
tv   Key Capitol Hill Hearings  CSPAN  October 6, 2016 8:28am-10:01am EDT

8:28 am
but it is there to be used. the epa is carrying out a law that congress duly passed. >> when you sit here and think about what this rule doesn't use that back for a minute and all the discussion we've had about what plants should run, what plants should run, what kinds of new generation should be built, these are quintessential legislative questions, and congress should be answering. i understand the frustration that the judges have and express that utah about congress not asked. the fact of the matter is congress has a map. these are the types of questions congress needs to answer. when you look at the statute, it just added step back from it and you take out the fact that gas climate change is a very important issue.
8:29 am
this statute does not authorize epa to do what it's doing. congress needs to make these types of delicate balancing decisions about my generation and how our energies to their word in the country. >> what the supreme court said -- which said that the issuing -- >> the person with the baton can talk. >> there is this unbroken decade of massachusetts and our colleague states including u.s., california and others who have really been seeking epa action on carbon dioxide because we believe and have consistently believed that the clean air act authorizes the epa to take action. that decade, you know, includes the epa case before the supreme court with a shadow over the whole court and the whole
8:30 am
argument. it is a pollutant and not only that but the clean air act was intended at its outset and throughout its amendment process to respond and be capacious enough to address the emerging threat. that is really all -- >> in fact, my predecessor in my current job which is the chief of environmental action argued that case before the supreme court. it really sets the agenda for epa and the states continue to press other options. we had an idea that there should be a federal common law remedy for states who are dealing with
8:31 am
power plants and cutting carbon pollution. this isn't just academic. this is threatening the coastlines of our state. with sea level rise in store and was referenced in the introduction. the accuracy in the legal framework to me answer this case and provide a section 111 is a tool of the epa can use them that epa is going to reduce pollution. there's no point in doing this if it is not meaningful reduction. epa study solution standard this rule, which is determined. >> i want to ask you a question to a related issue. one thing i found interesting is that department lawyer side.
8:32 am
i've been covering the power plan for years even before it was ever proposed and throughout this issue has been whether it's president obama talking to the u.n. or epa administrator gina mccarthy talking to leaders around the world about how important this is to the paris climate to which i think the first mention of the paris deal today is interesting because as a reporter i see the administration putting this clean power plan up on a pedestal. very important policy. they fact check a little bit i would say. nonetheless it is clearly a part of the u.n. deal in paris and yet the justice department lawyer arguing last week uses words like incremental and moderate degree of carbon reduction. that's a very different from a president obama in gina mccarthy has spent the last couple of years.
8:33 am
how can you declare that. i understand why for my nonlegal perspective it seems that the doj lawyers doing that so i guess it seemed to transformative congress passes out then. can you speak to how this can be the most important policy the u.s. government has never issued and that the same time the incremental in terms of its impact. >> so it is the centerpiece of the climate action plan issued in 2013 and the clean power plan and the broader climate action plan are absolutely critical to convincing other countries starting with china. for years we were in a vicious circle with china, especially under the previous administration. i won't because he wanted they would point fingers at each other. but the obama administration was
8:34 am
able to do was get to a virtuous cycle where i will if you will. the chinese have their own concerns about climate change and their own concerns that they need collective action from all countries. >> had he declared that permit the justice department that? >> this is important to show the united states is moving. what is happening is the marketplace is moving behind the power plan even faster than anticipated. if you were to look at the clean power plan's goals, you might conclude one could go further. certainly a reasonable cost because the marketplace is moving so fast. they made their best assessment in 2015 at how much further beyond where it seems the marketplace is going. he could push under the clean
8:35 am
air act and have a story to tell, a good story to tell about modest cost in overwhelming and if it. if anything undermining that now is a marketplace is moving any day. congress is supporting movement with the extension of the wind and solar tax credit last december. so you know, you're going to have to keep looking at these climate initiatives and determine whether we can go further than needed. we are not on a track is a country in the world that needs to the one point by decree target we had to reduce carbon pollution and the other greenhouse gas emissions. this is a start and it is modest in real life now. >> is one of the want to comment on why you think the justice department would consider two
8:36 am
different regulations. something got pulled out underneath a rock you would think they are not talking about the same thing. >> i think they are speaking to two different audiences at the president in gina mccarthy are speaking politically and show this is a very big deal. the justice department is talking to judges and they emphasized different things. >> do you think there'll be a weight on the decision at all? >> i think the judge is under and that this is a big deal. whether you want to use the word transformative or whatever it is, they'd know for the first time in history the supreme court stepped into status role. they also decided for the first time in the history of the d.c. circuit that they were going to hear this en banc without a three-judge panel. all the justices, all the judges know the this is a big deal
8:37 am
whether or not it's transformative. i just don't think anybody can really dispute that. the whole question about whether this should be congress or epa is just another thing under the clean air act. it really didn't help your case very much if you've been saying congress should act. we are going to go ahead and take it into our own hands. i think they notice and again probably all of us in public office to emphasize different things when you speak to different audiences. >> that's the difference in trying to get congress and the bush administration and get to some of the results come medicare role in the clean air mercury rule the president and
8:38 am
his administration. >> wheel and i'm not. >> always have to use the existing law. at the same time you work with congress. this is not the first time the epa had authority to regulate sulfur dioxide. they had multiple price of the clean air act before that. >> i want to drill down to what you just said, which is his or her administration. watching online that the hash tag epc live if you want to share this on twitter. please be thinking of questions. we'll have two people with microphones running around so be
8:39 am
sure to find them down if you have any questions. i do want to ask a question about politics and the presidential election. we've got more than an hour without talking about that which is pretty surprising and impressive getting we are a month after the election. a lot of scenarios could play out regarding clean power plan depending whether donald trump or hillary clinton wins the white house in november. some people have choose your own adventure in terms of how you want us to play out. some people will probably be unhappy on november 7th. just a wild guess here. i want to keep our discussion contained. i want to hear from each of you. let's start with a potential trump administration. what are you going to be looking at? what could be a couple of the
8:40 am
biggest things? alice then come with you. >> if we have an administration, the first with the present administration defend this prior existing rule of the clean power plan. at this point we have done in the d.c. circuit that there is going to be an opinion. if epa were to lose with the trump administration's weak start to you? probably not. if the petitioners were to lose and were to seek start, with the trump administration coming in now, defend that rule? do you have that? then there is a whole other layer of the day dissenting activity to try to repeal it? in other words, do some kind of rule making or if that were
8:41 am
reinvented with hiv restructuring? you are right about it being a flowchart with many different avenues. >> you have any thoughts on how this could play out? >> i know he or at least members of the campaign have said he would revoke this rule. and i think based on for a number of reasons that wouldn't be that difficult to do. if a d.c. circuit comes out with a decision before they take office, then whatever they do it have to take into account that decision. as someone who's been involved in several transitions from one party to another, i can say it is difficult for a new administration to undo certain regulations even though they don't like them. but this is not one of those rules for a whole bunch of reasons it would be relatively easy to 12.
8:42 am
they said that is what they would do. we will have seen if that actually comes to pass. but i do think that i would take them at their word and that's probably what they would do. >> would you guys been said the trump administration? >> all of your gainfully employed for at least the next decade. >> there's no question that the advocacy on this site is the case has been vigorous throughout and would continue and was massachusetts versus the epa that the administrations change. we feel very strongly that we have an agreement with bph are regulated under section 111 that was entered in court, which is really how this process was taking off about five years ago.
8:43 am
we expected we would be in court again to ensure that the epa would be coming. >> i think there is less to be known about what she might do given what we think that might do. let's discuss the clinton administration. david, i will start with you. what do you anticipate happening depending how the cases go. >> i'm sorry, i can't discuss the presidential race because i am here in my nrdc three capacity and i'm not able to. we just observed how much has changed ms remarked earlier. the judge anonymously to it knowledge climate change is a real problem and among the lawyers, to be that boys is
8:44 am
skepticism or climate which you might have heard for years ago or six years ago or seven years ago. we didn't hear from judge sentelle back in 2003. we didn't exactly speak to the science, but he did see a problem equally shared by other and so therefore no one is 10 inches. he was overturned by the supreme court in massachusetts and the standing question as well as the man. and then in 2012 i think it was, he ruled together with judge judge rogers unanimous they upholding the endangerment determination. so times have changed. it's necessary for politics to catch up with reality. >> can you comment about how the industry might raise on, how
8:45 am
they respond to the potential scenarios? clinton is likely going to defend that she can. but avenues does that give industry and state that are suing? >> i think industry would remain on the path the design, which is continuing to challenge. i think most people think given the supreme court having stayed this rule it's not the end of the road in this litigation. >> the supreme court will not have a seven-hour argument. >> the supreme court is not the same supreme court that issued this stay and it's going to pick up a new member presumably sometime late this year or next year.
8:46 am
the prospects of air are different. if you could oppose the rule -- so in a compelling opinion with a large majority of the court, including a couple of the republican appointees. it is not beyond the realm of possibility that the supreme court does not even take the case. the setting but read that they do. a full court might not. that might be the end of it. very many clean air act controversies which ended the d.c. circuit. one point that i like to make in addition. one of the judges called out one of the attorneys for what she called the bait and switch.
8:47 am
there was a strain in the argument from the lawyers for the industry signed that it's always some part of the clean power act that the right ones to use against the carbon pollution from power plants or perhaps you can't do it at all. i don't think that argument is going to sell at this quarter. >> i want to go to some audience q&a. >> the thing as a lawyer that is kind of remarkable about this is it is at least possible if not altogether unlikely that he would have a 5-5 decision from the d.c. circuit and then you cannot a decision from the supreme court into that be the case and in that case it will be upheld. so without a 10 member d.c. circuit and eight-member supreme
8:48 am
court we face the prospect of never seeing where you could have google upheld even though the judges are divided half half. >> here is the lightning round question. yes or no, more than 55% say the supreme court will ultimately have some sort of decision. >> whether they opt not to take it or whether there is a tie. yes you think there is one of the 55% chance. i would like to throw it out to the audience. we have a couple over there. please state your name and your affiliation please. please take your question too brief. >> excellent discussion with
8:49 am
climate change. let's take the case despite your hold back that they do take certiorari grants just as pending. it is that roberts issued a bitterly dissenting opinion in massachusetts versus epa, which we think of some motivation for why he stepped in with the five-four majority and issued an unusual stay. so does that create a charged atmosphere if it goes for the supreme court given that we already know chief justice roberts position on massachusetts versus epa and the whole panel. do you think roberts wants another swing versus epa. >> a tardy taken to worsening sense. the american electorate power to stick with the massachusetts
8:50 am
holding on the clean air act and the epa case and there is no questioning the premise and the industry sought supreme court review of what's endangerment determination in the game take that case. those issues are way behind us. >> don't look so shocked. >> david and i agree on something. i do think that it's reopening massachusetts versus epa will be with the supreme court looked at. it won't be a question of whether you can regulate under the clean air act. it's a question of how you can regulate. that is what the epa case wise.
8:51 am
this will be similar. were david and i would disagree issue with day that the how you assign and i say that the how here is not fine. >> that is great and we are done. >> i agree, too. judges are remarkably good at moving on. he would write these bitter dissents and then he would kid consider himself down by this decision. >> anymore from the audience? >> michael fitzpatrick with general electric. i have a question for jeff. i wonder if you could elaborate a little bit more on his theory that under a trump administration it would be relatively easy to overturn this
8:52 am
rule. in light of the state farm decision, in light of the real possibility that there will be a d.c. circuit opinion, i would be interested on what the easy path is because my reading of administrative law with you that it's possible but actually quite difficult and the need to go through comment rulemaking and then a full set of litigation. it would be interested in your further thoughts. >> agree with that completely. there's no question they would have to go through rulemaking. the d.c. circuit by chief judge garland with the agencies are free to change their minds on policies that unless it provides a reasonable basis for doing that. the administration would put out a proposed rule and next in line five their reason of the clean air act is different. they might be a depending on what the d.c. circuit says a building block one only rule.
8:53 am
but they would expand the reasons for doing that and put it up for comment and issue a final rule. the rule would be challenged i assume. but i think it would be very difficult even as good as our friends from massachusetts are biggest required to use this kind of a system. i just don't see that happening. there's no question we can go through rulemaking but honestly i don't think that would be all that difficult or time-consuming given that all these issues are key to a pretty squarely. so yes he would have to go to notice the comment. you can do that in probably a year or last in depending on whether the rule is still standing and presumably it would be that would be all that difficult. >> i have a question here from the internet. in ohio some lawmakers are
8:54 am
currently trying to weaken and further delay any enforceable increases on the state's existing renewable energy and efficiency standards. if that was to have been there or elsewhere with a bad position at the clean power plan is ultimately upheld and in the same vein, could you comment on the possible upside or downside that would require state legislative approval for environmental protection agencies can move forward with implementation plans. the question about how does with the states are doing from us a perspective impact at the federal level. you want to comment on that? >> renewable portfolio standards programs i really also bipartisan in nature and there have been proposals to grant them back in certain states. i think the general at events across the country affected the extremely successful.
8:55 am
you see a lot of states even on the other side would have massive wind resources doing great things with renewable energy. it will obviously change the situation in the states with respect to clean power plan compliance. they take the foot off the accelerator and renewable energy. but what we have seen is that many state those efforts have not been particularly successful despite a lot of political effort to get them through. renewable energy is politically popular in the state. so i think that is really the first aspect of the question. you know, the state legislators with their state agencies in terms of planning for clean power plan compliance are making a mistake. it is something that states can do. they are very familiar with
8:56 am
planning around clean air rules. this is a somewhat different task in certain respects. it is very doable in the experience of the states i was talking about earlier. the states really confirm that. a diverse purpose dates despite new hampshire is very different in massachusetts and new york and we worked together by consensus and god really these fairly ambitious goals put into state regulations and laws in very short order several years ago. that is an example of states that are looking not for state agencies to look at. it is not really the kind of herculean task that some of these arguments suggests. >> d. of a comment from their head? >> very quickly, we all agree is a practical matter the clean power plan is a federal renewable portfolio standard.
8:57 am
>> i'm not sure if everybody agrees with that. we all agree it's tuesday. >> it requires collectively a certain emission rate the mac and epa expected to be built largely. if a state where to undo it on requirement, the same amount of energy as renewable energy. so i think these individual state standards may move it around a little bit. but the total amount is going to be largely the same as the clean power plan is in place. >> i just point out governor kasich is resisting this is because he understands the value of the energy efficiency and renewable requirements in that state. any state which hamstrings itself in this way is increasing the chance assuming the plan is upheld that it loses the ability
8:58 am
to write its own plan when it comes subject to a federal plan. the american legislative exchange council i think what we need is a smart alec that would be more conducive to better stay planning. >> more questions from the audience. right here in the front. >> i am only from s&p global market intelligence. the judges offered a number of hypothetical regulatory options throughout the day. i think it was just to let that pass of the epa would require all planned switch to gas. so i guess particularly from jeff and allison, what would've been illegal use of the clean air act in your opinion? how should the epa have regulated clean power plan? >> that actually comes up in the litigation and the petitioners are never disputed building
8:59 am
block one is proper use of section 111. another race, putting in place energy efficiency measures at the plant. in terms of actually converting a coal plant to a gas plant, no one i don't think on our side with the addison appropriate is because that is what is called the clean air act redefining the sewers. -- source. >> we disagree about that. they have observed plans can make substantial reductions, very deep reductions by switching to gas or by using carbon capture and storage. they have served that is more expensive. it is not too expensive to be required under section 111(d). and they further observed that if they did have the standard based on gas co-firing or ccs, but with the power come they do?
9:00 am
they would operate more in these plants yes. >> the nrc sees support is one option. >> well, we support the rule that is written now. we would like to see further exploration of that if there were a ruling that somehow was limited to building block one. bootsy building block 100 more in it in the near to nina. ..
9:01 am
as we become more reliant on gas. and what are potential options. what we found was our infrastructure we have now was adequate to keep the lights on, and that certainly suggests that we should not be investing tremendous amount more a new natural gas infrastructure. one of the strengths of the rule is that it utilizes existing infrastructure that's in place and maximizes the use of that infrastructure. that's a smart decision for ratepayers and for reducing emissions at the burner tip. there's of course no budget issues our natural gas which we don't have time to get to which are not at the burner tip. >> i saw a question back there in the corner.
9:02 am
>> shifting a bit more than the technical aspects of the regulations, i guess in my reading and interpretation seemed like is almost too prescriptive in terms of the technologies that it was calling for to reduce carbon emissions as opposed to trying to about some flexibility. while the regulations say the states can come to epa with new technologies, there's always a concern that maybe epa will not accept it. so for instance, there's a lot of discussion about carbon capture and storage as opposed to use. do any of you any kind of thoughts or opinions on that? >> i would just start by saying that you need to understand the way these rules are set issue come up with a reference technology storytelling this case is a fairly public and one with the three building blocks. but then it comes out to be a performance standard and
9:03 am
emission rate per megawatt hour. they can be achieved using the credits. anyway that the company chooses to do that including by making the conversion to gas or carbon capture and storage, or any new options investment in energy efficiency downstream as well as the renewable energy. so there so many different ways that a company has to implement this. and then states have further choices. they can use this rate-based approach which is what we all dedicated or they can switch to a mass-based approach with the conversion teaching to all violence is a cap-and-trade system. it's hard to imagine what more flexibility in it than this. >> just know that bp thinks about this i don't think epa has
9:04 am
an interest in restricting technology. my own -- >> probably the nicest thing i've ever just about epa. [laughter] >> i actually a very high regard for the folks at epa who did this rule. i think they been pretty clever. i think you try to maximize flexibility that i think ultimately they decided in a way that will strongly encourage states to adopt some sort of a trading system, and under each of the systems people have brought flexibility to figure out how they're going to comply. >> we have time for one very quick more question from the audience. if nobody has a question i'm going to ask about donald trump. whether or not you think is going to win. actually no, that's not what i'm going to ask. i do have one more question, actually to a question. one as a lightning round.
9:05 am
you talk mostly about one but which of the other four could be a surprise argument that could if you had to take a guess, you get to pick one that could be the surprise argument that makes an impact on the decision, which one would it be? >> i'll go first. if the court has a hard time agreeing on some of these big issues, and they probably don't want to have a split decision either. it is a real notice problem here, and i was one of the four issues we argued. as you may remember we have this event here 18 months ago, the proposed what we're talking about is completely different from the final rule. one of the arguments is epa is free to change its mind but a nasty people notice so that they have an opportunity to actually comment on the rule that epa is going to design. i think it's possible the court which they were not put aside beyond one defense of the culprit epa should have gone
9:06 am
official out for public does. that would be i think, that some people expecting but if you look at away they could kind of punt on this and send it back and said you've got to go through the proper process. so i think that's a possibility. >> do either of you think one or the other arguments could be a surprise argument? >> i really think most of the other arguments were duds so i would be very surprised if any of them landed with any force. >> great. i have one last lightning round question, which is to say you have one word because we are out of time, someone could ask you the you predict will win because -- >> we leave this discussion to go live as cybersecurity experts are about to discuss government leaks and hacks, cyberwarfare and protection of consumer data. this is hosted by the "washington post," just getting underway. >> it could not come at a more interesting time. this summer the democratic national committee was hacked
9:07 am
likely by a foreign government. just last week yahoo! news announced a breach affecting hundreds of millions of people. just yesterday an nsa contractor was arrested for stealing the agency code. so the question is what's next? this morning you will hear from government officials, security experts, industry leaders talking about the top cybersecurity issues facing us today. and we want to hear from you including those of you watching us online, so please tweet your questions to hashtag wp cyber. we'll be taking those questions throughout the program. so now i'd like to quickly introduce john davis. he is the vice president and chief security officer of palo alto networks. today's presenting sponsor of the program. he's going to say a few words. thanks. [applause] will. >> good morning, everyone. it's an honor to be a sponsor for this event today. i'm really excited about the
9:08 am
agenda and we're looking forward to hearing all the distinguished speakers. i joined palo alto networks about a year ago after a 35 year career in the u.s. military. most of that group was in special ops doing some really cool things, but the last 10 years was in cyber operations, cyber strategy and cyber policy. and i can tell you that the u.s. military really takes cyber seriously, became the mission force. i say that because at palo alto networks, just like in the u.s. military, we have a mission. protecting our way of life in the digital age. very important to us, very important because the digital environment is the underpinning for everything that we do as a society, as an economy, even in national security. i'd like to quote another general, a famous, much more famous than me, sun tzu. and i will paraphrase. he said basically know your
9:09 am
enemy and know yourself, and in 100 battles you will never lose, or something to that effect. what do we know about the enemy? the modern cyberthreat. well, we know that it's a professional marketplace of information sharing these days. and we know that the decreasing cost of computing power and the use of automation and cloud capabilities means an ever increasing number of cyber attacks that are coming at us. and with the explosion of polymorphic malicious code, we know these attacks can happen at the thousands and millions in terms of every day, every hour and sometimes even every minute. there is some good news about the threat, and i can tell you from being on the inside, there are only a certain number of limited techniques that every cyber actor and every cyber organization uses. buffer overflow and heap spray are some of the most common
9:10 am
types of techniques. there are only about two dozen of those. and every cyberthreat and every cyber organization uses a set series of steps called the cyberthreat lifecycle, or if you're at lockheed martin, the attack kill chain. the steps provide an opportunity for the defender. in terms of knowing yourself, what do we know about ourselves in terms of cyber defenders and the cybersecurity nerd in general? i believe we've been living with a failed model. whereas we say the attacker has to be right once, and the defender has to be right everywhere and all the time. that's a bad model. we just talked about the attacker leveraging automation and decreasing cost of computing power to come at us in ever increasing ways. while the defender uses a series of isolated point products that simply adds complexity to the environment.
9:11 am
and we use technology, the defense uses technology that's mostly oriented from a legacy view on detection and response instead of prevention. the adversary uses a marketplace of information sharing, very effectively. we have trouble with the cyberthreat information sharing from the defense side. what does a good model of ourselves look like? i think there's no silver bullets, it has to be comprehensive, has to include people, processes and technology. i think one of the keys on the people side is education and training. that's for the workforce that deals with i.t. and ot as well as the general population and let's not forget leadership. today is about that. it's about education. on the processes side, i think one of the most important processes we need to improve on is cyberthreat information sharing. we need to do it at scale and at speed, that means automation and standardization. and, finally, in technology we
9:12 am
need to move from a legacy view of all we stand at the crime scene by detecting and responding after the fact, to a prevention first mindset. we need to be able to leverage automation in ways that the threat is using today in order to keep up with and even exceed the threat. and we need to get out of the manual response that's largely based on having to hire more and more people to deal with this, and move to an automated capability that lets us save our people for only what people can do. those to me are the keys to success in moving to a successful view of ourselves as cybersecurity specialists. i really look forward to today and the conversation that are coming up. i hope that you enjoy today. once again it's about for me to be here and sponsor this event. thank you and i will turn it over to chris. [applause] >> thank you.
9:13 am
thank you so much, john, and thank you again to palo alto networks and our supporting sponsor raytheon. i know there are still people coming in, there are still chairs. we will get a seat for everybody. don't be shy. i would now like to introduce "washington post" investigative reporter robert o'hara. you will lead our first discussion today. thank you. >> good morning, everybody. hope everybody had some coffee. as she said i'm robert o'hara, i'm a reporter here at the post, and for years on and off i've written about technology, the rise of the internet and several years ago about cybersecurity. interestingly enough, the issue of cybersecurity was very, very urgent in the early 2000s, and
9:14 am
it's only become more and more important. literally i would say by the week, we have heard about massive attacks, various attacks that have exposed people's information, led to theft, created national security vulnerabilities and left us all a little more uneasy. today we have some people that are on the front lines of trying to fight that on behalf of their clients and by extension on behalf of all of us to make the cyber world a little safer for all the social engagement that we have, all the business that we rely on. and once again, for national security. patrick heim is the head of dropbox, he's responsible for sharing secure complex of the company and the dropbox service. kristin is the chief executive and founder -- after consulting company that works with industry
9:15 am
and government on cyberthreat issues and policy. and she is a veteran of the telecommunications industry. which is fundamental to the cyberspace. brian reed is a chief marketing product officer at zerofox for social media channels. i think we will start with a bit of the news. we could almost cherry-pick the more interesting and unsettling bits of news it was announced this week that yahoo! scans e-mail and use other quests of the nsa. the company said they were abiding by the law. what are the margins here, to what extent should companies comply with the law even if they have philosophical and internal, ethical differences with those requests? why don't you start a? >> wow. i'm not going to comment specifically on the case. i don't have enough details to have an opinion whether it was right or wrong. on the philosophical issues i
9:16 am
think companies do have the responsibility to abide by the law but also their fundamental responsibility to the trustworthiness of the service in providing a service to the customers. so to the extent that they are compelled to do something like that, i would say that has to be balanced with a certain degree of transparency to the users as well. >> in this case is a request from the nsa. if they're the recipient, that's a legal obligation. how do you notify customers and protect this vague notion very important notion called privacy? >> i think it's about the as a former general counsel of the big company the first thing to do is figure out what is the law that applies and has legal due process been followed if that's the case then you have to comply. and next up is how do you react to your customers. it's a balance. you want to do right by your customers. sometimes in terms of data breach notification it helps the customer if you don't notify right away.
9:17 am
if you take the time to look at the into any network watch them sometimes to forget is it really a mature, litigation or not if we notify them. so there's little bit of a judgment call. first is that what law applies. in terms of breach notification the article was most every state. 15 plus bills in congress talking about how that should be structured, should be harmonized across the states are not so companies do what to do. the question congress is still debating. >> do corporations have any civic role in pushing back on government request for data as part of an effort to either embrace or encourage the change over from and the type of laws that give the government access to information? >> this is a situation we could leverage classic public-private strategies that have occurred in the past, in terms of business should be working with the government to try to establish a set of standards that meet everyone's needs are trust and
9:18 am
privacy. i don't think we want a world where the government automatically creates new rules don't want a world where business gets to do totally whatever they want to do with your data. sightings of establish privacy and norms. we look at industries like financial services, there's a set of norms, rules and regulations about how the banks operate, how to deal with privacy and your financial information. how can we get those kinds of relationships intentionally developed between individual business and the government to get to level of understanding and cooperation. >> let's stick with the news for the moment. we all know that there are a whole variety of cyber attacks that could occur. there are zero-day attacks where the bad guys use heretofore unknown vulnerabilities in code. there are social engineering attacks which we'll come back to in a little bit. we all i believe agree the social engineering attacks which is about as simply as you can get
9:19 am
poses an enduring and a profound threat to our security systems. but i want to talk about a threat that doesn't get a lot of attention because it's often not considered a hack, which is the insider threat. we know that the insider hack i should say, we know that the nsa, it was reported this week, arrested another contractor who either took or was trying to take some really powerful code that the government was using to hack into systems abroad. i'd like to hear your thoughts, maybe you can start this time, about the nature and gravity of the insider hack and how corporations and other institutions can prevent it. >> i think from the perspective that have at zerofox look at the insider threat is really how do so become a source of data leakage. you have the inadvertent leakage
9:20 am
which is something osha and confidential information to give you a perfect example. we had to separate your customers. some extent affordable whiteboard, texas snapchat and the whiteboard, company financial and that's in the furnishing of michigan have the intentional. there's an interesting situation to do with to what degree should the company be monitoring your activity and looking at perhaps who they are associating with on an external basis. are they communicating with certain known bad actors in the social realm, for example? should a company be allowed to monitor that and should a person be held responsible for that or not. i would argue companies, in fact, have a total right to monitor their own networks because they're the ones that are responsible and in charge. so let's think about that for a moment. companies are allowed to do that. let's accept that for a moment for sake of discussion.
9:21 am
when does that kind of surveillance inside a company, now let's extend more broadly, the government has the right to go to yahoo! and the that e-mails. i don't think anybody here would disagree that kind of surveillance can improve cybersecurity. but when does it become onerous and how do we strike a balance, balance between the security and the emotional well being of all the rest of us who don't want to be spied on over the speakers that the line people try to figure out. anyone who looks at insider threat realizes there's a lot of data from which to draw, and data that's not necessarily sensitive on its face. a company has the data when you show up and when you leave. when you log into computer, the aikido to generally, when you're reaching, when you get to the office. h.r. might be where you have an issue at all or your bowling and a plan. if you take all those factors together and look at the melissa could you can paint a pretty picture when someone is going to
9:22 am
do something. >> that's very interesting. that sounds like something i would read in the counterintelligence. >> it's true though. corporations have access to that data that's not necessarily sensitive. it's what i think people fall down most is putting it all together. >> to have a choice to not take the steps? human element in cybersecurity is pretty important, isn't it? >> it is very important i don't think we've struck the balance between the capabilities of technology, but what can we do, the policy behind. i believe the capabilities may exceed a policy discussion, and the assumption that was made about an employer's ultimate right to monitor, that's not necessarily something that's held to be true in europe and other countries that have different legal frameworks. >> good point. we talked earlier about social engineering. i know you've given a lot of thought to social engineering. would you describe the difference between social engineering and a zero day,
9:23 am
which is revealing as the choice? >> we have a billion users around the world and we see a lot of the attacks that happen and the vast majority are very unsophisticated. they are associated with attacking individuals, getting passwords and leveraging password reuse to compromise accounts to get access to data. this doesn't involve very sophisticated attack tools but it involves automation and very organized individuals working on this. the sophistication of the threat actor is high but the technical sophistication is relatively low. >> you used some term some people out here will recognize, it quickly what is password reuse? >> i would say that secure the number one risk that consumers face. that is a tendency to use the same password across many different sites. what happens is it's like the weakest link. if one of those websites is compromised and those passwords
9:24 am
are stolen, they are automatically tested against many other sites to see what can the bad guy get into now. >> you are saying if i use live long and prosper as a password edward that's a procedure? >> not at all. all it takes -- we have been advocating for authentication for 100 the white house has an initiative to drive higher enrollment. we look at the data. there's a challenge with consumers -- >> give me an example of that. i'm sorry to interrupt. some of us are lagging behind the current jargon but it's very important stuff. >> two-factor verification very simply is, on top of your password there's something else that they need to get into your account and that could be responding to a message, could be an app on your phone with a code that changes every minute or it could be a hardware device that you have to activate. those options are made available in many sites.
9:25 am
but they don't have a high degree of visibility. they are not always turned on by users. at dropbox for example, we offer three different methods and we see 1% of our users opting in to turn those on, which -- >> what about social engineering? >> social engineering is very interesting. our mission is to protect and safeguard our customers, enterprise or impose. on the social networks, facebook, twitter, linkedin, and other networks. so when we look at what's happened with social engineering our research team spent a couple of months and at black hat showed how often to those can be built for social intimate. we have a technology called snapper that should apply that. snapper can profile the use of a basic learned from your tweet stream and engage with and get you to click on malicious links per we don't social tested in a number of organizations -- >> stop.
9:26 am
you said i.t. think it was a malicious link? >> it would be a link to download ransomware, malware, link to capture your credentials like a fake credit card site for blogging to affect bank with a candidate user bank user id and password credential harvesting. >> you are saying when i'm procrastinating or cruising through twitter and clicking on things i could actually be exposing myself to the virus? >> exactly. and i would bet you have learned that in e-mail you should not click on links from people you don't know, or the places you don't know. what we found on social is that people think it's safe and so just click on the link. the human condition of socialization that maybe i shouldn't click on that link standing up has not carried over into the social media world. the bad guys know that. what we've learned is social media attacks are typically six times more effective than e-mail for attacks getting behind a firewall or stealing information. >> what do you tell your clients about social
9:27 am
engineering? >> first of all as a lawyer i want to make sure there's expectation of privacy at the outset. what are your expectations, make it clear of the device they use poses a really interesting angle. if it's their own phone and they're doing this is a person from what is the expectation of privacy. i sit like that at the beginning so there's no question. and then employ the tools that are there. the tools i guess we can find the associated what's really going our prevent them from doing things before the internet were. the sandboxes. two-factor authentication is key. educating them, employees about the. i agree the white house campaign has been fantastic lock down your login. those have been aware that, go look at a. that's a great site called twofactorauth.org back and tell consumers what services are using, using two-factor authentication to educate consumers and make them aware.
9:28 am
>> it sounds like there's a theme emerging which is that testing it as a threat it's not just the technical response. it's an education. it's all of us learning how to behave properly with the digital hygiene. that sounds so boring compared to the sophisticated cyber world. how important is this stuff and what about the technical solutions? >> is incredibly important, and the challenge has been that billions of individuals that are online across the planet right now, and education i've seen recently affected is incorporation but when you look across the broad consumer space, getting individuals to change behavior has been very for difficult. i'm not quite sure whether that's the long-term answer. so i think much more research has to be done especially on the part of large technology companies on how can we realize that humans are going to be an element of failure, and how can
9:29 am
we help them? how can we compensate for some of those weaknesses? acclimate detection response better? as an example we build sophisticated systems that detect fraudulent login activity. even when somebody comes in with its own password, around 85% of the time we have enough signal to identify if the bank and we can block actively. i think large tech companies have the power, the research abilities to do that type of work to protect users when they have not been a part in protecting themselves. >> terrific. any thoughts on the education? >> what we're finding when it comes to the corporate enterprises and the agency side of the house is that education is just as important as the technology behind it. sampled socialization strategies where most of you in the organization are probably already promoting good hygiene on web. simply admit that with good hygiene of social.
9:30 am
it's a simple step where you can say just like you don't click on that link's in enough, don't click on them and so should you can also educate they should be using two-factor authentification on everything including your personal social networks. .gif your company technology or agency technology, and tactics like that, the same thing children will end of the committee government should apply to the social networks. >> so let's go with the grassroots of the users and the behavior up to the top of the corporations for a moment. it's been my impression going back a long way that corporations will sometimes make short-term decisions that are very profitable that create massive, even hellish cyber for those but i'm thinking about the credit card companies issuing instant credit cards at point-of-sale retail outlets which helps spur the blossoming of the identity theft issue. we should corporations be held accountable for cyber threats
9:31 am
that they create for their own bottom line that infect because the world is so interconnected create threats for the rest of us? and how do we address that? >> i would say they should be held accountable if they have not taken threat to crush and. that could mean any number of things for any number of companies but it's going to be dependent upon the type of customer, the level of threat can type of infrastructure they have. it can only of cybersecurity at the board level as a risk issue, then that's where the they should be held at fault. >> deeper government regulation of companies that use technology? >> i'm not doing that at all. i think the securities and exchange commission probably took one of the most influential steps when it published a couple different guidelines reminding companies that had to include cybersecurity breaches and issues in their vitriolic statements for disclosure. >> what about private companies? >> that's a tricky question because we don't have the fcc guiding them.
9:32 am
>> by law they don't have to tell us what they're doing. >> then it becomes a business case to what is the risk to the corporation. is in the consumer? you're losing to business because your not protecting their data. what is the threat, the risk, and then reacting accordingly. >> not to be doom and gloom but i visualize a giant map and saw the companies in the world and solve users in the world and based on what you just described there are huge black holes that lack information in this giant interconnected world, those giant black holes represent unknown security threats because of the behavior and the corporate use. how do we come with all of us around the world rely profound on cyberspace for everything from, this is not trivial, our social interactions and our national security, and our power grids and accredit grids. how do we fill in those black
9:33 am
holes? >> the question is how black are those holes? i think in the consumer space versus the enterprise space there are some differences but obviously when a company is selling to other companies they generally go to a variety of certifications around their security and their processes. they do testing. as a consumer, one of the interesting indicators i see that is a great test for the maturity of the company want to do business with is do they submit themselves to open hacking? do they compensate hackers? so their businesses what is called a bug bounty where if you find a vulnerability in their product they will pay a hacker which is amazing that it gets hackers oriented and a positive direction to make money and help solve issues. it is also a great indicator the organization that puts that out there feels comfortable and they want to learn more. to have a culture that is trying to identify new post in the system to protect themselves and their users. >> any thoughts on the black
9:34 am
holes in the map? >> what's interesting, and now my use of technology we will invent something every five to 10 years and create a new set of potential black holes come in the waves of innovation. social media today could not have happened 15 years ago. so i think it continues to be this notion of mixed public-private in trying to coordinate across those organization. i do think most businesses mean well. so finding more ways to partner, finding more ways to work together to make sure that we're covering things. if you look at my bad guy database and every other vendors bad guy database, why don't we have one? so there's an interesting places where federal agencies are now trying to encourage the sharing across organizations, sharing of information, encourage sharing of ppd with attack is the bad guys are using at the avicel space.
9:35 am
>> is a thousand world unto itself. i'm sure the panel did we get into the politics information sharing between government and private because that's a profound, long-term peace of the into. we have some questions on twitter. one of them is very interesting. can you offer advice to bring along slow adopters who are still interested in protecting their turf? maybe each of you can take a crack at that if you want to start. >> sure. the white house issued a few executive orders that are helpful for this the they created the cybersecurity framework a few years ago. that provides a laundry list of standards and a framework for assessments. so companies of all sizes can go to this framework and to help them assess what is my level of risk and what do i do in response to that. it is voluntary. it's also self-policing so nobody has to do it, to your point about black holes but helps raise awareness of what standards and processes are available and might be
9:36 am
appropriate for the level of business you have. >> my advice would be focus on the problem we articulated early which is around your own passwords as a consumer. use unique passwords, use a password management tool, like one password, lots of them out there that make it easy to unique and complicated passwords and turn on two-factor authentication. >> we were talking earlier about the things that people put in e-mails. what does have to do with cybersecurity? that seems so banal. should people be careful about what they put out about themselves on social and in their e-mail? >> we were talking earlier about one of the rules is don't do something you don't want on the front page of the "washington post." that is the reality. i talked about instagram inadvertent posting. so it happens a lot more than you would think. people don't think about the
9:37 am
you're on a trip to in a way, posing like crazy in a wide was a windows u.n. maybe now is a good time to rob your house. you might be in a very social world where you want your friend still much fun you're having in that part of the world and you also need to think about the prudence of assuring that level of information. there's an interesting human condition now we have the sharing economy, sharing communities n now special around social networks and need to make some conscious decision for itself, for your family, for your children on what is the appropriate level of sharing of that information, you don't want to go to see that? at only five to factor all but to also use the privacy policy to restrict my social post on my friends friends can see and not the rest of the world? >> what a fascinating audience, excuse me panel. very interesting ideas and thank you much for joining us. >> thank you. [applause]
9:38 am
>> hi, everyone. welcome to the post. happy that everybody here this morning. i'm a national enterprise reporter and former cyber reporter, although cyber still and happy to be on stage with this panel to talk about political leaks and hacks, the vulnerabilities of d.c. institutions to our cyber adversaries are something that a lot of people here in town are thinking about, also want to say hi to our viewers at home.
9:39 am
hope the folks in silicon valley are fully captivated. so let's introduce our panel. to my left is michael sussman, a partner at perkins coie. brett dewitt a staff director of the cybersecurity infrastructure protection and security technology subcommittee of the u.s. house homeland security committee. then thomas hicks, commissioner of the election assistance commission, and finally rich barger, chief information officer and cofounder of threatconnect which many people will be familiar with. i should want to start with rich and talk a little bit about the motives of our cyber adversaries online. obviously, we know russia and china are constantly probing if not gain access to institutions around d.c., and it's not an overstatement to say that they
9:40 am
are interested in the intelligence value of information that they find. could you talk a bit about that? >> right. with the threat to the intelligence that it depends on what motive, but operation, what affect the time to deliver. you might look at some of the traditional chinese espionage we've seen that has gone after a variety of companies, businesses as well as organizations such as opm that they could use or leverage that information for a variety of purposes, bolster an economy, get to market quicker with certain technology or perhaps counter intelligence activities they want to look for through various targets for recruitment, for operators within their borders. with regard to what we've seen recently with some of the russian attacks, we are still kind of looking at this activity
9:41 am
trying to figure out what their motives might be. it certainly looks they're being very aggressive in terms of trying to shape a narrative around just hang a question mark over our system. in the case of a lot of hacks, american exceptionalism, the fact whether or not our medals belong to our athletes or not. it could be a variety of different motives and with these types of groups are trying to do in trying to affect for their own national objectives. some of the things we've been kicking around the office is just for every story that runs in every conversation in and around the elections, what is the thing we're not talking about what we're not talking about syria, the ukraine. so there's some broader issues come to brought and what rush is
9:42 am
doing and the rest of the world where we're still hyperfocus ourselves here, particularly the effect were saying delivered here that mike -- a convenient distraction to keep us locked up in a very interesting time, and a very polarized event. >> i would follow up on that asking, do you think that they special attention being paid to the democratic party, even hillary clinton's run for president? do you think it's possible adversaries are as tuned in as we think they might be to the election that their interest in one party in the outcome that way? >> you know, i think that ultimately what's and is they are seeking leverage, and that i would not necessarily seek a that leverage in one party alone. i would find insurance and would
9:43 am
make sure i covered my bases, depending on however this falls. so i would be very surprised if this would not affect both parties, and perhaps might be the new normal. we see campaigns targeted going back as far as 2008, the president indicated his campaign had been targeted. so might we want to consider this in the next election cycle? and just really start to kind of focus that this is made in the way of life. >> michael, do you think that our cyber adversaries are politically astute in a way? do you think they paid special attention to the dnc because of the potential to see a clinton presidency? >> they are certainly politically astute. we don't know what to do. i think that we're in the middle of the book. someone is going to write a
9:44 am
these events now, we're in the middle, we don't other critically out but would really don't know what, there's a big political theater ticket who's trying to do what and why the time to do it. we don't know, we know there is to because we know it's russian state sponsor one of the groups are doing a very sophisticated and, in fact, this is their day job. and so when we look at activity we saw the most activity begin from 9 a.m. until 5 p.m. moscow time and there were people when we talked to the victims in the political parties we would say that unlike a company where a state actor would say let's find a company we can get into, this one the doors unlocked without, we will move onto someone else. for these organizations if someone's a day job to get into this organization and they're not going to go away. they are going to be persistent severe for sophisticated -- so they are very sophisticated what you're doing but it's a guessing game as to why they're doing it. >> do you think we could see the
9:45 am
e-mails or documents out of the dnc hack? do you think that's possible speak with sure i wouldn't discount the dnc hack. there was a broad campaign to hack party and campaign systems, personal e-mail accounts of people and collect it all. served as more of the. we don't know what we'll see. and interesting thing is that when we see documents we don't know who they are very often. so initially when the booster for documents were posted which would organization was working with, as a short-term is that yours, it's not really good because the document been created by one group, circulated to other groups. some the documents have been altered, some haven't been. some of them down to melbourne on them. the campaigns and the parties are really, really, really busy trying to elect candidates. and so it's worthy, aside job to have to deal with this by to start a full-time job so that is a lot of effort being put into looking at a document that
9:46 am
stolen and posted and figure out whose it was and where it came from come is an authentic or isn't it? their time to move on with the basis of the campaign of the parties. >> your boss, michael mccaul, said the rnc was hacked and then walked that back, wondering whether you are aware of specific chippy operatives who have been either killed or hacked, and whether your boss was really telling us the true story at the first point? >> i would say the point chairman mccaul was trying to make when he was on cnn was the point of both political parties have been hacked, trying to make the point that this is bigger than that and just look at the motive, the time, what these hackers are doing to look at psychological warfare, could undermine the integrity and confidence of the entire election system, republican or democratic looking at motives of -- looking at voter registries. those of the motives that we've
9:47 am
been briefed on and so the point chairman mccaul was trying to make is both parties are being hacked. this needs to be a bipartisan issue. we cannot allow nation-states to target either political party, and it needs to be strong consequences when those actions take place. whatever the actor is, and so that's the point he was trying to make. >> do you think republicans are equally vulnerable? >> absolutely. if there's anything, like i said, there have been reporting that republican political operatives have also been hacked with their e-mails and campaign related issues. both parties have been and i think looking at the political protestations i think will need to be vigilant that this is real, this is the way the future. we need to be vigilant and it's almost gives everyone a warning to all political parties and all state, local, or local, state and federal need to be aware
9:48 am
that this is the new world we have to live in and we need to be prepared for that. and we need to be looking towards november 8. there's a lot we need to do to ensure that we are prepared for the. such as think about being vigilant and everyone should be aware. >> thomas, let's go to you. for our younger viewers in particular, the question of online voting always pops up about this on in the election cycle, and many other people watching will understand why that's a bad idea. i'm hoping you could kind of walk us through what you think of that idea. >> thank you for having me here today. one of the things i know a lot of folks probably don't know about election assistance commission but it's a small federal agency that deals with the administration of elections and was formed after 2000. entrance of internet voting, it is a small portion of folks who are allowed to use the internet to vote and those are military and overseas voters. most of them have to be in harm's way but it's a very small
9:49 am
segment of the population. in terms of expanding the out in custody more of a discussion that we need to get into when we have things about these incidents that have been occurring in the last year or so. so we need to look at best practices and see how we can expand that out. what our agencies doing that is what would on a voluntary voting system guidelines which haven't been updated since 2007. the 2007 was basically the iphone came out. so technology has changed and so policies have changed as well. at the point we should be looking at ways to make it more convenient and more efficient for folks to use the technologies to vote, but also make sure those votes are secure and counted accurate as well. >> internet voting is just one piece of the puzzle as people talk about this, electronic michelin seemed -- electronic voting machines. i'm wondering if it's on the guy for thinking about heading into
9:50 am
next month? >> we think about all of that and we've been thinking about that for years on end, but it's something that's going to change overnight. i'm hoping that this conversation doesn't end on november 9, that we continue it on a genuine favorite on. so that we can look towards the 2018 election, 2020 election to make it more convenient, make it more secure our elections right now are the most secretive ever been but we can do better. so we must. >> rich, i can think about this election issue i'm wondering if looking toward november 8 there's anything on you like a particular when it comes to threats? >> with regard to threats. i never cease to be amazed. i kind of, i'm never surprised when i start to see these sorts of things. i just think continue to think creatively around how might the adversary can continue to meet their objectives, short of the
9:51 am
crystal ball it's very hard to say what we might see, but there's precedent. i think leaking of some of the audio communications that we saw recently might be indicative of some things that closely matches some activity we saw occur in the ukraine during the election. submitted we just have to kind of look at precedent. want to do we see around some of the ukraine elections, might they be operating from a similar playbook? i can't say for sure, but maybe that's a good river to look at and think creatively as to what we might expect to see. >> michael, would you think about the threats facing d.c. institutions in particular come everything from party committees to campaign transition operation, think tanks, at what is being probed all the time. what would you suggest that
9:52 am
people who have not been ahead of the curve on this begin to do now? how would you introduce them to this problem? >> i think they been introduced by reading the papers and see what's going on. the big change is this broad doxing. the idea that people looking at your things and learning about you, this intelligence collection as one kind of threat but now people are saying that their personal e-mails and communications and papers are being posted to embarrass them. i think anybody here would like, would be proud of everything in the e-mail inbox posted on the internet. et cetera for companies to a threat for people. and the education is in investing for her i think for the political parties and campaigns know, republican or democratic, there are two time periods. there's next month before the election in terms of cyber preparedness, readiness,
9:53 am
response. and then the really important election in thinking about what to do because all these vocal opposition what to put all their resources into winning races. and promoting candidates in building the party. so traditionally this has been like an analog where and and about has a light on for $4 million for cyber. it hasn't been the case. it needs to be the case now. so there's thinking about financing. how we're going to find the money to spend on this on a dedicated basis, and then think about longer-term plans. that's not just about keeping the boat afloat now, but to continue the metaphor, don't be a stronger ship. the one point i wanted to become a because you want ask about from the safety of elections is, my sense is that, is that the election system, the voting system on election day is raising safe from cyber attack because the 8000 or so dishes we have are not interconnected your
9:54 am
they all run different system. some are purely paper, so or not. they are backed up and so it, my sense is or isn't a made one of the other panels will want to comment, it isn't a voting virus or the voting malware to go out or an attack on the nation's voting system, like we are very safe in that way because of the diversification and heterogeneous nature of all of the different districts, none of them are connected to the other. >> what i think i would see as our system is decentralized, and so with a decentralized system you would need an army of folks to basically try to get into the systems. they certify voting systems your every system that we certify, none of them are connected to the internet. so there will not be any sort of in an attack into our internet incidents into voting machines
9:55 am
themselves. >> michael, just one of question. when it comes to individuals looking out their own cyber hygiene and e-mail practices, is there anything that you advise people as all go about our days and see things in the news that we might not want to be hacked court do you think there's a culture change going on as we approach this technology? >> there's a culture change and a couple of simple things that is what you do. and that's turned on two-factor authentication you into an your social media accounts. two-factor authentication means you need to way to log. when i use my personal e-mail i put in my e-mail address, password advocate text message with a good and are prompted to put in the code. so two-factor makes a huge difference. the bad people use your social media and your personal accounts at your personal accounts at all certain progression to create spear phishing attacks but these are really targeted e-mails that look authentic to try to choose to click on the link or open an
9:56 am
attachment. these oh so sophisticated that the sinister with a really simple piece of human injury which is to get you click on something. think more about your privacy in a social setting and facebook has a one click solution that, in privacy this one things to click in all your future posts anything get done in the past friends only. so when you're going to meet someone we look somewhat up, but these who this person is about, some people on facebook or satellite there's a person and the bathing suit, drinking beer, with the kids. people who don't have that awareness and you can take of that with the click. lastly there are peer-to-peer encrypted apps like facetime audio and signal and other apps that allow you to have fairly guaranteed private communications. so those are three quick tips. >> i would ask the same thank you. the coulter on health is their
9:57 am
attentiveness to the idea that you being probed all the time. do you have two-factor authentication as part of the system? >> look at the house of representatives and the system that we have. it's like any other organization. there needs to be training. it's to the point its cultural and geneva everyone within the organization aware of the it bee it just takes on clicking on a malware in an e-mail to a phishing attack. that could undermine the entire system. i would say we are very vigilant. with training programs and i think we do go i think we set an example what we do internally for that. i would say yes for sure. >> thomas, jeh johnson briefly talked about the idea of making our election system account has critical infrastructure officials the could you explain about what that would mean anybody agree with you i'd? >> i can't really speak to what dhs wants to do but i can talk about the fact that states are looking for resources to help
9:58 am
make sure that the systems are secure. and so if dhs wants to offer those resources, i think that's a great idea. >> additionally we pass legislation through the congress back in 2014 that last you basically says that dhs can provide a voluntary upon request assistance to critical infrastructure but also to state and locals for various tools. it's all optional, voluntary and there's a suite of tools that are available in a passionate asked about the a to b. those tools or private sector but the bottom line is i think states, localities need to invest in these technologies and ensure they are secure. decades of those that dhs have a no more than half have now signed up for this voluntary assistance, and congressman fudge so you got past that of our committee back last year the past the house of representatives in the summer,
9:59 am
ending in the senate that basically even further clarifies that the role of dhs and providing pathology assistance to states when the requested, and so about clarifying the lump we think will make a big difference, ensuring that obsolete not that we want to federalize the election system and that is, it would be unconstitutional, the constitution reserves the rights of states to administer the elections but we do think that providing tools and capabilities would be a good thing if it makes sense for those localities. >> could you give us a quick forecast of a lame duck? what you expect to happen? i will say we're working on some piece of legislation right now. one would organize the department of homeland security for more effectively carry out its cyber mission. we passed several bills through the congress back in 14 as i said.
10:00 am
getting dhs the authorities, this bill we're trying to move through our committee moved back in june and we are working out to get to the house floor that we are basically restructure, streamline, organize the can more effectively carry out the authorities we just gave. ..
