tv   Key Capitol Hill Hearings  CSPAN  October 13, 2016 4:00am-6:01am EDT

4:00 am
states has been blessed with a number of different kind of relationships. but, basically, we've had two different kind of big relationships. we've had very close allied relations with strong cooperation and then we've had relations with the country like the soviet union deeply antagonistic. try china represents a new that will be difficult for us going forward. i think we need to recognize that. i think it will embody elements of necessary, inevitable, purposeful cooperation, but also areas of tension and the most important thing in a relation like this is to be honest about those areas where we tend to disagree and where we have problems. confront them, try to address them honestly and avoid circumstances where we can have mistakes or miscalculations that spiral out of control. that's going to be difficult but
4:01 am
it's going to be the necessary challenge of the 21st century. the chinese want to avoid instability in north korea. they want to avoid refugees and other things that are -- that could cause problems for their own country. i think we understand that more generally. i still believe that much short of a scenario that you have laid out, it's possible for the united states and china to set very clear parameters for what is unacceptable for north korea. i believe there's leverage that china has not used that they need to use that is in their best strategic interests as well that falls far short of these scenarios that some describe associated with uncertainty or instability in the korean peninsula. >> if i can just add, if you go
4:02 am
to mit, you can talk about -- it's management theory. it's a business theory that the relationships that are the healthiest relationships are those that have tension in them in that, you know, it's the kind of relationship. and i want to say in a very positive way with international relationship, the relationship where you have tension, where partners are pushing against each other and they're challenging each other to make sure that these things work for both parties. it's a dynamic relationship. that is a great relationship to have. it says that, you know, you're being open and honest and moving forward and you're willing to put energy in the relationship. in business world that's healthy and i think in foreign affairs it is a very healthy relation. where you don't want them to go. you don't want to go to the rubber band, there's no energy in it at all. nobody is investing in it. it's like a company that has no energy or tension, it dies. the other thing that you have to worry about that you don't manage the tension properly and
4:03 am
you pull it too far apart and the rubber band snaps. okay. and so that's the kind of relationship that you need to have, i think, in international affairs and those are the most comfortable, that's the most comfortable, but the most effective relationships. this is how we're going to manage through a lot of these types of challenges that we face by engaging other people on a healthy debate and healthy discussion to move forward. so tension in and of itself is not negative. it can be a very positive force moving forward. >> managing professor at georgetown. i want to be a little bit more specific. the last three years north korea has been pretty much unconstrained in its production. those are really the hard parts of a nuclear weapon. we heard just a few months ago
4:04 am
defense intelligence agency analysts saying they probably have about 20 weapons now and they're working toward about 100 weapons in the future. in that context, have we -- are we correctly changing our posture in south korea to defend south korea? i ask that because the last ten years we've been building this new base, $5 billion of u.s. taxpayer's money, $5 billion korean taxpayer's money, concentrating all of our focus, forces down at tech. from a layperson, it looks to me like we just created a target for north korea on nuclear armed missiles. is that the right kind of approach or do we need to radically change our defense posture and maybe be much more provocative against the nuclear arm competitor here. >> yeah.
4:05 am
i think the -- again, this is -- this is why you've got, you know, the in asia today because of the significant progress that north korea has made in both of those areas. and that the -- our strategy, you know, the combined strategies have not evolved to take into account the new reality. and so, you know, north korea just continues moving down this path and you haven't seen a recalibration, and that will be -- there are enough things to focus on and national security right now when mr. trump takes office on -- in january. but, you know, this will be one -- you know, pushing for that reassessment to respond to what we've seen. and that has not been a proactive initiative by the united states and our allies to
4:06 am
address exactly those kind of questions. so, no, the specifics aren't right there. because number one, the u.s. can't dictate and we can't come up with specific steps at this point until you have the collaborative process. >> thanks, bill, for the question. i appreciate it. look, i would simply say that i believe that the deterrent capabilities and intent united states are unwavering and have been in place for decades and i have very little doubt that they will continue going forward. in terms of our conventional capabilities. i think as you know well there is no -- and i want to be careful as we discuss here both the chairman and i have been both briefed on this and i want to be careful. there are no set of that are subjected to more scrutiny and innovation than the particular capabilities, the joint capabilities that have been put in place on the korean peninsula. i can assure you that our
4:07 am
capabilities involve manifest more than simply one base in south korea. we are able to articulate and active -- activate capabilities from across the pacific and indeed from other theaters in short order to support our objective and i think a number of senior leaders in the states have made clear, our goal is to avoid a conflict, which would be deadly on the -- but if that did come to pass, it would end unmistakably with the end of the north korean regime. and we have the capabilities to actually ensure that outcome. ultimately, the key here is to ensure the terms and are steps as a partnership are strong to deter any of those actions and also to explore diplomatic
4:08 am
options if they surface. i will say in the current environment, i see no sense that north korea is prepared to entertain the entire agreement that will be necessary to sustain peace and stability on the korean peninsula and northeast asia. and that, again, is going to require a substantial activation of surrounding nations. i believe all, privately or publicly are deeply concerned by the provocative steps that north koreans do. >> hi. my name is tara. i'm wondering if you can tell us a little bit, you talked about donald trump's clarity and language and how that might be, you know, people in the political class might not be used to it. can you tell us about his statement, having nuclear weapons? >> the -- >> maybe you can clarify, i guess. >> the clarity there is that is
4:09 am
an issue that will be decided once korea, south -- korea, japan and the united states identify what their objectives are going to be vis-a-vis north korea and the strategies and the tactics that they are going to put in place to address that objective and state it very very clearly that as we go into those discussions with south korea and japan, that everything is on the table. >> can i just say, look, i accept there's often, you know, this difference between, you know, clarity and diplomacy and i think the congressman makes a point here. but there are also things that that's not the appropriate dividing line. the real issue here is this strategically wise and i think it is undeniable that maybe in the heat of the campaign or in a circumstance where he's feeling
4:10 am
some passion, i think mr. trump has said some things that have been deeply unnerving in asia and that if he went through them would not be in the best strategic interest of the united states. i appreciate the congress saying, look, it's a starting point and, you know, i don't want to hurt anyone's feelings and let's talk about it. but the problem is that's not what mr. trump is saying. if he began the conversations the way congressman has done i think very effectively, i think most people would agree with that. but the statements about, you know, whether japan and south korea are allies and friends, what's going on with nuclear weapons tend to create more problems than just simply start a conversation. >> from csis. prime minister appears ready to
4:11 am
open up a major debate in japan about gratifying, about revising japan's 1947 constitution, a constitution that the united states basically fashioned after world war ii. what we're hearing about proposed changes would include either a radical of article ix. so-called no war, no belligerency clause that the americans imposed in that constitution. now, if this kind of debate begins in japan, it will be controversial. the chinese and south koreans are going to react strongly to that kind of debate.
4:12 am
however, the article ix and for japan major options for military expansion, including a nuclear option. when this begins given mr. trump's do more, to support the united states. and also given the fact that the obama administration two years ago quickly endorsed the nuke self defense policy, you think -- would be willing to make american views known on the article ix issue if the debate, as likely, begins to unfold in
4:13 am
japan. >> a couple of things. japan is actually, and the prime minister is bringing that up, reinforces what he said at the u.n. a couple of weeks ago where he said it's time to reassess and basically put everything back on the table because of the lack of success that we've had on the korean peninsula and reining in north korea. so that is one. that's a much more dramatic statement than donald trump saying that they should have nuclear capabilities. >> the point is, we saw that here, i think, donald trump administration would be very very restrained in expressing
4:14 am
our views on a debate that's going on internally in china. excuse me, in japan. okay. i think you've got to be very very careful about that and you're not ever sure when you insert yourself into someone else's internal policy debate as to whether that actually helps move the ball forward in the direction that you would like it to go or whether it actually hurt. so i think we would be very very restrained. and i can't let this go, the comments about mr. trump are not unsettling relationships with our allies because of the statements that he's made. because i think we have a very good example and if i'm taking a look at the people in asia and they're wondering about the reliability of the united
4:15 am
states, vis-a-vis its allies. some of the things that have happened under president obama and secretary state are much more concerning than what donald trump has said. in egypt we have an ally who for 30 years, for 30 years pretty much was a full partner with the united states maintaining stability and the relationship with israel. and when we were contemplating going into war in afghanistan and in iraq, said to the united states and i met with them and i listened to him and his intelligence, folks. and they said, you know, we're not sure that this is a good idea. and they went and outlined the reasons why they weren't sure that this was a good idea.
4:16 am
and as we walked out the door, his staff indicated just remember that if you go to war in afghanistan, if you go to war in iraq. we may be told it wasn't a great idea. but we will support you. and they did everything we asked them to do. and we threw it under the bus. in 2003 i was asked by a friend of mine on the house floor pete, you go want to meet in libya. no, not really, that's not on my bucket list. and he said, no, serious. the bush administration is seeing the fruition of, you know, 30 to 35 years of consistent american foreign policy of republicans and democrats, the same, republicans
4:17 am
and democrats putting sanctions on the gadhafi regime and putting a tremendous amount of pressure and ostracizing them in the world. we're getting hints that maybe republicans and democrats for that period of time were having a successful strategy, he wants to flip sides. so we went and i met with them two more times after that. so in 2004 and 2005, we achieved a bipartisan success of a long-term, consistent american foreign policy where we flip gadhafi. we got rid of his nuclear weapons program, he paid reparations for the families for those who had paid a tremendous price because of his terrorist acts. and then for seven, eight years he did everything that we asked him to do to fight radical
4:18 am
jihadists, helping us confront, contain, with the ultimate goal of defeating radical groups. 2011, this administration flipped sides. you've got a lot of people in the middle east who were wondering, i wonder how great this relationship is with the americans in it. what did it really get gadhafi. and in the end it came back to bite. and i've got to believe that there are other people around the world wondering, too, how reliable is america as an ally. if we're going to take a shot at what mr. -- some words that mr. trump may have said that had been less than diplomatic, it's also important to take a look at what this administration has
4:19 am
done to some of our friends who have stood by us side by side for a long time and see ultimately with we left them. >> last ten minutes, if i can ask people to keep the questions short and try to get more of them. >> yes, ma'am. and i'll go to the back, right here. >> so far, we. >> a new reality north korea has nuclear missiles that can date united states. so the reason why the pre-emptive strikes the options of this these days. i think it may be because united states are dealing the north korean situation not as an asian policy, but as u.s. also see
4:20 am
caribbean issues. do you think that changing is going to happen. >> i think increasingly the north korean challenge is not simply a regional challenge, as you describe. because of proliferation concerns it is a global challenge and ambitions that they've outlined with respect to the united states, it is a direct challenge to the united states. so it has to be looked at through all of those lenses and it should animate our attention and our focus substantially in the time ahead. i believe it is not any one of those issues, but it is all of them together that unify each of the countries that surround north korea to take more activist stance. >> it's a global issue.
4:21 am
it's very important to the next president that's going to take a look at it. it's a national security threat to us, the regional. it is the secretary outline. this is also a global issue because of proliferation issue. you know, what -- who might gain access one way or another to this capability from north korea. something -- something that we -- all of us, at least, need to be conscious of is that that is a possibility that may occur. however, that may be an issue we confront sometimes in the future, you know, george bush, when he went into office on in january of 2001, who would have thought that his presidency would have been dominated by al qaeda and an attack that ended, that happened nine months later after he got. you know, president obama,
4:22 am
secretary clinton face challenges that were not anticipated when they came into office and, you know, a couple of weeks ago someone asked me, and i think you can throw the north korean proliferation into here, you know, when the next president is sworn in on january 20, what is the issue that's going to develop in their administration that no one is talking about today. >> yes, sir. >> thank you. kevin lee, how are you. let me ask a question about the pre-emptive military action, the possibility. it's kind of area sensitive but also very crucial, at this point. senator tim kaine, he said the president should take the action to defend u.s. on the imminent threat if you have to. and yesterday wendy sherman
4:23 am
senate korea said that the every single tools should be used to north korea and these words are being understanding korea that the campaign. the using of pre-emptive military action is not unconceivable. i want to ask them, what is exact -- the opinion of the secretary clinton on this issue and also to the chairman, the last -- during the first debate, mr. trump said nothing can be taken off the table to deal with north korea and, can i ask that that also included this kind of pre-emptive military action towards north korea, thank you. >> i can give you a straightforward action. north korea is an urgent matter that requires focused american
4:24 am
attention, working closely with allies and partners, number one. and number two, as secretary sherman, vice president elect kaine, others have indicated, we're not going to take any options off the table at this time. >> i think mr. trump has been very very clear about, you know, when it comes to threats to our national security, whether it's throughout the middle east or whether it's in korea or whether it's the continuing involving threat from russia that, you know, he'll do two things, he won't take options off the table and he won't really send a lot of clear signals to people about at least short and medium term objectives as to what we may be doing. obviously, you've got a established parameters in terms
4:25 am
of where your foreign policy is operating from and what's acceptable and what's not, but, you know, i think the statement that at least as we enter into the next set of negotiations with our friends and the region as to where we're going to go, you know, all the options, at least, initially, are going to be on the table. >> will donald trump ask south korea and japan to increase their defense budget? and to mr. campbell, what specific role will the administration ask of japan in the region? >> i think what mr. trump has made clear both to, you know, those folks who work with us and have the military relations that
4:26 am
they will be expected, after a comprehensive review, to pay their fair share, that the united states taxpayers and american workers can't be expected to pick up a disproportionate share of what global security require, far willing to pick up our fair share and recognize that, you know, some of that comes with additional costs of being a global leader and those types of things, but we can't -- we are not in a position to subsidize and pay for other people's national defense needs. so, yeah, we, again, it's the healthy relationship of a, you know, there's the tension in the relationship. if it's saying, yeah, don't worry about it, we'll pay for it. i'm sorry, that's not a healthy relationship. if national security and the priorities for korea or our friends in other places in the world, the threats that they face, if they're not willing to pay for it or they just go into
4:27 am
it and say we don't have to worry about it, the united states is going to pay for it, that is not a healthy relationship. healthy relationship is where we pick up our fair share with our goals and objectives as to what we want to accomplish globally and for our national security and that these countries will pick up their responsibilities, that is a healthy relationship because we're both getting what we're willing to pay for and what we are willing to invest for. if we're -- if the criteria of the agreement is don't worry about it we will pay for it, that is not a healthy arrangement. >> so, thank you. i would say that, you know, the relationship between the united states and japan is going to take on added and increased significance in each of the specific region going forward. and not just in each globally. one one that has supported our activities in the middle east, appropriately in terms of civil
4:28 am
society is japan. we work with them on a global basis. i expect that to continue. we had a very good question about debates going forward in japan around national security. i agree with the congressman that we have to tread very carefully with the democracy about how you communicate matters associated with critical issues around national security. i will say these issues are controversial in japan. they are controversial in the region. prime minister and his team have committed to strong consultations, active engagement with the public about the way forward. i think that is appropriate and we would support that more generally. in terms of specific things, perhaps the most important thing that the united states will want to work with japan on is to ensure that the japan's economy continues its forward progression and success, forms,
4:29 am
the so-called third arrow. i would like to see japan relationship with china continue to improve and i think we can all be ambitious about the prospects and possibilities of even tighter, closer coordination between the united states, japan and south korea. these are things that i think are appropriate. it has been the case for decades. there is no relationship more important, more important relationship bar none. i will say it's more than in any period during the cold war and that's something that, i think, is deeply recognized by the both the japanese american people like south korea, attitudes of japan about the united states and the united states about japan have never been more positive. we need to capitalize that. deepen our people to people exchanges, our understanding of
4:30 am
our role and recognize that japan will not only work with us in partnership as they have done for decades, increasingly they will also demonstrate areas of an independent foreign policy. as a nation, we have confidence in japan, with prime minister has done in india, southeast asia, in africa, recent trip to cuba. these are things that we support and we encourage. i expect the japan relationship will continue. >> we have time for one more question. >> here comes the microphone. >> how critical is the deployment to u.s. interests -- to u.s. interests, is it that important. >> i think it's important to south korea. my own personal view is that
4:31 am
this is a decision primarily for south korea and i think south korea is taken the decision. we're facing a deeply provocative missile capabilities that threaten south korea. this is an appropriate step, the step that united states supports and we're prepared to follow through on. >> i think that's accurate. i think the other thing that you need to realize is that -- as we're talking about some of the challenges throughout asia and, you know, much of the discussion appropriately today has been focused on the korea peninsula. if you take a larger look, you also have to take a look at, you know, there's going to be another pressure that is starting to rear its ugly head and that is the pressure from the radical jihadist th.
4:32 am
people were dying as a result of the radical jihadist. in 2015 that number is approaching 30,000 people per year. that threat was limited and focused primarily in the middle east, today it's the middle east, it's northern africa, but it's spreading down into other parts of africa. but it's also spreading into asia and these types of things. so this is another -- it's going to make the situation more complicated. again, it may be one of those issues that, you know, in 2018 and 2019 people are going to be talking about, well, you know, this threat of radical islam and parts of asia may get to be more significant than what it is today and so, you know, this is not just, you know, the issues here in this part of the world are growing more complex and more deadly each and every year and it's, again, not because of
4:33 am
it's coming out of the middle east, but it's coming -- excuse me, not that it's coming out of asia, but it's coming because of its actions in other parts of the world and you can't view what's going on in asia in isolation. you have to take a look at what's going on in other parts of the world, as well. >> okay. i think we'll end on time. i wish we could all have this thoughtful political dialogue this year. very illuminating and instructive. i'm going to ask you to stay in place for a minute. before i let them go, i would like to ask you join me and thank them in a traditional way. [ applause ] . >> here is an article from the -- the headline "independent candidate evan mcmullin in statistical tie with clinton and trump in utah."
4:34 am
the statewide poll released by the news found that trump and clinton are tied at 26% and mcmullin, who has been campaigning for only 2 months, garnered 22%. libertarian gary johnson also received double digit support with 14%. the clinton and trump campaigns released web videos wednesday. here is a look.
4:35 am
4:36 am
>> we're going to go on -- >> mr. trump, we're going to move on. >> oh, please go -- >> allow her to respond, please. >> what do you think if aleppo falls? >> what do you think it will happen if it falls? >> how stupid is our country. >> there are sometimes reasons the military does that,warfare. >> i think the subpoena from the united states -- we have to move on. >> we wanted to give the audience a chance, here. >> let alone, after getting a subpoena from the united states. >> secretary clinton, you can respond. we have to move on to audience question. >> mr. trump, mr. trump, i want -- >> i'll -- i just one thing. >> first of all, hillary, everything is broken about it. >> please allow her to respond. >> no it hasn't.
4:37 am
and it hasn't been finished at all. >> kim has a question. >> nice, one on three. >> white house homeland security and counter terrorism assistant lisa monaco was part of cyber security summit.
4:38 am
a number of panel issues, cyber warfare, and infrastructure security. this event was hosted by the washington post. >> good morning, i realize people are still coming in. please don't be shy. there are still seats. thank you all for being here today. i am the vice president of communications and events here at the washington post. thank you to those of you who are watching us online. this is our sixth annual cyber security summit and it couldn't come at a more interesting time this summer, the democratic national committee was hacked, likely by a foreign government, just last week. yahoo announced a breach affecting hundreds of millions of people, just yesterday an nsa contractor was arrested for stealing the agency's codes. so the question is, what's next?
4:39 am
this morning you'll hear from government officials, security experts, industry leaders talking about sort of the top cyber security issues facing us today and we want to hear from you, including those of you watching us online, so please tweet your questions to hashtag wp cyber, we'll be taking those questions throughout the program. so right now i would like to quickly introduce john davis, he's the vice president and chief security officer of palo alto networks. today's presenting sponsor of the program, he's going to say a few words. thanks [ applause ] >> good morning, everyone. it's an honor to be a sponsor for this event today. i'm really excited about the agenda and really looking forward to hearing all the distinguished speakers. i joined palo alto networks about a year ago after a 35-year career in the u.s. military. most of that career was in special ops doing some really
4:40 am
cool things, but the last ten years was in cyber operations, cyber strategy, and cyber policy. and i can tell you that the u.s. military really takes cyber seriously. became a mission for us. and i say that because at palo alto networks, just like in the u.s. military, we have a mission, protecting our way of life in the digital age. very important to us. very important because the digital environment is the underpinning for everything that we do as a society, as an economy, even in national security. i'd like to quote another general, famous -- much more famous than me, i'll paraphrase, he said, basically, know your enemy and know yourself and in a hundred battles you'll never lose, or something to that effect. what do we know about the enemy. the modern cyber threat, well, we know that it's a professional
4:41 am
marketplace of information sharing, these days. and we know that the decreasing cost of computing power and the use of automation and cloud capabilities by the threat means an ever increasing number of cyber attacks that are coming at us. and with the explosion of polymorphic malicious codes we know these attacks can happen at the thousands and millions in terms of every day, every hour, and sometimes even every minute. there is some good news about the threat. i can tell you from being on the inside, there are certain number of limited techniques that every cyber actor and every cyber organization uses, buffer overflow and heap spray are types of techniques. there are about two dozen of those. and every cyber threat and
4:42 am
organization. >> while the defender uses a series of isolated point products that simply add complexity to the environment and we use technology to -- the defense uses technology that's mostly oriented from a legacy view on detection and response, instead of prevention. the adversary uses a marketplace of information sharing, very
4:43 am
effectively. we have trouble with cyber threat information sharing from the defense side. what is a good model of ourselves look like, i think that there's no silver bullets, has to be comprehensive, has to include people, processes and technology. i think one of the keys on the people side is education and training, that's for the work force that deals with i.t. and o.t. as well as the general population and let's not forget leadership. today is about that, it's about education. on the processes side, i think one of the most important processes we need to improve is information share. we need to do it at scale and at speed and that means automation and standardization. and, finally, in technology, we need to move from a legacy view of always standing at the crime scene by detecting and responding after the fact, to a prevention first mindset. and we need to be able to leverage automation in ways that
4:44 am
the threat is using today in order to keep up with and even exceed a threat and we need to get out of a manual response that's largely based on having to hire more and more people to deal with this and move to an automated capability that lets us save our people for only what people can do. those, to me, are the keys to success and moving to a successful view of ourselves at cyber security specialist. i really look forward to today and the conversations that are coming up. i hope that you enjoy today and, once again, it's an honor for me to be here and sponsor this event. thank you, and i'll turn it over to chris. >> thank you. thank you so much, john. and thank you, again, to palo alto networks and to our supporting sponsor. i know there are still people coming in. there are still chairs, don't worry, we'll get a seat for everybody. don't be shy. i will like to introduce robert
4:45 am
o'hare, he's going to lead our first discussion today, thank you. >> i'm a reporter at the post. for years on and off i've written about technology about cyber security. interestingly enough, the issue of cyber security was very very urgent in the early 2000s and it's only become more and more important, literally, i would say by the week we've all heard about massive attacks and varied attacks that have exposed people's information, led to
4:46 am
theft, created national security vulnerabilities and left us all a little more easy. today we have people that are on the front lines that are trying to fight that on behalf of their clients and by extension on behalf of all of us to make the cyber world a little safer for all of the social engagement that we have, all of the business that we rely on and, once again, for national security. patrick hien is the head of the trust. he's responsible for securing the compliance for securing the company and dropbox service. he's the chief executive and founder, consulting company here in the dc area that works with industry and government on cybersecurity issues and policies. she's a veteran of the telecommunications industry, which is fundamental to cyberspace. brian reed is the chief marketing and product officer at
4:47 am
zerofox, which provides cybersecurity services for social media channels. we'll start with a little bit of the news. we can almost cherry pick the more interesting and unsettling bits of news. it was announced this week that yahoo! scanned the e-mail of users at the request of the nsa. the company said they were abiding by the law. what are the margins here, to what extent should companies comply with the law, even if they have philosophical and internal ethical differences with those requests? why don't you start off. >> wow. i'm not going to comment specifically on the yahoo! case, i don't have enough details to have an opinion, whether they're right or wrong. on the philosophical issues, i think companies do have a responsibility to abide by the law. but they also have a responsibility to the trustworthiness of their service, providing a service to their customers. to the extent that they are compelled to do something like
4:48 am
that, i would say that has to be balanced with a certain degree of transparency to their users as well. >> in this case it was a request from the nsa. if there's a subpoena, that's a legal obligation. how do you mollify customers and protect this vague notion called privacy? >> it's a balance. as the former executive in a large company, the first step is to figure out the legal obligation. the next step is, you obviously want to do right by your customers. sometimes it helps the customer if you don't notify right away. if you take the time to look at the intruder in your network, watch them sometimes to figure out is it really a material, big issue or not, before you notify them. so there's a little bit of a judgment call. the first thing is figure out what law applies.
4:49 am
in terms of breach notification, there are different laws in most every state. with 15 plus bills in congress over this session talking about how that should be structured, should it be harmonized across the states or not so companies know what to do, that's a question congress is still debating. >> brian, do corporations have any civic role in pushing back on government requests for data as part of an effort to either embrace or encourage the change or reform in the type of laws that give the government access to information? >> certainly this is a situation where you could leverage sort of the classic public/private strategies that have occurred in the past, in terms of business should be working with the government to try to establish a set of standards that meet everyone's needs for trust and privacy, right? so i don't think we want a world where the government automatically creates new rules nor do we want a world where business gets to do totally whatever they want with your data. so having established privacy
4:50 am
and norms. in the financial industry there's a set of established industry norms, rules, and regulations about how the banks operate, how they deal with privacy, how they deal with your financial information and so on and so forth, how can we get those kinds of relationships developed between individuals, business, and the government to get to a level of understanding and cooperation. >> let's stick with the news here for a moment. and we all know that there are a whole variety of cyberattacks that can occur. there are the vaunted zero day attacks where they use -- the bad guys use heretofore unknown vulnerabilities in code. there are social engineering attacks which we'll come back to in a little bit. we all i believe agree that the social engineering attacks, which is about as simple as you can get, poses an enduring and profound threat to our security systems. but i want to talk about a threat that doesn't get a lot of attention because it's often not considered a hack, which is the
4:51 am
insider threat. we know that t-- the insider hack, i should say. we know that the nsa, it was reported this week, arrested another contractor who either took or was trying to take some really powerful code that the government was using to hack into systems abroad. i would like to hear your thoughts, maybe you can start this time, about the nature and gravity of the insider hack and how corporations and other institutions can prevent it. >> well, i think from the perspective that i have at zerofox, looking at the insider threat is really how does social become a source of data leakage, right? you have the inadvertent leakage, someone will share confidential information. we've had this happen to our customers, someone stands in front of a whiteboard, takes an instagram picture, snapchat, on
4:52 am
the whiteboard is confidential information, and it's on the internet. there's an interesting situation to deal with, to what degree should the company be monitoring their activity and looking at perhaps who they're associating with on an external basis. am i communicating with, you know, certain known bad actors in the social realm, for example, and should the company be allowed to monitor that, and should the person be held responsible for that or not. >> i would argue that companies in fact have total right to monitor their own networks and the behavior of their employees, because they're the ones that are responsible and in charge. so let's think about that for a moment. companies are allowed to do that. let's accept that for a moment, for the sake of discussion. when does that kind of surveillance inside a company, now let's extend it more broadly, the government has a right to go to yahoo! and look at e-mails, i don't think anybody here would disagree that
4:53 am
that kind of surveillance can improve cybersecurity. but when does it become onerous and how do we strike a balance between security and the emotional wellbeing of the rest of us who don't want to be spied on all the time? >> i think that's a line everybody is trying to figure out right now. everybody who looks at insider threat realizes there's a lot of data from which to draw, data that isn't necessarily offensive on its face. the company has information on when you show up, when you leave, when you log on to your computer, the sites you go to generally, your routine when you get to the office. hr might be aware that you have issues at home or are bullying an employee. if you took all those factors together and look at them holistically, you can paint a pretty good picture of when somebody is going to do something. >> that's very interesting, it sounds like something you would read in john le carre. >> what i think people fall down
4:54 am
on is putting all that together. >> do we have a choice to not to take those steps? the human elements here in cybersecurity is pretty important, isn't it? >> it is very important. but i don't think we've struck the balance yet between the capabilities of technology, the what can we do, and the policy behind it. i believe right now the capabilities may actually exceed the policy discussion. and the assumption that was made around an employer's ultimate right to monitor, that's not necessarily something that's held to be true in europe and other countries that have different legal frameworks around privacy. >> that's a good point. we talked a little earlier about social engineering. i know you've given a lot of thought to social engineering. would you describe the difference between social engineering and a zero day, and which is prevailing now as the attack vector of choice? >> at dropbox we have a half billion users around the world and we see a lot of the attacks that happen. the vast majority are very
4:55 am
unsophisticated. this doesn't very, very sophisticated attack tools. it involves organization and individuals working on these. the sophistication of the threat factor is high but the threat level is relatively low. >> quickly, what is password reuse? >> sure. i would say that's currently the number one risk that consumers face. there is a tendency to use the same password across many different sites. what happens is it's the weakest link. if one of those websites is compromised and those passwords are stolen, they're automatically tested against many other sites to see what can the bad guy get into now. there is sophistication on the testing tools. >> so you're saying if i use
4:56 am
trekkie or live long and prosper everywhere, it's not a good idea? >> not at all. we've been advocating for two factor authorization for a long time. the white house has an initiative to drive higher enrollment. >> give me an example of that. i'm sorry to interrupt. some of us are lagging behind the current jargon. it's very important stuff, right? >> so two factor authentication very simply is on top of your password there is something else that they need to get into your account. it could be responding to an sms message. it could be an app on your code with a token code that changes every minute. or it could be a hardware device that you have to activate. and those options are made available on many sites. but they're not -- they don't have a high degree of visibility. they're not always turned on by users. at dropbox for example we offer three different methods. we see approximately 1% of our users opting in to turn those on, which is a challenge. >> what about social
4:57 am
engineering? how important is that to your business? >> social engineering is very interesting. our mission is to protect and safeguard our customers on these social networks, facebook, twitter, instagram, linkedin, a corporate social network as it were, and other networks. when we look at what's happened with social engineering, our research team spent a couple of months in black hat and showed how many offensive tools can be built in social engineering. snapper can profile the user. it basically learns from your tweet stream, engages with you and gets you to click on malicious links. >> let's pause there. what's a malicious link? >> a link to download malware, a link to download credentials
4:58 am
like a fake credit card site where they gather your information. >> when i'm cruising through twitter and clicking on things, i could be exposing myself to a virus? >> exactly. i bet you've learned that you shouldn't click on links in e-mail from people you don't know. people on social think it's safe and click on the links. the human condition of socialization that maybe i shouldn't click on bad links in e-mail hasn't carried over to the social media world. the bad guys know that. what we've learned is social media attacks are typically six times more effective than e-mail-borne attacks at getting information. >> first of all, as the lawyer, i want to make sure there's the expectation of privacy at the outset. as an employee, what are your expectations? make it clear that every device
4:59 am
they use, byod poses an interesting angle, what is the expectation for privacy. i say lock that down at the beginning so there's no question. and then employ the tools that are there, tools like his where you can find out on social media what they're doing, the sandboxes, that fireeye or someone might use. two factor authentication is key, educating employees about that. i agree, the white house has been fantastic about that. there's a great site out there called twofactorauth.org, that can tell you what services are using two factor authentication, and employees if you're in the corporate context. >> it sounds like there's a theme that's emerging here, that to stay ahead of the threat, it's not just a technical response, it's education, it's all of us in the air, learning
5:00 am
how to behave properly with good digital hygiene. that sounds so boring compared to the sophisticated cyberworld. how important is this stuff and what about the technical solutions? >> it's incredibly important. and the challenge has been that billions of individuals that are online across the planet right now, and the education that i've seen reasonably effective is in corporations. but when you look across the broad consumer base, getting individuals to change behavior has been very, very difficult. i'm not quite sure whether that's the long term answer. so i think much more research has to be done, especially on the part of large technology companies. and how can we help them, how can we compensate for some of these weaknesses? as an example, right now we build sophisticated systems that
5:01 am
detect fraudulent log-in activity. even when somebody comes in with a stolen password, 85% of the time we have enough signal there to identify that it's actually a bad guy and we can block that very accurately. that's an example. i think large tech companies have the power to do that kind of work, to protect the users when they have not done their part in protecting themselves. >> terrific. any thoughts on the education? >> what we're finding when it comes to the corporate enterprise and the agency side of the house is that education is just as important as the technology behind it. simple socialization strategies where most of you in the organizations are probably already promoting good hygiene on e-mail and good hygiene on web. simply amend that with good hygiene on social, where you can say, just like you don't click on bad links, don't click on them in social. use two factor authentication on everything, including your
5:02 am
personal social networks, not just your company or agency technology. >> let's go away from the grassroots of the users and the behavior up to the top of corporations for a moment. it's been my impression, going back a long way, that corporations will sometimes make short term decisions very profitable, that create massive, even hellish cyber situation, companies issuing instant credit cards at retail outlets that help spur blossoming of identity issues. when should corporations be held accountable for cyberthreats, that because the world is so interconnected, create threats for the rest of us, and how do we address that? >> they should be held
5:03 am
accountable if they haven't taken the right precautions. that could mean any number of things for many kinds of companies. if they're not looking at cybersecurity at the board level as a risk issue, that's where they should be held at fault. >> so you're advocating deeper government regulation of companies that use technology? >> no, i'm not doing that at all. i think the securities and exchange commission took one of the most influential steps when it published guidelines reminding companies that they had to include cybersecurity breaches and issues in their materiality statements for disclosure. >> what about private companies? >> that's a trickier question because you don't have the sec guiding them. >> and you also don't have insight into their activities because by law they don't have to tell us what they're doing. >> what is the risk? is it the consumer, you're losing their business because
5:04 am
you're not protecting their data? what is the risk and react accordingly. >> not to be gloom and doom here, but i visualize a giant map. it's all the companies in the world. it's all the users in the world. and based on what you just described, there are huge black holes that lack information in this giant interconnected world. and those giant black holes represent unknown security threats because of the behavior and the corporate use. how do we, when we all of us around the world rely profoundly on cyberspace for everything from -- and this is not trivial, our social interactions, and our national security, and our power grids and our credit grids, how do we fill in those black holes? >> the question is how black are those holes. and i think in the consumer space versus the enterprise space, there are some differences. but obviously when a company is selling to other companies, they generally go through a variety
5:05 am
of certifications around their security and their processes. they do testing. as a consumer, i would say one of the interesting indicators i see that is a great test of maturity of the company you want to do business with is, do they submit themselves to open hacking? do they compensate hackers? there are businesses where if you find a vulnerability in their product, they'll pay the hacker, which is amazing, it gets hackers organized in a positive direction to make money and solve issues. it's a great indicator that the organization that puts that out there feels comfortable, they want to learn more. they have a culture that is trying to identify new holes in the system to protect themselves and their users. >> any thoughts on the black holes? >> yeah, i think what's interesting is in all my years of technology, we will invent something new every five to ten years and create a new set of potential black holes, right, in the waves of innovation, right? the social media of today, we
5:06 am
couldn't have fathomed 15 years ago. i think it continues to be this notion of mixed public/private, right? and trying to coordinate across those organizations. i do think most businesses mean well, the agencies mean well as well. so finding more ways to partner, finding more ways to work together to make sure that we're covering things. you know, if you look at my bad guy database, your bad guy database, and every vendor's bad guy database, how come we don't have one bad guy database? there are interesting places where federal agencies are now trying to encourage sharing across organizations, encourage sharing of that information, encourage sharing of ttp, tactics that the bad guys are using in the adversarial space. >> it's a fascinating world unto itself. i'm sure the panel later is going to be getting into the policy of information sharing between government and private, because that's a profound long term piece of the answer. we have some questions from twitter here. one of them is very interesting.
5:07 am
can you offer advice to bring along slow adopters who are still interested in protecting their turf? maybe each of you can take a crack at that, if you want to start, kristen. >> sure. the white house issued a few executive orders, they created the nist cybersecurity framework a few years ago that provides a laundry list of standards, and a framework for assessment. so companies of all sizes can go to this framework and it will help them assess what is my level of risk and what should i do in response to that. it is voluntary. it's also self policing so nobody has to do it, to your point about black holes. but it definitely helps raise awareness of what standards and processes are available and what might be appropriate for the level of business you have. >> my advice would be focus on the problem we articulated earlier, which is around your own passwords as a consumer. use unique passwords. use a password management tool,
5:08 am
a data save of some kind, like 1password, there are lots of them out there, that make it easy to have different passwords, and turn on two factor authentication. >> we were talking about things that people put in e-mails. what does that have to do with cyber security? that seems so banal. should people be careful of what they put out on themselves on social and in e-mails? >> sure. one of the rules is don't do something you don't want on the front page of "the washington post." that is the reality. i talked earlier about the instagram inadvertent posting. it happens a lot more than you would think. inadvertent sharing. people don't tend to think about it. you're on a trip, posting like crazy in hawaii. someone surveilling your property knows you're in hawaii and now is a good time to rob your house. you may be in a social world where you want your friends to know how much fun you're having
5:09 am
in that part of the world, but you have to think about the prudence of sharing that information. there's an interesting human condition now where we have this sharing economy, this sharing communities now, especially around social networks. and you need to make some conscious decisions for yourself, for your family, for your children, on what is the appropriate level of sharing of that information, and who do i want to be able to see that? not only do i have two factor on, but do i also use the privacy policies to restrict my social posts so only my friends can see me, not the rest of the world? >> what a fascinating audience -- excuse me, a fascinating panel with interesting ideas. thank you much for joining us. >> thank you. [ applause ]
5:10 am
>> hi, everyone. welcome to "the post." happy to have everyone here this morning. i'm elise viebeck. i'm a national enterprise reporter and former cyber reporter, although fan of all things cyber still, and happy to be on stage with this panel to talk about political leaks and hacks, the vulnerabilities of dc institutions to our cyberadversaries, something that a lot of people here in town are thinking about. i also want to say hi to our viewers at home. i hope that folks in silicon valley are fully caffeinated because it's a little bit early. michael sussman is a member of the dnc's privacy, security, and
5:11 am
cyberboard, lots going on there. brett dewitt is staff director of the cybersecurity infrastructure protection and security technologies subcommittee for the u.s. house homeland security committee. then thomas hicks, commissioner of the election assistance commission. and finally, rich barger, chief information officer and co-founder of threatconnect which many people in the audience will be familiar with. i actually want to start with rich and talk a little bit about the motives of our cyberadversaries online. obviously we know russia and china are constantly probing if not gaining access to institutions around dc. and it's not really an overstatement to say that they're interested in the intelligence value of the information that they find. could you talk a little bit about that? >> right. with regard to the intelligence value, i mean, it really depends on what motive, what operation,
5:12 am
what effect they're trying to deliver. you might look at some of the traditional chinese espionage we've seen that has gone after a variety of, you know, companies, businesses, as well as organizations such as opm, that they could use or leverage that information for a variety of purposes, to bolster an economy, get to market quicker with a certain technology, or perhaps buttress counterintelligence activities, if they wanted to look at various targets or recruitments or operators within their borders. with regard to what we've seen recently with some of the russian attacks, you know, we're still kind of looking at this activity and trying to kind of tease out what their motives might be. it certainly looks that they're being very aggressive in terms of trying to shape a narrative
5:13 am
around just hanging a question mark over our system. and in the case of the wada hacks, american exceptionalism, the fact of whether or not our medals really belong to our athletes or not. there could be a variety of different motives in what these types of groups are trying to do in trying to affect for their own national objectives. some of the things we've been kicking around in the office is just for every story that runs and every conversation in and around the elections, what is the thing we're not talking about? we're not talking about syria. we're not talking about what's going on in the ukraine. and so there is some broader issues, what russia is doing and the rest of the world, where we are still hyperfocused on ourselves here, in particular the effect we're seeing that might serve as a convenient distraction to keep us locked up
5:14 am
at a very interesting time and in a very polarized event. and so -- >> i would follow up on that by asking, do you think that there is special attention being paid to the democratic party given hillary clinton's run for president, do you think that it's possible that adversaries are as tuned in as we think they might be to the goings-on of our election, that they're interested in one party and the outcome that way? >> you know, i think that ultimately what's at hand is that they're seeking leverage, and that i would not necessarily seek that leverage in one party alone. i would buy insurance. i would make sure i covered my bases, depending on however this falls. and so i would be very surprised if this wouldn't affect both parties and, you know, perhaps might be the new normal.
5:15 am
we've seen campaigns targeted going back as far as 2008. the president indicated his campaign had been targeted. so might we want to consider this in the next election cycle, and just really start to kind of focus that this is maybe a new way of life. >> michael, i would ask you a similar question. do you think that our cyberadversaries are politically astute in that way? do you think that they paid special attention to the dnc because of the potential to see a clinton presidency? >> well, they're certainly politically astute. we really don't know what they're doing. i think that we're in the middle of a book. someone is going to write a book about these events now and we're in the middle of them, we don't know how they're going to play out, and we really don't know what -- it's big political theater, to figure out who is trying to do what and why are they trying to do it. we know they're astute because
5:16 am
we know it's russian state sponsored and we know the groups doing it are very sophisticated. in fact this is their day job. when we're looking at activity, we saw the most activity begin to come from 9:00 a.m. until 5:00 p.m. moscow time. there were people, when we talked to the victims in the political parties, we would say that unlike a company where a state actor would say, let's find a company we can get into, this one the doors are locked really tight, we'll move on to someone else. for these organizations, it's someone's day job to get into this organization. and they're not going to go away. they're going to be persistent. they're very sophisticated in what we are doing. but it's really a guessing game now why they're doing what they're doing. >> do you think we could see more e-mails and documents out of the dnc hack? do you think it's possible? >> sure. i wouldn't just call it a dnc hack. this is a broad campaign to hack party and campaign systems,
5:17 am
personal e-mail accounts of people, and collect it all. there certainly is more out there. we don't know what we'll see. an interesting thing is that when we see documents, we don't know whose they are very often. so initially, when the guccifer documents were posted, with whatever organization i was working with, they would say is this yours, is that yours. it's not clear. a document may have been created by one group, circulated to other groups. some of the documents have been altered, some haven't been, some have malware. the campaigns are really busy trying to elect candidates. it's become a side job to deal with this but it isn't a full job, and there isn't a full-time effort to figure out if something is authentic or isn't it, they're trying to move on with the business of the campaigns and the parties. >> brett, your boss, michael
5:18 am
mccaul, said the rnc was hacked and then walked that back. i'm wondering whether you're aware of specific gop operatives who have been either probed or hacked, and whether your boss was really telling us the true story at the first point. >> i would say this. the point that chairman mccaul was trying to make when he was on cnn, the point that both political parties have been hacked, trying to make the point that this is bigger than that and you have to look at the motives behind what these hacker groups are doing, looking at the psychological warfare, trying to undermine the integrity of the entire system, looking at harvesting americans' personally identifiable information, looking at voter registries. those are the motives we've been briefed on. the point he was trying to make is both parties are being hacked, this needs to be a
5:19 am
bipartisan issue and there needs to be strong consequences when those actions take place, whatever the actor is. and so that's the point my boss was trying to make. >> do you think republicans are equally vulnerable? >> absolutely. i mean, if there's anything, like i said, there have been reportings that republican political operatives have also been hacked with their e-mails and campaign-related issues. so both parties have been. i think looking at the political organizations, i think we all need to be vigilant that this is real, this is the way of the future. we need to be vigilant. it's almost as a warning that all political parties and all state, local -- local, state, and federal, need to be aware that this is the new world that we have to live in, and we need to be prepared for that. and we need to be looking towards november 8th. there's a lot that we need to do to ensure that we're prepared for that.
5:20 am
so it's about being vigilant, everyone should be aware. >> thomas, let's go to you. for our younger viewers in particular, the question of online voting always pops up about this time in the election cycle. and many of the people watching will understand why that's a bad idea. i'm hoping you can kind of walk us through what you think of that idea. >> thank you for having me here today. one of the things that i know that a lot of folks probably don't know about the election assistance commission, it's a small federal agency that deals with the administration of elections. it was formed after 2000. in terms of internet voting, there is a small portion of folks who are allowed to use the internet to vote. and those are military and overseas voters. most of them have to be in harm's way. but it's a very small segment of the population. in terms of expanding that out, it has to be more of a discussion that we need to get into, when we have things about these incidents that have been occurring in the last year or so. we need to look at best practices and see how we can
5:21 am
expand that out. what our agency is doing now, we're working on our voluntary system voting guidelines which haven't been updated since 2007. so 2007 was basically when the iphone came out. so technology has changed. and so our processes have changed as well. and so at that point we should be looking at ways to make it more convenient and more efficient for people to use their technologies to vote. but also make sure that those votes are secure and counted accurately as well. >> absolutely. internet voting is just one piece of the puzzle as people talk about this. obviously electronic voting machines, if they have an access to the internet, can be vulnerable on their own. i'm wondering if that's something you guys are thinking about headed into next month. >> yes, we think about all of that. we've been thinking about that for years on end. it's not something that's going to change overnight. i'm hoping this conversation doesn't end on november 9th, that we continue it on in
5:22 am
january and february on. and so that we can look towards the 2018 election and 2020 election to make it more convenient, make it more secure. our elections right now are the most secure they've ever been. but we can do better. we must. >> rich, about this election issue, i'm wondering if looking toward november 8th there's anything on your mind in particular when it comes to threats. >> with regard to threats, you know, i never cease to be amazed. you know, i kind of -- i'm never surprised when i start to see these sorts of things. you know, you just think, you know, we just continue to think creatively around how might, you know, the adversary continue to meet their objective. short of a crystal ball, it's very hard to say what we might see. but there's certainly precedent for the leaks. i think leaking of some of the audio communications that we
5:23 am
saw, you know, recently might, you know, be indicative of some things that closely matches some activity that we saw occur in the ukraine during their election. really we just have to kind of look at a precedent. what did we see in and around some of the ukrainian elections? might they be playing and operating from a similar playbook? i can't say for sure. but maybe that's a good rubric to look at and think creatively as to what we might expect to see. >> michael, when you think about the threats facing dc institutions in particular, everything from party committees to campaigns, transition operations, think tanks, everyone is being probed all the time. what would you suggest that people who haven't been ahead of the curve on this begin to do now? how would you kind of introduce them to this problem? >> well, i think they've been introduced by reading the papers and seeing what's going on. and the big change is this broad
5:24 am
doxing. the idea that people looking at your things and learning but, this intelligence collection, is one kind of threat. but now people are seeing their personal e-mails and communications and papers are being posted to embarrass them. and i don't think anybody here would like or be proud of everything in their e-mail in-box posted on the internet. it's a threat for companies, it's threat for people. the education is in investing for it. i think for the political parties and campaigns now, republican or democratic, there are really two time periods. there's the next month before the election in terms of cyberpreparedness, readiness, response, and then really important work after the election in thinking about what to do. because all these political organizations want to put all of their resources into winning races and promoting candidates and building their party. traditionally this hasn't been like in a corporate analog where
5:25 am
our annual budget has a line item for $4 million for cyber. it just hasn't been the case. it needs to be the case now. there's thinking about financing, how we're going to find the money to spend on this on a dedicated basis, and then thinking about longer term plans, that it's not just about keeping the boat afloat now, but to continue the metaphor, building a stronger ship. and the one point that i wanted to make or maybe a question i wanted to ask about the safety of the elections is, my understanding is that one of the -- is that the elections system, the voting system on election day is reasonably safe from cyberattack, because the 8,000 or so districts that we have are not interconnected. they all run different systems. some are purely paper. some are not, they're backed up. my understanding is there isn't a -- maybe one of the other panelists want to comment, there isn't a voting virus or voting
5:26 am
malware that's going to go out or an attack on the nation's voting system. we're very safe that way because of the diversification and heterogeneous nature of all of the districts, none of whom are connected to the other. >> one of the things i would say is our system is decentralized. so with a decentralized system, you would need an army of folks to basically try to get into the systems. the eac certifies voting equipment. 47 out of 50 states use our certification program in one way or another. so every system that we certify, none of them are connected to the internet. so there will not be any sort of internet hack into our incidents on voting machines themselves. >> michael, just one other question. when it comes to individual looking at their own cyberhygiene and e-mail practices, is there anything that you have i seen people as we all go about our days and say things in e-mails that we might not want to be hacked, do you
5:27 am
think there's a culture change sort of going on as we approach this technology? >> there's a culture change. and there are a couple of simple things everyone should do, everyone in this room, everyone listening, and that's turn on two factor authentication in your e-mail and social media accounts. that means you need two ways to log in. when i use my personal e-mail, i put in my e-mail address and password and i get a text message with a code and i'm prompted to put in the code. two factor makes a huge difference. the bad people use your social media and your personal accounts and all sorts of information to create spear phishing attacks. these are really targeted e-mails that look authentic to try and get you to click on a link or open an attachment. these attacks are so sophisticated, but most of them start with a really simple piece of human engineering which is to get you to click on something. so think more about your privacy in the social setting. and facebook has a one-click
5:28 am
solution that in your privacy settings, there's one thing you can click to make all your future posts and everything you've done in the past friends only. you know what it's like when you're going to meet someone, you look someone up, you say, what's this person about. some people on facebook, it's like, oh, there's this person in the bathing suit, drinking a beer, with their kids. and people don't have that awareness. you can take care of that with a click. and then lastly, there are peer to peer encrypted apps like facetime audio and signal and other apps that allow you to have fairly guaranteed private communications. so those are three quick tips. >> i would ask the same thing to you, brett. the culture on the hill, is there attentiveness to the idea that you're being probed all the time? do you have two factor authentication as part of your system there? >> you look at the house of representatives and the systems we have, i mean, like any other organization, there needs to be training.
5:29 am
it's a whole -- to your point, it's cultural. you need to have everyone within the organization aware of it, because it just takes clicking on a malware in an e-mail from a phishing attack that can really undermine the entire system. i would say we're very vigilant, we have training programs. and we're -- i think we do -- i think we set an example of what we do internally for that. so i would say yes, for sure. >> thomas, jeh johnson really talked about the idea of making our election system count as critical infrastructure officially. could you explain a little bit about what that would mean and whether you agree with the idea? >> i can't really speak to what dhs wants to do. but i can talk about the fact that states are looking for resources to help make sure that their systems are secure. and so if dhs wants to offer those resources, i think that that's a great idea. >> additionally we pass legislation through the congress
5:30 am
back in 2014 that also last year basically says that dhs can provide voluntary, upon-request assistance to critical information, but also to state and locals, for various tools. it's all optional, it's voluntary. there's a suite of tools that are available if asked upon. it could be those tools, or it could be private sector tools. but the bottom line is i think states, localities, need to -- need to invest in these technologies and ensure that they're secure, the capabilities that dhs has, more than half have now signed up for this voluntary assistance. in the congress, we have legislation that passed out of our committee last year, that passed the house of representatives in december, it's pending in the senate, that basically even further clarifies that the role of dhs in providing this voluntary assistance to states when they request it. and so about clarifying the law, we think that will make a big
5:31 am
difference, ensuring that, you know, absolutely not do we want to federalize the election system. that would be unconstitutional. the u.s. constitution reserves the rights to states to administer elections. but we do think that providing tools and capabilities would be a good thing, if it makes sense for those localities. >> while we're on this topic, could you give us a quick forecast for the lame duck? what do you expect to happen there? >> i will say, we're working on several pieces of legislation right now. one would reorganize the department of homeland security to more effectively carry out its cybermission. we passed several bills through the congress back in '14, as i said. the big one, the cybersecurity act in december, giving dhs authorities. this bill we're trying to move through, our committee moved it back in june. and we're working now to get it to the house floor. it would basically restructure, streamline, reorganize, so it can more effectively carry out
5:32 am
those authorities that we just gave. so that's a big one that we're trying to get through. there's a lot of other committees involved, so we're doing the best we can to hopefully get this done by the end of the year. it's a top priority for chairman michael mccaul, my boss. the cyberprotection act provides assistance to states and strength the state and local crime fighting act that would basically provide voluntary assistance tools to state local and state law enforcement, judges, to go after cybercriminals. so we think these kind of assistance tools to states will go a long way. but those two bills are pending in the senate. so we're trying to shake them loose over there. these are the various bills that we're trying to get enacted in the lame duck. we'll see. we're doing the best we can, though. >> we've gotten a couple of questions from twitter here. i might go to you, rich, on this one. isn't the u.s. involved in
5:33 am
cyberespionage as well? discussions seem to suggest that the u.s. and americans are innocent victims. comment? >> innocent victims. well, i think everybody -- large countries and even emerging economies are seeing the power of cyber and how the world has adopted it and how we work, live, and play. the internet permeates every way of life. it's how you execute your -- and go after those national objectives within that respective domain. some countries might seek to bolster their economy. others might seek to go after terrorists. others might seek to undermine an election. it really just depends on probably their perspective. you know, as to who is a good guy and a bad guy. and the motives behind leveraging that domain to enable that respective nation.
5:34 am
so -- >> the next question sounds a little bit like the plot for an action film. we talk about international attacks, but is there a chance or enough sophistication domestically to see hacks between parties? michael, any comment on that one? >> i think and hope that everyone is working on their -- supporting their candidates winning the election. so is it possible for there to be another watergate-like break-in? sure. hopefully people are smarter than that now and will leave that to good fiction reading. >> absolutely. i know that our video team has a clip queued up from the last presidential debate, clinton and trump's comments on cyber. there weren't very many of them. we might take a look at that and lead into our last question here. if we've got that. >> we need to make it very clear, whether it's russia, china, iran, or anybody else, the united states has much
5:35 am
greater capacity. and we are not going to sit idly by and permit state actors to go after our information. we don't want to use the kinds of tools that we have. we don't want to engage in a different kind of warfare. but we will defend the citizens of this country. and the russians need to understand that. i was so shocked when donald publicly invited putin to hack into americans. >> as far as the cyber, i agree to parts of what secretary clinton said. we should be better than anybody else, and perhaps we're not. i don't think anybody knows it was russia that broke into the dnc. she's saying russia, russia, russia, maybe it was, i mean, it could be russia, but it could also be china. it could also be lots of other people. it could be somebody sitting on their bed that weighs 400 pounds, okay? >> the 400-pound hacker, that's right.
5:36 am
if we could go down the panel, i would be curious what questions you think presidential candidates should be able to answer about cyber in this day and age, and what do voters need to know most about this topic in order to evaluate the candidates. michael, you want to start? >> wow. they need to take it seriously. they need to understand how serious it is. they need to understand the seriousness of the consequences. one of the most difficult things about considering retaliation are the consequences of that retaliation, and keeping in mind, and i hope -- and i'm sure both presidential candidates are aware of this, that our economy, our internet economy, our internet lives, is very fragile. so going to cyberwar with a big country like russia or a smaller sophisticated country could result in grave consequences to our economy and our critical
5:37 am
infrastructure. so it's a difficult thing. since it hasn't been that kind of large scale conflict hasn't been waged before, there's a lot of thinking and a lot of caution going into what the next steps could be. >> brett, what about you? >> i would say if you look over the last several years, we have worked in the congress on a bipartisan basis to get important cybersecurity legislation through, going back to the five bills we passed in '14, the big one we passed, the cybersecurity act in 2015, those were bipartisan efforts to address a threat, a national security and economic security issue. and i think going into the next administration, i think it's important that we realize that this is the number one concern that we've heard from -- the mike went off -- that this is now the number one threat we're facing as a nation. i think looking to the next administration, investment in
5:38 am
cybersecurity, there's a lot that needs to be done. we need to beef up and make stronger the cyberdefense strategy. i think we need to do more to show our adversaries that there will be consequences when cyberattacks take place. anyway, i think that would answer the question about. >> sorry about that. thomas? >> i would answer it twofold. one, one of the best ways -- is my mike not working either? can you hear me now? how about now? >> speak up. >> speaking, speaking. no? no? well, i'll try to speak loudly. two of the best things that can be done is on the front lines, is basically to have additional poll workers. so basically having additional poll workers so that they can see what is actually -- so the best way to see the administration of elections is from the inside.
5:39 am
so becoming a poll worker allows you to do that. that's one of the things i would say. the other thing i would add is that both president bush and president obama added millions and billions of dollars for the administration of elections. so i would hope that whoever becomes president looks at elections not just for november coming up, but elections happen every two years, and states and locals are at their wits' end in terms of funding for roads, schools, military and so forth. we all know those things are important but our democracy is also important. we have to make sure we have that investment into it. >> rich, you want to close this out here? >> sure, i'll go analog here since it seems we've had some issues. i think all -- you know, our next leader and/or any new world leader is going to see and
5:40 am
understand how important the internet really is, again, to everything from our economies to elections. it is really a new domain that wields a lot of power. and i think that it needs to be respected and understood. and it's certainly complex. and so these asymmetric threats that seek to wield it, you know, there needs to be norms that are established. there needs to be greater understanding in and around what the art of the possible is. and, you know, it's certainly interesting times, we can really see, again, the effects that the internet holds, not only here in the states but maybe the world writ large. >> great. help me thank our panel. [ applause ] >> there is actually a long
5:41 am
history of the russians trying to interfere with or influence elections, going back to the '60s, the heyday of the cold war. so there have been several documented cases of previous elections that -- where it appeared that they were trying to somehow influence the election. and of course there is a history there of -- there's a tradition in russia of interfering with elections.
5:42 am
their own and others. and so it shouldn't come as a big shock to people. i think it's more dramatic, maybe, because now they have the cybertools that they can bring to bear in the same effort. you know, it's still going on. i will say that it's probably not real, real clear whether there's influence in terms of outcome. what i worry about more, frankly, is just sowing seeds of doubt where doubt is cast on the whole process. >> i'm craig timberg, the national technology reporter at "the washington post." we're here to talk about cyberwar. and this is a reminder to tweet your questions and comments to us using the #wpcyber. i'm not going to roam the audience like phil donahue, so
5:43 am
that's the best way to get your question, if you like. to my left, maybe to your right if you're watching tv, is juan zarate, deputy assistant to the president and deputy national security adviser for combating terrorism under president george w. bush. richard bejtlich is the chief strategist at fireeye. he was previously director of incident response for general electric and started his cybersecurity career as a military intelligence officer in the air force. on the far side is frank cilluffo, associate vice president at george washington university where he directs the center for cybersecurity. let me start with a general issue that as a journalist i wrestle with all the time. what do we mean when we talk about cyberwarfare? i think we know what hacks are. a lot of what we read about in the press, some of the stuff i write about is really espionage. what is cyberwarfare?
5:44 am
let's start with frank on the end. >> thank you, craig. a lot of the coverage today reminds me of kids' soccer, everybody chasing the ball, the shiny object. not all hacks are the same, nor are all hackers. their intentions vary, their capabilities vary. if you were to stack the threat environment, nation states are obviously at the top of the list, countries that are integrating computer attack and exploit in their doctrine. you have criminal enterprises, and hack-tivists. not all hacks are the same. they're very different. countries that are marshaling and mobilizing cybercapabilities into their war fighting strategy and doctrine are the countries at the very top of the list. when from a u.s. national security perspective, obviously russia and china are at the very tops of that list.
5:45 am
in terms of capability, a lot of what we've seen is computer network exploit or espionage in cyberspace. they've also done integrating the cyber into their war fighting strategy. you've got other countries who may lack the capability of russia and china, but what they lack in capability they make up for in intent. this is where you put north korea, iran, more likely to turn to a disruptive or destructive cyberattack. that's got fewer constraints in terms of some of those capabilities. i'll shut up at that point. not all hacks are the same. not all nation states are the same. not all capabilities are the same. ultimately it hinges around intent. in other words, if you can exploit, you can attack. the line is very thin. it's all hinging upon the intent of the perpetrator. >> richard, do things need to blow up, do things need to break
5:46 am
in order for it to be considered cyberwarfare in your mind? >> my answer to that question is cyberwarfare is either what you call your book or your documentary if you want people to pay attention to it. >> or your conference panel. >> it will be sure to get someone's attention. my definition of cyberwar is the imposition of will using a digital means. now, there are two schools of thought. one school of thought, which is the school of thought of my ph.d. adviser who wrote a book called "cyberwar will not take place," and the reason he called the book that is he believes that war equals violence. and if you don't have violence, you don't have war. and he believes that cyber cannot be used to impose violence, therefore cyberwar will not take place. that's one school of thought. another school of thought says it's much more expansive, this is the way the russians and chinese tend to think about it. they believe that war is not just violence. war can be any means by which you're trying to get your way.
5:47 am
in fact they tend to come from a tradition, especially the chinese, that say you're much better off not fighting and achieving your way. that's the highest acumen of skill is to not fight. i tend to take the position that if you're imposing your will, using a digital means, that could be war. just to step a little bit further, though, we may be in a situation in five, ten, even 15 years where this thing we call cyber is just so integrated into every aspect of life even more so than it is now, that it makes no sense to talk about cyberwar. because i mean, an f-35, is that a cyberweapon? an f-22 right now could be considered potentially a cyberweapon, because one of the benefits it has is it networks with other fighters in order to get a better picture of the battlefield. that's the way i tend to think about it. >> and juan, if iran, for example, if they use cybertools to attack a big u.s. bank, for example, is that an act of war? >> it's a great question, because i'm a bit more forgiving for the five-year-old soccer
5:48 am
problem. we are in sort of uncharted territory, because you have a blend of actors, state and non-state, both in attempting to acquire data as well as to disrupt and potentially even destroy systems. you have this change of concept of what warfare even means, right? and so the very notion of russian hybrid warfare combined with cyber capabilities becomes interesting. we don't have doctrines to define what those clear lines are. currently as we think of it, we don't think of these tools as true cyberwarfare tools until there's an element of destruction, something that is demonstrable. that's part of the reason we haven't had as much awareness of these issues as we've seen, nation states and non-states engage in cyberespionage and data exfiltration.
5:49 am
we do have nation states attacking private actors. we've had syrian entities attacking western banks as part of a denial of service, not destructive but intended to send a message. you've had north korea attack south korean banks as well as sony. you've had other state actors like russia attack various systems, government and non-government. so what you have at play is really an open field in the cyber domain where actors are feeling out the bounds of what's permissible. one of the great challenges in this space is how do we define the boundaries of what's acceptable or not, how do we respond. that puts great stress on how do we respond in a proportional and commensurate way without unleashing other forces or warfare. that's why you hadn't seen officials wanting to be too open
5:50 am
about, for example, russian attacks, despite what clapper said above our heads. there has been reticence to do that because it raises questions on what the end game is here. >> can i pick up on a couple of points? all forms of conflict today and tomorrow, almost 100% unanimously are going to have a cyber dimension and component to it. to pick up on some of the points my esteemed colleagues raised, cyber is its own domain. those integrating computer attack tools into other domains, air, land, sea, space, that's where cyber is not its own entity but it enhances the lethality of conventional weapons in other domains, enhances the ability to seize territory. and i think it's important to recognize that the battlefield today has been extended to incorporate all of society.
5:51 am
and companies are on the front lines. that's what makes this different, is that the targets are not merely government on government targets or the like, but the financial services sector, the recent swift hack is one of the incidents that rises above the fold, not because the central bank of bangladesh lost money, bad day for the bank and its customers, but the global economy can absorb it. what it did recognize is a systemic risk. the entire financial services sector is dependent upon swift, and it's an attack on swift, we're talking about billions and billions of dollars of transactions being settled daily. these are the different targets. and the ukrainian hack, that was a big deal, the ukrainian grid hack, not because of 250,000 people losing power for a couple of days, but the rubicon was crossed wherein a cyber weapon
5:52 am
had a kinetic physical effect that took down power. >> if there is a kinetic physical effect, that's a cyberwar. we have these weapons, if we're actually at war with someone, they're going to be -- we're going to be sending bits and bytes at them and they'll be sending them back to us in some capacity. i want to pick up on your attributions problem. this is one of the things we think about a lot. when we hear sometimes on the record, sometimes not on the record, that so and so attacked so and so, yahoo! said it was a state sponsored actor. it's hard for us as journalists to find out if that's true, right? and it's also hard for technical experts to even find out that it's true. this creates, it seems to me, enormous problems, right? in the old kind of war they shoot at us, we shoot back at them, right? that sort of makes -- it fits into a kind of strategic and
5:53 am
sort of moral framework that makes sense to all of us. i guess i would ask, let me start with you, richard, are we ever going to know who is shooting at us well enough that we feel comfortable shooting back? i'm not talking about private companies, i'm talking about at a nation state level. >> absolutely. we know all the time. there are certain elements of the private sector who know all the time. >> how do you know? >> our 2013 report, mandiant report on apt-1, that was -- there were indictments that were levied based on that. there are certain elements of the technical community that they wouldn't even believe that there were a camera on a person typing on a keyboard, hacking into an american bank, they would say that's a fake that the cia created. >> after they landed on the moon. >> yeah, because they didn't land on the moon, apparently. it astounds me that people doubt the ability of the government to do attribution after the snowden
5:54 am
revelations. if the u.s. says north korea is responsible for the attack on sony, you better believe it. for example, just looking strategically, president obama is not looking for fights. he does not want a fight with the north koreans. to actually come out and say it was the north koreans, that introduces a whole new level of complexity to his life. >> depending on whether the next president is hillary clinton or donald trump, maybe your comfort in the assertions of the u.s. government may go up or down. as someone who as a journalist sometimes lives on the outside of these things, let's talk about the gulf of tonkin attack which precipitated the u.s. move into the vietnam war, it turned out not to be true, and we
5:55 am
promoted it as true in the press because we didn't know any better. how can the public be assured to any extent that it's worth engaging in hostile action with another country that may eventually involve other kinds of weaponry and death and destruction if we just have to kind of believe, you know, the nsa or the president? juan? >> it's a fascinating and important question. there has been an attribution revolution. >> largely in the private sector. >> yes. and the technology has really, you know, advanced in ways that are incredible in terms of cyberforensics, not to mention overall cyberintelligence assessments that the government can bring to bear, not just the forensics online but everything else they have at their command. that's there. the problem is all of this is cloaked. to your point, there is a sense in the public and internationally of, well, how do you prove it? and i think part of the answer is, much of this has migrated to the private sector. companies like fireeye, some
5:56 am
would argue they're too close to the government, but there are these private sector entities that are serving as external validators. you do have private companies that are doing this work internally. and so this is a space that isn't being left to just the u.s. government. but you're absolutely right, i think the challenge that the u.s. government has faced is twofold. one, how do you prove this in a way that doesn't demonstrate and reveal sources and methods that will make it more difficult in the future? so that's the first barrier. and that was a criticism in the sony hack. in fact one of my colleagues at harvard law raised questions as to whether or not we could believe the fbi's assertion, to your point. the second problem, is what richard said, which is, okay, let's say we do attribute the attack as we did with north korea, what then?