establishing clear and acceptable practices in cyberspace is critical. so what are we doing to address this and let's set an initial framework. ich not sure how familiar you all are with penetration tests in hacking. let me just give you a real quick understanding of that. first, how many of you are familiar with back track? one. that's good. two. okay. that will make this, please don't correct me. actually, there's a great book out there on the basics of hacking and penetration testing. and the reason i bring this up is because we're looking at this. i'm actually reading this book when you look at me here's an

army officer who has learned to read and actually reading a book. there are pictures in it, but -- the reason this is important is i think we have to understand the issue of what's coming at us. we have to understand that issue to train our people. we in the defense department in the intelligence community have to know what we're training our people towards and how we share those. if you think about this, we should have a way of discussing that with industry because we're going to ask them to do many of the things that we're doing today. if you look at this book, what the book does is it refers you to a program called back track. a back track is a penetration testing tool kit delight. it's great. it really is. you can get back track and download it off the internet

free. the friesz is great. you can get it free. you can get a virtual machine capability. you can download that. and you can upload two systems. your system and the system you want to do penetration testing on all in your own computer. to train yourself and others on how to test your system to see if it's secure. because this is what people are doing to our systems today. and what the book teaches you is how do do reconnaissance. if you think about 2.3 billion systems out there it's not like hugh jackman drinking champagne typing on the computer and launching these cubes into morph and i'm there. it's actually much -- i'm just kidding. it's much different. it is much more difficult than

that. so this book walks you through it and these cases how do do reconnaissance. how once you find a system to scan that system and determine the vulnerabilities. for example, one of the folks in our office uses this to test his system at home to see if he's got vulnerabilities that others could be exploiting and to patch those. just like you would do if you have macafee or symantec capabilities on your home system. why do i bring this up? my time line is and i'm not the elite computer operator that we have in our young folks today, but i was able to upload this. able to take one of my virtual machines against the other and over a ten minute period break into this other machine. download files. upload a key logger system and essentially take control of it and do with that machine anything that i wanted to do.

now it says what are the training requirements that we have to defend against that? how do we help explain that to the american people. if we can't explain that to the american people how do they know what we're talking about is true? my concern is what happens we throw out these words without having any context for them. that context is civil liberties and privacy. that context is you're going to break the machines. you're doing something illegal. the reality is we can do the protection of civil liberties in privacy and cyber security as a nation. not only we can, but i believe that's something that we must do. and so this cyber legislation that's coming up is going to be absolutely vital to the future

of our country. so what are we doing within d.o.d. on this? we've set up five key areas. i want to talk a little bit about these. what's it take from the defense department perspective i'm going to the kous on the defense department initially and then we can use that as an analogy to look at what you have to do for the country. so the first thing is building a defensive architecture. we've talked about that within dod. when you -- when we talk ant building a defensive architecture there are some things that we can and i think must do. one of those in my opinion is going to the cloud. a thin virtual i. >> infrastructure that is much more defensible than we have today. many of you know that the cloud's not perfectly secure either. we know that the system that

we're on today is not secure. 15 thousand enclaves. system administrate tarrors that can patch those at their frequency. which means if humans are involved and hence there's a vulnerability is almost one. we should reduce that by going to a thin virtual cloud what we can do is have the computer update those patches and mitigate those vulnerability at network speed. that's a huge step from where we are today and something we should take on right away. we need to build a train and ready cyber force with the right capacity. so one of the things the reasons i'm reading that book is knowing what the national security agency does and what cyber command does and what our services are doing, what are the future standards that we have to

have for our military and civilians to defend this country in cyberspace. how do we know we're training them right. the answer is lay that program out get the right people. we have over 100 universities doing cyber security realitied stuff. take the best of that and put it on the table and that's how we've got to educate our future force. we need to do that and we need to build them and we're taking that on. situational awareness. how do you see cyberspace? think about that. if we asked -- if you got a group of folks together and say draw me a picture of cyberspace, and what's that mean? show me what you're talking about. you're saying you've got this different type of vulnerability. what's that mean? how do you see that? how does your system defend against that. how do you know?

how do we share information between government departments? how do we share information between the government and industry? how do we do that in such a way that the american people know that we're protecting their civil liberties and privacy. and this is a great case in point. when mcafee and others look at the different types of malware that are potentially getting in your system they have a number of ways of doing it. they're not reading your email per se to see that. they're looking at the stream of data that's coming in look for signatures or ports or different types of activity. and if they see that activity, they alert off of it. jump forward to our cyber legislation. one of the things that we have to have then is if the critical

infrastructure community is being attacked by something, we need them to tell us at network speed. it doesn't require the government to read their mail. or your mail to do that. it requires them through the internet service provider or that company to tell us that that type of event is going on at this time. it has to be at network if you're going to stop it. it's like a missile coming into the united states. if you think about a missile coming into the united states, there's two things you could do. we could take the snail mail approach and say i saw a missile going overhead. looked like it's headed your way. put the let ner the mail and say how'd that turn out? now, cyber is at the speed of light. i'm just saying we perhaps ought to go a little faster. probably don't want to use snail

mail. maybe we can do this in realtime. and come up with a construct that you and the american people know that we're not looking at civil liberties and privacy. we're actually trying to figure out when the nation is under attack and what we need to do about it. the nice part about cyber erg we do in cyber you can audit. with 100% reliability. seems to me that there's a great approach there. so more situational awareness we need to be able to see what's going on. when i say see, i don't mean that the government has to be in the networks to see. i mean how do you see what's going on and like the police force, like the fire department. they don't sit around every building waiting for a fire to come off. you call them when there's a fire. they come down, they help put it out. in cyberspace i see very much the same thing in our

partnership with industry as an approach. another part. transforming the way the government works especially within dod. what's our command and control. some of the stuff that we're working on is how do we work with the other combat and commands. how do we work with the department of homeland security. how do we work with the fbi. what's the command and control relationships and how do we set those relationships up? first and foremost in my opinion it takes a team. no one agency or department can do this by themselves. we have to have a command and control that leverages the best of what each of us can do. the fbi has some tremendous capabilities in this area. we out to leverage those. dhs the public face for our cyber with private industry and state and other governments. we provide them technical support.

we ought to do that. if the nation is attacked and finding out foreign intelligence and providing that, that's our -- that's the most important one. obtaining the authorities policies, rules for how we're going to operate. we're working through that. you can see this in cyber legislation. you can see in on actions in the defense department and the intel community are doing as we move forward. so there's a lot going on in these areas. i'd like to give you a few thoughts on cyber legislation and then open it up for questions. i don't want to take all the time and i know there's maybe one question out there. first we talked about information sharing.

if we know there are vulnerabilities out there we have to have a way of sharing those vulnerabilities with the private sector or whoever's going to defend the critical infrastructure so that they know what the threat looks like. and we need to be told that when that threat hits that part of industry what's going on so we can help stop it if it's our responsibility to do so. so i think we have to get the information sharing and i think there is a lot on the information sharing going out there. the key thing in information sharing that gets i think misunderstood is when we talk about information sharing we're not talking about taking our personal emails and giving those to the government. as a consequence, i believe where we can all help is by

educating our people on what does it mean to share information and to tell the government when we have a problem so that we can respond to it? i think that's a straight forward thing and we need to do that. if we don't, my concern is what will happen is we'll argue about this. we'll never get to a solution until something bad happens. and then when something bad happens, we're going to jump way over here where we don't want to be. so while we have the time, the patience and the understanding, let's get this right. let's do it right. the second part, and i'm going to quote the sands institute here. they've got a great website. free. no. i'm not on their payroll. i don't know if ef they have a payroll. i might find out later. they have the top 20 things that you ought to fix yo you're an industry. what are the top 20 things that

you would fix on your network if you -- and those are kind of rules of the road. we talk about those rules of the road when we think about they're going to go fix those right now. think ant this like driving. you know, to -- if we had no rules of the road for driving, you could drive on the left side, drive down the right side of the highway. might be some problems, collision. after a while we'd say shouldn't we set up rules of the road, like drive on the right side. yeah, that's going to stop a lot of collisions. so we start the right side. we got it right. the brits we've got to work with them. so this is going to be an international problem. you can see that right off the bat. but you could set up standards what are those standards that we need now to protect our system? we're going to have to set up

some, but how we're going to protect and ensure those systems are secure? because those are the problems that we're going to face many the future. and so i think there's two things that we need. we need the information sharing from my perspective we need to think about that in terms of that situational awareness that we talked about. can we get it in time at network speed. the tipping queue. we do this and protect civil liberties and privacy. and to what are the set of standards that we need out there for operating in cyberspace. so a couple things. as we look at what's going on in this area, it is the greatest growth in our nation. it's tremendous what's going on. tremendous opportunities. for our country and tremendous vulnerabilities. we're seeing that other countries are using this space. that the conflict is growing,

the probability for crisis is mounting. while we have the time we should think about and enact those things that we need to ensure our security in this area. do it now before a crisis so we don't have to jump to the after crisis. so but don't have me hauled down there explaining why it happened and why edidn't stop it. i prefer not to do that. those things are just not fun. i do think that's coming our way. you can see the statisticicly the number of attacks are growing. you can see that they're growing from disruptive to destructive. and that our country has the bulk of the most of this network. it is the part that started it. and it has a consequence i think we're the most vulnerable and we need to do something about it. and now's the time to do that. so with this, sir, open it up

for questions. [ applause ] >> i'm going to pass on the ability to ask questions. there's so many of you that want to ask. state your name, state your affiliation and make it a question not a long speech and we'll try to get in as many as we can. wait for the microphone. someone will bring it. look for somebody over here. >> i write for the epic types. my question is you please talk about the cyber threat that

china poses to the united states. >> yes. did you want a longer answer? well i think if you just look at the networks, the hardest part in an unclassed environment is to go into the details of your question. you look at it statisticicly the united states and china and secretary clinton pointed out we have the two biggest numbers of computers and related devices. from my perspective there's two issues that we have with that. one, it's the greatest probability then that those devices are going to be used for disruptive, destructive and other forms. so we both have to get together and figure out a way forward. and i believe as has been quoted in many things the theft of intellectual property is astounding. we've got to figure out how to stop that.

my perspective part of that is by having a viable defense. and that defense is something that we can put together and that's where the cyber legislation i think comes in. i can't go into the details of the threat in an unclassified venue. venue a keep my job. >> we'll go over there and then to the middle. >> hi. sydney friberg, aol defense. stucksnet and offensive in general get a lot of attention. you've discussed our vulnerability. the united states is in a position of, a lot of people say, a rock thrower in the city full of class houses and we have the biggest glass house. offensive is a very two-edged sword. you know, what vulnerabilities or bad precedence do we create

for ourselves when we work on the cyber side? >> a great question. try to address it without sidestepping or moonwalking. i suspect the latter would be better. i think the issues we face in cyber space, different than the physical world. if you just think about the two. in cyber space, this is an area where we have to look at, and i think other countries are looking at, what are the alternatives? what are the means of potentially getting other countries to do something that they may or may not want to do? in the physical domain that would have been a war. the secretary talked about a world w world war as an example. what are things you can do short of a war and what should we do that are dep make, informational

and the consequence, i believe, my experience has been, people weigh those considerations very deliberately, and i think as a consequence what they do and the policies that they come up with, use all of that. i can't go into anymore details than that general statement, in general. >> tony with bloomberg news. to what extent has al qaeda or any non-state actors aconfide taconfide -- acquired expertise to move in -- are they close a at all? what are some of the ingredients or tools that have to work for becoming a viable threat in that realm?

i don't personally believe they're a viable threat in that realm right now. now, let me qualify that. the reason i think that book is so important to get to and it's worth a quick scan is, when you look at that, you say, wow, this is pretty easy to actually conduct some of these exploits. the ability to get on a machine and exploit it, if it's that easy, we look at the bar of entrance into our networks. the d.o.d. networks where we have this really tough thing. now critical infrastructure and others, you say, hmm, they're all different. when you look at the capabilities that are out there publicly to do this, those could be available to anybody that has access to the web, and who is semiliterate. from my perspective, that means that the gap, because of the internet itself, is decreased. you look at some of those, and you say, hmm. you give somebody who has a

computer science background, maybe even just at the bachelor's level, they could probably conduct this. so i am concerned that while i don't see it today, that they could very quickly get to that. they and others. that does concern me. >> back there. >> hi. -- i'm an automated person, automated digital network that control the internet before in my -- what i've seen in recent times is -- >> please say your name. >> hugh grindstein. and what i've seen in recent times in going to a lot of

cybersecurity events recently is that there doesn't seem to be an urgency to this legislation, that there's a lot of people talking about it, but nothing's being done. in the meantime, putin is now president of russia again and he's not sitting by and letting cyber attacks go by, and china, of course, doesn't need guidance. they just -- so when are we going to get serious about it, and does the president have to have a cyber summit where he gets all the, the congress together and say, look, pass this bill? >> well, there's so many things i could say. i'm trying not to get in trouble. i think this time of year politically very difficult to move things through congress, but my experience in working with both sides, both the

republicans and the democrats, see this is a key issue. and the key problem that i see is, how do we help articulate what's in that legislation. i'm getting a lot of calls from both sides, and from my perspective, they do want to push this. i do think it's hard, because there are some fundamental disagreements. and i think resolving those and helping people understand those disagreements and getting to the right middle ground if you will, is a step in the right direction. we may not get everything that i would personally want, but i think we're headed -- and i think the legislation and the different forms of it, generally speaking, they have the key issues and they understand those. and as the secretary pointed out, we've had a chance to talk to a lot of member, both in an unclassify and classified setting. they take this very seriously. there's no doubt in the my mind, but it's also a difficult piece of legislation, because there are different views, and you see those in the different versions

of the bills that are out there. what we're trying to do is, one, what i can do is help educate people on what it means. we can help educate everyone on the civil liberties and privacy, and i think we need to do that. i think we need to address that head-on and show the american people that we can do both. and i think we do a good job in protecting those civil liberties and privseies. priveies. information sharing, we've got to get that settled. i think the hard part is the what do you mean by setting standards and how do you do that and how do you get that right? because that is a tough part, because industry and everybody's got some thoughts on that. and that's going to be the part that i think we're going to have to work our way through. i see a need for that, and that's why i pointed to the sands institute no those 20 and

i think it's worth looking at. so what's the right starting point? did that make sense? >> katherine, news channel. thanks for taking my question. the utah data center ruled the data of american citizens. >> no. part one. while i can't go into all the details at the utah data center, we don't hold data on u.s. citizens. you know, i think one of the things, from my perspective that is grossly misreported that everybody says, you're going to grab all the e-mails and system them down, all the u.s. e-mails and put them down in some place in the united states. one, we don't do that. two, if you think about it, just the volume of u.s. e-mails. think statistically. just for one minute. we're talking about, you know, probably 30 trillion e-mails a year or more.

anybody read 30 trillion -- think about how that is. let me go back to the mission that nsa does. foreign intelligence. with a focus on counterterrorism. that's our mission, is to protect this country from things like 9/11. look at what happened in world war ii. as you mentioned it. enigma. red and purple. that's what nsa does. you know, it has been the greatest privilege and honor of my career to work for the people there at nsa. they take protecting your civil liberties and privacy as the most important thing that they do, and securing this nation. and so when people just show out they're going to have all this stuff at utah