[captioning performed by national captioning institute] [captions copyright national able satellite corp. 2015]

captioning performed by the national captioning institute, which is responsible for its caption contents and accuracy. visit ncicap.org including the impact of encrimination. this event is two hours.

>> you're here with pasco, the modern field guide to digital privacy. we're so happy that you could be here. we'd like to start with a few thanks, dell, the internet society and c-span, our friends that are bringing this to you live online. the st. regis hotel and our friends move on to the keynote

interview and then we'll go to a great panel with ciar rag from the department of justice. just a quick bit on passcode. we launched in february of this year. we bring some of the biggest issues facing the internet. if you were here this morning, you'll agree this is one of them. we hope you'll come to more of them, especially in october where we have a full slate of them here in d.c. we hope you'll listen to our podcast. subscribe to our newsletter.

this is clearly an issue where it seems like there's this immovable force about national needs and law enforcement being -- i'm sorry, immovable object, unstoppable forceover technology and business. we're here to figure out how to move this ahead. how to move this discussion passed what seems like the past. so let me welcome in brett hanson from dell. bret is the executive director of dell data security.

is your mic on? sounds good. >> it's on. >> it's on. >> um-hmm. >> is it going? >> good, good. >> you guys provide a sweet of conduct. little devices, cloud, everything in between. channel functions in the software industry. so we've had, in this town, we're very aware of big breeches recently. can you talk a little bit about mallware tactics? >> well, like you said, the number has certainly increased as well as the effectiveness of this. what is often overlooked, at almost every one of these major

breeches, it comes down to individual. the end users, people like ourselves, are the focal point of the attacks. the reason why, technology can do a lot of great things. we can do a lot of improvements. as long as there's a human being at the end point, that's where the target is. they're the one who is are going to be curious and click on the picture of the pretty kitten and want to find out more about how to buy that. >> it has to be more thoughtful than empowering users. raise the fact that they're going to have multiple devicesment let's do so in a way that allows me to manage -- and

that's if they step up. that's a change in the strategy that we need to itch leapt. >> so, given that, how do you get them? >> there's going to be a combination. cyber security contains lots of different parts. j there's not one silver bullet. i think that's important for everyone to understand. there isn't a silver bullet. it's going to require -- it's going to require advanced policy and advances in education. however, we're seeing a lot of really strong advances in the last few years. indefinite user security is increased significantly.

and that's providing new technology with access today that and networks to better protect. so in the mobile work force, obviously, nations that do that and still stay secure. is that a viable approach? >> it leads the combination above policy. and it needs to be involving the employees thems to make sure that they're in. but for too long you think about data at the end point. pcs, mobile devices, public clouds. that's more of an after thought.

providing i.t. and the chief security officer the full visibility they need. >> can you truly be protected from that? >> there's a lot of noise out there about if you're going to be breeched,it's about when. we started off 5:00nologying the fact that they're difficult to stop.

we shouldn't giver up on stopping it at the input. it can't just be about the technology. for many years, we depended on tradition fall signature-based antimalware. and then saying okay, is that a good or bad executable. clearly, that approach is no longer working.

their approaches are containerized. they're going to keep all the untrusted data, your browser and e-mail attaches in a sand box arena that sprats it from your work flow. so, yes, the challenge is significant. yes, we are challenged nearby. there's a lot of companies out there that employees can utilize. >> let's just pause there. any question frs the audience? anyone like to jump in here? >> if you had a greater ability

of data, what would that change? is there that opportunity on the horizon? better visibility around your data forthcoming? >> so, answer the first part of the question is if you had better visibility or data? absolutely. if you take that to the physical world, companies know where their physical assets are.

so sf you're able to understand where my data is going, you should be able to detect if a breech has occurred. companies have to be thinking about their data as an asset. encrypting it. ensmuring that there's true access control. and mitigating risks going forward. >> one last one, millenials in the workplace.

et's a very unique issue for companies. how do you kpent on that? >> it is not just millenials. most of us have accepted the fact that you're going to have your work p.c. what we need to do is acknowledge that the work force has changed. how people access data has e volg ved tremendously.

trying to be regressive and say i'm going to lock you down certainly will work for a select number of organizations. so we need to be thinking about, again, how do i protect the assets and data itself? but that's where we need to go. i think there's a question. >> hold on just one second. we'll get you a mic here. we want everyone on c-span to hear you, too. >> hi, i'll put my coffee down. i have a question. i took my child on a disney baltic cruise.

and i actually had to get a dod-compliant wipe on my come pulter. and now i don't want to restore my come pulter. a lot of that data, i don't need. just information that we don't want out. there are people carrying around stuff. their laptops. and i carry two laptops. but when i got that dod wipe, i felt so refreshed.

i would really like one formula. >> i will say that there's an opportunity around data of what you're creating and what you're putting in the marketplace. the whole concept of creating data that if it's launched into cyber space and can be used against you is something that we should be aware of. it is a growing need to be thoughtful of what am i putting out there? >> any questions? sure, one right here. go ahead. >> how about pronlsing

technologies and the appeal of them. how do you prevent or break the psychology of companies wanting to invest and then becoming so reliant that they don't continue to invest in new ones. it seems to be a common trap. what can your do to break that psychology? >> that's good news for me. i think enr education is actually foremost. there is at this stage, a lot of excitement in the marketplace around cyber security. and i talked to customers, large and small every day, about how to improve their cyber security. what i stress to them is this is not a sprint. this is a marathon. this is going to take time. and then, to be really effective with cyber security, you need to stop thinking it as a -- as an end goal of itsds own and start to bring it as part of your

business goals and your business objectives. so as you're considering where your business is going, you need to be thinking about cyber security. as an example. i was talking to a company that is increasingly out-sourcing the production. that is creating opportunities to be more efficient. however, it's also creating new risk, as they're having to put more of their i.p into the hands of their partners. there need to be cyber security strategy. i think that's the change that we need to help drive. rather than getting caught and just embracing it and being done, it's how does the technology enable you business strategy and so much is cyber security strategy, as well. that ae that's a change in the mind set, but it's absolutely critical.

>> so my question is the solution that is you've focused on, the end users, the devices and how do we sort of secure those items. at a communications network level. what can be done there on that front to ensure cyber security? >> my name is andy from g data software. you mentioned the end user's perspective. other than a slap on the wrist or you're fired, how do you manage accountability. what is your idea? >> network management.

>> i obviously work for dell. we do have a big focus around the end user security. i think that's been a neglected part of the security environm t environment. security security,as i mentioned earlier, is all about solutions. it's the ability of different pieces to talk to each other. so as i'm collecting information around the attacks and the threat service at the end point, my threat is going to enhance its security and vice versa. increasely wharks you're going to see are these different assets starting to communicate with one another and through that communication, be more e fiblgtive in terms of both addressing threats as well as being proactive and permitting them in the first place. that's a journey we're working on. del has a great asset which we work very closely with. so we're going to be taking

those steps ourselves to really further integrate the two offerings to in realtime to make them more effective as a team. both offered as a team together. second question, accountability. that's a tough question to answer. there's a lot of different discussions about how to encourage work force. . a lot of what i've seen successful is the care and approa approach. >> thinking about how they can be safe. those who go a certain amount of time about how to reach a violation, either receive an award or recognition. there's also those companies focused on a shachling approach. using a little bit of, okay, john's been reached five time ins the last month. john, you're a bad guy. and that's obviously a little more draconian. it's probably in the car rot and stick approach.

but, certainly, at this stage, there is a low-level appreciation for work force employee acountability. i think the carrot is a great way to go. notify worker who is's doing well. give kudos. acknowledge the fact that. affecting data and addressing to protect or advance persistent threats. we're going to need to be much more effective in the long haul. >> thank you, director. thanks for coming. [ applause ]

so, first, we have amy hess. she is the executive assistant director of the f.b.i. science and technology branch. criminal justice operational technology divisions and the f.b.i. lab. she'll keep a few remarks and get to questions and i do want to get to audience questions, as well. >> great, thank you, sir. appreciate the invitation to talk about this very important topic this morning. so the f.b.i. really used the going dark issue as having been a concern for us for a number of years. it's well beyond encrimination.

it basically summarizes the issue we have with the proliferation of technology over the years. and how that might be impacting our ability to do our job. our ability to get information, evidence or leads in criminal investigations or national security investigations. and so as we see this proliferation of technology, we see that case accelerating. and, so, to that point, we have actually been more and more vocal about the issues we're seeing, the concerns we're having, the challenges that we're encountering with respected to be able to do our job. so, as i said, the going dark problem is more than just encrimination. when we're going dark, we're referring to encrimination for, example, data in motion. data that's transported across networks. realtime electronic surveillance that we must do in the course of our investigations. we also view it as a challenge

with encrimination on data at rest. stored data. we also view it as a challenge when it comes to mobility. so people will bounce back and forth between, for example, cellular service, wifi service back and forth. and that presents a challenge to us, adds well. and then anonimty is another challenge. and then, in addition to that, we see, for example, foreign companies. that presents a challenge to us. we see a challenge where it will

disappear as soon as you send a message. and that presents a challenge to us. all of those things factor in to what we refer to as the going dark problem. at the same time, the nafgs we used to keep in our homes are more and more on our electronic devices. and the same goes for bad guys. in trying to prevent those threats from happening or to bring those people to justice.

that's where we live as a society. we also have the foreign intelligence surveillance act. it does the same thing with national security investigations. search warrants. all of those orders signed by a judge that enables us to get access or at least authorizes us to get access. unfortunately, unable to execute more and more because of increasing problems and issue. not proposing a solution to that. from the government's pore spektive, we really need the companies to try to come up with a solution.

to try to build the most secure systems. yet, at the same and present an ord i with the search warnt or signed by a judge that we're able to get the information that we're seeking. the evidence, the data in readable texts. to start, let's go with encrimination. so strong, they say the company itself can't get access to the data. let's distill what we're talking about. that's actually a back door. this is a bimt-in weakness.

what is the problem as the f.b.i. views it and the proposals that have been flying around washington. >> sure. >> i think the ability for us to prevent an attack or to bring someone to justice, that's the piece that's at issue. and for the encrimination piece of the discussion that we've been having, the issue comes down to whether or not the company is talking about

realtime communications or stored communications, data at rest, it comes down to being able to access that. so in order to access that information, the question is how are we able to do that in the most secure way. i think starting with the premise that in the society we currently live in, currently to be able to get that information for some other consumer-based need. at the same time, the question

comes down to whether or not the government should be proposing those type of solutions. they're able to build build in some type of accessibility. >> what is the specific problem. what happens in that process that is holdsing up law enforcement from getting that app? >>. >> sure, when it comes today that at rest, we see the issue and we've presented a number of examples in the past. be i'll start with a passive example. for example, we had a case involving a child pornographer

who eventually was communicating with individuals. based on a photograph, question got access to that person's iphone. and then that investigation led us to eventually identify additional victims that that person had molested. all of these individuals, these children, were under the age of 8 years old.

but without that information, we might not be able to do that. we have homicide investigation where an individual is shot and killed answering the door. now there's no one to serve the warrant on. the police were unable to access to try to find clues as to who might have been responsible for her murder. >> so how big of a scale it shall what's the scale at this point. you have a new york district attorney who's saying that, in 80% of the cases, involving iphones running ios 8, law enforcement was unable to access that data.

that's over the course of the example. >> i will be the first person to tell you that we've done a really bad job of collecting empirical data. we need to do a better job of that. one, for example, we can refer to the annual wiretap report. the problem is, to get it title free, to get a wiretap, it's a

very prolonged, dlib rat process. so in order to do that, not to mention the level of f.b.i. headquarters authorities that we have to go through. an ajoent is not going to pursue all of those things. we have that same problem when it comes to, obviously, what we're seeing across the board. we are seeing an increasing problem. we need to do better at capturing the data. obviously, things like the annual wiretap report kind of presents the problem.

our investigators aren't going to pursue something that's that. >> there are some who say that there's actually more law enforcement available than ever before. that law enforcement, for instance, could collect met data which includes telephone recorders and location data. but aren't these tools enough? >> that's a great question. i think that, personally, i've had discussions with all of the f.b.i. field offices to have enough knowledge of how we investigate and, of course, having been in those field offices myself, and having investigated a number of different violations, agents will always try to get the information they need.

so they're going to try everything possible. in some cases, if we're stymied by the inability to get information in, really, the most effective way of being able to directly access a device or access of realtime communication, we're going to try to find a way around it. sometimes the problem is if we can get to it, we'll have lots of examples where we could have got the information if we had the capableties.

>> what about creting teams to break into the data once it's been collected. >> certainly, that's an issue too consider to discuss. we need to prove to a judge that we have exhausted all lesser means. to me, hacking sounds like a pretty intrusive means to be able to get the information. but on top of that, if they change that device, or if they upgrade to the latest upgrading system, they decide they don't like that anymore, it's very fragile. it may not be timely.

>> yeah, especially for the state and locals. we have a lot of really, really smart technologists who can help think through these problems and challenges. we communicate with our law enforcement partners on a daily basis. but the problem is, fechb we might be able to solve a specific problem, even though it might take us a while to get there, the state or local police departments may never be able to have that luxury to have those types of people employed or available to them to be able to do the same thing. >> so tim cook, earlier this summer, said that he's a ceo of apple. and he said if you put a key under the mat for the cops, a particularer can find it, too.

>> i'm worried about security risks in general. the f.b.i. supporting strong encrimination. clearly, we also have the remit for when it comes to bringing people to justice. that includes cyber threats. at the same time, how do we get the evidence we need when served with a warrant, signed by a neutral judge, to a company. to try to come up with the best, most secure motion to do that.

>> you bring up a good point. both the government and the private sector encrimination is seen as the best practice. so do you see the -- how do you see the relationship between what you're asking for and the need to protect data. do you see that at all? >> certainly, to protect people's communications. i any that goes back to just our first premise. we want people to be secure in those systems, for all the reasons i previously stated. but we also want to be able to get to the information with a warrant. when we do that, how do we get information that we need, but, yet, make sure that nobody else or at least people who build

these systems can make it as secure as possible so that it limbs -- there will always be a risk. and i will readily admit that. there will always be a risk when someone other than the sender and the receiver can get that information. at the same time, how can we minimize that risk? >> what are your relationships like with skoourt secretary. if they can modify it someway, it can hurt them. >> yeah, and we talk to the companies all of the time. matter of fact, we have conversations to try to figure out the best way to get the information that we need in the course of an investigation.

certainly, why they're conce concerned, and, clearly, they have legitimate concerns. y glvrjts if we build this capableblety in, how do we minimize that risk? it is a concern to them. at the same time, what we've been trying to do is to balance the discussion to say here are the two things at play. and what is the american public confidentble with when it comes to either going far perhaps one way or too far perhaps the other way when it comes to being able to access data presenting some risk inherent with that. >> and do you think if there is some kind of channelled access data as other countries are going to want the same thing that the u.s. government is wanting now? >> i think that's always a concern. that's part of our constant, daily discussions. we've had a lot of conversations with other countries, who clearly want that information.

our allies in other countries certainly have the same concerns concern and they want access to that data. the question is how do you differentiate what presents good human rights records are and country that is perhaps don't have those good human rights records, for example. and then, at the same time, if your u.s. companies, what are the obligations versus the. you have to give other countries nanding that access if they do and if this policy goes into effect. and let's say you'll like to have similar access for china. and are you sympathetic that this might put them in more of a political or diplomatic role. >> i think it's a very political discussion.

the question is how might we enable law enforcement to do its job. they want to try to do their job, too. that is a huge policy discussion. how are we able to limit that? that brings up how we might see ourselves in the future. by doing business in this country, does that mean that you're subject to certain rules and laws? >> are you concerned if they do, they can affect people's overall ability to communicate securely? >> sure. i think any country with poor human rights records that's why

we have the laws in place that protects from that. but that is certainly a concern. and, again, it goes back to the policy discussion about how are we able to discern between countries with poor human rights records and countries who don't have thattish sue. and who will be subject to what laws. >> i do just want to ask you one more question. you mentioned how the number of devices is overshrill increasing. so walk me through what is happening now as you're investigating a terrorist.

>> what we're seeing is mr and more individuals associated with isil. to be able to recruit individuals. who will use open social media platforms. but after seeing that that person might be more receptive, they'll try to move them to other platforms that we are unable to access. so what we see there is this going dark issue. how do we get passed that? if it doesn't work, what would? maybe physical surveillance. the problem is, kwhiel we're

trying to figure that out, obviously, we're wasting time. and we're using more resources to get that information, which may never come to fruition. and so our concern and our fear and what keeps us up at night, you may not know who's communicating in that fashion. we don't know how many more people were there. >> i do want to turn it over to the audience for questions. remember to say your name and where you're from. >> i just wanted to get you're views particularly to what's out and how easy it's been for making android users to use this kind of encryptic space.

>> and do you think some of the terrorist groups are taking advantage of the technology. >> i do think those who pose a threat to us are taking advantage. but they know and it's been well publicized as to what communication methods we were able to access. i can't speak to specific capableties or companies. but at the same time, we do see that in the course of our regular investigations chlts we do see those type of investigations, as well. yes, it is a concern. >> in the front? >>. >> how would you address --

sorry, alyss sarks, wait for the mike? >> my name is alyssa vhavinsky. i wrote an article. how would you respond to the concerns raised by alex damos that special keys how do we grant them only to the united states and also to our other corporate friends. we do business in china and russia. clooerly it's against national security interests. >> i washt to clarify again, one size fits all solution. the government is not promoting a folding key that will be the solution for all companies.

that's why i think it would be up to each individual provider to come up with what is the most secure solution for them that still achieves the end result. which is just to get usdatdata. with that said, the larger part of the discussion is how do we make sure that u.s. companies, and u.s. data a, subject to do that type of access. same time, considering what other countries may ask for, how do you factor it in to the larger policy discussion. it's a source of going debate. >> yes? >> it's not here and now. when and when do you foresee that larger conversation taking place? >> about the access issues? >> about the larger policy

question that you reference ad. >> there's daily discussions going on about that type of thing. we are concerned about it. certainly is here in washington, we had a number of discussions, with a number of different agencies. while we don't have the answers, discussions are occurring. >> usa today, congressman, having experience on the incryption issue, would you like to see them get involved with the issue or would that do more harm than good? >> the discussions we have been having, is that we want to bring the jobs to the fore. to also, not take it off the

table. i think that right now the, the idea and our goal is to ensure everybody understands what is at stake. for risks on both sides. and the equities on both sides. and so, currently, that is our goal without declaring whether or not we are seeking or pursuing or need that additional legislation. >> you said that you talk to the companies daily about the best ways to get information and the fbi has been talking about it for a year and you keep saying that you want to have this discussion out there to the forefront, and if you are talking to the companies, daily, i'm wondering, your opinion to reaction that you get from the companies, when you say that you need to be able to get around their incryption? >> the answer is, it depends. it depends on the company. clearly.

some companies, some companies may not are have, some are not subject to mandates. they don't have to build in the, those, that type of access. they have, of course, most companies want to help. they want to stop a threat or bring somebody to justice. but if they are not mandated to do it, the question comes down to a, do they need to take the resources and divert them to build in access? or at the same time, do we have companies that really would not be part of their market plan to do that? and even if they want to cooperate, it could take years to be able to build in some type of access.

so, all of those dynamics are built in, most companies will try to help us with whatever information we can provide. it may not be the, the -- really the solution we are looking for. >> any other questions? yes. right here. then we will go to -- yes. >> russell shea i'm a law student here in d.c., my question is about, in the context of law enforcement cooperation, in a scenario where data may be stored, physically outside of the united states, the, some tech companies argue that the government should pursue the data through mutual legal assistance treaties. are you going to comment on the process, and what it's like, and things that need to be updated or reformed, what is the approach to this issue? >> clearly, we have challenges with the ability to get information on a timely fashion.

sometimes there's processes, and they may take months. if not years. to get the information, sometimes they are just in effective. sometimes they are effective. but, that seems to be, you know, more on the rarity side. so, i do think that this presents that challenge for us. as to if it's u.s. data, in the course of a u.s. investigation. and we are talking u.s. data, in furtherence to a u.s. investigation in pursuing a signing of a warrant by a judge, what is the appetite of the american public to say, that company had to provide the information. that's the debate we are having at the moment. to find out what is the right balance. and how do we get that information. what is the right mechanism to get that information. >> um, so, in the third or

fourth row here? >> hi, dave, from politico. so, chinese fir firms, there's concerns that the chinese authorities can access the communications you are transmitting. if it's aapparent that u.s. firms are offering the same ability to u.s. authorities. whether or not the chinese or other parties can access them, what affect do you think it will have on the u.s. technology industry? >> again, it's a great question. it's, you know, how do we, we have an investigation with the u.s. company data. strictly limit ourselves to it being about u.s. investigations and what the u.s. needs access

to. and the question comes up, other countries want the a access. so when you have a uk that has that need in the course of a law enforcement investigation, versus another country, that we may not have the same type of relationship or same type of, again, human rights record or whatever it might be, with respect to what they are going to do with that type of information. that is the larger policy discussion. and how do we think about that? do we, at this point, again, i think that we knee to have that more open discussion, what's the right solution? we don't have that solution right now. we don't have the right solution for what should be mandated, should it even be mandated? are we comfortable in the place we are in now, where the pendulum has swung so far post sn snowden that we are seeing from

a law enforcement perspective, seeing society as a whole go to a place where more and more people are going to be above the law. and if that's the case, are we comfortable with that as a society? that's the larger question. and then the second question, what do we do about it? if we are not comfortable. >> okay. and we have time for, i think, a few more questions. >> hi, i'm with the intercept. i'm curious in the fbi is concerned, if the companies,you got them to agree to a backdoor or build in capability, are you concerned that other companies may lead, darker companies, criminal entities and provide the end to end incryption and it will primarily be the american user loses out and criminals will find access to these things. >> really, the experience that

we have had is that if companies can build in a such a way, again, i go back to the, it should not be the government pro posing the solutions. the companies know their systems better than anybody. in our ability, the requirements should come from the government, and that is what we are trying to accomplish. but the companies should be able to build in the most secure systems. to build the most secure systems. to do that. with that said, i think you, yeah, the very tech satisfiy peop -- tech savy people are going to figure out how to take advantage of anything. and that clearly happens on a regular basis today. how do we protect against that? again, to say that, i think service providers today are 100% secure is a little bit of a misconception as well. and when we are moving toward

this world, how do we identify the best way to really attribute those types of attacks, or those types of, i guess, protections, if i will, but they are not, the perspective, that the hackers, the criminal element may be trying to try ing to move people toward and we have to root out and identify those individuals. i'm thinking in my head about, you mow, one of theç conversations we have on a regular basis is, with respect to access, historic communications. for example, a communication device like a smartphone, people ask us on a regular basis, yeah, that person backs up to the cloud. the problem with that, what we have found in the investigation is that most people don't do it regularly. and don't do it on a regular basis. they may not do it at all. you clearly turn that feature off.

and we see in the course of investigations that the tech savvy criminal can find out if automatic back ups are occurring. or if that reason is being diverted in some way off of a particular device. and so, we have to be able to, i think account for that in the course of the investigations as well. >> and, last question? >> from a friend of the fbi, of the aclu, i will paraphrase, the question is, does the fbi use incryption in classified e-mails sent over the internet and other organizations and how can the fbi engage this conversation with tech companies if they then

themselves are not operating at a high level of technical sophistication and how do you feel the federal government is doing in general to raise themselves up in the conversation, to say, yes, we are doing our own good cyber hygiene? >> we need our information incrypted and protected the same way as the american consumer and companies do in the country. clearly, you have seen as a result of the recent hacks, we continue to focus on that. i will not talk about the type encryption that is employed on one level. we as a government, need the to do a better job of it. and it comes back to my original point. we support strong encryption, as i said several times today. we need to protect data and communications and

conversations. but, the challenge for us is again, just to tee up the issue, what is the american public's appetite if we go to 100% secure systems that nobody can access, ever. are we comfortable with that? even with, in the course of an authorizationed investigation, in the course of trying protect public safety or in order to prevent an attack. are we comfortable with that? that's the underlying question. >> that's a great place to end on. ha for joining us. thank you. applause

. we've just had a conversation about the law enforcement, in the incryption debate and now we will put in he other views in the conversation. we have next to me, one of the leading cyptographers, he is employed in the university of pennsylvania. we have john calas, he is working with silent circle. and we are keeran braj, thanks to joining me, and we will again, have questions, and then he we will open up to the audience for your questions as as well. >> just to start, why don't we, i have a question for each of you, actually. what do you see as the benefit to society to have a strong incryption, do you see it out weighing or falling secondary to

getting a access to that data? >> it's easy to frame it, it's between national security and law enforcement on one side and privacy and strong protection on the other side. everybody participating in the debate for the last two decades, easily falls in to this. it's a question of having encryption and decreasing our ability as a nation to prevent crime by having weaker encryption, we are both on the

same side for wanting to prevent and stop crimes and for wanting to make the country more robust against national security threats. unfortunately, it's a battle we are wilosing. i would love to stop having the debate and get back to work. >> john, what do you think? >> i think he has brought up the central issue, it's a policy question. and it really is a policy question. it's not a technology question. those of us in business are already international. my company has a swiss company, we are not a u.s. company. and we know that the threats come from the countries where they don't have good human rights. and we don't have a technical way to make it so that we can provide access to the good guys and not the bad guys.

and under certain circumstances where it's hard to know what is going on. they were saying repeatedly, it's extraordinarily hard to get a warrant. that what they need are mechanisms that can go beyond getting a warrant and would just let them get the data. that is a policy issue of what gets protected from a legal aspect of it. and we are in a situation where we are forced to build our devices in countries that are not particularly always friendly. and yet, we have to be immune from blackmail the from them. if they decide that people in friendly countries have done something like not hand their data over because they have just happened to be in that country, how do we handle it? what is the policy of us juggling 170 plus countries and

deciding who has filed what paperwork. >> what are your thoughts? >> i think we have to start with the shared values that we have. ensuring public safety and strong national security and strong to do it. and we do it with our commitment to rule of law. it helps the freedom of expression and data a security and our i.t. security and that's why, the department, the fbi, and just the administration supports strong encryption and i think the rubber hits the road for us when we design systems that use the strong encryption to the point that it's warrant proof. that means the system is designed so only the end users can access the information. so, i think, when we think of what the share values are, we have to figure out how to design systems that maximizes public

safety and national security interests and our cybersecurity interests as well. that's what we talk about in the conversations and key badebates we are talking about. >> matt, you are a veteran of what is known as the crypto wars, they were earlier battles that went on in the 1990s. how are the debates now compared to the debates back then? >> yeah, it's been a long time, and we keep fighting the lot of the same battles. i think the main difference between you know, this discussion can, in the 1990s and today is that in the 1990s, a lot of this was, hypothetical, we were saying things like, you know, this internet thing is going to be important some day. and we are depending on computers, and we are depending on this, this computerized network infrastructure for a big

part of our daily lives and we have to be secure really soon, and that's really important. i'm not sure i believe that it was going to be as important as ultimately it became. every part of our daily life depends on a secure network infrastructure on being able to secure end points. you know, this is so integrated in our daily lives, we cannot identify where. i think the stakes have gone up since is the last time around. >> you were also the one who discovered a flaw in the u.s. government's encr ayption syste. as technology is more in every day life, do you feel it's possible from a technical perspective now, to create a solution like the ones this the national security officials are

proposing? >> it's often framed as well, we have solved so many really hard technical problems. look at all the wonderful things we have done. surely, if we can put a man on the moon. we can design a secure back door encyption system, unfortunately, it's not so simple, when i hear the, if we can put a man on the moon, we do this. i am hearing it as if we say, if we can put on a moon, surely we can put a man on the sun isun. you know, this is a hard problem and it's not even a new problem. ultimately, we are talking about a set of requirements that somewhere along the line involves making a relatively simple problem, encryption between two parties who know each other and only they can get

access. it's a simple problem. turning that in to a very complex problem. and securing systems with complex requirements and building systems of that level of interaction in a way that works reliablely and as we intend them to do. it has been a problem that has been around since the beginning of software and computing. we don't know how to solve it. >> you don't think it's technically possible to do it and have systems be secure? >> a shorter version of my answer is no. >> do you think it's true, that it's impossible to do it? >> when we look at what companies are doing today, we see there are large companies, for example, in the commercial e-mail providers, where are they use strong encryption to protect the e-mails, and for their own

business purposes they have to be able to access the underlying can tent and th content. one of the reasons is to serve you advertisements, but it's also to operate the security software. so the information is generally protected with strong en encryption, the company itself will have access to their information. we see companies now that have the balance, they have strong protection and security for their data and have access to it, it's difficult when we hear, it's technically impossible to do it. so, again, i think we have to

have that discussion about, you know, do we want to really encourage situations where, you are building systems that are warrant proof that provide zones for criminal activity, or do we want to have a larger discussion that said, we want to do it today as well. >> there's not one proposal, technical or otherwise pro he oppos -- proposed by the u.s. government, why is that? do you think the u.s. government will put forward something more concrete? >> i think the reason you do not see a single solution. it does not make sense given the industry. each company knows the system so much better than the government does, or frankly anybody else does. when we think about it, it's about how does a company respond to a warrant or court order,

they are in the best place to figure it out. it does not make sense for them to have a golden key. in that situation, it does not really make sense, it's what is much better and frankly, i think all of us agree that the government needs to go to the company with the court order and the company provides the information. with see ing debates where they are saying that the government is wanting access to that information. >> you do not necessariily thil the government having a role in that? >> the main point for the government, the congress and the american people have given the government certain authorities. wire tap act and we have the

authority and we go to the company and serve them with an order, we just want the information that the order says we can get. and how the company does it is frankly their business. and we want to work with them, and help them, some company cans would wo -- some companies can work with us. but others do it on their own. >> what do you think, john, about this? i mean, there's no one size fits all, but you said there's policy questions involved. >> and they do ultimately boil down to policy questions. to the matt's thing, there's a way to land a man on the sun, and that's you go at night. i feel that is what we are being asked to do, to land on the sun at night. the thing that you are talking about with corporate access, is in fact the easy part of the problem. and there are present solutions to that.

however, when you have third party people, and when you have for example, an e-mail provider that is holding other companies e-mails. and i shut down an e-mail system because we were a provider that was using a system that i built. it was designed for an enterprise that does not work in a model of third parties where i become the weakness that my customers have. and, in that environment, where there are cloud services, and other services. it's very difficult to know who it is that you go to. there's a case that is going on now, which is the microsoft case, where microsoft has literally e-mails that they are dealing with in a cross jurisdictional boundary and we are having discussions like this one with the tech companies saying, if they put their things

in other countries then it's in another country. and my biggest fear is when an american forms a company in switzerland, we will be needing and it seems that you are saying, that we need to take our count companies on out of the u.s. that it would not be a problem if apple is a european country, because you would not have to deal with warrants. >> you did not leave the u.s. because of this? >> when we created our company, we moved to switzerland and other countries. >> you have built your business on the promise of secure

encryption, so how does that affect your company, with these types of discussions? >> again, it's not a technical problem, it's a policy problem. if i am a swiss company that has servers in switzerland, and someone who is not an american, how does u.s. regulation law, affect that. if i have an american customer, who is a customer of mine, how does that do? if i have a american customer that the chinese want something, how do i handle it? these are the policy questions. it's a much harder question. >> for the large multi-national companies. for example, apple, what does the it do from the business side to their operations?

>> well, they have to be putting a backdoor in. if they have to put a backdoor in the phones, which, some of the encryption that is put in now, is designed to stop crime. mayor bloomberg said that a third of the crimes were people stealing cell phones. so now you can make it so you cannot get in the phone without the owner's consent. because they were being stolen and sent to china and being sold as a markup. they are anti-theft mechanisms. the things we are doing for counter espionage, that is what my company revolves around, companies are being spied upon. it really is a huge wild west out there, where, anybody could get any information is doing so,

and so, how do we go and deal with this issue where the customer is, where the warrants are coming from, and where we are and what we want to do. we do want to get rid of the bad guy. >> and so, matt, from your perspective, what role do you see company cies playing and do everything that they can to protect the consume r information? >> you know, on behalf of computer science and security, we really don't know what we are doing. you know, we have been fighting a losing battle to build particular complex many systems for longer than the corporate world, before i was even alive.

and we are actually getting worse as time goes by, and the reason is we have computer systems that can be larger and do more things and are more complex. and we simply don't know how to secure a large complex system. we have two things that work, and they don't work universally well, but these are the two techniques so far that my field has come up with to mitigate our inability to build large complex systems. one is, crypto, that lets you not trust more parts of the systems. you don't have to trust the links. the second, make the system as simple as possible. and you know, we say, when we are asked to put on the security hat, make it simple is as you c

and reduce the number of things it does, and use encryption wherever it can be done. and the backdoor requirement works with that. >> you go to the conferences and aucti talk to people and it's emotional, because their whole job and lifestyle in a way, is to make systems as secure as possible. why do you think the debate, do you think that is why the debate is in some cases so polarized? >> you know, i think the polarization of the debate is harmful. i mean, you know, it's so easy to turn this in to, you know, evil government people that want to spy, versus people that want personal privacy. i think that, you know, in terms of the end goal, there's a lot more common ground here than maybe the debate lets on.

i think the how we get there is where we differ from the fbi's proposal. but, i think, you know, the goal of strengthening national security and preventing crime, you know, it's pretty well shared by almoshare ed by almost everyone. >> i think it's an important point, goes back to what with i saw, with the shared values. we start with here are the shared values that we agree with. and there could be disagreement with how that affects the shared values. that's why we talk about this as a discussion. as an open, and informed discussion. sort of devoid of the pajorative terms. when we talk about this, the us policy points that john brought up, from economic issues and

competitive advantages, and those are valid issues to talk through. we need to on understand the implications of the decisions. my point is we should figure out what is right for us. how do we do that balance and so that's, you know, part of this discussion. but if we can start with, we all have a shared value, which is improving, and maximizing public safety and national security, while at the same time, ensuring civil liberties, it's a great start. and how we go from there is how we move through the discussion. >> and some of the debate has been edward snowden, do you feel the encryption debate is getting caught up in the other revelations about different types of surveillance. and the bulk metadata collection and has this made this case

harder for companies and the american public? >> it has, and in fact, it's one of the things we ride to stress, that going dark debate is different from sort of 215 and metadata debates. for a number of reasons. number one, we can all agree that reasonable minds made the decision for what is lawful surveillance. that is not this issue. we have the surveillance authorities. congress and the american people have given us that power. so the issue here, is when we have that law. we have the court order for a wire tap order, example, and then this we go to the provider and the provider said, we cannot comply a lot of the nsa debate was a question of what authority should government have. it's a very different debate from that perspective. and i think, the important

things, when we talk about capabilities, what it means in practice, no matter how serious the crime is. the fact that the judge has made a he a determination that there's a crime in progress or will be in progress, and we cannot get the information. that is a different than the nsa issue. >> there seems to be a general agreement that if law enforcement has a warrant, they have to try and have access to the data. do you think it's reasonable to ask companies to redesign their systems, to make these warrants happen? >> we don't do in any other part of our society. a warrant is not a right of the government to get data a. it's a right to perform a search and attempt to get a data.

and there may be a lot of reasons why they can't get to it. and this, this is part of the u.s. part of the policy issue. >> right. >> because, back again, to where technology and policy meet, it's that we don't have a way to code intent. we do not have a way to code good guy in to things. that, if i am making a system that will protect people in business, against, not only semifriendly countrieies other stuff that goes on, we know that most countries are in fact spying on each other. and most countries, the country

is specifically, it's intelligence mechanisms to help the needs of the country. and in the u.s. and countries where we have, i will say, bribery, there's the foreign corrupt practices act and so on on, that it is illegal for law enforcement and intelligence to help u.s. business. there's plenty of allegations it's going on anyway. at least it's illegal. it is not only legal, but stated policy in other countries. if we make a system that works in one place, it has to work in another. we are kind of like odyssyus, where we are having to lash ourselves to the mast. if we yield to one, we have to

yield to them all. there has to be an international way that we can come up with reasonable ways to do things. if we have a way to say, that is a reasonable request and that is not. you can have a symptomology cal thing, where you know the -- you can have a symptomoloimple tech thing, where you know you can get to a certain end. >> china wants to have its own system and that country wants to have their own system, walk me through what this means to american companies? >> we have built systems that for a single organization, it can handle all the data, in a

way to do oversight on itself. howev however, once you start having cloud services. once you start having any of these things like, like a provider that provides e-mail to multiple other countries. then, the policy issue comes up up, of, who gets to say to the provider, i am not getting satisfaction from your customer, so i need to come to you. and the rules around how you would do that. are the policy questions of how you would do that. >> and so so, matt, what do you think? >> so, i want to disagree with something that john said, which is that, this is a policy question, and i agree that it's a policy question. but it's also more than a policy question. so you described the abstract

problems you get if you can build it perfectly. what you get at the same time, is making our whole infrastructure vulnerable to more of the opm attacks. more of the ashley madsons and the target reapers and the pick your breech of the day. >> because there's a thing that you can go after. and so, that is why, our best decision is to make it so that nobody but the end user can get there. >> a fundamental problem is, if a company builds in a back door or an ability to provide access to mass market products used by companies and individuals and by government. that company suddenly becomes an extremely aattractive for an intelligence target. and an attractive organized crime target. we've seen all three of those

categories succeed wildly in recent years. and we are going to see more of it if we create requirements that companies retain, capabilities, that would be very, very interesting to have for nefarious purposes. >> this was the lash yourself to the mast thing that i was saying. the only solution we have to protecting our customers and ourselves, is in fact, to do make it so that we are not a target. >> and so i want to let you jump in. what do you make of it? and what is at stake if law enforcement does not get the access they need? >> sure, again, the idea that company cies overnight will go a system where only the users will have access is not compatiable.

there's certain is -- certain systems where only the end user has access to it. and those are the systems, where even with a warrantor court order the government will not be able to obtain the information. so, from the threat perspective. we talked about that. i will not repeat a lot. it has real effects on real investigations. and it's important. almost every investigation we do, involves electronic information. so, if we are creating a class of information that is in a sort of digital safe zone for criminal activity, that's a problem. and it's a problem we want to highlight for folks. they need to know what our, as technology advances. it's a fundamental question, do we want to have technology drive it or should we drive it from a policy perspective?

that is what this discussion is about. we want to let people know, it's happening, but i just don't see a world where, you mow, companies will not have access to information to their own businesses. so the real question is, what happens with those specific platforms, certain applications, certain devices. where, there's a choice you could make, to design it so it's a warrant proof, so only the end user has access, or design it so the company retains act he is s -- retains access and the ability to respond to a court order or warrant. >> i do want to open it up to the audience for a question. raise your hand and say your name and when you are from. right up here in the front. >> thank you. >> eric geller from the daily dot, i wrote a big feature on the cypto wars and the experts said is, listen, the government is saying we want to have the debate and bring it to the

public. but we have been doing it from the beginning. and yet, they are saying let's have the conversation and listen to the tech companies. what do you say about it being settled with the experts and text companies. they have heard the arguments and not see a way to do it securely? >> a couple of on points. one, matt talked about it, we are in a different world than we were two decades ago. just with the inspiration of internet and digital information. number two, you know, back in the two decades ago. the government was asking for something different. there was a key that one government agency held and the other government agency would hold another key. that is not what we are asking for today. what we are telling folks is that, when we go to companies with a court order or warrant, they are unable to comply. we wou we would like them to comply

and how they do it is based on their systems and their designs. i would say generally, you know, we have been having very product relationships with the companies. we all have the same shared values and so, the more we can do to figure out how tomaximize the security, and the civil liberties. we are in a different world than two decades ago. and i think the companies would agree. >> we have question. up in the front. >> ei would like to talk about the american people and trust, and that issue. you know, there was data looked

a at. we are seeing people that are higher up that are like general petraious who got a slap on the wrist and leon pennetta, a lot of people in the intelligence community leak and it happens all the type. and some get prosecuted and some don't. once we saall trust each other,t will be easier to go forward. >> i think most people a agree, our country is one of the strongest commitments to the rule of law in the world. and it's something that we at the department of justice and frankly the whole administration think is very important. so we try every day tonight sure that we are building trust with the american public. we have to. and that's what the rule of law is based on. trusting the folks that are carrying out investigations, and prosecutions and the like.

so it it is an important value to us. >>. >> any other questions? yeah. i loft y i lost you there. my question is for the government official. the issue is about conflict of law. and the situation where some tech companies may find themselves when they have to comply with a foreign law to hand over data, that would bring them in to conflict with laws that make them liable for crimes for breaking u.s. laws. how do you resolve this? where increasing businesses are global and have to can deal with multiple sets of law. how does the doj address the issue? what are your views on that? >> no, it's a good question. and it's a question that companies are facing more and more every day.

i guess the point i would make, just generally on that issue, it's broader than going dark and encryption, we deal with it on a daily basis. so, the companies work through those issues. sometimes they have to do something specific to a particular company. it's really going to deal with the specific law s and it is a problem that is growing in the global community. >> we had a question earlier for amy about what would happenthe policily goes in to affect, to americans, the perception of american businesses abroad. this plays in to it a bit. maybe you both can take a stab at it, answering what will happen. the perspective that they are giving data to the government. >> i, not even speculating on

what it will do to trust on u.s. products abroad. there's the, also the issue of making our infrastructure less secure. we will see a real ripple effect of the horrible security crisis that we are in today becoming measurably more horrible because tools for securing it become less robust and less available. and you know, that would be horrible. >> i agree with matt on that. it does make it less secure. it ruins the security that we are building in to things and i'm going disagree with him, that i think we are making progress. >> did i say we were making progress? yeah, i don't think so. >> i think we are making progress. >> oh, okay. >> but, it would ruin the

reputation of the company cies worldwide, you know if there's a master key that it is only a matter of time until it's leaked and stolen and it gets misused. and we have seen all across the board, whenever there's one of these databases, one of these central repositories for information, people use it to checkup on their ex. they use it to find out what their neighbor is doing. and the fact that it would happen would ruin the reputation and it would ruin the reality. the reputation would be ruined for real reasons. because it really would be weaker. >> and i will say john is making progress, nobody else is. >> two points, when we hear master key, and golden backdoor, we have to be clear that no one is asking for that. number two, is that hearing

arguments that companies' reputations will be ruined. it's a puzzling argument. today, we have large companies, that can respond, to court orders and warrants who have billions of users around the globe. who use theirs services. and we are not seeing those issues. and again, i think it's important to understand what we are in fact asking for. which is that, we don't want situations where there's warrant proving encyption. it is something that we value. it's important to start the discussion. >> you are not asking for the golden key, you are asking for the magic rainbow unicorn key. we have companies that can

respond to court orders today, there's no magic key, they are able to do it. >> but they have security. >> well, many may disagree with you. >> it's the companies that are importing security that you are getting upset about. >> i was agreeing with what you were saying before. we have the shared values and all of this. we are putting in the encryption precisely to stop crime. the reason that others are putting device security in to the device, is so that the system is there is so when you have exactly what you are ask can -- what you are asking for, now that we are doing it, we are being criticized for doing it. >> i think it's important, it's an important point that is getting lost in the discussion.

we want strong encryption and we want to have secure devices. is the only way to secure it to have it warrant proof. some companies will disagree with you. if the answer is there's no way to on do it. they have tried super, super hard and that's the answer, then that is something that the american public and folks should understand. because again, what we are saying is, when we have the court orders, these authorities that the public has given to us and we cannot use them. people need to know that. that is again, the discussion that we have to have. >> i will admit that i'm flattered by the fbi's faith in

my ability and the field's ability to produce these super secure products that you are worried will be warrant proof. but frankly, i'm puzzled by the underlying assumption that we have any chance of actually doing that. and that the internet, that we have today, is adequately secure for just about any purpose you could imagine. i mean, i think, we are in a national security and public safety crisis as we rely on this horribly fragile. or horribly weak infrastructure. and i am really worried about what happens when we rely on it more and more. and i think that is the number one cyber and i promised myself i would not use the word cyber

today, problem that we are facing. and i think it's just pretty close to an emergency. >> so i want to pause you there, we have another audience question with. on the side here. >> yes. maim is gary cthe -- name is gay collen. two questions, many companies are able to provide law enforcement access to the data. that in mind, i keep thinking the target breech, the ashley madison hack. that would not have happened if the data was encrypted and now my question. it's one thing to mention that, assuming everything was encrypted, megadata will still

be available to law enforcement. michael haden, the former head of the nsa said we kill people based on meta data a. what is the difference if law enforcements needs is that they need greater access to content, if the intelligence agency is making life and death decisions based on that information alone. >> amy talked about the need for content. it's helpful to explain a bit, when we say wire tap order, that is what it mean, because i'm not sure a lot of folks know. what it means that we call it for probable cause. it's that committed enumerated federal felony, but we also have to show necessity. and so, that means that we have done, we have either tried to do

other techniques, less intrusive techniques, and it failed. so some of those techniques are physical, using an undercover, pen registers, poll records, those are considered meta data. somebody writes up, an investigator writes up an affidavit that shows they've done these things or they're too dangerous to do for whatever reason. and sometimes those are on hundreds of pages, huge, huge affidavits. then there has to be an application by the prosecutor. the office of enforcement, oeo in the criminal division. that is then signed off by a high-level criminal official, then it goes to a federal judge, a district court judge who does his own independent analysis that the information satisfies the statutory requirements, and only then do we get the court order that says you can get the

content of the communication. so it's not the first thing that we do. many times it's called the investigative technique of last resort. we've already had enormous review, a federal judge who reviews it as well. and only then do we go to the company and say can we have the content of communications. so in those situations, the meta data for whatever reason has not been helpful. so i think it's important to understand that in context. this is not something that happens right away. there's a huge amount of investigative resources and other techniques that are used before, in the wire tap context we go and get a wiretap order. >> we have time for about one more question. does anyone else, a question in the audience? yes. >> just hearing from you in that current context about all the methods that we use prior to actually asking for content, i'm curious if the d.o.j. or fbi will provide numbers on how many times this actually happens in

investigations, just because it seems like it's such an extreme situation, that it's hard to imagine that it occurs more than just a few times. will that data become available to the public? >> amy addressed that a little bit, which is that we do need to do better. we need to get better data on that. part of it is just, one of the hard issues is that investigators, when they hit a wall, they don't stop. they try to do other things. so, for a long time, we haven't been figuring out all the different walls that they've been hitting. but given the current discussion we agree that that's important data, and we need to do a better job of collecting. amy talked a little bit about that, but i want it reiterate that. it is an important point that you make that we have to provide a sense of the scale. >> anyone else have any questions? i'll ask one more of each of you. we can go quick. i knew it was going to get heated at some point, so, just to try to bridge some of those differences there, kirin, what do you think is the biggest

thing that tech companies or security pros or even just americans in general might be missing in the national security interests? >> when we talk about this issue, we really do have shared values. . if there's nothing else that comes from this discussion, that's one of the important points. it often gets missed when we talk about the different issues with the technology, with the economic issues, the competitive end issues and other policy issues, because those are all important parts of this, but if we can start with, we have these shared values. we want to figure out what best way to maximize those values, and then we can have that robust discussion on what the best way is, but it we're all trying to get to the same end goal, that's an important piece. >> what do you think the u.s. government needs to do to help its case? >> i think part of it, we just have to be clear about what the issues are, providing important data to folks is part of this ven discussion is also helpful.

that's why we do these events so people can hear what we're asking for or what we're telling the american public. you've given us these authorities. those authorities are not as useful anymore because of the rapid change of technology and what should we, as a country, do about it. >> and there had been some questions earlier about what, you know, whether the private sector, the smartest minds had done enough to try to solve this. what do you think that, what's the biggest thing that you think they're missing when they say that, and do you think's worth more research or exploration going forward in the private sector to see if something else is actually possible here? >> well, it's a research problem that we've been working on since before the fbi told us about their concerns, which is how do we build harlarge-scale things t are secure. that's a high priority. and, of course, as an academic researcher, i think the government should put lots of funding into that problem and fund people like me to think about it more. but i won't pretend that it's a

brand-new problem. but it's one that i think is of increasing national priority. but it's one that we don't know how to solve. >> interesting, and so, john, at a company where the business model is to keep people secure through encryption, what do you think the government is missing about how this could affect businesses, american or international, and do you sympathize at all with the plight that law enforcement describes? >> oh, i think, i, i sympathize completely, but we are in a multi-country world where there are not shared values across e countries. and i'm in a situation where i worry about what happens when a warrant comes in from another country where they say that even though this person wasn't even born there, their grand parents

were, and so therefore they have a right to certain data. i worry about the costs of how those of us who build this would be able to do this. and that it effectively turns us into something that we don't want to be, which is a supragovernment authority that of decides whose information, which is often who lives and who dies, goes out. that, that we are in a situation where the devices that we manufacture are being built in countries where we could be held hostage with that. and it isn't a matter of we are only in one area where we have shared values. we are in a huge hostile world where there is information warfare going on or economic reasons for things that are

theft and the techniques that we have whereas good as we are at them, you know, i think that part of the reason that this debate's come up again is that we're actually starting to make progress. and there is a very difficult problem in those of us who are international versus the interests of one country or her to or even countries that we share values with. >> okay. i think that's all the time we have, i'm going to turn it back over to david. [ applause ] >> thank you, everyone, for coming. thank you very much to dell for sponsoring us today. thank you technically to the department of justice