tv Politics Public Policy Today CSPAN December 19, 2014 5:00pm-7:00pm EST
5:01 pm
>> that would take an act of the united states congress. despite protestations, the reality is there has been a creation of a class here. i would like to say those five criteria are the criteria for determining class, not the individual discretion as to whether or not somebody would be admitted. that rests completely with the agency. >> they advised him morally and actually put it in writing, which i thought was interesting. how is that case by case?
5:02 pm
>> the structure does not allow for government by executive action only. it requires statutory action period. especially on an issue like this if regulation, not the obama administration have determined individuals who have deferred actions, that is 2748.12 subsection c-14 say individuals who have deferred action.
5:03 pm
>> once they get work authorization. >> and they would not have been eligible for that but for the president's actions. >> the problem with the obama care thing is yeah there is not going to be subsidies but they are exempt. if you have a naturalized u.s. citizen applying for a job versus somebody who is illegally in the country, that business, actually, it's about a $3,000 discount to hire the person who is here illegally over the person who is a u.s. citizen even if they are naturalized.
5:04 pm
it seems to me what the president is doing is he is driving a wedge between illegal and legal immigrants. >> thank you. i have not asked my questions. i am going to ask you if you care to respond to my question in writing. it doesn't have to be that long, any of i have to switch gears here. i want to know what congress can do to have the united states supreme court hear argument on or give parameters a ruling on executive orders, executive privilege. i know we can sue the president no matter who it is on a case by case basis. it is a political issue, procedural issue and i'm just hoping that sometime perhaps the supreme court will take that executive order
5:05 pm
or authority with regard to what we've been seeing with regard to republican and democrat presidents. i would love to read it. this concludes today's hearing. we thank all of our witnesses for joining us. i thank you for all being so patient. this hearing is adjourned. thank you. >> thank you. >> before heading to his holiday vacation, president obama held a year end news conference this afternoon saying that sony erred in choosing not to release the movie, the interview. you can see all of that on
5:06 pm
c-span.org. >> let's talk about the specifics of what we know, the fbi announced today that north korea engaged in this attack. they decided to have this statement out, an all out assault on a movie studio because of a satire movie starring seth rogen and james franco. i love seth. and i love james. but the notion that that was a threat? they caused a lot of damage and we will respond. we will respond proportionately and in a place and time and
5:07 pm
5:09 pm
5:10 pm
in 2008 he was named one of the 15 most influential people in security. and finally we have rick howard, the chief security officer from palo alto networks chls including two years as the chief of the army's computer emergency response team. please welcome our panel. [ applause ] >> we will talk about the future of cyber crime. i want to start us out by talking about where we are today. so andy, why don't you start us out with what cyber crime looks like today. >> thanks for letting us spend the next hour with us today. it has been fun.
5:11 pm
hopefully we will have a nice discussion today. from my perspective, cyber crime is filled with a bunch of entrepreneurial-minded criminals in a global business that harness and leverage their resources in a collaborative manner for the mission sets depending on their goals whether it's political or not. it's a dynamic evolving environment that is growing and i think what gets overlooked in the space is that they are well-informed on the privacy landscape and the regulatory environments of which their businesses operate globally. i think that's important and they also pay close attention to what law enforcement does. they learn from the lessons that those that have fallen before them. as it evolves in growing and as technology is enabling us to interconnect and to enjoy the way we live and take advantage
5:12 pm
of the benefits in the space of the cyber crime that will evolve with that. i'm looking if order to see where we as a panel or a group feel like this will look like in the future. >> and martin, we have seen the biggest data breaches to date happening this year. we are seeing millions and tens of millions of customer records being taken. what possible use could cyber criminals be putting to all of the data they are taking. >> we know that the data that has been taken from places like target and home goods, particularly target have been converted into cards and for which people actually withdrew money.
5:13 pm
actually in this case i can say i was a victim of one of those things. when i got a call from the bank noticing there were three grocery store purchases that were made on that behalf. fortunately the bank was good enough after about four or five interactions to take the money off the account. this was the way they had of converting the data into the transfer the goods. that typically has been a funneling issue in the world of cyber crime. in other words, in order to make money from stealing that information, you have to transfer information. you have to transfer money and then you have to somehow find a way of taking the money out of the banking system. it is the last two that criminals have become efficient. i think about 6 to 10 years ago, there was a data breach at
5:14 pm
5:15 pm
efficiency to which criminals can take information and convert it to money. >> and how are cyber criminals doing. systems breach, they were systematically going through the largest retailers and the largest payment processors, investigating which point of sales and infrastructures they use and targeting them and using those that were considered tools of sophisticated testers and researchers. a wireless attack of weaknesses and wireless networks. this group was able to use that to breach the network of retailers and then compromise their internal systems and from looking at a variety of internal networks and things like that over my career, a lot of us and a lot of defenses are hard on
5:16 pm
the outside, soft on the inside. once you are on the inside, you can bounce around a lot and we are still seeing this today and all of the breaches you read about in the news. >> so rick, how did we get here. >> that's a great question. i have been working on the project called cyber security canon project. it's a list of books that we think that all practitioners should read so they know their craft. the three books that deal with cyber crime that i would like to point out is the first called fatal system error that covers from 1995 to 2007. the first use of distributed service attacks and extortion. the first successes from the british unit of arresting early
5:17 pm
hackers. the second one is spam nation. it's fantastic and you have real deep insight about the business operations of criminal organizations doing this. he is fantastic. you want to get the nuts and bolts of how they do their business. it's an intricate look at that. the hero that comes out of brian's book is microsoft and about them taking on the infrastructure and legally to take them off line. that's an interesting read. my favorite is kevin's kingpin. it covers from about 2006 to
5:18 pm
2007. the hacker by the name of max butler. he has a fantastic story and it will make a great movie. his transition from white hat to black hat is really interesting. his claim to fame is that there were about four or five main underground forums where the bad guys were selling credit cards and he didn't like the way he was operating. the way he did it was a marathon session of hacking where they took down all of those websites with the criminals using. he took control of the data and put them on his own forum and put a banner across the four websites saying i am the kingpin. come o. that's awesome. if he was a good guy, we would be going up and high-fiving everybody. his downfall was that he hooked one of the sites that was infiltrated. his famous story. the agent had moved up in the ranks of that underground forum and was the administrator of that website. he kept meticulous back ups and he was able to come out quickly because of the others and figured out who max butler was. that was a of the history of how we got here. >> i wanted to ask you a question about max. that's an interesting story. i was familiar with max vision, was his name at the time. the late 90s or 2000s.
5:19 pm
if i recall, he was -- he wrote a dns through the vulnerability and it would just attack a bunch of open systems that would have vulnerability and one of the things he did, he would fix them, but he left a backdoor for himself just in case. i think he went to jail for that. he went to jail for that and when he came out, he started the credit card hacking.
5:20 pm
>> that's right. they are just making a living wage. stealing the credit card information is relatively easy compared to converting that into money. in max's story, how they were doing it, they had a whole credit card set up system in california. they would steal information and put it on blank plastic and hire young ladies and give them credit cards. they would go to high end retail and sell it on ebay and make money. that was an 80 hour workweek. that's not an easy way to make a million dollars. >> we talked about the infrastructure and the top tier criminals helps prosecutors and coordinate the investigations with federal law enforcement. those were the top tier cyber criminals in the world that drive the economy. we highlighted a couple here. at the end of the day, max was in prison. every major data breach, there was street level component. somebody knows somebody and eventually to a hacker or a vendor of that data. one of the things with my time in law enforcement, especially during the 2008 breaches and
5:21 pm
heartland systems being one of them. when you put a face to cyber crime, it changes the perspective. companies and regulators and legislators didn't have a good understanding of what is cyber security and what is cyber crime. we hear about the victims and consumer impacts, but we don't truly have a good understanding of who is behind it. the work that is being done today over the last few years has really increasingly become more successful. there impacts that are having. every major crime that we read about, we call data breach, but every crime has a bad actor who lives somewhere and interacts with people. i think we focus heavily on the heck technology aspect of it and talk about cloud and mobility and big data and analytics.
5:22 pm
at the end of the day the things we do in security and the evolution of the cyber criminals, some of these guys, the ones we really care about at the top tier level that drive the economy are the ones that outlive the technology. they find a way to do their mission, to make money, whatever it is they want to do regardless of what is in place. and it's understanding the motivation behind those. i would argue some of the differences between the cyber criminals today at least domestically in the u.s. versus a max butler is that some of them had access to the structure that drives cyber crime. it's in other parts of the world as well, but we talk about financially-motivated attackers, the driving of that infrastructure is well protected and coordinated and they move it where they need to based upon the landscape.
5:23 pm
so u.s. hackers having access to that, to be able to monetize the information they steal very quickly is becoming more and more limited due to the successes of law enforcement around the world. it's important to highlight two things, one, law enforcement is having success in this space. there has an impact. year over year, we see
5:24 pm
statistics that i could map back to law enforcement successes, whether it was using pacts back in 2007, to switching to malware and going from central databases of credit card data to targeting point of sale terminals around the world and harnessing that information in more of an automated, scripted, opportunistic way. the impacts of law enforcement and the prosecution of these folks has an impact. in your work, highlight that effort. highlight the fact that we are making progressive steps towards winning the fight. however, we need to consistently work on getting there. >> i want to talk about the trends. what are some of the trends you're seeing today that are going to be important for us in 2020. why don't we start with you this time, martin. >> we're seeing a trend towards more consolidation, a more efficient market. we're seeing a trend towards a use of computers in the sense they control more and more things, more and more connections among them. if you take a look at the trend lines with the exception of law enforcement it looks like the world is getting worse. but i want to point out something that gets us beyond the world of crime and
5:25 pm
punishment. we have erected architecture based on computers that easily change their instruction sets. when people talk about malware, they are talking about a hacker's ability to persuade your computer to run their instructions. and in most cases, those instructions have been placed into your computer for the computer to run. some of them are realtime. in many ways, this is an artifact of the way we built computers 30 years ago when we thought we were in an innocent world in withe want the to be open to third party software. the computers used an architecture vastly different than any other device around. the result is you get to the
5:26 pm
year 2014 is that you have a great deal of malware and it's implicated in most of it. in a world in which we don't have to have an architecture that works that way. so the question is how bad do things have to get before people start either forwards or backwards, depending on your perspective, to make this crime very difficult to do. there was a series of articles in "the new york times" and of course, they want to push forward. there's an argument to be made in some cases you want to turn the technology backwards, but the question is when do we reach that point.
5:27 pm
as bad as things are, i don't think we have reached that point yet. in other words, i think things are going to have to get a lot worse before they get better. we raised, i think we're at that point already and we have been for a few years if you look closely. so in smart phones, we have two leading platforms made these different choices. so for instance what you talk about technically is code or code signing. and on apple's platforms, neither of these are allowed technologically. it's built into the architecture that all software has to be signed and approved by apple. whereas on android-based devices, it's a more open environment and you can run arbitrary software. software can modify itself like a traditional computer system. and we have seen very different
5:28 pm
stories about malware on different platforms. what's going to be interesting to see over the next six years as we go to 2020, so if you think about it, six years ago, very few people had smart phones. that's a last six years thing. the next six years, what are the devices that people have right now that everyone is going to have in 2020. so maybe they connect devices in
5:29 pm
our home like a nest, all these things. maybe a smart air conditioner. maybe that's what we'll have then. which of these platforms are learning these lessons from smart phones of how open they want to be with what software they run. do they want to use the existing open model or a more locked down model. that will have an effect on the crime we see. >> i want to get some of the other panelists' thoughts on both the term that is really taking hold is the internet of things that we're going to have more and more devices connected to the internet, things never connected before. but i want to start with the closed versus open platform. we have seen two different models in the smart phone market. which of those models do you
5:30 pm
think from a consumer perspective and from a crime perspective is more likely to take hold going forward on the internet side of things. >> technicians love the apple product because it's shiny and smooth and looks cool and looks like you know what you're doing. so the guys will go for an apple product because it makes us look smarter. consumers. the cheaper but fancier things so they are going to buy the open environment if it's a cheaper product. right now, i believe it is. i don't see us changing any time soon. i agree with you that the apple line is a smarter approach, but i don't see the world going to that approach in the next ten years. >> open and closed, if you run on the premise that the consumer is going to make a decision based on price and that the open is cheaper, let me throw a couple statistics. today more than 2.1 billion consume to service for the 40% annual growth rate. global ip traffic has quadrupled over the last five years and grows 20% a year. by 2017 mobile devices will
5:31 pm
originate more internet traffic than wired devices with mobile data growing by 66% a year. if we operate under the premise that an open solution is more adoptable by the consumer, more data is 66% growth rate and mobile traffic will exceed wire traffic opens more security holes. but then it's bring your own device and continues to involve. >> i think the technology is looming right now that we need to pay attention to. as we wire up your cars as the high-tech models come in, there's a box on your desk that you can get that you can do facebook and all that stuff and the computer manufacturers are great engineers, but they are not security engineers. so if you go back to the clock and look at application that we all use like microsoft and all that stuff, those guys know how to program securely and they still have issues. now software from car manufacturers who have no idea
5:32 pm
how to do this and we need to start thinking about this, it's kind of scary. there's one manufacturer now who put his onboard computer runs brakes and airbag the same as it does pandora. it's can't imagine what a service attack will do and pandora stops and airbag stops. that's the technology that's looming right now. >> rick answered my question of what connected devices will all have. is it obvious that i live in new york city and forget that cars exist. you mention the price difference for android versus apple products. there's been virtually none on apple products and all the mobile malware has been on android devices. are the higher end manufacturers going to build -- invest the resources to lock down the infrastructure. and on the lower end models will have the malware problems.
5:33 pm
>> there's one truth in the industry that no consumer pays for security. there's no money in it. you don't even know if it's working, that's why you won't pay for it. it's a well designed machine. so let me jump in. >> five years ago when you had these mac and pc commercials, mac advertised that it was more virus free. you can have a nice argument, but basically there's not a difference between the two. when you have the apple ios versus the android where there is a huge difference, apple
5:34 pm
isn't advertising that. that gets to the point that if we really were at a point of crisis. but the consumer hasn't felt that crisis yet. in terms of cars, there's a much different dynamic at work and that's called the federal government. start thinking about what the recalls look like when you start having security issues and safety issues and think of the car makers basically saying, wouldn't it be nice if
5:35 pm
we could fix all the recalls remotely so you didn't have to bring in your car. which opens you up to remote code changing which kind of gets you back to the circle again. >> which we're already seeing. there's a car manufacturer that's relatively recent, thinks of itself as a silicon valley company, tesla. and they have done remote updates over the air updates, as they call
5:36 pm
it. is that a good idea. are we ready to have our brakes connected to the internet. >> how did the average consumer who is buying a car, how do they make an informed decision about the level of safety of the facilities. i want to come back to safety versus security later. martin is raising all my favorite points. i swear i didn't plant him. we don't have that for software security or cyber security. so how is the average consumer supposed to know the risk of tesla's remote update versus some other system that may be better or may be worse. >> i'd like to try to drag this back to the topic. these are all interesting things, but how does a cyber criminal take advantage of the internet of things. where that happens is now there's way more places for them to insert themselves to collect your data. so if you're going to be operating out of your car and that's your internet access point from now on, that's the new place for criminals to insert themselves. >> and is that going to be the business model.
5:37 pm
is that stealing your data or is it something else? we heard the attorney general talk about ransomware. is that something we should be worried about. i need to worry that my refrigerator is going to be hacked and i have to pay to save my meat in my freezer. >> i think so. i'll find network storage devices. so i think that's a business model that's going to scale. especially as we get increasing control over a lot of payments fraud and traditional cyber crime business models. cyber crime is like a business.
5:38 pm
i think of them as entrepreneurs with a slightly increased appetite for legal risk. like any other business, they are only going to shift market when is a new market is -- they have better returns or the existing market that they have to look for new business so the example of a car like ransom of your car, if the price is low enough and you can pay with bitcoin and you want to get to work and your car doesn't start, fine, here's $20, let me go. that might be a thing. >> can we talk about that. that's really interesting and comes out in the book. their business process is heavy on customer service. because they don't want people to -- if they don't let you go after the ransom, that ruins their business model. so they are good at undoing what you pay them. that's part of their attendance
5:39 pm
that they are good at giving you customer service once you pay them. that's fantastic. >> think of it from a bad guy's perspective. renewable return on their investment, at the end of the day, they are still managing their own risk. not just financially, but they want personal freedom. that's important when we look at we saw in mid-2000s and as the evolution goes more and more, customer service is baked into the online forums and the vending of data online. that's a measure to help a bad guy minimize exposure. i think as you start to see the shift in deploying and being here in the u.s. and north america, that is a model that's going to start to minimize the risk for a bad actor because you look at ach
5:40 pm
transfers, why do i hack into your home pc to steal your credentials by moving money from bank to bank, that minimizes the ability or reasoning for me to be on the street exposing risk or creating risk for myself as an actor. i think as we're looking at the business models, we have to look at the infrastructure that supports them, but also how are they going to get access to the money that they are making for themselves and where are the points of exposure for them and focus on that part of it. just as much as we are looking at security architecture, how we want to do network defense or intel-based security, whatever it may be, looking at where the risk points for the person doing
5:41 pm
the crime i think is also an important part of the ecosystem as we have this conversation. as soon as we employ chip and pin, the fraud will start to diminish. but others are going to go up dramatically. they are constantly looking at the business model associated with that but also how do i evade detection, evade my personal risk of being apprehended. including that in the conversation is very important. >> the next innovation for cyber crime operations. it doesn't have to be credit cards involved in the attack. as the u.s. moves to chip and pin, it's just chip and signature, by the way we're way behind everybody else on the planet on how to do credit cards. it's one of the reasons credit card theft is easier. so as soon as we get there it will be better. that's going to touch you hard. consumer is going to get that, feel it, see a lot more complaints about that. right now i think credit card fraud, banks cover that for the consumer. it doesn't affect you financially that much. wait until your car won't start. that's going to be real painful. >> i'm wondering if they know anything interesting about me. >> when your car becomes your computer, i think that's where we're headed. >> first of all, it's a good idea not to do too much computing in your car because it's still driving mode. google may change that for us. let's talk for a minute. what does your car know about you. your car may know where you have gone if you have gps, but we're moving into a world where the government knows where you are because there's so many senses
5:42 pm
out there reading license plates. you had talked about what if a criminal could get into your car and make a stop. what's the possibility for law enforcement. to say, look, there's a bad guy driving a tesla and i want this guy apprehended. >> it shows how much crime pays if they are driving a test when you talk about smart device, you're not talking about victims and criminals. you're talking about victims, criminals and the government. the interplay which has the potential to be very interesting. and maybe i'll keep my honda for a few more years. >> i think we're going to hear a lot more about how the law is going to have to change in order to strike the right balance when we talk about the governments being able to deal with these new technologies and take advantage of the evidence that's created by them when it's appropriate to do so. but for us with the focus on the technology, we heard a lot about payment systems.
5:43 pm
i heard bitcoin and i heard about credit cards. so i want to follow up on payment systems. so i guess i'll ask rick. is the credit card with a magnetic strip going to exist in 2020. >> no, i don't think so. i think in the u.s. we're moving to chip and signature. it will be some holdovers but the industry is moving to something more substantial. i don't think that's an avenue anymore. anybody disagree. >> i think that's the path. it's going to take awhile for companies to get used to the technology. you are already seeing in some countries that have already moved to chip and pin that it's still as companies are doing business in that model are still struggling with how do i secure my network, configure my network so fraud occurs. some of the gaps and things are being configured still exist. over time that will start to diminish.
5:44 pm
doing international travel you go there with your american credit card and go to france or europe and give it to a vendor and they look at you like what is this piece of thing. please leave my store because it's so far behind the european credit card system. >> at what point is it all going to be done in a mobile device. you see that parking here today. >> so credit card fraud is going to get more difficult. that's what i'm hearing. where are the criminals going to go. >> when you talk about their business operations, they absolutely need a way to do anonymous money transfer capability. have to have that. and they have it now with bitcoin and other kinds of operations.
5:45 pm
and i don't even know what the answer is from law enforcement, how do you track that kind of thing. do you have an idea of how we follow that. >> there's been successes in law enforcement over the years. there's been successes and falls back on banking regulations and lack thereof. you have more courage knowledge, but at the end of the day, they have to find a way and mechanism to receive the benefits of their efforts. and and i think over time they are going to find a way to do that. i think they've already started the shift with the therefore stuff. and i think that's not going away. in fact, from a financially motivated attacker and state actor factor, it becomes harder to decipher which one is which because they are doing both. so who is the actual actor that's targeting you becomes a very important part of like making decisions.
5:46 pm
so i think they have already made that shift into we need to minimize our risk on the street, we need to find our ways to move money, i think their infrastructures are in place, but it changes as law enforcement has success as a regulatory landscape changes. but they pay attention to it and have the same debate about it online amongst themselves that we are having here today. there's no doubt that they outlive that. so i think they have made good progress in setting themselves up for the future unfortunately. >> you just briefly explain what you referred to. >> it was a digital currency where it was bound i think to the gold and so it basically created an environment where you could move money and had a value in the form. it didn't have your know your customer procedure from a banking regulatory perspective. so that was a way for us and we could prove -- at least law enforcement could prove that the
5:47 pm
percentage of transactions was used by fraudulent activity. >> i think that we're saying that credit card fraud is slowly finding its way around and things will come. i'm interested to hear what everybody thinks, it's personal information that's the value that we're worried about. and is that true. is it more than just credit card information. it's your name, where you live, your social security number, your medical history. is that more valuable than just credit card information. >> it's really tough to monetize. sensitive, it's personal. but until there's like a good monetization path, i don't think it will be a threat. what we do know is criminals will find a path before we will. >> you brought up something
5:48 pm
interesting about a social security number. five, ten years ago, the notion that everybody who knows my social security number is there for me has been a standard in the world of finance. and it's an absurd idea given how many times we have to give our social security number, how many poorly protected systems it sits on. maybe the problem isn't the data. maybe the problem is the level of authentication that we give and shouldn't. maybe the problem is in the transaction. >> if you look at data breach report that we produce, last year we looked at just over 63,000 security incidents, just
5:49 pm
over 1,300 data breaches from 50 participants in 95 countries. and i think when you look at it consistently year over year, even as the report has evolved, authentication becomes a major issue. most folks of things we see would be resolved by leveraging. >> which is getting much easier. >> so we have never reached 20/20. i want to talk about what cyber crime looks like in 2020. so what does it take to be a cyber criminal in 2020. do i need a computer science degree. >> either that or any accredited cyber crime university. one thing that's differentiated cyber crime from a lot of other fields is a lot of the skills can be learned in the underground and can be learned just through those networks. and so the science degrees
5:50 pm
haven't been necessary. we have seen that a lot of self-taught people have been able to do everything they need. but i don't think criminals will need computer science degrees >> so from where i sit, doing tests for clients and things like that in my career, there was a practitioner and security field, generally used methods more sophisticatedly than we've seen used. i've kind of watched as they caught up. we kind of feel that we've been warning everybody because we get in and we always get in and somebody else is going to, too. i think that's going to be a constant. so if cyber criminals just use a different target here. there will be unexpected target. >> they're about the same. we now have our smart phones
5:51 pm
collecting our information. we walk in the day. i don't think there's a way to monetize this. >> i'll hand it to you freely. but, you know, as we start having devices, we start collecting more and more data. some manufacturers will put all of that data in the cloud and data that is accurate always has more value than data that is dispersed to the end points. that's what i think we're going to see play out. like, what information could be monetized and those will become new targets. >> the thing that will be interesting to me is even though there's cyber crime all over the
5:52 pm
world, the bulk of the practitioners seem to be in europe. what i would like to throw out in this group is that we're still going to be. it's in eastern europe for lots of reasons, but because of legal reasons they can operate kind of freely. it's really smart people that are trained in the best universities in the world and they've migrated to make a living. >> i think, you know, with the russian-speaking infrastructure, right, that we're describing is, you know, they've embraced a discipline to their craft, right. and i don't think that discipline has permeated its way around the world. right? and i think but we look at latin america, brazil is a very, you know, very early adopter of
5:53 pm
technology, especially mobility. and they are starting to deal with threats before we are. and so they have a talent point that are exposed to different technologies in life that in america we don't deal with yet. i think we have to deal with what technologies are braced from around the world. at a different standpoint, the russian speaking criminal, the way they've architected a way across that culture in the underground makes it a, harder to access unless they want to access it and b, it has to permeate around the world. i think what will be interesting as we look at it is i have no doubt that they're looking at the r&d of the future in looking at where do we need to be down the road. they will be the ones, most
5:54 pm
likely, that will continue to drive the economy of cyber crime around the world, right, whether it's setting price, providing the infrastructure. it would -- take for instance if i'm a hacker here in the u.s. and i hack into a data base and i have access to all of these types of data, the first question i ask is what do they do with it now? they don't ask that question they know exactly how to monetize it. so they're looking for the types of data that they know they can monetize. you know, we saw phishing and spam increase immediately. it's having the infrastructure to permeate the crimes that you want to commit and you know you're going to be able to
5:55 pm
monetize quickly. >> my answer to your question would be it depends on global economic shifts. why i think, you know, eastern europe is the center of cyber crime is partially network effect. and, also, they don't have a silicon valley. if there's a rich technology industry nearby for people with those interests that even a lower pay, will be a draw to the criminal world.
5:56 pm
>> the united states persuaded with the maltese. i think, in part, somewhere in the justice system. so here's the question. vladimir putin reacted to this by, a, saying this is a great victory for cyber security, or, b, putting on a list of countries where russians shouldn't travel to. as long as he is in charge in russia, or as long as that attitude is in charge in russia or other countries, it's going to be hard to make progress against this. what is criminal is often political. and it's russia's decreasing desire to see themselves identified as part of the west. that has many ramifications and this is one of them. what's going to be important is
5:57 pm
the extent brazil sees themselves cooperating with the west. >> so one thing we talked about a bit is what crimes are going to be driven, to a large degree, by a financial motivation. i agree, it's going to become larger. when you realize roughly one-third to one-half of all computers in this world sport malware. it's a wonder so little of that crime has taken place.
5:58 pm
and this isn't one of the things that's done until it's done and everyone does it. i think, you know, part of the problem of forecasting in 2020 is to try to figure out what innovations will take place in terms of monetizing information. about a week or so, there was a report of a bunch of hackers who had information on drug companies. it's to try to out guess the stock market because of the success of drugs has a lot to do with, as you imagine, stock prices and firms. i imagine that lit up a lot of light bulbs. and they may be looking for information on mergers and acquisitions is a big one. but i'm sure there's a much larger list. i predict in the next five years, somebody will come up with an interesting way
5:59 pm
monetizing information that none of us had a clue about. i just don't know what it is. >> or he'd be in that business. >> i mean, i also think that we need to look at the rate of adoption and technology. we're all talking about innovation and we're projecting technology to be. but let's also talk about what adoption would be. we're only six years away or so. we're a return on the risk or a return on the factor. for you, you know, prosecuting cases, are you looking at intent, motivation and financial
6:00 pm
loss? so whether it's stealing payment card data to convert into money, you know, or if it's, you know, some sort of destruction that's occurred, some company has to put a dollar amount to the data that has been destroyed. as we're talking about it, data will be the currency going forward. so what's the dollar figure you need to put to it so i can go to
6:01 pm
mick and say, mick, i'm the victim of a crime. how much was that worth to you, right? >> so if we shift from not-monetary-based crimes or activism to cause the victim pain or denial of service attacks or doxing their data to read private e-mails and things, but add cryptoware to that tool belt, i can now lock up your data and you can't even touch it anymore. that's kind of a scary proposition. so it's almost time for me to turn it over to the audience so that they can ask some questions. we've talked about a lot of things that we think may happen. what's the one thing we can do to be prepared?
6:02 pm
symposiums like this are one of the most important things you can do. if you had this conversation with your family, my eyebrows roll every time we talk about cyber crime. my mother-in-law thinks i'm an idiot. we need to make these conversations easy enough for everyone to understand. >> i would say keep your eye on the attacks that are, like, being demonstrated as part of research today. because, how it happens, an attack that is demonstrated by a researcher and saying hey, is a risk. they will often become the widespread crimes five-to-ten years after.
6:03 pm
in my community, there's a lot of hackers that would hack out other hackers. those sort of attacks that just happened to us then start happening to celebrities. then this might happen to other people. so there's this pipeline, this trend already. >> i agree with continuing the awareness. getting people to help demystify the problem. and using tools that are an exposure for educational perspective. as business owners and leaders, we can understand the world around us. how does this apply to us. i think, you know, it's nice to talk about where the world will be and look at everything at a global scale. but, at the end of the day, we
6:04 pm
have to discuss legally as well. you know, make the education possible so the masses can assume its importance. >> martin? >> i'm going to be a little contrary. let's say we had this panel 50 years ago. and, on average, we have a one in fifty chance of ending our life as a result of a car accident. and then you pose the question, what should we do, right? and you don't have a lot of interesting ideas. your results are four times lower.
6:05 pm
roughly one in two hundred. is the answer because we were better drivers? the answer is no. it's a lot of different things. we solved not through personal action, although personal action is not an important entity. by the way, we solved it by passing regulations. probably the only happy accident from the vietnam war as we learned to do ems very well. but, regardless, we've solved it systemically. i have a colleague of mine that says don't blame my mother for the internet. if we build the system where everybody has to be constantly aware and as sophisticated as we think we are here on this panel, right, you're not going to get there. you have to build a system for average people so average people can get out of line and do
6:06 pm
average things and not worry so much as they do now. trying to put this on the consumer is just not going to work. >> the tools we used to solve the sandy problem is mandate air bags and seat belt makers and things like that. we haven't come up with a good solution for that. i agree that we want consumer products to be better -- to better protect our end user. and if we could find a way to make that enticing for the people that build those things, that would be a way to do it. but i don't know how to do that. sometimes that happens by second order effect. and then it is in their financial interest to solve the problem.
6:07 pm
>> we've reached the point where we want to invite the audience to come up and talk at the panel. >> so, to put this on a concrete example, the sony hack. it's probably the biggest thing in the news right now. it's both hacktivists. what can we learn from that attack and how much do you guys describe that it could be retrobugs for the sony hack. >> maybe we can speak a little bit more broadly about what large data holders are facing on the internet today and the
6:08 pm
threat that they may be extorted or otherwise. >> one of the things they did was they send a message on every -- not everybody, but a lot of employees computer screens, locking it up and saying you better pay your ransom or you're never going to get it dwen. our community is pretty bad about this. we like to blame china, we like to blame russia, now we're going to blame north korea. it may be true, but we don't know it's just speculation at this point.
6:09 pm
i fundamentally disagree with that. i've been around the world talking to security people. and every man and woman admits that, they haven't really configured that device they bought last year for a gazillion dollars to do it in the first place. i believe we can be much better at this. we need to make it a lot harder. >> i've seen that sony had that data accessible. but, in my experience, that's not really entirely different from any company of that size. so we don't have the tools to protect that amount of data on a network.
6:10 pm
>> so i've seen some criticism that perhaps there were weak passwords being used in 2020. is it a realistic security mechanism to keeps safe? >> i think we're still using passwords by 2020, correct? i don't see them going away. >> i'd like to think that we'll have a greater shift towards factors or something different. but i still think it's going to be used. >> and by two factor, what do you mean by that? >> take multiple forms. we spend a lot of time and, look, we all have mobile devices i'm looking at and everyone has a cell phone sitting there. being able to leverage, you know, the data, you know, to do the analytics, and i think one of the things that's interesting about what we're talking about in the space is we're talking about the amounts of data that's going to be created. i think to some extent, it's a big data solution that helps solve the big data problem. the more data that's being generated to do -- that could be
6:11 pm
stolen, can also be leveraged to do, you know, analytics to protect us. so i think it's important to -- it could be for preventing fraud, it could be for authentication purposes. we make it so hard to do these kinds of things. how many people are using facebook? no one's going to admit. good. how many of you turned to facebook? it's hard. you don't even understand it. and i tried to explain that to my mother-in-law, she doesn't even want to talk about that stuff. we have to rely on the people that make the software to make it easier. >> we could use things like machine learning to identify your log-in patterns to say hey, you usually don't log in from south korea at 3:00 in the morning. that seems pretty weird.
6:12 pm
why don't we ask you for a two-factor when any other time we don't. because you're logging in from home from your computer at normal times. >> first of all, i think judge posner would present economic analysis for the situation. but going back to something you said earlier, martin was with regard to what is law is political. and i think any sort so true. that what's free speech here not necessarily so in europe. but theft is theft. stealing is stealing. at least when it was tangible devices, at least they had to make it out of the non-extradition country to escape execution.
6:13 pm
what can the state department, what can the department of justice what can our countries to do? >> i'm glad you started off with theft is theft. there's such a thing as copyright. if i appropriate a book made in 1930, i violated copyright. if it was made in 1920, i haven't. but that wasn't the question you asked. the question you asked is how do we put -- not to put too fine a point on it -- but how do we put pressure on the chinese to stop stealing our intellectual property? the first thing we have to do is figure out what we're losing to them. i find it ironic that the people spending the most time complaining are the department of defense. when you go to the department of treasury, they pay lip service,
6:14 pm
but they're really more interested in selling the chinese our treasury bills. we have a very complicated relationship with china. i was a little surprised at number one. there was news that it was going to be number one at the most recent summit. but then they ended up with an environmental deal, which probably was not a bad allocation of resources. but, at the risk of being wrong, i wasn't sure that they had the intellectual property that they thought they did. when i took a look at the department of justices, almost
6:15 pm
all of it is what i would call business proprietary data. relatively short term information that chinese could use either in a political, legal or business negotiations, vis-a-vis the people they took from, okay. the amount of stuff which could be clearly intellectual property was not very high on the list. now, i asked myself why that would sell. there are three answers. one is that it's just a statistical artifact. there were five or six companies in western pennsylvania which all of my friends from there is not the most innovative part in the united states. they didn't have a lot of information to steal. another fact is they stole it and the department of justice didn't really want to talk about it. i have no way of knowing if it's true. and the third possibility is the fact that the chinese have stolen so much intellectual property that they don't know if that's what they're interested in anymore. that's an empirical question. i don't know the answer to that one. but those are the questions we have to think through before we make a political issue with the
6:16 pm
chinese and put other things at prising to gain that. i do think that these are interesting questions, but i want to refocus this on sort of the criminal threats that we're facing, instead of more generally on the geopolitical environment. so if we can go ahead and move on to the next question. >> can i address that one thing? i was on the panel yesterday and we were talking about just general corruption in the world and should we care about that. the u.s. has a mixed review on that. we think stealing is bad, but then we support countries with monetary gifts because we like what they're doing.
6:17 pm
should that even be a thing that we talked about? >> what i think is interesting is, at the end of the day, it's human aspect to this. right? if i'm a citizen in another country and i have the ability to travel, i'm going to travel. that's how it's going to be. unless the government prohibits me from doing so. in the relationships around the world and myself having been fortunate enough to play that role for the u.s. government was building those relationships and partnerships to not only learn from them, but to work together to solve as problems. we saw cooperation and that's why you still see more arrests happening around the world.
6:18 pm
but the actual mission is moving forward. you're seeing more arrests frequently from, you know, transnational cyber criminals than you ever had before. i think what gets lost in the translation sometimes is we end up, as the general public, don't understand the general interest those arrests have. if we arrested that one person or those five people somewhere around the world, who they really were in the ecosystem of the cyber crime, but who those really had. like i said before, the efforts that are being taken with international law enforcement, you know, is definitely growing, definitely impactful and is having, you know, a lot of impact that i think people don't
6:19 pm
realize. >> when do you think the private industry will recognize that they're capable of protecting data? the internet can't have sharing without criminals exploring. jp morgan chase, they're not a retailer. $250 million in data security. they got hacked. >> so when will industry focus? you cannot build a castle strong enough. when are you going to focus on how that data is used to transact in business. just to give you an example. locked up sometime after 2020, solution, he's off the streets. but there was not a lack of
6:20 pm
people going back into this. at the time, it was open wifi. payment data was encrypted, but in-transit data wasn't. so what do we have now? ram malware. even after target, home depot knew about this. it was in the papers. they got hacked. they didn't know from april to august. >> you don't need to factor authentication. we seem to move from one cell to another. >> what did the industry do? why if my phone is uniquely
6:21 pm
protected better than me, why can't industry protect? >> so you'll start to see it first in small pieces and then a larger movement. so what to look for, technology companies who are opting not to collect data. the example that comes to my mind first is apple pay. like google wallet, the transaction doesn't go through apple. so all of that data is not something they need to protect. it's not aggregated on their systems. it's just pushed out. as we see more companies as a potential liability to take actions and design to not collect it or to encrypt it on the client's system or the phone
6:22 pm
before they receive it, then we'll start seeing them be able to reduce their costs there. and is that's what i keep my eye on. >> hi. my question has to do with the actors, the cyber criminals. currently, involved with an experts for cyber crime communities looking at cyber crime in the broader context of the evolution of transnational organized crime which also is becoming flatter, more networked, less hierarchical. i also hear you and some others
6:23 pm
talk about the business models, their methods of operating. so could you just speak a little bit about how you look at the actors and where you see their evolution going forward? >> i think you addressed some of these topics in the hacker's bazaar. >> we did. and i think that the organizations over all are starting to look more networked. one of the things that we found interesting about those underground markets is we didn't see much traffic and intellectual property and we didn't see much traffic in really popular zero-day tools. i think in both of these industries, it's a spoked market. you handle these differently than you handle most items. >> i like to address what we called it.
6:24 pm
again, when i say organized crime with my mother-in-law, she's thinking the godfather, okay. and that's not what's going on here. it is a loosely connected, federated group of specialists. and it's kind of like -- it's like lincoln log or legos when they connect things where they need to connect to. it's not one giant person doing the entire thing. so, yes, get away from the godfather metaphor and just talk about organized crime that way. >> i think the connection is trust, right? and credibility within our space. i think, you know, as carl well spoke in the beginning of the conference, you talked about the crews that exist, right? so think about that for a second. you have a hacker who takes away security controls and then tells their partners around the world who they never met, who they don't know in real life. here's the information you need to go to an atm, take out all of that money and you physically have the money in your possession.
6:25 pm
you're working for or with a group of people you don't know and you have the money in your hand. how does the hacker benefit from you, the cyber criminal, having that money in thailand? well, you have to send me the money, right? the bad guy has to send the money to the hacker. if they don't, they'll be out of the picture. they'll have to reinvent themselves under another nickname, another icq name, whatever it is that they're using to communicate. they will be cut because they're not trusted. i think that that's the piece to this. they're committing crimes that are highly sophisticated because of trust. at the end of the day, the discipline that they applied to their craft and the trust that's embedded in the community is similar to an organized crime
6:26 pm
group that would have to either earn and maintain trust, if that makes sense. >> so recognizing that we only have one person here who's former law enforcement to the former government, what does that mean to law enforcement. your ultimate goal is taking out the top. where does the goal have to be? >> the goal for me, we're a commercial business, is to put bad guys in jail. so, because of that, i like the microsoft model. go after the infrastructure. i don't really care if i have to arrest somebody. but i dismantle their ability to do it and i do it quickly. i would like to see a lot more resources thrown into that.
6:27 pm
>> do we have one more from the audience? >> nevertheless, so many of your remarks led to that model because over and over, you're talking about russian and the east european mobs from the standpoint of just criminal organizations have just been there for decades. some of the people are extremely famous. in fact, the top head of the head, a couple were arrested in russia. i don't know what that's saying for putin's group. in the u.s., for example, the organized crime unit tried to take on the mafia and so forth.
6:28 pm
so, presumably, you're going to have that same criminal organization and now they've adapted themselves or gotten into the lucrative cyber realm. again, maybe we'll hear more about this. >> that's a great question. let me try to clarify. organized crime does exist and they do elaborate cyber crime as one of the things. they used lots of crimes to make money, right? >> when i talked to normal people, they thought that there's one organization that does things. and that's not the way that it works. >> take for example max. he tried to be that. and it didn't work.
6:29 pm
criminals realize that. it didn't matter. people got arrested that are in his crew and they rolled. and they knew him personally. and they knew where his operation was in california and they brought us to him, right? that model doesn't work. language is also a barrier. we talk about russian-speaking infrastructures. if i don't speak russian, well, potentially, that could be a counter measure to aclooefuate anybody from accessing their infrastructure.
6:30 pm
i think it's important that they've tried it. >> well, we've reached the end of our time. thank you very much. [ applause ] >> tonight on c-span, we start with dave camp, chairman of the ways and means committee. here's a few minutes of our conversation with congressman mcgheen. >> some way, we need to go back and make things a little simpler. when my dad first went into business, he had been working for a company selling off of a truck.
6:31 pm
he saved enough money to buy a used fish truck. the war was started. one weekend he had been in business. it got him started. now, to be in business, you have to go get different licenses, permits, this organization and that organization. everything is tougher. the taxes that come with all of this. while this is the greatest country in the world, we've got lots of challenges.
6:34 pm
6:35 pm
a.d.i. and, in fact, entitled to the salary from the government of sierra leone. >> can we, just before we get into the details of it, know from both the focus rate and sunjourn, i've pronounced that right? okay. just so we've got some feed about what you're actually doing? >> thank you, chair. the rescue committee is working on a series of projects through different funding, including isolation centers in local areas at sierra leone as well as committee mobilization activities, which is geared towards improving information about what ebola is and how to prevent yourself from getting it at a community level. as well as the primary health care centers providing infection
6:36 pm
prevention and control treatments. doctors and nurses work safely to treat non-ebola conditions. >> and how much money? >> in total, it's approximately 12 million pounds. >> and then some is left in the multiorganizations where it could be a funder. >> correct. as well as ugs government funding. >> and save the children? >> thank you very much. >> our main focus is similar to community centers and relationships in terms of funding is different in sierra leone.
6:37 pm
>> quantums? >> the specific amount is 5 million pounds. >> okay. i just wanted to really start with all of you. i mean, i don't know, but looking at it, what is quite interesting is if you're looking at nigeria, a much bigger population, which is large of the populations you put in liberia and sierra leone combined. the main city is pretty unsanitary. >> yet, they've managed to control the outbreak. why? and what's the difference? i don't know who's best. so we get some feel of why did the challenge not emerge? or why is it not emerging? >> i think, just taking the
6:38 pm
nigeria example, what happened in nigeria is because people are aware of the fact that this could rip away completely, this demonstrates for the first time really what this disease can do once it's allowed to properly take hold. and the nigerian authorities got on top of the first two or three cases very quickly, followed up all of the subsequent ones. so the first wave before the first piece came into nigeria, the first case wasn't identified until quite later on in the disease. actually, the real failure of the international community was around about march, between
6:39 pm
december and march, we knew that. but the expectation was on the previous one side. and there was really a delay between march and the sake of argument. >> so it's important to understand that nigeria is a country of multiple parts. a very large country. there's a very big difference between the industrialized south where these cases actually first appeared. where there is a good public health infrastructure. it's not a good hey one, but it's a good one. that said, in the north, we
6:40 pm
might have seen a different picture. it's important, also, to note for example, also on top of an outbreak as did the u.s. and spain. so when people are alerted early enough, it's fairly easy to stop. >> and what's happened since sierra leone? why weren't they identified? is it just one of the lessons to be learned? i mean, i'm guessing at this. >> no, that's absolutely right. one of the things, there will be multiple lessons to learn. there is no doubt that multiple
6:41 pm
lessons in the system messed up, not only in the first couple of months in the sense when it was epidemic. i don't think we should blame others. it's really important. when this is over. this is not the moment to start throwing stones at one another. but i think margaret chandler, our own chief medical officer both said, for example, who has some very serious lessons to learn from this, and there are others that do, as well. i think we should do that. all of us probably think this isn't quite the right moment to do so. >> principally, of course, this committee is concerned with value for money. for the money that it spends on health care. i'm quite interested in some of those answers. you just said that multiple bits
6:42 pm
of the system messed up. >> i think the first identification in sierra leone, in about february, if i understand it, the first confirmed case was just after that. it was a little bit after in sierra leone. it's the expectation that's widely prevalent. it's quite like all the other outbreaks. as chris said, that is why --
6:43 pm
that was a planning assumption, which was wrong. now, as time passed, the gearing up happened. >> let me just stop you there. why did they manage to commit that assumption was wrong, but didn't. >> can i be clear? the flag was that we felt that this epidemic was behaving oddly from april. we need to be careful before we start saying if they should have created -- said there was a health emergency. wha wants to do. obviously, if it has a large
6:44 pm
presence in one of these countries in sierra leone, we mustn't forget that there are two others. that amount of money could have perhaps been much lower. >> so i think all epidemiologists know, you know, have the benefit of hindsight and say we could have predicted from march. >> they were saying very early on, it was too late and should burn itself out. >> what i'm trying to say, at a certain point, you do have to rely on the global expert body, given that there's a range of
6:45 pm
equipment. let me take a different approach. you would see multiple outbreaks around the world. if it's relatively quickly, if every single time we responded as if it was a global emergency, we would also waste a huge amount of money. at this point, we are responding very carefully and recalling it to trade around with things that are controllable. as you rightly say, balancing the professional judgment overall was we would assume that they would ultimately take all the different views. and we took the view of the international community. what we're saying is, that, in
6:46 pm
retrospect, is not necessarily what we're saying. >> in fact, as far as the scientific advisors were aware, you can see, if i can put it in these terms, where nsf was coming from. if it didn't have a different response, which controlled the outbreak in sierra leone, which had to have a lower level of spending. >> we took into consideration where we thought the census was confined. i think the first confirmed case in sierra leone came through.
6:47 pm
we allocated more fund, we provided during a few weeks after that funding for nsf and others to open up their facilities in eastern dlc. >> i was told it's quite difficult to have under control and that's not the case. >> the numbers that who will be using as an indicator for this problem, including through september, it was maybe 20,000 cases. now, as you know, '15-'16, september, published results of their own in much, much larger numbers, by which time it was, because w.h.o. had declared the emergency in mid august.
6:48 pm
it was clear what had been done up to then had been declared insufficient. >> it was quite clear that we others acted earlier. it would have been cheaper and easier to solve the problem. one of the big takeaways is how are we going to ensure maybe not just relying on w.h.o. it's a great degree of ability and confidence. >> can i just ask either of you to comment on this issue? about whether was it too little or too late? >> i think from our -- i would agree the nsf had been the real heroes in terms of their people on the ground, the scale of their response as well as
6:49 pm
calling it iran, i also agree with the world health organization could have mobilized quicker. in terms of our response, back in april, we were already doing community health education which is absolutely vital before this was declared on the 24th of may. i have to say, since that time, particularly, since august-september, the amount of willingness of agencies to work out of their comfort zones to do something incredibly difficult has been very, very substantial. i think that's part of the reason why this outbreak has gotten out of control. and that should be acknowledged. other countries have had the luxury of smaller outbreaks of
6:50 pm
which to learn. i think that's a part of the contributing factor. i may, go. >> i didn't know whether to get in the end, the a lot of the funding we've put in, we've had to -- talking about the malaria funding. so, you put in money so that seems programs, like that and just wonder coming out of this. in to support the health infrastructure. out of our international aid and particularly, the sierra leone, you've cut the direct funding to the country by 20%. i know you've gone through multilaterals, but just seems to me that goodness sake, we have
6:51 pm
more doctors in there. we might have had had a special response. >> on the overall level of funding, in 2010, we were talking about 20 million pounds. 13, 14 of the 68 million pounds. the year, we would be lower the regular program because some of our activities haven't been regular. but what we have done, just explain to me because the community in their report talk about a 20% cut to the in country funding. the program, 20% roughly on health. now at the same time, we take a
6:52 pm
strategic view that we want to put in terms of commodities, bed nets, the antiretrovirals, immunization and so on. more money through the shared international vehicles. now, that institution in 2014, they will spend 20 million pounds of our money on their set responsibility. is it absolutely the case that having come out of the civil war, which destroyed every institution in the country, there is a massive challenge on rebuilding the health sector. if you look at the progress that has been made before ebola, for example, child mortality, there has been good progress, but it has been overwhelmed and swamped, unfortunately. by the ebola outbreak. i completely agree with the
6:53 pm
proposition. we're going to need a much stronger focus in terms of programming on the systems. now, it's absolutely right. i'm really sorry it was just overwhelmed by this epidemic. >> the lack of a robust health care system has made this outbreak much more difficult to do. i think we would agree on that. we were in there for 15 years. one of the largest areas in sierra leone and yet, when this outbreak comes along, british taxpayers find that there are only 120 doctors. one -- that malaria is endemic across west africa and he dies very early in the outbreak. it could be said rather drop the
6:54 pm
ball and have very significant consequences during the course of this outbreak. you should have been spending much more on a robust health system well before this outbreak occurred. >> i'm agreeing, we need to put more emphasis on this. one of the emphasis on trained staff, for lots of countries which are extremely poor, lots of the men don't need them. >> why don't you have programs to encourage them not to become part of overseas and remain in their home countries? >> that has been tried a lot over the decades as you know and it has proved very, very difficult. people want their trains tend to have freedom of movement. health workers are very mobile internationally. it has proved to be a difficult
6:55 pm
thing to tackle. if we, if there was a magic bullet to that, we would love to -- >> isn't the magic bullet for perhaps international community to offer, to supplement terms and conditions in a way which encourages medically trained staff to remain in their hometown? >> unfortunately, that's one of the things that's been tried and it has not so far getting people to stay against their will, things we can do in the u.k. to make sure and the nhs is very committed to this, but it's a large world out there. trying to encourage them, says that's been tried and in various other places, it has a number of
6:56 pm
difficulties. not least of which is that you're then committed indefinitely to supporting those salaries because otherwise, the minute you draw, efrk leaves. this is a high risk of course. >> the trouble is, from the point of view of this committee, the taxpayer, that we are helping to fund people to train and that once they have trained, they then go overseas where they think they can enjoy a better quality of life. and that we have funded them essentially not to be there any longer and that results in yet further costs to the british taxpayer? it was one of the most destroyed
6:57 pm
communities in africa. that was a horrendous civil war. i think one of the triumphs was actually helps to end that civil war, i think everyone would disagree. the question is, where, it's not a straightforward matter, just putting money in and surface the system just strengthens. it's more complicated than that. >> just on the saf. which was acceptable, i just wondered if you could give us an update on how that's working, particularly with the ebola outbreak in terms of going over. >> well, the, at the moment, in
6:58 pm
terms of -- volunteers, hope you don't mind me saying i think we all owe them a debt of gratitude. >> yes, absolutely. >> risking their life. we have seen lots of colleagues -- >> yeah, this is not nhs. >> this includes the nhs. originally, early on, organizations like msn and the red cross doing the recruit including the nhs. firstly on the 8th of september, we agreed to finance kerry town, then the other five big treatment centers. one of the things we did was put in place a staffing plan, plans
6:59 pm
7:00 pm
which we still don't have enough people and this remains constrained. the first is -- on the lapse. one of the ways in which we could get ahead of the disease is to do the testing faster to find out if people have got it or not. lab testing has been a constraint. we've just opened two more labs this week, but it has been difficult to get them all staffed up to the level we need. the second, which is the biggest remaining constraint, which begin speaks to your point where the nhs has been fantastic and remains a challenge, is on the senior people who can be the clinical leads, who have to be experienced in these dangerous facilities. the world does not have very many of those people, so we've had a lot of volunteers and we're taking them up as fast as we can, but in some critical areas, we don't have enough and that's compensated -- >> can i just dig down on that? so,
In collections: CSPAN3
Uploaded by TV Archive