
tv   Key Capitol Hill Hearings  CSPAN  October 7, 2016 2:00am-4:01am EDT

2:00 am
give carte blanche to people in the workplace to stop an individual from performing her regular job duties. and as representative speier said, there is no such thing as an on-line/offline life; in this life we are on line a lot of the time. so that argument is quite frankly one that comes from privilege, or those who have not experienced that are much more likely to be worried about first amendment problems, but those who have experienced the total shutdown are much more willing to say we don't have a first amendment right. >> i will open to the whole panel of where you draw the line with the first amendment, that seems to be
2:01 am
the biggest hurdle to moving forward to recognize the problem. . . been nd a half hours.
[inaudible conversations] >> good morning. good morning. i realize people are still coming in so please don't be shy. there are still seats. thank you all for being here today. i am the vice president of communications and events here at the "washington post". thank you to those of you watching this on line. this is our sixth annual cybersecurity summit and it couldn't come at a more interesting time. this summer the democratic national committee was hacked, likely by a foreign government. just last week yahoo! announced that breach affecting hundreds of millions of people. just yesterday an nsa contractor
2:46 am
was arrested for stealing -- so the question is what's next? this morning you will hear from government officials, security experts and industry leaders talking about the top cybersecurity issues facing us today, and we want to hear from you, including those of you watching us on line. please tweet your questions to hashtag wpcyber. we will be taking those questions throughout the program. i'd like to introduce john davis, vice president and chief security officer of palo alto networks, presenting sponsor of the program. he's going to say a few words. [applause] >> good morning everyone. it's an honor to be a sponsor for this event today. i'm really excited about the agenda and looking forward to hearing all the distinguished speakers. i joined palo alto networks about a year ago after a 35 year
2:47 am
career in the u.s. military. most of that career was in special ops doing some really cool things, but the last 10 years was in cyber operations, cyber strategy and cyber policy, and i can tell you the u.s. military really takes cyber seriously and it became a mission for us. i say that because at palo alto networks, just like in the u.s. military, we have a mission: protecting our way of life in the digital age. it's very important to us and very important because the digital environment is the underpinning for everything we do as a society, as an economy and as a national security. i would like to quote another general, a famous one, much more famous than me, and i will paraphrase. he said know your enemy and know yourself and in a hundred battles you'll never lose, or something to that effect. what do we know about the enemy?
2:48 am
the modern cyber threat. we know that there is a professional marketplace of information sharing these days, and we know the decreasing cost of computing power and the use of automation and cloud capabilities means an ever-increasing number of cyber attacks coming at us. with the explosion of polymorphic malicious code we know the attacks can happen in the thousands and millions in terms of every day, every hour and sometimes even every minute. there is some good news about the threat. i can tell you from being on the inside there are only a certain number of limited techniques that every cyber actor in every cyber organization uses. there are only 2000, and every cyber threat in every cyber organization uses a set series
2:49 am
of steps called the cyber threat lifecycle or, if you would like, the attack kill chain. these steps provide an opportunity. in terms of knowing yourself, what do we know about ourselves in terms of cyber defenders and the cyber community in general? i believe we have been living in a failed model, where, as we say, the attacker may have to be right once and the defender has to be right everywhere and all the time. we just talked about the attacker leveraging automation and decreasing costs of computing power that comes at us in ever-increasing ways, while the defender uses a series of isolated point products that simply add complexity to the environment, and the defense's use of technology is mostly oriented from a legacy view of detection and response instead of prevention.
2:50 am
the adversary uses a marketplace of information sharing very effectively. we have trouble with cyber threat information sharing on the defense side. what does a good model of ourselves look like? i think there is no silver bullet. it has to be comprehensive and it has to include people, processes and technology. one of the keys on the people side is education and training. that's the workforce that deals with i.t. and ot as well as the general population, and let's not forget leadership. today is about that. it's about education. on the process side i think one of the most important processes we need to improve on is cyber threat information sharing. we need to do it at scale and at speed, and that means automation and standardization. finally, in technology we need to move from a legacy view of always standing at the crime scene and responding after the fact to a prevention first mindset.
2:51 am
we need to be able to leverage automation in the ways that the threat is using it in order to keep up with and exceed the threats. we need to get out of a manual response that is largely based on having to hire more and more people to deal with this and move to an automated capability that lets us save our people for only what people can do. those are the keys to success in moving to a successful view of ourselves as cybersecurity specialists. i really look forward to today and the conversations coming up. i hope that you enjoy today and once again it's an honor for me to be here and to sponsor this event. thank you. thank you, and i will turn it over to chris. [applause] >> thank you so much john and thank you to palo alto networks and their supporting sponsor raytheon. there are still people coming in and
2:52 am
there are still chairs so we will get a seat for everybody. i'd like to introduce robert o'harrow. he is going to lead our conversation today. thank you. >> good morning everybody. hopefully everybody has some coffee. i am robert o'harrow, i'm a reporter here at the post and for years, on and off, i've written about technology, the rise of the internet and some years ago about cybersecurity. interestingly enough the issue of cybersecurity was very, very urgent in the early 2000s and it's only become more and more important, literally i would say by the week. we all have heard about massive
2:53 am
attacks and varied attacks that have exposed information, that have led to theft and created national security vulnerabilities and left us all a little more uneasy. today we have some people that are on the frontlines of trying to fight that on behalf of their clients and by extension on behalf of all of us, to make the cyber world a little safer for all the social engagement that we have and all the business that we rely on and, once again, for national security. the head of trust and security is responsible for ensuring security for the company and the service. the chief executive and founder of a consulting company in the d.c. area that works with industry and government on cybersecurity issues. she is a veteran of the telecommunications industry, which is fundamental to cyberspace.
2:54 am
and the chief marketing and product officer of a company that provides cybersecurity services for social media channels. i think we will start with a little bit of the news. we can almost cherry-pick the bits of news. it was announced this week that yahoo! was scanning the e-mail of users at the request of the nsa. the company said they were abiding by the law. what are the margins here? to what extent should companies comply with the law even if they have philosophical and internal ethical differences with those requests? >> i am not going to comment specifically on the yahoo! case. i don't have enough details to have an opinion of whether it was right or wrong, but on the philosophical issues i think companies do have the responsibility to abide by the law, but they also have the -- fundamental responsibility to the trustworthiness of their service, providing service to their
2:55 am
customers, so to the extent that they are compelled to do something like that, it has to be balanced with a certain degree of transparency to the industry as well. >> in this case it was a request from the nsa. how do you notify customers and protect this vague notion and very important notion called privacy? >> i think it's a balance. the first thing you do is figure out what is the law that applies and the legal due process. if that's the case you have to comply. the next step is how will you react to your customers, and it's a balance. you want to do right by your customers. sometimes it helps the customer if you don't notify them right away. if you take the time to look at the intruder in your network and watch them, sometimes you figure out if it's a big issue or not
2:56 am
before you notify them. the first thing is to figure out what law applies. in terms of breach notifications there are different laws in every state. 50 plus bills in congress over the session talking about how that should be structured. should it be harmonized across the states, and do companies know what to do? that's the question that congress is debating. >> right. do corporations have any civic role in pushing back on government requests for data, to either embrace or encourage the change or reform in the type of laws that give government access to information? >> this is a situation where we can leverage public-private strategies that have occurred in the past in terms of business working with the government to set up standards to meet everyone's needs. i don't think we want a world where the government creates new rules or a world where business gets to do whatever they want to
2:57 am
do, having established privacy and norms. we look at industries like financial services, for instance. there are rules and regulations about how the banks operate and how they deal with financial information and so on and so forth. how can we get those kinds of relationships potentially developed between individual businesses and the government to get to a level of understanding and cooperation? >> let's stick with the news here for a moment. we all know that there are a whole variety of cyber events that occur. there are the zero day attacks where the bad guys use heretofore unknown vulnerabilities in code. there are social engineering attacks, which we will come back to in a little bit. we all, i believe, know that the social engineering attack, which is as simple as you can get, poses an enduring and profound threat to our security systems. but i want to talk about a
2:58 am
threat that doesn't get a lot of attention, which is the insider threat. we know that the insider hack, as you say, we know that the nsa, it was reported this week, arrested another contractor who either took or was trying to take some really powerful code that the government was using to hack into systems abroad. i would like to hear your thoughts, and maybe you could start this time, about the nature and gravity of the insider hack and how corporations and other institutions can prevent them? >> from the perspective of looking at the insider threat, it's how has social become the source of data leakage? so you have the inadvertent leakage, which is someone will share confidential information. i will give a perfect example. someone stands in front of an
2:59 am
instagram picture and behind them on a whiteboard is financial information, so that's inadvertent sharing of information, and then you have the intentional. to what degree should the company monitor activity and computer association on an internal basis? am i communicating with bad actors in the social realm, and should i be allowed to, or should the person be responsible for that or not? >> companies have a total right to monitor their own networks because they are the ones that are responsible and in charge. companies are allowed to do that. let's accept that for a moment for the sake of the discussion. when does that kind of surveillance inside a company, and now more broadly,
3:00 am
the government has a right to go to yahoo! and look at e-mails. i don't think anybody here would disagree with that kind of surveillance to improve cybersecurity, but when does it become a risk, and how do we strike a balance between security and the emotional well-being of people who don't want to be spied on all the time? >> i think anyone who looks at the insider threat realizes there's a lot of data from which to draw, and data that's not necessarily sensitive on its face. a company for example has data on when you show up and when you leave. the sites that you go to generally when you get to the office. h.r. might be aware that you have issues at home or you are bullying an employee. if you take all of those factors together and look at them holistically, it paints a good picture of when you could do something. >> that sounds like something i would see in counterintelligence.
3:01 am
>> corporations have access to that data that isn't necessarily sensitive. >> do we have a choice not to take those steps? the human element here in cybersecurity is pretty important, is important, isn't it? >> it's very important, but i don't think we have struck a balance between the capabilities of technology and what we can do and the policy behind it. i believe right now the capabilities exceed the policy discussion and the assumption that was made around an employer's right to monitor people. people have different legal frameworks around policy. >> we talked earlier about social engineering. would you describe the difference between social engineering and what is prevailing as the attack of choice? >> at dropbox we have half a
3:02 am
billion users around the world and we see a lot of the attacks that have happened, and the vast majority are very unsophisticated. they are associated with attacking individuals and getting passwords and leveraging passwords to compromise accounts to get access to data. this doesn't involve very sophisticated attack tools. it's lots of automation and organized individuals working on it. the sophistication of the threat actor is high but the technical sophistication is relatively low. >> you used a term some of the people will recognize, but quickly, what is password reuse? >> that's currently the number one risk that consumers face. there's a tendency to use the same password on many different sites, and what happens is, like the weakest link, if one of those passwords is compromised and the password is stolen, they are tested against many other sites to see what can the bad guy get into now. this is sophistication of the t.
3:03 am
>> you are saying if i use live long and prosper as a password that's not very secure. >> not at all. >> we have been advocating for two-factor authentication. the white house has an initiative to drive higher enrollment, and when we look at the data there's a challenge with consumers. >> give me an example of that. some of them are lagging behind but it's very important stuff. >> two-factor authentication very simply is, on top of your password, there is something else that they need to get into your account, and that could be responding to a message, or could be an app on your phone with a code that you use every minute, or could be a hardware device that you have to have, and those options are made available on these sites but they are not, they don't have a high degree of visibility. they are not always turned on by users. at dropbox we offer three different apps that we see 1% of
3:04 am
our users on. >> what about social engineering? >> we are the social media security company; our mission is to protect and safeguard our customers, be they enterprises or employees, on social networks. when we look at what has happened with social engineering, our research team spent a couple of months and at black hat showed how offensive tools can be used, with a technology called snap_r. snap_r can profile the user, learns from your tweet stream, engages with you and can get you to click on links. we have done testing in a number of organizations. >> you just said a key thing. what is a malicious link? >> a malicious link would be a link to download ransomware or malware, a link to capture your
3:05 am
credentials, like a fake credit card site or logging into a fake bank where they get your id and password. >> you say when i am procrastinating or cruising through twitter and clicking things i could expose myself to a virus? >> exactly. think about it: you have learned in e-mail you shouldn't click on links from people you don't know. what we found on social is that people think it's safe so they click the link. the human conditioning of socialization, that maybe i shouldn't click on bad links, hasn't carried over, and the bad guys know that. and so what we have learned is that social media attacks are typically six times more effective than e-mail attacks at getting behind a firewall or stealing information. >> what do you tell your clients? >> first of all, as a lawyer, i want to make sure the expectation of privacy is there at the outset. as an employee, what are your
3:06 am
expectations? make it clear that every device they use poses a very interesting angle. what is the expectation of privacy for that? i say lock it in at the beginning so there's no question, and employ some tools that are there, the tools like these that go find out on social media what people are doing or prevent them from doing things before they hit your network. two-factor authentication is key. educating the employees about that. i agree the white house campaign has been fantastic. some people aren't aware of that. go look it up. it can tell consumers what services they are using that offer two-factor authentication, and employees if you are in a corporate context. >> it sounds like there's a theme emerging here, which is that to stay ahead of the threat it's not just a technical response.
3:07 am
it's an education. we are learning how to behave properly with good digital hygiene. that sounds so boring compared to the sophisticated cyber world. how important is this and what about the technical solutions? >> it's incredibly important, and the challenge has been that we have billions of individuals that are on line right now, and the education that i've seen recently affected the corporations, but when you look at the broad consumer space, getting individuals to change behaviors has been very difficult. i'm not quite sure whether that's the long-term answer. i think much more research has to be done, especially on the part of large technology companies, on how we can realize that humans are going to be an element of failure and how we can help them. how can we compensate for those weaknesses and make detection and
3:08 am
response better? as an example, we build sophisticated systems that detect fraudulent login activity, and when somebody comes in with a stolen password around 85% of the time we have enough signal there to identify that it's a bad guy and we can block it actively. i think a large tech company has the power and the research abilities to do that type of work to protect users when they have not done their part in protecting themselves. >> terrific. >> what we are finding when it comes to the corporate enterprise and the agency side of the house is education is as important as the technology behind it, and simple socialization strategies, where most of these organizations are probably already promoting good hygiene on e-mail: simply amend that with good hygiene on social. there's a simple step where you can say, just like you don't click on bad links in e-mail, don't click on them on social, and educate them on two-factor
3:09 am
authentication on everything, including your social network and not just your agency technology, and tactics like that, the same things you learned before. >> let's go away from the grassroots of the users and the behavior up to the top of corporations for a moment. it's been my impression, going back a long way, that corporations will sometimes make short-term decisions that are profitable that create a hellish cyber vulnerability, and i'm thinking about credit card companies issuing instant credit cards at point-of-sale retail outlets, which helped spur the blossoming of the identity theft issue. when should corporations be held accountable for cyber threats that they create for their own bottom line that in fact, because the world is so interconnected, create threats for the rest of us, and how do we
3:10 am
address that? >> i would say they should be held accountable if they haven't taken the right precautions, and that could mean any number of things for any number of companies. it's going to be dependent upon the type of customers, the level of threats, the type of infrastructure they have. they are not looking at cyber security as a risk issue. >> you are advocating deeper government regulation of companies that use technology. >> no, i am not doing that at all. i think the securities and exchange commission took one of the most influential steps when it published a couple of different guidelines reminding companies that they had to include cybersecurity breaches and issues in statements for disclosure. >> what about privacy? >> that's a trickier question. >> we also don't have the insight into their activities because by law they don't have to tell us what they do. >> and then it becomes a business case. is it a risk to reputation or a commercial property threat?
3:11 am
is it that the consumer and you are not protecting their data? what is the risk, and react accordingly. >> not to be -- here, but i visualize a giant map and it's all companies and users in the world, and based on what you just described there are huge black holes and black information in this giant interconnected world, and those giant black holes represent unknown security threats because of the behavior and the corporate use. how, when we all around the world rely profoundly on cyberspace for everything, and this is not trivial, our social interaction and our national security and our power grid and our credit grids, how do we fill in those black holes? >> the question is how black are those holes, and i think in the consumer space versus the enterprise space there are some
3:12 am
differences, but obviously when a company is selling to other companies they generally go through certifications around their security and their processes. they do testing. as a consumer, one of the interesting indicators that is a great test for the maturity of a company you want to do business with is do they submit themselves to open hacking and do they compensate hackers? if you find a vulnerability in their products they will pay, which is amazing. it gives hackers orientation in a positive direction to make money and help solve issues, but it's also a great indicator that the organization that puts that out there feels comfortable and they want to learn more. they have a culture that is trying to identify new holes in the system to protect themselves and their users. >> you talked on the black holes and the map. >> what's interesting in all my years of technology is we will invent something new every five to 10 years and create a new set
3:13 am
of potential black holes. the social media of today could not have happened 15 years ago. i think it continues to be this notion of mixed public-private, and in trying to coordinate a process, organizations, i think most businesses, are meanwhile finding more ways to partner and finding more ways to work together to make sure we are covering things. how come we don't have one bad guy database? there are interesting places where the federal agencies are now trying to encourage sharing across organizations, encourage sharing of tactics that the bad guys are using in the adversarial space. >> is the best in the world unto itself or -- a panel later will be getting to the policies of information sharing between government processes and found a
3:14 am
long-term piece of the answer. we have some questions from twitter and one of them is very interesting. can you offer advice to bring along actors who are still interested in protecting their turf? maybe each of you can take a shot at that. >> the white house issued a few executive orders that are helpful for this. they created the nist cybersecurity framework that provides a laundry list of standards and a framework for assessment. companies of all sizes can use this framework and it will help them assess what is my level of risk and what should i do in response? it's self-policing. it definitely creates an awareness of what standards and processes are available for the level of business you have. >> my advice would be to focus on the problem we articulated earlier, which is your own
3:15 am
password as a consumer. use a password management tool like 1password. there are lots of them out there that make it easy. most of your problems are solved as a consumer. >> we're talking about the things that people put into e-mails. what does that have to do with cybersecurity, and should people be careful about what they put out about themselves on social and in their e-mails? >> we were talking earlier about one of the rules, which is putting something on the front page of the "washington post." that's reality, and i talked about the instagram inadvertent posting. it happens a lot more than you would think. people don't tend to think about it, so you are on a trip in hawaii and you are posting like crazy, and someone surveilling your property knows you are in hawaii, so now's a good time to rob your house.
3:16 am
you might be in a social world where you want your friends to know how much fun you are having in that part of the world, but you don't even think about sharing that level of information. there's an interesting human condition where we have this sharing economy and community, especially around social networks. what is the appropriate level of sharing of that information, and who do i want to be able to see that? i also use the privacy policy to restrict my social posts so only my friends can see them and not the rest of the world. >> what a fascinating audience, a fascinating panel with very interesting ideas. thank you very much for joining us. >> thank you. [applause]
3:17 am
[inaudible conversations] >> hi everyone. welcome to the post. happy to have everyone here this morning. i am a national enterprise reporter and former cyber reporter, also in cyber still, and happy to be on the stage with this panel and talk about what i call leaks and hacks, the vulnerabilities of d.c. institutions to our cyber adversaries. a lot of people here in town are thinking about that. i also want to say hi to our viewers at home and hope that folks in silicon valley are -- early. let's introduce our panel.
3:18 am
to my left is michael sussman, a member of the cybersecurity and privacy board. lots going on there. brett dewitt is staff director of the cybersecurity, infrastructure protection and security technologies subcommittee for the u.s. house homeland security committee. then michelle di gruttolo, commissioner of the election assistance commission, and finally rich barger. i actually want to start with rich and talk a little bit about the motive of our cyberadversaries. my theory is russia and china are constantly probing, if not gaining access to, institutions around d.c., and it's not really an overstatement to say that they are interested in the intelligence value of information that they find. can you talk a little bit about that? >> with regard to the
3:19 am
intelligence value, it really depends on what motive, what operation, what effects they are trying to deliver. you might look at some of the traditional chinese espionage we have seen that has gone after a variety of companies and businesses as well as organizations such as opm, that they could use to leverage that information for a variety of purposes: to bolster the economy, get to market quicker with certain technology, or perhaps buttress counterintelligence activities where they wanted to look for various targets for recruitment or operators within their borders. with regard to what we have seen recently with some of the russian attacks, you know we are still kind of looking at this activity and trying to assess what their motives might be, but it certainly looks very
3:20 am
aggressive in terms of trying to shape the narrative around, just a question mark over our system, and in the case of the hacks, american exceptionalism and the social media, the fact of whether or not our medals are really due to our athletes or not, so there can be a variety of different motives in what these types of groups are trying to do and trying to effect for their own national -- some of the things we have been kicking around the office is, for every story that runs and every conversation in and around the election, what is the thing we are not talking about? we are not talking about syria, we're not talking about what's going on in ukraine. there are broader issues in what russia is doing in the rest of the world while we are hyperfocused on ourselves, and particularly what we are seeing delivered here, that this is a
3:21 am
convenient distraction to keep us locked up in a very interesting time and a very polarized event. >> i would follow up on that by asking, do you think that there is special attention being paid to the democratic party given hillary clinton's run for president? do you think it's possible that adversaries are as tuned in as we think they might be to the goings-on of our election, and are they interested in one party and the outcome that way? >> i think that ultimately what is at hand is that they're seeking leverage, and i would not necessarily seek that leverage at one party alone. i would make sure i covered my bases depending on how this resolves. so i would be very surprised if this wouldn't affect both
3:22 am
parties, and perhaps might be a new normal. we see campaigns targeted going back as far as 2008. the president has indicated his campaign was targeted. might we want to consider this in the next election cycle? and just really start to focus that this may be a new way of life. >> i have two more questions. do you think that our cyberadversaries are prolific in that way? do you think they pay special attention to the dnc for the potential of clinton losing? >> we really don't know what they are doing. i think that we are in the middle of a book. someone's going to write a book about the events now. we really don't know the political theater to find out
3:23 am
who is doing what. we know that it's russian state sponsored, and we know the groups that are doing it are sophisticated and in fact this is their day job. when we were looking at activity we saw the most activity began at 9:00 a.m. until 5:00 p.m. moscow time, and there were people, when we talked to the victims in the political parties, who would say, unlike a company, where a state actor would say let's find a company, the doors are locked really tight and we'll move on to somebody else, for these organizations it's someone's day job to get into this organization and they are not going to go away. they are going to be persistent, so they are persistent in what they are doing. it's a guessing game as to why they are doing what they're doing. >> do you think we will see more e-mails or documents out of the dnc hack? do you think that's possible? >> it's a broad campaign to hack
3:24 am
party and campaign systems, personal e-mail accounts of people, and collected all. we don't know what we will see and the interesting thing is that when we see documents we don't know who they are very often. initially when it goes up or documents were posted, the big question is this is yours and is that your sense not layer. the document may have been created by one troop in -- group. some of the documents have been altered and some have been found to have malware on them. the campaign and the parties are really, really busy trying to elect candidates so it has become a side job but it's not a full-time job and there isn't a lot of effort being put into looking at every document that's been stolen and posted in the graph whose it was and is it authentic or isn't it?
3:25 am
>> brat but stirred to you. your boss michael mccaul said that the rnc was hacked and then walked that back. i'm wondering whether you are aware of specific g.o.p. operatives who have been hacked and whether your boss was telling us the true story? >> i would say the point chairman mccaul was trying to make when he was on "cnn" was the point that both political parties have been hacked, and trying to make the point that this is bigger than that and you have to look at the motives and times of what these hackers are doing and look at the psychological warfare to undermine the integrity and competence of the entire electoral service -- system including republican and democrat. those are the motives that we have been briefed on, and the point chairman mccaul was trying to make is both parties are being hacked.
3:26 am
we cannot allow nationstates to target either political party and there needs to be strong consequences when those actions take place whatever the actor is. so that is the point that my boss is trying to make. >> do you think republicans are equally vulnerable? >> absolutely. like i said there has been reporting that republicans and operatives have also been hacked with their e-mails and campaign related issues. both parties have been and i think looking at the political organizations i think we all need to be vigilant that this is real, this is the way of the future and we need to be vigilant. it's a warning that all political parties and all state, local and federal need to be aware that this is the new world we have to live in and we need to be prepared for that. we need to be looking towards november 8.
3:27 am
there's a lot we need to do to ensure that we are prepared for that. >> thomas let's go to you. for younger viewers and predict where the question of on line voting pops up at this time in the election cycle and many of the people watching will understand why that's a bad idea. i'm hoping you can walk us through a think of that idea. >> thank you for having me here today. one of the things i know a lot of folks probably don't know about the election assistance commission, it's a small agency that deals with elections. in terms of internet voting there is a small portion of folks who are around to use the internet to vote and those are military and overseas voters. most of them have to be in harm's way but it's a very small segment of the population. in terms of expanding that out it has to be more of a discussion that we need to get into when we think about
3:28 am
these incidents that have been occurring in the last year or so. we need to look at best practices and see how we can expand that out. what our agency is doing now is we are working on our voluntary voting guidelines which haven't been updated since 2007. 2007 was basically when the iphone came out. technology has changed so at that point we should be looking at ways to make it more convenient and more efficient for people to use their technologies to vote but also to make sure those votes are secure and counted accurately as well. >> internet voting is one piece of the puzzle and people talk about electronic voting machines if they have access to the internet can be vulnerable on their own. i'm wondering if that's something you are thinking about headed into next month. >> we think about all of that and we have been talking about that for years on end but it's not something that's going to change overnight so i'm hoping
3:29 am
that this conversation doesn't end on november 9, that we continue on in january and adoree and on so we can look towards the 2018 election and 2020 election to make it more convenient and more secure. our elections right now are the most secure they have ever been, but we can do better so we must. >> rich, again thinking about this election issue, i'm wondering if looking towards november if there's anything in particular what comes in tax? >> when it comes to threats i never cease to be amazed. i'm never surprised when i see these sorts of things. i just think we need to speak creatively about how might the adversary continue to meet their objective. short of a crystal ball it's very hard to say what we might see but there is
3:30 am
precedent for the leaks. leaking of some of the indications we saw recently might be indicative of some things that closely match activity we saw occur in the your current -- ukraine during their election so we have to look at the precedent and the way we see some of the ukrainian elections. might they be operating from a similar playbook? i can't say for sure but maybe that's a good rubric to look at and think creatively as to what we might expect to see. >> michael, when you think about the threats in the d.c. institutions in particular, everything from up party commissioners and think tanks, everyone is being probed all the time. what would you suggest that people who haven't been ahead of the curve on this should do now? how would you introduce them to the problem?
3:31 am
>> the big change is this broad doxxing thing. the idea that people are learning about you through intelligence collection is one kind of threat. now people are seeing their personal e-mails and communications and papers being posted to embarrass them and i don't think anybody would be proud of everything in their e-mail inbox posted on the internet. so it's a threat for companies and it's a threat for people and the education is investing. i think for the political parties and campaigns now, republican and democratic, there are two commentaries. there is next month before the election, in terms of cyber readiness and response, and then really important is thinking about what to do. all of these political organizations want to put all
3:32 am
their resources into promoting candidates. traditionally this hasn't been like an equipment analog where the annual budgetary line item for $4 million for cyber. it hasn't been the case. there is thinking about financing and how we will find the money to spend on this and thinking about longer-term plans. it's not just about keeping the boat afloat now but, to continue the metaphor, building a stronger ship. the one point i want to make for the question i want to ask about the security of elections is my understanding is that the elections and voter systems on election day are reasonably safe from cyber attack because the 8000 or so districts we have are not interconnected. they all run different systems. some are purely paper and some are back sell. my understanding
3:33 am
is there isn't a voting virus or a malware that's going to go out or an attack on the nation's voting system. we are very safe in a way because of the diversification and heterogeneous nature of all the different districts, none of whom are connected to the other. >> one of the things i would say is our system is decentralized so with the system you would need an army of folks to basically try to get into the systems. we certify voting equipment and 47 out of 50 states use our certification program in one way or another. every system we certify, none of them are connected to the internet so there will not be any sort of internet hack into the voting machines themselves. >> michael just one other question. when it comes to individuals looking at their own cyber hygiene and e-mail passes --
3:34 am
passwords is there anything -- do you think there's a culture change going on as we approached us to knowledge a? >> there's a culture change and there are a couple of simple things that everyone should do, everyone in this room and everyone they know: turn on two-factor authentication. two-factor authentication means you have to waste a lot and the one i use my personal e-mail i put in my e-mail address and my password and i get a code and a prompt to put in the code. two-factor makes a huge difference. the bad people use your social media and your personal accounts to create spear phishing attacks. these are targeted e-mails that look authentic to try to get you to click on a link or an attachment and these are so sophisticated that most of them start with a very simple piece of human engineering which gets you to click on something.
3:35 am
it's more about your privacy in a certain setting and facebook has a one click solution. there is one thing you can click to make all future posts and everything from the past friends only. when you have a colleague look someone up, some people on facebook have a person in a bathing suit, a person drinking a beer and a person with their kids. lastly there are peer-to-peer encrypted apps like facetime audio and signal and other apps that allow you to have guaranteed private communications. those are three quick tips. >> the culture on the hill is the idea that you are being probed all the time. you have two-factor authentication as part of your system?
3:36 am
>> if you look at the systems we have, like any other organization they are training. you need to have everyone in the organization aware because it takes just clicking on a malware e-mail and a phishing attack that can undermine the entire system. i would say we have training programs and i think we do set an example of what we do internally for that. >> jeh johnson recently talked about making our election system count as critical infrastructure officially. can you explain about what that would mean and whether you agree with the idea? >> i can't speak to what dhs wants to do but i can talk about the fact that states are looking for resources to make sure their systems are secure. if dhs wants to offer those resources i think that's a great idea.
3:37 am
>> additionally we passed legislation through congress back in 2014 that basically says that dhs can provide voluntary and upon request assistance to critical infrastructure but also to state and locals for various tools. it's all optional, voluntary. there's a suite of tools available. it could be those tools or could be private-sector tools but the bottom line is i think states and localities need to invest in technologies and make sure that they are secure. the capabilities that dhs has, more than half have signed up for voluntary assistance. in the congress we have legislation that passed out of our committee last year, that passed the house of representatives in december, pending in the senate, that basically further clarifies the role of dhs and this voluntary
3:38 am
assistance to states when they request it. it's about clarifying the law and i think it will make a big difference in showing that absolutely not do we want to federalize the election system in the united states. that would be unconstitutional. the constitution observes the rights of states to observe elections but we do think providing tools and capabilities would be a good thing if it makes sense for those localities. >> on that topic could you give us a quick forecast of the lame-duck and what you expect to happen there? [laughter] >> we are working on several pieces of legislation right now. one would rear up and i said department of homeland security to more effectively carry out its cyber mission. we passed several bills through the congress. the big one is for cybersecurity act giving dhs the authority. we are trying to move here in our committee, moved it back in june, and we are now to get it to the house that would restructure
3:39 am
and streamline and organize the ability to carry out those authorities that we just gave. that's a big one we are trying to get through. there are a lot of other committees involved so we are doing the best we can to hopefully get this done by the end of the year. it's definitely a top priority for chairman michael mccaul mike bost. one is the state and local cyber protection act which clarifies and loss in the 50 states and strengthening the local crime-fighting act that would provide tools to state and local law enforcement, judges to go after cyber criminals so we think these assistance tools will go a long way. those are pending in the senate so we are trying to shake them loose over there. these are the bills we are trying to get not just in the lame-duck. we will see if we can though.
3:40 am
>> we have gotten a couple questions from twitter. i might go to you, rich, on this one. something is that the cyber espionage as well as hack discussion seems to suggest that the u.s. and americans are -- victims. >> i think everybody, large countries and even emerging economies, are seeing the power of cyber and how the world has adopted it and how they work, but i'm play. the internet permeates every area of life. how you go after those national objectives within that perspective domain. some countries might seek to alter their economy. others might seek to go after terrorists. others might seek to undermine an election. it really just depends on probably their perspective to who is a good guy and a bad guy and the motives behind leveraging that domain to enable
3:41 am
that perspective nation. >> the next question sounds a little bit like a plot for an action film. we talk about international attacks but is there a chance domestically to see hacks between parties? michael, any comment on that one? >> i think and hope that everyone is working on the support of their candidates winning the election and so to make it possible for there to be another water like -- watergate type break-in? we will leave that to good fiction reading. >> absolutely.
3:42 am
>> we are not going to sit idle either late by to go after information. we do not want to use the kinds of tools that we have. we do not want to engage in a different kind of warfare. but we will defend the citizens of this country. the russians need to understand that. i was so shocked when donald publicly invited putin to hack into americans. >> as far as cyber, i agree with parts of what secretary clinton said. we should be better than anybody else and perhaps we are not. i don't think anybody knows it was russia, she is saying russia, russia, russia. it could be or could be china, it could be lots of other people. it can be somebody sitting on their bed that weighs 400 pounds, okay.
3:43 am
>> if we could go down the panel, i would be curious what questions you think presidential candidates should be able to answer about cyber in this day and age. what do voters need to know to evaluate the candidates? >> they need to take it seriously. they need to understand how serious it is and understand the seriousness of the consequences. one of the most difficult things about considering retaliations is considering the consequences of that retaliation. keeping in mind, and i hope that both candidates are aware of this, our economy, our internet economy and internet lives are very fragile. so, going to cyber war with a country like russia or a smaller,
3:44 am
sophisticated country could result in grave consequences to our economy and our critical infrastructure. it is a difficult thing. something that has not been something a large scale concept that we have not waged it before. there is a lot of thinking going into what the next steps will be. >> what about you? >> i would say look at the last several years. we have worked in the congress on a bipartisan basis to get important foundational cyber security legislation through. going back to the five bills we passed in 2014, the big bill we passed, the cyber security act, are bipartisan efforts to address a threat in national security and economic security issue. i think going into the next administration it is important that we realize this is the number one that we have heard from. this is now the number one
3:45 am
threat we are facing as a nation. i think looking to the next administration and investment into cyber security. there is a lot that needs to be done. we need to beef up and make stronger our cyber defense strategy. we need to do more to show our adversaries there will be consequences when cyber attacks take place. i think i would answer the question. >> i would answer twofold, one, one of the best ways, is my microphone not working? can you hear me now? how about now? >> speaking, speaking, speaking. no? well, i will try to speak loudly. two of the best things that can be done is on the front lines is basically to have additional workers. having additional workers so they can see what is actually,
3:46 am
the best way to see the administration of elections is from the inside. becoming a poll worker allows you to do that. that is what i would say. the other thing i would add is both president bush and president obama added billions and billions of dollars for the administration. so i would hope that whoever becomes president looks at elections not just in terms of november coming up, but as we go on. elections happen every two years. states and locals are at their wits' end in terms of funding for schools, roads, military and so forth. we all know those things are important. but our democracy is also important. we need to make sure we have that investment into it. >> do you want to close us out here? >> sure, i would just go analog here. it seems like we have had some issues. i think all our next leader
3:47 am
and/or any new world leader is going to see and understand how important the internet really is to everything from our economies to elections, it is really a new domain that we have a lot of power. i think it needs to be respected and understood. it is certainly complex and so those who seek to wield it there needs to be norms that are established. there needs to be greater understanding around what the possibility is. it's certainly an interesting time to see the effects the internet holds, not only here in the states but maybe the world at large. >> great. help me thank our panel. [applause]
3:48 am
>> there is actually a long history of the russians trying to interfere with and influence elections going back to the 60s and the heyday of the cold war. there have been several documented cases of previous elections that would appear that they were trying to somehow influence the election. of course there is a history
3:49 am
there, there is a tradition in russia of interfering with elections. their own, and others. so it should not come as a big shock to people. i think it is more dramatic maybe because now they have the cyber tools that they can bring to bear in the same effort. it is still going on, but i will say it is probably not real clear whether there is influence in terms of outcome, but what i worry about more frankly is just sowing seeds of doubt, where doubt is cast on the whole process. >> okay i am tim berg the national technology reporter at the national post. we are here to talk about cyber war.
3:50 am
this is a reminder to tweet your questions and comments using the hashtag wp cyber. i will not roam the audience like phil donahue to get your question, but appear if you'd like. immediately to my left, or maybe right if you're watching on tv, is one, he is the cochair and founder of -- he worked under george w. bush. richard is the chief strategist, he was a director with general electric and started his cyber security career as an officer in the air force. on the far side is frank, our associate vice president at george washington university where he directs a center for cyber and homeland security. let me start with the general issue that i wrestle with all the time. what do we mean when we talk about cyber warfare? i think we know what hacks are. a lot of what we read about in
3:51 am
the press and some of what i write about is espionage. what is cyber warfare? let's start with frank. >> thank you. i'm glad you asked that question because a lot of the coverage of cyber security today reminds me a bit of kids' soccer. everybody's chasing the ball. we need to recognize not all hacks are the same, their intentions vary, their capabilities vary. if you were to stack the threat environment you have nationstates at the very top of the list. those at the top of that list is a country integrating computer network attack and exploit into the war fighting strategy and doctrine. obviously you have foreign terrorist organizations, criminal organizations and hacks. not all are the same, it is very different. countries that are marshaling and organizing cyber capabilities are the very top of the list.
3:52 am
from a u.s. national security perspective russia and china are at the very tops of that list, in terms of capability. a lot of what we have seen is computer network exploit, or espionage in cyber space. but they have been done intelligence in the data field and into their war fighting strategy in crimea and as russia did in georgia. but those would be at the very top. you have other countries that may lack the capability of russia and china but unfortunately what they lack in ability they make up for with intent. this is where you put north korea, iran, more likely to turn to a disruptive or destructive cyber attack. so they have fewer constraints in terms of those capabilities. not all hacks are the same, not all nationstates are the same, not all capabilities are the same. and ultimately it hinges around intent. if you can exploit you can
3:53 am
attack, the line is very thin and it's hinging upon the intent of the perpetrator. >> and do things need to break for it to be cyber warfare in your mind? my answer to that question is that cyber warfare is what you call your book or documentary if you want people to pay attention to it, that or -- either call it cyber war and it will get someone's attention. my definition of cyber war is the imposition of will using a digital means. now, there are two schools of thought. one is that in my phd advisor who wrote a book called cyber war will not take place. the reason he called the book that is that he believed that war equals violence. if you don't have violence you don't have war. he believes that cyber cannot be used to impose violence, therefore cyber war will not take place. so that's a school of thought. another is it is much more expansive and this is where the russians and chinese think about it. they believe that war is not
3:54 am
just violence, it can be any means by which you are trying to get your way. in fact they tend to come from a tradition, especially the chinese say you're better off not fighting and achieving your way. so i tend to take the position that if you're imposing your will using a digital means, that could be war. to take it further, we may be in a situation in 5-15 years where this thing we call cyber is so integrated into every aspect of life, even more so than a that it makes no sense to talk about a cyber war. because an f-35, is that a cyber weapon, an f-22 could be considered a cyber weapon. one of the benefits it has is to network with other fighters to get a better picture of the battlefield. >> and if iran for example used
3:55 am
cyber tools to attack a big u.s. bank for example, is that an act of war? >> that's a great question. i'm a bit more forgiving for the five girls soccer problem because i think we are in uncharted territory because you have a blend of actors, state and nonstate, both in attempting to acquire data as well as disrupt and even destroy systems. you have a change of concept of what warfare even means. so the very notion of russian hybrid warfare combined with cyber capabilities becomes interesting. we don't have doctrines that define what the clear lines are. so as we think of it we do not think of these tools as true cyber warfare tools until there is an element of destruction. something that is demonstrable. that's part of the reason why we have not had much awareness around the issues as we see nationstates and non-states engage in cyber espionage.
3:56 am
to answer your question specifically, one of the challenges is the fact that we do have nationstates already attacking private actors. you have had iranian entities, syrian entities attacking western banks as part of a denial of service set of attacks, not destructive but certainly intended to send a message. you've had north korea attack south korean banks as well as sony. you have had other state actors like russia attack systems, government and nongovernment. but what you have is an open field in the cyber domain where actors are feeling out the bounds of what is permissible. one challenge in the space is how do we define the boundaries of what is acceptable or not. how do we respond. that puts great stress on things like how do we attribute attacks and prove them? how do we respond in a proportional way without unleashing other forces or other
3:57 am
warfare. that is part of the reason why you have not seen officials wanting to be too open about russian hacks despite what was said. it raises fundamental questions about what is the end game. that is not well-defined. >> can i pick up on a couple of quick points. so, all forms of conflict today and tomorrow, almost 100% unanimously will have a cyber dimension or component. to pick up on some of the points my colleagues raised, cyber is its own domain but those that are integrating computer network attack tools into the other domains, air, land, sea, space, that is where cyber is its own entity but it enhances the lethality of other weapons in different domains. it enhances the ability to seize
3:58 am
territory. it's important to recognize that the battlefield today has been extended to incorporate all of society and companies are on the front line. that's what makes us different. targets are not merely government on government targets or the like. at the financial services sector, the swift hack to me is an incident that rises above. not because the central bank of bangladesh lost $82,000,000 and we could've known it could've been $900 million. it's a bad day for the banking customers, but the global economy could absorb it. but what it did recognize is a systemic risk. the entire financial service sector is dependent upon swift. it was a hack through swift that we're talking billions of dollars of transactions are being settled daily. these are the different targets in the ukrainian hack that was a big deal.
3:59 am
the ukrainian grid hack, not because of 250,000 people losing power for a couple of days but the line was crossed where a cyber weapon had an effect that took down power. >> so to sum it up if there is a kinetic physical effect that is clearly cyber war. sounds like cyber war is going to be part of any shooting war, certainly the united states we get into in the foreseeable future. if we are actually at war with someone we are going to be sending bits and bytes to them. i wanted to pick up on your attribution, this is what you think about a lot when we hear sometimes on the record sometimes not that so-and-so attacked so-and-so. yahoo when it had its data breach said it was a state-sponsored actor. it's hard for us as journalists to find out if it's true. it's also hard for the experts to find out if it's true. and
4:00 am
this creates enormous problems. in the old kind of war they shot at us and we shot back at them. that sort of makes and fits into a strategic moral framework that makes sense to all of us. i guess i would ask, let me start with you richard, are we ever going to know who is shooting us well enough that we feel comfortable shooting back, i'm not talking about private companies but at nationstate level. >> absolutely. we know all of the time. >> how do you know? >> our 2013 mandiant report, there were indictments levied based on that. so there are certain levels of a community that they would not even believe if there were a camera on a person typing at a keyboard hacking into an american bank, they would say that this effect that the cia created as a plot. >> after they landed on the moon. >> because they didn't land on the moon apparently. >> l's