
tv   Key Capitol Hill Hearings  CSPAN  December 30, 2013 10:00am-12:01pm EST

10:00 am
learning and education. followed with a look at his presidency. and at 10:25 p.m., a talk about washington's defeat at the battle of brandywine, a lesser-known battle that was fought in the earlier stages of the american revolutionary war. >> he says what he thinks, no matter what it is. sometimes -- i think you have to be political in a certain way. i think you have to be honest and say the same things. still, you have to cater to people, sometimes, i think, and know what they want and need in order to influence them to vote for you. it's not being dishonest. it's just finding out what they want and knowing -- letting them know how you can help them with that problem. >> first ladies, influence and
10:01 am
image, season two. this week, lady bird johnson to rosalynn carter. and highlights weeknights at 9 p.m. eastern on c-span. the national consumers league held a daylong conference earlier this month in washington dc that focused on identity theft and data security. the discussions from that conference. it deals with how identity theft has evolved through the years as well as what consumers can do on their own to protect their personal information. this is an hour and 20 minutes. >> thank you. i'm rob pegoraro, or so you have been led to believe. let's -- why don't you all introduce yourselves briefly, explain how you get to this issue and we'll get to it? >> my name is andy bonillo, i'm from verizon, director of cybersecurity and public safety. at verizon, we handle hundreds of data breaches for our clients
10:02 am
around the world and we have this unique position where we get to see what happens when security fails. so as we are traveling around the world investigating crimes that leads to ultimate data theft and we felt the need to share and research that perspective with the rest of the world. we put out a report every year. it's a data breach investigations report that you can get from verizon.com, just google dbir, data breach investigations report and you'll be able to get to it. prior to that i was with the secret service, so part of today's conversation -- i've been involved in investigating and consulting on identity theft since about 2001. i will be sharing some insights from the law enforcement component as well as my private sector time at verizon. >> hi, i'm abigail davenport. i'm with hart research and we're a public research and strategic research firm. i do research on a wide variety of topics, but have had the privilege of doing research for the family online safety institute for the past few years on issues related to parents and teens and their attitudes about
10:03 am
privacy, security and online safety and identity theft, particularly most recently in the fall, we did a survey of teens looking more specifically about their attitudes regarding identity theft, what their behaviors are and what they're doing to protect themselves, what they might be able to do more of. i can bring that perspective in terms of parents, teens and the way they approach this issue. >> my name's allan friedman, i'm at brookings. i used to be a computer scientist and i wasn't very good at it, so i got a degree in public policy which makes me a mediocre economist and a mediocre political scientist and a mediocre organizational behaviorist. when you're mediocre at that many things you sort of have to move to washington. i have been here -- a few years ago i wrote a paper on identity fraud from a systemic risk perspective and i'm also here to plug a book coming out in january, "cybersecurity and cyber war," which actually ties together how these different
10:04 am
issues are related to these broader international discussions at cybersecuritybook.com. >> my name is zach intrater. i am an assistant u.s. attorney in the district of new jersey. i work in the economic crimes unit and more specifically i am part of the computer hacking and intellectual property section in our office. our office is one of the first ones to start up a so-called chips unit, the coolest unit in the office, obviously. i work on these types of cases pretty much every day. >> let's go to the first question. javelin strategy does a lot of research on identity theft and the latest stats, i was looking at them just now, the problem in financial terms peaked in 2005 at $32 billion and now it is down to only $20.9 billion in 2012.
10:05 am
which is great except the percent of u.s. customers hit by identity fraud seems to have stayed around five percent for the last seven years. so is it just getting -- has the profit margin just gone out of this, but not enough? what is the overall dynamic we see here? >> certainly, i don't know the population statistics, so i apologize for not knowing. the population may have grown since. but we see that the number of data breaches is certainly going up every year. we analyzed 47,000 incidents last year. 621 of them resulted in data breach. when you look at the evolution of the criminal and their desire to go after a central location of large amounts of data, it really plays a contributing factor.
10:06 am
>> building on the idea that a lot of the risks we are seeing is emerging from data breach is a study that came out of carnegie mellon a few years ago that found that data breach notification laws actually helped. the ftc collects state by state reporting data and looked at how states adopted data breach laws which happened over a period of time and found that on average about six percent reduction, which is a large number when you talk about the numbers we have been talking about, make a difference. the bigger question is how people are using this data. andy is completely right. these are criminal acts and the question is how are people actually extracting value from the system. credit card numbers trade on the open market for dollars. certainly andy can tell you his group has done a lot of work on that. i interpret that fact to say that the real heavy lifting is not getting the data, it's using the data. if i have your credit card i can go on a nice spree, have a nice night on the town. if i have all of your credit cards, that doesn't scale. so the defenses have to focus on changing the economics, raising
10:07 am
the cost to the attacker of efficiently and most importantly automatically extracting data. anytime you can remove the computer as a tool from a cyber criminal and make them do things by hand, you have helped reduce crime. >> that is an excellent point. if you read up on malware, viruses, trojans and spam, the discussion is too focused on technology. it is a business. it is a stupid business and a criminal one, but there are economic motivations and if you can make it more expensive to try and make a living this way, realistically if criminals wanted to work hard they would get a real job. >> i hate to disagree right out of the box, but i think a lot of the criminals that we look at, especially the sophisticated ones, really do treat it like a
10:08 am
job. i get up in the morning and go to work, these guys get up later than i do but they work just as hard. it is remarkable when you're sitting across the table from someone who you have arrested and who you are now proffering, and you realize just how much work it is. just to build on what allan said, monetization is not a simple thing. especially if you are obtaining large amounts of data, oftentimes, you need a network of lower-level people, you need runners, you need people who you can sacrifice if things go wrong and it is much more difficult than you would think to actually pull the dollars out of stolen identities. >> one of the bigger case that came out, you probably remember the name, but he was linked to compromising 30 million credit card numbers and the department
10:09 am
of justice filing demonstrated that he had earned $200,000 over three or four years. that is not a lot of money for a smart guy in the tech industry. >> that being said, albert gonzalez had $1 million buried in his backyard. what we're focused on here is infrastructure that the criminals are leveraging. over time, you will see as we go through the panel today, the evolution of the cyber criminal and the infrastructure that supports him has evolved. those that were committing the crimes that were impacting us 10 or 15 years ago are now the ones that are commercializing and industrializing the underground. the commoditization of malware, leveraging, bulletproof hosting and other types of infrastructure for making it much easier for most that wouldn't have programming background or computer science background to engage in cyber criminal activity. that is going to provide the anonymity. with zach and what his team does, i don't think the
10:10 am
public truly understands how difficult it is to merge the online identity with the real-world identity. that is a very daunting task and it becomes quite cumbersome. the efforts that law enforcement around the world and secret service and those investigations do a really good job to merge that and it is very challenging. the results of that give us a bigger, broader picture that we will paint for you today. >> the second question may shed light on this. another stat from javelin, 2010 11.8% of notified data breach victims are victims of identity fraud. in 2012 the number had climbed to 22.5%. it seems that we are talking about industrializing and getting a mechanism exploiting this. obviously if you can get a bunch of credit card numbers, other data points about someone all at once, it is easier to monetize that.
10:11 am
to what extent can you drive up the cost of that. besides, if we assume that data breaches are still going to happen at some level, what is the next step to try to increase the cost of actually getting the money out of the data you have acquired? >> i'm going to speak for my law enforcement background here and not necessarily from the verizon brand. what is interesting about the evolution of the infrastructure is that it is built upon a certain mindset. that mindset has been embedded within that culture for well over a decade. in order to operate within that environment you have to have certain skills, you have to have a certain respect for the community, if you will. it polices itself. as that evolution and mindset has been permeated, it is not a large group of individuals. we are not fighting, at least
10:12 am
that are affecting the payment system when we talk about identity theft, it is a very small number. it is not a large group of individuals. it is those that have honed their skills. >> can you give a number on that? >> i would like to not. because i don't want to give any kind of indication to the criminal. at the end of the day i would say it is less than a few thousand, if you will. but that is important to understand because zach and his team and law enforcement are having successes every year, we focus on -- but i think we understand the importance of that one or two arrests a year of that high-level criminal because we don't truly understand what it means. and we look at data breach statistics i could map from 2008 until now changes in the statistics and the methods of the bad guy and how they have to attack organizations and their shifts and the cat and mouse game every year in the data breach report that we produced. there are statistical changes of how bad guys are having to go after the data they want based
10:13 am
upon those arrests. i think that is an important part. even though statistically there are things that are occurring year-over-year as far as security organizations, their weaknesses and vulnerabilities that exist, the bad guy still has to find different ways and we see this changes year-over-year in the statistics. >> so just to sort of get back to the economic angle, i guess there's a certain amount of competition in the market. maybe that explains the cost -- >> they are about renewable process and return on their investment just like any other business. if they find a vulnerability they can leverage that vulnerability across a specific sector or a piece of software. they will do so. >> and is on to the next thing. >> this is an embarrassing story. on one of the first talks i gave after my phd i started to make the case that cyber crime isn't a law enforcement issue. i gave it at an interpol conference so it didn't go over very well.
10:14 am
i got a good education shortly thereafter. i think there are some things we can look at. we are seeing a change in the curve of what the law says. for example, for payment card fraud, a lot more people are getting notifications because there are a lot more cards out there. when you talk to the processors a lot of those are test cases. they're trying to find out is this a good card and that triggers an alert and once you get a phone call from your credit card company you're going to say yes when javelin calls you. so we need to understand the data and the different types. similarly, when we are talking about the organizations, banks have been interested in understanding the value of their own internal credentials, protecting their brands against phishing, they go after phishing websites that are their brands. but it wasn't until recently that the banks are going after money mule sites, huge network of websites that are trying to recruit individuals to act as
10:15 am
patsies. these are the runners that we talked about. the banks have said hey, this affects our business we have to go after this as well. i think it is important to draw a distinction between how you raise the cost of the payment card sector versus the broader more complicated frauds that do require the sophistication that andy talked about. >> so this question is for zach. in july the u.s. attorney's office in new jersey announced the biggest data breach in history involving the theft of more than 160 million credit card numbers, which statistically some of you must have been the victim of that. hundreds of millions of dollars in losses. this is a big difference in the scale of what they're doing?
10:16 am
>> the short answer is yes. it goes back to something that andy said earlier, which is that the population of people who are really sophisticated is shockingly small. i think there's a perception out there that every other eastern european teenager in a sweatshirt is able to pull data out of the cloud and essentially terrorize americans and western europeans. it is not the case. if you really want to engage in this kind of high-level long-term activity, it is extremely difficult. you need a tremendous amount of skills, but even more importantly you need a group of people who have a division of labor. we think what separated this crew out from your run-of-the-mill group are a few things.
10:17 am
the biggest thing was being patient. these guys were willing to wait for six months or a year after infiltrating to hang out essentially in the systems and not exfiltrate any data so that the systems would not necessarily see brand-new code and then immediate exfiltration and look to see what is the change, what took place just now that allowed the exfiltration? so they waited. if you are desperate for cash and only looking for a quick hit, you're not going to take that time. the first difference between these guys and almost anybody else was that they're willing to wait, they're willing to be patient. second, they had this division of labor where they had specific people who were skilled at the initial hack. then there were people who were skilled at exfiltration and finally there are people who are skilled at monetization.
10:18 am
most groups, most gangs don't have that kind of really specific division of labor. the other thing that should be pointed out is that the case we announced in july was really a continuation of the albert gonzalez case. albert gonzalez case was an amazing case for a number of reasons and andy worked on it. i was still in high school, i think. no, no. [laughter] it was an amazing case that resulted in the longest sentence in cyber history. albert gonzalez is serving 20 years right now. it was amazing for one reason
10:19 am
, that albert gonzalez was caught initially. he flipped and began cooperating at a very high level and at the same time that he was cooperating at a high-level on the one hand he was hacking at an extremely high level on the other hand simultaneously. he is quite a character. he was caught again and his arrest really spurred on this heartland case which was still producing results as of july of this year. andy can probably give more details on exactly how the case went down. >> this next question is something we've gotten familiar with in my home. if you have a credit card long enough you will get a nice letter notifying you that there has been a data breach and you should check your credit report, inform your bank, change your passwords. i think i got two of those a few years back.
10:20 am
do any of the steps that are recommended in those letters, do they actually do anything? i have to say i don't know that we actually did any extra checking of credit reports. our finances seem normal, from then on it seems like nothing happened. is that advice constructive? >> personally i think the answer is yes. i think that anything you do helps. there are real-world analogies that work. so thieves are looking for soft targets on the subway, soft targets if they're burglarizing houses and they're looking for soft targets if they are engaging in identity theft in data breaches. if you change your passwords on a regular basis, if you use longer passwords, if you use two-step identification, any of those things are going to put you
10:21 am
ahead of 99.9% of the population. nothing is going to stop the most sophisticated person perhaps from obtaining your data, but if you get to the next step and it is time for monetization and your information is a little more difficult to obtain, why would they spend the time if you're just a regular person, to obtain it as opposed to going down the line and finding the person whose password is 1234? which is not a good idea. so all those things work. longer passwords, changing your password, the head of the fbi's cyber unit in new jersey had the -- he has now left, but he had a that would be extremely useful and extremely effective. he said anybody can go out these days and buy a laptop or desktop for 300 bucks. you buy laptop for 300 bucks,
10:22 am
you set it up in your house and the only thing you do on the computer is your online banking. the only thing. you don't check the "new york times" or your gmail or anything except your online banking. you turn the computer off and you're not using it. that would make your bank information a lot more secure. >> i would say get a linux cd and do your banking off that and you don't even need to get an extra computer. just get a linux cd and just boot it off that. >> sure. does that make you 100% secure? no. >> because the bank would have a data breach. >> yeah, but does that make you a heck of a lot more secure than anybody else? absolutely. there are the steps that you can take and the answer for each one of them is yes. >> i would agree with the fact that it is valuable. we all play a role in protecting data and if you look at this on a broader level, all this revolves around the active criminal. anything that we can do
10:23 am
-- anything that we can do to protect ourselves, right? and also give some sort of assistance to law enforcement and their efforts to try to combat this crime and these threats. every major digital breach -- data breach that we read about in the news that resulted in identity theft leads back to the street on some level. if you report something that happens to you, then law enforcement can take action, then eventually that all adds up to give law enforcement more information and leads to work off of. albert's original arrest was at an atm in new jersey or new york. everything goes back to the street. i think we forget because it is hard to demystify cyber. it is hard to put a face to cyber. it is being conducted by real humans with real skills and they all live and walk. they could be anywhere at any time. i think it is important that we look at this -- those steps are reactive steps. if we can take the steps proactively,
10:24 am
-- that may give us much more of a fighting chance as individuals and certainly organizations around the world are now at a point where they are doing the same for themselves. they realize that the results of their security and the other efforts that they put into this are now -- they affect the livelihoods of others and they are taking security very seriously around the world. >> next question is abigail. hart has done some interesting research. only 11% of teens say they felt personally vulnerable to identity theft and only 20% of teens say they had posted the following, whole name, date of birth, self-portraits, name of their school and e-mail address. do you think they are more or less vulnerable to id theft than in the past? >> the gentlemen here would know more in terms of the law enforcement side and the technology side but in terms of the behaviors and what teens say they are doing, i think just the virtue of the fact that there are so many more platforms they are using
10:25 am
and so many opportunities for them to be sharing information about themselves and they are doing so would suggest to me that the threats are greater than they were in the past. interestingly, teens -- the issue of identity theft is on the radar. people have talked to them about it, the idea that the security of the personal information is something that they are cognizant of and that they say is a concern for them, but there is a disconnect because they are teenagers. they don't see that they have anything worth stealing. they don't personally feel vulnerable. they make a distinction between themselves, friends, and their parents and recognize that when someone is an adult they perhaps do have something that can be stolen and they mostly focus on credit card fraud, the idea of credit or a credit history is not something that teens really are aware of much less even in focus groups we did we try to talk about that a little bit and it just kind of goes over the head. it is more concrete for them if you have a credit card and someone
10:26 am
can steal that number and you are on the hook for whatever they have charged, that is more concrete. i do think that there is an awareness there and the question is, the ftc's report showed that 18 to 29-year-old people where particularly the prevalence of identity theft was high there and these folks may know more about these figures, the question i would have is there is an awareness there but they don't feel vulnerable now but there's clearly room to educate kids and parents about what teenagers can do. there are some things they are doing. for instance, using a variety of passwords. about 54% of teens say yes they do that. on the other hand, they recognize that is the most helpful thing they could do to protect their information. there are a lot of them that are doing it. the focus groups say that is complicated and burdensome and the idea of a dual authentication -- what, i
10:27 am
logged onto facebook 20 times a day and i have to do that every time? there is this convenience factor which overrides any particular personal vulnerability they feel. i do think there's a question of are they going to age into adulthood when they go on to college and out into the real world and start to take out loans for their education or credit cards. are they going to bring an awareness of the issue that i don't think was there as much for previous generations. whether they take the steps to protect their information as needed in a more comprehensive and complete way will remain to be seen. i think the threat is greater now, but there is an opportunity because they seem more aware of it and they recognize that once they become adults, once they get a credit card, for instance, then they are particularly vulnerable. will that play out in terms of their actual behaviors. >> to avoid having to seem like
10:28 am
a what is wrong with kids these days, i might as well share this anecdote from my own past. when i was a college student the laws of the district of columbia were looser. i made a fake id based on my college id and my college id had my social security number on it. this was 1989, which i then put on a fake id, too. because sure, why not. i think today's kids are a little smarter than i was. >> can i just go back to one thing? this is above my pay grade, but as a federal employee, most things are. look, the harsh reality if you want to call it harsh is that security and convenience are in constant tension. and we recognize that. corporations need to recognize that because there are sometimes that corporations perhaps make it easier to access your data
10:29 am
than it should be based upon their understanding and their history. they want to provide their customers with the most convenient and best possible interface they can. they're afraid that if their services are harder to use than their competitors, then people will migrate to their competitors. but we are all responsible. everybody is responsible for taking the steps that they can to make themselves more secure. who wants to change a password every two weeks? who wants to do that? but we should at least recognize that as a starting point that these two things are in tension with one another. >> i think if they recognize the personal vulnerability more, that tension would be greater than they might have a harder time always going down the road of convenience. one thing that is interesting, we did ask kids if their social
10:30 am
security number is available online. 75% or more said what their name was, and others said their school. but only two or four percent said that the social security number was. in this focus we said, kids clearly have been told not to carry the card with you and never give the number out. i think it is also worth noting that they don't know their social security numbers so it is not something they're going to share off the top of the head. they have heard this message and that is something that they don't really understand why it is important, but they recognize it but telling them that is something you shouldn't share with anyone. >> if i could add one last thing, i think it is important as we talk about vulnerability, it comes down to the motivation of the attacker. certainly the more data we put out, whether you are an adult or teenager, we don't all know
10:31 am
where that data goes, right? it does come down to some extent to what the attacker wants. >> the next question may speak to that. this one is to allan. he did a paper in 2011 on identity and consumer trust suggesting that what is under threat is not credentials but the whole identity layer of the internet. this is never part of the original architecture but it emerged organically through linkedin, facebook, foursquare, whatever. how well can you protect your identity while documenting yourself through these different portals? >> this is why i hate the term identity theft. if i am going to steal abigail's water bottle, we as a society have two things. we say allan if you steal her water bottle we're going to find a piece of your anatomy and chop it off.
10:32 am
but we also say abigail why did you leave your water bottle next to this guy who looks like allan. come on. we intuitively understand that we have a responsibility to mitigate theft. it can't all be law enforcement. don't park in that neighborhood, lock your doors, have insurance. these are all things we intuitively understand as part of the theft model. but what we are talking about is more of the case of me going to andy and saying, andy, i am abigail. can i have my water bottle please? here is my business card. if you want to stop me you can go after me with a big knife or what can we do to empower andy to make better decisions about whether or not the person claiming to be abigail is
10:33 am
abigail. there are a couple of implications for that. one is to compare the payment industry's response to fraud and the broader response to fraud or the more complicated frauds. we have consumer protection laws in this country that were fought against by the early credit card companies. now they turn out to be their best friend because consumers weren't afraid to adopt credit cards in america. we can argue whether that was ultimately a good thing. we argue that it is inconvenient. we have to go back and said did make a purchase but most of the responsibility rests on the banks who are in the decision to align responsibility. this broader question of opening up new lines of credit or obtaining access to goods and services which require things like social security numbers
10:34 am
-- or other information, which by the way, if i see your social security number i can tell when and where you were born. why isn't anyone looking and saying hey that person is a teenager they can't possibly have a mortgage with that number. we need to figure out how we put these protections in at the decision-making process. unfortunately, there is a financial conflict of interest. these same people who are responsible for making the decisions about how and when to grant credit also have a vested economic interest in ensuring a consistent availability of their services to make that decision. you have people proposing that maybe teenagers should have a lock on their ability to take out a large line of credit. that seems like a no-brainer. using the nudge-based regulation saying let's make it harder for everyone to get a line of credit.
10:35 am
it is going to be harder to get, so we are raising the cost to the attacker. the real risk is when does fraud get high enough? when are the criminals getting systematic enough that they are actually going to break the authentication systems that we use now? that is username and password right now. when the back-end fraud protection fails to keep up, you are going to have decision-makers who are going to say well, here is my fraud rate, my profit enabling on the backend. when that fraud rate gets too high, as a society we will lose some very important infrastructure that has made a lot of things cheaper and easier. >> this next question -- a few years ago the advice you get was very stereotypical i.t. request
10:36 am
that you blog with a different password and change your password every two weeks. do you think that is the case? if it is not, what else is going to take to ensure that it is not so simple to take over my account and act as me? >> i can take a stab at that. 76% of all data breaches that we analyze, the attacker leveraged weak or stolen credentials. two-factor identification solves that statistic. that would be one mitigating factor if you can employ that two factor technique. this points back to how i can become you without interacting with
10:37 am
you. we go back to the human factor. 95% of all state-sponsored acts that we investigated -- that had a state affiliation -- leveraged phishing. we partnered with a company that contributed to our report last year and they found -- what they do is phishing education. in reality, an attacker really only needs to send you or your organization seven to eight e-mails to have a very high success rate.
10:38 am
we start talking about return on their investments for them and knowing that the lack of two factor authentication continues to work, we need to employ some strategy that helps them change that behavior. >> i'm looking through the apps on my phone and i have an authenticator which works great for my google account and wordpress blog. i have it turned on for facebook and twitter. my bank will send me a code if it sees me log in from an unusual place. the problem is when i don't have that option. the business banking account i have, i don't think that is supported. i am a fios customer. does verizon have a department for that? you hope that the
10:39 am
provider that has data about you offers it or will offer it sometime soon. i say this not knowing a lot about the burden involved in setting this up internally. you think this is going to be a commonplace thing right after you set your username and password, give us your mobile phone number so we can have that? >> certainly we as a company take great strides in security efforts to protect our consumer data and the privacy of our customers' data. we take a look at what is happening in the threat landscape, what is failing around the world and how we can offer solutions to mitigate that. some of the things we do is work on developing stronger authentication infrastructure. we offer a lot of strategies to our mobile device. that is an important problem that we are committed to solving.
10:40 am
>> for two-step authentication to work -- i have to enter the code. facebook will only ask me to submit the code if it is a strange log-in from a new location. for that to work, these companies need to know a lot about you, same as your credit card company knows about where you spend. are we as a society ready to put that trust and say yes you should be peeking at what i'm doing all the time so you know when something, a login that is supposed to be me is probably not. >> i can say that for example the steps that banks take when you apply for a credit card online.
10:41 am
i'm sure you know and some of you don't, if you apply online, the bank places a cookie on the machine that applied for that credit card online. i'm working on a case now, it is a charged case, an indicted case. we took down about 25 people in new jersey and new york and pennsylvania, mostly around the northeast, who had applied for and received tens of thousands of fraudulent credit cards. this is one of the -- this is not a tremendously sophisticated fraud. they had a huge network, dozens or hundreds of people working for them and they would apply for credit cards online, receive
10:42 am
-- direct the credit cards to addresses that they controlled, have runners go out, collect credit cards, use them for a really decent period of time, build up the credit slowly. a tremendous amount of the evidence that we have been able to obtain is to say from this address we know that 44 credit cards were applied for from the single machine. that is extremely helpful to the eventual prosecution. we query why it was on the 43rd or 44th application from the same machine there wasn't an automatic rejection. maybe the bank thought it was a start-up founder and is trying to -- >> the same applies in stolen identity refund fraud.
10:43 am
i don't know if you know about that, but this is something that affects all of us directly because it is money that is stolen directly from the u.s. treasury. stolen identity refund fraud is the theft of real people's social security numbers and the filing of tax returns using the social security number of real people. the thieves direct -- they fill online usually now, they fill out tax returns that indicate that the applicant is due a refund. they direct the refund checks to addresses they control, again runners go out, collect the checks and deposit them into accounts that the thieves control and spend the money. you might be shocked to hear that stolen identity refund fraud cost united states treasury $2 billion a year, every year. to me, that was a shocking amount. a lot of the stolen identity refund fraud is centered on puerto rican citizens because
10:44 am
they have social security numbers but they're not required to file 1040s unless they do work in the continental united states. you have a big pool of social security numbers that will not already have 1040s filed. we broke up a ring in a case that i worked on with about 14 arrests and about $65 million in real losses to the united states treasury. why is it that -- again, the irs knows where the online tax refund applications -- sorry, where the 1040s are being filed from. they can tell you that 56 1040s
10:45 am
were filed from the same computer. we had one in the bronx that had filed hundreds of tax refund applications. well, if you can tell that there are hundreds of applications being filed from a computer, why would you accept anything beyond the first? if you want to say well, h and r block is going to file hundreds of applications from one computer, then fine, all tax preparers should have to register with the irs and say that this ip is -- i think that this is all a continuum. corporations and the government, we are moving towards greater security and it is the cat and mouse game referred to before, but lots of steps can be taken that would make us more secure and make it a lot more difficult to monetize, i think, the fraudulent information. >> the difference between public
10:46 am
and private responses to id theft is something we talked about. it does seem that if you compare the loss prevention routine that credit card issuers -- you wonder if the irs is as good at catching fraud as american express. what would we have? to what extent could you improve that given that more effective irs enforcement gets people upset a little bit? >> that is exactly right. it is a resources issue. it was said earlier to really effectively monetize a stolen identity refund fraud scheme, you need a lot of people. people really need to work together. you need crooked postal workers. what we will see is the postal service is beginning to track
10:47 am
this stuff. you will see that 700 tax refund checks fraudulently obtained are delivered along the same mail route. so what does that mean? all of this stuff is so reactive because we first see that, then you have to start at the bottom with a mail carrier. you try to arrest a mail carrier and flip the mail carrier and then you get to the next up and the next up. the people at the top of the pyramid are really sophisticated. but you have to get to all the other layers -- >> it is starting to sound like an episode of the wire. >> yeah, it is hard. our case was a great case. not to take too much credit, but it was a $65 million case. the problem is a 2 billion dollar problem. people like me who are on the line are not going to be the ones who will solve that problem systematically. that is the reality of the situation. >> one of the reasons why we do
10:48 am
the data breach report is that most organizations are protecting themselves to some extent in theory. we try to bring in evidence-based risk approach to the problem. it is hard for individuals to understand until they understand what reality is. we have the true knowledge of the problem in the threat landscape and it is important to understand our attacker. in the effort of attribution, law enforcement gives us methodologies and things like that that help us understand and demystify the threat. but as security professionals we have to look at what are the products that we sell, what are the methods we use and what vulnerabilities we are creating. all of us have to take ownership in understanding what vulnerabilities we introduce, what is a threat landscape and how does that landscape apply back to ourselves? constantly going through that process. that is on an individual basis,
10:49 am
as an organization, if you develop software applications, if you protect fortune 500 security determiners, whatever that might be. >> the next question governs the study the federal government did in 2007. which if any have you seen as being most effective in lowering identity theft rates? >> i like the red flag rules which grew out of this. it basically is a lightweight approach to regulation. it doesn't prescribe particular processes. it also doesn't prescribe -- you have to hire a consultant to give you a process which is the sarbanes-oxley model.
10:50 am
you have to have a plan so that if something bad happens to your organization we are going to come and look to make sure you actually did have a plan and were looking for bad news. that is a very nice lightweight model of the government identifying risks without being overly prescriptive in a way because information systems vary so much across companies. you cannot have a one-size-fits-all model. >> abigail? >> i think it comes back to as we evolve and look at the landscape and it is constantly changing. with the changing model being able to point to yourself. i try to tell organizations that
10:51 am
your best intelligence source -- a lot of the threats and things that happen on the street happen to us that we don't know about. i think the efforts here are for us to look at ourselves internally. if you look at data breach notifications, 86% of all victims were notified by somebody else. i think that is important part. with the red flags portion, that is a big part. understanding the landscape outside of us and pushing it back in. >> i will say that the recommendation i liked was don't use social security numbers so often. and yet healthcare.gov i had to provide my whole ssn 12 times.
10:52 am
sometimes you can't get around it. >> there is an important point to make with regard to how we build systems. social security numbers are absolutely critical. we need them and we have to use them. but we have to treat them as an identifier. you know me as alan friedman. that is not a secret. the distinction is that we have also decided to say well, it is also an authenticator. we use the same thing as an identifier, how the computer looks you up in the system and there's only one you. we also say we assume you're the only one who uses it and therefore use it as an authenticator. that is the real danger of where we switched and in fact if you pull out your social security card, it says on them not for use for identification purposes. we have decided to do that, but we also need further layers in
10:53 am
the authentication system to help provide that support. an interesting study, your social security numbers were predictable. it is a function of where and when you're born, the first five digits. there is a wonderful study that basically went from taking a picture of you to actually being able to guess with 60 to 70% accuracy the first five digits of your social security number by doing facial recognition, mapping it to online social network profiles. if you are hometown and birthday, then you have got a good chance at guessing. that demonstrates how we can't assume that the data we have is private anymore. >> i'm thinking of what a clear picture of my face i posted on
10:54 am
linkedin and twitter. the next question will catch all of us here. so much has changed in terms of ways of finding information about people and data collected on our purchases and activities online, if we invited for identity thieves, i did check your licenses you could be identity thieves, what would they say are the biggest changes they have seen in their own business model, how they go about their work such as it is? >> i would say that i want to look for centralized data storage. i want to be able to leverage and get more return on my investment. i'm going to focus on the easy prey, but today i still have to make sure i maintain those relationships with large-scale infrastructure providers in the underground to help facilitate my criminal activity.
10:55 am
>> like bulletproof hosting and what not? >> i have to navigate the landscape within the underground. i am going to be completely cognizant of the relationships i maintain and i will continue to do research on organizations that take security seriously and those that don't. and i will try to get in and steal that data before i do anything else. i may have very sophisticated means, but i am not going to share them with you if i don't have to because i can save those tools in my toolbox and arsenal for a later date when i need it, when i come up against a security team that is more secure and defense adept. >> abigail? >> i don't know enough about the backend of it, but in terms of the many opportunities that people have to share that information and are encouraged to do so and can provide them a lot of value, it seems that
10:56 am
there is more and more that is out there, there's a lot more you can land upon i would think. i don't know the backend. >> it does point to the whole challenge question method of security -- you can research a lot of that stuff pretty easily. alan? >> well, on the automated side, one of the things that we have seen with data breaches is giant password files. you can actually run all of the passwords that have ever been used for zappos. at the garden-variety retail local level where you see a more insidious crime, there have been two things that have changed. one, fake ids have become a global business, predominantly driven by american university
10:57 am
students, so you can get large amounts of very good quality id's. instead of having to rely on one guy in a basement, there's someone with a plant in china who will make them for you. also, there is anecdotal evidence of successful criminals using some of the defenses that we have set up as an autoimmune attack. if you are a clever criminal who is trying to really exploit a small number of people's identities for large gain, you will start affirmatively asserting that the real mr. or mrs. is the identity thief and that will gum up things in time and give you more time to extract value and get away. >> here are a couple things that are interesting. first, i think that just in the last five years at the federal level there is a lot more federal law enforcement attention paid
10:58 am
to cyber. the secret service has a long-standing dedication to it. all the other agencies that we deal with are now much more cyber aware and are setting up more squads to do cyber. that would make me nervous as an identity thief. what would make me happier is that obviously there has been an explosion and this will continue. there has been an explosion in the amount of data that exists. that is going to continue, perhaps geometrically, perhaps not. certainly there'll be more data online tomorrow than there is today. it is an obvious point. it is going to continue. one thing that is interesting to me and the folks i work with is that it seems as though there is
10:59 am
less of the sort of original hacker mentality among cyber thieves, whereas it used to be that the thrill of the chase was much more of a shared ethos, to get in and show your skills and prove yourself to the community you are in. let's not fool ourselves, these folks are in communities. they know about one another. it is a much more tight-knit community than you might think, at least at higher levels. it used to be that you get in, get out, demonstrate that you could exfiltrate data, but i don't
11:00 am
think it was as organized in the dedication to monetizing breaches as there is now. i think unfortunately cyber criminals have become more professional. i think that is a trend we have been trying to deal with and will continue to, because it has gotten away from the -- i don't know if it ever was an idealistic -- >> but is a good capitalist. >> if i could add a couple of things to this. as we talk about the landscape from the criminal's perspective, the russian government has come out recently and has publicly stated that if you are a russian cyber criminal and you are hacking outside of russia, you should not travel. that is something that has been publicly put out by the russian government. they're saying hey the law enforcement around the world is
11:01 am
working together. i think the same goes for security organizations around the world. companies in the financial sector are realizing we can't fight these adversaries on our own anymore. so that is an important part. as a bad guy i would also say to the group that i really focus and study the regulatory environment globally. i change my operations based on the regulatory requirements of certain countries. i track arrests of bad guys around the world so that i understand how they are arrested so i can understand how law enforcement is doing what they do around the world. i think that is an important part right there. they are students of their craft further honing their skills based upon lessons learned by those who fail. similar to the way we do with the data breach report. want to share those lessons
11:02 am
because you don't know. there will be skepticism around how they may have been arrested but until they read an affidavit that is publicly available or they have talked to another cyber criminal in a conversation, they are not truly going to know. that information travels very quickly amongst the underground. they communicate in a manner that is much more effective and efficient than most teams communicate in the private sector. >> there has been a lot of chatter about real names policies at places like facebook, google plus and certainly when i first got online there's no such thing. your aol account could be whatever. your compuserve user name wasn't even your choice, it was a random string of numbers. now it is much easier to just figure out who exactly you're
11:03 am
talking to. i want to hear from you particularly, abigail. how are average consumers dealing with the fact that they are making it easier for people to figure out who they are irl while still online and still interact with all these interesting sites and services that were not an option back in the day? >> teens certainly say they are using their privacy settings and are aware of them, but there are some that aren't and 10% today use privacy settings on their accounts. the majority said that they had them on all their accounts, but there is certainly room there to increase usage of the settings among teens. they are made aware of those and are doing other things in terms of their various passwords and of writer passwords as i mentioned before. parents, we did a survey of parents and teens, parents have a bit of a disconnect. parents say they know more about what their teens are doing than the
11:04 am
teens say they know. a lot of parents are using parental controls. they had a majority, but there is room for that. parents are only concerned about identity theft but particularly about stranger danger and the personal safety of their kids. a lot of the ways that they are monitoring relate to that in terms of logging onto their children's accounts, looking at the browser history and other things. interestingly, the parents actually underestimated teens' concern about identity theft. they thought their teens were more concerned about reputational damage if someone posts a picture of them they didn't like or said something about them that they didn't like. it is on parents' radar clearly and they recognize their kids
11:05 am
are focused on it, but they may not understand or agree it to the degree the children are aware. the challenge you are highlighting is that they are encouraged to give a lot of information and have to balance what is a and what is part of the experience versus maintaining the privacy of their information. just conversations in the service we have done would suggest that there are some challenges they are having in navigating that. there is always a clear -- a social security number is a clear red line. i think they don't necessarily think about the web of information that could be available, particularly across platforms. if we had done a survey of the identity thieves themselves, and have learned a lot about how they use that word but you guys obviously know more about that. >> so tumblr, for example.
11:06 am
the tumblr community is very active and popular particularly among counterculture and minority groups, is popular and is based on a culture of pseudonymity, a reverse of what people are doing. twitter is seen as a private network, limited and very actively controlled privacy settings. whereas facebook is seen as a popular global everyone you have ever met gets on facebook. the fascinating studies i've seen on teens show that they were -- they really do care about privacy. they care passionately about
11:07 am
privacy, for a teenager, privacy is about hiding information from the parents. so that is the main issue and it is a question of control. similarly, the most dangerous thing that i have seen in terms of security behavior is password sharing is seen as a sign of intimacy. the way that you know that two 10th-graders care about each other is that they share their passwords. that is a very dangerous habit. one hopes that like many of the things we do when we are teenagers it is grown out of. >> in our survey of teens, it says that they have shared their password with someone other than the parent. behaviors that might not be protecting that identity. >> now it is your opportunity to quiz these fine folks. somewhere out there is someone with a microphone. please raise your hand and it will be -- a microphone will make its way to you.
11:08 am
>> hi, susan grant, consumer federation of america. if breaches are the main source of identity theft and fraud these days, should there be a law that says that breached entities have to pay damages to breach victims automatically? perhaps a set amount or actual damages, whichever is greater as a way to incentivize holders of data to secure better? >> there's certainly a whole market emerging around cybersecurity liability insurance. as it continues to mature and grow, not to push liability on one party or
11:09 am
another, organizations are looking at what my liability is or what i'm going to be responsible for based on the set of circumstances i deal with. you will see that market continue to evolve over time. i know the government is doing a lot of work and research on that. >> on the question of this, every year, every security company sells what they were selling last year but now protects you against a different threat. three years ago it was data loss prevention. i think there is an active set of incentives for organizations to minimize data breach. it is the only area where we are seeing cyber insurance actually thriving where companies are understanding what their exposure is. there's a very real consequence. breach notification is not free. counsel get the attention of senior management to invest in mitigation and insurance.
11:10 am
the real challenge is creating an environment where you have insurance, not just pushing the risk onto another party, but actually internalizing that the insurers are in turn working with companies to minimize the overall ability of loss. >> i don't want to advocate one way or the other, but one thing i think we should consider, if we were thinking about a law like that is who it might impact the most, because we see a lot of breaches that are not against a verizon or not against an at&t, companies that have tremendous amounts of resources dedicated to breach prevention, but some of the most effective breaches we have seen now and a growing trend are attacks against point-of-sale terminals for very small businesses.
11:11 am
your local chinese restaurant has a credit card terminal. there's information stored on those and when that is breached it is not as though this chinese restaurant has a tremendous amount of excess cash to be able to try to mitigate those risks. if there was automatic liability, you might be hurting the little guy a lot more than you might miss incentivize him. >> we have seen the midsize organizations go bankrupt because they cannot survive everything they have to do to get through a cybersecurity incident. i think what is important is shifting the focus to empowering organizations. we mentioned earlier that 86% do not detect the breach themselves. what that means is they do not have control.
11:12 am
how they would or would not approach a strategy around dealing with regulation. i think we should focus efforts empowering organizations to be able to detect things on their own to give them the ability to give the control on how they move forward. >> who has the next question? >> could you address the role of whether education and it has had a success recently and identity theft and what more we can be doing as consumer advocates? >> certainly education is always a great tool. i do not think you can have enough of it. as the landscape for cyber criminals becomes easier and
11:13 am
easier to monetize, i think it is important for us to truly understand and train and make aware the threats. not just the behaviors of what we do but that the threat does exist. i think the more awareness, we should continue to do so. is key in helping consumers understand actions in context. to say something -- it is another thing to say your passwords as have all of these things. there is a great tool called guess my password, by microsoft research. they are encouraging people to enter their password letter by letter. it will try to predict what the next password is as you enter it so you can see the computer can
11:14 am
read your brain and tell you what the password is before you have identified it. that type of tool is so powerful, because it is suddenly, oh, this is how i can make a stronger password. immediate feedback. that type of tool is what we need at the point of interface. security becomes something that is part of the flow without being follow these rules. for teens, we talked about who they would want to hear from on this. particularly to make them aware of their own vulnerability. maybe they went to get a college loan and were denied because
11:15 am
their identity has been breached and credit was no longer clean and good. hearing from someone who has had the experience to make it more real is particularly important for teenagers because it is not as readily recognizable to them as something that could affect them. time for one more question. >> time to follow up on the password guesser. i am 55. they tell you, do not write down your password. i have 30 accounts for which i have to the password. my brain cannot remember 30 passwords. i understand what you're saying, but for the average person, that is really difficult.
11:16 am
>> you should write down your password with the assumption that your house is a fairly safe space. if the bad guy is sitting in front of your computer, you have a lot of other problems. if you cannot trust that, that is something else. your e-mail address for which you do the most important thing should have the best password and should be changed regularly as that is a key that can lead to the compromise of everything else. the american idea to have one or two or three passwords depending on what you do. >> one of the best pieces of
11:17 am
security advice came from a guy named bruce schneier. he said write -- put your password in your wallet. you keep that safe. >> there is a lot of different ways you can go with this conversation. at the end of the day it has to be something you can employ reasonably. the adversaries are consistently putting malicious software on your computer that captures every keystroke you have. you could have a really long password and the bad guy could steal it without being in your home. you look at the applications you use and what are the security methods being employed.
11:18 am
do not think it is something that -- you need to constantly move online identity. move the way that you authenticate. we want to move. we want to move in different places. we would not want to appear to be the same thing all the time. you will do that in the online persona. think in terms of that, how do i make it harder for the bad guy to know who i am and how to get access to the things i own. if that is changing your password, that might be a strong strategy for you. with that, i think we have to stop. quiz us off-line afterwards. i want to thank you all and thank you as well.
11:19 am
>> all this week c-span is prime tv. marcia coyle discusses her book on the supreme court under chief justice john roberts. the greatlys book dissent looks at the first amendment and how it was interpreted in an early 20th-century supreme court case. on c-span three, american history and prime time. a lifelong interest in learning and education. followed by a look at his presidency. after that, talking
11:20 am
about washington's defeat at the battle of brandywine. a lesser-known battle fought in the early stages of the american revolution. i think you have to be political in a certain way. you have to be honest and say the same things. still, you have to cater to people will sometimes i think. know what they want and need to be able to influence and vote for you. it is not being dishonest, just finding out what they want and letting them know how you can help them with it. first ladies, influence and image, season two. lady bird johnson to rosalynn carter.
11:21 am
>> things are moving extremely fast. historically what we have done is we have categorized human life into four spaces. what i think we should be doing is have them all in the same thing. wait, learn, work at the same time. today.working so fast we really have to stay up-to-date. >> new year's day on c-span. of twitter and others on the future of higher education, robotics and data as the new industrial evolution on book tv
11:22 am
unflinching courage. kay bailey hutchison on the women who shaped texas. daughters of civil rights leaders in segregationists share their memories of the civil rights era sunday. month the university of akron hosted the seventh state of the parties conference. focused on national party nominations and rule changes for the 2016 eight elections. this is close to two hours. my job really is to keep time . we have four papers to be presented, which means we will give about the team minutes to each. will see a weaving together of the topics. we hope you will have great interest in the things they
11:23 am
present and what have great questions. the group of individuals have not only told us what has been but a little bit of a perspective of what is to come. the first of the presentations is a paper called kingmakers or cheerleaders. seth is at the university of denver. i will shut up and let them talk. >> thank you. we are presenting on behalf of our other colleagues. we are trying to come up with the measurement of the impact of a party endorsement in the primary, traditionally very tricky to measure. we are using a fun case that he to do this. this is the state of california that just
11:24 am
employed a top two system. basically every candidate of every given party can participate starting in the june primary. all voters see the ballot. they cast the vote. the top two go on to a november runoff. this is one of the latest california innovations to end parties and make everything wonderful. the parties noticed what was happening and responded by issuing endorsements. trying to steer the voters in the direction of a candidate. we wanted to see what kind of an influence that might have. of impact departing endorsements have. do they help candidates in the primary? this is a very tricky area. parties and other endorsers
11:25 am
generally pick strong candidates. they picked the type of people likely to do well anyway. if you look at every california candidate for assembly, state senate and congress who ran and compared, it looks like they got 54 percentage points more than those who did not get the endorsement. that is an absurd number. we do not think it is worth 54 points. it might be worth something. the problem is that it is really hard to figure out what it is worth. this is a pretty important question. if endorsements actually convey benefits, then parties can be influential in primaries. they can do some of the picking for us. make him king or queen makers. effect.e important on the other hand, if there is
11:26 am
no real value of endorsements, then parties do not have much power to pick for us. basically they are just cheerleaders. we try to get at this question using two different research within the same study. the first is a survey experiment in which we created three fictitious candidates and presented them to 1000 respondents in the survey. three candidates with bios. we randomized the endorsement between the two democrats. isolate for all other candidate and were looking
11:27 am
to see what impact the endorsement had on the stated intentions. discontinuity model on that. we have a nice piece of data on that. we have the endorsement votes. we can see essentially how strong the candidates were, how much they were supported by party elites within the county. candidates are those who came just short of the party endorsements. we can see how much the endorsement mattered in the ultimate primary vote. the main hypotheses are that the endorsement should provide benefits for candidates. it should be a help. whether the exact reason for that, we are not totally sure about.
11:28 am
the second hypothesis spoke to the democratic party endorsement. we would expect the democratic party would matter more among democratic voters. the third is that might benefit some candidates more than others. in california you could say there are two main types of democratic candidates. the traditional who comes out of education or labor unions and the new or business democrat. we are wondering whether an endorsement might matter for one type of candidate than the other. the first one provides a set up for the survey experiment. i will not get too into the details but say these are the main three fictitious democratic
11:29 am
candidate for the state assembly that we came up with. johnson. is greg an educator, law -- involved in the local school board. the second candidate is the new democrat. sam guthrie. he wants community-based policing. token republican dave robertson. owns and operates small business. standard republican stuff. then we randomize the endorsement in the survey. we contacted 1000 californians around the time of the june 2012 primary. we gave these people the short bios. a third of them saw craig johnson getting the internal complements.
11:30 am
what do the results look like? here you go. middle set a bar graph shows the condition in which no one saw endorsement. guthrie gets around below 20. the other half is to robertson. you see that the dark blue line goes up. the traditional democrat getting the endorsement seems to be worth about seven points. the right,ver to that is where the new endorsement is, only about two or three points. endorsement seem to be of greater help to the traditional
11:31 am
democrat than the newer ones. i will turn you over to eric for the conclusion of the talk. >> stay tuned. one more graph about the experiment. as the party experiment becomes treatmente effective also gets weaker. you will not be as responsive to democratic cues. the second way we look at this question is a -- because that might be was artificial and may not apply in the real world so we took election data and did discontinuity. it is all the rage it turns out.
11:32 am
basically a measure of how much they supported a particular candidate. imagine not as support got higher, the performance in the primary would get better because elites are picking candidates that are good. red dotted line is, that is the endorsement. if there were no effect of endorsement, this is roughly what you would expect to see. as party elite support grows, performance grows. if the endorsement had some effect, you would expect those who just barely got the endorsement, even though there is an underlying quality issue
11:33 am
that barely got the endorsement would actually do better than those who just barely did not get the endorsement. that is the logic. if you only look at those that are right near the cut point, you can make the case that it is like flipping a coin. so do we see an effect? yes, we do. discontinuityct a . it is about 15 points, which is remarkably similar to the size of the effect we saw in the survey experiment. not making any claims, but kind of cool anyway. what is always an issue with discontinuity design is whether
11:34 am
somehow even though you are looking just above or just below, really close endorsement vote, the candidate who is more skilled, who has some quality will be able to manipulate the outcome. an insider track that they will always come out ahead. they will be able to manipulate the results. tried looking at it. to see if they are different on other dimensions. so here is one. we tossed out all of the incumbents. graft,ut in the original there are more incumbents just below -- just above the just below.
11:35 am
but when we tossed those incumbents out, it turns out the effect is still there, maybe even a little bit cleaner. we also went through and coded the candidates according to whether they had business experience or not. roughly comparable to what we had in the experiment. i am sure many in the crowd will look at the values and say neither one of those equals .32. using the values to evaluate signs. the point is, basically the same pattern we saw before. we also did what is called randomization inference test.
11:36 am
very similar. it is a very similar way of calculating this. it tests more directly for the notion of internal validity. not worried about representative sayingbroader sample but did the actual treatment make a difference on the group of people we have in front of us? when you do that you see we have the same result. people going down that table might see what you call a placebo test. something we ought not to do for below the threshold and do not see any difference for those but see a difference for the vote share. that is what you would want to see if you believe the endorsement is having an independent factor. summary, the experiment
11:37 am
shows endorsement matters. matters more for strong democrats than the weak republicans. that is a little more counterintuitive but interesting nonetheless. the versions of regression discontinuity show about the same. 10-15 point effect. fact thatt a 54 point we never believe that was true anyway. is partiesshowing cannot just rule the roost but can have an important impact on the outcome of the races. they are halfway in between. thank you very much. going a little bit further on the role of parties. is going to talk
11:38 am
about the role of rules in the 2012 presidential nominations, which means pretty much republicans, right? in 1968 the democratic party embarked on what is often referred to as one of the greatest party reforms in american history with the creation of the mcgovern fraser commission. it was the beginning of an overhaul of how presidential nominees were selected. prior to this, the party elites were the one choosing a candidate. following the mcgovern fraser commission, the needs was shifted to voters. we see very rapidly primaries and caucuses start to matter where individual voters can candidates in that culminates at the national convention. starting at the democratic
11:39 am
party, they made numerous reforms to the process and tinkered with it almost every election cycle up until the late 1980s. the democratic party had no fewer than eight reform commission starting in 1868. meanwhile, the republican party was very hands off in the process and did not become active in reforming the nomination process. one of the most recent activities is the creation of the temporary delegate selection committee in 2008. the most recent nomination process. the broader agenda look up the rules put in place by the national parties and effects of the rules. look back ate a the party and look at why republicans became involved after being so uninvolved for such a long time and what the
11:40 am
consequences were in the most recent nomination. there are four main reasons the republican party has been less involved in the presidential nomination process than the democratic party. the first, they have been more content at the presidential level particularly in the 1970s and 1980s. in the democratic party it was a faction calling for reform and did not exist to the same extent in the republican party. additionally, the republican federal known for their involvement limitation and did not see the need to become involved as the democratic party did. finally, traditionally it has been more complicated to change the rules on the republican side than the democratic side. on the republican side, changes have to be approved by four different bodies: the national committee rules
11:41 am
committee, the national committee of the national convention and the convention itself. that meant if they wanted to make changes for the 1976 nomination season, they had to implement reforms of the 1972 convention. it was a much longer process and one they did not partake in like the democrats did. regardless, the republican process did change in large part because of changes at the state level. changesresult, many switch to holding presidential primaries. that was the result of changes in state laws. when the states created the laws, they also did so for the republicans at the same time. even though there was not involvement from the national or republican party to the same extent than the national republicanhardy, the
11:42 am
process also changed. it did not resist those changes for several reasons. the first, a move towards primary and active voter involvement was seen as a popular reform. the republican party was not willing to go against the reform that the people had embraced. the first time the republican party was hosting a , becauseve nomination in 1972 president nixon was being renominated the public had accepted these reforms. they had seen it play out on the democratic side. additionally, to top it running.n candidates candidates were willing to accept input from the mass public on which candidate they prefer.
11:43 am
the republican party had also seen the national attention from the media and voters. they were not willing to quietly nominate a candidate while the democratic party can't the spotlight. so the changes happened to the republican process as well not because of the direct involvement. first real major attempt at reform on the republican side with the for the of a task force national convention. they wanted to combat front loading. this is the process of states in orderem up earlier to gain influence on the process. the republican party elites that front loading promoted -- prevented voters from meaningful participation and harness the ability to fund raise over the
11:44 am
compressed calendar. party offered bonus delegates to states that held contest later. that was supposed to be an incentive to hold the later contest and not make it worth more to the candidates. that it was frontloaded. it started three weeks earlier than the 1996 calendar began. they were more successful at holding states back saying you cannot hold the contest in february. large the reforms were seen as a failure. so that brings us to the republican party second major attempt at reform with the creation of the temporary delegate selection committee
11:45 am
that was formed in 2008 in order to make reforms for 2012. is creation of the committee significant not only because it is one of the rare interest is -- changes because it allowed the effects to go into effect for the and convention. the changes would go into effect. so the republicans once again tried to reduce front loading and allow more states and voters a say in selecting the nomination. on the democratic side obama and clinton battled it out for months. we saw media attention at an all-time high in the race. the republican party goal in
11:46 am
part was to create a more exciting nomination that would pull voters into the process. they tried to achieve these goals through two main ways. the first, by regulating the calendar. the republicans said the four vote carveout states can on or after february 1 and before the first tuesday in march, where as all others have to vote after the first tuesday in march. they also said that states voting before april 1 had to use proportionality to allocate -- had to delegate. this was supposed to be seen as making the states more influential. so rather than relying solely on incentives as it did in 2000, the republican party said we will enforce a penalty if the
11:47 am
states do not abide by the rules. so it said we will take 50% of the delegates away if you break the rules. despite the penalty, the republicans were not able to prevent states from blatantly ignoring the rules and gladly accepting the penalty and scheduling early contests. as we likely should have expected given florida's actions in 2008. in 2012 we see movement by florida, arizona, and michigan moving the contest earlier. then creating a ripple effect where iowa, new hampshire, nevada, and south carolina move their contest early to preserve their early status. so as a result, the 2012 calendar looked completely different from the republican party intending it to look. we see a spokeswoman give this after the movement
11:48 am
happened. the primaries will start earlier than planned. the overarching goal was to allow more state and voters to have a role in choosing the next nominee for president. this goal will be met. the graphs depict the location of the state on the calendar with the left most point indicating the iowa caucuses. while the republicans intended for the race to start later in 2012, the iowa caucuses in both years were held january 3. we actually see here that the 2008 calendar appears more frontloaded with more candidate -- more states holding contests on super tuesday or we see the very high bar. super tuesday appears closer to the iowa caucuses in 2008 than it did in 2012. the republican reforms were successful in lengthening the
11:49 am
process because mccain secured the nomination on march 4, 2008 and mitt romney became the de facto nominee in 2012 on it rolled you 11.11. -- march 4, 2008. in other words, the 2012 nomination was competitive for 38 days more than the 2008 nomination. so it did lengthen the process. when we look closer at the goals of the number of states and voters allowed to participate in the process, we see a different story. days thein those 61 race was competitive, ready seven states have the opportunity to hold the contest, compared to the 30 states that held the contest in the 99 days that the race was competitive in 2012. see fewer voters
11:50 am
participated in the republican 2012 race with 16.15 participating, compared to a little over 17.5% participating in 2008. additionally, the participation rate in both years were substantially lower within the participation rates in the democratic 2008 contest. so we see the temporary delegate selection committee are a significant departure because the republican party is becoming involved in the process, something it has not done very frequently over the past 40 years of reform. it has been fairly unsuccessful in achieving goals and assuring the states abide by rules and regulations. unlike the democratic party that has been fairly successful in ensuring the states abide by the rules, particularly when we look at the very like overhaul of the process in the 1970s. rnc has said it intends
11:51 am
to take a harder stance in 2016 and the chairman is quoted as saying he will -- impose a death penalty on states that moved early by only allocating the state to nine delegates to the national convention. fewently you state -- states would have primaries earlier than allowed by the republicans so it is yet to be seen that will happen but the republican party will be performing the rules and try to maintain rules of the process in the upcoming election. i think the research highlights two tensions. the first is we typically see frontloading as a negative, something that has negative consequences. we see here in 2008 the frontloading process allowed more voters to participate than
11:52 am
when the calendar was not as frontloaded on the republican side. party isthe republican in a difficult place. if it wants to mandate -- achieve the calendar and rules, it has to mandate the rules. >> you are good. >> absolutely. is from depaul university. his paper starts with a statement, the party decides among candidates. >> thank you. thank you to the bush institute for hosting the conference. outstanding opportunity for all of us. this title built off of earlier which thehers in argument was the parties decide
11:53 am
and basically conclude on who the nominee will be even before the caucuses and primaries begin. presidential nominations are really about welding a coalition among the winning parties. the various people who participate in the changes over time. in part, the transformation of the 1960s into the 1970s through a series of reform movements really opens up and changes the nomination who participates. in the 1970s we see the coalition formation really occurring in the caucuses and primaries. arguing the campaign momentum is driving who becomes the nominee. in the 1980s we get counter reforms, adaptation by candidates on the greater signaling efforts, greater organizations during the
11:54 am
invisible primary that leads to coalition coalescence or unifying behind a candidate. so we are really left with two patterns. some nominations we do see the nomination essentially being primaryup before the and caucuses begin. an example would be of the coalition on both sides. everyone knew george w. bush would be the republican nominee. maybe not john mccain and his band of supporters that year but pretty much wrapped up. al gore was a pretty convincing nominee. when we look at other 2008-2012, does not look at all the nominations were wrapped up. if we look at this on the democratic side, hillary clinton
11:55 am
sense the establishment candidate. she had more endorsements than any other candidate, and yet she lost. more money and more media coverage. normally the things we think about winning. likelooks more like 2012 the campaign of the 1970s. the campaign momentum becomes important. they gain more media coverage. wind up getting more fundraising. able to build support in national polls. there is a couple of theoretical arguments. one is bandwagoning, jumping on the more popular candidate or citizen learning as more and more caucus primary voters learn about the candidates across sequential primaries.
11:56 am
the idea of the invisible primary explanation is that it is a long national discussion in evaluateider activists candidates and engage in signaling candidates that generate more endorsements and tend to be the ones that raise more money and gain a more media in national support polls and importantly, that endorsements lead other indicators as a presidential nomination campaign. really leaves us to having two perspectives. coalesce before the primaries and caucuses, we should see very few are getting votes in the primaries themselves and will see very low levels of competition. alternatively, if they fail to coalesce, then we should see more primary
11:57 am
candidates. it will reflect higher levels of competition. what i have done in this piece and others, i use concentration scores. i used two different measures. one basically calculates the number of serious candidates. are doing this as a number of big share in the market. the second normalized number accounts for the number of candidates in the race. that number is used by the justice department to determine whether the justice should go forward or whether the government should engage in anti-trust activity. of thently, low levels competition indicator reflect more competition. it will come to that. so this is the measure if we look at the primary votes across all of the primaries from 1972-
11:58 am
2012 what we have going back to 1972, unfortunately the color scheme is reversed. i have red diamonds for democrats and blue squares for republicans. the red diamonds, the democrats in this case, we had an average of five candidates per primary across all of the primaries in 1972. it continues to decline over time. conversely, republicans started out with less competition in the 1970s in part because of incumbents and have become more and more competitive more recently. in terms of a competition indicator, the normalized measure, what we are looking at are in the same races.
11:59 am
incumbents tend to have the scores near one. the score in the competition indicator basically reflects a monopoly. see is some incumbents have been challenged. i would point out you have 1976, the single most competitive was actuallyce that between jerry ford and ronald reagan. jimmy carter was fairly in 1980 with ted kennedy. the horizontal line is really an indicator used by the justice department. below that is a competitive market. above that, it is not competitive. most presidential nominations are not particularly competitive. those below the line occurring more frequently in the 1970s and 1980s are. kind of the patterns we see here. the first line is when
12:00 pm
presidents get renominated, generally not competitive races. the two that with all that were competitive for 1976, 1980. he had not been nominated by his own party, he was appointed. both to the vice presidency and the presidency. you had the watergate scandal plus a wide-open nominating process with the new rules that were implemented. carter is associated with the minority wing of the party the democratic party in the 1980s, 1970s was very divided. the conditions basically enable kennedy to have a more effective nomination challenge. aside from that, what we typically see are nominations that are much closer to a monopoly. there is no competition when the incumbent president runs. in open nominations, they're close to being what we call competitive.