
tv   Key Capitol Hill Hearings  CSPAN  August 10, 2016 12:00pm-2:01pm EDT

12:00 pm
economy. it is a conspicuous 1% to 1.5%. keep in mind that gig work did not just begin three years ago. anyone who was in the construction industry, it has been kind of a gig economy for a long time. it seems to me that the question presented is -- how do we accommodate the desire -- and it is an understandable desire -- for people to have flexibility and control over their own destiny? what is the need for the social safety net? because it is great to have flexibility and independence until you get in a car wreck, and then if you do not have workers' comp or health care, you are kind of in a world of hurt. and that is why i have always been befuddled at republican opposition to the aca, because the affordable care act is a linchpin of the gig economy, because you can have portability.
12:01 pm
and i have been really appreciative of efforts that people like alan krueger of princeton and others who are talking about things like portable benefits. how do we build that social compact 2.0? i have more questions than answers about proposals out there, but it is a conversation that is important to have. for me, what we need to do is figure out what our values are, because we can have a conversation about whether we need an independent contractor -- i think what we ought to do is figure out what are our shared values, and then values can drive public policy. to me, the most important value is to welcome and embrace innovation. that has been who we are as a country since the beginning of time. what we want to make sure is that the innovation that we are observing now in the
12:02 pm
on-demand economy benefits everybody, and if we don't have inclusive innovation, and just have innovation that benefits a few investors, then that is like a gilded age, which is not a golden age. ms. dyer: i am getting in serious trouble because they are saying please wrap. one last -- secretary perez talked about values, and i would not want to leave without acknowledging and appreciating the values represented in your endeavor with shinola and the idea of moving to detroit, bringing manufacturing into detroit, this huge risk that you have taken. so thank you for that. thank you all. i guess we have to stop. we could go on. [applause] >> c-span is live at the
12:03 pm
atlantic council in washington for a discussion of cyber security and vulnerabilities as well as potential solutions to address those risks. among the participants, the chief technologist for the federal trade commission. it should get underway shortly. reuters reports that the administration is prepared to elevate the stature of the pentagon's cyber command, signaling more influence to deter attacks. under the plan being considered by the white house, the official said u.s. cyber command would become what the military calls a unified command, equal to the combatant commands of the military, such as central and pacific command. that is from reuters. the air force in particular this afternoon will be live at the pentagon to hear from the air force secretary, and the chief of staff, david goldfein. they will be talking about new rules that the air force is proposing, eliminating extra
12:04 pm
duties by some personnel. that will be live at 2:00 p.m. eastern.
12:05 pm
>> good afternoon, everyone, and welcome to the atlantic council for this month's cyber wednesday event, and welcome to everyone
12:06 pm
joining us online. i am barry, director of international security here, and i am really excited to be able to watch this event and learn. today's event looks like it will provide an exciting and relatively unique -- at least for washington -- look into black hat and defcon, the conferences that just wrapped up last week in las vegas. those of you who knew defcon and black hat years ago -- there were professionals, lawyers, and even some politicos this year. the conference includes hands-on training and contests such as capture the flag, which
12:07 pm
-- the security conferences coincide with other major hacker conferences taking place in cities around the world. today's panelists are fresh off the plane from las vegas, so we can hear all the biggest jokes. they will summarize dozens of hacker presentations and briefings delivered at this year's conferences, and for this year's conversation, we hope to bridge the technical and policy communities. we want to help translate the solutions delivered by hackers in vegas into more informed and digestible policy options that officials here in washington can consider, develop, and execute. this is part of our monthly cyber risk wednesday series, which is designed to bring cyber experts together with experts from government and industry and policymakers to examine topics
12:08 pm
at the core of our mission. i will keep this short so we can learn more. let me briefly introduce the panelists. i will not go through their full biographies. you have those available, if you would like. dr. lorrie cranor is at the federal trade commission, where she is responsible for advising the chairwoman on and developing policy matters. she delivered a keynote on protecting consumers in the age of connected devices at defcon and delivered the opening keynote. the panelist we are calling space rogue -- i have never done that before with a panelist -- helps people understand the unique advantages of continuous monitoring. he has testified before senate committees and has also served as the editor for the hacker news network, which i hear is getting more popular than the
12:09 pm
cable news network. jason healey is at the school of international and public affairs, specializing in cyber conflict and cooperation. he is also a nonresident senior fellow here in our cyber initiative and was the founding director of the initiative. he delivered talks both at black hat and defcon, and is on the papers review board at defcon. the moderator is the deputy director of our cyber initiative. his focus is on the intersection of cyber security and the human condition, primarily around cyber safety. he organized the i am the cavalry track and is one of the goons at defcon. i have always wanted to call you a goon. i would like to thank our media partner passcode from the christian science monitor, and i urge you to
12:10 pm
join us on twitter, using the hashtag accyber and also csmpasscode. join the q&a. i strongly encourage you to submit questions, and with that, panelists, please take the stage, and let's begin. >> hello. welcome. i am beau woods, as barry said. it is good to see so many people crammed in here on a nice august day. i guess august is a vacation month for a lot of folks in d.c. i want to start by doing a
12:11 pm
little bit of background on what the hacker community looks like, if you have never been there. i am somebody who has spent quite a deal of my time in the past 10 years engaged with the hacker community, or the security researcher community, at events like defcon, black hat, and some of the others. this community is probably the only one that i know of that goes to maybe a dozen conferences a year and brags about never talking at any of them. that is kind of a running joke, even though it is true. you go to these events not for the content -- because they are almost always recorded and put online for free later -- but because of the interactions there. it is an incredibly vibrant, diverse, and really fun community. there are about 2000 events that happen every year in the information security community, and that was the last count from a group
12:12 pm
before they stopped tracking. that is a lot of events. it is hard to keep up with even some proportion of them. one of the things that makes this community great, and one of the reasons why d.c. is hesitantly rushing towards it, is because the pace of innovation is so great right now, especially in computer connected technologies, that the only way to keep up, to stay on the cutting edge, is to be embedded within this community. it is true that government moves slow. that is by design. you do not want a government to move too quickly, or they will miss some of the important, broader trends. corporations and the private sector move faster, but the only thing that moves at the cutting
12:13 pm
edge, the real bleeding edge, are these communities of interest, particularly the bio hacker communities, some of the other groups that are spawned, that get together. this year at defcon, there was a bio hacking group that was doing implantable chips in your hand. if you ever wanted to have an rfid chip in your hand, at the next defcon, you probably can. i want to give a little perspective on a couple of the conferences and then turn it over to jay to get perspective on some of the others. the b-sides las vegas conference is about 10 years old. it runs concurrent with black hat. this year, there were 2600 participants across nine
12:14 pm
different tracks in two days. it is organized by the community for the community. it is 100% free entry. things are paid for by sponsors and by donors. they have a huge donor community. for me, it is the best part of hacker summer camp, going to this event, because that is where all the people who do not want to go to black hat but are compelled to go to vegas by their companies, they go hang out there. it is a great crowd. that is where we ran the i am the cavalry track. this year at defcon, there were more than 22,000 attendees in four tracks, 10 villages -- which is basically a track within a track or a conference within a conference -- and then 40 or more events that
12:15 pm
officially and unofficially happened. that does not include all the nighttime events, the parties, and things like that. so it is a huge community. if you can imagine something the size of a public university descending on vegas and taking over a couple of hotels, that is essentially what this is. for me, the best part of defcon is the villages, contests, and event spaces. that is where you meet people, interact. there is a joke in the hacker community, "how do you tell an extrovert from an introvert? the extrovert is looking at the other person's shoes when they are talking to them." but that is really a stereotype. all of us have been to b-sides, defcon. we have been in that space, and we interact really well. i say we interact really well -- maybe we don't. contests and villages, event spaces, are a chance for everybody to get together, to talk, to learn from each other. this year, for instance, there was a car hacking
12:16 pm
village where you had a chance to get into a chrysler, an american vehicle, that had been modified in such a way that you could essentially play with the shock absorbers, the hydraulics. it was pretty cool. we had lessons teaching people how to hack cars. so it is a really good chance to engage and learn from the community at large, and some of the best people in the world are there. one of my friends runs the car hacking village, craig smith, and he was sitting down with people that he had never met, never heard of, who were just hobbyists in their garage, and that is a pretty amazing opportunity and experience. there are also multiple capture the flag contests, which is basically red team, blue team, offense, defense, how do you target a treasure chest?
12:17 pm
and some of the level of skill in each competition is what we normally say can only be done by nation-states. instead, you have hundreds and thousands of people who are engaged in these types of contests. i think that can satisfactorily bust the myth that nation-state adversaries are the only thing we have to worry about, when these tools and techniques are available to everybody. it is very easy to take advantage of them. they had an iot village, internet of things village, and one of the highlights for me was they had a remote controllable wheelchair. i do not know why you would want to remotely control a wheelchair, but somebody has made this thing. it was driving up and down the halls without anybody on it because somebody had figured out how to gain access and control it and drive it around. i think that underscores some of the direction that we are going in this completely connected world where now that we have got
12:18 pm
everything connected, everywhere accessible, therefore it can be controlled by anyone who has a small degree of technical skill and a willingness to use that. there were at least two sitting congresspeople at defcon this year, two that i know of. in past years, there have been more at that event, so i think that underscores the importance, at least to some people in d.c., why they want to get engaged with this community. with that, i will throw it over to jay to talk about black hat and the cyber grand challenge. jay: thank you very much. how many folks have been to the rsa information security conference? a fair amount, maybe 1/10 of the room. black hat? defcon? information security
12:19 pm
conference. there is a booth, they will shine your shoes, and the money goes to charity. -- the money still goes to charity, but they do not shine your shoes, you get a mohawk. it is driven by curiosity, trying to understand the system, and figure out if you can make that system do something that you wanted to, even if that is not necessarily what the makers of that system originally intended it for. so the thing about hackers and hoodies and people making mischief, there is that element to it, but it is still a lot of people that are fascinated by systems and want to try to get in and understand it. so black hat happens in the earlier part of the week, defcon in the later side, and b-sides are on the
12:20 pm
flipside. one of the big things that came out of black hat was we were very pleased because apple came and announced the bounty program. this really came up in the news most in the last couple of months with the fbi-apple hack, where the fbi wanted access to the apple phones of the san bernardino murderers, and they ended up using a vulnerability that they bought the use of, and it came out that apple was really the only big company left that did not have a bounty, the amount of money that they would pay if you were a security researcher, if you were a hacker and found a bug. they would list your name on their website, but that was it. they would not offer you any kind of reward. so now they have got bounties of up to $200,000. i saw some hackers that were awarded
12:21 pm
points on united. united airlines said we're going to reward these security researchers that find these bugs. alan friedman of commerce has been doing a great job pushing, trying to get up these vulnerability disclosure programs. that was a big takeaway. you might have even seen the hack the pentagon program for security researchers to try to find bugs in the pentagon website. it was apparently even a win to call it "hack the pentagon" rather than some bureaucratic name, "discovery process comma amateur." one of the things that came out, it was surprising to many of us
12:22 pm
in the community and got a lot of press, was hackers for hillary. that was an event on wednesday. these conferences -- especially defcon -- used to have a contest, spot the fed, where if someone was there that was maybe a federal agent trying to infiltrate the community, it was your job to try and spot them. if you were a fed, you would try to hide and not get spotted. that was at defcon. here you were, out of this community, and now you are having a political event, and there are probably 30 people at the event, cohosted by jeff moss. he is known here as our senior fellow. he is known there as the dark tangent. maybe 30 people, and maybe an equal number of journalists
12:23 pm
covering the event. but i really think it caught attention as the maturation of the field. all of a sudden, now we matter. we used to have to go to d.c. to testify, and now it is coming to us. maybe i want to hold off right there. cris? cris: i can comment on the hackers for hillary event. i think it shows, as you said, a maturation, mostly of the people who are attending these conferences. i started back in my 20's. i am in my 40's now. so defcon has gone on for 24 years, and people have sort of grown up with that. also, we are seeing a change in government attitudes toward "hackers." years ago, it was nothing but fbi raids. now you have ftc, dod reaching out and trying to bridge that gap and trying to access that
12:24 pm
knowledge and expertise and saying hey, come help us out. so we are seeing a change from a completely adversarial relationship between government and the hacker community, and it is starting to thaw a little bit. it has not completely thawed, but it is getting there. jay: for some of you who know your hacker history, testifying in congress -- cris: in 1998. i forget the name of the committee. we used only our handles. we did that because we were afraid of reprisals from other companies and other parts of government. we made a big point of only using our hacker handles. that has changed, obviously. i now use my real name, cris,
12:25 pm
but people still call me space rogue, space, or sr. that is my identity, but it shows the relationship between government and hacker types. beau: lorrie is the lone fed on the panel. jay: spotted. beau: we used to do spot the fed, and now we invite the feds to sit there and engage in a productive conversation. cris: it got to be too many feds. it used to be, you would spot the fed, and they would get a t-shirt. then it was like, there are too many here. jay: now jeff moss is a fed. [laughter] beau: why don't you tell us
12:26 pm
about why you were out there for the government and what you found valuable? lorrie: so the ftc was out there. we actually brought our own fed t-shirts to wear. we made our own special defcon t-shirts. there is a special code that you could crack on them. i made it myself. we were there because we wanted to do outreach to the hacker community and to let people know that we are interested in hearing about research that people are doing that can help us understand vulnerability, especially in iot systems, to give us an idea about how we can protect consumers from scams, from fraud, and we wanted to make those connections. that is why we were there. beau: in the spirit of creating
12:27 pm
your own clothing line, this would not be bringing defcon to d.c. if we did not have black hoodies for all of our panelists. so we have very special atlantic council exclusive hoodies for all of the panelists. i will just hand these out, and maybe we can hold them up and get a photo op. jay: while he is doing that, if you go to black hat or rsa, you get a badge. because defcon is a hacker conference, it cannot be that simple. i believe this is an x86 board.
12:28 pm
what can i do with that? they will get in and discover what the badge does. we have got hoodies, photo op. cris: thanks, beau, for this heavy shirt. beau: we did not have enough. hackers have more hoodies than the general population. cris: it is a little cool in my house. i keep the thermostat down. beau: you mentioned the badges, jay. this is one from the car hacking village. jay: it is like the intel community. the more badges you have, the cooler person you are. [laughter] beau: that is right.
12:29 pm
this is something that was created by some security researchers, and it has this tool on the end here that plugs into your car, and you can start reading out codes that are coming across your port. this is one from the bio hacking village, and this one will read rfid communications, so you can actually read the implantable chip in your hand -- i know you all have them. you can actually read credit cards with this, or passports. if you have a badge to get into your house or your workplace, be careful. if you get too close to me, i might be reading it, and then i can impersonate you. jay: this underpins so much of black hat and defcon. they will have thoughts on how you can improve the business resilience of your company and
12:30 pm
how you have a good password program. these conferences are about: we have got this technological infrastructure around us. we don't know how it works, and we assume it is secure. we assume there are people out there that are taking care of it. there is a gathering of folks that are driven to understand this technological infrastructure and to come out and try to figure out all the ways it is not secured. that is why it is great to see the government out there. instead of saying it is illegal to have curiosity about this object and figure out how it works, saying these people are figuring out how this stuff is completely insecure, much of it, and we had better work as quickly as they are discovering things and as quickly as we continue to spew out ever more of this technological stuff, or
12:31 pm
it's all going to end in tears. someone tweeted out how las vegas handles gambling machines. if the player thinks the machine is fraudulent, you can talk to the inspector. there are rules, independent testing to make sure it is right. on voting machines, none of that is true. it is illegal to go in and try to figure out how it works. there is no independent testing. they have very limited powers compared to vegas. would you say it's easier to game an election machine than it is a gaming machine? that did come up a lot, coming right out of the dnc hack. if the russians were going to
12:32 pm
mess with elections, there are a lot more direct ways to do it. cris: there is a digital millennium copyright act exemption on election machines that i believe takes effect this year after the election. it allows researchers to look at the systems and see if there are vulnerabilities without fear of prosecution. it went through the copyright office, library of congress, and was very difficult to get, so i hope you see a lot of researchers taking that up this year and looking at those machines. actually, at black hat, there was an election machine simulator for people to come up and try hacking. they still have an election machine playing --
12:33 pm
that's the level of security. space had some really good comments earlier. cris: there was a comment or movement -- i'm not sure exactly where it came from -- of making election computers -- and i think we should use the term computer instead of machine -- critical infrastructure. my opinion is that comes with a bit of baggage. we already have seven industries labeled as critical infrastructure, and we are getting to the point where everything is critical infrastructure, and if everything is, then nothing is. but we already have organizations in place to look at these systems and certify them at the national level. there's a voluntary election commission or something that allows local governments -- and i think a lot of people forget local governments are the ones in charge of local elections.
12:34 pm
declaring them critical infrastructure kind of changes that, how we have done that historically. i don't want to go down that whole thing too much, but anyway. beau: i don't think there was any election computer hacking this year. cris: i did not see any at defcon. beau: there was a lot of iot hacking. medical devices. obviously, cars. did anyone get into the car hacking village? lorrie: i walked through the car hacking village. beau: how did you walk through? it was hacked. lorrie: very slowly. beau: i know chris and charlie, the famous jeep hackers, were
12:35 pm
there this year, but several other people were also presenting research they had done on other vehicles at the conference. i know in past years, the ftc -- you guys had some contests for stopping robocallers and everything. lorrie: we were there mostly to listen and to do outreach. beau: good. i know whitney was running the privacy and crypto village. lorrie: yes, she was. beau: villages are like a conference within a conference. they have their own tracks. it's interesting that you bring up that you were there to meet people and to do outreach. you brought up earlier that running joke that i went to a con and did not see any talks.
12:36 pm
for me, the best part of the conferences i go to is the hallway track, where you hang out in the hallway and start talking to people. i get more from the hallway track than i get from the talks. meeting people and engaging and interacting i can only do at the conference. most of us have been to vegas several times to do that. i think it is your first time, lorrie. because most of the folks in the audience have not been, you probably can serve as the best bridge. why don't you tell us a little bit about what you observed as a first time attendee and participant in some of those conferences? lorrie: sure. i started at kind of a small conference, much more accessible because there's less than 3000 people. still somewhat chaotic.
12:37 pm
i gave the keynote talk, so imagine a really big room. there are vendors, and in one corner, there's people learning how to pick locks, and in another corner, people who are hacking something -- i don't know what. in the middle, the eff booth, and i was on the stage trying to talk to these people, many of whom were standing or sitting on the floor. that's how i gave the keynote talk. but it was fun, and i did get some audience participation. it was chaotic, but a good experience. i had never tried picking a lock myself, and i wandered over to the area, and a volunteer immediately rushed over to me and handed me a lock and lock pick set and showed me how to use it.
12:38 pm
it did not take very long. i now know how to pick a lock. watch out. i also did a career panel where they had a room where they were interviewing people about their careers and taking questions from the audience. so i talked with them about the various careers i have had. then i went to black hat, and this is a very corporate, very polished event. you get name badges that actually have your name on them. notice there's no name on this badge. we're completely anonymous. the b-sides badge was like a poker chip. black hat was very corporate. flashing lights. they had this whole breaking glass thing, a breaking glass sound when the speakers come on the stage. a big vendor area
12:39 pm
where everybody is handing out free t-shirts, and i brought back a whole bag of t-shirts for my kids so i do not have to go shopping for back to school. then i went to defcon, which is, like, 20,000 people. you do not register in advance. it's very chaotic, but there is creative energy. you see all these people, and they are all huddled together, and it looks like they are all soldering something. the contests are really interesting. the cyber grand challenge was really exciting. teams had built computers to hack into other computers, and the teams had nothing to do during the event. the computers were just going,
12:40 pm
but they had running commentary and visualization to make it really exciting, so that was really interesting. the other thing i wanted to mention was being there as a woman. there's only about 10% women at these events, so it is kind of isolating. for the most part, i found it was a very comfortable environment, but there were still a few things going on, especially at defcon, that were uncomfortable to be there as a woman. beau: going back to the cyber grand challenge, i always have seen this -- always -- for the past week i have seen this as gary kasparov versus the robot: man or machine, who will win? when will skynet be here and how many of us will be left in the
12:41 pm
end? lorrie: it's interesting. the winner of the grand challenge was from cmu, and the winning human team was also from cmu. the humans beat the machine, but the machine did very well. >> let me go into some depth on the cyber grand challenge. it has been going on for a few years. defcon has this capture the flag where you get a team of humans that will have a series of computers, and they will have to defend that system and try to patch it as well as going out and trying to attack all the other human teams that are playing. so darpa said, "can we do this autonomously?" they ended up with seven finalists of supercomputers that had to be built and programmed by these teams.
12:42 pm
they had basically a made-up operating system, a program that would pretend to be e-mail and another that would pretend to be web, and the referees would release new code, and the supercomputer would have to keep the code running because they get points for availability. they would have to spot any vulnerabilities in that code and decide when it was best to patch it, giving the least loss to availability, and when it found bugs, go out and try to hack the teams that had not found and patched that yet, all while gaming it and trying to figure out if they should patch or hack first. cris: technologically, it was a major step forward, and i applaud them for bringing it. technologically, we would not have seen that with that level
12:43 pm
of federal involvement at the show, but the fact they were able to do it really shows how both groups are starting to come together and take advantage of each other. >> there were 600 or so vulnerabilities that they built in for the computers to find, and i think the computers found something like 350 or 400. they found a bunch of bugs that the programmers did not know were there, that the referees did not know were in the system, but the supercomputers found them, and they included some from history, like the one that led to the morris worm, and these computers were finding and patching them in, like, five minutes. i think mayhem was the name of the machine that won and then competed in a human capture the flag and did not do as well. we do not have to worry about skynet today. maybe next year. that's good. the theme of this year was "rise of the machines," and there is a
12:44 pm
big prize at the end of defcon for some of the best competitors. they call it the black badge or the uber badge. if you get a chance, go out and look at this thing. hollywood special effects artists. it is a 3-d badge and the eye pops out and rolls around and looks at you funny. but that's not as good as the award for the cyber grand challenge. the team that won got $2 million. it was pretty cool. but i do not think darpa is going to do another challenge for autonomous computer security, and i think it's too bad. i hope we are going to do another one of these because i think the lessons that came out of this were great. >> i would expect such a challenge to be picked up by another organization. i could definitely see that being a contest in a couple of years. there was a small contest
12:45 pm
that went on. they called it schemaverse. i am not a database person, so i might butcher this, but essentially, you have to do database commands to play a space game and take over the universe, so a lot of this is people manually doing database commands or scripting it so that they can run it 100 times. someone built an ai able to play this game and came out with, i think, 299 out of the 300 prizes. i think you are right. defcon will continue to be a place where we will see the rise of machines and advances in ai. jay: we will probably go to questions, but i just want to talk about the talks. i'm on the review board. we've got about 600 talks, maybe 650, that were proposed this year. we had to whittle that down to about 80 that made it through.
12:46 pm
it's fun because you can see this, and you know what the hackers are interested in and where people's attentions are going, so there's a lot more internet of things that is coming in. especially, there's a lot in there on locks. smart locks, maybe bluetooth, where you get close and enter in a code. keeping people from being able to unlock those from half a mile away. a lot of them were not even using passwords, or they were sending passwords in the clear, so all you had to do was set up an antenna. i think out of about 10 or 20, the only lock they tested that had good cyber security had physical security so bad you could just bump it open with a
12:47 pm
screwdriver. we are still trying to get that balance right. but here is something designed for security -- it's a freaking was still sending passwords in the clear. it was not trying to encrypt the passwords or any other stuff. so it was really incredible on that. there's a lot coming in on cars. there's a lot coming in on drones. but there is some interesting stuff in there. i saw one talk by a chinese researcher using gps spoofing. he had real-time gps spoofing to be able to throw off a drone. that was still for commercial drones, but again, this is how iran supposedly took down one of the u.s. stealth drones a couple of years ago. spoofing is now starting to get so easy that one single researcher can control it with a and is also -- just
12:48 pm
one last thing on the cars i will mention. another set of chinese researchers doing really interesting work on how you can throw off the sensors on autonomous vehicles. all different ways of throwing off their ultrasonics. it is still a research project, but you can easily see how in two or three years, if someone wanted to, they could equip a part for this and cause havoc on the roads. again, another of these examples of curious people coming in saying we are building this stuff. we have this dependence on this, and yet, the dependence is misplaced. beau: i think there was also a talk about ransomware on thermostats. some researchers built a proof of concept of ransomware that
12:49 pm
they manually loaded on a thermostat. they went through some tortured steps to get it there, but it demonstrates how devices can have this type of thing on there. if you think back to march, i think it was, the atlantic council released a paper on smartphones, and in it, we called out these types of things. we had a really cool haunted house scenario where the internet things in your home get taken over by hackers or corporations that are trying to compete with each other, and what will be the possible outcome. so i like to take a minute to talk about that. things for me. one is when you see these stories come out, you should always ask, how do you have to get access to the system? on some of these, like the one just talked about,
12:50 pm
you basically trick the user into putting code into the thermostat. i saw one that was attacking the on windows or apple, but you had to have base access. if someone can get physical access to your hotel room, they can completely own the computer. that's one of the key questions here: to do this remotely, do you have to have physical access or do you have to trick someone into doing it? >> if you're standing at the console, you can basically do anything. the key is if you can get remote code execution. at black hat this year, there was for the first time a track on human factors, a look at how difficult or easy it is to trick humans into basically cooperating. i would like to see more
12:51 pm
on the flip side, which would be doing things -- how you make security so easy that it is easy to make things more secure. let's go through and do final impressions before we open it up to questions for the audience. on twitter, if you want to submit a question, #accyber. and we will get back to it. what was your biggest surprise, what you hated the most and what your big takeaway was. lorrie: the thing i hated was hacker jeopardy, which is supposed to be a fun contest, and that is a fun contest that involved a host stripping down to her underwear. did not really feel that was appropriate. let's see -- surprise. there were just lots of surprises. because i do a lot of work in usable security, the human factor stuff i thought was
12:52 pm
fascinating. i went to a really interesting talk by a forensic linguist who was analyzing scammer phone calls. i thought that was pretty cool. what was your takeaway? lorrie: takeaway, oh, this is a really vibrant community, and there's a lot of interesting and scary things going on out there. beau: same questions. cris: i'm going to try to merge them altogether. i was really surprised at the level of interaction this year versus past years. i've been going to def con 20 years now myself. the interaction between government and hacker types. i am glad and frightened at the same time to see at what level that is happening. both sides are bringing baggage.
12:53 pm
you mentioned hacker jeopardy, which i would love to see some changes made to that event. on the government side, we still have raids and prosecutions that should not be happening, but despite those obstacles, we are still trying to reach across the aisle, if you will, and trying to help each other out. i am both surprised at that and scared. if i could say on the surprised and scared comment, when i led this program, when we started this program, how beau has picked it up and now i'm teaching at columbia, it is about how we can step up to the communities. we wanted to be in that space. they knew they could not solve it just with technology anymore. talk at def con was i have never been more scared --
12:54 pm
scareder? -- of talks. i was talking about the vulnerability equities talk. this is now a white house process on what zero day vulnerability is that the government keeps and which it is going to share with the vendor. i asked the crowd at the beginning -- do you think the government keeps hundreds to itself, thousands to itself, more, or less? people out of the audience would say 100,000 and more, and as far as we could tell, the answer was actually in single digits. that's probably what i would have thought beforehand going into this research. we were off by two orders of magnitude. this last year, looks like the government kept two. i was really worried in that crowd, with someone with my background -- again, i had come through the fed era, and here i was, former white house guy,
12:55 pm
delivering this message that nsa and u.s. government is less evil than you think, and i did not get egged, and i have not visibly been hacked yet, but i will tell you, i was really worried about that talk. beau: i think for me, the biggest surprise was the quality of people there technically to be able to do things that i had even with my background, i had not expected to be possible. the guy who won the car hacking challenge -- he was a 21-year-old. he had on a hat that said "i turned 21" because he had been out partying. he managed to do this in a number of hours, not days. they had a projection on the wall, and it was like everybody was gradually gaining points, and he came in and went from virtually zero to just done in a
12:56 pm
couple of hours. when 21-year-old kids are able to do this, i think that underscores the capability that exists within the community. the worst thing was the crowds. 22,000 is a lot. we're going to need a bigger boat i think is the lesson. cris: i think they are going to caesar's next year. yes, we're going to caesar's next year, which should be bigger, although it has more bottlenecks. takeaway, as everyone else said, the amount of collaboration, cooperation, friendly interaction among everyone there -- no fights between feds and hackers. i think the worst was people falling asleep because they had been partying all night and being escorted back to the elevators to go to sleep. i think we will open
12:57 pm
the floor for questions. again, we will be taking questions on twitter. we have a couple of microphones around here in person. let's start in the room first. i saw your hand first. >> mike nelson with cloudflare. a number of our people were there as well. very glad to hear that congress and some of the feds were interacting with the smartest people in the room. question i had was if any of you heard policy complaints from the hackers and technical people you talk to, specifically people complaining about the wassenaar agreement that made it hard for hackers to work, complaining about the computer fraud and abuse act, complaining about the wassenaar
12:58 pm
agreement. cris: there were talks about recent actions that have been brought under the cfaa. that was a big conversation at bsides. anyway, in the hallway track, you hear lots of complaints about lots of things. policy was one of the chief complaints. in the hacker community, we have kind of run our own ship for a long time. we do security for the security conference because none of the actual security people at the hotels and private contractors can figure out how to deal with us. we have kind of run our own stuff for a long time and in the past few years, there has been a noticeable imposition on what we do, on what we consider our ground, our homes where we play, live, work. that will naturally have negative side effects, especially when some of the policymaking is not as
12:59 pm
clueful as some of the people in that room. but i also heard a lot of people in the room talking not just about how bad this stuff is but saying, "we need to fix it. how do we fix it? how do we influence this policymaking apparatus?" alan friedman was at ntia talking about policymaking. also one where we had policy makers coming up like suzanne schwartz to explain recent policymaking things. you were there talking about what you were looking for. i think there is a growing attitude about security researchers and that entire community that, like it or not, policy is here to stay. it is imposed upon us currently. we need to flip that and figure out how to make something that
1:00 pm
makes everybody happy or at least the most people happy. cris: there is a growing movement, at least in circles i frequent, of people trying to get involved. has an open comment period, actually sending comments, where previously, they would have just lobbed from the sidelines. lorrie: at the meet the fed panel, it was 800 people, standing room only. we got 800 questions about making things more effective. is always going to be an issue. do not criminalize curiosity and phrases like that are extremely common.
1:01 pm
encryption was always going to be a tough one for this. i was out at aspen security forum, and brendan was almost yelling at a cryptographer that asked a question saying, "this is your problem to fix. work harder on this," so encryption can be easier. a lot has been done on the issue. it did pop up a little bit. the congressman who was there is will hurd from san antonio. i forget which district that is in texas. he was working not just in the national clandestine service, but he had been consulting for one of the computer security companies, so he was of the community before he got elected. cris: one of the few people with a science degree. it was great, him coming
1:02 pm
out, and not sitting back holding court as a congressman. he's mixing it up and getting in there. i would love to see more elected officials get involved, either go to vegas themselves or invite some of us to talk to them. there are enough of us that are more than willing to have meetings and sit down that actually put the tie on. i think it is important and i think there are a lot of other people in the community who are willing to engage. beau: we would have to take off our hoodie, though. i think there were some, in addition to elected officials, some staffers out there, which is great to see. there's more and more staffers who have a background in computer science and in other technology fields that can bring that technology and education to bear. let's go out to twitter and pull in a question. the ftc's stance on
1:03 pm
encryption? ftc would like to see encryption used to protect consumers. we do not have an official stance. beau: ok, yes, we will go to you. >> i did not make it out to the conference this year, but last year, i was at def con and black hat, and the common theme for basically any of the feds who were speaking was basically a recruiting pitch. "work with us," "work for us," things of that ilk. has put forward an initiative which is supposed to
1:04 pm
increase the ability for especially cyber experts to get involved working with the government and military. we see he brings chris lynch, who wears a black hoodie to all of his defense level meetings and is noted as doing that, but on a basic level, there's more communication, but is it working? is there now a willingness to go work for the government? is the outreach actually effectively bringing people in to provide the talent? cris: there is a dramatic shortage of cyber talent throughout the industry. i think the government is uniquely situated to attract some of that power. it's not always about paychecks. as a lot of people in this room know, government attracts a certain caliber of people. i think if the government plays on those aspects of its employment, it will attract
1:05 pm
people. it will be difficult, just like it is in the regular industry. company that did three recruiting events that i know of in vegas this year to try to get qualified candidates. we have just as much trouble as everyone else. it's an issue globally, but i think the government is uniquely positioned to take advantage of things only government can take advantage of. jay: i'm really hoping to see kernel space rogue -- colonel space rogue. sergeant space rogue. yeah, i did my time. beau: i think there is a willingness, it seems, to engage in new mechanisms to work with the community.
1:06 pm
bringing people in in nontraditional ways where maybe it's not somebody's full-time something, in and but they are able to engage. you are a perfect example of that. you're a fed. you are in the government, but after your tenure, you are going to go back into the academic world. lorrie: increasingly, we are seeing people coming in midcareer for a short-term stint in the government. a bunch of the feds i talked to view themselves as this was a career change, they're going to do this for a few years, and then they will go back to academia. also, i think with the ftc, we do not currently have a lot of positions open, but we are interested in collaboration and bringing in faculty members for sabbaticals, bringing in their students for summer internships,
1:07 pm
having them sit down and talk to us for a day or two, and those sort of partnerships have been incredibly useful. all right, we are going to take one from twitter now. do we think that as a result of this new effort to bridge the gap that we will soon see better, more technically informed policies directed as legislation? if so, how long before that kicks in? cris: i think we are starting to see it now. it is a slow process. things do not move quickly in d.c. as legislation is introduced and new bills are proposed, those bills -- in my experience, what i have seen in reading, everyone gets a little bit better, so
1:08 pm
hopefully, that continues and we start getting to the point where there are bills that we like. when i say "we," i mean hackers. if we are not involved, our views are not going to be heard, but i see that increasing over time, and hopefully, that continues. it is interesting -- there is a sense among a lot of the hackers that i know that if i can break into it, then it is absolutely not secure and you should not trust it, and that is not the way that policy works. policy is always working through compromise. if you can make it a little bit better, it's better than you were last year, but we are in this race. can we get it good enough? the more we are rolling out the internet of things, the more we are increasing that vulnerability and exposing ourselves. lorrie: progress is slow, but we
1:09 pm
are seeing it. these guys in congress in the regulatory agencies -- the ftc now has an office of technology, which started out 18 months ago. they are trying to bring that expertise in, and increasingly, agencies are hiring experts who are being involved in the policymaking process. i agree, too. if you look at the types of engagement that have happened over the last few years -- suzanne schwartz was out speaking on the bsides track, and she said engagement with that community is what is helping them become better at doing their job in this new dynamic field. i know there have been several other agencies who have engaged and worked closely with the security research community and been better off for it. maybe it will start -- if i
1:10 pm
could summarize our thoughts -- maybe it will start with the agency and the different kind of hands-on parts of government and then up through legislative and potentially judicial and other areas. at least that would be the hope. >> my name is jonathan nichols. i'm wondering about hackers who come from nontraditional backgrounds, guys who do not have degrees, guys who do not have work experience. i'm one of them, too. a lot of the kids i know do not have any of that traditional experience, and it does not seem to be a traditional career track for those guys. what can i say to the younger hacker kids who do not have that type of background? i guess my career track is
1:11 pm
very nontraditional. i will not go into details, but i started working retail. i guess -- this is going to sound cliche, but follow your passion. learn what you want to learn. do your own research. publish your own findings. we have the world wide web. it's very easy to publish stuff. follow what you like to do. become an expert at one small thing. once you become an expert, someone is going to pay you for your knowledge. that is really a sort of way to break into the industry. in the meantime, you have to work in computer sales to pay your bills so you can follow your dreams and follow your passion. i know that sounds cliche, but really, just focus on what you like to see and what you like to do until you reach the point where you are the expert and someone wants to pay you for that knowledge. in talking to my policy students, some of the alumni here, i give them the same
1:12 pm
advice. publish. you have got to get out there. we are publishing different things. be an expert. even if you do not want to be an expert in what you have to be an expert in, just being a hiring manager. i think this field is very open to people who do not have a college degree. it's going to hurt them desperately to get them in if they do not have a degree, but with as much venture capital money as there has been in this field for 15 years, talent and good ideas. >> a nontraditional role is definitely more difficult than going through high school, four-year college, grad school, job, but it may be more satisfying depending on who you are, and it may help you out in the long run in your life. it varies person-to-person and what path you want to take, but as you said, it is very much meritocracy driven. if you have the knowledge, there is such a shortage of people you will get hired.
1:13 pm
lorrie: i would also say consider going back to school. i have noticed in the security research community, there tends to be an inverse relationship between community and status. people at the top did not finish high school, if you can believe it, but i've also noticed in publishing, there is an inverse relationship. in the academic communities and a lot of circles, the longer you write, the more respected the paper. in ours, 140 characters is all you get. we will go back to the audience. the lady back there. >> sharon brobeck, "voice of a moderate." is there a hackers without borders? i was in cuba,
1:14 pm
and they are in the process of even getting internet. i talked to a mid-level government official, and i asked if he would have americans or russians helping with internet security, and he said whoever will help, and i really want it to be an american. is there a way that the hackers -- have they talked about going into third world or second world countries and helping them with infrastructure and security? there is an organization known as hackers for charity, which is actually a charity trying to bring hackers to various organizations. they primarily right now operate -- i believe it is uganda. they have been there for several years. i believe they are trying to move their headquarters back to the united states and basically assist charities. i do not know if they are interested in going to cuba.
1:15 pm
i'd like to see more, bigger efforts, especially in developing nations. that is a very strong point, a very big issue for developing nations, that they need that assistance. i think it would be great if maybe we use the peace corps or whatever to try to bring that expertise to some of these other countries. there's a few others i can think of. one is geeks without bounds. they do some things, although it is not exactly that. there's also one called securing change. i like that organization as well. it's very small, could definitely use more assistance. i was at the hope conference, hackers on planet earth. hackers can go to it because it is relatively cheap in downtown manhattan. but a couple of years ago, there was a big theme i noticed of people
1:16 pm
going into third world countries and doing things like standing up mobile phone infrastructure just around the villages in these mountainous rural towns that otherwise do not have a way to communicate across long distances -- they can talk to each other, and there were other attempts to get outside first world countries and help people in other places, not to impose technology on them when it is not wanted, but to engage and help when they are being pulled in as advisors, technical experts, people who can lend a hand. i would love to see more of that, and personally, i would love to go to cuba and set some of that up. unfortunately, my boss probably does not want me to leave what i'm doing. there is also a trend of academics encouraging undergrad students to do that sort of thing. instead of spending your summer working for a u.s. tech company, spend your summer in one of these countries teaching
1:17 pm
computer science or setting up infrastructure or whatever. we will go back to twitter. there's a question -- how do we square the visceral fear that some of the people in the community have of the federal government, and things like surveillance, prosecution, some of the things that are maybe legacy or historical problems, particularly around law enforcement, and doj, with some of the newer trends, more recent with folks like ftc, fcc, fda, and some of these organizations trying to bring this community in for the benefit of the government? great question. i talked about both sides bringing some baggage to the table, and it has been difficult to overcome that. how we accelerate that process
1:18 pm
-- time heals all wounds, hopefully. on the one side, we have things which many in my community feel are overhanded and poorly worded, but we also have people still breaking into nasa and dod and doj who should not be. there is stuff happening on both sides, but there has been a thawing, if you will, and people trying to bridge the gap. jay: i don't want to over-gloss the community and talk about the hacker community being primarily driven by curiosity, and that is true, but at def con, there's a high degree of mischief. one guy had a little remote control he developed a couple of years ago, and it would take over a wireless mouse because that is not encrypted. he would be disrupting people's presentation.
1:19 pm
kind of fun and games and mischief, but you have some in full anarchist mr. robot mode of "the system is screwed and what we do in that system is ok." there was a big, incredibly well attended talk -- some 2000 people -- of some guy talking about how he would fictitiously take down the kuwaiti government and stage a coup. the crowd loved it. cris: with 22,000 people at def con, you are going to have a wide swath of people, especially since it has been traditionally a fringe part of society, but at the same time, there are elements within the group trying to improve society. by the way, the most popular men's fashion other than the black hoodie is the utility kilt. extremely popular.
1:20 pm
when you turn on your wi-fi on your computer, you get 40 different things. cris: there are also jokes people put into the wi-fi name like "i'm with stupid" or "fbi surveillance van number 43." in the past, you would always have blue food coloring in the swimming pool or bubble bath. all right, another question. you talked about the ways the community can participate in this discussion, and about how they could participate in public comment, the idea they could contribute to potential
1:21 pm
legislation. you mentioned we want to get to the point where things are good enough. generally, when we look at what the ftc is doing, we are trying to get a risk-based approach that recognizes that security is a journey and not a destination. there are things that are very important i think for the community to participate in. one thing that i hope comes out next year, another is what the white house talked about in the strategic action plan. the other which some people in the white house commented favorably on at a session of black hat was a ratings system for software. is there a way for the community to engage in some of those public/private partnership efforts, which seem to be what we are really trying to go forward with as a larger community? one of my favorites is i am the cavalry. i am the cavalry is the idea
1:22 pm
that nobody else is going to fix these problems. we need to step up and try to fix some of these issues that are out there. the cavalry is not coming. you are the cavalry. the organization has been trying to impact public policy, trying to educate corporations, and trying to get security built before they cause issues, before the vehicles are on the road. i am the cavalry is definitely one way. you talked about ranking -- based on how much security is involved. there was a talk about the bounty, getting that off the ground. there are a lot of people in the community who are involved, but i would like to see more. part of that is education on our
1:23 pm
side. part of it is we read something in the news and say that it is bad and complain about it and do not actually stand up and ask how to influence someone to change it, and they do not look up when the public comment periods are or what hearing they can attend. part of that is on us to have education, but part of it is also trying to get people motivated to be the influencers. jay: it is so changed from the early years where people would launch at black hat and the vendor would have to struggle to catch up. that was normal in the late 1990's. boy, that just does not happen. now, at def con, you are expected to talk about the vendor. if you do not say what vendor this is, you are probably not
1:24 pm
going to get a talk. you are expected to release a tool to go after that vulnerability. but it is also expected you have told the vendor beforehand. at bsides, someone talked about their proposed authentication guidelines. they have done something pretty cool where they have taken their proposed standard and put it online. you can submit comments -- not the typical form where you have to submit a letter, but you can just submit a comment. they are dynamically adjusting this proposed standard. the nist cyber security framework is an excellent example of industry, government, and hackers coming up together to work with a standard, and i hope that comes out pretty quickly. it is starting to show its age. i was going to say something else, and i lost it. >> what if you do not know
1:25 pm
jay: if you do not know what github is, it is the repository for code. that means government is coming to the hacker spaces rather than the other way around. since you are here, do you want to point out on the talks for def con, i have never heard anyone bringing up some -- someone's nationality. there might be concerns about their english and if they could do a good presentation. it is meant to be the content of the talk, so it is very egalitarian in a way. beau: i will say it is an attempt to bridge the stakeholders that live in these various ecosystems to work on coming up with various
1:26 pm
solutions. it is a fairly young, immature industry. if you look at engineering, it has been going on thousands of years. cyber security, like 20. we are still very young. we do not have it all worked out yet. the way to work out is to get together and think these things through together. i will also say that something like a cyber security framework might not work for iot-type devices. we should not consider a single approach but multiple approaches to solving some of these problems. the way i put it is what works for the first five billion will not work for the next 5 trillion. that might be a challenge coming up, but i think we've got some of the smartest people that i have certainly ever met in d.c. and in the hacker community brought together, as well as people in industry and other places. i think it is a good start, a good framework to start working on.
1:27 pm
to the audience again. we've got one at the very back. >> michael eisenberg. i walked in as the discussion of electronic voting was going on, and i am, frankly, perplexed by the willingness to dismiss it so quickly as not germane, apparently. there were a number of articles that appeared during the week of black hat in some of the trades arguing that the franchise is the critical infrastructure and a lot of replies about how you do not get to have an economy with waterworks and electric power and aviation and health and manufacturing unless you can preserve the democracy. if the franchise is being corrupted by hacks, everything
1:28 pm
else is at risk. i would think that would be something that ought to preoccupy all of us. jay: i definitely associate myself with that. frankly, if i were back at the white house, i would want to align the critical infrastructure to the homeland directive and those constitutional functions, the enduring constitutional government and continuity of government framework. it might be interesting in the new administration, whichever one that is going to be, if we look to try and realign those critical infrastructures to those national essential functions. i had a lot of comments that came out two weeks ago during, i think, aspen where we got four main things that the president ought to do. be sure to make the case, as we find out what happened, for example, with the
1:29 pm
dnc hack, to make sure people understand this is about policy, not politics, the defense of democracy, not democrats. second, to work with our european partners. there are critical french, german, and austrian elections coming up, and outreach to those nations and let them know what happened to us is i think critical. three, if it turns out the russians were responsible for the dnc hack, i think there is a bunch we can do -- the u.s. cyber command, national cyber mission forces is supposedly already looking in red space to be able to disrupt in case something happens, and i would certainly ramp up the planning for them. we mentioned earlier, there's a lot more direct ways to mess with an election than doxxing, than releasing documents. we already have the president's cyber commission. i would ask them to form a separate task force just to look
1:30 pm
at elections and maybe have two congressional cochairs. we've already talked about will hurd, republican from texas, and i would add to that representative jim langevin. he had been secretary of state in rhode island, he understands the electoral system through and through. he kicked off our event here when we were talking about the safety of the electoral system, and start looking at what we can do from now until november. even if we worked with congress on emergency funds to buy ddos protection on the day of the event. and places are reporting in election results over the internet, which i bet a bunch are doing, a simple ddos that you read cannot take that down. for a relatively low amount of money, we could start doing that. commonsense things should make sense, whatever political party you are. with that, i think we will end it.
1:31 pm
it is 1:30. we will be around a little while longer with our badges and our hoodies. thanks, everybody, for being here. [captions copyright national cable satellite corp. 2016] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org]
1:32 pm
1:33 pm
>> congress is on break and many are back in their home districts. illinois senator dick durbin held an event at haymarket center with the u.s. surgeon general on how to turn the tide on the opioid epidemic. he met with alzheimer's association members in his district to talk about alzheimer's funding and a tax credit for caregivers, stopping by to learn how to operate a tank. congress returns to capitol hill next month.
1:34 pm
we will be live at 2:00 eastern with the secretary of the air force and general david goldfein, the chief of staff of the air force. they will brief the media on the status of the military branch and announce some duty changes. live coverage at 2:00. looking ahead to tonight, with the obama administration, the clinton campaign is engaged in transition planning. discussions with former white house chiefs of staff about what is happening behind the scenes. josh bolten, who served under george w. bush: one thing that we did, we asked the homeland security secretary, michael chertoff, who had planned a vacation beginning at 1:00 p.m., we asked him to
1:35 pm
stick around for a day. during an off day, he was with the incoming secretary of homeland security, in a control center where they could monitor the threat information, and so on. even though his authority would terminate as of noon on january 20, we asked him to stick around, be there for advice, and so on, for secretary napolitano as she took the reins. it turned out to be important because there was a threat on inauguration day. it turned out not to be an actual threat, an actual incident, but there was credible intelligence suggesting an attack at the inauguration on the mall. all of that discussion on
1:36 pm
white house transitions coming up at 8:00 eastern. saturday, c-span2 issue spotlight looks at trade deals, their impact on the economy, jobs, and the presidential election. >> we will defend american jobs and american workers by saying no to bad trade deals like the transpacific partnership, and unfair trade practices. the state of pennsylvania has lost one third of their manufacturing jobs since the clintons put china into the wto. >> the program includes a look at , a 1994 free-trade agreement. >> this will produce more jobs for our people, for exports, for our markets, and more democracy for our allies. a discussion on how the founding fathers viewed trade. >> the u.s. simply was not a
1:37 pm
free-trade nation for most of american history. it was a tariff-protected economy. this goes back to our constitution. >> and an in-depth discussion of the wto. >> at the time it was being negotiated, 800 more pages of specific rules and regulations. my book would be very different. when these two were being negotiated, the u.s. had its official advisers, 500 corporate advisors. watch our special on trade deals, saturday at 8:00 eastern.
1:38 pm
>> good morning, everyone. i am the president and ceo of the national business group on health. welcome to this briefing on our 2017 health plan design survey results. i should say to start, there are no pokemon in the room. i did a scan before we started. my son is obsessed with pokemon
1:39 pm
. so just a bit about the business group before we get into the survey. the business group is a membership-based nonprofit of about 425 primarily large employers who come together to share best practices, to learn from each other, and to leverage those back in their own organizations to improve the health of their employees and the health care management of their programs. we bring their health leadership, thought leadership, to the table to advance delivery system reform, improvements in health care, and the well-being of their employees. a little about the survey: if you follow along, there's a chart pack in the material you can follow along with my remarks. the survey was fielded in the may to june timeframe. we always do the survey in that timeframe because that is when most companies make their final decision for the upcoming year. the results that you see are what employers are planning to do or will do in 2017, not what
1:40 pm
they're considering or thinking about doing in 2017. we asked questions around medical trend, around cost-sharing in plan design, around delivery reform, and we even get into some other ancillary issues like private exchanges or the cadillac tax and some of those things. we had 133 members respond to the survey. these are all large companies, average employee size of around 20,000. they are self-insured, multistate, in many cases global employers. they provide or offer health insurance to over 15 million employees. to put that into perspective, that makes it probably around 10% of all of the people that receive coverage through the employer-sponsored health care system. it's more than the people that are covered currently through the public exchanges. from a demographic perspective,
1:41 pm
this survey covers a wide range of industries, from retail and hospitality to energy, manufacturing and technology, banking or financial, consumer products. these are large employers: three quarters of the employers that responded to the survey have over 10,000 employees. 30% have over 50,000 employees. i'm going to walk you through some of the highlights and then we will go a little deeper on some of the issues. employers are projecting that medical cost trend will increase 6% for next year, 5% when you factor in the plan design changes they will be making. medical costs continue to increase at multiples of cpi and general wages, about three times cpi and twice general wages. the ongoing, continued year over year trend that's running around six or so, five to 6%, is really
1:42 pm
unsustainable from a cost perspective. it's still the number one priority that employers are focused on. it really threatens the overall affordability, the long-term affordability, of health care. specialty pharmacy is now the number one driver of medical trend. when you go back three years, specialty pharmacy wasn't even in the top five. specialty pharmacy only affects about two or 3% of your population, but it's the number one overall driver at this point, and we will spend time talking about that. employers are beginning to shift away from plan design changes and really moving more into focusing on the supply side of health care, or the delivery system. so we are seeing the emergence of more offerings of accountable care organizations, of select high-performance networks, the expansion of centers of
1:43 pm
excellence beyond transplants into bariatric surgery, orthopedics, cancer, even infertility. and when we look at where employer-sponsored health care is today versus the public exchanges, employer-sponsored health care is still the most effective and efficient way for employers to provide affordable health care to their employees. when you look at the public exchanges, there is still a fair amount of volatility in the number of plans coming in and out of offering coverage. premium contributions are proposed to be about double what we are seeing in employer-sponsored care. deductibles, when you compare average deductibles within employers, are about a third of what you find in the most common plan within the public exchanges, which is the silver plan. from an employee perspective, what
1:44 pm
can employees expect in 2017? you will see pretty much business as usual at annual enrollment. not a lot of change from a plan offering perspective, not a lot of change from a plan design or contribution perspective. premium contributions will be on par with what they were last year, up around 5% on average. we may see some expanded options in terms of centers of excellence and some of these other alternative delivery models as part of their offerings, but overall it should be a pretty normal annual enrollment or open enrollment period. if we take a deeper dive into medical trend, you will see that medical trend has been consistently running around 6% topline and around 5% after plan design changes over the last three or four years. consistent or stable doesn't mean good, as i mentioned
1:45 pm
earlier. with health care trend running at six topline where cpi is below 2% and general wages are projected to be 3% in 2017, you still have this challenge around the affordability question and how long it will take before health care, from an affordability perspective, is really a challenge, really a concern. 2015 costs came in at 4% for large employers, even though they projected five. the jury is still out on what it will be for 2016; the forecast is still overall 5%, and a net 5% for 2017. so what are the major cost drivers for health care costs as we go into 2017? as i mentioned at the beginning, specialty pharmacy is the number one driver in 2017.
1:46 pm
high-cost claimants are always up there as well, but within that group specialty pharmacy has jumped to the top. it's jumped to the top because trends for specialty pharmacy for 2017 are projected to be around 17%. these are very expensive medications. they run into thousands to tens of thousands per treatment. they typically have challenging administration or dispensing. they require monitoring and, in many cases, patient monitoring to make sure the dose is correct, and maybe some care management. they're expensive, complex. when you look at trends for 2017, a lot of that is driven in part by the pipeline of potential new breakthrough medications. and some of the categories those
1:47 pm
medications are in: hemophilia, gastrointestinal disorders, ms, oncology, muscular dystrophy, psoriasis, asthma and diabetes. so we are potentially seeing new drugs coming out in those classes that can potentially be expensive but also be very beneficial in many respects. when we look beyond specialty pharmacy, or we try to look at what employers are doing to manage costs as we go into 2017, obviously no surprise, the focus on pharmacy management is number one if you look at the next slide. full replacement consumer-directed health plans are still considered the top way of controlling health care costs, but we are not seeing a lot of movement to full replacement as we look into 2017. i will show you data related to that. the big focus is specialty pharmacy management.
1:48 pm
if you look at the next slide, it gives you a sense of what some of the specialty pharmacy management techniques employers are focused on are as we move into 2017. we are seeing a number of companies, doubled from last year to 2017, who require medications to be obtained through a standalone or freestanding specialty pharmacy. we are seeing a doubling of the number of companies, up to 38%, who require a fourth tier, a specialty tier, for pharmaceuticals. we are seeing more in the way of high-touch case management, again because of the complexities around these medications, some of the side effects. we are also seeing a fair amount of site of care management; 30% of companies focus on site of care management. when you look at price differentiation, you can see a difference in price depending on the site of care selected.
1:49 pm
if there is a more appropriate, efficient site of care, moving from a hospital to possibly a standalone infusion center, or moving from an outpatient facility to a physician's office, or possibly moving from a physician's office even to the home, there's quite a variation in price if it's appropriate to have care delivered in one of those alternative settings. you can see there's a lot going on in terms of specialty pharmacy management, but there's also some focus on opioids as we look at 2017 as well. if you look at the next slide, you can see a number of companies, 30%, are implementing restrictions on prescription opioids, really in the form of pharmacy management, maybe requiring employees to all go to a particular pharmacy to get opioids, or managing multiple prescriptions. the shift we see from employers is more towards looking at the delivery system for solutions, moving away from plan design and moving to the delivery system.
1:50 pm
part of the reason is, once you go to a high deductible plan, which most employers offer today, where do you go from there? the plan is already a high deductible. you can tweak things, but you really need to turn your sights on the delivery system if you want to drive efficiencies and control health care costs. so they're looking at alternative models for delivering health care and alternative payment models as well. one of the alternative models that has really grown over the last five years or so is telehealth. five years ago, 7% of employers offered telehealth. by 2017, 90% of employers will offer telehealth. by 2019 it will be pretty much universally offered by companies to their employees. so what's the value of telehealth? telehealth is a much more convenient access point than a number of different venues. an emergency room costs $700 on average per visit.
1:51 pm
urgent care costs $150 on average per visit, the physician office $100, telehealth $40. telehealth is not meant to be a replacement for primary care. it's meant to supplement primary care and to give people access when they can't get after-hours coverage, when they have a long time to get an appointment or a long wait, and can't get time off from work to go see a physician for a select group of services. telehealth is one alternative vehicle to access health care. one of the interesting things about telehealth is the mobile application. today, if your strategy doesn't include mobile, then your strategy is not complete. 80% of the workforce has access to, or has, a smartphone. most of the information, from a decision support perspective as well as access for telehealth and other services, is being pushed to mobile. when you look at alternative
1:52 pm
delivery models, we are seeing growth in the use of accountable care organizations and the use of select high-performance networks. accountable care organizations are when providers come together to ultimately take on responsibility for the cost and quality for a defined population. i say ultimately because these are works in progress. acos, when they first come together, are not really going to take on risk or be accountable to that extent. there's a lot they have to do to gear up: to drive care coordination, primary care at a high level, to have the analytics to manage the population. this takes time. so there's a developmental period for accountable care organizations, but about 25% of employers now have acos as part of their strategy, mostly through the health plan, some going direct. high-performance networks are in
1:53 pm
the same category. in many cases they are leveraging an aco as part of that network, and about a quarter of employers are also using those. a number of employers are still unsure, most employers are still unsure: what do you get from these new delivery models? how do they differentiate from the market? how do i know that they're providing or delivering a better service or even a better cost than the market? one of the questions we asked employers, look at the next slide, was trying to get a sense of what the expectations were for aco performance versus the market, both from a trend perspective, so how much can an aco affect trend or bend the cost curve, and also how much better than the market they should be from a total cost of care perspective. in this slide you can see three levels of an aco; we look at these as phases or levels of maturity. an aco that is launching, within the first couple of years, what
1:54 pm
do employers think the impact will be on trend, on lowering trend? most respondents said no impact, that there would not be much of an impact the first couple of years out of the gate for an aco. for a developing aco, an aco that has established their care model, has established their patient-centered medical home, has better data analytics, better data sharing, the expectation is that they will bend trend by one to 3%, so if it is 6%, take it down to five or 3%. most respondents believe that was probably a realistic expectation of acos. but for a mature aco, an aco that is driving at all competency levels, whether it's the network, whether it's the care model, whether it's technology, the financial model, they should be able to bend trend by two to 5%, which means if it's 5%, it's getting in line with
1:55 pm
cpi or getting in line with general inflation. even 2% is taking it down to four without making any plan changes. the other question we asked was around the maturity: how much more efficient than the market should they be? in other words, you have a well-functioning aco in the market; what's their total cost of care versus the market? most employers said that it should be between either three to 5% or six to 10% better than the market from a total cost of care perspective. we are trying to get a sense of alignment, a sense of what employers think and what providers and health plans think, and how we find that thinking about expectations when it comes to the delivery of care with these new models. we will be doing more of that as more and more employers move into this space. if we shift out of the delivery system and look at plan design
1:56 pm
and cost sharing, as i said, there's not a lot of change for 2017. consumer-directed health plans are universally offered, if not by today, 84% of companies offer them. certainly over the next couple of years that would be pretty much universally offered. we've seen a small incremental increase in the number of companies offering them for 2017, and so we know that the focus is shifting away from plan design to the delivery system. if you look at the median cost sharing for employers for 2016 from a deductible and out-of-pocket perspective, for all plans the median individual deductible is $1,425. employers pay on average 70% of the overall premium, with employees picking up the difference. that's been consistent over the
1:57 pm
last four or five years. it's a little higher for employees, a little lower for dependents, but on average about 70%, and that hasn't changed over the last several years. when you think of high deductible plans, employers contribute to health accounts, and 85% of employers who offer consumer-directed health plans and health savings accounts contribute to those health savings accounts. on average they contribute $600 per employee, $1,100 for a family, to those health savings accounts. this is important because it helps offset the deductible. when you think about how that compares to a public exchange, the net deductible is $1,000. if you have a $1,600 employee-only deductible, the company is putting $600 into the savings
1:58 pm
account, so that deductible is around $1,000. so the average employee deductible nets out to be around $1,000 for an individual. when you compare that to the public exchange silver plan, that deductible is around $3,000. when you compare out-of-pocket maximums, with an employer plan it's about $4,000; within the public exchange it is around $6,500. when you look at the change we are seeing in the volatility around premiums right now, on average employee contributions go up around 5%; we are seeing double that in what has been proposed for public exchanges. there is a lot of volatility still in the public exchange market, and back to the point, the employer-based system is still the best solution for providing affordable, quality health care to employees. a couple of other changes or considerations. when we looked at employer actions, we're not seeing a lot. we see more on the retiree side, where we see more early retirees moving into public
1:59 pm
exchanges, and part-time employees who don't have access to coverage can access private exchanges, but not a lot in between. employers have not done much to push employees to public exchanges. one of the tactics that has emerged over the last several years, as more companies have moved to high deductible plans, is wage-based cost sharing. one of the reasons for this is employers are sensitive to the affordability and the challenges with a high deductible plan. about 45% of employers have implemented strategies to balance that out a little bit, either by adjusting premium contributions based on wages or adjusting health account contributions based on wages, meaning lower wage people get more into their health savings account than higher wage people, or adjusting out-of-pocket maximums or deductibles more tied to wages, to try to make these plans more affordable for lower wage employees.
2:00 pm
the other area where we are seeing some resurgence is in the area of mental health and behavioral health benefits. we talked about telehealth, and that most companies offer telehealth today. we are seeing growth in telehealth being offered among large employers on the behavioral health side. about 34% are offering telehealth behavioral health services where it's allowed by the state. we are seeing, i would say, a resurgence of on-site mental health counselors. most all companies offer it today, but a lot of it has become telephonic. we are seeing a migration back to putting resources on site, possibly in health centers, merging them with primary care, or just making them available on site to give people access. access to mental health providers is a big challenge in this country, and by bringing them on site it's an enabler, but it also makes it more convenient for people to access as well.