
Cybersecurity Summit - CSPAN - October 5, 2014, 2:00am-3:40am EDT

2:00 am
city tour takes book tv and american history on the road, traveling to cities to learn about their history and literary life. this week we partnered with comcast. about a large animal that in ancient times and american history we would have called a beast, the mountain lion, in what is really a garden in colorado. this is a seemingly natural place, but in many ways it has been altered by humankind. when you get this wild animal coming into this artificial landscape, you can actually cause changes in the behavior of that animal. a mountain lion's favorite food is venison. they eat about one deer per week. on this beautiful lush city, with beautiful
2:01 am
irrigated lawns, and we had a deer herd living in downtown boulder. when the lions moved in, they were in the open space, then they discovered there were deer in town. then the lions discovered they could eat dogs and cats. that is food for them. so the lions were learning, and they have learned, that this is where they will find food. yes, there is food up there, too, but there is lots to eat in town. >> this is a retreat, beautiful, and a place for enrichment, enlightenment, and coming together. the people who were intended to be the audience were really what we would call the middle class. the programs were very similar. a combination of speakers of the day, also a variety of both what we might consider highbrow and lowbrow entertainment -- opera,
2:02 am
classical music, and probably what would be considered fulfill of that day. >> watch all of our events from boulder on "book tv," and also "american history tv" on c-span 3. >> next, what the u.s. is doing to prevent more cyberattacks. then, homeland security's jeh johnson talking about border security and counterterrorism. after that, a preview of the midterm elections with pollster charlie cook. on wednesday, "washington post" live hosted representatives and independent consultants for a summit on cyber security. over the next three hours, we will hear about the increasing concerns over cyber security and what is being done to prevent attacks.
2:03 am
>> good morning, everyone. thanks to those watching online and here in downtown washington. this is the fourth year that the post has had a cybersecurity conference where we bring together government, defense, state department, homeland security, and the business leaders all together to talk about cyber theft and cyber espionage. and the challenge over these years has only intensified. the u.s. government and companies are now investing billions, many, many billions to try to secure what is valuable and what, by virtue of being connected to the internet, is vulnerable. there are a lot of bad actors. they are great hackers. what they are stealing is everything from the next
2:04 am
generation's fighter planes to a stash of credit card numbers. that is forcing uneasy alliances between government and the public sector. that is one of the things we will talk about. how to secure what a company, what the government, what each of you here put online is becoming more and more relevant, because more and more of our lives are online. our devices are connected, our cars, our medical devices. we have a remarkable group of people from capitol hill, from boardrooms, from research labs to talk about how to make our lives online more secure. so i encourage you to tweet questions and comments to #washpostcyber. if you are in the room, you can
2:05 am
send a question up to allison at the question desk. what better way to start the morning than to talk to the director of darpa? the defense advanced research projects agency has a long line of breakthroughs, from computer networking to stealth technology to gps. with a $3 billion budget its mission is to prevent technological surprise to the u.s. and to create technological surprise for our enemies. we welcome darpa's director. [applause] she's now running darpa, but she has been back and forth from the government sector to silicon valley. she has had many huge jobs in both sectors. president clinton appointed her
2:06 am
the director of the national institute of standards and technology. she was running part of darpa as a manager and office director. she held huge jobs in the private sector. so, perhaps the woman with the coolest job in the city is going to explain what darpa's role is. >> thank you very much, first of all, mary, for the chance to be here. i think it is great to shine a light on this topic. what you said about darpa a minute ago is correct. we were created in the wake of sputnik. we did not want to experience those kinds of surprises anymore. we like creating them instead. that's what darpa is about. the internet is one of our babies we are very proud of, but it is a fractious teenager now. our mission today is still about breakthrough technology for national security.
2:07 am
in cybersecurity, during the day, i think you will hear from people who are fighting these battles about how we keep ourselves secure. i'm grateful for the work that is going on today. our role is different. what we are asking is, what are the technology concepts that can fundamentally change the ground rules and give us a way to get out ahead of this explosion of talent? >> give us some good news. you fund people in teams. what are they working on that will tame the unruly teenager? >> i will give you three examples. one of the things we are working on is how to completely reduce the attack surface so it is harder for hackers to find ways in. including embedded systems.
2:08 am
>> ways -- >> ways in. how many ways in. a second example is we are looking at a really interesting new challenge -- the cyber grand challenge -- to find out how we could have automated systems to fight defense. i do not think we will be able to keyboard ourselves on the head of the problem, and throwing more people at it is not going to work. >> so the cyber grand challenge is interesting. how much money do you get if you win? >> the first prize for june 2016 is $2 million. >> what do i have to do? >> 90 teams have signed up. what we are in the process of doing is building basically cyber warfare in a box.
2:09 am
a new operating system. it is going to be like capture the flag at defcon, except we are creating a league of their own for machines to fight it out. >> i would have to create a robot. >> right. a set of programs. >> the whole goal is what? instead of human error about detecting viruses, it will be automated? >> yeah. humans, the key point is we need to get to a point where we can do detection in machines. the attacks are happening in microseconds. so today really all we can do is patch and pray and keep throwing humans at the problem. we are looking for a fundamentally different way to get faster than the pace of the growth of the threat.
2:10 am
>> this challenge. who are the people who sign up? >> we have been excited with the people who have signed up. we have got this enormous range of talents. we got some very eye-popping names. >> tell us some eye-poppers. >> i do not know if that list is public. >> all the more reason. tell us. >> my big opportunity. i will tell you where the website is. whatever is out is what's public. >> big silicon brains. are they kids? >> when you look across the 90, you'll find people that are all of the above. you'll find some superstars that are big academic names, people from companies, people in the hacker community. >> in addition to this, again, i think people are looking to darpa. you have come up with some huge things like gps.
2:11 am
this is the unit that did some of your other all-star things, the touch screen. >> if you look at your smart phone, it is chock-full of technologies we helped start. some of the materials in your touch phone, the chip that sends the radio wave to the cell tower. siri started as a project. that was groundwork that we did, and private investment came behind it. >> can you talk to siri and tell it to secure the networks? >> if you could tell it that, you should not sleep easy. >> we are going to go to some audience questions to see what they have on their minds. in general, again, i think when you see how we are going to secure a network, by the end of this year, the u.n. says 3 billion people will be online. because of the internet of
2:12 am
things, machines talking to machines, there are 10 billion objects. this is just getting harder and harder to feel we have privacy but also that we are not going to be robbed, whether it is trade secrets or credit cards. so what is the big answer? what is the big thing you're looking for? >> unfortunately, there is not going to be a silver bullet. again, there are pieces of this that we think can become tractable. the internet of things. dod. every one of our military systems has a computer or many computers. we are living the internet of things with these embedded systems. one of our programs is finding ways to build software that is unhackable for specified security properties. what that means is that there's a mathematical proof that this
2:13 am
particular function cannot be hacked from a pathway that was not intended. so that is not going to solve the entire problem, but especially for embedded systems that might have a more manageable, a more modest number of lines of code, that is tractable through this method. that is an example of reducing that attack surface, making it harder for people to come in. >> how do you keep the bad guys from getting unhackable software? >> let's start by making sure we are secure. >> isn't a lot of the defense department's mission to be offensive? we are getting inundated by russia and china, but we are also out there offensively. >> i would hope you will get into policy questions around offensive cyber. i'll take a slightly different direction. one of the other problems i think we are seeing is just the
2:14 am
vastness of the information space of the internet environment. we love it. we use it. it is also a place where bad actors hide what they are doing. another one of our programs is designed to find those kinds of hidden networks. >> how do you do that? >> start by creating a different way to look at this information environment. a simple example -- a project we have been doing working with law enforcement. our thesis was we might be able to find a way to find hidden networks that would reveal a pattern that relates to human trafficking. we started working with law enforcement. we learned that their use of that information space, how they explore that information space, is exactly the way you or i would do a search with google. it is a single-threaded walk.
2:15 am
by the way, it feels like search engines are indexing everything, but in fact they are only indexing a very small fraction of the total public information out there. they're indexing what is optimized for advertising revenue. but they are not going to get all the material that might be of interest to law enforcement. our tools build deep cores through the web to look for these hidden patterns. the first project we did, we were able to find a set of phone numbers that were very heavily linked to each other in backpage ads, where a lot of the sex trade is advertised. we provided those numbers to law enforcement. we gave them 600 numbers. we do not know anything about these numbers but they are linked to each other. law enforcement found in that list 466 numbers that tied to criminal violations. they also found numbers that
2:16 am
tied to fund transfers in the region around north korea. they are working on finding human trafficking networks. again, we did not give them a smoking gun, but we gave them a powerful way to start grappling with this -- the sheer scale of the information. >> when you look at the cyber universe, what percentage of it is hidden black-market criminal activity? >> i don't think we even know. there is a huge amount of the internet that is not indexed. it's not readily available through the way we think about accessing it with search. now, a lot of that is completely benign. all the legal and fruitful ways we use the internet. that is one of the great mysteries. information is so vast that we do not even know. >> do you have a guess, 10%? >> i don't know. i have seen reports that a very significant fraction of network
2:17 am
traffic now is botnets. those could be benign botnets, just automated programs that go out and do something on the network. >> malware. >> or they could be malignant. we know a lot of it is machine generated right now, which tells you something about scale. >> we will go to allison for audience questions. can you hear me? >> you talked a little bit about patching and praying. can you talk about the progress being made on clean slate technology, the idea of rebuilding the internet with security in mind? >> i think patching and praying does work. it is the best thing we have got. we must keep doing it. we think we have got to get beyond it. it is a losing game. one of the questions we asked was if we did have a clean
2:18 am
slate, how would you rebuild systems to make them more secure? one of the ideas was inspired by biology, where one of the reasons the human race has survived plagues and ebola and other infectious disease is partly because under the skin there is a lot of diversity among individuals. so one attack cannot wipe out the entire human race. similarly, we are now finding ways of building complex network information systems where under the hood each one is different. it changes the economics for the attacker. instead of one attack that can wipe out everything, it's not that exciting for the attacker. the hard part is how do you not make that a systems
2:19 am
administration nightmare. how to have things diverse under the hood but be able to be maintained seamlessly is where the challenge lies. that is an example of bringing the methodologies back to the workspace. >> go ahead. >> one more? darpa being created in the wake of sputnik. >> i think one of the hardest challenges about cyber is we're trying to wrangle this problem while the information explosion is continuing. you talk about 3 billion people on the internet. 7 billion on the planet. we still have more to go. as we move to the internet of things, there will be more and more elements connected into our information universe. the moon shot for cybersecurity is to find techniques that scale faster than this explosion of information. again, i do not think it is
2:20 am
going to be a silver bullet, but a combination of these fundamental advances has the potential to get us to a place where -- not where we never have a problem, but where it is manageable. >> when do you think that will happen? when will this unease end, that we are under attack every single day? when will people feel more security? >> i think it will happen in pieces. it is already happening. our most critical systems get the most focused attention, whether within dod or more throughout our economy. gradually, i think we will achieve this greater state of cybersecurity. i do not want to be glib. i think this is technically challenging and it is challenging from a practical and policy perspective. so that is the work that is ahead of us. >> there has been a lot of talk lately that it is time, the internet is of age.
2:21 am
it's a teenager. there needs to be some kind of global body of regulation standards that would issue an early warning system. what do you think? is it time to create some kind of body that has some kind of standards? now we know there are certain countries that are really off the grid. >> that's true. i do not know the answer to that. i think people know a lot more about the policy aspects. the one thing i would just think about when you go down that path is to recognize how dynamic and fluid the situation is. because the power of information technology and the reason we put up with all these problems is that it is phenomenally capable for all the things that change how we live and work and how we create national security. you do not want to cut any of that capability off in the process of building this underpinning for cybersecurity.
2:22 am
>> so the defense department in general, and your outfit, has a lot of priorities, a lot of big issues. right now the hot one you are working on is staying in front of infectious disease. tell us, how does securing the internet and cybersecurity rank in priority? >> it is one of many efforts at darpa. i think of it as a foundational piece. a couple of other major things we're doing. one is about finding ways to wrangle biology and turn it into useful technology. one example is work we are doing to outpace the spread of infectious disease, a problem that has a lot of resemblance with cybersecurity threats. those in biology, those are problems we cannot wrangle without using the power of the data and new information tools. if we do not have that security and that trust in systems, we
2:23 am
will not be able to solve this other really different class -- >> we heard from the head of the cia and the head of the fbi that there is nothing that -- with jamming capability and hacking capability, you can take down critical infrastructure. you can do an enormous amount of physical damage and the theft of intellectual property. i guess i'm trying to figure out if we are hearing from one part of the government that it is such a big threat. so, now, like the big brains in here who are working on it, how hard are they working on it? >> pretty darn hard. don't worry. let's be clear. national security is a, there's not a single problem that if we solve it, the country can sleep easy. yes, it is an incredibly critical problem, but it is not the only problem. i think it is important to keep that in mind.
2:24 am
i think it's foundational and we are going to have to deal with it because of all of the other national security challenges, if we are going to build a new generation of complex military systems that can overpower a future peer adversary. that is critically important. it also relies on cybersecurity capabilities. i think they're linked. i think you have to be clear that in any of these issues that we deal with, cybersecurity is a piece. >> and breakthrough. when we do hear this is a breakthrough on cybersecurity, presumably it will be out of your unit. what is the core of what we will see? it will not rely on the security of individual people. it will be automated? >> to give you an example, we are working on ways of building unhackable embedded systems. i hope you'll see that rolling out into automobiles and the
2:25 am
commercial sector and uavs in the national security context within dod. those will be new techniques and practices that get adopted by people building the systems. you might see, i hope after our cyber grand challenge, that you start seeing automated cyber defense systems that become commercial products that people who are worrying about their own security can purchase and start using. >> one thing, the same type of grand challenge led to driverless cars. >> the urban challenge was significant about a decade ago. could a vehicle navigate without a human being through a particular environment? if you want to find the number one, two and three teams, you should visit google. a bunch of those folks are there. a great example of using the challenge and letting the
2:26 am
technology go out into the world. a lot more work has to happen after we show it is possible. it is great to see that happening. >> thank you very much. thanks. thank you. [applause] and now i want to welcome my colleague who actually has won two pulitzer prizes and is one of the most well-known and respected journalists on national security in the united states. she is going to interview the chair of the house intelligence committee, mike rogers. they are going to talk. then she has an all-star panel from justice, state, and defense. thanks, dana. >> good to see you. >> thank you, mary. thank you for coming. >> good to see you. >> i know this is on cybersecurity, but i wanted to start briefly on white house security.
2:27 am
>> look at the time. [laughter] >> i assume you get briefed on these intrusions. have there been some more intrusions we have not read about? >> obviously, this is of concern. there's two problems. one, as many know, the static security footprint is always the most difficult, to keep and maintain a state of readiness. there has to be some review of how they continue to test and audit that system in real time to make sure it is functioning properly. clearly, i think the level of readiness decreased when the president was off the ground, which should not happen but did. it will have to be a couple of things. one, are the systems working, are they appropriate? number two, then you have to start asking the hard questions about the culture. is there a management problem at
2:28 am
the secret service that allows for that kind of behavior to happen? that is a more subjective list of questions that congress will have to ask. >> we will rely on reporters to get into the details. >> i look bad in those orange jumpsuits, it makes me look very boxy. >> cyber security. isis has shown that it has a cyber communications capability that is much more sophisticated than al qaeda started out with. have you seen them attack government systems? >> we have not. we have seen other organizations that have reached out and tried to find individuals that have the
2:29 am
right capabilities to put together a cyber attack capability. we watched that happen. we have never seen them put it together to where they could penetrate or do cyber disruption activities. we know they have the aspiration to do it. they have advertised it and they are recruiting networks. i do not believe that they will pose a threat in the cyber realm like we see in criminal enterprises. >> what is al qaeda's capability? >> they are trying to put their capabilities together. they spend time on the public relations portion of the operation and they use social media in an incredibly effective way, a way you have not seen in the past. the islamic state has upped their game and used that tool as a way, not only to subjugate
2:30 am
people to their violent political ends, but to use it as a recruiting tool. that part is dangerous. i do not see them engaging in a cyber attack mode, if you will. >> do you think the united states is trying to counter that in a way that is more effective than they did with the al qaeda cyber communications? >> i do not. on the social media side, the u.s. government using its abilities has not really pushed back in a way that i think we have the capability to do and should do. >> why is that? >> we wrestle with the policies of what is appropriate and what is not. we should have that debate. we should make sure it is appropriate when you step out on
2:31 am
taking offensive actions. i don't want you to walk away thinking the intelligence community is not doing anything. we are not using all of u.s. capability when it comes to our cyber capabilities to disrupt their ability to have these recruiting tools that are very effective. >> does that mean decisions for threshold offensive attacks are still being debated within the administration and the community? they have not gotten those signs clear? >> i assume you're talking about offensive capabilities. no, we do not. we do not have the policies down. we debated a lot. i cannot tell you how much time we spent trying to figure out the way forward. part of the challenge is the government has 15% of the networks.
2:32 am
the private sector holds about 85% of the networks. the nsa is not monitoring those networks, it is not on those networks. the only way they see anything coming in is from the outside. most of the offensive talk is from the private sector saying i have had enough and i am going to do something about it. what we have done today by doing nothing in congress is telling these 85% of the private networks you are on your own. you have nation-states who are targeting you, who are ravaging your networks, but you are on your own, good luck. >> you can trump the reluctance of a private -- >> you would be surprised how far away we are from understandable policy on what offensive operations look like and should be. >> i do not understand that. >> think about the public debate we had after the nsa contractor leak. most of it is wildly inaccurate.
2:33 am
the narrative is the nsa is reading all of your e-mail and listening to your phone calls. politicians use that on the campaign trail. that is an easy thing to believe if you are not exposed to understanding what the rule of law is and what parameters we set on our intelligence agencies. attribution is a problem. you do not want to reach overseas and flick someone on the forehead if we are not sure they were the perpetrator of the particular event. private sector, some are better than others. there is a mix out there. some could do it, some could not. you could create a storm
2:34 am
which the rest of the network is not prepared to handle. >> have you sensed an uptick in counterattacks against the united states, either because foreign entities or governments perceive the nsa is actually acting more offensively or in some cases is? >> we have seen trends that are dangerous. we need to get this right, very soon. one was the public reports that iran has been probing our financial institutions. we know they have the capability that allows them to have a disruptive attack, so they destroy data when they get there. they made 30,000 computers paperweights.
2:35 am
all of that information, non-extractable. they almost put a company out of business. they have been probing u.s. financial institutions. that is a problem. a nation-state has made the determination they are using cyber as their political tool to influence or damage the united states. >> can you quantify that? a dozen probes, hundreds, thousands? >> it is in the area of hundreds. we have seen a fall-off, because we assume they are waiting to see what happens with the negotiations. the fact they believe they could do that without any problem or consequence is another serious issue for us. the latest round, according to public reports, is that the russians were also flying around or attempting to get into some
2:36 am
of our financial institutions, and the question is -- why? the way they were doing it might raise some questions. was it designed to be disruptive or destructive in our economic fabric? it was believed they made that decision based on the fact that they were having the sanctions imposed and they believed if you are imposing sanctions on us, we can use this capable tool to cause you harm in your economy. this is a new, dangerous form of warfare that the united states, as a whole, is not prepared to handle. the russians can flick a switch and the internet can go down. we do not do that. that exposes these 85 percent of
2:37 am
these private sector networks and puts them at the whim of nation-state capability in cyber, and that trend is concerning. >> can you talk about the evidence for the link to the sanctions? is it a guess or something better than -- >> as someone who reviews this, i believe the timing of it, you pair that with public reports, i clearly believe the russians had an intent to cause some harm, some disruption as a result of those sanctions. that is why i think this is so dangerous and important to get right. >> it was the russian state, not russian independent hackers?
2:38 am
>> that is getting harder to determine. the svr and fsb have interesting relationships in their hacking community and in the international organized crime community. sometimes it is hard to tell the difference. >> what did they manage to do to disrupt? >> i am not at liberty to discuss who or what their efforts were other than to say, according to public reports, it raised questions on what -- was that there to monitor transactions. you can let your imagination roll here a little bit. any conclusion as to the bad. >> i am letting my imagination roll.
2:39 am
monitoring financial transactions between russian -- between who? >> i cannot get too close to that. it was enough of an alarm for me to ramp up our efforts to say we have got to put our defenses in place. do you go and flick them in the forehead? the attack will not necessarily come back to the u.s. government. our services are good about getting the threat matrix and applying that to the protection of our networks. that is only 15% of the networks. 85% does not benefit from that information. that would expose them to this attack. they are not likely to come back. they are likely to try to come back in the private sector networks to cause harm or take control. >> how many times have you flicked someone in the forehead? >> again, part of the problem is the notion of what is an offensive
2:40 am
response. i used to say if you're going to punch your neighbor in the nose, it is best to hit the weight room for a couple of months first. if the federal government wants to take offensive action or disruptive action, even in response, it is not the government that we are worried about. we can hunker down and put the helmets on. it is the 85% of the public networks that are exposed and they will not be ready for what comes next. if you have a cio that says i am ready and i can beat anything that comes, it is time to find a new cio. our noses are just above water. the best of the best are trying to keep up. let's talk about industry.
2:41 am
>> your bill -- >> i had a conversation with senator feinstein. we have a small window to get this done. it is not impossible, but the political challenges make the hurdles high. only in the senate can you tie a fisa issue with a cyber bill and mush it together. we are trying to unwind the political tantrums, if you will. my fear in this, and senator feinstein shares this, is if we do not get it done in this lame duck session, we
2:42 am
will have some differences, but we think we can work them out in a conference committee, but it starts over. the clock starts over. i will be leaving as chairman, you're going to have -- it will take time to ramp it up. we have asked house members to vote on this issue because the political narrative is wrong on what is going on out there. there is a lack of understanding of what the threat is. it could be years before this gets done. that is why we have heightened the awareness about how important this is to get done in this brief window we have left, if we are going to have any success in trying to push back what is a growing threat. you have criminal organizations
2:43 am
that have nation-state capabilities that we did not see even a year ago. this is only going to get worse. nude photos could be the best thing that ever happened to get stolen off the cloud. think about the sheer threat level of economic damage, your lights go out and they do not come back on. we have some significant challenges here that we are not prepared to handle. >> we will leave it on "we are getting worse." thank you for your time. >> thank you. >> we are going to enlarge our stage here. first, we have christopher painter and john carlin. this is eric rosenbach.
2:44 am
we have all branches of national security represented here. >> i just got confirmed by the senate last week as the assistant secretary of defense for global security. that is a wide path of stuff in global security. cyber is one of those things, but i am the principal cyber advisor to the secretary, something the senate put into law last year to coordinate the things that go on cyber-wise. >> i want to start with you because --
2:45 am
>> first victim, right? >> when you think about military and homeland security, you think about bright red lines about when the military can participate or not. cyber does not have bright red lines. where are your limits? >> we think about that a lot. there are no bright lines. we do not do domestic cyber operations unless with the national guard. there is more leeway there. when it is domestic, it is always the department of homeland security, or fbi in the lead. and then, either cybercom or nsa will provide support. there are some ideas that it should be nsa or cybercom as opposed to dhs. there is a good relationship. we know what the roles and responsibilities are and everyone understands what their place is in the game.
2:46 am
it is a team sport. we work in our different positions. >> what can the national guard do? you said they are the exception. >> we spent the last several months thinking about the role of the national guard. we made the decision to build out the structure of cybercom. we had cyber warriors, the special operations command for cyber. we recognize we need to learn how to use the national guard. i went to washington state and i met guard members who worked for microsoft, but work for the guard on the weekends and in the summer. they bring a lot to the table. they have a unique authority set. they can support the governor
2:47 am
first and foremost. we want them to be part of the cyber force, but have the unique role that the guard does in helping with other civil homeland defense issues. >> is that a new policy? >> in this analysis, we outline what the role of the guard is and will be building structure behind that, giving them training they will be required to be up to the standards of the cyber mission force. it is good and positive. >> how do you use this as a backup investigative force? they are much bigger than you are. >> i was hoping to get the question of what is my title. >> john has much broader responsibilities. >> in terms of the united states, the lead in terms of investigation and prosecution
2:48 am
would be the fbi and department of justice. fbi has set up a center and we have mastered acronyms. national cyber investigative joint task force. "the task force." it has capability from every agency, secret service, law enforcement, nsa, to make sure that when you do the investigation, that you have all of the information in one place so you can figure out who is that actor, where is a coming from, what can we do to stop it. >> do you end up using military
2:49 am
assets to help you in the investigation quite a bit? >> in some ways, i have to defer on that. in my experience, in the usual criminal case, as we focus on nationstate actors and looking to see terrorist groups, i think the fbi has significant capabilities that the prior director said were leading and director cohen has said he sees as the top priority. we are focused on what we would do if an attack was successful to try to build resiliency. how do we figure out who did it to stop them from doing it again.
2:50 am
>> anytime you talk about cyber, it is invisible to the public. that is one of your challenges. can you make it more visible and quantify -- are you seeing more -- quantify the increase we hear there is in cyber attacks in the u.s., both against private sector and government. >> one framework which fits with common sense and experience of the world is -- many parts of this are good. as a nation, we have put almost everything we value into cyberspace. our personal information, financial information, the way that we operate our critical infrastructure -- it is digitally stored and most is connected to the internet. the flip side is all of the same bad guys and same activity we have seen for years in the brick-and-mortar world is going after where the money is, where the secrets are, and where they can cause damage.
2:51 am
we are seeing the number of criminal groups trying to target it increase. nationstates are developing it as part of their strategies. there was a recent estimate from a panel that estimated the economic loss to be in the range of $300 million of lost intellectual property, which equals our foreign exports to asia. another figure that chairman rogers put out, looking at one attack, someone wanted to do something destructive with a virus, not particularly sophisticated, was able to wipe 30,000 computers out. there was a good criminal takedown. an infection infected hundreds of thousands of people's computers. the criminals were using it for
2:52 am
profit. they would lock you out of your files, you want to get them back and you pay them to get them back. it does not take imagination to say if they put out a videotape, saying what the intent is, to cause harm, if they get access to that tool, they are going to use it to destroy as much information as they can. >> you are inside. you see these. >> yes, we are seeing an increase. >> by how much? how do you quantify it? >> you see an increase in the number of reported incidents.
2:53 am
>> this is an invisible threat to most people. i am a little confused about why the government does not make it more clear. what has been the increase? >> there are many ways to measure the increase. it is a white-collar crime issue. i used to prosecute those cases. until you investigate and work with, until you dig, it is invisible. we are seeing the increase in reporting from all of our private sector colleagues. the intelligence community can say we are seeing an increase in
2:54 am
the intrusions that we see. again, going back to the common sense, that is where the information is. we see large amounts of information being taken. we put additional resources into shining the flashlight. >> one of the problems, and i have been doing this a long time, it is hard to quantify because it is hidden, often. the reporting is not perfect. we do not know a lot of the intrusions that are never reported. not just in the united states, but around the world. sometimes people are more willing to tell response teams, private companies gathering the
2:55 am
data, than they are willing to report to law enforcement. that is driven by a misunderstanding of what law enforcement can do for them. we are getting a better picture, but the danger of trying to quantify is difficult. we are seeing more serious attacks. because people rely on the technology more, we see more dependence and when these attacks happen, it has more consequence. when we talk about intellectual property, one of the challenges is, when your physical asset is taken, it is not there anymore. you do not understand when your trade secrets are taken, you do not understand the long-term consequences. quantifying that is a challenge. >> do you think there is a snowden hangover in terms of getting private tech companies to cooperate with the government?
2:56 am
you see apple and google encryption as a way of saying we are impenetrable. is that having an effect in being able to ask people to help out and tell us what is happening in your company? >> the private sector is getting better. the government is getting better at sharing information. we need to do more, faster. >> there is not a reluctance because of the nsa revelations? >> at the same time that was occurring, you had the target intrusion, home depot, and i see an awareness of the threat at the highest levels of the company, in a way that we have not seen before. that is a good thing and that leads them to think about what do i do if i have been intruded upon?
2:57 am
what do my shareholders and customers expect of me. you have a response plan to go to law enforcement. you see the president chairing the security council. there is a need to do that where it is taking place, which is social media. the third phenomenon is the one that you refer to, speaking not as a national security prosecutor, but as someone who used to do domestic violence cases, you heard the attorney general yesterday speaking to the global alliance that seeks to protect children online and saying it would be unfortunate and we're going to need the
2:58 am
cooperation of companies that when you have a search warrant for a state and local police officer, that you need to be able to serve it. that is a debate or discussion we need to have to figure out the right response. >> can i ask you the same question? can you tell us how international partners share information on terrorist cyberattacks? >> not just terrorist cyberattacks. one thing we are focused on doing is working to build partnerships. we work with doj. one of the things eric said in the beginning, one of the things i have seen in the past few years, inside the beltway, but remarkable, a coming together of all of these federal agencies working seamlessly together. to give you an example, when we
2:59 am
had the denial of service attacks that were hitting our financial institutions, we were working, dhs was working to -- these were botnets. the fbi was reaching out to their counterparts. there is a lot of noise out there. what we did, and this is unique. the state department decided to do --. i thought it was a bad thing. you can have a positive, where you say i need your help on something, i want you to elevate this. for about 20 countries, we said, this is serious. we want your help. we want to build a cooperative framework to deal with these threats. that has been part of our mission, working with the other agencies. more and more countries are
3:00 am
taking this seriously. this is not just a technical issue. that is another transformation. people used to go in, you would go in and talk to a person, you are the tech, you deal with it. now, people understand it is a national security issue. human rights issue, foreign policy, getting other countries to get to that same level as one of the challenges. more countries are. building that relationship on the technical level and on the policy level, it is a long-term game in terms of diplomacy, what proper norms for behavior are. the consequence, cyber being the new black, everyone wants to talk about cyber. it is increasingly happening around the world.
3:01 am
as you get them paying more attention to this and reaching out and saying how can we build more cooperative frameworks against the threats, that is helpful to us all. >> do we do this bilaterally? >> we have dedicated all of government bilateral relations with the number of countries. we have had cyber discussions focused on the full range of issues, internet governance, human rights, internet freedom. especially on security. we bring our colleagues from doj, dod, dhs, commerce. that forces them to bring agencies. they do not necessarily know what is happening. we have had more formal ones. we have it with the number of close partners, like the u.k. and australia.
3:02 am
we have had it with india, we are renewing it with a joint statement. the presidential joint statement talked about renewing the security dialogue with india. we have had it with japan, korea, other countries. we have also done multilateral work. we have done it within the organization of american states, the organization for security and cooperation in europe. it is a landmark thing. this is how you build better transparency. we got these measures last year and we are implementing them now. we have to look at both of those and measure our law enforcement. >> do you have similar cooperatives --
3:03 am
>> we do. we will work with other nations' militaries, do capacity building. there is a lot of demand for people trying to figure out how to build their equivalent of a cyber command. we want them to do that in a responsible way. there are things we learned we did not do as well as we could have. how do you balance that with respect to civil liberties within the law, executive oversight. there is another point i want to make. offensive operations are something that are an option, but it is only one of many tools that you have available on the policy spectrum.
3:04 am
we have made the very conscious decision, especially in dod, that that should be one of the last things you go to. before you would ever take offensive action, you want to work diplomatic channels, law enforcement channels first. it is pretty sophisticated right now based on this. a lot has to do with the fact that we have gotten practice at that during the denial of service attacks and in some of the past years there have been significant threats. >> can i add one other thing? the other part of this was capacity building. particularly for the developing world. we have done them any staffer cut, a couple in west africa, south africa. we are looking at asia. we are talking about building structure in government. there has been a lot of work where we are trying to build law enforcement channels, build good laws. we have a lot of activities we have undertaken. we are always challenged by people who can do this. the bench is not that deep.
3:05 am
>> let me follow-up on your cyber command idea. is the u.s. training countries to stand up -- to set up cyber commands? >> they want to defend their networks. there are a group of countries, a small group, that work actively on giving consulting and advisory advice about how we did it and things they can do to build it in terms of training, doctrine, all of the things you do when building a military force. we do it with our closest partners. we want to make sure it is done right. we are conscious of the fact
3:06 am
that a lot of countries want to build offensive capabilities, which we are not in favor of. we would prefer -- >> have we done it in countries that are allies, but are also developing? egypt? >> not as much. the biggest demand signal comes from countries that have more traditionally well developed relationships with the department of defense. >> europe? >> that is right. we spend a lot of time in the gulf trying to help them build capacity and make sure that is balanced with good governance. in asia, we have strong partnerships. >> who in asia? >> most of the countries prefer we do not speak publicly about it. to honor that relationship, it is probably better not to name names. close allies like the french and germans, we always want to work with. it is a balance of perspective. >> the problem overseas is you are dealing with countries in the process of censoring the public. this is another tool for that. how can you have any impact on that? >> part of the diplomatic effort -- this is a broad spectrum. we don't think it separates cyber security from human rights
3:07 am
and other issues. you have the same rights online as you do offline. when we think about technologies, there were some recommendations in terms of technology, where you make sure as you are giving aid or working on cyber security issues, that you are not enabling them to better monitor citizens or impinge on human rights. that is a delicate balance. you have the larger context of
3:08 am
what are the norms of behavior in cyberspace we are trying to promote? as more countries develop these capabilities, there should be understanding as to what is appropriate behavior. in the u.n., we got a group of experts and got something that said international law, including the law of armed conflict and humanitarian law, applies to cyberspace. that makes a lot of sense, but before, there were some countries that said this is a lawless space and you can do what you want. that is a long-term game. things that states should not do below that level, we have been talking about that, peacetime norms. that is part of the long-term game you couple with the short-term game. >> actions matter. these cases are difficult to bring. you need to put resources on the
3:09 am
front end because of the difficulty of developing -- with our partners. if it was a nationstate actor and they were conducting traditional criminal activity, stealing information from private united states companies for private use by companies back in their home country, we are not pursuing those cases criminally. starting in 2012, the department of justice created a national security cyber specialist network in 94 u.s. attorney offices, hundreds of prosecutors, the fbi announced a similar approach, that would share the intelligence side of the house with trained prosecutors.
3:10 am
most will not result in criminal cases, but some will. we saw the beginnings of that with the indictment of the five members of the people's liberation army. we have had great cooperation from partners in europe, where we will do a global takedown of a criminal ring. at the end of the day, if we follow facts and evidence, instead of leading to an organized crime group in ukraine, it leads to the five people in the people's liberation army, we will treat criminal activity as criminal activity. that helps build the norm of what is acceptable in this space. >> have you had cooperation from other nationstates for determining attacks against the nationstate here? >> yes. you are starting to see increased cooperation, law-enforcement to law
3:11 am
enforcement channels, prosecutor to prosecutor channels. >> can we go down the line, from all of your vantage points, what is the cyber threat to the nation? who keeps you up at night? >> in particular, iran and north korea. there are new vulnerabilities that come out that have an impact on the industrial control systems. undeterrable or difficult to deter countries. i worry about that. >> given my portfolio, if i was not a sound sleeper, i would
3:12 am
never get sleep. the top threat are those who would not be deterred. if they had the capability, they would use it. that is the terrorist organizations who have declared their intent to cause maximum harm and are actively seeking to acquire the capability and that is where each day, i feel all of us working together need to do more working with our private partners, so that we are not having an ugly 9/11 commission, that we are not having a post-9/11-like moment. >> i have learned to get sleep at night. at the same time, i agree with what both of my friends have said.
3:13 am
the undeterred, dedicated terrorists, rogue states pose a real issue. that makes the case for having a cooperative framework to deal with this. making sure countries have laws in place and using our outreach tools and capacity building tools, this is something we are mainstreaming as foreign policy. we are getting people who concentrate in this issue and work with the host government. mike rogers said we have not seen the terrorist attacks yet. we have not. we have been talking about it for years now. there is a lot of vulnerability out there. it is a big issue. it is not just to the united states, that is why we have to build the partnerships. >> this also keeps me awake -- in dod, my job is to worry about cyber tech.
3:14 am
i also worry about doing things that impact one of the last great economic centers of gravity for the united states, the i.t. industry, silicon valley. i think a lot about that. you want to make sure you are not hurting the economy in one of those great centers of gravity that we do have. >> thank you, eric, john, and chris. we will have our next panel up soon. >> thank you. i want to encourage -- we have had great comments and questions coming off of twitter. send them into washpostcyber. i want to say that all of the speakers are going to be excerpted in a special section
3:15 am
of the paper. it is a special cyber security section which will have articles and excerpts of what you hear. up next, i want to welcome david cho. we are going to switch. we have been talking to government people and now we want to hear from people in the private sector. i will leave it to you, david. >> my name is david cho. today we wanted to talk about something that is similar to the first panel, but more on the private sector. anything with a computer is a target for hackers today. your thermostat, your car, your pacemaker. dick cheney was worried about it, he probably still is.
3:16 am
also, jails, power grids, gas pipelines. how do we protect the infrastructure? that is the basic question. we have three experts to guide us. let me introduce them to you. security analyst and attorney tiffany rad is to my left. one of her claims to fame, she demonstrated that jail doors could be opened remotely and we will hear more about that shortly. andy bochman is a senior cyber and energy security strategist. he is an advisor on energy security. mike mckeown is part of the
3:17 am
cyber security team that caught five chinese military leaders stealing trade secrets and so, everyone needs to behave with mike in the room. we have about 25 minutes. i will pose a couple of questions. if you have questions you would like to ask, see my good friend allison. she is also pulling questions off of twitter. tiffany, let me start with you. give us the lay of the land. what has been hacked and what is at risk? maybe you can give us a little bit about your previous work. >> the work that you referenced we did in 2011. it was a team of four. we did about two weeks of research and we found some vulnerabilities in 2011. things have changed since then regarding how much is connected through programmable logic controllers, data systems. one of the things we took from
3:18 am
the research and what we were able to show the community was there is a lot that can be done by changing the security mindset and with training. having an avenue, independent security researchers can go to places if they want to do disclosure, especially in regards to different types of technologies the government has and vulnerabilities researchers may find. >> tell me about the prison doors. it was the rage at some of the black hat conferences. >> that is where a lot of independent security researchers and companies go to share the types of work they have found. the important part is they are there to share it.
3:19 am
if you see it at black hat, it has probably already been done by other groups. that type of conference is good for the government and industry to see. one of the very popular topics is industrial control systems. a lab was set up where people could go and tinker with industrial control systems. there was nothing nefarious about the work they were doing, but it was to teach people about how to design more secure products and what is possible at this time. that is one of the reasons these conferences are excellent for people in the private industry and the government to attend. >> speaking about the value of black hat to improve security overall, one of the motivating factors is that if government and other industry urge a particular type of product manufacturer to up
3:20 am
their security rigor, capability inside products and it does not happen, nice people at black hat are known to carry that product onto the stage and show how they can access it and do naughty things to it. that is a very bad form of advertising for the company in question, having its weaknesses so demonstrated, but it is a motivator. >> tell me the likelihood of an attack on a power grid, for example. help us wrap our heads around the consequences and describe what is being done at idaho national labs to simulate attacks like these. >> to the first point -- what it is like and what is involved. it is not i.t. you see elements of i.t. you see windows operating systems, but the communication and protocols, the types of
3:21 am
processors and the amount of memory and the segmentation is often wholly different. for a standard i.t. hacker, it would be a strange landscape, requiring special knowledge. another aspect about it -- would-be attackers on the electric grid, someone can take down the electric grid, the u.s. grid, but the grid is not all one thing. it is many different pieces. it is resilient in the face of natural disasters. it happens all the time. it is not nearly as simple as saying one intelligent hacker can come in and take control of things. there are a lot of layers of protection. on idaho national lab, this is one of a dozen or so department of energy national labs. we focus on energy security matters.
3:22 am
we are in the desert in idaho with a huge test range where we do not just model what happens on the electric grid in computer simulations, we can do it in real time and see what is happening from a cyber or physical attack point of view. >> mike, let me get you to jump in. how exposed are the systems that control these networks? who is targeting them? >> i will start with targeting. a couple of different factors. could the targeting be for a specific company or the sector in general, did something happen, was it accidental or malicious?
3:23 am
how can we share the information more? we are involved in different outreach programs. we work with dhs and their models. we are learning a lot ourselves. we talked about idaho labs. we sent a number of our agents there. we have pockets that have the expertise for ics and they may be around the country, but we have the ability to share the information. targeting in particular, we have gotten better at sharing information. even when it is on a classified nature. a couple of years ago we had a threat against the financial sector. we brought in the financial entities and gave them clearance for a day. >> this was the russian crime
3:24 am
ring going after the banks? >> correct. in order to share the information at that time. we are getting better at getting the information out. contractors may have knowledge they can share about indicators they see. we have a couple of different platforms that share that information. >> there are probably companies that say they need more help from the government. can you describe specific ways -- let me throw it open to any of you -- that this partnership could come together in better ways than it has now, to help companies facing attacks? >> you will hear me speak, not just for the lab, but the department of energy and cyber security in general. the job of the lab is to be different than what is in the commercial marketplace. to be three to five years ahead.
3:25 am
to imagine both the threats, the evolution of the threats, and ways to exploit technological capabilities so that they can do the r&d, get hits and misses, and it can be transferred into the private sector to advance and push forward and stay ahead of the threat as much as possible, or at least keep up. >> andy, you are on the ground, talking to these utility companies, what are you hearing? what are their concerns? the cost increase -- what are they up against? >> the number of people who subscribe to utilities -- we think of them as one thing, an electric utility. they range from fortune 10
3:26 am
companies that have some of the most sophisticated folks and tools, all the way down to 100 person co-ops with a security person who doubles as a maintenance person and safety person. depending on where they are in the spectrum, the challenges they face and what they bring to bear, how much help they need from external sources varies widely. one important point would be to know that -- think of a utility like any other asset intensive industry. someone who relies on heavy equipment. having a historic cultural divide between the i.t. cyber systems we have talked about here and ot, operational technology.
3:27 am
it is getting the utilities to put their efforts not just on the i.t. side but to look at the ot issues, which we call industrial control. coming around to the question, the smart grid driving interconnections that many of them were working on. >> i want to hear from mike on public partnerships. what do you think the cost of upgrading for a utility company is? >> it ranges massively. >> yeah. if you think about the size, the amount of assets they're responsible for, i would not even hazard -- sorry. >> mike, anything you wanted to add?
3:28 am
>> on sharing information, we have the national cyber investigative joint task force, intelligence community, dhs come together to share different levels of intelligence. it can be different levels of classifications. in pennsylvania, we have partners co-located with our fbi unit. i can talk to folks from financial institutions, large retailers, and industry experts. we are right down the road from carnegie mellon. we have that facility available. we have two fbi personnel assigned to see threats coming in real time. going back to real-time information sharing of the indicators that we see. we are cognizant of the fact that it should be within a sector. but sometimes, across a sector. the telecommunications sector might tell us the problems they are seeing and it affects another entity.
3:29 am
we have seen that with the telecommunications sector. getting preemptive notification to the financial sector. our program as well as working with dhs and experts has been helpful to get the big picture. the facilities to share that real-time over a couple years. >> the relationship between private companies and security researchers, we have -- when it comes to private companies. if they come across research that exposes vulnerabilities, there was legislation that was proposed, going on since 2012, to give that company civil protection. if they were to go to the government and say we found these vulnerabilities, the trust relationship between the private company and the government would be established so they feel comfortable about saying we found this and we are doing red
3:30 am
team research. we would like to let the government know without whoever the vendor is that the government may be using getting upset about the vulnerabilities or how they were found. this type of sharing is important. getting people to come forward with information that they have and trusting that they can still protect some of their i.t. as they share this is very important. some legislation that was pending was significant for private industry. >> how do consumer expectations about service and reliability play into this? security can slow services. >> there's always a trade-off between security and convenience. when we have your bring your own device to work, there are vulnerabilities that can be exploited in someone's home and
3:31 am
brought into the corporate network. convenience versus security is always going to exist. when it comes to that type of trade-off, what i suggest, i am a university professor teaching at a computer science department. i teach my students to think like hackers. that might sound scary. we are graduating students where they are writing code and considering security implications of every line of code they write. it is not how does the algorithm run? that is important as well. how secure is the stuff you are producing. when they go to the workforce and work for private industry, they are designing things that are more secure. we like to think that this is going to be changing through the graduates that we have in the u.s., taking jobs here. the convenience versus security, maybe they will say i think there is a different way we can do this that would make it better and more secure. >> when we are speaking about the development and whether it is commercial or on the
3:32 am
industrial side of a new product, new capabilities, of paramount interest is a concept called security by design. the idea that you have legacy equipment. some of the power systems are 20 years or 30 years old. you do what you can to isolate and protect them from threats. if you are building something new, you have a tremendous opportunity. whether it is an internet of things device, a cell phone, etc. you do not want security to dominate the functional requirements, otherwise nobody will use it or sell it. if there can be a security voice at the table in design discussions. a design decision could go one way or another making security down the road better or tougher. it is nice to get the security person, we really need to get the security voice into those early design and development decisions. that is power and everything.
3:33 am
>> let me get a question from the audience. >> a quick question from our general manager. i want to hear more. you are talking about how you are teaching. what are some of the eyebrow-raising things you are seeing from your students or people at DEF CON and Black Hat? can you talk about the eyebrow-raising things? >> we did not hack into the jail. one thing we balance with research is where do we cross the line with research that might be controversial. it was a proof of concept we never released. one thing we look at at the university and DEF CON is how the interconnectedness and the internet of things is coming so fast. the computing power is increasing so greatly. the number of devices we all have with us and carry with us today, and we drive home in cars that are mostly computers, not as much mechanical anymore. the research community is trying
3:34 am
to catch up with what exists, trying to find vulnerabilities to let the companies and the government know. >> what are some things that have happened? transportation? >> car security research, presented at Black Hat and DEF CON. consumer vehicles, trains, trucks, and planes. there are people looking at how these systems have networks and how they are connected to the internet and other things. >> the one thing we hear about is criticism that companies are running ahead and putting out products that may be convenient for consumers but are running ahead of the security protocols that should be in place. do you see that trend, or
3:35 am
do you feel that is one of the risks that is developing, especially with the developing sector? >> that was certainly the case until a few years ago. this will not be all black or all white. but the more that electric utilities and their constituents, their stakeholders, include security language and security requirements when they are buying some new capabilities, the more it pushes adding that capability into their product, for a product manager who otherwise may have thought it was a good idea but did not justify it. more people can be asking for it, all the way down to the consumer and citizen level. is this Android or iPhone more secure? tell me more about it.
3:36 am
that gives a signal to the manufacturers that what was not important is suddenly something that they need to pay attention to. >> i agree with that. that is going to be a more significant problem. we don't want to stifle innovation or creativity or these products that are out there. it is a balancing of that. to check vulnerabilities, working with different entities, other avenues to quickly thwart any adware, we need to stay on the cutting edge of what is the new technology and how that will work within the business environment. we want to make sure we are not doing anything to stifle that.
3:37 am
we need to have a rational approach to security. when it comes to the persistence, it means you don't have to have anything that is ironclad. if someone wants to get into your target, they will find a way in. we want to mitigate that risk. there are some rings of security; when somebody does breach one, there are others that exist. in research in 2011, we have encouraged -- we are not telling people to rip out your equipment because it is insecure; training and educating your employees, or whatever works for you, goes pretty far. when you have employees that have many devices they are bringing in to work, having them be aware of some of the vulnerabilities that exist in these particular devices is very
3:38 am
important. it is a rational approach. if they're going to get in, they can, but you need to mitigate that risk. >> along those lines, the phrase that has been thrown about in the infrastructure is resilience. it speaks to the fact -- it is a fact -- that whatever your organization is, no matter how protected you are, you are being breached. there are ways for determined people to get in and have some influence in your systems or visibility on your data. if you know that is the case, it is probably time to not pretend that everybody is kept out sufficiently by your systems. rather, imagine how you are going to respond.
3:39 am
do you want to be flat-footed when significant attacks happen, or do you want to have done an exercise already? call out whatever anybody's tasks are and do the best possible job? you can take a hit, you are taking some level of damage, but you are prepared for it and you know what your actions are at that point. keep things going as best you can during these events. clean up after the incidents. learn, get through training, whatever happens. understanding what you can get from that, get that back into your employees and your systems so you have better footing next time. >> there have been reports that Apple and Google made significant changes to their new operating systems. it is to keep almost anybody out of these incredibly