tv Politics Public Policy Today CSPAN December 10, 2014 9:00am-10:01am EST
9:00 am
but i want to start with the closed versus open platform. we have seen two different models in the smart phone market. which of those models do you think from a consumer perspective and from a crime perspective is more likely to take hold going forward for the internet of things. rick, do you have a thought on that? >> technicians love the apple product because it's shiny and smooth and looks cool and looks like you know what you're doing if you carry one. so we will go for an apple product because it makes us look smarter. consumers want the cheaper but fancier things, so they're always going to buy the open environment if it's a cheaper product, and right now i believe it is. i don't see us changing any time soon. i agree with you that the apple line is a smarter approach, but i don't see the world going to that approach in the next ten
9:01 am
9:02 am
depending. they're talking consumer but as bring your own device continues to evolve, what's that mean for the enterprise? >> i think the technology is looming right now, okay? we need to really pay attention to it as we wire up your cars. as the really high tech models come in, there's a linux box on your dashboard. what's the music thing? you can get pandora, you can do facebook, you can do all that stuff and the computer manufacturers are really great engineers but they're not security engineers, right? so -- and if you turn back the clock and look at applications we all use like adobe and microsoft and that stuff, those guys know how to program securely and they still have issues. now we look at software developed from car manufacturers who have no idea how to do this, and it's kind of scary. there's one manufacturer now who has put his onboard computer, runs your anti-lock brakes and your
9:03 am
air bag the same as it does pandora. it's on the same computer system, right? i can't even imagine what a denial of service attack will do for that when you're driving down the road and pandora stops and your air brakes stop. i think that's the technology that's looming right now. >> actually, rick answered my question of what connected devices we'll all have. make it patently obvious i live in new york city and just forget that cars exist. but you also made an interesting point about the consumer price difference for android versus apple products, and if you look objectively at the amount of malware on each platform, there's been virtually none on apple products and all the mobile malware has been on android based devices. so that extra price differential makes security a luxury good. so are we going to see that same dynamic play out in connected cars? are the higher end manufacturers going to build, you know, invest
9:04 am
the resources to lock down the infrastructure and on the lower end models we'll have the malware problems. >> the one truth in our industry is that no consumer pays for security, right, because there's no money in it. you don't even know if it's working. that's why you won't pay for it, but apple built really cool, efficient, well designed machines and gave us security at the same time. so the consumer didn't think he was paying for security. he's paying for other things. >> well, let me jump in here because i find a deep irony. about five years ago when you had all these i'm a mac, i'm a pc commercials, one of the things mac advertised was it was more virus-free. if you look technically at a mac and pc, it's six of one and half a dozen of the other. there's not a great difference between the two. when you have the ios, the apple ios versus the android where there is a huge difference, apple isn't advertising that. and i think that gets to the point, okay? that if we really were at a
9:05 am
point of crisis, people would be willing to pay an extra dollar or extra $100 or whatever it costs to get that security, but the consumer hasn't felt that crisis yet. in terms of cars, however, there's a much different dynamic at work, and that's called the federal government, okay? start thinking about what the recalls look like when you start having security issues in the guise of safety issues and think of the carmakers basically saying wouldn't it be nice if we could fix all the recalls remotely so you didn't have to bring in your car? which opens you up to remote code changing which kind of gets you back in the entire circle again. >> which we're already seeing, right? so there's a car manufacturer that's relatively recent, thinks of itself as a silicon valley entrepreneurial company, tesla. >> didn't think you were going to name them. go ahead.
9:06 am
>> and they have done remote updates over the air updates as they call it. is that a good idea? are we ready to have our brakes and our steering connected to the internet? >> how does the average consumer who is buying a car, the average consumer who is buying a tesla, of course, how do they make an informed decision about the level of safety of those -- like those facilities? so i'll -- i want to come back to safety versus security again later because martin is raising all my favorite points. i swear i didn't plant him. >> don't tell him about the e-mails. >> but for cars, you know, we have the star rating system. we have a way of testing the safety of a car. so that gives consumers a chance to make those informed decisions. we don't have that for software security. we don't have that for cyber security. so how is the average consumer supposed to know how like the
9:07 am
risk of tesla's remote update versus some other system that, you know, may be better, may be worse. >> i'd like to try to drag us back to the topic though. these are all interesting things but how does the cyber criminal take advantage of the internet of things? where that happens is now there's way more places for them to insert themselves to collect your data, all right? so if you're going to be operating out of your car and that's your internet access point from now on, that's the new place for criminals to insert themselves. >> and is that going to be the business model? is it stealing your data or is it something else? we heard the assistant attorney general talk about ransomware. is that something we should be worried about? do i need to be worried my refrigerator is going to be hacked and i have to pay to save my meat in my freezer. >> i think so. we've already seen ransomware target offline -- network storage devices, so i think
9:08 am
that's a business model that is going to scale. especially as we get increasingly -- increasing control over a lot of payments fraud and traditional cyber crime business models. i think, and i think you raised this point, that cyber crime is like a business. they're entrepreneurs. i think of them as entrepreneurs with a slightly increased appetite for legal risk, and like any other business, they're only going to shift markets when a new market is, you know -- they have better returns than their existing market or their existing market goes away to the point they have to look for new business models. the example of a car, ransomware of your car, if the price is low enough and you can pay with, you know, bitcoin over your phone and you just want to get to work and your car doesn't work and you're like fine, here is $20, just let me go, that might be a thing. >> can we talk about that? because that's really interesting and that really comes out in krebs' book. their business process is heavy on customer service because they
9:09 am
don't want people -- they don't want -- if they don't pay the ransom -- if they don't let you go after you pay the ransom, that ruins their business model. they're very good at undoing what you pay them for. it's part of their tenets which i find fascinating. they're very good at giving you customer service once you pay them. >> think of it from a bad guy's perspective, becoming more efficient and leveraging technology, but at the end of the day they're still about managing their own risk, not just financially and what their business model is but their own personal freedom and i think that's important when we start looking at -- we saw, you know, in mid-2000s and as the evolution grows, more and more customer services baked into the online forums and the vending of data online. well, that's a measure to help a bad guy minimize their exposure, right? and i think as you start to see the shift deploying the chip in the u.s. or north america, that's a model that will start to minimize the risk for a bad
9:10 am
actor. you look at ach transfers, why do i hack into your home pc, by moving money from bank to bank or account to account that minimizes the reasoning for me to be on the street exposing risk or creating risk for myself as an actor. as we're looking at the business models, we have to also look at the infrastructure that supports them but also what -- how are they going to get access to the money that they are making for themselves and where are the points of exposure for them and focus on that part of it. just as much as we are looking at security architecture, how we want to do network defense or intel based security, whatever it may be. looking at where the risk points for the person doing the crime i think is also an important part of the ecosystem as we have this conversation because like dino said, as soon as we employ emv or chip and pin, the card present fraud will start to
9:11 am
diminish but other fraud will go up dramatically. they're constantly looking at their business model associated with that but also looking at how do i evade detection, how do i evade my own personal risk of being apprehended through that process, and i think having -- including that in the conversation is very important. >> i think that's why ransomware is the next innovation for cyber crime operations because it doesn't have to be credit cards involved in the attack, right? as the u.s. moves to chip -- it's not chip and pin, right, it's just chip and something. >> chip and signature. >> we're way behind everybody else on the planet on how to do credit cards. it's one of the reasons credit card theft is easy here, okay? so as soon as we get to chip and signature, it will be a little better but ransomware is the next thing that comes and that's -- that's going to touch you hard. the consumer is going to get that, they're going to feel it, you will see a lot more complaints about that. right now i think credit card fraud, you know, banks cover that for the consumer. it's kind of scary when you get told your credit card has been hacked and you get a new one in
9:12 am
the mail but it doesn't really affect you financially that much. wait until they start poking you for $20 a month because your car won't start. that's going to be real painful. >> i'm wondering if my car really knows anything about me. >> but when your car becomes your computer, i think that's where we're headed. >> first of all, it's probably a good safety idea not to do too much computing in your car because you're still in driving mode. google could change that for us. could be a while. but let's talk for a minute. what does your car know about you? your car may know where you have gone if you have a gps in your car, but we're also moving into a world in which the government knows where you are because there's so many sensors out there reading license plates. you had talked about what if the criminal could get into your car and make it stop. what are the possibilities for law enforcement to get into your car and make it stop? for law enforcement to give a
9:13 am
subpoena -- if it already happened, i don't know, to tesla and say there's a bad guy driving a tesla and i want this apprehended. >> just shows you how much crime pays that they're driving a tesla. >> sometimes it does, sometimes it doesn't. but i mean when you start talking about smart devices, you're not talking about victims and criminals anymore. you're talking about victims, criminals, and the government, and it's the interplay among those three i think which has the potential to be very, very interesting. and maybe i'll keep my honda for a few more years. >> i think we're going to hear a lot more about how the law is going to have to change in order to strike the right balance when we talk about the government being able to deal with these new technologies and take advantage of the evidence that's created by them when it's appropriate to do so, but for us with the focus on the technology, we heard a lot about payment systems, and i heard bitcoin and i heard about credit cards. so i want to follow up a little
9:14 am
bit on payment systems. so i guess i'll ask rick, is the credit card with a magnetic strip going to exist in 2020? >> no, i don't think so. i think in the u.s. we're moving to chip and signature. of course, there will be some holdovers but the industry is moving to something more substantial, so i don't think that is an avenue anymore. anybody disagree with that? >> i think that's the path. i think, you know, it's going to take a while for companies to get used to dealing with the technology and fine tuning the technology. you're already seeing in some countries that have already moved to chip and pin that it's still as companies are doing business in that model are still struggling with how do i secure my network, how do i configure my network. fraud occurs and while some of those gaps in -- and things are being configured still exist but over time that will start to diminish. >> just a pet peeve of mine, anybody doing international travel, you go there with your american credit card and you go to france or europe and you give it to a vendor and they look at you like what is this
9:15 am
piece of thing? i don't even want to use it. please leave my store because it's so far behind the european credit card system. >> and then you have to get into mobile payments. at what point is it just all going to be done on a mobile device? you see that parking here today. >> credit card fraud is going to get more difficult, i think that's what i'm hearing. where are the criminals going to go? >> well, when you're talking about their business operations for a second, they absolutely need a way to do anonymous money transfer capability. they absolutely have to have that, and they have it now with bitcoin and other kinds of operations, and i don't even know what the answer from law enforcement is, how do you track that kind of thing. do you have an idea about how we follow that kind of thing? >> certainly there's been successes in law enforcement over the years going back to e-gold where you had -- there's been successes and it falls back on banking regulations and the
9:16 am
lack thereof from what that company was doing and that's evolved and you probably have more current knowledge but at the end of the day, you're right, they have to find a way and have to have a mechanism to receive the benefits of their efforts, right? and i think over time, you know, they're going to consistently find a way to do that. there may be ebbs and flows in their model, but i think, you know, they've already started that shift with the ach transfer stuff, a lot of bank money movement stuff, and i think that's not going away. in fact, from a financially motivated attacker and maybe a potentially state actor, from a network defense perspective, it becomes harder to decipher which one is which because they're leveraging stolen credentials to do both. and so who is the actual actor targeting you becomes a very important part of like making decisions, right? and so i think they've already made that shift into we need to
9:17 am
minimize our risk on the street. we need to find ways to move money. i think their infrastructures are in place, but it changes as law enforcement has successes, regulatory landscape changes. but they pay attention to it and have the same debate about it online amongst themselves that we are having here today. there's no doubt that they outlive that. so i think they've made good progress in setting themselves up for the future, unfortunately. >> and, andy, just for those that don't know e-gold, can you briefly explain what you referred to with e-gold? >> e-gold was a digital currency where it was bound i think to the gold, and so basically created an environment where you could move money and had a real value in this digital form, and so it didn't have a know your customer procedure and regulatory -- from banking regulatory perspective, so that was a way for us -- and we could prove or at least law enforcement could prove that,
9:18 am
you know, the percentage of transactions that went through there was predominantly used by fraudulent activity. >> i think that -- i think we're saying credit card fraud is going to slowly find its way out and other things will come. i think we're saying, and i'm interested to hear what everybody thinks, it's really consumer personal information that's the value that we're worried about now. and is that true? is it more than just a credit card information, your name, where you live, your social security number, your medical history. is that more valuable than just credit card information? >> that's really tough stuff to monetize mostly. >> it's sensitive, it's personal, but until there's like a good monetization path, i don't think it will be a threat. well, what we do know is criminals will find the monetization path before we will. >> you brought up something interesting about social security number, okay? five, ten years ago, perhaps still today, the notion that
9:19 am
everybody who knows my social security number is therefore me has been a standard in the world of finance, and it's an absurd idea given how many times we have to give out your social security number, how many poorly protected systems it sits on, okay? maybe the problem isn't the data. maybe the problem is the level of authentication that we give data -- the possession of data when we shouldn't. maybe the problem is in the transaction. i mean -- said enough. >> if you look at the data breach report we produce, what was it last year we looked at just over 63,000 security incidents, just over 1,300 data breaches from 50 participants in 95 countries, and i think when you look at it consistently year-over-year, even as the data breach report has evolved, two-factor authentication becomes a major issue. most folks i think -- 90-plus percent of all things we see would be resolved by leveraging
9:20 am
authentication. >> which is getting easy with near field communications, much easier. >> so we've now reached 2020, and i want to talk about what cyber crime looks like in 2020. so dino, what does it take to be a cyber criminal in 2020? do i need a computer science degree? >> well, either that or from any accredited cyber crime university. one thing that's differentiated cyber crime from a lot of other fields is a lot of the skills can be learned in the underground and can be learned just through those networks, and so computer science degrees haven't been necessary. we've seen throughout the technology field that a lot -- there's a lot of self-taught people who have been able to do everything they need, but i don't think criminals will need computer science degrees because the level of sophistication of cyber crime has traditionally
9:21 am
been more opportunistic than specialist. so if -- you know, from where i sit doing network tests for clients and things like that in my career, though as a practitioner in the security field, generally used methods more sophisticated than we've seen cyber crime use. i have watched as they caught up. we kind of feel a little bit like we've been warning everybody because we've been able to get in and we always get in and somebody else is going to eventually, too. i think that's going to be a constant. if, you know, cyber criminals just use -- they're on a different tier. there will be different targets, unexpected targets, and i think that's where the quote, unquote innovation will come is figuring out how to monetize information we started collecting. kind of take a step back to what rick was saying about other information that we have. we now have our smartphones collecting our health information. we have them collecting our like -- my phone now collects my
9:22 am
footsteps, tells me how many steps i have walked in a day. i don't think there's a way to monetize this, but we're going to -- >> i definitely want that. >> i'll hand it to you freely for $1. >> for $1. >> my data comes cheap. but, you know, as we start having these more connected devices, we will start collecting more and more data. some manufacturers will put all that data in the cloud and data in aggregate always has more value than data dispersed to the end points because collecting data is more labor intensive so it has to be a lot more valuable to make it worth the effort. that's what i think we're going to see play out. what information that could be monetized will be aggregated and those will become the new targets. >> there's cyber crime all over the world. the bulk of the practitioners seem to be in eastern europe and there's good reasons for that but i would like to throw out to this group is that we're still
9:23 am
going to be. it's in eastern europe for lots of reasons because of legal reasons that they can kind of operate there freely. it's also there because there's a lot of really smart people in that area of the world who are trained at some of the best universities in the world and didn't have a job to go to. but does it stay in eastern europe is the preponderance. i'm not sure. >> i think with the russian speaking infrastructure that we're describing is -- they've embraced a discipline to their craft, right? and i don't think that discipline has made its way -- permeated its way around the world, right? and i think -- but they are, a,
9:24 am
harder to access unless they want you to access it and, b, i think the mindset hasn't permeated itself around the world yet. so it's going to be -- i think they will continue to thrive and i think what will be interesting as we look at it is i have no doubt that they're looking at the r&d of the future because they will be the ones that will continue to drive the economy of cyber crime around the world whether it's setting price, providing the infrastructure.
9:25 am
we talked a little bit about disorderly conduct if i'm a hacker here in the u.s. and i hack into a database and i'll have access to all these types of data. first question you ask is what do i do with it now? well, they don't ask that question, right? they know exactly how they can move that data to monetize it. it's almost as if at times they hack for hire because they have the pipeline, but at times they hack but they don't know who they're victimizing. they're looking for the types of data they know they can monetize or have the infrastructure to facilitate the monetization of that data very quickly. we see that when the e-mail service provider industry was being attacked years ago, we saw phishing and spam increase immediately. it's that -- having the infrastructure to permeate the crimes that you want to commit, that you know you're going to be able to monetize quickly and i don't think other groups are as organized as the russian speaking bad guys we deal with. >> my answer to your question
9:26 am
would be it depends on global economic shifts. why i think eastern europe is the center of cyber crime is partially network effect and also the internet is a -- makes everyone a target equally like globally, so you can target someone across the world just as easy as you can target someone nearby, and also they don't have a silicon valley. so the reason silicon valley works is the network effect of investors and companies and talent, and so they have a similar business network there, and so if -- so that is a draw, although criminal, and if there's a rich technology industry nearby for people with those interests, that is -- even at lower pay will be a stronger draw than the criminal underworld. >> a small story here. about six months ago or thereabouts the united states persuaded a russian hacker to take his vacation in the maldives at which point because we had an extradition treaty with the maldives the hacker was apprehended.
9:27 am
so here is the question. vladimir putin reacted to this, a, by saying this is a great victory for cyber security or, b, putting out a list of countries where russians shouldn't travel to? as long as he is in charge in russia or more broadly as long as that attitude is in charge in russia and other countries, it's going to be hard to make progress against this. what is criminal is often political, and it's russia's decreasing desire to see themselves identified as part of the west that has many ramifications and this being one of them, okay? in brazil, which as you point out has a lot of talented hackers, what's going to be important is the extent to which brazil sees themselves as cooperating with the west which i think they do now, but in 2020 a lot of weird things can take
9:28 am
place. >> so one thing that we've talked about a bit was what crimes are going to be committed or are going to be driven to a large degree what i'm hearing by a financial motivation and we talked about the difficulty of monetizing certain types of crime. so, martin, i wonder what the research is showing about what's happened so far about what types of crimes we might expect going into the future. >> well, i think ransomware is going to be big, and i agree, i think it's going to become larger. when you realize that rough order magnitude one-third to one-half of all computers in this world sport malware, it's a wonder that so little of that ransomware type of crime has taken place. we're seeing, and this isn't criminal, but we're seeing a trend towards bricking a lot of computers. our good friends in iran and north korea seem to be enjoying this quite a bit. and this is one of those things that isn't done until it's done
9:29 am
and then everybody does it. it's one of those thought crimes. i think people -- you know, part of the problem of forecasting to 2020 is trying to figure out what innovations will take place in terms of monetizing information. about a week or so ago there was a report of a bunch of hackers who had gone after drug companies not for information about how to build drugs, which is actually fairly well patent protected, but to try to outguess the stock market because the success of drugs has a lot to do with, as you would imagine, the stock prices of firms, okay? i bet you that lit up a lot of lightbulbs and they may be looking for information on mergers and acquisitions is a big one but i'm sure there's a much larger list, okay? i predict in the next five years somebody will come up with an interesting way of monetizing information that none of us on the panel had a clue about. i just don't know what it is. >> or we'd be in that business.
9:30 am
>> i also think that we need to look at the rate of adoption of technology. we're all talking about innovation and where we're projecting technology to be but let's talk about what adoption really will be. it will be interesting to see how fast technology or technological advances and the innovations that we all make are adopted in everyday life that make it more valuable than what's currently out there. i think that will be interesting. we're only six years away or so to 2020, and so how fast will these innovations become mainstream to the point where the risk and the return on the investment of the threat after -- and i think we talked heavily about financially motivated attacks. but for you prosecuting cases you're looking at intent, motivation, and financial loss. whether it's stealing payment card data to convert to money or
9:31 am
if it's some sort of destruction that's occurred, some company has to put a dollar amount to the data that has been destroyed, right? so as we look at the evolution of cyber crime, i would say from a private industry perspective we need to start thinking about how can we articulate the impact to us in our business and started being able to put dollar figures or estimates to that because if -- it's easy to say a credit card is worth $500 in the system or whatever it is or whatever the fraud may be, but how much was that intellectual property that was destroyed, what was that worth to you and start thinking internally from a private sector perspective of what does that look like. data will be the currency going forward, and so -- not necessarily the currency but -- it's not necessarily going to be payment card data that they will monetize, it will be something else. what is the dollar figure or so that you need to put to it so you can -- you can go to mick and say i'm a victim of a crime. we know this bad guy intended to steal my data but how much was that worth to you?
9:32 am
>> if we shift, too, from not monetary based crime to maybe activism, okay? to cause the victim pain or denial of service attacks or putting their data on a private database. locking up their data is another tool an activist has. that's a scary proposition. >> it's almost time for me to turn it over to the audience so they can ask you some questions, but before i do that, i just want to give everybody a chance, we've talked about a lot of things that we think may happen. what's the one most important thing that we can do to be prepared for 2020? >> oh, man. >> let's start with you, rick. >> how to be prepared. symposiums like this are some of the most important things we can
9:33 am
do, all right. if you have this conversation with your family, okay, my wife rolls her eyes up in her head every time i talk about cyber crime. my mother-in-law thinks i'm an idiot. so we have to find ways to make these kind of conversations easy to understand for the normal person who doesn't think, you know, car internet connections are interesting. so having these conversations is a very important thing to do so i hope we continue to do that. >> how about you, dino? >> i would say keep your eye on the attacks that are like being demonstrated as part of research today because how it happens -- an attack that's demonstrated as possible by a researcher and saying, hey, this is a risk, those will often, not all of them, but often will become the widespread crimes, you know, five to ten years after, and there's earlier trends that -- like in my community there's a lot of people who would hack other white hat hackers because all -- everyone you know knows how to do these things, and those sorts of attacks that
9:34 am
just happen to us then start happening to celebrities and then this might happen to other people. there's a pipeline, a trend already, so i think that's somewhere where i personally look to see what's going to happen in ten years. >> i think -- i agree with both of the panelists so far but i think also continuing the awareness and getting more people to help demystify the problem, right? and using tools that are available from an educational perspective so not only as consumers are we informed about the technology we use but as business owners and leaders, that we can measure risk and understand the world around us and how does the world of cyber apply to us whether it's in your daily life or in our businesses because i think, you know, it's nice to talk about where the world would be and look everything at a global scale but at the end of the day we have to focus locally as well and look at how does it impact me and what can i do? having the education to inform the consumer in their personal
9:35 am
life but also executives, business decisions, lawmakers, and taking very complex, global, dynamic problem and having a platform to make the education possible so that the masses can consume it i think is important. >> and, martin? >> i will be a little contrary. let's say we had this panel 50 years ago and let's say you pointed out correctly that on average we have a 1 in 50 chance of ending our life as a result of a car accident, and then you pose the question to us, what should we do, right? we'd have a lot of interesting ideas on how to drive more safely. there's nobody who can't drive more safely. now fast forward to today. your chances of ending your life as a result of a car accident are four times lower in this country, roughly 1 in 200. is that because we were four times better drivers? and the answer is no. it's seat belts, it's interstate
9:36 am
highways, it's ems, a lot of different things. we solved or went 75% of the way to solving the traffic accident problem not through personal action, although personal action is important, we solved it systemically. we solved it as a country and, oh, by the way, we solved it by passing regulations. some of them were happy accidents of building the interstate highway system or probably the only happy accident from the vietnam war is we learned to do ems very well, but regardless, we solved it systemically. i have a colleague of mine who basically, one of his lines is don't blame my mother for the internet, okay? if we build a system where everybody has to be constantly aware and as sophisticated as we think we are here on this panel, right, you're not going to get there. you have to build a system made for average people so average people can get online and do average things and not worry so much as they do now. and trying to put this on the consumer is just not going to
9:37 am
work. >> i agree. the problem we have and we haven't been able to solve it is the tools we used to solve the car safety problem were to mandate seat belts and air bags and things like that, and lawmakers can't keep ahead of the internet because it changes so fast, right. so when they make a law today, it's not going to affect the problem we have tomorrow. we haven't come up with a good solution for that. i agree that we want consumer products to be better -- better protect our end user. if we can make it enticing for those people to build those things -- >> sometimes that happens by second order effect, for instance by not making consumers liable for fraudulent charges on their credit cards, you now shift that burden onto the financial system, and then it is in their financial interest to solve the problem. >> yeah. that's really good. >> we've reached the point where we want to invite the audience to come up and talk with the panel. we do have microphones out in the audience.
9:38 am
we do ask people queue up at the microphones so everybody can hear the questions. we already have our first ones. >> so to put this on a concrete example, the sony hack, it's probably the biggest thing in the news right now. it's hacktivist and data has been released. how much do you subscribe it could be retribution from north korea? >> well, so i'm guessing that nobody here has personal experience with the sony hack and i'm going to think that you're probably not going to be able to speak directly to that, but maybe we can speak a little bit more broadly about what large data holders are facing on the internet today and the threat they may be extorted or otherwise -- >> okay. it is different okay.
9:39 am
so one of the things they did was they sent a message on every -- not every but a lot of employees' computer screens locking it up and saying you need to pay the ransom by such and such a time or you'll never get your data again. that's made for tv operations. that's pretty innovative how they did it. and i will address the do we think it's the north koreans. one of our -- our community is really bad about this because we want to blame some higher power that has all these advanced capabilities. we like to blame china, russia, now we're going to blame north korea. it may be true but we don't know, and it's just speculation at this point. but it seems to be that our industry has said, well, because these people are so powerful, there's no way i could have defended against those guys. i fundamentally disagree with that. one of the things we are bad at in our industry is just doing basic blocking and tackling, all right? i've been around the world this year talking to security people, and everyone to a man and woman admits that, geez, you know,
9:40 am
they hadn't really configured that device that he bought last year for a gazillion dollars correctly to do what we thought it should do in the first place. they haven't spent the time to do that. i believe we can be much better. we need to make it harder for hackers to get in. >> and the question that i want to answer about this is i have seen people remark with wonder at the private data being released from the sony breach, and that sony had that data accessible but in my experience, that's not really materially different from any company of that size, and we just don't have the tools to protect employees' data, to protect data on a large corporate network so if someone is able to get in and wants to deliver the pound of hurt that these people did to sony, they could do similar things to any company. >> so i just want to ask one follow-up. so i have seen some criticism that perhaps there were some weak passwords being used in that data breach. are we going to still be using
9:41 am
passwords in 2020? is that a realistic security mechanism to keep us safe? >> i think we're still using passwords by 2020, right? i don't see them going away. >> i'd like to think we'd have a greater shift towards two factor or something different, but i think it's still going to be used. >> and by two factor what do you mean by that? >> take multiple forms. we spend a lot of time -- look, we all have mobile devices. i'm looking over the crowd everyone has a cell phone sitting there. being able to leverage data to do the analytics, and i think one of the things that's interesting about what we're talking about in the space is we're talking about the amounts of data that are going to be created but i also think to some extent it's a big data solution that helps -- big data analytics that helps solve the big data problem. the more data being generated -- that can be stolen can also be leveraged to do analytics, to protect us. so i think it's important and
9:42 am
that could be preventing fraud, it could be for authentication purposes. >> this is one of my pet peeves. we make it so hard to do these kinds of things. to turn two factor authentication on on facebook -- how many people are using facebook? no one is going to admit. good. how many of you turn two factor authentication on on facebook? because it's hard. you don't even understand it. and i tried to explain that to my mother-in-law. she doesn't want to talk about that stuff. so we have to rely on the people that make the software to make it easy for us to be more secure. >> right. and that's another example of what i think martin raised: we push that effort onto the consumer whereas we could use things like machine learning to identify your login patterns and say hey, you don't usually log in from like south korea at 3:00 in the morning u.s. time. that seems kind of weird. why don't we ask you for a two factor now and every other time not because you're logging in from home, from your computer during normal times.
9:43 am
these are not, you know, computer science hard problems. >> i think we've got another question coming. >> dino, first of all i think the judge would appreciate your economic analysis to solving the situation, but going back to something you said earlier, martin, was with regard to sometimes law is political. what is legal is political, and i think in some certain instances that is true, what's free speech here is not necessarily the same thing in europe even, but theft is theft. stealing is stealing. and at least when it was tangible devices, they at least had to make it to the extradition country -- or not extradition country to escape prosecution, but now they can just start in that nonextradition country. what can the state department, what can the department of justice, what can our u.s. infrastructure do to kind of
9:44 am
leverage and push these countries into extraditing these criminals back to the u.s. for prosecution? >> glen just started off with theft is theft because there's such a thing as copyright, okay? if i -- a book made in 1930, if it was made in 1920, i haven't. the structure of the law reflects the policy of our copyright. the question you asked is how do we put -- not to put too fine a point on it, how do we put pressure on the chinese to stop stealing our intellectual property. the first thing we have to do is figure out what we're losing to them, okay? i find it ironic that the people who spend the most time complaining about the chinese are in the department of defense and when you go over to the department of the treasury, they pay lip service to that but they're really more interested in selling to the chinese our treasury bills, okay? we have a very complicated relationship with china, and we have to make a wise choice as to
9:45 am
where we put that kind of pressure in vis-a-vis everything else. and i was a little surprised that when i was at the summit in may 2013, that was number one. there was news it was going to be number one at the most recent summit but they ended up with an environmental deal which probably was not a bad allocation of resources. but let me at the risk of being wrong, which is a risk i take every day, i assure you, i'm not sure the chinese have the interest in intellectual property that we thought they did, okay? somebody correct me if i'm wrong, and i'm sure one of you will so i'll stay after for the necessary correction, but when i took a look at the department of justice's listing of what the chinese had taken, almost all of it, perhaps 100% depending on your interpretation, was what i would call business proprietary data, relatively short-term information that the chinese could use either in a political,
9:46 am
legal, or business negotiations vis-a-vis the people they took from, okay? the amount of stuff which could be clearly intellectual property was not very high on the list. now, i asked myself why that was so. there are three answers. one is that it's just a statistical artifact. there were five or six companies in western pennsylvania which in all deference to my friends from there is not the most innovative part of the united states so they didn't have a lot of innovation to steal. another possibility is, in fact, they stole it and the department of justice didn't want to talk about it. and the third possibility is, in fact, that the chinese have stolen so much intellectual property that they don't know what to do with that that's not what they're interested in anymore. that's an empirical question. i don't know the answer to that one. but those are the questions we have to think through before we make a political issue with the chinese and put other things at risk to gain that, and it might be a good idea and it might be a bad idea but we have to think it through. >> i like your question -- go ahead. i'm sorry. >> i think the u.s. attorney
9:47 am
from the western district of pennsylvania is going to disagree with you later today. i think these are interesting questions that could be a whole symposium of their own, in fact, i think there are several. i want to refocus this on the criminal threats we're facing instead of more generally on the geopolitical environment. so if we can go ahead and move onto the next question. >> can i address that one thing? i was on a panel yesterday and we were talking about general corruption in the world and should we care about that? the u.s. has a mixed review on that. we think stealing is bad but then we support countries with monetary gifts because we like what they're doing. should that be even a thing we talk about? because what you said is theft is theft, okay? it's illegal, immoral, all that stuff and what incentives can we bring that country to bring it closer to what we think it should be in the world? and that's a big question that we haven't even scratched the surface on that yet. >> let me follow up to that,
9:48 am
rick. so what i think is interesting and we're talking about the geopolitical landscape but at the end of the day there's a human aspect to this, right? you know, if i'm a citizen in another country and i want to travel and i have the ability to travel, i'm going to travel. that's how it's going to be. and unless the government prohibits me from doing so, fine. but if you look at the actions that law enforcement in the united states and the relationships they have built around the world and myself having been fortunate enough to play that role for the u.s. government was building those relationships and partnerships globally with international law enforcement to learn from them but to also empower them as much as they have empowered us. and we saw cooperation and i think we still do. it's why you see more arrests happening around the world. the frequency of arrests. i think what gets lost is it's actually happening. it may not be happening -- it may not be changing laws in another country necessarily, but the actual operational or tactical mission is moving
9:49 am
forward, and you're seeing more arrests frequently from transnational cyber criminals than you ever have before. i think what gets lost in the translation sometimes is we as a general public don't understand the impact those arrests have. we don't have real good perspective on if we arrested that one person or those five people somewhere in the world, who they really were in the ecosystem of cyber crime and the impact that those arrests had in the underground and the evolution of where things have to evolve to for them. like i said before, i can map specific law enforcement actions and arrests to changes in data breach statistics at a global scale, so there are -- the efforts that are being taken with international law enforcement are definitely growing, definitely impactful, and are having, you know, a lot of impact that people don't realize. >> so this goes to the financially motivated data breaches. what do you think the private
9:50 am
industry will recognize that they are incapable of protecting static data? the internet's genesis was sharing, and you can't have sharing without criminals exploiting that. and we built this entire system on that foundation, which is crumbling. j.p. morgan chase, they're not a retailer, 250 million in data security. they got hacked. so when will industry focus not so much on trying to protect the data, you cannot build a castle big enough or strong enough to keep out the theft. when are they going to focus on how the data is used in transacting basis. one is locked up for 20 years, but probably will be out in 2020. he's off the streets. but there was not a lack of people going back into this. at the time, it was open wi-fi. you know, payment data was
9:51 am
encrypted but in transit data wasn't. it's encrypted now. what do we have? we have ram malware. even after target, home depot knew about this. it was in the papers. they got hacked and didn't know about it from april to august. so, you know, andrew is now with the wireless company. you don't need two factor authentication. in the '90s they wanted us -- wanted the government to prosecute the access devices. they got the legislation, that didn't do that, so what did the industry do? they encrypted the identifier, built a system and why if my phone is uniquely protected, better than me, why can't industry protect me and my identity?
9:52 am
>> so how i'd like to answer that question is you'll start to see it in -- first in small pieces. and then a large -- a larger movement. so what to look for are technology companies who are opting not to collect data. and maybe it's the perception of extra work, there's no way to monetize it. the example that comes to my mind first is apple pay. one of the unique things about apple pay compared to similar things like google wallet, the transaction data doesn't go through apple. all that data is not something they need to protect, it's not aggregated on their systems it is just pushed out. if we see this, more companies are seeing collecting data that might be sensitive as a potential liability, as a cost they have to -- as their responsibility to protect it. so they take actions and design to not collect it or to encrypt it on the client system, like on the phone or the web browser before they receive it. then we'll start to see them being able to reduce their costs
9:53 am
there. that's what i'd keep my eye on to see if it's happening. >> hi, my name is tonya, i'm with the national intelligence council. my question has to do with the actors, the cyber criminals. i'm currently involved in an effort with experts from both the transnational cybercrime communities, looking at cybercrime in the broader context of the transnational organized crime which is becoming flatter, less networked and more adaptive. and so we talked to some folks in the cyber community who will say that cyber criminals are not quote/unquote organized. they're very specialized. they come together in very ad hoc ways for certain activities and disperse and can't be understood as organizations. but i also hear you and others speak about the consolidated marketplaces, the customer service. the business models. their methods of operating. so would you speak a little
9:54 am
bit about how you look at the actors and their evolution going forward. >> martin, i think you addressed these topics in the hackers' bazaar. >> we did. and i think your observations are correct. that organizations overall are starting to look more networked. and thus, i can imagine organizations of cyber criminals are going to look more networked. one of the things -- you know, oftentimes a dog that doesn't bark looks interesting and one of the things we found interesting about the underground markets is we didn't see much traffic in intellectual property and we didn't see much traffic in powerful zero day tools. i think in both of these industries it's a bespoke market and you have to bespoke things in a different way than you handle mass items. >> i'd like to address what we call it thing because when we -- again, i'm going to bring my
9:55 am
mother-in-law up here. she's thinking of the godfather and that's not what is going on here. it is a loosely connected group of federated specialists. it's like lincoln logs, it's a bunch of loosely connected actors. so getting away from the godfather metaphor and just talking about organized crime that way. >> yeah, i think -- you know, i think the connection is trust, right? and credibility within their space. i think, you know, ms. caldwell spoke about the cash out crews that exist. you have a hacker who hacks into the bank who takes away security controls. creates accounts and inflates limits and then tells their partners around the world, who they never met and don't know in real life, here is the information you need to go to the atm, take out all that money and you physically have the money in your possession. but you have -- you're working for or with a group of people
9:56 am
you don't know, you have the money in your hand. how does the hacker benefit from you the cyber criminal having that money in your hand? well, you have to send me the money, right, you have to send the -- the bad guy has to send the money to the hacker. if they don't, they're going to complain to everyone else they're working with that one person who took the physical money out of the atm didn't hold up their end of the bargain and they're out of the picture. they have to reinvent themselves under another nickname, but they will be cut because they're not trusted. right? i think that's the piece of this, when you start to talk about organized they're committing crimes that are highly sophisticated because they're based on trust. attack methodology may not be sophisticated but at the end of the day they're -- the discipline that they apply to their craft and the trust that's embedded in the community is similar to what an organized crime group would have to earn and maintain.
9:57 am
if that makes sense. >> so recognizing that, we have only one person here who's former law enforcement to their former government. what does that mean for law enforcement? the godfather model was you work your way up the chain, but your ultimate goal is taking out the top. in a different structure for organized crime today, where does the focus need to be to have the greatest impact? >> i think the goals for commercial relations like mine, i want to stop pain. right? so because of that, i like the microsoft model. go after the infrastructure. i don't really care if i arrest somebody. but i dismantle their ability to do it and do it quickly. i would like to see a lot more resources thrown at that and make it really hard for organized crime organizations to do what they do. i would like to see that. >> from a -- >> so do we have one more from
9:58 am
the audience? >> i'm a local researcher. nevertheless, talking about the godfather model, so many of your remarks really led into that model because over and over you talk about east european criminality, russian, working language. now, clearly these east european mobs from the standpoint of just criminal organizations have been there for decades. i mean, some of the people are extremely famous. in fact, the top head of the head -- was arrested in russia. so i don't know what that says about putin. so are you -- i'm still unclear how you want to do that because within the u.s. for example, you said organized crime unit, you know, tried to take on the mafia in the u.s. at some point. you have organizational charts here so presumably decades from now you'll have that same
9:59 am
criminal organization as you -- you know, and now they have adapted themselves or gotten into the lucrative cyber room. so again, maybe we'll hear more about this today. are you just going to accept the existence of that organized crime so to speak or -- and try just to take down people individually without addressing the organized culture? >> a great question. so let me try to clarify. organized crime does exist and they do elaborate cybercrime as one of the things, but they used lots of things to make money. right? but when we associate organized crime to cyber and when i talked to normal people, they assume, you know, some godfather who was really good technically has a big organization that does this and that's not really the way. >> take the example of max butler. he tried to be that and it didn't work, right? criminals realize that. max got arrested because the people that he e -- even though
10:00 am
he -- they had the whole undercover operation with darkmarket run out of pittsburgh, that didn't matter. people got arrested in his crew in los angeles and they rolled and they knew him personally and where his operation was in california. they brought us to him. right? so that model doesn't work in this space entirely because -- and you have with the internet, you have the ability to take away the human interaction which minimizes your risk. language is a barrier, a countermeasure, right? we talk about russians and threat actors, but if i don't speak russian, potentially that could be a countermeasure that russian speaking criminals could use to alleviate anybody from accessing their infrastructure. and having access to the things they do i think it's important to, you know, when you talk about the organized crime model, right, in this space they have tried it. people have tried it and it doesn't always work. >> well, we have reached the
CSPAN3. Uploaded by TV Archive on