tv Public Affairs Events CSPAN October 27, 2016 12:31pm-2:32pm EDT
12:31 pm
the nation we also need to factor in protecting civil liberties and privacy of americans. i've witnessed a lot of teeth gnashing about people committing acts of terror when the fbi previously investigated and cleared and i think the fbi director jim comey precisely described the problem with his analogy that we aren't expected to just find a needle in a haystack but are also held to account for guessing which pieces of hay may later become needles and we cannot continuously monitor americans who have done no wrong. that's not who we are. so domestic security, particularly in the ct realm is a difficult problem. and better integration of our intelligence, law enforcement, and homeland security communities is critical to our national security. and that, too, is a work in progress. that, too, will continue to
12:32 pm
improve long past when i'm fully ensconced in assisted living. i think it's also important to recognize that we're doing hard, grinding work in this space. that doesn't show itself in dramatic force but in real gradual incremental progress. as trusted relationships are grown, as systems and processes improve and integration takes over the culture, that's one of the things we've done, as an example of this is to create the domestic -- dni representative program that was run as a year and a half pilot in four cities modeled after the reps overseas in which cia chiefs of station have a second hat for me as my representative to coordinate, integrate intelligence in each country where they're posted. this pilot had a positive impact on intelligence sharing with state and local officials so
12:33 pm
we've designated fbi senior field executives in 12 locations around the united states and those domestic dni reps have made great improvements by leading efforts to integrate and coordinate ic teams throughout each one of their 12 respective aors, to use a military term. the program isn't perfect and it is continuing to mature, but it's doing good things. and it shows how we're shifting focus on to domestic intelligence coordination, particularly with the counterterrorism mission and this is something we'll need to continue to get better at because the terrorism problem isn't going to go away and it's going to continue to morph and transform and we need to stay up with it or stay ahead of it if we can. it has metastasized with isil and aq affiliates and the global trends are driving the threat to
12:34 pm
be more diverse and diffuse. one megatrend making this worse is what i call in congress and the white house an unpredictable instability. about two-thirds of the nations around the world are at some risk of instability right now. that is they exhibit some characteristic of instability. and we can't predict which specific government will collapse next or when that will happen. that's why it's unpredictable and it's something the whole world is dealing with right now. from my world travels just in the past six months or so i've observed that many, many nations are just now starting that growth curve intelligence integration we've been working at for the past decade and a half and they are -- many of them are far behind where we are and they realize that. and ic professionals get up every morning, go to work and we get better.
12:35 pm
but there are limits to what we can do. bound by the realities of our authorities and bound by the realities of the resources that we're allocated. and a lot of the obvious solutions ignore or underestimate the necessarily complex legal and political landscape that we live and work in. we live in a federal system of government. the states have a lot of autonomy, and they should. each state has a bewildering array of local structures, priorities, and sensitivities and across the nation there are more than 18,000 law enforcement agencies and departments. the dni and the ic operate within carefully defined and limited authorities, particularly within the domestic sphere and we limit how our national intelligence agencies operate inside the united states. and i think there's a footnote of history that sums up that
12:36 pm
balance. 9/11 commission actually recommended that the national intelligence leaders which became the dni have statutory domestic authority. that recommendation did not make its way into irtpa. so for the dni or the ic to take a more authoritative role in domestic security or create an intelligence structure or organization with that focus i believe would require new legislation or authorization specifically assigning that authority. which would by necessity come from a national referendum and overwhelming public support and i'll tell you particularly over the last three years or so i haven't seen a single press article and i haven't gotten any fan letter that says "james clapper should be given more authority and more capability to monitor what's happening inside the united states." and even if someone did suggest it, i don't think i'd support it.
12:37 pm
i've been in this business over half a century and i've seen where intelligence agencies do have a domestic component. that's not us. that's not who we are, we're not iran and north korea and the soviet union. we're the greatest free nation on this earth in a way to face instability and the domestic terrorist threat and the way to face extremist self-radicalized individuals determined to lash out and do us harm isn't to be afraid and let our values and principles that make our nation great be compromised. we get better recognizing our differences and if that means getting 18,000 law enforcement agencies bringing their strength to the table, we will help do that. i want to leave you with one
12:38 pm
other thought before we have a little dialogue here and that's, of course, with the upcoming presidential transition which is on nobody's mind and an election cycle that certainly for us has been sportier than typical and it seems to be getting sportier every day. a lot of people are getting nervous about what will happen and understandably so. so the message that i've been speaking out about certainly did -- and there was a summit earlier this summer that i think it will be okay. because in contrast to any uncertainty surrounding an election and a transition to the next administration, one constant in national security are the people of the intelligence community. because of our mission and professionalism, today's ic represents a pillar of stability during a transition. it will be okay because of our partnerships with defense, law
12:39 pm
enforcement, homeland security and with the private sector. those of you from the private sector bring unique abilities with respect to the ways we can do better so thanks to all of you for being here, thanks for your interest, so i think i'll stop talking at you and norty will i guess take our seats out here. thanks. [ applause ] ladies and gentlemen, we have a -- there we go. we have about 10 minutes or so a little bit less before the director needs to move on. so i'll exercise a point of privilege and then we'll be happy to take questions from the audience, one or two. sir, you mentioned your
12:40 pm
conviction that partnerships are the name of the game and it's one of those things that oftens hope if you will, clearly that's the case. i wonder if you might elaborate a little bit on how you see -- how we might advance public and private partnerships in particular with regard to the intelligence mission and with regard -- both in terms of tactics, techniques and procedures, perhaps, but more importantly to take advantage of the eyes and ears of others. >> well, i think just speaking in the -- you know, in the confines of the united states i've seen just in my time a great improvement in certainly the relationship we have with homeland security and law enforcement communities.
12:41 pm
as i've traveled around, i've visited all of the domestic dni rep cities at least once and was always engaged with the local officials, local police chiefs and i have -- i continue to be very impressed with the sophistication that are exhibited by particularly the police very sophisticated approaches to analysis, very enlightened approach to the ct problem at the local level and i find that just about everyone i've ever encountered would fit right in with a meeting of a national intelligence board and they have imported in analytic tactics and techniques and procedures that we employ in the national community are being employed locally.
12:42 pm
there are many fora that we try to use, one of which is this one, to reach out to the private sector. that is a daunting task, frankly, because private sector is as big as all outdoors and i mentioned the numerous police jurisdictions there are in this country. i think we've made a lot of headway in the flow of information both -- and when i say integration, by the way, you know i think the conventional meaning is horizontally across the national components and that's integrating with the state, local, tribal and private sector. this is a work in progress, it is not as mature, frankly, as the foreign intelligence
12:43 pm
business which we've been at a lot longer but i've seen huge improvements since 9/11, i started as nga director right after 9/11 and i've seen great improvement. not to say we've achieved nirvana, absolutely not. this is a work in progress and we'll continue to work it, seeing frank taylor in the audience from dhs, i just want to single frank out for the tremendous work that he's done in dhs in fostering this relationship at the state and local and tribal sector and what frank has done to rationalize and synthesize intelligence within dhs, building on the legacy left by karen wagner, someone else in the audience today.
12:44 pm
so, we're working it hard, it ain't perfect. we'll keep at it for -- frank and i will for the remaining 92 days, who's counting? and whoever succeeds us will continue to do the same. >> thank you, sir. question from the audience, please? >> patrick tucker with defense one. you talked a little bit in your discussion about the recent attribution of hacking attempts against u.s. political organizations. we in the press get a lot of questions about how confident are people in the intelligence community that this is related to a state-sponsored actor. can you without giving away important tactics, techniques, procedures and other evidences, can you tell us apt 28, apt 29, cozy bear, fancy bear, what do you know about them? do you have specific individuals
12:45 pm
without revealing the s in mind? do you have specific buildings? how strong is your confidence that it's related to state-backed activity and what are the details? >> i'd say that's a number of questions wrapped up in the one, sir, so please, over to you. >> if you read the statement that we issued, which is -- i think you'd agree is pretty unusual, we wouldn't have made it unless we were very confident. i am not going to discuss the underlying evidentiary basis for us but when we say we're confident, i think it speaks for itself. that's one of the reasons we waited for as long as we did to make a statement was to ensure that we had sufficient evidence both forensic and otherwise to lead us to the conclusions we
12:46 pm
reached as articulated in the statement and i don't think i'll say anything more about it than other than facts and statements speak for itself. it was mainly addressed to the american electorate, and not to any foreign nation state. >> ladies and gentlemen, the director needs to move on. thank you so much for joining us. for audience of practitioners, we'd like to acknowledge that jim clapper has been a practitioner for over 50 years for the united states of america. thank you. [ applause ] in a slightly different twist on polls, cnbc asked voters whether they're voting for or against a presidential candidate. 51% of people who say they're
12:47 pm
going to vote for hillary clinton say they're casting their vote for mrs. clinton while 48% of the people who say they're voting for donald trump say the purpose of their vote is to vote against hillary clinton. donald trump and hillary clinton are back on the campaign trail today. mr. trump is spending the day in ohio. he's holding a campaign rally in springfield and c-span 2 will have live coverage at 1:00 p.m. eastern. hillary clinton is campaigning in north carolina with first lady michelle obama to encourage early voting and c-span has live coverage of their stop in winston-salem at 2:00 eastern. our children, they look up to us, what we value, how we treat others. and now they're looking to see what kind of leaders we choose,
12:48 pm
who we'll entrust our country and their future to. will it be the one respected around the world or the one who frightens our allies and emboldens our enemies? the one with the deep understanding of the challenges we face, or the one who is unprepared for them? a steady hand or a loose cannon? common sense and unity or drama and division? a woman who spent her life helping children and families, or a man who spent his life helping himself? our children are looking to us. what example will we set? what kind of country will we be? hillary clinton -- because we're stronger together. >> i'm hillary clinton and i approve this message. >> far too many families today don't earn what they need and don't have the opportunities they deserve. i believe families deserve quality education for their
12:49 pm
kids, child care they can trust and afford, equal pay for women and jobs they can really live on. people ask me what will be different if i'm president. well, kids and families have been the passion of my life and they will be the heart of my presidency. i'm hillary clinton and i approve this message. >> what's at stake in this election? it's not just who goes here, it's who rules here, the supreme court. the justice who guarantees your right to own a gun is gone. now the next president's choice breaks the tie. four supreme court justices support your right to own a gun for self-defense, four justices would take away your right. >> the second amendment is outdated. >> the right to possess a gun is clearly not a fundamental right. >> what does the second amendment mean to you? >> not the right of an individual to keep a gun next to his bed. >> and hillary says -- >> and when it comes to guns, we have just too many guns.
12:50 pm
the supreme court is wrong on the second amendment. >> hillary's made her choice, now you get to make yours. defend freedom, defeat hillary. the nra institute for legislative action is responsible for the content of this action. >> if you missed any of the presidential debate, go to c-span.org. on our special debate page, you can watch the entire debate, choosing between the split screen or split camera options or even go to specific questions and answers from the debate, finding the content you want quickly and easily and use our video clipping tool to create clips of your favorite debate moments to share on social media. c-span.org on your desktop or tablet for the presidential debate. tonight on american history tv prime time, world war ii
12:51 pm
programs from our real america series showing archival films on public affairs. the 1943 film on the battle of russia. followed by a film called know your ally, britain. at 10:10 eastern, films from 1944, the negro soldier and the hidden war. american history tv in prime time all this week here on c-span 3 while congress is on break. c-span, brings you more debates from key u.s. senate and house races. republican senator kelly ayotte and maggie hassan. then at 9:00, the iowa senate debate between chuck grassley and democrat patty judge. at 10:00, new york's 24th
12:52 pm
district seat. friday night at 8:00 eastern on c-span, the georgia senate debate between republican senator johnny isakson and jim barksdale and libertarian allen buckley and rick nolan and stewart mills and at 9:30, colorado's sixth district between mike coffman and morgan carroll. and saturday night at 10:00, the pennsylvania senate debate between republican senator pat toomey and katie mcginty, then the new hampshire governor's race. and at midnight on c-span, the north carolina governor's debate between republican governor pat mccrory, democrat roy cooper and cecil. now until election day, watch key debates on the c-span
12:53 pm
networks. c-span.org and listen on the c-span radio app. c-span, where history unfolds daily. >> more now on cyber security threats with the discussion on the ability to hack elections at state and local levels. the institute for critical infrastructure technology hosted this 50-minute panel. >> good afternoon, thank you for joining us for today's briefing, i'm a senior fellow at the institute for critical infrastructure technology and welcome you to the briefing on a recent series of publications including hacking elections is easy. we're holding today's briefing because of the factual conversations on the cyber security of our election systems have been replaced these days
12:54 pm
with two extremes, on the one hand conspiracy theories filled with doom and gloom scenarios and banter, with widespread distrust of the democratic process. on the other hand we have statements from ill informed who believe hacking an election is impossible and could never happen because of the decentralized nature of our system and state officials are adequately prepared to defend. neither of these schools of thought is accurate. as america's cyber security think tank, they felt it was necessary to introduce the mindset to this conversation to discuss realities of the vulnerabilities that exist at the local and state and manufacturer level. during our first panel we'll hear from experts on how hackers can social engineer their way into manufacturer, map networks and exploit the virtually endless injection points that exist on the systems and machines to deliver malicious
12:55 pm
payload to achieve designed outcome. in the second panel we'll talk more about cyber hygiene best practices, implemented by every private and public sector information as a whole. our motivations are very simple, here to educate the public and our election officials on what is possible so that they can then shore up the vulnerabilities that plague our election systems. with that i'm excited to kick off our first panel, which is an analysis of the publication series, hacking elections is easy. i'm going to introduce our panelists, to my immediate right james scott, a senior fellow and primary author of the paper. to his right is jim walter, a contributor and senior researcher. and to his right, tony cole, vice president and global government cto at fireeye. thank you for making time to be here today. i'll be identifying three major problems in the current voting system and asking you and the
12:56 pm
panelists to keep these in mind as we go through the next several minutes. problem one is the black box proprietary systems, the greatest threat is dependent on black box for voting systems because they do not know which code is running and what vulnerabilities exist within the system. reliance on vendors to manage these systems is extremely worrying because it is an enormous security risk. problem two is the antiquated air gap defenses, they believe systems are secure because vulnerable systems are isolated from network systems. this limited perspective demonstrates how little state election boards understand about cyber security. and finally, decentralization is not a defense and to point to this common belief, i'm going to go to a quote from director comey who said the beauty of the american voter system, it is dispersed among the 50 states
12:57 pm
and a lot of people have found that challenging over the years but the beauty is it's not exactly a swift part of the internet of things. it's hard for an actor to reach our internet process. so with that in mind we're going to quickly breeze through a couple of questions before we get into the meat of the conversation. obviously all of this stems from the digitization of our electronic voting system stems from the 2000 election process where gore and bush had a disputed election and came down to 400 votes in florida as a result of this in 2002, congress passed the help america vote act which allocated about $4 billion to fund all 50 states to move to electronic voting machines. fast forward today, there's a dozen manufacturers out there and two primary types of machines used, digital optical systems or -- my first question is, since moving to e voting systems, have we done enough to
12:58 pm
ensure the integrity of the machines and systems we're using across our country? >> i would say absolutely not. you know, throughout the history of their use, there's been numerous vulnerabilities in these systems uncovered across all of the manufacturers. they are not at all designed with security in mind from the ground up. and they seem to sort of exist in a bubble outside of the normal sort of hardware software security life cycle in that when vulnerability issues are publicized or disclosed nothing seems to occur. you never see any cves assigned to the issues, no follow-up from vendors. so there's definitely not -- little if nothing being done to address the issues in these systems and this is kind of been that way since these things are implemented. >> and they put out the 160
12:59 pm
which takes the security aspect and starts it at the manufacturing level and takes it through the entire life cycle of the technology. it will be great to see something like that. >> let's touch on what mandates have been put in place for the states and if they've been effective and is there adequate funding to states to deliver on these? >> i think that the funding is adequate but the people in charge, the election officials are no longer qualified to fulfill these tasks in the digital age. so we need to start bringing in people that are familiar with the cyber-kinetic threat landscape that is plaguing our election systems. >> i would add that i think there needs to be a minimum set of standards that equivalent across all 50 states and territories as well. this is what our democracy is based on, trust in this system, you vote and your vote is
1:00 pm
counted for the candidate that you want. if we can't trust those systems, we don't know if they've been compromised then we actually chip away at the foundations of democracy. >> and those standards have to be mandatory. right now most of these certified systems are certified against a standard drafted in 2005, the voluntary voting systems guidelines, voluntary being the active word. there have been revisions since and 2015 standard but still preceded with the voluntary word. so there's no requirement for these things to even follow whatever standards do exist today. >> talking about machines for a moment, do you think that manufacturers have done an adequate job building security into the life cycle of either development or maintenance of these machines? >> dre and optical scan are just dilapidated bare bones pcs with minimal endpoint
1:01 pm
security. when you have black box technology, with minimal transparency, it's difficult to get in there and forensically analyze. >> this is a 16 megabyte flash card and this was taken out of an avc edge voting machine, still in use today and i believe 13 states across 170 some-odd different precincts and cities and counties. but this is the kind of system that these things are based on. this is a very ancient variation of dos running the thing. it's very easy to open the box up and yank this out. the point is in terms of designing things with security in mind from the manufacturing process onward, when you're talking about operating systems that a, run on something like
1:02 pm
this and running code from between 1999 and 2001 and they are in use today, i would absolutely argue that that's -- there's no security being paid mind there. >> i would add to that, we need to take a completely different path where security is baked into these solutions because people running these systems out there, generally have no training as part of the paper that was done. some of these folks are getting paid $15 an hour. so you can see they are not highly skilled individuals that understand cyber security and chain of custody and have any sufficient training to actually monitor and maintain and ensure that these machines are doing what they are supposed to do and have not been modified. >> i'm going to summarize some of the things said. easy to breach networks and employees that aren't adequately trained or volunteers. and we have an election systems run off black box code. james, what do you think is the
1:03 pm
most likely adversary we're facing? >> could pretty much be anybody. >> you can look at the sophistication of state actors and projects apt 28, you can look at poseidon, hackers for hire can bring it in in a big way. what we're going to go over right now are tools, script tools available on dark web forums that can make -- things that used to be sophisticated, just point and click at this point. >> we'll start. that's the big thing right there. we hear about illinois and arizona. the reality is, voter registration data bases have
1:04 pm
been available with recently exfiltrated data on dark web forums. if you look at the minimal sophistication of state's governments, nasa, center for disease control, united states postal service, these are pretty sophisticated cyber defenses and they defend in layers. ftpsx is available for a fee. i would estimate by the next election cycle they'll be selling access as a service to state tabulators. >> this is just a downloadable guide for service. another example of data access as a service, this one was interesting because they offer a refund and you just give the
1:05 pm
url, they achieve access and you check it out and then your money comes out of escrow. this is interesting because this is a hacker for hire service. this is an ad by a handler. so you describe the project what data base you want access to and what type of malware you want customized and this individual will have maybe 10 or 15 hackers that he can pull from. a vulnerable port sniffer, you know, we'll talk more about that at the state level injecting malicious code, same type of thing, just a different -- it's more of purchasing the software as opposed to a service. sql injection tools, anybody can do it in about ten minutes. brute force, you can brute force your way into anything,
1:06 pm
especially with the web exploits and another brute force -- probably going fast here. >> sorry. this is interesting because it's an all inclusive encyclopedia to step in and be able to do pretty interesting layered attacks with minimal technical capability. okay. zero day for microsoft office is a steal under 50 bitcoin. the excel will be important because state tabulators will use excel as their spreadsheets so finding an exploit that will work with excel, bare bones dilapidated, black box technology which nobody can get into. there's a lot of things that can
1:07 pm
go bad there. >> another zero day. this -- you can build your own exploits with this -- this is just another nifty tool for people to figure out you can do your own exploits. >> perfect. that gives you a good example and visual of some of what's out there and many of these and other images can be found in our hacking elections part one and two which can be downloaded from the website. we'll get into a part of the conversation quite fascinating, how a local election system can be compromised. we're going to walk through the process, i want to start off by making a statement that there is no consistency across particular states or precincts on how machines are tailored or what they are using. but very, very high level, the process is quite simple. and they are aggregated and sent
1:08 pm
up at the state level, either using a memory card or e-mail or transfer. this is constantly a changing process and there may be some processes being introduced for the upcoming election we're not aware of. what characteristic would malware have to be most effective in impacting an election? >> depending on where your starting point is, you mentioned right off of the bat, the transfer base stuff of voting data or ballot data, if we're talking about a system that has to ftp the data outward and anything that can monitor that traffic or monitor the initiation of that traffic. so that's any number of off the shelf tools like has been shown or doesn't take much to write something to effectively sniffs and monitors and records traffic and sends it elsewhere or redirects it elsewhere. you can get deeper into the -- stuff that can actually run or
1:09 pm
be injected into code on the voting machines themselves. those that run windows, it would be very simple to craft a piece of malware to run of those machines or use something that already exists, they are typically not running protection. anything you drop regardless of how old or ancient the malware is, we'll run and do the job. we've seen the scenarios where they trust unite and drop out things like poison ivy or dark comet, well known typically easy to detect in the security world but they'll run on these machines and will absolutely exfiltrate the data as needed. >> the other thing to think about, many times this data may be taken back to the state level to be tabulated and county level and localities. if you've got people sitting in the room who are working on their own systems and maybe more
1:10 pm
modern systems, even if you have those other systems for the election that are air gapped, all it takes is one piece of removable media moved over to one of those and you can do -- if your air gaps are safe and there are a number of reports from a number of companies out there that have shown you don't air gap systems get compromised quite frequently today. >> on air gaps, you would have to know how to leverage exploits specifically microsoft operating system, excel, access, but with bypassing the air gap, since 2005 it's pretty common. we had usb stealer and air hopper, bit whisper and project sauron, all easily achieved bypassing the air gap. it is no longer a defense and it's interesting to hear state
1:11 pm
officials say that it is. kind of shows how unqualified they are for their positions in the digital age. gentlemen, there's three scenarios -- >> one other thing -- the payload should always target the tabulator, that's where we're headed. we'll talk more about that and activate on election day and self-delete after tabulation. >> there's three viable injection scenarios, at the manufacturer level and local level and state level. james, i want to talk about the attack at the local and manufacturer level. how are you able to compromise machines at the manufacturer level? >> so at the manufacturer level that's actually the easiest place to inject a malicious payload that will carry through to the tabulator at the state
1:12 pm
level. you could use a port sniffer, certain type of credential stealer, gain access and you could sniff for vulnerable ports with something as simple as shodan like we showed there. the easiest way to exploit an overall campaign is to poison the update at the manufacturer level. what will happen then is because it's a black box technology, because the code is considered proprietary and there's no transparency, you can poison that update and that will then carry through to the contractors and manufacturer reps in the field. also the election consultants and local and state level officials that are updating and certifying. >> there's typically no real strong checksumming between the
1:13 pm
update process for these machines and the code that it is updating on the machines. there's been a lot of academic and public research on poisoning firmware updates for sequoia and other systems where you can simply take a poisoned firmware update and because there's no signing in place or checksumming, very weak crypto, that update will run on the box and generate -- cause the box to be running malicious code from that point forward. in most of these manufacturers have open ftp sites that they use to receive data or distribute updates. so if you can pop the ftp server and stick up your malicious
1:14 pm
update, that takes care of it. let's move to the local level, we have an infographic here. let's talk what you would do at the low level. >> sure, i mean, we could look here or i can walk you through it. >> what jim had showed was to exploit open ports and injectable media so memory cards. if anyone is familiar with the hursti hack, one of the first places where they took a memory card that could manipulate the actual tabulation process and self-delete.
1:15 pm
>> there's so many ways to go about it with these varying machines. everyone has voted in the past. you know a good percentage of the time when i vote towards the end of the day, those people making $15 an hour, $16 an hour are really not paying attention. not only that do they even really know what you're doing when -- it's not difficult to go in and one of them had a switch on the back you could flip so -- pop the panel off. >> the sequoia. >> and actually reset it. another one had a panel you could pop off and stuff the ballot box directly. there are a number of things you can do. i want people to think about this, the fact that it was 400 votes in 2000, 400 votes, for people to say that you can't hack an election, that's crazy. it was 400 votes with a large effort you could have a much
1:16 pm
larger effort. >> the focus would be swing regions of swing states for a local attack. poisoning the update you could definitely add a geo targeting feature to the code so you're only focusing on particular proximities in swing states. >> back at the local level, you've got the technical side of it and you've got the human side of it. going back to the sequoia machine, it takes maybe eight to ten seconds to tilt the machine sideways and yank this thing out to replace it. or just leave out causing denial of service effectively and machines rendered useless for the rest of the day. or you could replace it with your own compact flash card. there's two media ports in the back next to that activate button that allows you to vote multiple times. you can remove the results card, the pc card that stores results from the back of the machine, you just pop open a little latch and yank it out.
1:17 pm
and then off you walk with all of the results for that machine. there's that sort of technical side but then there's human side of it. you touched on the employee side of it. it wouldn't be uncommon for malicious actors to either insert themselves as employees or volunteers or pay off others. it almost works in a way that mirrors like the universe where you might have paid individuals to look the other way while you work in and tamper with things and make sure no attention is being called to it. there's all kinds of ways of going about it. >> most of these election volunteers have no social engineering training at all. they couldn't identify a physical attack on a machine if they saw one anyway. you know? >> let's move onto the state level, several levels of technology can't be compromised. report discusses several,
1:18 pm
exploiting website vulnerabilities and breaching state servers and insider threats and infecting state pcs and poisoned updates at the manufacturer level and spreading malware to state election systems and compromising state tabulators, we have another infographic. let's start with exploiting website vulnerabilities. dominion systems, they also own premier, which used to be diebold. they have a portal for customers, something simple to guess like dominion voting/portal. it can be popped and you go as a customer to -- view or manipulate data from the portal side which includes tabulated results. all of the different sites that
1:19 pm
can be well -- but it's -- it doesn't take a nation state actor and sophistication they have to run simple tools to manipulate these sites or try to force their way into the sites to maintain access. >> i think that's a really important point you just made as well. it doesn't take a nation state to be successful doing this. think about the resources of the nation state that wanted to manipulate our election that could bring to bear to manipulate these because it is not a high level of sophistication to compromise any of these -- >> it comes down to getting into the website, brute force, sql injection, getting into the network, mapping the network, gaining intelligence. yeah, i think this is arizona election website was breached this way. so this is already happened so script kiddies learned from what worked so they'll mimic
1:20 pm
this breach. >> next move on to breaching state servers. same way, steal credentials and elevate privileges and move laterally throughout the network, try to find those treasure troves of data that you can exfiltrate or that go undetected. these websites and servers don't have properly layered security. so if you get admin credentials, for example, chances are they don't have something like user behavior to detect the abnormality of what's happening with that user's behavior. >> they are going to get credentials the same way they have been for years now. the number one method of achieving that first stage of access has been spear phishing
1:21 pm
attacks and it's been that way for years. they are going to use what works. identify key individuals in the state associated with running of elections within that state which is very easy to do through available osint and some spear phishing e-mails to them and see what you get in return. generally you'll be able to -- you'll get at least one hit out of however many you try and at that point you can start to collect credentials and laterally move from there. >> job offers always seem to work in that one so crafted pdf, you have a great job. look at this and we'd love to talk to you about this. take a look at the job announcement, they always open that announcement. >> linkedin is a good starting point. >> linkedin always -- >> we know there's malicious insiders and there's the unintentional insider. talk about this vulnerability.
1:22 pm
>> it's a huge vulnerability. one we could fix, most security people today will state the users of the problem, why we have a job. it's important to remember that. what we need is a large campaign for anybody part of an enterprise to be involved in and start to understand the dos and don'ts of cyber security. there's a lot of challenges in the space for us today because if people don't know when that weaponized attachment comes in, looks like a normal e-mail they weren't expecting, they don't check on it because they don't know what they should and shouldn't do. they open it. then it leads to compromise and now suddenly you've got the set of credentials where you can go out and utilize them. so to compromise an election database. those are a huge problem and one that's fixable for some reason that we don't seem to focus on on bringing users in and getting them trained, understanding what they should and shouldn't do. all the way down to our kids before they grow up to be part
1:23 pm
of large enterprises. just simply don't do it and we should. the malicious insider, very difficult, it's so inexpensive to hire somebody. in my county, $15 a day for loudoun county, virginia, $145 a day for the election. most counties have very little background checks. they do very little on that side at all and most of the requirements were a high school diploma or g.e.d. to actually be an election official. think about that. no background checks and that's it. they just want to know you can actually take simple steps in the i.t. realm and simple interpersonal communication skills to interact with others there. very, very easy for some nation state to come in and implant somebody so inside that environment, getting a lot more than $145 a day i'm sure, to go
1:24 pm
in and try to compromise these systems and impact our elections. >> we were talking about infected state pcs. want to kick off that. >> yeah, state pcs can be infected any number of ways, it can be the contractor who comes in at night for janitorial services, most of these state level pcs have totally exposed tower backs so you can inject any type of malicious payload using something simple as a usb drive. social engineering works with spear phishing attacks. they lack cyber hygiene training. they will click on dancing kittens playing with baby puppy on top. isn't this cute? you have to click. download a malicious payload from there there can be -- actually it's funny we were
1:25 pm
asked to put a sample exploit. i think a sample exploit if we were targeting a pc at the state level, you want solid functionality across the board, it would have additional droppers and screen grabber, camera, microphone capture tool and network mapper, lateral movement procedures and code injection, mechanisms, social media spread and activation tool and usb infection capability, also with self-deleting capability as well. >> all of that already exists, you don't have to write or code any of that. you can grab your own craft version of zeus or citadel or
1:26 pm
poison ivy, infinity -- you name it, all of those tools are out there for you to slightly customize and do all of those things you just described. today in the dark ones, it's a robust economy, much like if you run -- you get maintenance and port, you can go in the underground and rent expertise and buy tools and get maintenance support as well to go in and compromise somebody's system, distribute to the service, attack against somebody's system and knock it offline. think about that if somebody went after one of the states and just to distribute a service against one of those data bases online and knocks it off in the middle of the election. >> the next layer, poison updates at the manufacturer
1:27 pm
level. >> spreading malware to state election systems. >> sure. >> a lot of these are interchangeable but it comes down to for me, if i were the adversary, i would start at the manufacturer level, also gain access to the state server and get access to the data base exfiltrate and right package side and have a malicious payload to bridge that air gap and have full functionality. i would also add a ransomware feature, whether it's the voter registration data or final
1:28 pm
tabulation, total tally of the vote for that night. it would be interesting to ransomware that, a weaponization of encryption injected through normal channels. >> with these different decisions, the responses will largely be similar, but at that level, you probably see a lot of the same sort of behavior, identify a target, do your recon on them, infect them either via spear phish or if you have access in terms of just plugging in a usb drive or dropping your payload, in either way that's available to you, but, outside of that it's going to be mostly the same and utilizing the same sort of tools. >> i think that most of these systems are so easily compromised that they should have never been released. there should have been some
1:29 pm
standard that they are held to and it's not security through obscurity as we like to say. quite frankly been proven time and time again not to work. it's better to have a set of standards they are measured against with people actually doing measuring that have a large component of cyber security expertise to ensure those systems can't be compromised. today we could stand up here and talk about the methods to compromise them for hours because there are so many different vulnerabilities in the systems. >> and the issues are no longer obscure. you can't argue security because everything is well documented. you can even get technical maintenance manuals for these things, things that should be internal, are all available on these machines that have been around since the early 2000s, mid-2000s, all of the machines still used today. there aren't a lot of brand-new machines undocumented or where the documentation hasn't been leaked out there.
1:30 pm
you can go to black box voting or any other number of sites that tend to collect this information and pull down whatever you want in terms of field service guys or firmware update manuals or code, things you would assume would be internal and closely guarded secrets but they are not. there is no obscurity. >> now that all of the manuals are out there and have been for quite some time, there's no obscurity, it never works. >> the ransomware, any other comments on that. >> a lot of modern systems are running derivatives of windows
1:31 pm
and would have behaved like any other host in terms of how to infect them or what types of things to infect them with. a lot of officials argue because they are air gapped you can't compromise them in that way. often times, you have to move data from those systems to connected systems in order to get the full results external so that may be -- i have to move this usb drive or in some cases zip drive or in some cases a pc card over to this connected system to get the results out and that could be a point of compromise. same thing if you have to -- which is the case with at least ten manufacturers, if you have to move the data to a connected machine in order to ftp the results outward, you're -- the user of these tabulators and systems will end up breaking the air gap at one point or another during the process. >> perfect. so now we're going to close out
1:32 pm
the conversation by talking about the current climate we're living in, given the time frame around this upcoming election. so media coverage has obviously talked about dnc hack, rnc hack, certain individuals talking about the possible integrity of the results. what's your take on the theories regarding who's behind these incidents? >> i think it's very clear that most of us in the community today feel it's the russians that have been behind these compromises. so whether you look at reports from my company and many others, it's clearly been linked back to the russians manipulating these systems. >> it's important to -- with a lot of these incidents, we're not always necessarily talking about breaches or compromises of the voting systems or voting machines. it may be officials tied to
1:33 pm
processes. in terms of leaked data, what the outcome is is a sway of opinion, not compromise of the machines but there's no reason to assume that wouldn't be part of the incident. and in a lot of these things are still going on. they should be treated as ongoing incidents or open investigations. >> time will reveal what's going on with these leaks and incidents but it would be safe to assume that they haven't just left the building so to speak, i would urge people to understand once these actors are in, they tend to hang around for a while and continue to pull what they want to pull. >> just fascinating reports on apt-28 and 29, cozy bear and fancy bear, whatever you want to call them. good reads on the capabilities.
1:34 pm
we have to be careful with attribution, when we say it's the russians, where? what russians? the apt nation state, mercenary? cyber criminal gangs looking to pick up a state sponsor, looking to do something big? could it be china? their strategy has a smash and grab aspect to it for technology. to dwindle our democratic process. that certainly coincides with the psychological warfare aspect of what they do. taking into consideration, hacker for hire, that levels the playing field for cyber caliphate, insider threats. cyber jihad, that sort of thing, cyber self-radicalized lone wolves is now a classification. so yeah, media does paint an
1:35 pm
oversimplified picture of these groups and incidents. when you talk about a specific group in russia, they paint -- the image in your or they try to infer the image of a roomful of specific individuals part of this super hacker team that is known as cozy bear, fancy bear or whatever mammal it happens to be. and it's not always that simple or cut and dry. sometimes for higher aspect, whoever is behind these things or is controlling the resources behind these groups and incidents, they will find people to carry out what they need carried out one day they may be team fancy bear but then team
1:36 pm
cozy bear and you see the different dynamics with the chinese groups as well. it's important to know that the picture of one specific group of state affiliated actors all working together as a team, it's not always that simple. >> it allows for a nation state to create some level of separation as well. >> chinese pla are known for discovering vulnerabilities during the day. they take that down and they'll freelance at night and go through english language handlers. >> when you define what's occurred with a breach, a nation state actor or mercenary gang like out of russia, once you define the forensic value of that breach, you see a lot of
1:37 pm
copy cat breaches and hacks. that's another thing nobody is talking about, the copy aspect. it's not enough to just say we think it's cozy bear or apt 29 -- 28 is cozy bear, right? >> yeah. >> fireeye, they know. once you have defined from a forensic perspective, the tool kits and exploits and time stamps on the codes, all of these factors you can easily duplicate with technical sophistication and capability. you'll see a lot of mimicking of nation state and high level mercenaries and criminal gang activity. >> you also see deliberate masquerading in terms of a group utilizing tool kits that may be
1:38 pm
known to be associated with another group or infrastructure known to be specific to another group in order to throw off analysts and throw off the security industry so it's attributed in the wrong way. that's a really big problem with chinese stuff in particular. you see a lot of back in the comment crew days, suddenly all of these other groups were using the same tools and infrastructure, they get wrongly attributed to comment crew and it may have been someone else. that same sort of thing extends to other regions as well, russia included. it's become more common. >> a lot of methods to do that. >> you look at the stealth and sophistication of the russian apt or willingness to throws much funding as possible, to still support the smash and grab
1:39 pm
and look at these sophisticated attack vectors and exploits and capitalizing off of 0-days, they are used to going into ics systems that are highly guarded. you look at energetic bear, perfect example of poisoning the update. this is something that these are highly sophisticated people and what they are able to do is go into highly protected areas. this isn't a state website with no layers of cyber security. no uba, no encryption of data in transit and stationary the election system is completely fair game. think about that. fair game. >> the people that should be protecting this and should be the gate keepers protecting the
1:40 pm
election process. the manufacturers with sib security, and secretaries of state and state official and they are doing nothing, not technically sophisticated enough to do anything. it's time to have changing of the guard i think. it's interesting your point, in the press of yesterday or day before yesterday, it came from a deputy director at nsa, it's something all know, attackers only bring out the tool set needed to require their objectives, they are not going to go out and bring out a bunch of zero days they've got vulnerabilities with exploit code and release that if they don't need that to accomplish what they want to do. here we are talking about this with sophisticated attacks taking place around the world. south korea, the korean nuclear hydroelectric plants from north korea went after the south
1:41 pm
koreans system and took out a.t.m.s years ago with sophisticated attacks. that's the point we're trying to make. there's no sophistication required -- >> script kiddies. >> for us to say systems can't be hacked is naive on our parts and something we don't want the election to happen and this get tucked away for four more years. it needs action and funding and resources and focus. >> on that note, we're less than 20 days from a major election. is there anything that can be done between now and then even if it's not going to obviously address all problems, what can we do now and what can we talk about doing for the 2018 and 2020 local and federal elections. >> first and foremost protect the tabulator, anything that comes in remotely close contact
1:42 pm
with that process, protect it. then forensically analyze where before election, forensically analyze the black box technology that the manufacturers and state level mutually support. bring forensic people in to hammer the swing region specifically of the swing states from a forensic perspective. the election systems as a whole. >> physical security has to be way before. realistic or not, the ideal situation would be people in the know or people that are familiar with the different ways of physically compromising systems should be available and observing things at the polling places. that or properly educate the
1:43 pm
people working there on what these physical compromises are. in some ways, that's been done in the past but it's simply not across the board and not done at the volume it needs to be done. there's so many ways to screw with these things physically. if there were a correct pair of eyes watching for attacks, it would stop a bit. >> just a pinch of paranoia for everybody they hire or already hired in the process and give them a five minute spiel on it along with a sheet of paper. these are election systems we have in our polling place. here the ways they can be manipulated. you should be watching everybody that comes in here to make sure they are not touching these things. you can watch the counterparts also here watching you. just a pinch of paranoia to make sure people understand what shouldn't be touched.
1:44 pm
they don't have to understand how it's manipulated. those are things that shouldn't be touched on the systems. >> gentlemen, that was fascinating, thank you very much. [ applause ] i'll ask our second panel to come to the front of the room, please. pennsylvania congressman brendan boyle sent out this tweet, how many already voted in the 2016 election, 5.9 million. check out how and where to vote early. chaffetz will vote for donald trump but won't endorse or defend him after his comments on women came out. now the congressman says hillary clinton is worse than mr. trump so he will vote for the
1:45 pm
republican nominee. >> hillary clinton is campaigning in north carolina with michelle obama to encourage early voting. c-span has live coverage of the stop in winston salem at 2:00 eastern. world war ii programs from our real america series, showing archival films on public affairs. at 8:00 eastern, a 1943 film on battle of russia, followed by a film called know your ally, britain. films from 1944, the negro soldier and hidden war. all this week here on c-span3. while congress is on break. >> this weekend on american history tv, saturday morning from 9:00 eastern to just
1:46 pm
after noon. >> the empire and its commonwealth, last for a thousand years, men will still say, this was their finest hour. >> we're live from the 33rd national churchill conference, speakers include british historian andrew roberts, author of "masters and commanders", how four titans won the war in the west. 1941 to 1945. later on saturday, at 7:00. texas general land office commissioner george p. bush, state senator menendez and phil collins talk about the spanish mission, the alamo, at the 2016 texas tribute festival. >> the memories of that time were that this group of people were going and knew they were going to die but they went or they were there. they kind of -- there was
1:47 pm
something very noble and very romantic. i've learned that it wasn't quite as black and white and that's one of the things i think would be good in this day and age, we put it into context. >> sunday evening at 6:00 on american artifacts. >> you also notice he's not wearing a weapon. he would lead attacks carrying nothing but that riding crop you see in the left hand. and the men looked at this and realized if the colonel later the brigadier, can take it, i'll take it too. we visit norfolk, virginia, to learn about the early life of douglas macarthur. >> and at 8:00, conscience in chief, with the highest level of integrity and moral compass locked on true north to always
1:48 pm
count on them to do the right thing when times get tough or no one is looking. >> explaining his ten commandments for presidential leadership, what they are and provides examples of presidents who excelled at each one. for our complete american history tv schedule, go to c-span.org. >> technology experts discuss best practices to improve cyber security within the federal government and the private sector. this is about a half hour. >> as i mentioned earlier, the second panel for today's briefing is focused on cyber hygiene. we heard a lot of talking points from our earlier panel and a lot of those things fall into cyber hygiene. this is not specific exclusively to the election process or state or local level this is a best
1:49 pm
practices that any private sector organization should be prioritizing and we understand that this is although we've discussed these issues time and time again, they still seem to be a challenge to implement and we'll talk about those opportunities as well. >> let me first start by introducing our panelists to my immediate right. fellow and regional director and to his right is james cramly and to craig's right, trish keg lee os stroe. and to the far right, stacy winter, fellow manager for forcepoint. thank you for joining us. first question talking about the growing microcosm, increasing attack surface, despite many cios and network security operators continuing to struggle with understanding what their network topography looks like
1:50 pm
and this is only going to get worse and not get better. let's talk about your views on why this continues to be a struggle and what investments they can make or how can they leverage current investments to a first to make sure what their network looks like and what devices and end points are on it. i open it up to anybody. >> i'll start. the idea of the internet of things is a nifty idea. the problem lies, if i can access a system for my job, an hvac system, a pharmacy within a store, then i can certainly transverse the network to get to where i need to go to get credit cards or any information i want to get because it's costly to have separate networks for each one. they are all networked at the physical layer. there are technologies out there that can allow you to, through policy and software, isolate the
1:51 pm
machine so they only speak to certain machines, using pki credentialing. transport mode and things of that nature. there's also a way to get rid of vpns and leverage a single port, 4.3 port, for outbound only pipe and use a cloud broker of sorts that will only allow and provide realtime identification of who the person is. also, by using something like that, they could also isolate the resources and wouldn't be able to transverse the network once they got inside if the identity was compromised. >> i think there's two sides, the personal side with the smart watches, the fitbit track activity. those elements are things your users want to bring in. how do you plan for that? the second side is iot and you have business applications, too. you have different devices you bring online. it makes us smarter, better, faster. from a business perspective, especially when you're talking
1:52 pm
about manufacturing. so, i completely agree in the sense that this problem is only going to get more complicated. if you think about this, how enterprise can figure out the topology where the devices might never touch the network. think about the instance with a fitbit device where i plug in my piece that goes into my laptop. i'm syncing my fitbit with my laptop but not actually connecting it on your network. how can you find it on your network? right? when you talk supply chain management, what if that device is then preloaded with something that could cause damage to my network, things like that. the topology of the network is going to be expanded not just by what is connected to it, but also the devices on the network. the connections between we are talking on the business sense where if i have smart devices or different industrial systems i'm using, i might think they are only talking to each other. i have to understand not just the connections between them,
1:53 pm
but how they're connecting to other parts of my network as well. >> exactly. i will echo that more to say that as cyber security developers and practitioners and vendors as a lot of us in the room are and the panel, it's our responsibility to make sure those solutions we are providing through our customers have security built in from the beginning. it's easy to use. it's easy for our customers using the solutions who aren't necessarily cybersecurity practitioners to start with, as their main job. they can actually utilize these in a secure way. >> a lot of you mentioned end points and devices. when we think about protection, we think about those physical entities. as more and more users are added and more credentials are given to get access to different devices, different networks, different systems. different data information, many are saying that the user is the new perimeter. my first question is, what technologies exist to help
1:54 pm
mitigate unauthorized access as we know the numbers go as high as 98%, 99% of all breaches and involve a compromised credential? >> i guess i'll start. i wanted to make a comment. the ioc, what started it. i think the ioc was started when you think star trek. if you watch the movies, there was always a computer in the room. ask the computer anything and he solved it for you. i think that's where we are going with ioc. it's that convenience of doing anything, whether it's my iphone or ipad. i tell my young sons in my hand, in my iphone, i have answers of all humanities questions right here. that's a profound statement and pretty powerful. we want and we desire that. i think if you dovetail that it comes back to with the great power comes great responsibility and it comes back to the user. every user is capable of good and bad. every user as a bad day at work. they might become an insider for a minute. man, i'm going to get my boss or whatever. we have to look at the user and how we manage that.
1:55 pm
going into the question and technologies, technologies are there. there are a lot of leading edge technologies uva is a term. my company works through uva space. i look at "star trek." there's artificial intelligence that is going to make decisions for us. are we going to empower that to make the right decisions? another quick example. baseball, everybody is watching the world series. 10% of the pitches are called inaccurately. we have the technology to solve that but we don't. same thing in cybersecurity. we have a technology, but are we willing to implement it to do the right things? >> i agree. there's plenty of technologies and you're right, there's lots of evidence from previous breaches that indicate that the identity is the new perimeter. the ability to do things now from afar, unlock your door, check your icebox, see if you
1:56 pm
need milk, start your dryer, those types of things, that's kind of cool, but the tough thing is if i can do it, so can somebody else. so, somebody unlocking my car, there was a case of the jeeps being stolen. guys were running scripts, syncing up and getting the code for the key fob. and starting the car and driving away without really breaking into it. it's a legitimate way to get to it. there are technologies that allow you to prevent that. another panel, the previous panel identified the issue of where they were even with the weakness of technology. it's all identity. if you can remove user id passwords and move to something you have and something you know, technology, that's very hard to penetrate because i might be able to steal what you have, but to have what you know, that's difficult. that combination is very hard. if you limit people's access, it controls what the damage can be. >> yeah. what's interesting, too,
1:57 pm
compromised credentials show up on the internet for sale all the time. one of our capabilities, we will scrape the information, pull it in. there's a tendency to think, okay, well, i had identification, i'm good. it doesn't matter these credentials are showing up out there. that's sort of true, in the sense that, even if they won't be able to extract the password, we had an incident about six months ago where we discovered a 30,000 credential dump in a dark web forum. what we saw was the forum poster said, hey, i found these 30,000 credentials. here's passwords, try to crack those. if you think i'm good, you miss an opportunity because your user, they do their annual security training. they don't think about it after that. they click the simple questions at the end, answer the security certificate. hand it off to management,
1:58 pm
that's it. wouldn't it be great if you could reach out to them saying you showed up in a credential dump. you should expect to be targeted with social engineering tactics. by the way, here is a link to training on social engineering tactics. now, you are creating additional touch points to help them get engaged in the security process. >> to add on to that would be fairly simple policy change, a process where you could institute two-person human review for critical changes so if you have a privileged user who can make changes to your administrative system, then if you have two people who have to be able to okay that before it goes out companywide, you're lowering your risk quite considerably. >> greg, you and i spoke the other day about this. i wanted to give you a chance to talk about it. there are federal agencies integrating as part of this larger conversation. several panelists mentioned leveraging existing technology, and there is a lot of technology. how do we use it more effectively.
1:59 pm
you want to share what's going on with the government in that perspective? >> sure, the objective, obviously, everybody has kind of read about it with the breach. tony scott and the 30-day sprint and the initial focus on privileged users. the unfortunate thing is, as this gentleman said earlier, everybody is a privilege user. you have a smartphone in your hand. you have applications. you have access to your company's data. you're a privileged user. with that, they want everybody to use a digital representation of themselves because that can't show up on a password dump, anywhere, because there is no password. getting rid of user i.d. password is the key to this problem. the issue the government has is getting internet wide use is the cards is the heterogeneity of the network, a variety, a large variety of operating systems across the data system cloud and mobile arenas.
2:00 pm
and there are technologies out there that can homogenize everything on the network to make it look like one type of operating system that can be leveraged out of one identity store that will authenticate to and provide the right to the people that they're allowed to have. you get to a point where you have rights privilege as well as access to a bunch of applications. the other thing, too, with the security side of it is to give people the access. give them granular roles so they can only do what they want to do. nobody calls the help desk and says, can you take away this access i have? i have too much privilege. please take some away from me. right? you have to right size the roles by making sure that they only have what they have. it keeps them out of trouble. it's like, you know, having the authority, but also having the responsibility, right? you know, if you give them guidelines like we are as we are being raised, we are given guidelines and boundaries. give them boundaries.
2:01 pm
they're using something they have and something they know and you throw a third authentication on top of that, it's hard to end up on a dark website. >> it's funny you mentioned that. talking about the voting, in 2000, i remember working on a project around the election. the voting conspiracy on who won the election. there was immediate funding before 2002 around a project called serve. it was letting the military do their, instead of the mail-in ballots, they would do it electronically using the pip card. i mention this because it's been around for 16 years. the idea has been there. it's a great solution. it would have given great authentication. there are no issues with privacy, which is a major concern in voting. giving the user a password, i know who he voted for. all these solutions are there in technology. just 2000, didn't do it. still not being used today. there's a lot of reasons for that. again, i mention you talk about a great application. it's something i wish citizens had.
2:02 pm
you want to end phishing attacks, give me a u.s. postal e-mail address with a postal certificate so i have certified e-mail. i don't need 15 e-mail addresses from yahoo! and g-mail. we need to implement these technologies. >> when you are talking about two factors, the other thing that does, how often does -- you hear the joke about someone has a password for a particular system which means it has really complex requirements and they reach in their desk and pull out the password that's written in the drawer or they lift up the keyboard and it's written down somewhere. that's the nice thing about two-factor that reduces the risk that your user will write it down where anyone can find it. >> several of you mentioned insider threats. with the previous panel we talked about flavors, malicious and insider. sorry, unintentional. regardless of the type, they could have catastrophic outcomes on an organization. the federal government, despite
2:03 pm
mandates and requirements to have these programs, it is still not being done across the board. i was curious as to some of your thoughts as to why this is the case and what can be done to change it? >> i think it is a three-pronged approach. it is people, process and technology. you have to train the people. i think it was isc squared. they did a study where they interviewed various departments across a bunch of different agencies. outside the i.t. department, less than 12% of the people thought cybersecurity was important. so people in operations, hr and procurement thought it was okay. the i.t. folks, the highest they got in cybersecurity care factor was 48%. there has to be better emphasis
2:04 pm
on training people on what they should do. the second thing is the process. i get back to, you know, providing that least privilege, providing the least access. one of the issues we have at the federal government and the insider threat is people get a chance to go other places. it's always the malicious person is rarely the person with wide open access or needs wide open access. it is the person that doesn't have wide-open access but they are able to hack themselves across the network to get to the place where the goods are. if you can provide them least access, as much as they hit the button, they can't go there. you are going to keep them processed. that gives you a good process. use technology that basically enforces it. that's what i would approach. >> we had lots of mandates from the presidential executive order back in 2011 that came out and actually said, we all need to be doing protections against insider threats and programs.
2:05 pm
the trouble is, all these mandates and requirements haven't come with funding. how do you do that? you have to buy systems and technologies to have funding to put behind people to run that program. one of the biggest challenges we all face and have to raise up and make it louder is we need funding behind this to actually implement these processes to protect all of our critical data. >> if i can add, too, you mentioned insider threat, everybody has heard the term. it is familiar. it is almost like a bad word. one of the challenges agencies have, there is a privacy concern. i don't want to be an insider threat organization looking in on my family. people i work with are my family. i don't want to find a bad guy sometimes. account lockouts, everybody has locked out their account. to the cybersecurity side, that's a headache. it's looking at how you're
2:06 pm
handling cybersecurity. a good one, lock-outs. on the cybersecurity side, that's a headache. they have to determine what happened in the lockout. did michael fat fingers do it and i have to reset it or is michael an insider? is he being compromised? is he coming in from the wrong place? if you can give the user, contextual information, hey, michael fat fingered on a monday morning from the same i.p. address. that's easy to reset. versus michael was locked out at 3:00 a.m. on saturday trying to gain access to systems he's never touched before. if you take that approach as i can make your business easier and be more efficient in your job. that's to me identifying insiders without saying insider threat. they bring a lot of visibility. there was a recent case, and it's never going to end. it's our approach on how we solve the problems. how do we make our user use better technology to be faster and make better decisions. >> insider threat is not a new problem. it took us 22 years to find
2:07 pm
robert hanssen. we've had espionage, corporate espionage that's not new. what's interesting is we had an unprecedented amount of data that's going to make us more effective and it makes it a much more solvable problem. you have h.r. data. knowing if someone is on a performance improvement plan or they're at risk of being fired. you need data to see if they're doing anything suspicious. so all these different data sources. then you have this scenario that organizations get scared of the edge cases where how would you stop a scenario, where i have an employee, his manager is torturing him. there are no hr records of it. he hits the point, that's it, i'm done, i'm going after this guy. let's say he goes out, opens up files he has access to, takes pictures on his cell phone. our users are pretty smart. they see cnn and realize you are watching. they tell you, we are watching you. our users know. now, i can go and let's say he takes his phone out and uploads it to wikileaks, how would you
2:08 pm
detect that? that's really scary because it would be really hard to detect and the ramifications could be really big. we can't get hung up in the edge cases. before we can worry about the really, really scary bad stuff, let's solve the 90% of the problems and then we can start to look at the edge cases. the other part of this is like computer network defense, with insider threat, it's not if, it's when. there's going to be a point where something happens and you need to have a recovery and response plan in place that people are trained on. when it happens, learn from it. were there additional technologies that i could have had that would have prevented it? all of that needs to be thought of. not just the program, but how to prevent it, but what do we do when it happens. >> you also mentioned areas to track, h.r. data, travel data. a lot of disparate and usually technologies and databases that don't touch each other, right? having solutions in place that help our analysts track all of
2:09 pm
that from one central location are solutions that work together to have a holistic picture of what our users are doing to protect them and the company as well. >> that's great. shifting gears to cdm we've been working on phases one, two, and three the last number of years. dhs has recently started talking about phase four, which is really focused on some of the issues that you have mentioned, that is protecting data that resides on federal networks. my question for you is, what technologies and best practices do you recommend to dhs to include in phase four of cdm as they start to put this together? >> the natural thing for phase four or protecting data is data loss prevention products and redactions products that can redact sensitive information based on use. easily filing things so that the wrong eyes don't get access to them. this technology is out there to do that. they are just difficult to implement.
2:10 pm
they are extremely policy based and to get them fully working, it will take a lot of time and money. >> cdm phase four is going to focus on protecting your critical assets and knowing where the sensitive data is. implementing the network segmentation environment is going to become very, very important there. it sounds clunky on the back end but if you have cross-domain technology that can help you access and transfer those multiple networks from one single location, it becomes easier for your users and you are very, the keys to the kingdom, if you will. all that data is in a very secure place. the access controls are there as several panelists mentioned. only certain people can get to that. it is very, very protected. >> there are technologies out there where you can by policy separate things, layer three, four, and five. as opposed to building separate networks. >> it's funny. when you mentioned this to me, i started laughing.
2:11 pm
i remember working on phase one years ago. the agencies were deploying it. i don't want to be negative. i am glad the dhs is doing it. it is a great program. one of the biggest comments and it is a challenge especially for small vendors is cdm contract is a great vehicle to get things going, but it doesn't always mean the best technologies are leveraged. that's still a major challenge. yeah, i'm buying x. why are you buying x? oh, it is cdm. not because it is the best product, because it is there. unfortunately, that's a bad thing with cybersecurity. we still need better initiatives to get better faster technology into these programs quicker. i think the government, again, they made a great vehicle to do that. i'm working to get my company into it, which is why i laugh, i'm working on phase three and four right now. i hope people think about how we get those technologies in faster and don't make a decision on a contract all the time. >> the problem with that is that price is right. >> i understand that. but it isn't just price. it's an awareness, right?
2:12 pm
>> price and cost are two different things, right? >> i agree. >> the importance of cybersecurity personnel training, again, this was mentioned earlier on some of these panels. what specific programs and methods have been proven most effective to change behaviors and is there a way to possibly leverage technologies and influence people's behaviors? >> sure. training something that there is really a couple things you have to do. first it needs to be engaging and people need to feel they are learning something and getting something out of it. if you're at the point where users are going through annual security training and they're clicking through. when i worked at the department of defense, we had rooms and you would go through the rooms. it's like, someone calls you up on the phone, now what do you do? and so, you know, i would try and get through as quickly as possible and answer questions and i'm done. it needs to be engaging and they need to feel like they are getting something out of it. the next part becomes, it has to be something that's thought about through the rest of the year. sending them phishing e-mails, see what they do. one of the speakers said about a
2:13 pm
cat video joke, but when i was working with the marine corps, everyone wanted to see the steve irwin video. so being able to test your users. i think the most important part of training with actually improving the part of your users where there is a punitive action if you violate what actually happens. i think that it doesn't necessarily have to be punitive. it can also be incentivizing someone where let's say you send five e-mails throughout the year that test whether or not they click on it or something like that. but maybe they get two hours per time where they are successful of extra vacation or something like that. that would cost a little bit of money but when we look at how expensive it is when we have a breach, i'm sure there would be a cost effective solution there. >> trish, i agree. i had a customer looking for positive behavior. one of them is making someone aware of touching something when you shouldn't. did you mean to touch that server? oh, what do you mean. they become more aware and are less likely to step out of bounds.
2:14 pm
give them an incentive. another one is, i get spammed all the time. i get phishing attacks and i want to press the button. i know i'm not supposed to, but i want to. part of that, why don't we share that? when you get spam, send it to the center, let them detonate it. share with the team, we had a spam come in. this is what it was. share that knowledge with people. again, people are not involved in it. let them share what they found. the other thing is text messages. i'm getting text spam. people aren't aware of that. if they're aware of it and can make it a program, share with me the recent attack, and let me see the result, it answers the curiosity problem we have. >> it is definitely a culture issue. i believe you brought that up earlier. we all have to be a part of that from senior executives on down to the line level employee. everyone has to be aware of it and part of it and all of the practicing the same saying hey, why did you do that? or laugh about the e-mail that comes in and someone will say, make sure you don't click on that. >> did you see that? >> don't open that linkedin e-mail from the person you don't know.
2:15 pm
>> those are all great points. i think what tony scott said earlier is important too. we got to get them when they're young. culturally, a lot of us are, us older folks, didn't grow up with technology. >> and i'm pretty sure that everyone on this panel, if i asked, what do you think the biggest risk to your network is, people would say user. i worked in help desk. we used to have a cartoon that said problem between keyboard and chair. we are afraid of our users, security professionals, but there are a lot more of them than us. the quicker we can turn them from the biggest risk that we're worried about to a force multiplier for us where they're actually engaged in helping us do the job, the better. >> that's actually growing with the coming on of all of the millennials. folks from that age bracket with our baby boomers. retiring at ever increasing ages. so we will only see more of that. they, from the millennial generation, are used to technology doing security for them. if there is even security at all. they just don't think about it.
2:16 pm
they are used to the technology. we take a different more cynical view of technology we don't expect it to do what it's supposed to do. they just expect it. they don't think about it. they move on. so that's only going to get worse. >> so our final question for the panel is really we're talking about some of the success stories that are out there, we know several agencies and private sector cios who are implementing wide-reaching, i should say, cyber hygiene programs. can you share programs and initiatives that you think some of the audience and folks at home can look to for guidance and or what are other ideas that you have that could help an organization put together a good program and change some behaviors you've been talking about? >> i think this success story is in pockets. because everything is pretty
2:17 pm
much stove piped. and i think it is difficult to get everybody on the same sheet of music. and until the executives organization, he or she or the group of them get together and say, here's what we're going to do, to mandate that, and i think that's the attempt of cdm on the federal side, is to put together a standard that of technologies that are mapped to the osi model that you can deploy and that all together will orchestrate this one single cybersecurity capability that will ensure the security of the agencies. >> anyone else? >> sure. so i was in a meeting, this is probably about year and half ago and it was talking about these really advanced things that we can do, you know, to improve cybersecurity. there is probably about a hundred people in the meeting.
2:18 pm
and someone literally stands up and says, you're talking about this. we don't even patch our systems regularly. so cyber hygiene is incredibly important. we have to think about this as a phase. if you're a 0, you're not going from 0 to hunting aps in a night. you have to think about this in phase approach, you have to think about this in layers. i do think that there are organizations that are out there and some -- i'm very fortunate, some of my customers i work with, i tend to work with customers that are forward looking and are interested in the intent as opposed to the letter of requirement. and there's a great example where cdm might say thou shalt do these things, and i'm excited and getting this and it will freeze me out to get additional capabilities that will take me further. i guess my response on that is take advantage of the programs that exist. take advantage of anything that people give you. and that will give you the opportunity to look further ahead and get to more of the advanced capabilities. >> definitely. things like the modernization
2:19 pm
rules that are coming online. we need to get our systems up to date. and we still have a lot of systems out there especially in the government that are running very old versions. you can only do so much with that. and it is not anyone's fault. again we are back to our funding issue, right? we just have to be aware of that and actually get the policies in place so we can get systems tested in a way that is fast enough so that we as vendors can then bring technology to you. and everybody wants to be there. we just have to take that phased approach and actually just chip away at it. >> i would add, you ask about agencies and programs, there are some doing great jobs but tomorrow they could be hacked. you need to think about that. there is a constant world of change. in 2009 i worked for opm and they won awards for being the most innovative as far as cybersecurity because they were taking advantage of technology at a time where others were not.
2:20 pm
we laugh now because they got hacked. let's realize that today that agency is doing great is only a few months away from being bad. the one that is bad could be doing good. cybersecurity is changing. the threats are always changing. and so don't penalize people when they fail. they learn a lot from the failures as well. keep that in mind. there's no one agency, program. it's always dynamic and continues to change. >> you hear cybersecurity is not a sprint. it's a marathon, and unfortunately, there is no finish line. it's not like i do these five things and poof, i'm magically secure. things will continue to happen. you will continue to have incidents. you have to learn from them, incorporate and make sure it doesn't happen in the future. >> i agree. it will never necessarily end. but anything you can do to reduce your risk, to minimize the points of attack and i agree, you can't go to college until you go to high school. >> great. with that, please help me in thanking our panelists.
2:21 pm
and i want to thank all of you for joining us for today's briefing. papers are available on our website for download. our next meetings are our annual gala and benefit at st. regis here in d.c. on november 10th. we'll be honoring tony scott and keith alexander. thank you to our speakers. see you next time. hillary clinton is campaigning in north carolina with first lady michelle obama. abby phillip with the washington post tweeted out this picture of the first lady's plane and hillary clinton's plane at the tarmac saying, flotus and hillary clinton arrive within a minute of each other in north carolina. c-span has live coverage of their stop in winston-salem. >> our children, they look up to us. what we value, how we treat others. and now they're looking to see
2:22 pm
what kind of leaders we choose. who we'll entrust our country and their future to. will it be the one respected around the world or the one who frightens our allies and emboldens our enemies? the one with the understanding of the challenges we face or the one who is unprepared for them? a steady hand or a loose cannon. common sense and unity or drama and division? a woman who spent her life helping children and families or a man who spent his life helping himself? our children are looking to us. what example will we set? what kind of country will we be? hillary clinton, because we're stronger together. >> i'm hillary clinton and i approve this message. >> far too many families today don't earn what they need and don't have the opportunities they deserve. i believe families deserve quality education for their
2:23 pm
kids, child care they can trust and afford. equal pay for women, and jobs they can really live on. people ask me, what will be different if i'm president. well, kids and families have been the passion of my life, and they will be the heart of my presidency. i'm hillary clinton, and i approve this message. >> what's at stake in this election? it's not just who goes here. it's who rules here. the supreme court. the justice who guarantees your right to own a gun is gone. now, the next president's choice breaks the tie. four supreme court justices support your right to own a gun for self-defense. four justices would take away your right. >> the second amendment is outdated. >> the right to possess a gun is clearly not a fundamental right. >> what does the second amendment mean to you? >> not the right of an individual to keep a gun next to his bed. >> and hillary says -- >> and when it comes to guns,
2:24 pm
there are just too many guns. >> the supreme court is wrong on the second amendment. >> hillary's made her choice. now, you get to make yours. defend freedom, defeat hillary. the nra institute for legislative action is responsible for the contents of this message. >> evan mcmullin is an independent presidential candidate. mindy finn is a vice presidential candidate. both joining us from salt lake city. thank you very much for being with us. >> great to be with you. >> mr. mcmullin, let me begin with you by the numbers. how many states are you on the ballot and how many do you qualify for write-in votes and how do you try to get to 270 electoral votes? >> well, we will appear on the ballot of 11 states, and then we will be registered as a write-in in a number of others that will total, including the ballots where we appear actually on the
2:25 pm
ballot, 43 to 45 states by election day. so the vast majority of americans will be able to cast a vote for us. but the reality is that reaching 270 votes on november 8th is going to be very, very difficult given the fact that we're a three-month presidential campaign and as a result also related circumstances. but our strategy is different. that is not actually our strategy. our strategy is to win as many states as we can in hopes that if the election is close between hillary clinton and donald trump, we could block them both and prevent them also from gaining the majority in the electoral college, that 270-vote threshold, and in that case, the election would go to the house of representatives where we like our chances. >> mindy finn, one of those states, utah, where you are today, and it has not voted for a democrat since 1964. and yet with governor mike pence campaigning there today as part of the trump/pence ticket, it's very much in play.
2:26 pm
why? >> well, utah is a conservative state. and donald trump is no conservative. throughout his entire adult life, he was liberal on abortion, on health care, on the second amendment. he changed those positions to run as a republican. in the primary here in utah, they rejected donald trump. we had concerns about him from the beginning. it's impacting their views on the republican party. more so than republicans, they are conservative. we're the only conservative ticket in this race. we're standing on principle, foundational constitutional principles. and that's why they're gravitating towards our campaign. >> evan mcmullin, story today in the "new york times," deep divisions in the gop. a lot of questions, what happens after the election. let me go back to your earlier point. what role do you and your running mate want to play and where do you see the future of the gop heading? >> well, we definitely believe that our role will be as a part of the new conservative movement, the very movement that we're building here as a part of this election. the question is, what role will
2:27 pm
that movement play? we do leave some possibility, we believe that the republican party may reform after this election. but having both had direct experience with that effort from within the party, we know how difficult it is and believe that these are challenges that the party will face on a generational basis. so it's very difficult to imagine that the republican party will be able to shake off trumpism after this election. these problems existed before trump entered the race. we knew about them after 2012. the party wasn't able to adapt, however, and now that trump has had the success he had, even if he loses badly in the general election, the people who are supporting him, i think, are empowered and will be empowered even after the election. the reality is that we believe this conservative movement may need to take the form of a new political party. it's simply true that those of us who are constitutional
2:28 pm
conservatives who believe that all men and women are created equal and that we all have unalienable right to life, liberty, and the pursuit of happiness and government should be limited and it only derived power from the people and not the source, those people who believe that thing, can in no way support a party that goes down the road of populism and white nationalism, which is where donald trump would like to take it. so if that's what the republican party is going to be, there's no way mindy and i can be a part of that. we have millions of people across the country supporting us, many of whom feel the same way. >> are you saying we could see a new political party? the republican party divided basically in half, the creation of a new party? >> yes, i think that is very much a possibility. >> and let me go back to this idea of trumpism, mindy finn, because it's not only donald trump but 13 million voters in the primaries supporting him. he beat out 17 candidates, and
2:29 pm
so there is a base within the gop where the trump message has resonated. what do you say to those voters? >> well, i say that, you know, their frustrations, some of it is founded, well founded in that they have been left behind. we have an economy that's been transformed because of technology and due to automation, many of them have lost their jobs or they're facing wage stagnation. the party for too long has been more focused on those who write the big checks and not the base and people voting for them. that frustration is very real. however, donald trump, while maybe a very loud, bombastic voice, is one that is really just -- is kind of using them for his own political power. he's been a liberal for all of his adult life. and more so than that, he's tearing the country apart and undermining our democracy by demeaning hispanics, african-americans, women, people with disabilities. we're a country who has legitimate reason to distrust institutions but now we're being
2:30 pm
ripped apart by a man who demeans all those groups and calls into question whether our democracy is rigged. people are turning on each other. the republican party is falling apart. there's no body for conservative values. we need to think about the future. that's who we represent, this new generation of leadership who understands the concerns of the same voters who gravitated towards donald trump, who like the fact that he talked directly and plainly and to them. but we have a positive vision and one that can unite the country, not one that's going to tear us apart. >> evan mcmullin, what will the headline be the day after the election? who wins the presidency? who wins the house and senate? >> hmm. well, you're asking me to do something that's very difficult, of course. you know, i believe that the polls probably reflect the accurate state of the race and that hillary clinton is dominating donald trump very strongly. i would expect, sadly, her to win and be our next president.
2:31 pm
but you know, whether it's her or donald trump, i think they're both people who want to grow the size of government and who don't respect our constitution in the way that mindy and i believe it should be. and so that's what i think the outcome will be of the presidential level. i believe that republicans will likely hold on to the house and the senate is less certain. i just don't know. it's hard to predict, but i think donald trump is definitely making it much more difficult for republicans to hold on to the senate and for them to hold on to the margin that they have had in the house for the last couple years. >> evan mcmullin, mindy finn, independent presidential and vice presidential candidates joining us on the campaign in salt lake city, utah. thank you both for being with us and here on c-span. we appreciate it. >> thanks for having us. >> thank you. on election day, november 8th, the nation decides our next president and which party controls the house and senate.