tv Politics Public Policy Today CSPAN December 5, 2014 3:00pm-5:01pm EST
3:00 pm
lindbergh baby where huh photographs running around with those. that's not what we are talking about. in the day and age where everybody has a phone and a camera, i'm not suggesting that everybody sit there and record it on their. >> i do not hear you saying that you agree with what i'm purporting that the court cameras are the only cameras in the courtroom and the judge controls them. do you not agree? >> i have a problem with that. >> okay. what do we do about -- my time is running out, but what do we do about the situation that once the digital recordings are released. what is going to happen when the public gets ahold of it and the comedians get ahold of it. what's going to happen when someone who has the ability and it's easy today, take that
3:01 pm
video and alter it and put it out on youtube. >> obviously we have no control of any of that. but to suggest that that's a problem, if there is value in the public having the right to record the proceedings and having access to that's one of the risks. no matter what we do and how far we try to think this ahead there will be an issue. >> i agree with my friend that it's the sanctity that we have to cherish and i hate to see it be ridiculed. with that i would very much love
3:02 pm
3:03 pm
government past september 11th. they are set to consider the house passed authorization bill and another that would extend past the house breaks. they will return to session on monday. live coverage on the c-span networks. tomorrow on washington journal, we will look at the november jobs report. then a look at the use of executive orders and president obama's recent use of the authority with princeton university professor. also a look at food labeling and the debate over genetically modified foods. washington journal airs every morning at 7:00 eastern on c-span.
3:04 pm
we partnered with time-warner cable. >> as we began to receive them to be digitized and saved, we began turning it over. gospel music was not widely heard in the white community. it would only be the hits, if that. the b side would be heard even less. what we discovered quickly was how many of the b side songs were directly related to the civil rights movement. we didn't know the sheer numbers like there ain't no segregation in heaven. you can get killed for a lot of things, but singing that song out loud, that's a risk.
3:05 pm
>> the texas ranger hall of fame for the 175th anniversary and honors at this point 30 rangers who made major contributions or gave their lives under heroic s. they begin with austin. he was successful with his rangers. they not only managed to make the area reasonably safe but when the rangers gained their role, they staved off the mexican army long enough to allow them to become texas for a year
3:06 pm
years. >> sunday afternoon at 2:00 on american history on c-span 3. with the senate on c-span 3, we complement that by showing you the most relevant hearings. on weekends, c-span 3 is the home to american history tv with programs that tell the nation's story. the civil war's 150th anniversary visiting battlefields and key events. touring museums and to discover what they reveal about america's past. the best known history writers with the commanders in chief. lectures in history with top college professors. real america with archival government from the 30s through the 70s. c-span 3, created by the cable
3:07 pm
industry and funded by your local cable and satellite provider. watch us in hd and like us on facebook and follow us on twitter. coming up, we will show you a portion of the justice department's symposium on cyber crime. we will look at technology and it's 30 minutes. >> i am the dean of georgetown law. it's a privilege to welcome you to the program. cyber crime 2020 the future of crime and investigations.
3:08 pm
i'm delighted that they have westerned for the conference. the criminal division's mission is to serve the public interest through the enforcement of criminal statutes through a vigorous, fair, and effective manner. that resonates through focus and justice. it pleases me to look out and see so many alumni. the experts on the panels that you will be hearing include many who dedicated much of their career to public service. we are thankful for them to be here and dedication to public service. today's conference assembled the nation's leaders including experts from government and private law firms and businesses from the executive to the judiciary from academia, think tanks and ngos. it's a remarkable lineup. these experts today will focus both on criminal acts that
3:09 pm
utilize the internet and the way the government makes use in investigating all sorts of criminal behavior. you will hear where cyber technology is taking us and the new ways in which it's likely to be exploited in the future. you will hear what they can and should be doing to address threats while working to balance privacy and civil liberties and how techniques may be shaped with the jurisprudence. what may be needed to address the challenges ahead. it's an important and wide ranging topic and everyone will learn something today. i am pleased to see home stay tuneds taking a break to be here
3:10 pm
in order to learn from the panelists. to begin, i would like to introduce the assistant deputy at the department of justice. he was confirmed on may 15th of this year and oversees nearly 600 attorneys who prosecute federal criminal cases across the country. she helps develop criminal law and formulate policy and works closely with the nation's 93 u.s. attorneys in the investigation and prosecution of criminal matters in their districts. the assistant attorney general dedicated most of her career to handling federal cases. both as a prosecutor and defense counsel. she served in the task force for should which she received the award for exceptional service.
3:11 pm
prior to that in the u.s. district attorney's office. her positions included trial counsel for the fraud section and chief of the criminal enterprises section. she is the recipient of the attorney general's john marshall award and the award for fraud prevention. prior to joining the criminal division, she was partner at the law firm where she was cochair of the investigations and white collar practice group. general caldwell received her degree in economics from penn state university and jd from george washington university law center. join me in welcoming the assistant attorney general and thank you for your public service. i am looking forward to her comments as we kick off the
3:12 pm
conference. >> good morning and welcome to the criminal division's symposium on cyber crime. before we start i would like to thank georgetown for hosting the conference. it's much better than if we had it at the doj where the food is not as good. thank you for traveling from all over the country and in some cases all over the world to contribute their expertise on these important issues that we will be discussing today. we assembled an impressive array from academia, law enforcement and the private sector and privacy groups and all three branches of government. we look forward to hearing and the perspectives that all those will bring. a special welcome from the key
3:13 pm
note speaker to be with us today. he is the director of the cyber crime center. headquartered at the hague. the u.s. attorney's offices and federal investigators and private companies executed some of the most elaborate operations ever completed in the cyber crime arena. troels has been instrumental to the success and i wanted to make sure i expressed my personal gratitude for your help. it's really become clear to me in my six months at the criminal division in the area in particular robust cooperation with law enforcement and the private sector is the future. the necessary future of cyber crime investigation. i anticipate that the department of justice and ec 3 will be allies for many years to come.
3:14 pm
as dean treanor said, it is focused on the future of technology and online crimes. we will be crimes and change in evolution in a few minutes. i wanted to start with the internet and technology and how they there is crimes and more and more heavily influence the crimes of tomorrow. by now it's obvious to us that the internet and related technologies have completely changed the way we live, the way we work, the way we play. everyone in this room i would bet has some electronic device either on their desk or in their pocket or bag. a cell phone or a tablet or something connected to the internet right now. the vast majority of americans and people around the world made
3:15 pm
this technology a critical part of their everyday lives and that is not going to change. this bottom has obviously brought with it many opportunities for individuals, businesses, and others to increase innovation, productivity and entertainment. it's helping people connect locally and helping people connect globally through e-mail, social networking and other forms of communication. it helps to compete in an expanding and faster market. it gives a stream of information and unlike anything that preceded it. from big companies to tiny start ups. it's exciting and dizzying pace. unfortunately there is a flip side, a tool that is so vital to businesses and government has
3:16 pm
also become a tool for criminals. they are taking part in that advance in technology to carry out more and more complex and extensive schemes. according to data from the 2013 norton report, there will be more than 14000 additional victims of cyber crime by the time i have finished this speech in about 15 minutes. cyber crime is going to increase. by exploiting technology the most skilled cyber criminals will be capable of committing crimes on a scale never previously imagined. it will result in more and more lost data and risk to all of us who use the internet. we are seeing glimpses of this coming tide. last year just two cyber intrusions targeting the banking system inflicted $45 million
3:17 pm
worth of losses on the global system in a matter of hours. let me emphasize, that figure is not a speculative estimate. that is the sum total of money that criminals were able to withdraw by going to atm machines from banks around the world by hacking into the computers and withdrawing the limits on the atm machines. they withdrew the money from banks all over the world. getting 45 minutes in a matter of hours plotly dwarfed the most sophisticated made into movies heist that you can imagine. unlike the bank heists that involve complicated logistics and the high risk of getting caught, these masterminds of this crime never had to worry about getting caught and never had to leave their homes. our dependence is also ushering
3:18 pm
in a new era of online data breaches. i have heard a figure that there are more than 100,000 data breaches per day. that's quite shocking. our networks are processing more and more consumer data in an effort to make our purchases easier and faster and less time consuming. they are enterprising hackers all over the world and targeting them to dwarf anything we have seen before. i wish i could say we have the problem under control, but it gets worse before it gets better. individual breaches put at risk your financial information and the financial information of tens of millions of customers and consumers all over the world. this has an obvious and understandable threat on consumer confidence and has devastating consequences for the companies who are the subjects of the data breaches.
3:19 pm
>> we have also reached another that cause harm that is harder to quantify. rather than stealing money or valuable financial data these breaches have robbed people of privacy. some have been home innovators and using malware to tap into they can spy on the most deeply private and intimate moments. others have hacked into storage accounts and snatched personal photos and communications for money or used to extort someone or just thrills. so far 13 defendants have been convicted in connection with the crime and outstanding arrest
3:20 pm
warrants for several others. arrests and they are common for the criminals to be based elsewhere often in jurisdictions where we have no ability to get them or whether it's difficult or will be a matter of luck. as a result, we adjusted our tactics and we are engaging in larger international law enforcement operations with folks like troels to target criminals around the globe. we are using other laws like the authority to help us stop the harm up front to try to stop the malware or criminal activity as it's going on. a good example has been in the work. they are networks of computers that have been infected and
3:21 pm
controlled by criminals. some are millions of computers strong. once they are created, they can be used without their knowledge, including siphoning off financial data and emptying bank accounts and conducting disruptive cyber attacks and distributing the malware. one was called game over zeus from criminals of businesses and consumers and often small mom and pop type businesses. also for a scheme. ransomware is malware that affects a computer and encrypts your hard drive and demands payment to have access to your files. it infected hundreds of
3:22 pm
thousands of computers. it generated more than $27 million in ransom payments for the creators in the first two months after it was created. you can imagine how many were infected. through carefully choreographed coordination, we not only identified and attained a 14 count indictment from game over zeus a russian hacker and also obtained court orders to dismantle the network that he created and used to orchestrate his scheme. the justice department numerous partners and more than 11 countries as well as ec 3
3:23 pm
mounted operations and that's an important theme. what we do is court authorized. they get permission and we were able to wrest control and get it away from the criminals and disable it and start to have the damage it caused. his office worked with computer crime section to spearhead that action. in another operation and almost all these operations are international. these are websites that sell illegal goods and services on line and really a grab bag of
3:24 pm
things. there is a picture of the methamphetamine. it's quite sophisticated and it's a special network of computers on the internet that is designed to conceal the officials. stolen credit card information and firearms for the for hire schemes and we hope anyway. how to commit crime over the internet. using the legal process and treaty requests, the department and the fbi and the partners and ec 3 and they were associated
3:25 pm
with the websites as well as multiple servers hosting the websites. they are located all over the place. it's important to have your cooperation that we had. that was pivotal and as i said before, i think it's going to continue to be the key to success of operations of this type going forward. in addition undertaking the they better address the fronts. high tech is not new to this. we have been investigating computer crime since the computer crime property section was created in 1996. the department has really worked
3:26 pm
and expanded the computer. we worked to establish the chip network that stands for computer hacking and intellectual property. there are now over 270 prosecutors on that. it created a strong partnership between the u.s. attorney's office in addressing cyber crime. over the last couple of years it has been used as the model to create the national security cyber specialist network which is a partnership with the department of justice. as they increase, the area of cyber security is receiving the attention it deserves. i'm announcing that we are creating a new unit called the
3:27 pm
cyber security unit. it will have responsibility on behalf of the criminal division on a variety of ways to enhance public and private efforts. given the growing complexity and as well as the nature of the laws and tools that are needed to thwart the attacks, the cyber security unit will play an important role. prosecutors from the security unit will provide a central hub for advice and legal guidance regarding the law enforcement tool that is used to bring the criminals to justice. this is very important because this is something that is important to the department. while protecting the privacy of effort americans and people all over the world. the unit will work hand in hand with law enforcement and work with the private sector and congress. this new unit will drive to ensure that advancing cyber
3:28 pm
security legislation will need to change as the threat changes and we have already seen the legislation is blind it needs to be. you will hear more about that later today. this security unit will strive to ensure that that legislation is changed to most effectively protect our computer networks as well as protect individual victims from cyber security attacks. the private sector as you know proved to be an increasingly important partner in the efforts, but particularly in the cyber security issue. prosecutors from the cyber security unit will get engaged in significant outreach to the partners to facilitate relationships that will help us both going forward. one example of the kind of outreach we do, we heard concerns from communications service providers about uncertainty of whether the communications privacy act prohibits sharing certain threat
3:29 pm
information. that uncertainty was limiting the sharing of lawful sharing of information that really could better protect networks from cyber threats. in response, our division produced a white paper to publicly released the analysis in may. we hoped to opinion about emerging issues so we can keep roadblocks from occurring and thwart the cyber security attacks that we see happening all over the world. we will be engaging over the issues and we noticed we are not blind to these things. a growing public distrust about law enforcement surveillance and techniques. this can hamper our ability particularly in the cyber
3:30 pm
security area. this comes from the technical ability of tools and more significantly from misconceptions about the manner in which we use them. we will be hearing about those subjects. they play an important in clarifying for the public what is law enforcement's role in cyber security and what law enforcement can do and what tools we have. they have manuals that are online at the website that really are probably the most helpful and far reaching materials that you will see on the areas of topics like what are the laws governing seizing and searching computers and electronic surveillance and for those of you interested in seeing what the laws and tools are, i recommend that you go on to that website. and again it's cybercrime.gov.
3:31 pm
i would like to address one overarching misconception and that is the apparent and i think unfortunately growing view that privacy and civil liberties are afterthoughts in criminal investigations. nothing could be further from the truth. in fact, almost every decision we make during an investigation requires us to weigh the effect on privacy and civil liberties, we take those responsibilities very seriously. the concerns are not just tacked on or a box that gets checked during the investigations, they are baked into what we do and who we are. the concerns are at the core of the laws that set the ground rules for us to follow as criminal prosecutors. the department policies that govern our conduct have privacy concerns at their core. the accountability that we must
3:32 pm
and happily embrace when we bring a cyber crime case into a court of law and present the evidence to a judge or jury. privacy again is at the core of the values that we bring to all of these things. it is also at the core of the proud culture of the department of justice. not just in cyberspace, but the enforcement we do. we not only carefully consider the implications throughout the investigations, but dedicate resources to protecting the privacy of americans from hackers who steal our information financial information and credit card information, online predators who talk and exploit our children. cyber thieves who steal the secrets of innovative american companies. we recently announced the conviction of a danish system who installed a spyware application called stealthgenie. they could monitor calls texts videos and other communications
3:33 pm
on mobile phones without detection. this app was marketed to people who wanted to keep tabs on their partners or spouses who they thought were cheating on them. it was used as a stalking tool. similarly earlier this year, the attorney's office in the southern district of new york and the fbi announced charges against the owner of a site called black shades. we love these names like black shades. they sold something called the black shades remote access tool. they played a in the worldwide take down that resulted in the arrests of more than 90 people all over the world. the tool was used by hackers to gain access to the certainly computers to secretly steal their files and browse their personal photos and to monitor them through their web cams. this was one of the scariest invasions of privacy to date and one of the things they were doing is one hacker was using
3:34 pm
the tool to capture the photos of naked girls and a woman including miss teen usa and used those to extort the victims with threats that he would post them on the internet and also he would extort them into sending additional nude photos. those are two examples to prosecute people who would invade the privacy of unsuspecting citizens. we are thwarting attempts to invade privacy. we are hoping the efforts will help combat misconceptions that people have about american citizens and others. the outreach allows us to participate in the debate about technology and it would benefit about we we can contribute about how it is being used by
3:35 pm
criminals and how we are leveraging to investigate and disrupt activity and how technology can be leveraged in the public and private sectors to enhance the area of cyber security. misconceptions and inaccuracies can hamper efforts cyber security programs and the efforts to protect the privacy of all of you. georgetown and the department of justice have purposely designed the program to bring together diverse views and our aim is to make sure a range of views are presented at the symposium. there will be limits to what specific things we can say about the investigations that are ongoing. i appreciate that everyone will understand that. regardless, we are excited to add our voice and we are grateful to georgetown for everyone to support the effort.
3:36 pm
hopefully it will be the first of many conferences. thank you very much for coming. >> and more from the cyber crime symposium with how criminals can have the advances and the challenges faced by law enforcement. this is about an hour and 20 minutes. >> they asked me to keep the introductions short. if i had to list all the accomplishments, we would not get to the content. if i can ask the panelists to take their seats, i will stand up long enough to give you a brief overview of who is talking today and i will have a seat and let them carry the water from
3:37 pm
there. all the way to my left, we have the doctor who is a senior management scientist and also a distinguished visiting professor at the naval academy and adjunct professor at columbia university. he writes extensively on topics including most relevant for today. it's a publication called hacker's bazaar. to the doctor's right, we have andy who is the director of cyber security and public safety for verizon. he had a variety of roles including serving with the united states secret service and his company publishes one of the most widely respected reports on cyber crime with the data breach report. he has been working with experience in red teaming,
3:38 pm
penetration testing and software security. that all means he's a hacker. they named him one of the 15 most influential in security. we have rick howard who is the chief for palo alto networks. he had a variety of different jobs and he is currently providing oversight to palo alto's intelligence team. he served for 23 years in the united states army. including two years as the chief of the army's computer emergency response team. we will talk about the future of cyber crime. i want to start us out by talking about where we are today. so andy, why don't you start us out with what cyber crime looks
3:39 pm
like today? >> thanks for letting us spend the next hour with us today. it has been fun. hopefully we will have a nice discussion today. from my perspective, cyber crime is filled with a bunch of entrepreneurial-minded criminals in a global business that harness and leverage their resources in a collaborative manner for the mission sets depending on their goals whether it's political or not. it's a dynamic evolving environment that is growing and i think what gets overlooked in the space is that they are well-informed on the privacy landscape and the regulatory environments of which their businesses operate globally. i think that's important and they also pay close attention to what law enforcement does.
3:40 pm
they learn from the lessons that those that have fallen before them. as it evolves in growing and as technology is enabling us to interconnect and to enjoy the way we live and take advantage of the benefits in the space of the cyber crime that will evolve with that. i'm looking forward to see where we as a panel or a group feel like this will look like in the future. >> and marten, we have seen the biggest data breaches to date happening this year. we are seeing millions and tens of millions of customer records being taken. what possible use could cyber criminals be putting to all of the data they are taking? >> we know that the data that has been taken from places like target and home goods tackily target have been converted into cards and for which people actually withdrew money.
3:41 pm
actually in this case i can say i was a victim of one of those things. when i got a call from the bank noticing there were three grocery store purchases that were made on that behalf. fortunately the bank was good enough after about four or five interactions to take the money off the account. this was the way they had of converting the data into the transfer the goods. that typically has been a funneling issue in the world of cyber crime. in other words, in order to make money from stealing that information, you have to transfer information. you have to transfer money and then you have to somehow find a way of taking the money out of the banking system. it is the last two that criminals have become efficient. i think about 6 to 10 years ago
3:42 pm
there was a data breach at heartland payments system in which 150 million records were stolen. the harm to the payment system was an order of magnitude or maybe two because the numbers are not fully in to the harm to target corporation. i think that's testimony among other things to the increased efficiency to which criminals can take information and convert it to money. >> and how are cyber criminals doing? >> it's a right to incriminate yourself. don't worry. >> i know a good lawyer. >> i appreciate it. there is a variety of methods we are using and you are seeing a variety of levels of sophistication and how i think of a lot of the cyber methods of criminal, they are a diffuse way of looking for loopholes.
3:43 pm
so most commonly there is weak internet infrastructure allowing attackers to get in and harvest credit card members. one thing we have seen in the last five years is they have gotten more organized and determined. from my knowledge of the payment systems breach, they were systematically going through the largest retailers and the largest payment processors, investigating which point of sales and infrastructures they use and targeting them and using those that were considered tools of sophisticated testers and researchers. a wireless attack of weaknesses and wireless networks. this group was able to use that to breach the network of retailers and then compromise their internal systems and from looking at a variety of internal
3:44 pm
networks and things like that over my career a lot of us and a lot of defenses are hard on the outside, soft on the inside. once you are on the inside, you can bounce around a lot and we are still seeing this today and all of the breaches you read about in the news. >> so rick, how did we get here? >> that's a great question. i have been working on the project called cyber security canon project. it's a list of books that we think all practitioners should read so they know their craft. the three books that deal with cyber crime that i would like to point out is the first called fatal system error that covers from 1995 to 2007. the first use of distributed service attacks and extortion. the first successes from the british unit of arresting early hackers. the second one is spam nation.
3:45 pm
it's fantastic and you have real deep insight about the business operations of criminal organizations doing this. he is fantastic. you want to get the nuts and bolts of how they do their business. it's an intricate look at that. the hero that comes out of brian's book is microsoft and about them taking on the infrastructure and legally to take them off line. that's an interesting read. my favorite is kevin's kingpin. it covers from about 2006 to 2007. the hacker by the name of max butler. he has a fantastic story and it will make a great movie. his transition from white hat to black hat is really interesting. his claim to fame is that there were about four or five main underground forums where the bad guys were selling credit cards and he didn't like the way he was operating.
3:46 pm
the way he did it was a marathon session of hacking where they took down all of those websites with the criminals using. he took control of the data and put them on his own forum and put a banner across the four websites saying i am the kingpin. come o. that's awesome. if he was a good guy, we would be going up and high fiving everybody. his downfall was that he hooked one of the sites that was infiltrated. his famous story. the agent had moved up in the ranks of that underground forum and was the administrator of that website. he kept meticulous back ups and he was able to come out quickly because of the others and figured out who max butler was. that was a of the history of how we got here. >> i wanted to ask you a question about max. that's an interesting story.
3:47 pm
i was familiar with max vision, was his name at the time. the late 90s or 2000s. if i recall, he was -- he wrote a dns through the vulnerability and it would just attack a bunch of open systems that would have vulnerability and one of the things he did, he would fix them, but he left a backdoor for himself just in case. i think he went to jail for that. he went to jail for that and when he came out, he started the credit card hacking. >> that's right. they are just making a living wage. stealing the credit card information is relatively easy compared to converting that any
3:48 pm
money. in max's story, how they were doing it, they had a whole credit card set up system in california. they would steal information and put it on blank plastic and hire young ladies and give them credit cards. they would go to high end retail and sell it on ebay and make money. that was an 80 hour workweek. that's not an easy way to make a million dollars. >> we talked about the infrastructure and the top tier criminals helps prosecutors and coordinate the investigations with federal law enforcement. those were the top tier cyber criminals in the world that drive the economy. we highlighted a couple here. at the end of the day, max was in prison. every major data breach, there was street level component. somebody knows somebody and eventually to a hacker or a
3:49 pm
vendor of that data. one of the things with my time in law enforcement, especially during the 2008 breaches and heartland systems being one of them. when you put a face to cyber crime, it changes the perspective. companies and regulators and legislators didn't have a good understanding of what is cyber security and what is cyber crime? we hear about the victims and consumer impacts but we don't truly have a good understanding of who is behind it. the work that is being done today over the last few years has really increasingly become more successful. there impacts that are having. every major crime that we read about, we call a data breach, but every crime has a bad actor who lives somewhere and interacts with people. i think we focus heavily on the
3:50 pm
heck technology aspect of it and talk about cloud and mobility and big data and analytics. at the end of the day the things we do in security and the evolution of the cyber criminals, some of these guys, the ones we really care about at the top tier level that drive the economy are the ones that outlive the technology. they find a way to do their mission, to make money, whatever it is they want to do regardless of what is in place. and it's understanding the motivation behind those. i would argue some of the differences between the cyber criminals today at least domestically in the u.s. versus a max butler is that some of them had access to the structure that drives cyber crime. it's in other parts of the world as well, but we talk about financially-motivated attackers the driving of that
3:51 pm
infrastructure is well protected and coordinated and they move it where they need to based upon the landscape. so u.s. hackers having access to that, to be able to monetize the information they steal very quickly is becoming more and more limited due to the successes of law enforcement around the world. it's important to highlight two things, one, law enforcement is having success in this space. there has an impact. year over year we see statistics that i could map back to law enforcement successes, whether it was using pacts back in 2007, to switching to malware and going from central databases of credit card data to targeting point of sale terminals around the world and harnessing that information in more of an automated, scripted opportunistic way. the impacts of law enforcement and the prosecution of these folks has an impact.
3:52 pm
in your work highlight that effort. highlight the fact that we are making progressive steps towards winning the fight. however, we need to consistently work on getting there. >> i want to talk about the trends. what are some of the trends you're seeing today that are going to be important for us in 2020? why don't we start with you this time martin. >> we're seeing a trend towards more consolidation, a more efficient market. we're seeing a trend towards a use of computers in the sense they control more and more things, more and more connections among them. if you take a look at the trend lines with the exception of law enforcement it looks like the
3:53 pm
world is getting worse. but i want to point out something that gets us beyond the world of crime and punishment. based on computers that easily change their instruction sets. when people talk about malware, they are talking about a hacker's ability to persuade your computer to run their instructions. and in most cases those instructions have been placed into your computer for the computer to run. some of them are realtime. in many ways, this is an artifact of the way we built computers 30 years ago when we thought we were in an innocent world in withe want the to be open to third party software. the computers used in architecture than any other electronic
3:54 pm
device around and the early 80s allowed to be changed to radically. the result is you get to is that you have a great deal of malware and it's implicated in most of it. in a world in which we don't have to have an architecture that works that way. so the question is how bad do things have to get before people start either forwards or backwards, depending on your perspective, to make this crime very difficult to do. there was a series of articles in "the new york times" and of course, they want to push forward. there's an argument to be made in some cases you want to turn
3:55 pm
the technology backwards, but the question is when do we reach that point. as bad as things are i don't think we have reached that point yet. in other words, i think things are going to have to get a lot worse before they get better. >> in the topic that we raised, i think we're at that point already and we have been for a few years if you look closely. so in smart phones we have two leading platforms made these different choices. so for instance what you talk about technically is code or code signing. and on apple's platforms, neither of these are allowed technologically. it's built into the architecture that all software has to be signed and approved by apple. whereas on android-based devices, it's a more open environment and you can run arbitrary software.
3:56 pm
software can modify itself like a traditional computer system. and we have seen very different stories about malware on different platforms. what's going to be interesting to see over the next six years as we go to 2020, so if you think about it six years ago very few people had smart phones. that's a last six years thing. the next six years, what are the devices that people have right now that everyone is going to have in 2020. so maybe they connect devices in our home like a nest, all these things. maybe a smart air conditioner. maybe that's what we'll have then. which of these platforms are learning these lessons from smart phones of how open they want to be with what software they run. do they want to use the existing open model or a more locked down model.
3:57 pm
that will have an effect on the crime we see. >> i want to get some of the other panelists' thoughts on both the term that is really taking hold is the internet of things that we're going to have more and more devices connected to the internet, things never connected before. but i want to start with the closed versus open platform. we have seen two different models in the smart phone market. which of those models do you think from a consumer perspective and from a crime perspective is more likely to take hold going forward on the internet side of things. >> technicians love the apple product because it's shiny and smooth and looks cool and looks like you know what you're doing. so the guys will go for an apple product because it makes us look
3:58 pm
smarter. consumers. the cheaper but fancier things so they are going to buy the open environment if it's a cheaper product. right now, i believe it is. i don't see us changing any time soon. i agree with you that the apple line is a smarter approach, but i don't see the world going to that approach in the next ten years. >> open and closed if you run on the premise that the consumer is going to make a decision based on price and that the open is cheaper, let me throw a couple statistics. today more than 2.1 billion consume to service for the 40% annual growth rate. global ip traffic has quadrupled over the last five years and grows 20% a year. by 2017 mobile devices will originate more internet traffic than wired devices with mobile data growing by 66% a year. if we operate under the premise that an open solution is more adoptable by the consumer, more
3:59 pm
data is 66% growth rate and mobile traffic will exceed wire traffic opens more security holes. but then it's bring your own device and continues to involve. >> i think the technology is looming right now that we need to pay attention to. as we wire up your cars as the high-tech models come in there's a box on your desk that you can get that you can do facebook and all that stuff and the computer manufacturers are great engineers but they are not security engineers. so if you go back to the clock and look at application that we all use like microsoft and all that stuff, those guys know how to program securely and they
4:00 pm
still have issues. now software from car manufacturers who have no idea how to do this and we need to start thinking about this, it's kind of scary. there's one manufacturer now who put his onboard computer runs brakes and airbag the same as it does pandora. i can't imagine what a service attack will do and pandora stops and airbag stops. that's the technology that's looming right now. >> rick answered my question of what connected devices will all have. is it obvious that i live in new york city and forget that cars exist. you mention the price difference for android versus apple products. there's been virtually none on apple products and all the mobile malware has been on android devices.
4:01 pm
are the higher end manufacturers going to build -- invest the resources to lock down the infrastructure. and on the lower end models will have the malware problems. >> there's one truth in the industry that no consumer pays for security. there's no money in it. you don't even know if it's working, that's why you won't pay for it. it's a well designed machine. so let me jump in. >> five years ago when you had these mac and pc commercials, mac advertised that it was more virus free. you can have a nice argument,
4:02 pm
but basically there's not a difference between the two. when you have the apple ios versus the android where there is a huge difference, apple isn't advertising that. that gets to the point that if we really were at a point of crisis. but the consumer hasn't felt that crisis yet. in terms of cars there's a much different dynamic at work and that's called the federal government. start thinking about what the recalls look like when you start having security issues and safety issues and think of the car makers basically saying, wouldn't it be nice if we could fix all the recalls remotely so you didn't have to bring in your car. which opens you up to remote code changing which kind of gets you back to the circle again.
4:03 pm
>> which we're already seeing. there's a car manufacturer that's relatively recent thinks of itself as a silicon valley company, tesla. and they have done remote updates over the air updates, as they call it. is that a good idea? are we ready to have our brakes connected to the internet? >> how did the average consumer who is buying a car, how do they make an informed decision about the level of safety of the facilities? i want to come back to safety versus security later. martin is raising all my favorite points. i swear i didn't plant him.
4:04 pm
we don't have that for software security or cyber security. so how is the average consumer supposed to know the risk of tesla's remote update versus some other system that may be better or may be worse. >> i'd like to try to drag this back to the topic. these are all interesting things, but how does a cyber criminal take advantage of the internet of things? where that happens is now there's way more places for them to insert themselves to collect your data. so if you're going to be operating out of your car and that's your internet access point from now on that's the new place for criminals to insert themselves. >> and is that going to be the business model. is that stealing your data or is it something else? we heard the attorney general talk about ransomware. is that something we should be worried about? i need to worry that my refrigerator is going to be
4:05 pm
hacked and i have to pay to save my meat in my freezer? >> i think so. i'll find network storage devices. so i think that's a business model that's going to scale. especially as we get increasing control over a lot of payments fraud and traditional cyber crime business models. cyber crime is like a business. i think of them as entrepreneurs with a slightly increased appetite for legal risk. like any other business, they are only going to shift market when is a new market is -- they have better returns or the existing market that they have to look for new business models. so the example of a car like ransom of your car, if the price is low enough and you can pay with bitcoin and you want to get to work and your car doesn't
4:06 pm
start, fine, here's $20, let me go. that might be a thing. >> can we talk about that? that's really interesting and comes out in the book. their business process is heavy on customer service. because they don't want people to -- if they don't let you go after the ransom, that ruins their business model. so they are good at undoing what you pay them. that's part of their attendance that they are good at giving you customer service once you pay them. that's fantastic. >> think of it from a bad guy's perspective. renewable return on their investment at the end of the day, they are still managing their own risk. not just financially, but they want personal freedom. that's important when we look at we saw in mid-2000s and as the evolution goes more and more, customer service is baked into the online forums and the vending of data online.
4:07 pm
that's a measure to help a bad guy minimize exposure. i think as you start to see the shift in deploying and being here in the u.s. and north america, that is a model that's going to start to minimize the risk for a bad actor because you look at ach transfers, why do i hack into your home pc to steal your credentials by moving money from bank to bank that minimizes the ability or reasoning for me to be on the street exposing risk or creating risk for myself as an actor. i think as we're looking at the business models, we have to look at the infrastructure that supports them but also how are they going to get access to the money that they are making for themselves and where are the points of exposure for them and focus on that part of it. just as much as we are looking at security architecture how we want to do network defense or intel-based security, whatever it may be, looking at where the
4:08 pm
risk points for the person doing the crime i think is also an important part of the ecosystem as we have this conversation. as soon as we employ chip and pin, the fraud will start to diminish. but others are going to go up dramatically. they are constantly looking at the business model associated with that but also how do i evade detection, evade my personal risk of being apprehended. including that in the conversation is very important. >> the next innovation for cyber crime operations. it doesn't have to be credit cards involved in the attack. as the u.s. moves to chip and pin, it's just chip and signature, by the way we're way behind everybody else on the planet on how to do credit cards. it's one of the reasons credit card theft is easier. so as soon as we get there it
4:09 pm
will be better. that's going to touch you hard. consumer is going to get that, feel it, see a lot more complaints about that. right now i think credit card fraud, banks cover that for the consumer. it doesn't affect you financially that much. wait until your car won't start. that's going to be real painful. >> i'm wondering if they know anything interesting about me. >> when your car becomes your computer, i think that's where we're headed. >> first of all, it's a good idea not to do too much computing in your car because it's still driving mode. google may change that for us. let's talk for a minute. what does your car know about you? your car may know where you have gone if you have gps, but we're moving into a world where the government knows where you are
4:10 pm
because there's so many sensors out there reading license plates. you had talked about what if a criminal could get into your car and make a stop. what's the possibility for law enforcement? to say, look, there's a bad guy driving a tesla and i want this guy apprehended. >> it shows how much crime pays if they are driving a tesla. when you talk about smart device, you're not talking about victims and criminals. you're talking about victims, criminals and the government. and the interplay which has the potential to be very interesting. and maybe i'll keep my honda for a few more years. >> i think we're going to hear a lot more about how the law is going to have to change in order to strike the right balance when we talk about the governments being able to deal with these
4:11 pm
new technologies and take advantage of the evidence that's created by them when it's appropriate to do so. but for us with the focus on the technology, we heard a lot about payment systems. i heard bitcoin and i heard about credit cards. so i want to follow up on payment systems. so i guess i'll ask rick. is the credit card with a magnetic strip going to exist in 2020? >> no, i don't think so. i think in the u.s. we're moving to chip and signature. it will be some holdovers but the industry is moving to something more substantial. i don't think that's an avenue anymore. anybody disagree? >> i think that's the path. it's going to take awhile for companies to get used to the technology. you are already seeing in some countries that have already moved to chip and pin that it's still as companies are doing business in that model are still struggling with how do i secure my network configure my network so fraud occurs.
4:12 pm
some of the gaps and things are being configured still exist. over time that will start to diminish. >> anybody doing international travel you go there with your american credit card and go to france or europe and give it to a vendor and they look at you like what is this piece of thing? please leave my store because it's so far behind the european credit card system. >> at what point is it all going to be done in a mobile device. you see that parking here today. >> so credit card fraud's going to get more difficult. that's what i'm hearing. where are the criminals going to go? >> when you talk about their business operations they absolutely need a way to do anonymous money transfer capability. they have to have that. and they have it now with bitcoin and other kinds of operations. and i don't even know what the answer is from law enforcement, how do you track that kind of
4:13 pm
thing. do you have an idea of how we follow that? >> there's been successes in law enforcement over the years. there's been successes and falls back on banking regulations and lack thereof. you have more courage knowledge, but at the end of the day, they have to find a way and mechanism to receive the benefits of their efforts. and i think over time they are going to find a way to do that. i think they've already started the shift with the therefore stuff. and i think that's not going away. in fact, from a financially motivated attacker and state actor factor, it becomes harder
4:14 pm
to decipher which one is which because they are doing both. so who is the actual actor that's targeting you becomes a very important part of like making decisions. so i think they have already made that shift into we need to minimize our risk on the street, we need to find our ways to move money, i think their infrastructures are in place, but it changes as law enforcement has success as a regulatory landscape changes. but they pay attention to it and have the same debate about it online amongst themselves that we are having here today. there's no doubt that they outlive that. so i think they have made good progress in setting themselves up for the future unfortunately. >> you just briefly explain what you referred to. >> it was a digital currency where it was bound i think to the gold and so it basically created an environment where you
4:15 pm
could move money and had a value in the form. it didn't have your know your customer procedure from a banking regulatory perspective. so that was a way for us and we could prove -- at least law enforcement could prove that the percentage of transactions was used by fraudulent activity. >> i think that we're saying that credit card fraud is slowly finding its way around and things will come. i'm interested to hear what everybody thinks it's personal information that's the value that we're worried about. and is that true? is it more than just credit card information? it's your name, where you live, your social security number, your medical history. is that more valuable than just credit card information? >> it's really tough to monetize. >> it's sensitive it's personal. but until there's like a good.
4:16 pm
monetization path, i don't think it will be a threat. what we do know is criminals will find a path before we will. >> you brought up something interesting about a social security number. five ten years ago the notion that everybody who knows my social security number is therefore me has been a standard in the world of finance. and it's an absurd idea given how many times we have to give our social security number, how many poorly protected systems it sits on. maybe the problem isn't the data. maybe the problem is the level of authentication that we give and shouldn't. maybe the problem is in the transaction. >> if you look at data breach report that we produce last year we looked at just over 63,000 security incidents, just over 1,300 data breaches from 50 participants in 95 countries.
4:17 pm
and i think when you look at it consistently year over year, even as the report has evolved, authentication becomes a major issue. most folks of things we see would be resolved by leveraging. >> which is getting much easier. >> so we have never reached 20/20. i want to talk about what cyber crime looks like in 2020. so what does it take to be a cyber criminal in 2020? do i need a computer science degree? >> either that or any accredited cyber crime university. one thing that's differentiated cyber crime from a lot of other fields is a lot of the skills can be learned in the underground and can be learned just through those networks. and so the science degrees haven't been necessary. we have seen that a lot of
4:18 pm
self-taught people have been able to do everything they need. but i don't think criminals will need computer science degrees because the level of sophistication has traditionally been more opportunistic than specialists. so from where i sit doing network tests for clients and things like that in my career, those practitioners and security fields generally used methods more sophisticated than we have seen in cyber crime. so i have watched as they have caught up and we feel like we have been warning everybody because we have been able to get in and always get in and someone else is going to eventually too. and i think that's going to be a constant. if cyber criminals can just use a difference here, there will be different targets and that's where the innovation will come
4:19 pm
from. figuring out how to monetize information we started collecting. kind of take a step back to what rick was saying about other information that we have. we have our smart phones collecting our health information. we have them collecting our phone now collects my foot steps, how many footsteps i have walked in a day. i don't think there's a way to monetize this. i'll hand it to you for a dollar. some will put that in the cloud and they always have more value than data dispersed to the end points. collecting is a lot more labor intensive, so it has to be a lot more valuable to make it worth the effort to attack each individual individually. and that's where i think we're going to see play out. what information that could be monetized will be aggregated.
4:20 pm
those will be the new targets. >> there's cyber crime all over the world. the bulk of the practitioners seem to be in eastern europe. there's good reasons for that, but i would like to throw out to this group, is that where it's still going to be? it's in eastern europe for lots of reasons because of legal reasons that they can operate there freely. it's there because there's smart people in the area of the world that's trained at some of the best universities and didn't have a job to go to so they migrated to this is a way to make a living. does it stay in eastern europe? i'm not sure. >> we're describing they have embraced a discipline to their craft. i don't think that has permeated its way around the world.
4:21 pm
if you look at brazil, it's an early adopter of technology. and especially mobility. they are starting to deal with threats before we are. they have a talent pool that's dealing with co-writers that exposed to different technologies that in america we don't deal with yet. i think that's going to continue to grow depending on what technologies are being embraced around the world. but i think from a discipline standpoint, the russian speaking criminal, the way they have permeated that discipline in the underground makes it harder to access unless they want you to access it. and b, i think the mind set hasn't permeated itself yet. it will remain to be seen. they will continue to thrive and i think what will be interesting is i have no doubt they are
4:22 pm
looking at the r&d of the future and looking at where do we need to be down the road because they will be the ones most likely that will continue to drive the economy of cyber crime around the world whether it's setting price, providing infrastructure. if i'm a hacker here in the u.s., and i hack into a database and have access to data, what do i do with it now? they don't have to ask that question. they know exactly how they can move that data to monetize it. it's almost as if they hack for hire. at times they don't know who they are victimizing. so they are looking for the types of data they know they can monetize or have the infrastructure for that data very quickly. we see that when the industry was being attacked, we saw phishing and spamming increase immediately.
4:23 pm
so it's that having the infrastructure to permeate the crimes that you want to commit and know you're going to be able to monetize quickly. i don't think other groups are as organized as the russian-speaking bad guys that we deal with. >> my answer would be it depends on global economic shifts. why i think eastern europe is the center of cyber crime is partially network effect and the internet makes everyone a target globally so you can target someone across the world just as easy as you can target nearby. and also they don't have a silicon valley. so the reason silicon valley works is companies and talent. and so they have a similar business network there. so that is a draw although criminal and if there's a rich technology industry nearby for people with those interests that is even at lower pay will be a
4:24 pm
stronger draw than the criminal under world. >> a small story here. six months ago the united states persuaded a russian act to take the vacation to the maldives and because we had an extradition treaty the hacker was apprehended somewhere in the justice system. here's the question. vladimir putin reacted to this, a, by saying this is a great victory for cyber security or putting out a list of countries where russians shouldn't travel to. as long as he is in charge in russia or more broadly as long as that attitude is in charge in russia and other countries it's going to be hard to make progress against this. what is criminal is often political. and it's russia's decreasing desire to see themselves identified as part of the west that has many ramifications and this being one of them.
4:25 pm
in brazil, which has a lot of talented hackers what's going to be important is the extent to which brazil sees themselves as cooperating with the west, which i think they do now, but in 2020, a lot of weird things can take place. >> one thing that we have talked about a bit is what crimes are going to be committed are going to be driven to a large degree what i'm hearing by a financial motivation. we talked about the difficulty of monetizing certain types of crime. so i wonder what the research is showing about what's happened so far about what types of crimes we might expect going into the future. >> well i think it's going to be big. i think it's going to become larger. when you realize that one-third to one-half of all computers in the world sport malware, it's a wonder that so little of that
4:26 pm
ransom has taken place. we're seeing, and this isn't criminal, but we're seeing a trend towards bricking a lot of computers. our good friends in iran and north korea seem to be enjoying this quite a bit. and this is one of the things that isn't done until it's done and everybody does it. it's one of those thought crimes. i think people -- part of the problem of forecasting in 2020 is to try to figure out what innovations will take place in terms of information. a week or so ago, there was a report of a bunch of hackers who had gone after drug companies not for information about how to build drugs which is patent protected, but to try to outguess the stock market because the success of drugs has a lot to do with, as you would imagine, the stock prices of firms. i bet you that lit up a lot of lightbulbs and may be looking for information on acquisitions but i'm sure there's a much
4:27 pm
larger list. i predict in the next five years, somebody will come up with an interesting way of monetizing information that none of us on the panel had a clue about. i just don't know what it is. >> or we'd be in that business. >> i also think that we need to look at the rate of adoption and technology. we're talking about innovation and where we're predicting technology to be. and it will be interesting to see how fast technology in the innovations that we all make are adopting an everyday life that make it more valuable than what's currently out there. i think that will be interesting. only six years away or so to 2020. so how fast will these innovations become mainstream to the point where the risk and the return on the investment of the threat actor. i think when we talked heavily
4:28 pm
about financially motivated attacks, for you prosecuting cases, you're looking at intense motivation and financial loss. so whether it's card data to convert into money, or if it's some sort of destruction, some company has to put a dollar amount to the data that has destroyed. as we look at the evolution of cyber crime from a private industry perspective, we need to start thinking about how can we articulate the impact to us in our business and start being able to put estimates to that because it's easy to say a credit card is worth $500 or whatever the fraud may be but how much was that property that was destroyed? what was that worth to you? as we're talking about data will be the currency going forward and so we're not -- it's not going to be payment card data
4:29 pm
it's going to be something else. what does that type of data, what's the dollar figure that you need to put to it so i can go and say i'm a victim of a crime. well, we know this bad guy because you don't want to, but how much was that worth to you? >> if we shift from crime to maybe activism, activism to cause the victim pain. or service attacks or their data to a public database to read their private e-mails, but add crypto ware to that tool belt, i can lock up your data and not even touch it anymore. that's another tool that an activist has. that's a scary proposition. >> it's almost time to turn it over to the audience so they can ask you some questions. but before i do that, i just want to give everybody a chance. we have talked about a lot of things that we think may happen. what's the one most important
4:30 pm
thing we can do to be prepared for 2020? >> oh, man. >> how to be prepared. symposiums like this are some of the most important things we can do. if you have this conversation with your family, my wife rolls her eyes up in her head every time i talk about cyber crime. my mother-in-law thinks i'm an idiot. so we have to find ways to make these kind of conversations easy to understand for the normal person who doesn't think car internet connections are interesting. so having these conversations is a very important thing to do. i hope we continue to do that. >> how about you? >> i would say keep your eye on the attacks that are being demonstrated as part of research because attack demonstrated by a researcher and saying this is a risk, those will often become the widespread crimes 5 to 10 years after.
4:31 pm
and there's earlier trends that affect in my community there's a lot of people who would hack other hackers because everyone you know knows how to do these things and those attacks that just happened to us then start happening to celebrities. and then this might happen to other people. there's this trend already. i think that's somewhere i personally look to see what's going to happen in ten years. >> i agree with both the panel so far. i think also continuing the awareness and in getting more people to help demystify the problem and using tools that are disposable and make sure that not only as consumers are we informed, but as business owners and leaders that we can measure risk and understand the world around us and how does the world of cyber apply to us, whether
4:32 pm
our daily life or in our businesses. because i think it's nice to talk about where the world would be and look everything at a global scale but at the end of the day, we have to focus locally as well and look at how does it impact me and what can i do? having the education to inform the consumer and personal life but also taking complex global dynamic problem and having a platform to make it consumable. >> i'm going to be a little contrary. let's say we had this panel 50 years ago. let's say you pointed out correctly that on average we have a 1 in 50 chance of ending our life as a result of a car accident. you pose the question, what should we do? we don't have a lot of ideas on how to drive more safely. fast forward to today.
4:33 pm
your chances of ending your life are four times lower in this country, roughly 1 in 200. is that because we were four times better drivers? and the answer is no. it's seat belts, it's interstate highways, it's ems, it's a lot of different things. we solved not through personal action, although personal action is important. we solved it systemically. we solved as a country and we solved it by passing regulations. some of them were happy accidents of building the highway system or the only happy accident from the vietnam war is we learned to do ems very well. but regardless we solved it systemically. i have a colleague whose line is, don't blame my mother for the internet. if we build a system where everybody has to be constantly aware and as sophisticated as we think we are here on this panel,
4:34 pm
right, you're not going to get there. you have to build a system that's made for average people so that average people can get online and do average things and not worry so much as they do now. and trying to put this on the consumer is just not going to work. >> i agree. the problem we have and haven't been able to solve it, it's mandate seat belts and airbags and things like that. lawmakers can't keep ahead of the internet because it changes so fast. when they make a law today it's not going to affect a problem tomorrow. we haven't been able to come up with a good solution for that. i agree we want consumer products to be better to protect our end user. if we can find a way to make that enticing for the people that build those things, that would be a way to do it. >> sometimes that happens by second order effect. by not making consumers liable for fraudulent charges you now shift that burden on to the financial system. then it's in their financial
4:35 pm
interests to solve the problem. >> that's really good. >> we have reached the point where we want to invite the audience to come up and talk with the panel. we do have microphones out in the audience. we do ask that people queue up at the microphones so everybody can hear the questions. i see we have our first one. >> to put this on the example of the sony hack, probably the biggest thing in the news now. it's different than some of the other hacks we have seen. data has been released in massive amounts on the internet. what can we learn from that attack and how much do you subscribe to the idea it could be retribution from north america? >> so i'm guessing that nobody here has personal experience of the sony hack. i think you're probably not going to be able to speak directly to that. maybe we can speak a little more
4:36 pm
broadly about what large data holders are facing on the internet today. and the threat that they may be extorted or otherwise. >> okay it is different. one of the things they did was they sent a message on a lot of employee's computer screens saying you need to pay the ransom or you're never going to get your data again. that's made for tv operations. that's pretty innovative in how they did it. i will address do we think it's the north koreans. our community is bad about this because we want to blame some higher power that has all these advanced capabilities. we like to blame china russia now north korea. they may be true, but we don't know. it's just speculation at this point. it seems to be our industry has said well because these people
4:37 pm
are so powerful there's no way i could have defended against those guys. i disagree. one of the things we're bad at in our industry is doing basic blocking and tackling. i have been around the world talking to security people and everyone to a man and woman admits they haven't configured that device they bought last year for a ga. -- dollars. >> the question i want to answer is i have seen remark about wonder of private data being released from the sony breach and that sony had that data accessible. but in my experience, that's not really different from any company of that size. we don't have the tools to protect employee's data on a large corporate network so if someone is able to get in and wants to deliver the pound of hurt that these people did to
4:38 pm
sony, they could do similar things to any company. >> so i just want to ask one follow-up. i have seen some criticism that perhaps there were some weak passwords being used in that data breach. are we still going to be using passwords in 2020? is that a realistic security mechanism to keep us safe? >> i think we're still using passwords by 2020. >> i'd like to think we'll have a greater shift to something different, but i think it's still going to be used. >> and by two factor, what do you mean by that? >> take multiple forms. we spend a lot of time. we all have mobile devices. everyone has a cell phone sitting there. being able to leverage data to do analytics, one of the things that's interesting about what we're talking about in the space, we're talking about the data that's going to be created. but i also think it's a big data
4:39 pm
it solution that helps solve the big data problem. the more data being generated to do -- that can be stolen can also be leveraged to do analytics to protect us. so i think it's important for preventing fraud, authentication purposes same data. >> we make it so hard to do these kinds of things. to turn authentication on, how many people are using facebook? no one is going to admit. so how many of you turn two factor authentication on in facebook. a couple of you. it's hard. you don't even understand it. and try to explain that to my mother-in-law, she doesn't even want to talk about that stuff. so we have to rely on the people to make the software to make it easier to be more secure. >> that's another example we push that effort on to the consumer.
4:40 pm
we could identify. that seems kind of weird. why don't we ask for two factor now. you're logging in these are not normal times. these are not hard problems. >> first of all, the judge would appreciate your economic analysis in solving the situation. but going back to something you said earlier martin, with regard to sometimes law is political. what is legal is political. and i think in some instances that is true. what's free speech here is not the same in europe even. but theft is theft. stealing is stealing. they had to make to escape
4:41 pm
prosecution. but now they can just start in that that. what can the state department and department of justice, what can our u.s. infrastructure do to kind of leverage and push these countries into extraditing these criminals back to the u.s. for prosecution? >> theft is theft because there's such a thing as copyright. if i appropriate a book made in 1930, i violated a copyright. if it was made in 1920, i haven't because of the politics of the copyright. but that wasn't the question you asked. let me get to the question you asked. how do we put -- not to put a point on it how do we put pressure on the chinese to steal our intellectual property? the first thing we have to do is figure out what we're losing to them. i find it ironic that the people who spend the most time
4:42 pm
complaining about the chinese are in the department of defense. when you go to the department of treasury, they pay lip service to that, but they are more interested in selling chinese our treasury bills. we have a very complicated relationship with china. and we have to make a wise choice as to where we put that kind of pressure and vis-a-vis everything else. and i was a little surprised when in may of 2013, that was number one. there was news that it was going to be number one at the most recent summit, but they ended up with an environmental deal which probably was not a bad allocation of resources. but let me at the risk of being wrong, which is a risk i take every day i assure you, the chinese have the interest in intellectual property. correct me if i'm wrong, but when i look at the department of
4:43 pm
justice's listing of what the chinese had taken, almost all of it perhaps 100% depending on the interpretation was what i would call business data, relatively short-term information that chinese could use in a negotiations, vis-a-vis the people they took from. the amount of stuff which could be clearly intellectual property was not very high on the list. i asked myself why that was solved. there's three answers. one, it's a statistical artifact. there were five or six companies in western in all deference to my friends from there, is not the most innovative part of the united states so they didn't have a lot of innovation to steal. another possibility is they stole it and the department of justice didn't want to talk about it. i have no way of knowing whether that's true. the third possibility is, in fact, that the chinese have stolen so much intellectual property that they don't know what to do with that that's not what they are interested in anymore. that's an empirical question.
4:44 pm
i don't know the answer to that one. those are the questions we have to think through before we make a political issue with the chinese and put other things at risk to gain that. it might be a good idea and might be a bad idea but we have to think it through. >> i think the u.s. attorney is going to disagree with you later today. i do think that these are interesting questions could be a whole symposium of their own. i think there are several. but i want to refocus on sort of the criminal threats that we're facing instead of more generally on the geopolitical environment. to the necri' >> i was opnqeá yesterday talking about corruption and should we care about that. the u.s. has a mixed review and we think stealing is bad but we support countries with monetary gifts because we like what they are doing. should that even a thing we
4:45 pm
talked about. it's illegal and immoral. what incentives can we give that country to bring it closer to what it should be in the world. that's a big question. we haven't even scratched the surface. >> let me follow up to that. what i think is interesting and talking about the geopolitical landscape, it's human aspect to this. if i'm a citizen in another country and want to travel and have the ability to travel, i'm going to travel. that's how it's going to be. unless the government prohibits me from doing so, fine. but if you look at the actions that law enforcement in the united states and the relationships they have built around the world and myself having been fortunate enough to play the role for the u.s. government, was building those relationships and partnerships globally with international law enforcement to not only to learn from them but to also empower them as much as they have empowered us to work together to solve this problem. we saw cooperation and still do, which is why you see more
4:46 pm
arrests happening around the world. what gets lost is it's actually happening. it may not be changing laws in another country necessarily, but the actual operational or tactical mission is moving forward. and you're seeing more arrests frequently from cyber criminals than you ever have before. i think what gets lost in the translation sometimes is we end up not understanding the impact those arrests have. we don't have good perspective on if we arrested that one person or those five people somewhere in the world, who they really were in the ecosystem of cyber crime and the impact they had of where things have to evolve. like i said before, i can map specific law enforcement actions and arrests to changes in data breach statistics at a global scale. so the efforts being taken with
4:47 pm
international definitely growing definitely impactful and is having a lot of impact that people don't realize. >> so this goes to the financially motivated data breaches. what do you think the private industry will recognize that they are incapable of protecting static data? the internet's genesis was sharing. and you can't have sharing without criminals exploiting that. and we built this entire system on that foundation which is crumbling. jp morgan chase, they are not a e retailer. $250 million in data security, they got hacked. so when will industry focus not so much on trying to protect the data. you cannot build a capsule big enough, strong enough to keep the theft. when are you going to focus on how the data is used in business. a quick example, the gonzales case. he's locked up for 20 years but
4:48 pm
will probably be out some time after 2020. he's off the streets, was not a lack of people going back into this. at the time it was open wifi. intransic data wasn't. so what do we have? we have ram malware. every other merchant was advised of this. even after target home depot knew about this. it was in the papers. they got hacked and didn't know about it from april to august. so wireless company and you don't need to factor authentication. we have moved from one cell to another frictionless. in the '90s they went ahead and wanted the government to prosecute the access devices. they got the legislation. that didn't do it. so what did the industry do?
4:49 pm
they encrypted the identifiers, they built a system to recognize two in the system it kicked them off. if my phone is uniquely protected better than me why can't industry protect me and my identity? >> so how to answer that question is you'll start to see it first in small pieces and then a larger movement. so what to look for are technology companies who are opting not to collect data and made a perception of extra work. and then they have to protect it. the example that comes to my mind first is apple pay. one of the unique things about apple pay compared to google wallet is the transaction data doesn't go through apple. so all that data is not something they need to protect. it's not aggregated on their systems, it's just pushed out. and as we see more companies -- if we see this, seeing collective data that might be sensitive as a possibly liability, as a cost and
4:50 pm
responsibility to protect it so they take actions and e design to not collect it or encrypt it it on the client system like on the phone or web browser before that is what i keep my eye on to see if that's happening. >> my question has to do with the actors the cyber criminals. i'm currently involved in an effort with cyber crime communities. transnational organized crime which is becoming flatter, more networked, more adaptive. and so we taught this to folks on the cyber community. they come together in very ad
4:51 pm
hoc ways. i also hear you and some others speak about the consolidated marketplaces, customer service, business models and their methods of operating. could you speak about how you look at the actors and where you see their evolution forward? >> i think you addressed some of these topics in the hackers bazar. i think your observations are correct. one of the things often as a dog one of the things we found interesting about the underground markets is we didn't see much traffic in really powerful zero day tools.
4:52 pm
>> i would like to address the what we call it thing. my mother in law is thinking the god father and that's not what is going on here. they -- it's like lincoln logs or legos. get away from the god father metaphor. >> i think the connection is trust and credibility within their space. i think when she spoke at the beginning of the conference, she thought about the cash out crews.
4:53 pm
here is the conversation you need to go to an atm, take out the money and you physically have the money in your possession. from you the cyber criminal. you have to send me the money, right? the bad guy has got to send the money to the hacker. if they don't then they will complain that the one person didn't hold up their end of the bargain and they're out of the picture. they will be cut because they're not trusted. at the end of day.
4:54 pm
similar to the way an organized crime group would have to earn or maintain trust. >> what does that mean for law enforcement? the god father model was you work your way up the chain but your ultimate goal is taking out the to be. where does the focus immediate to be to have the greatest impact? >> i think the goal for commercial organizations like mine, what law enforcement wants to do is put bad guys in jail. i want to stop pain. i don't really care if i
4:55 pm
dismantle somebody. i would like to see more resources put to that i would like to see that. >> from a -- >> do we have -- one more from the audience. >> local researcher. nevertheless talk about the god father model so many of your remarks led into that model now clearly from the standpoint of this organization has been there for decades. some of the people are extremely famous. so are you -- i'm still unclear
4:56 pm
how you want to do that. you said organized crime unit, try to take op the mafia in the u.s. at some point. presumably decades from now you will have the same criminal organization and now they have adapted themselves or gotten into the lucrative cyber realm they will hear about this today. are you just going to accept the existence of that organized crime so to speak? and try just to take down people individually without addressing the organized culture? >> let me clarify. organized crime does exist. when i talk to normal people they assume some god father has this big organization that does
4:57 pm
stuff and that's not really the way it works. >> max tried to be that and it didn't work and criminals realized that. max got arrested because even though the fbi had the whole undercover operation, it didn't matter. people got arrested that were in his crew and they knew him personally and they knew where his operation was in california and they brought us to them. with the internet you have the ability to take away the human interaction which minimizes your risk. language is a counter measure. that could be a counter measure. right? and having access to the things
4:58 pm
that they do. when you talk about the organized crime model people have tried it and it doesn't always work. >> we have reached the end of our time. i think it was an interesting discussion and i look forward to having many more today. thank you very much. >> the cyber crime symposium looked at the balance between the fourth amendment and new techniques applied by law enforcement. this is an hour and 40 minutes. [ applause ] . >> it is my great pleasure to introduce our panelists today. there are full bios but i would like to highlight some of the elements of their careers that
4:59 pm
bring a special expertise to what really is my dream panel. so i will begin with michael who is deputy solicitor general. his primary responsibility is representing the united states in supreme court criminal cases. he received his undergraduate degree from wisconsin, masters from chicago and a law degree from duke. he went on to clerk for judge williams. he has argued more than 90 cases before the united states supreme court including one we will be discussing today. it is my great pleasure to welcome in our panel. to my right i have professor
5:00 pm
orin kerr. at that point i understand that you agreed to write a manual on computer crime investigations and that is what got him into fourth amendment doctrine generally. he joined the faculty in 2001 and is one of the most highly influential scholars. 150 judicial opinions have cited his work and many scholarly articles have cited his work. chief justice roberts last year appointed him to the federal advisory committee for the federal rules of criminal procedure. now in 2004 he argued that the court should approach the fourth amendment cautious