensive debt you'll probably do pretty well next year. >> dynamic defense in depth. i hope you're all writing this down. >> i like what you just said, if you're being chased by a bear, you don't need to run superfast. you need to run faster than the other people and somebody else is eaten the first.

you know, the good thing is that, well, the best thing a good thing are the same thing to me, which i think what might happen between now and five years, you were talking about, we all hear about commercial banks and target being attacked. i think we can also expect an attack on our utilities, for example, and what makes those attacks different is that we, ordinary people, immediately see the results of that. we are affected by the outcome, we are in the dark for one or two days and then we are affected by the output immediately. it also turns into a good thing because all those things that are happening are also creating the awareness of the vulnerability that we all have, not only in the commercial sector but also in the other sectors. i think creating awareness and

knowing that the risks are there and the risks are growing is the first step to building resilience that we are able to cope with those kind of attacks in the future. so the best thing is, it's a bad thing but might turn into good thing that it creates better awareness and start is to building resilience, if you like. >> what type dispensers and what a fabulous panel. i can tell you how much i have learned myself this morning, and just what a great conversation it's been. now it's going to get really good. ladies and gentlemen, there is a microphone to your left on the floor here. if you have some questions for our panelists, we would ask you to come down and give usher name, your affiliation, your company or your university. ..

of the questions i have for the panel, touched on a little bit of an idea that there needs to be integration between concepts of business and i t and the question is is that now part of the curriculum development process where even if you are not specialists in i t security, marketing and something like

that, in the curriculum or the business program. a focus on marketing. >> for the academic viewpoint absolutely, i think it is imperative that business profits bubble to this earlier. he is incredibly well educated. the business process and that thinking combined with computer science process and i keep thinking makes for a student professional so that you have the foundation theory and the applied business, you are spot on, absolutely imperative. >> anything you brought up, i wrote my doctor rest on using adjunct development processes, taking that agile development

into p and p and project management so that you have this agile developments off and at the same time put it in business. in the business problem should have one course in business risk-management. i really do believe that. that would be helpful, would make every student well-rounded. every corporation is concentrating now on risk, regardless when you going to major corporations. >> once you graduate, and ups, he said in his career one of the most important things he had

been doing in various departments, it is an eye opener for people who market things and hold on to have a couple months in internal audit department or i t department or security department and experience, they circulate back into business. these people bring a total point of view on their business. in a general sense, are in this department as well. >> great question. >> good morning. my name is jonathan miles, university student with the tbs program, and this idea, one of the things i think you touched

in, utility. what i didn't hear is cloud computing and also of problem, the risk that one might encounter with cloud computing. things that were associated with traditional organizations. i wonder if you could add something to that. >> i should have been more specific. more cloud computing, and data to the same information security processes that you use to protect your data and should be able to have them to ensure that they are doing that.

they have a team that goes and gives investigations, and how it happened and what was our information disseminated so that i might not have said it but that was what i was alluding to. >> thanks. >> my name is peter burgess, true value metrics. my take away from this morning is we are dealing with a really, really huge problem and there is almost no discussion of this problem in the public. i would point to the word transparency which i had not actually heard this morning. it has been corporate policy

forever, really, that things like hacking into the system is a cost of doing business and we are not going to tell the public. if that had been much more visible light argue it would have been massive amount of interest in this subject rather than almost nothing. what do you think about making companies really publish the bad news about them -- the cost of this is a huge. in the case of piracy in the oil industry. the amount of money that was spent to buy off the pirates, and this sort of ten years later. and i suspect the same thing going on with cybercrime.

>> the theory behind that, disclosing what actually happened is you don't want to open the door for someone else coming in and looking at another vulnerability looking at what occurred. because sometimes there are more than one probability associated with that. and to give all that information out is detrimental to the company. >> regulation and disclosure of customers need to be reported. that is by law. i do agree with that. you disclose what you have to disclose by law. >> just encourage any time you feel you have been acting with the fact to notify, we should acknowledge sometimes it is not

always the case but there is a lot more regulated, we see a lot more of these examples of them. we are hoping this information that we can try to identify and try to stop it. >> my name is terry young and the work for a company called newtech and we bring products to corporate america and the question i had was about the nsa. it appeared that politically, being handcuffed, they were taking phone records and trying to figure out who was talking to whom. that certainly seems to me to be a good way to catch criminals.

i would like the panel i guess to talk a little bit about this problem we have seen with privacy pretending an investigative agency like the nsa to focus on who's talking to, let's get the bad guys, lock them up. and that is being stopped because politically in this country our privacy supersedes catching the bad guys. you have an opinion on that? >> sometimes the best questions take all longer to think over. >> does anybody really know? all they were doing was taking phone records, running them against programs that will show

us relationships of who is talking to home and that might lead us to the bad guys, that was not obvious to me. >> i know i cannot answer anything about that. i don't know what they operate. i know what you know. you are asking the question from my standpoint i can't give you an answer but i will say as a citizen of this great country of want them to do everything they can to protect us from the next terrorist attacks though wherever they end up, that is my biggest concern. that is all i can say. i can't judge anything. unfortunately that is -- the nsa has their own regulations and restrictions and maybe their own program but i really don't feel comfortable commenting on some things they are doing. i will say when we do investigations we have to have court orders to do any kind of review of any kind of record.

focused on the fbi, that is -- to s it is we have a lot of complaints and checks and balances. we feel very comfortable, we have a strong oversight. and it is a completely different we do have strong requirements that they need to work through. it is how is being perceived and over privacy aegis in the discussion today. >> thank you, appreciate it. >> good morning.

new york law school. we talked about attack dogs and dynamic dissent. my question is to charles gilligan, a panel 2. what about allowing companies access like self-defense or hack attack or even if you want to go to a lesser offense publicizing your arrangement so some companies what they do when someone gets their data they actually trace the ip address, it is not the original computer and lincoln formation back to the customer. what about other areas of putting viruses on your computer so when the party goes to the computer or corporations take information they can try the data and make it not necessarily harm them so much the change would they have like going into banking and disclosing money.

>> i think we actually have our cyber division with companies that have intrusions and they work with the companies and in to mitigate that. i am more focused on i do know the cyberdivision has a plan, and work with victim company and come up with good ideas and pretty active on how they do their investigation. >> anyone else gets to speak to what they want. >> regarding third parties, using corporations should

actively go after hackers themselves. >> go after? i am trying to -- third parties, actively go after them. what we would do is see what their response is to it and hopefully we have what is called -- let me make sure who we are dealing with is the same information security standards we deal with and how we would react to a breach and they might hire who they want to hire to investigate and we would hire someone to investigate and compare the findings and see why it occurred and going after is them, that would be a friend's job. >> what do you think regarding your analysis? do you think this would be something companies could quite

possibly go at? the you think it is something companies could find a lot in the sense that your company cost of getting data, and open up and close it and get a lot say? >> most companies of large size or small size have controls that they meant so i am not sure i understand the question. and opening controls that are up and down. >> trying to give a deterrent for someone casually hacking into your company other than the fact that it takes hours to do so. they are going to get big in a sense. >> use countermeasures and

controls to do that. and builds the defense and build your awareness programs and build all that and what it is known as, all that should be a deterrent, what i said earlier about alarm systems, most detectives, building of defenses, enterprises and government agency, and too much time and effort to attack you so they go next door. i just didn't hear the question well enough. >> time for a few more. >> i am a student here. my question is with cybercrime, a big boon to investigating the

crime, and communication, and do you think there is a trade off, to investigate a crime or a breach. because it is so easy to go in after the fact and perhaps too easy for the person in the first place to make the attack and is there a trade off? and the balance on the side? >> is there a trade off between preventing it and incident response? is that your question? what do you think the answer is? >> don't want them to have it. >> incident response is very

important. have to build this and build it very well so it is quick and stops whatever is going on as quickly as possible and you do the investigation. the best scenario is you prevent it from happening. >> good morning. pro-life consulting solutions we are consulting firm. in listening to you and having spent a good number of years in the industry could you respond to what you are thinking might be how we effectively respond in this cybersecurity environment and making the context of big data in various organizations, you have been effective at using big data for behavior modeling to offer products and services organizations. are there ways we could be or

should be sensing and responding in cybersecurity to better protect our organizations? our customers? our clients and our good businesses? >> all the information coming in from various organizations and what i said earlier was about that correlation between the fees from the outside, information we know about the inside and what ends happening and we had this billion, billion sized database and some correlation engine to pick out those 5 incidents. there are companies working on that right now. that is one of the most important things you can do with all of that information because correlating that information will get used to that issue you need to prevent or you can at least respond to quickly. i keep going to that response,

incident response, how companies do this thing called war games and continuously cast their incident response so they can do that but that data is critical and yes, it is big day. >> we have ti . >> we have time for a last question. >> want to talk about the human aspect of threats. insiders came up with that and that is very interesting. just to give brief background, my focus, my coverage is on particularly chinese espionage, working lot with the human side of cyber which from my context they have been telling me becomes much larger problem.

larger companies because of cybersecurity system is getting a lot better, state-owned enterprises but government's having to go through the inhuman elements of company networks and curious about your thoughts about this new problem we are seeing, how large is it and in terms of larger scale of attacks but what percentage is there a human element? >> you said that -- talking about intellectual property theft. people inside the company, you had mentioned before bringing their own devices. affecting the network. i have been told this happens intentionally and and intentionally but people can for example fight a vulnerable and affect your computer and access

and at and i'm curious what skill you are seeing, i use the get often and just starting to come up? >> it occurs obviously. bigger coming years? probably. and rules about how what you are bringing in, what is allowed and how that helps mitigate that threat. that is the best thing you are saying. >> a lot of folks coming in bringing their own computers and it is not nefarious, just doing it -- it might be growing. i don't think people are focused on that as a way to beat the system, using personal computer, not because they take the data out but for convenience or that is -- it is a big problem.

>> to let you know there are computers on it, company computers so they can do that. you can actively apply. and also have limits for what is being done. >> we don't really -- mobile laptops, i guess one of the best ways of mentioning it is realistic in private industry, my wife works at night at 2:00 in the morning on private industry but i have to leave the office and be done. we have tighter controls because we still have that, we can't use

them. >> last question. >> great morning to all of you. i am the ceo of my token international company, my company. i have a question for dr. -- the doctor. yes. the doctor. my question is you mentioned the book the art of war. i read the book along time ago. i think probably it speaks about the element of surprise. as far as cybercrime, how can you deters the element of surprise or is it effective at all? who is getting surprise?

>> the perpetrator -- will we get surprised because they got away with it? >> i just asked you a question and you are asking me a question? [laughter] >> the point is every perpetrator, every threat agent wants it to be a surprise. even the activists, these groups that they will attack your company or your organization or whatever just so after they do it they will say now the surprise is over. the surprise is the attack and now we're going to brag about it but the nature of these attacks is surprise. i am not sure i understand the question. surprise -- we're cyberwar.

surprise is degraded vantage for adversaries and to that point anybody that is attacking will want it to be a surprise so i think you will see the element of surprise as one of the things he always tells you you need to have and you should never be surprised. the other side of that is if you are preparing correctly and doing all the things you can to have the most hardened target that you will prevent surprise. or reduce surprise should i say. does that answer your question? >> yes, sir, i appreciate it. we are over time considerably. we will have some questions in the lobby and i apologize that we have not been able to get everybody. is wonderful that there are so many questions.

we will continue the dialogue next tuesday at 6:00 in association with the downtown alliance. we will have a number of cybersecurity practitioners from the downtown tech community speaking about their products and awareness of is upstairs in the upper room, 6:00 tuesday. there is any event going around, otherwise show up early and we will get you in. thank you for being here. i am honored to share the stage with such top professionals that speaks so well and thank you to all our sponsors, computer forensic schools, and darren haze for his research and work culminating at this event. and look forward to saying hello to you over a cup of coffee after words. thank you very much. have a wonderful day. [applause]

>> treasury secretary jack lew will testify before a house appropriations panel today. topics will include the treasury department's budget and sanctions against russia. live at 10:00 eastern on c-span3. >> secretary of state john kerry commemorates nato at 65st anniversary and the tenth anniversary of the european union at the atlantic council. live coverage of his speech setting and a one:30 eastern on c-span2. >> my critics in the international community call me arrogant. i will not even honor that with a response. screw them.

don't say screw them. let's hit them with some rhetorical eloquence. my friends, our purple mountains with ramparts red glare white with home and justice for all, free planes gallantly streaming, from sea to shining sea with a shining pity on a shining hill above the shining for area and maybe some shiny freeze, i see a shiny america. >> watch this year's white house inner lives that it night. president obama and joe mchale with community headlines before an audience of celebrities, journalists and the white house press corps. coverage starts at 6:00 eastern with red carpet arrivals followed by dinner. live saturday night on c-span. >> u.s. senate is about to gavel in for the day beginning with a general speeches and ellen:00 eastern the begin procedural

votes on judicial nominations for district court positions. senators will recess at 12:30 eastern for a weekly lunch meeting, they will be back at 2:15 to continue debate to receive the go ahead during the morning vote. live to the senate floor here on c-span2. the president pro tempore: the senate will come to order. the chaplain, dr. barry black, will lead the senate in prayer. the chaplain: let us pray. o god, in whose life we find life, open the hearts of our lawmakers to the whispers of your spirit. make them productive, accomplishing your purposes on