tv Key Capitol Hill Hearings CSPAN October 7, 2016 10:00am-12:01pm EDT
10:00 am
about women and it's not so, that was a t.v. show that he -- everything is taken out of context, there is -- she is one, all the dirty stuff on the t.v. for the kids to see. and everybody is taking it out of context and we need to bring god back into this country. muslims want to kill us, sure, there are good muslims, we lead them to christ, but we need common sense and we do border control and trump is willing to do all of this and he -- the christians, he's met with christians and hillary won't even meet with the christians. got to have morals. host: mary got the last word on the program. thanks to everybody who called in. 10:00 here in the east. a couple of program notes to tell you about.
10:01 am
the senator, losing in polls. his reelection will be there. they will have it live for you at 3:30 on c-span and sunday night is the second presidential debate, in st. louis. our preview program begins at 7:30 eastern time this sunday. we hope you'll join us for tomorrow's edition of "washington journal." enjoy the rest of your friday and we will see you back here tomorrow. [captions copyright national cable satellite corp. 2016] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org]
10:02 am
>> with the imf and world bank meetings happening in washington, ahead of the wto, juan zarate will talk about slowing growth and the potential implications of a prolonged slowdown. tonight, we will bring you this week's supreme court argument in the case of buck versus davis. the argument is at 8:00 eastern. the u.s. added 156,000 jobs in september. the jobless rate ticking up to
10:03 am
5%. chairman kevin brady sent out a statement saying too many americans are struggling to find full-time work to support their families. that is part of his statement on the jobs numbers in september. the presidential debate is sunday night at washington university in st. louis, missouri. watch our live coverage at 7:30 eastern for the pre-show. the second presidential debate, watch live on c-span. watch on-demand using your desktop, phone or tablet at www.c-span.org, and listen on your phone with the free c-span radio app, free on google play. every weekend, book tv
10:04 am
brings you 40 hours of nonfiction books and authors. here are some of our programs this weekend. saturday, the hillary clinton e-mail panel is the topic of a discussion. at 10:00 p.m. eastern, mary thompson jones details the day-to-day work of u.s. diplomats and looks at leaked u.s. diplomatic cables in her book. she is interviewed. >> i think leaks will be a part of government life and the speed and multiplicity at which we communicate with each other now,
10:05 am
but short e-mails, texts, social media, tweets, is going to be part of the body politic. the future of the euro. go to booktv.org for the complete weekend schedule. lisa monaco joins cyber security experts from the public and private sector at the washington post annual cyber security summit. this is about 2.5 hours.
10:06 am
>> hi, good morning. i realize people are still coming in, so please don't be shy. my name is chris and i am the vice president of communications at the washington post. thank you to those who are watching us online. this is our sixth annual cyber security summit and it could not have come at a more interesting time. this summer, the democratic national committee was hacked, likely by a foreign government. last week, yahoo! news announced a breach affecting hundreds of people. an nsa contractor was arrested for stealing codes. the question is, what is next?
10:07 am
you will hear from industry leaders talking about the top cyber security issues facing us today. we want to hear from you, including those of you watching online. tweet your questions and we will be taking questions throughout the program. i would like to introduce john davis, the vice president of palo alto networks. he is going to say a few words. thanks. [applause] >> morning, everyone. it is an honor to be a sponsor for this event and i am excited about the agenda and looking forward to hearing all of the speakers. i joined palo alto networks a year ago after a 35 year career in the u.s. military. most of that career was in special ops doing really cool things. the last 10 years was in cyber operations, cyber strategy and cyber policy.
10:08 am
the u.s. military really takes cyber seriously. it became a mission for us. because at palo alto networks, just like in the u.s. military, we have a mission to protect our way of life in the digital age. it is very important to us because the digital environment is the underpinning for everything we do as a society, economy, and national security. i would like to quote another general, a much more famous one than me. to paraphrase -- know your enemy and know yourself and in 100 battles, you will never lose. what do we know about the enemy? the modern cyber threat? we know that it is a professional marketplace of information sharing these days. and we know that the decreasing cost of computing power and the
10:09 am
use of automation and cloud capabilities by the threat means an ever increasing number of cyber attacks coming at us. with the explosion of malicious code, we know these attacks can happen in the thousands and millions in terms of every day, every hour, and sometimes every minute. there is some good news about the threat. i can tell you from being on the inside, there are only a certain number of limited techniques that every cyber actor or organization uses. only two dozen of those. every cyber threat and organization uses a set series of steps called the cyber threat lifecycle, or the attack kill chain. in terms of knowing yourself,
10:10 am
what do we know in terms of cyber defenders? i believe we have been living with a failed model. the attacker only has to be right once and the defender has to be right everywhere and all the time. that is a bad model. i talked about the attacker leveraging automation and the decreasing cost of computing power to come at us in increasing ways. while the defender uses a series of isolated products that add complexity to the environment. and we use technology that is mostly oriented from a legacy view of detection and response instead of prevention. the adversary uses a marketplace of information sharing, very effectively. we have trouble with cyber threat information sharing from the defense side. what does a good model of
10:11 am
ourselves look like? there are no silver bullets. it has to be comprehensive and include people, processes and technology. one of the keys on the people side is education and training, dealing with i.t. and ot and leadership. today is about education. on the processes side, one of the most important processes we need to improve on is cyber threat information sharing. we need to do it at scale and speed. that means automation and standardization. finally, in technology, we need to move from a legacy model of always standing at the crime scene by detecting and responding after the fact to a prevention-first mindset. we need to be able to leverage automation in ways that the threat is using today in order to keep up with and exceed the threat.
10:12 am
we need to get out of a manual response largely based on having to hire more and more people to deal with this, and move to an automated capability that lets us save our people for only what people can do. those are the keys to success in moving toward a successful view of ourselves as cyber security specialists. i look forward to today and the conversations coming up. i hope you enjoy today, and once again, it is an honor for me to be here and sponsor this event. thank you and i will turn it over to chris. >> thank you, john, and our supporting sponsor raytheon. there are people coming in and there are still chairs. i would like to introduce robert o'hara, who will lead our first discussion today. thank you.
10:13 am
robert: good morning, everybody. i hope everybody had some coffee. as she said, i am robert o'hara, a reporter here at the post, and for years, i have written about technology, the rise of the internet and, several years ago, cyber security. interestingly enough, the issue of cyber security was very urgent in the early 2000's. it has only become more and more important. we have all heard about massive attacks and buried attacks that have exposed information, led to theft, and created national security vulnerabilities and left us uneasy.
10:14 am
today, we have some people who are on the front lines of trying to fight that on behalf of their clients and by extension, on behalf of all of us to make the cyber world a little safer for all of the social engagement we have, all the business we rely on, and national security. patrick is head of trust and security at dropbox. he is responsible for ensuring compliance for the dropbox service. kristin is the chief executive of a consulting company in washington and a veteran of the telecommunications industry, which is fundamental to cyberspace. brian read is the chief product officer at zerofox for social media channels. we will start with a little bit of news.
10:15 am
we could almost cherry pick the more interesting bits of news. it was announced this week that yahoo! scanned the e-mail of users at the request of the nsa. the company said they were abiding by the law. what are the margins here that companies comply with the law, even if they have philosophical and internal ethical differences with those requests? why don't you start off. >> i will not comment specifically on the yahoo! case. i don't have enough details to have an opinion. on the philosophical issues, i think companies do have a responsibility to abide by law, but a fundamental responsibility in providing a service to their customers. to the extent that they are compelled to do something like that, it has to be balanced with a certain degree of transparency to the users. >> in this case, it was a request from the nsa, if there
10:16 am
is a subpoena, that is a legal obligation. how do you notify customers and protect this big notion called privacy? >> it is a balance. the first thing you do is figure out what is the law that applies and the legal due process. if that is the case, you have to comply. then how do you react to your customers? it is a balance. you want to do right by your customers. sometimes in terms of data breach notifications, it helps the customer if you don't notify them right away. is it a big issue or not before you notify them? it is a little bit of a judgment call. first, find out what law applies. there are laws in most every state. 15 plus bills in congress talking about how that should be
10:17 am
structured. that is a question that congress is still debating. >> do corporations have a civil role as part of an effort to either embrace or encourage the change in the type of laws that give the government access to information? >> this is a situation that you could raise classic, public, strategy in terms of business. businesses should be working with the government. i don't think we want a world where the government automatically creates new rules or a world where businesses can do whatever they want with your data. in financial services, there are established norms in how the banks deal with your financial information.
10:18 am
how can we get those kinds of relationships developed between individual, business, and the government? let's stick with the news for a moment. we all know that there are a whole variety of cyber attacks that can occur. daily attacks where the bad guys use vulnerabilities and code. there are social engineering attacks, which we will come back to in a little bit. we all agree that the social engineering attacks, which are about as simple as you can get, pose a profound threat to our security systems. i want to talk about a threat that does not get a lot of attention because it is not considered a hack, which is the insider threat. insider hack, i should say. we know that the nsa
10:19 am
, it was reported that they arrested another contractor who either took or was trying to take really powerful code that the government was using to hack into systems abroad. i would like to hear your thoughts about the nature and gravity of the insider hack, and how corporations and other institutions can prevent it. >> from the perspective that i have at zerofox, it is how it has become a source of daily leakage. you have the inadvertent leakage, where someone will share confidential information. we have had this happen to our customers; someone takes an instagram picture behind a white board, and it is now on the internet. then you have the intentional. there is an interesting situation to deal with, to what
10:20 am
degree should the company be monitoring their activity and who they are associated with on an external basis? am i communicating with social bad actors? should companies be allowed to monitor that, or should the person be held responsible? >> companies argue that they have a total right to monitor their own networks and the behavior of their employees because they are the ones responsible and in charge. let's think about that for a moment. companies are allowed to do that. let's accept that for the moment. when does that kind of surveillance inside the company, extended more broadly -- the government has a right to go to yahoo! and look at e-mails. i don't think anybody here would disagree that that kind of surveillance can improve cyber security. when does it become onerous and how do you strike a balance between the security and the emotional
10:21 am
well-being of the rest of us who don't want to be spied on all the time? >> that is a line people are trying to figure out. anyone who looks at insider threat, there is a lot of data from which to draw. data of when you show up and when you leave, when you log into your computer, the sites that you go through. hr may be aware you have issues at home or you are bullying an employee. if you look at the factors holistically, you paint a good picture of when someone will do something. >> that is very interesting. it is true that corporations have access to data that is not fairly sensitive. do we have a choice to take the steps or not?
10:22 am
the human element in cyber security is pretty important, isn't it? >> i don't think we have struck the balance yet between the capabilities of technology and what we can do in the policy behind it. the capabilities may exceed the policy discussion. the assumption made around an employer's ultimate right to monitor is not something that is held to be true in other countries that have different legal frameworks around privacy. >> that is a good point. we talked about social engineering. you have given a lot of thought to social engineering. would you describe the difference between social engineering and a zero day, and why it is now the prevailing attack vector of choice? >> we have one billion users around the world and we see a lot of the attacks that happen and the majority are very unsophisticated and associated with getting passwords and leveraging passwords to compromise accounts
10:23 am
to gain access to data. this does not involve very sophisticated attack tools. it involves automation and very organized individuals. the automation is high, but the technical sophistication is relatively low. >> you use terms that some of the people may recognize. quickly, what is password reuse? >> that is the number one risk that consumers face. there is a tendency to use the same password across different sites. it is the weakest link. if one of those websites is compromised and those passwords stolen, they are automatically tested against other sites to see what can the bad guy get into now. very sophisticated on the testing tools. >> so if i use the same password, not a good idea? >> not at all.
10:24 am
the white house has an initiative to drive higher enrollment and look at the data. there is a challenge with consumers. >> give me an example of that. some of us are lagging behind the current jargon, but it is important. >> on top of your password, there is something else that they need to get into your account, and that can be a message or an app on your phone with a code that changes every minute, or a hardware device you have to activate. those options are made available on many sites, but they do not have a high degree of visibility. at dropbox, we offer three different methods and we see 1% of our users opting in to turn those off. >> what about social engineering? >> as a social media security company, our mission is to protect and safeguard our
10:25 am
customers on facebook, twitter, instagram, linkedin. when we look at what is happening with social engineering, our research team spent a couple of months. we have technology called snapper, which can profile the user and learn from your tweet streams and can get you to click a malicious link. we have done testing in numerous organizations. >> what is a malicious link? >> it would be a link to download malware, a link to capture your credentials, like a fake credit card site or logging into a fake bank where you give your bank user password. >> so when i am procrastinating and cruising through twitter and
10:26 am
clicking on things, i could be exposing myself to a virus? >> exactly. i would bet that you have learned in e-mail, you should not click on links from people you don't know. what we found on social is people think it is safe to just click on the links. the human condition of socialization has not carried over into the social media world and the bad guys know that. what we have learned is that social media attacks are typically six times more effective than e-mail-borne attacks. >> kristen, what would you tell your clients? >> as a lawyer, i want to expect there is an expectation of privacy. the device they use poses a really interesting angle. if it is their own phone, what is the expectation of privacy?
10:27 am
lock that down in the beginning so there is no question. employ the tools from the beginning. authentication is key. educating the employees about that. the white house campaign has been fantastic. lock down your login, go look it up. there is a great site that can tell consumers what services they are using. educate consumers and make them more aware, and employees. >> it sounds like there is a theme emerging here, which is that to stay out of the threat, it is not a technical response, but an education. learning how to behave properly with good digital hygiene. that sounds boring compared to the sophisticated cyber world. how important is this stuff and
10:28 am
what about the technical solutions? >> it is important, and the challenge has been, with billions of individuals online across the planet, the education i have seen be effective is in corporations. when i look across a broad consumer space, getting individuals to change behaviors has been very difficult. i am not sure if that is a long-term answer. i think much more research has to be done on the part of large technology companies on how can we identify, how can we realize humans are going to be an element of failure? how can we help them? how can we compensate for some of those weaknesses and make detection response better? we build sophisticated systems that attack fraudulent login activity. 85% of the time, we have enough signal to
10:29 am
identify a bad guy. large tech companies have the research abilities to do that type of work and protect users when they have not done their part in protecting themselves. >> terrific. >> what we are finding when it comes to the corporate enterprise and the agency side, education is just as important as the technology behind it. a socialization strategy, where most of the organization is probably promoting good hygiene on e-mail and web. simply amend that with good hygiene on social. it is a simple step. just like you don't click on bad links, educate them that you should be using two factor authentication on your personal social networks, not just corporate technology or agency technology. the same things you have learned before should apply to the social network.
10:30 am
>> let's go away from the grassroots of the user and behavior. it has been my impression going back a long way that corporations will sometimes make short-term decisions that are very profitable that create a massive cyber vulnerability. i am thinking about the credit card companies issuing instant credit cards at the point-of-sale, retail outlets, which helped spur the blossoming of identity theft. when should corporations be held accountable for cyber threats that they create for their own bottom line that, in fact, create threats to the rest of us? how do we address that? >> i would say that they should be held accountable if they have not taken the
10:31 am
right precautions. if they are not looking at cyber security at the board level as a risk issue, that is where they should be held at fault. >> you are advocating deeper government regulations? >> i am not saying that at all. companies are being reminded that they have to include cyber security breaches and issues in their material statement disclosures. >> what about private companies? >> you don't have the sec guiding them. >> and you don't have the insight. by law, they do not have to tell us what they are doing. >> and what is the risk to the corporation? is it looking at the threat and the risk and reacting accordingly? >> not to be gloom and doom here, but i visualize a giant
10:32 am
map and it is all the companies and users in the world, and based on what you described, there are huge black holes that lack information in this giant interconnected world. those giant black holes represent unknown security threats because of the behavior and corporate use. how do we all win when all of us rely on cyberspace? how do we fill in those black holes? >> the question is, how black are those holes? in the consumer space versus the enterprise space, there are differences. when a company is selling to other companies, they go through certifications. they do testing. as a consumer, one of the
10:33 am
indicators that is a great test for the maturity of a company is, do they submit themselves to open hacking? do they compensate hackers? there are businesses called bug bounty. if they find a vulnerability, they will pay the hacker. it is to help solve issues. it is a great indicator that the organization that puts them out there feels comfortable and wants to learn more and has a culture that is trying to identify new holes in the system to protect their users. >> thoughts on the black holes on the map? >> what is interesting in all my years of technology, we will invent something every five to 10 years and create potential black holes. the social media of today, we could not fathom 15 years ago. this notion to be of mixed, public, private,
10:34 am
right? and try to coordinate the processes. most businesses mean well. finding more ways to partner, finding more ways to work together to make sure that you are covering things. my bad guy database and your bad guy database, how come we don't have one bad guy database? there are places where federal agencies are trying to encourage sharing across organizations, encourage sharing of tactics that the bad guys are using. >> it is a fascinating world. i am sure the panel will get into the policy of information sharing between government and private, a profound long-term piece. we have a question from twitter. can you offer advice to bring along slow adopters who are so
10:35 am
interested in protecting their turf? maybe each of you can take a crack at that. >> the white house issued a few orders helpful for this and created this framework that provides a laundry list of standards and a framework for assessment. companies can go to this framework and assess, what is my risk? >> my advice would be to focus on the problem, which is around the whole password issue as a consumer. use unique passwords and a password management tool. there are lots of them out there that make it very easy to have complicated passwords.
10:36 am
and turn on authentication. >> we were talking earlier on the things people put in e-mails. what does that have to do with cyber security? should people be careful about what they put out about themselves on social and in their e-mails? >> we were talking earlier about one of the rules, don't do something you don't want on the front of the washington post. we talked about the instagram inadvertent posting. it happens a lot more than you think. if you are on a trip in hawaii and posting like crazy, someone surveying your property knows you're in hawaii and knows it is a good time to rob your house. we live in a world where you want your friends to know how much fun you are having, but you have to understand the prudence of sharing that information. we have this sharing economy,
10:37 am
the sharing community around social networks, and you need to make conscious decisions for yourself, family, children on what is the appropriate level of sharing of information, and who do i want to be able to see that? do i use privacy policies to restrict my social posts so my friends can see me and not the rest of the world? >> fascinating audience, excuse me, a fascinating panel with very interesting ideas. thank you so much for joining us. [applause]
10:38 am
>> hi, everyone. happy to have everyone here this morning. let me get this out of your way. i am a national enterprise reporter and former cyber reporter. happy to be on stage with this panel to talk about political leaks and hacks. the vulnerabilities of these institutions to our cyber adversaries is something that a lot of people here in town are thinking about. also want to say hi to viewers at home. hope that people in silicon valley are fully caffeinated. let's introduce our panel. to my left is michael sussman, member of the dnc's cyber security. next, the staff director of the cyber security, infrastructure protection and
10:39 am
security technology subcommittee for the u.s. house homeland security committee. then thomas hicks, commissioner of the election assistance commission, and rich barker, chief information officer of threatconnect. i want to start with rich and talk about the motives of our cyber adversaries online. we know russia and china are constantly probing, if not gaining access to institutions around d.c. it is not an overstatement to say that they are interested in the intelligence value of the information they find. can you talk about that? >> right. with regard to the intelligence value, it depends on what motive, what operation, what effects they are trying to deliver. you might look at some of the traditional chinese espionage we
10:40 am
have seen that has gone on after a variety of companies, businesses, as well as ..., so they can leverage that information for a variety of purposes. getting to market quicker with a certain technology, or perhaps counter intelligence activity where they wanted to look for various targets for recruitment or operators within their borders. with regard to what we have seen recently with the russian attacks, we are still kind of looking at this activity and trying to tease out what their motives might be. it certainly looks like they are very aggressive in trying to shape the narrative around that hanging
10:41 am
question mark in the system. there can be a variety of different motives in what these types of groups are trying to do and find to effect for their own objectives. some of the things we have been kicking around the office is, for every story that runs and every conversation in and around the elections, what are we not talking about? we are not talking about syria, what's going on in the ukraine. there are broader issues and what russia is doing in the rest of the world, where we are hyper focused on ourselves. it is an interesting time. >> yeah.
10:42 am
i would follow up by asking, do you think there is special attention being paid to the democratic party given hillary clinton's run for president? is it possible that adversaries are tuned in to the goings on of our election? >> you know, ultimately, what is at hand is they are seeking leverage. i would not necessarily seek that leverage in one party alone. i would buy insurance and make sure i'm covering my bases. i would not be surprised if it affects both parties and perhaps might be the new normal. we have seen campaigns targeted going back as far as 2008.
10:43 am
the president indicated that his campaign had been targeted. do we need to consider this in the next election cycle? do we really focus that this is a new way of life? >> michael, do you think our cyber adversaries are politically astute in that way? do they pay special attention to the dnc because of the potential to see a clinton presidency? michael: they are politically astute, but we do not know what they are doing. we are in the middle of a book. someone will write a book about these events. we don't know how it is going to end, but it is a big political theater to figure out who is trying to do what and why they're trying to do it. we know they are astute because it is russian-state sponsored and the groups doing it are very sophisticated. in fact, this is their day job.
10:44 am
when we are looking at activity, we saw the most activity 9:00 a.m. until 5:00 p.m. moscow time. when we talk to the victims in the political parties, we would say that unlike a company, where a state actor would say, let's move on to a company we can get into, the doors are locked really tight, we will move on. for these organizations, it is someone's day job to get in, and they will be persistent. they are very sophisticated in what they are doing. but it is a guessing game as to why they are doing it. >> do you think we could see more e-mails out of the dnc hack? >> i would not just call it the dnc hack. there are more campaigns to break into the systems.
10:45 am
one thing, when we see documents, we don't know whose they are very often. when those documents were posted, the big question was, is this yours, is that yours? it is not clear. the documents may have been created by one group and circulated throughout other groups. the campaigns and parties are really, really, really busy trying to elect candidates. it has become a side job to deal with this, but it is not a full-time job and there is not a lot of effort looking at every document stolen and trying to figure out where it came from. they are trying to move on with the business of the campaign for the parties. >> brett, let's turn to you. your boss said the rnc was hacked and then walked that back. are you aware of the specific
10:46 am
operatives who have been either probed or hacked, and whether your boss was really telling us the truth? >> the point the chairman was trying to make was both political parties have been hacked, and trying to make the point that it is bigger than that and you have to look at the motive behind what these groups are doing. looking at it as psychological warfare, trying to undermine the confidence in the election system. looking at motives of personally identifiable information, voter registries. those are the motives we have been briefed on. both parties are being hacked. it needs to be a bipartisan issue and we cannot allow nation states to target either party. there needs to be strong consequences when those actions take place, whoever the actor is. that is the point my office was
10:47 am
trying to make. >> do you think republicans are equally vulnerable? >> there has been reporting that operatives have been hacked with their e-mails and campaign-related issues. both parties have been, and i think looking at the political organizations, we need to be vigilant that this is the way of the future. i would give a warning that all political parties, state, local, federal, need to be aware that this is a new world we have to live in and we need to be prepared for that. we need to be looking towards november 8. there is a lot we need to do to ensure that you are prepared for that. it is about being vigilant and being aware. >> thomas, let's go to you. for our younger viewers, the question of online voting always
10:48 am
pops up. many of the people watching will understand that is a bad idea. can you walk us through that idea? thomas: thank you for having me here today. a lot of people don't know that there is a small federal agency that deals with elections that formed after 2000. there is a small portion of folks who can vote online, military and overseas voters. it is a very small segment of the population. it has to be more of a discussion we need to get into when we have these incidents occurring in the last year or so. we need to look at best practices and see how we can expand that out. what the agency is doing is working on voluntary voting
10:49 am
guidelines that have not been updated since 2007. 2007 is when the iphone came out. technology has changed and our processes have changed. we should be looking at ways to make it more convenient for people to use their technologies to vote, but also make sure those votes are secured and counted accurately. >> absolutely. internet voting is one piece of the puzzle. electronic voting machines, if they have access to the internet, could be vulnerable on their own. is that something you're thinking about heading into next month? >> we think about all of that and we have been thinking about it for years on end. it is not something that is going to change overnight, so i am hoping this conversation does not end on november 9 and we continue it on into january and february, so we can look towards the 2018 election and 2020 election to make it more
10:50 am
convenient and secure. our elections now are the most secure they have ever been, but we can do more. and we must. >> looking toward november 8, is there anything on your mind when it comes to threats? >> with regard to threats? i never cease to be amazed. i am never surprised when i see these sorts of things. i just think we continue to think creatively around how an adversary can continue to meet their objective. short of a crystal ball, it is hard to know what we may see. there is a precedent for the leaks. speaking of the audio communication we saw recently, it might be indicative of things that closely match some activity we saw occur in the
10:51 am
ukraine during the elections. we have to kind of look at a precedent. what did we see in and around some of the ukrainian elections? might they be playing from a similar playbook? i cannot say for sure. maybe that is a good rubric to look at and think creatively about what we may expect to see. >> michael, when you think about the threats facing d.c. institutions, everyone is being probed all the time. what would you suggest that people who have not been ahead of the curve begin to do now? how would you introduce them to this problem? michael: reading the papers and seeing what is going on. the change is this idea that people looking at your things and learning about you, this intelligence collection, is one
10:52 am
kind of threat, and now people are seeing their personal e-mails and communications and papers being posted to embarrass them. i don't think anybody here would be proud of everything in their e-mail inbox posted on the internet. it is a threat for companies, people, and the education is investing for it. for the political parties and campaigns, there are really two time periods. before the election, in terms of cyber preparedness, ready response, and really important work after the election on what to do. all of these organizations put their effort into building their party. traditionally, this has not been like the corporate analog, where an annual budget had a line item for $4 billion for cyber. that has not been the case, and it needs to be the case now.
10:53 am
how we are going to find the money to spend on a dedicated basis and so that they can make longer-term plans. that is not just keeping the --, but to continue the metaphor, building a stronger ship. the one point i want to make with the question, my understanding is that the election system, the voting system on election day, is reasonably safe from cyber attacks because the 8000 districts are not interconnected and run different systems. some are actually paper and some are not backed up. there is not going to be a voting virus or voting malware that will go out in an attack on the nation's system. we are safe that way because of
10:54 am
the diversification of the different districts, none of which are connected to the other. >> it is decentralized, with a decentralized system. you would need an army of folks to try to get into the systems. the equipment that 47 out of 50 states use is certified. none of them are connected to the internet, so there will be no sort of internet hack into voting machines themselves. >> when it comes to individuals looking at their own cyber hygiene and practices, is there anything you advise people as we go about our days and say things in e-mails we may not want to be hacked into? has the culture changed as we approach this technology? michael: there are several
10:55 am
simple things people can do. turn on two-factor authentication. it means you need two ways to log in. when i use my personal e-mail, i put in my password and i get a text message and am prompted to put in the code. two factor makes a huge difference. they use your social media and your personal account and all sorts of information to create spear phishing attacks. these are targeted e-mails that look authentic to try to get you to click on a link or open an attachment. these attacks are so sophisticated, yet most of them start with a simple piece of human engineering to get you to click on something. think more about your privacy in a social setting, and facebook has a one click solution. in your privacy settings, there is one thing you can click to make all of your posts and
10:56 am
everything in your past, friends only. if you look someone up to see what this person is about, and some people on facebook you see, there is this person in a bathing suit, having drinks, their kids, those people don't have that awareness and you can take care of it with a click. lastly, there are peer-to-peer equipment and apps that allow you to have fairly private communication. >> the culture on the hill is attentiveness to the idea you're being probed all the time. do you have a two factor system? >> like any other organization, there needs to be training. and you need to have everyone within the organization aware of it.
10:57 am
from a phishing attack, that can undermine the entire system. we are very vigilant and we have set up programs and set an example of what we do internally. i would say, yes, for sure. >> thomas, jeh johnson talked about the idea of making our election system critical infrastructure. what would that mean and would you agree? >> i can talk about that. states are looking for resources to make sure their systems are secure. if that is what they have to offer, that is a great idea. >> we passed legislation through the congress back in 2014 that says dhs
10:58 am
can provide voluntary assistance for various tools that are all optional. there is a suite of samples available. states and localities need to invest in these technologies to ensure that they are secure. with the capabilities that dhs has, more than half have signed up for this voluntary assistance. in congress, we have legislation passed out of our committee last year that passed the house of representatives in december, pending in the senate, that clarifies the role of dhs in providing this voluntary assistance to states when they request it. it is about clarifying the law. it will make a difference. as for federalizing the election system, absolutely not, we do not want to do that and it would be unconstitutional.
10:59 am
we do think that providing tools and capabilities would be a good thing if it makes sense for those localities. >> can you give us a quick forecast of the lame-duck? [laughter] >> we are working on several pieces of legislation. one would reorganize the department of homeland security to carry out its cyber mission. we passed several bills in congress in 2014, and the cyber security act in december giving agencies authority. our committee pushed it back to june and we are working to get it to the house floor. it would reorganize the department so it can carry out the authorities we just gave it. we are getting other
11:00 am
organizations involved and doing the best we can to get this done by the end of the year. it is a top priority for us. the other two bills i mentioned are the state and local cyber protection act, that clarifies the assistance to state and local governments, and the strengthening crime-fighting act, that will provide voluntary assistance tools to law enforcement to go after cyber criminals, so we think these assistance tools will go a long way. the bills are pending in the senate so we are trying to shake them loose over there. these are the bills we are trying to get done, not just in the lame-duck, but we will see if we can, though. >> we have gotten a couple of questions from twitter. i might go to you, rich, on this one. something that the cyber espionage as well as hack discussion seems to suggest is that the u.s.
11:01 am
and americans are victims -- >> i think everybody, large countries and even emerging economies, are seeing the power of cyber and how the world has adopted it and how it works and is in play. the internet permeates every area of life. how do you go after those national objectives within that respective domain? some countries might seek to bolster their economy. others might seek to go after terrorists. others might seek to undermine an election. it really just depends on their perspective as to who is a good guy and a bad guy and the motives behind leveraging that domain to enable that respective nation. >> the next question sounds a little bit like a plot for an action film. we talk about international attacks, but is there a chance
11:02 am
or sophistication domestically to see hacks between parties? michael, any comment on that one? >> i think and hope that everyone is working on the support of their candidates winning the election, and so to make it possible for there to be another watergate type break-in? surely people are smarter, and we will leave that to good fiction reading. >> absolutely. >> on cyber -- mrs. clinton: the united states has much greater capacity, and we are not going to sit idly by and permit state actors to go
11:03 am
after our information. we do not want to use the kinds of tools that we have. we do not want to engage in a different kind of warfare. but we will defend the citizens of this country. and the russians need to understand that. i was so shocked when donald invited putin to hack into americans. mr. trump: as far as cyber, i agree with parts of what secretary clinton said. we should be better than anybody else and perhaps we are not. i don't think anybody knows it was russia who broke into the dnc. she is saying russia, russia, russia. it could be russia, or it could be china, it could be lots of other people. it can be somebody sitting on their bed that weighs 400
11:04 am
pounds, ok? >> if we could go down the panel, i would be curious what questions you think a presidential candidate should be able to answer about cyber in this day and age and what voters need to know to evaluate the candidates. >> they need to take it seriously. they need to understand how serious it is and understand the seriousness of the consequences. one of the most difficult things about considering retaliation is considering the consequences of that retaliation. and keeping in mind, and i hope that both candidates are aware of this, our economy, our internet economy and internet lives are very fragile. so going to cyber war with a country like russia or a smaller, sophisticated country could result in grave consequences to our economy and our critical infrastructure. it is a difficult, difficult thing.
11:05 am
it is not something we have waged on a large scale before. there is a lot of thinking going into what the next steps will be. >> what about you? >> i would say look at the last several years. we have worked in the congress on a bipartisan basis to get important foundational cyber security legislation through. going back to the five bills we passed in 2014, and the big bill we passed, the cyber security act, these are bipartisan efforts to address a threat to national security and economic security. i think going into the next administration it is important that we realize this is the number one thing that we have heard from -- this is now the number one threat we are facing as a nation. i think looking to the next administration, there needs to be investment into cyber security. there is a lot that needs to be done. we need to beef up and make stronger our cyber defense strategy. we need to do more to show our
11:06 am
adversaries there will be consequences when cyber attacks take place. i think that would answer the question. >> i would answer it twofold. one, one of the best ways -- is my microphone not working? can you hear me now? how about now? speaking, speaking, speaking. no? well, i will try to speak loudly. two of the best things that can be done on the front lines is basically to have additional poll workers. having additional poll workers so they can see what is actually happening, so the best way to see the administration of elections is from the inside. becoming a poll worker allows you to do that. that is one thing i would say. the other thing i would add is both president bush and president obama added
11:07 am
millions and billions of dollars for the administration of elections. so i would hope that whoever becomes president looks at elections not just in terms of november coming up, but as we go on. elections happen every two years. states and locals are at their wits' end in terms of funding for schools, roads, military, and so forth. we all know those things are important. but our democracy is also important. we have to make sure we have that investment in it. >> do you want to close us out here? >> sure, i would just go analog here, it seems like we have had some issues. i think our next leader, or any new world leader, is going to see and understand how important the internet really is to everything from our economies
11:08 am
to elections. it is really a new domain that wields a lot of power. i think it needs to be respected and understood. it is certainly complex, and so for these threats, those who seek to wield it, there need to be norms -- there needs to be greater understanding around what the possibilities are. it is certainly an interesting time to see the effects the internet holds, not only here in the states but maybe the world at large. >> great. help me thank our panel. [applause] >> there is actually a long history of the russians trying to interfere with and influence elections, going back
11:09 am
to the 1960's and the heyday of the cold war. there have been several documented cases of previous elections where it would appear that they were trying to somehow influence the election. of course, there is a history there, there is a tradition in russia of interfering with elections, their own and others. so it should not come as a big shock to people. i think it is more dramatic
11:10 am
maybe because now they have the cyber tools that they can bring to bear in the same effort. it is still going on, but i will say it is probably not real clear whether there is influence in terms of outcome, but what i worry about more, frankly, is just sowing seeds of doubt, where doubt is cast on the whole process. >> ok, i am timberg, the national technology reporter at "the washington post." we are here to talk about cyber war. this is a reminder to tweet your questions and comments using #wpcyber.
11:11 am
i will not roam the audience like phil donahue to get your questions up here if you'd like. immediately to my left, or maybe right if you're watching on tv, is one -- he is the cochair and founder of -- he worked under george w. bush. richard is the chief strategist. he was a director with general electric and started his cyber security career as an officer in the air force. on the far side is frank, associate vice president at george washington university, where he directs the center for cyber and homeland security. let me deal with the general issue that i wrestle with all the time: what we mean when we talk about cyber warfare. a lot of what we read about in the press and some of what i write about is espionage.
11:12 am
let's start with frank. >> thank you. i'm glad you asked that question because of a lot of the coverage of cyber security. we have nationstates at the very top of the list. at the top of that list are countries integrating computer network attack and exploit into their war fighting strategy and doctrine. terrorist organizations. not all attacks are the same. they are very different. those that are mobilizing capabilities into their strategies are the countries that i think are at the top of the list. when you look at u.s. national security objectives, russia and china are at the top of that list. a lot of what they do is computer network exploit, or espionage in
11:13 am
cyberspace, but they have done preparation of the battlefield. those would be the very top, but you have other countries that may lack the capability of russia and china, but what they lack in capability they make up for with intent, and this is where you have north korea and iran, more likely to turn to a destructive cyber attack. they have fewer constraints. i will shut up at that point. not all attacks are the same, not all capabilities are the same, and it hinges around intent. if you can exploit, you can attack; the line is thin, and it all depends upon the intent of the perpetrator. >> do you think it can break into warfare? >> a book or documentary if you
11:14 am
want people to pay attention to it. cyber war will get people's attention. my definition is the imposition of will using a digital means. there are two schools of thought. one school of thought is that of my ph.d. advisor, where he says if you have war, you have violence, and he believes cyber war will not take place. that is one school of thought. there is another school that says it is more expansive, and that is where the russians and chinese fall on the divide. war is not just violence, it can be any means by which you are trying to get your way. they tend to come from a tradition, especially the chinese, that says you are better off not fighting and achieving your way.
11:15 am
i take that position. if you are imposing your will using a digital means, that could be war. you could be in a situation in 5, 10, 15 years where this thing we have, cyber, is integrated into every aspect of life, and that makes it silly to talk about cyber war. is an f-22 a cyber weapon? if iran uses cyber tools to attack a big u.s. bank, is that an act of war? >> we are in uncharted territory because you have a blend of
11:16 am
actors, both in attempting to acquire data as well as disrupting or destroying. you have a changed concept of what war means. this becomes interesting. we do not have doctrines that define what those clear lines are. as we think of it currently, we do not think of these tools as true cyber warfare tools until there is an element of destruction that is demonstrable. that is one of the reasons we have not had as much awareness as we have engaged in cyber, as nation states engage in cyber. one of the challenges is the fact we have nationstates already attacking private actors. you have had iranian and syrian
11:17 am
entities attacking western banks as part of denial of service attacks, not destructive, but intended to send a message. you have had north korea attacking south korean banks. you have other systems, government and nongovernment. it is an open field in the domain where actors are feeling out the bounds of what is permissible. one of the challenges is how do we define the boundaries of what is cyber war or not, how do we respond, and that puts great stress on how do we prove attacks, how do we respond in a proportional way without unleashing other forces or warfare. it is part of the reason why you have not seen officials wanting to be too open about russian hacks. there has been a reticence to do that because it raises questions
11:18 am
about what the endgame is, and that is not well defined. all forms of conflict today are going to, 100%, have a cyber dimension to them. to pick up on the points my esteemed colleagues raised, cyber is its own domain, but those that are integrating computer network attack tools into the other domains -- air, land, sea -- that is where cyber is not its own entity; it enhances the lethality of conventional weapons in different domains, enhances the ability to seize territory, and it is important to recognize that the battlefield today has been extended to incorporate all of society, and companies are on the front line. what makes this different is the targets are not only government
11:19 am
targets or the like, but the financial services sector. the recent swift attack is one of those incidents that rises above the fold, not because the central bank of bangladesh lost $82 million. they can absorb that. it is a bad day for customers. the global economy can absorb it, but it indicates financial risk. we are talking about billions of dollars of transactions being settled daily. these are the different targets. the ukrainian hack, that was a big deal, not because of 250,000 people losing power for a couple of days, but because the rubicon was crossed where a cyber weapon had a kinetic effect on what happened. >> if there is a physical
11:20 am
effect, that is cyber war, and it sounds like cyber war is going to be part of any shooting war. certainly, if the united states would get into this in the foreseeable future -- and bytes to them. when we hear that so and so hacked so and so, yahoo!, it was a state-sponsored actor. it is hard for us to find out if that is true. it is also hard for the experts to find out if it is true. this creates enormous problems. in the old war, they shoot at us, we shoot back at them. it fits into a kind of strategic framework that makes sense to us. let me start with you, richard. are we ever going to know who is
11:21 am
shooting at us well enough? do we feel comfortable enough shooting back? >> we know all the time. there are certain elements in the private sector who know this all the time. the report -- there were indictments that were based on that. there are elements of the techno community who would not believe it if there were a camera on a person hacking into an american bank; that is what the cia created as a plot. they did not land on the moon, apparently. it astounds me that people doubt the ability of the government to do attribution after the snowden revelations. you have got to believe that.
11:22 am
the fbi may not have been the best vehicle to explain it, and what they release will not satisfy the techno community. at the policy level, president obama is not looking for fights. to come out and say it was the north koreans introduced a whole level of complexity that he does not want to address. he is only going to be president for the next few months. depending on your point of view of clinton or trump, the assertions of the u.s. government may go up or down. >> sometimes the journalists live on the outside of that. the attack that precipitated the u.s. move into vietnam in a more forceful way, that was basically not true. we reported it as true at the time because we did not know better. even if the government can know, how can the public be assured to any extent that it is worth
11:23 am
engaging in hostile actions with another country that may involve other kinds of weaponry and death and destruction, if we just have to believe the nsa or the president? >> it is a fascinating and important question, because there has been an attribution revolution. it has advanced in ways that are incredible in terms of cyber frameworks, not to mention cyber warfare assessments. it is not just forensics online, but everything else they have at their command. the problem is all this is cloaked. in a sense in the public and internationally, how do you prove it? much of this has migrated to the private sector. companies like fireeye argued they are too close to the government. you have private companies that
11:24 am
are doing this work internally. this is a space that is not left to just the u.s. government. how do you prove this in a way that does not hem in or reveal sources and methods that will make it more difficult in the future? that is the first barrier. that was a criticism in the sony hack. my colleagues at harvard law raised questions whether we could believe the fbi's assertions. the second problem, which richard said, is let's say we do attribute the attack, as we did with north korea. what then? what is the right response? should it be sanctions? the key element is, how do you prove it? our adversaries know that.
11:25 am
china and russia, the first question is, prove it. how can you prove that we have done this? >> on the argument -- these fights are going to end up being asymmetrical. we may have the best weapon in the world. if we got in a shooting war where we are sending cyber weapons across the internet to damage people who we believe have damaged us, how does that go when anybody with a computer can potentially disable a water plant or maybe change the way the water is going through the nuclear plant? does this not get very messy quickly? >> absolutely, it is complex.
11:26 am
attribution has improved exponentially, but it is not 100%. knowing precisely who is behind the keyboard and finding the smoking keyboard is not easy to do, especially as most of the actors that are very capable use proxies or cutouts to do their bidding anyway, so no one worth their salt will send it back to their doorstep. that said, there is a difference between having the cyber equivalent of a drive-by shooting capability, where you can have lone actors cause destructive harm to a target, and a sustained computer network attack capability. a kid, 400 pounds or less -- >> or more. >> can attack someone, but that is not the same as a nationstate, because ultimately, here's the other thing -- do not
11:27 am
think the only means we have for attribution is cyber means. we have other capabilities. that is why we do not lean so far forward, because we would be compromising other sources and methods. it is a complex set of issues. if attribution is based only on cyber forensics, the best actors are going to run circles around you. if you have other means in addition to that, historical trends, to see what their tactics and procedures are, you can put that into place. >> you have illuminated the reasons why this is a complex matter for the u.s. government. what about the private sector? if you get hacked by the north koreans, and you know who it is, is it ever ok for a private company to be hacking back against a nationstate? >> absolutely.
11:28 am
i have written a paper that caused controversy and argued for a cyber privateering model -- which has a right to -- which was in the context of the american cyber security domain that was not secured by state actors, involving privateers and other private actors that had the ability to influence maritime security. we are in a similar context with cyber security. 40% of the infrastructure is held in private sector hands, while the internet of things is becoming more and more dominant. the capabilities to understand vulnerabilities in real time sit with the private sector. we have to think very differently about what our model of defense looks like. we have to do these things -- attribution, shape the international norms, you have got to create redundancy, you have got to take some systems off-line --
11:29 am
but you also have to think creatively about how we work, public and private, with each other. a model that allows acts of defense that does not require the proof needed to indict in court, to be able to react in real time. i think the private sector is looking for that kind of sanction, looking for a bit of a safe harbor to work closely with governments, not on their own all the time, but to go after some cyber actors, and in some cases to retrieve data that has been stolen. >> you are now in the private sector. you have been on both sides of that big divide. the question i have -- >> i have got to get in there.
11:30 am
>> what are you trying to accomplish? -- what are you trying to -- other than to break into the computers, see his list of targets and see you are on the list and they have an active attack on you. is that the role of the private sector? probably not. outside of that, are you trying to do any long-term suppression? if you are trying to do long-term suppression and you are trying to use cyber means, i do not think it will work. you have to go to diplomatic and financial and legal tools if you want long-term suppression. if you are trying to use it to build a legal case, there may be questions about how you gathered the evidence. those are the problems i have when i hear about the private sector trying to break into other people's -- >> call me goldilocks, too hot, too cold, i am in between. he had an unspoken thought,
11:31 am
so i will try to be brief. we are releasing an active defense study in october. i think there is much more to the active defense set of issues that right now are gray areas, short of hack back, long of building higher walls or moats. we cannot build higher walls and deeper moats and protect with bigger locks. that would be like every time our home is robbed we call the locksmith. that is doomed for failure. cybercrime is the only crime where we still blame the victim. we have to have deterrence and impact on the actor and that includes taking proactive steps.
11:32 am
i would say short of malicious hack back that is intended to be retribution. there are things technically -- the question is what is your network? the perimeter is totally blurred. i do not know what is outside your perimeter today, but there are things you can do in terms of beacons and honeypots and dye packs and all sorts of things that are technically capable, but legally questionable. our laws are still circa 1986, before the world wide web was what it is today, so we have to start questioning these things. >> we will do a lightning round. we will start with you on the end: what would you tell hillary clinton and donald trump about cyber war? one really good piece of advice. >> they better get comfortable with the issues. they better get comfortable with
11:33 am
the fact that you are not going to get the smoking keyboards all the time; there is going to be ambiguity, just like there is with the counterterrorism environment at all times. secondly, rules of engagement. we need to clearly define what the rules of engagement are for computer network attack, and thirdly we need to articulate and demonstrate a cyber deterrent -- >> richard? >> there is a myth that an individual can have a strategic effect. the stuff that really matters will take time, maybe even months or years. it will take teams of individuals. we need to have the longer-term campaign model, and the ultimate answer generally lies outside of cyberspace, in the other tools we can bring to the arena. >> i would say you have to think differently and come up with different models for how we deal with the issue and how we shape the environment.
11:34 am
i agree with frank that the area and field of the current is not well-defined. we are in a period where we will have to define doctrines, response capabilities, and deterrence. we will need to find a new model for public-private engagement that maybe comes up with creative elements of active defense and we will have to think about new forms of resilience that may actually mean pulling key systems off-line and running against the market trend of putting everything on the internet and connecting it. thank you all for being here today and thank you for listening. if we could give a round of applause to our panelists. [applause] >> that was pretty good. the next panel will be run by my colleague at the washington post brian fung and i think they are headed in here in just a minute. thank you for being here and i
11:35 am
hope that was worth everyone's time to listen in. thanks again. >> good morning. you guys have been a very patient audience and stuck with us all morning. thank you for coming. just a quick reminder you can tweet your questions, which will show up on my ipad here. joining me this morning we have three really awesome guests. to my left is brett leatherman, the assistant chief of cyber engagement at the fbi, who previously served as a special agent of the fbi for cyber and
11:36 am
national security matters. to his left we have michelle, the senior managing director at clear consulting group and finally we have michael wagner who is the senior director of information security at johnson & johnson where he specializes in digital asset risk management. i would start with kind of a personal bit. one of my jobs is explaining to people what critical infrastructure is and why it matters and how we are vulnerable, but it occurs to me that critical infrastructure is an accessible term. a lot of companies in the space you are trying to convince to get on board defending themselves, we were just talking in the green room about how hard it is sometimes to get buy-in from companies when it is maybe a low priority for them. it is 2016, why haven't we come
11:37 am
up with a better term for critical infrastructure? >> from the government standpoint there is a presidential directive, we have 16 critical infrastructure sectors, and the u.s. government is responsible for helping the private sector in that regard and hopefully prevent, detect, and mitigate threats to critical infrastructure within the 16 and we are looking at those corporations that contribute to the stability economically as well as to life, health, and safety. we have defined critical infrastructure and the companies supported through ppd 21 and the fbi, the department of justice, and the department of homeland security work closely with those sector specific agencies. i know you serve on the health isac which is bringing together public and private partnerships.
11:38 am
thank you for having us and it is a pleasure to be here. the national health isac is one of the information sharing and analysis centers where the health care industry comes together and we share resources and threat information and provide services to medium and small and large businesses as well. johnson & johnson is the largest, most comprehensive health care company in the world and we have significant health care resources. we realize we need to give back and we need to help the little guys out with providing services. brett has spoken at a few of our summits recently and it is a great organization where we are able to protect and defend the national health portion of the critical infrastructure. >> i think in the commercial sector we are getting better, but part of the reason why we
11:39 am
haven't defined critical infrastructure is because it is a work in progress. we are still building the bridge as we walk on it. firms that provide enterprise risk management consulting services have to help clients understand what their critical risks are and the more we do that and the longer we identify those risks for them and what the critical infrastructure consists of, the better the definition will become and the firmer it will be. how does our need to understand critical infrastructure and the way we define it need to change as we learn better what the landscape of capabilities, threats, and risks are? generally speaking if you take critical infrastructure and boil it down to a corporate perspective we look at it through three phases of business: commercial and sales, supply chain, and we have the
11:40 am
research and development and in each of those, the threats and risks are different and in each of those areas the protections need to be different. supply chain for instance is really about availability. you are dealing with risks such as technology lifecycle management issues where the business is trying to squeeze every penny out of that technology platform that can make that pill or make that medical device or design and build that drug, so there is certain risk there and r&d is a very collaborative space, so we are dealing with multinationals, educational institutions, and protecting the infrastructure that research and development rides on is a more flexible approach. it is similar to commercial and sales, the financial data and making sure that we are falling in line with other types of
11:41 am
financial controls. these are all critical areas of our business and we make sure we are looking at and assessing and building our security program. >> can you tell us a little bit about how those three areas of the business coordinate their cyber defenses? is there much coordination or is it more that it comes from the top and is spread out? >> we have a very centralized viewpoint from a security strategy and design where we have a baseline of working with different types of frameworks such as iso frameworks for security controls that would apply. there is a base set of controls we like to put in place and there are unique needs that those areas require. coordination is done through the various different business groups with the centralized
11:42 am
security staff that is driving and building the strategy consisting of people, the process, and the technology to secure the enterprise. >> what is fascinating to me is you probably have a very robust interaction between your various groups, but what we see in our incident response from a law-enforcement perspective is many companies do not have that interaction. the network defenders are responsible for network defense, but they do not engage fraud prevention teams or the general counsel's office. in one case we responded to what turned out to be a large cyber compromise; when our team showed up they started working with the chief information security officer and his team to engage the threat and hopefully help quickly mitigate what was happening and personalize the threat actors, and a few hours after, the general counsel learned this was happening and came down and said let's stop what we are doing right
11:43 am
now, we have a government agency in here. we are sharing information and we have not determined what information we want to share with the government. so they sent the fbi team home and continued to work within their environment to try to determine what they could share, and over five days later they invited the fbi team back and by that time they had communicated on compromised infrastructure that the fbi teams are here, what do we want to share, and so unfortunately i think a lot of organizations right now do not bring into their incident response plans general counsel, physical security folks, fraud prevention protection to prepare for an incident and what that information sharing plan might be with the u.s. government. >> when you are advising companies on stuff like this is there something they can do organizationally, structurally speaking to help ease the lines of communication? >> absolutely. what we like to do when we work with firms.
11:44 am
i have seen these plans vary widely. some of the larger firms we work with do not have very good plans in place and they kind of wait until it is almost too late before they have a plan. what we try to do is help them identify where they might be vulnerable, what things could be at threat or at risk, and then after they identify those things we help them prioritize. this is a problem because not all companies are at the same stage in their life cycles. smaller but more technical firms have higher risks, but lower revenue streams. sometimes they are a little bit slow to put resources toward this eventual event. it is going to happen at some point, it is just when and hopefully it will be at a time in their life cycle where they have been able to plan. we try to get them to
11:45 am
incorporate as many parts of the organization as possible. some of them do not even have their own general counsel. some of them will contract that out when they need it. it really depends on how mature they are in their business cycle. >> so we have a great question from twitter that ties directly into a question i wanted to ask so i will ask the twitter question. considering how much nation states depend on satellites for critical infrastructure, has any official national policy been put in place yet and what are the best or necessary steps to take to protect satellites from being used in an attack? >> i am not part of the policy teams in the u.s. government, i am part of the law enforcement intelligence community. satellites and any form of infrastructure utilized for communication are susceptible to some sort of nefarious activity.
11:46 am
satellites are an asset that we have to look at and like any form of risk we have to build controls. i know that is being addressed by some partner agencies to build controls around that risk associated with those satellite communications. [laughter] >> to what extent should we be thinking about things like election systems as critical infrastructure or e-mail systems as critical infrastructure? we have had a number of reports about russia potentially affecting elections and people are clearly worried about the impact that other nation states may take in cyberspace to affect the way we live here. can you sort of address the e-mail and the election system question? >> in terms of e-mail i think it
11:47 am
is just part of our daily lives. i was reading an article coming down on the train last night that half of our time, over a thousand hours a year, is spent reading and doing e-mail. of course it is part of our infrastructure. there are several established, great technologies in place to secure communications around e-mail with encryption. there are a lot of different ways with messaging that goes back and forth from applications and infrastructure to secure that; there are a lot of options out there to secure it. depending on your resources, what technology is right for you depends on how many resources you have available. >> i think it goes back to one of the tenets i learned in the army is know yourself and know your enemy. when it comes to e-mail, know
11:48 am
what information you are sharing over e-mail and know who might want to exploit that information. when you have a good understanding of your threat environment it helps you to be safer with e-mail, any communication or any means that could be hacked or anything that is vulnerable and that goes for any type of company, corporation, industry, sector. >> e-mail remains one of the top vectors of compromise for any business and i do not want to beat a dead horse because i know multi-factors have been mentioned. there is a thursday night football game on tonight and i will be using multifactor verification on my football team. the issue of should we consider e-mail critical infrastructure, should we consider the election systems critical infrastructure, that goes back to the initial question about what is critical infrastructure because the lines are becoming blurred. while we have defined sectors of
11:49 am
critical infrastructure, what we have to look at is more and more entities within critical infrastructure that rely on third-party companies for day-to-day operation. whether it is the cloud environment or a mom-and-pop shop, although major organizations may spend millions of dollars on network defense and cyber security, if there is a small mom-and-pop shop that has trusted access to their network environment and critical data, the threat actor has shown the propensity to use the path of least resistance. why try to force your way into a very robust protected network when you can go after a small business who has trusted access, and we have seen that in the government space, health care and finance sector. what is convenient for us, whether it is a third-party or connecting an internet of things device to our trusted networks,
11:50 am
what is convenient for us is convenient for the adversary so we have to look and reevaluate how we have that trusted access into our networks. >> this may be a sensitive question given we have a member of law enforcement here. -- that our critical infrastructure is compromised when we learned of the backdoor essentially that even yahoo!'s chief information security officer did not know about? >> i will defer my comments to these folks first. i am happy to a little bit but -- [laughter] >> i cannot comment specifically on the yahoo! event, but what we strive to do in the fbi cyber division is recognize that private sector companies are equal in the plane environment. in counterterrorism it was if you see something, say something, that was the extent we did with private sector with law enforcement in a criminal capacity.
11:51 am
under u.s. law we work with private sector partners who see the adversary on their network before we do in law enforcement on a regular basis to see as the adversary changes tactics, techniques, and procedures. we have to be agile, we have to be able to engage private sector and get the information quickly because it changes so quickly and we have a certain optic into the adversary that private sector does not have and we have to rapidly get that information out there. notwithstanding recent media reporting we do have robust relationships with private sector, but they will always be governed by the u.s. constitution and the legal frameworks. >> i think this goes back to a discussion we were having earlier in the green room about how much more important it is to detect quickly than it is to prevent. i think that if we help companies and firms to put in
11:52 am
place detection mechanisms and know what to look for i think that makes the response -- brings the response time cycle much smaller and i think that is where we need to focus resources and assets because we will never be able to prevent; even yahoo! and linkedin and these really big corporations are vulnerable. it goes back to knowing yourself and knowing your enemy. know what those who would seek to harm you would want and then you can put a plan in place that prioritizes protection and the detection, reconnaissance and surveillance of your own network to know where to put those resources. >> i think a critical word that was stated earlier and should be talked about is resilience. a good business continuity plan and testing of the continuity plan is essential. at johnson & johnson we are all over the world. there is a hurricane bearing down on the southeast right now
11:53 am
and of course we are going through different procedures and protocols that were all tested in the past and we will be successful in sidestepping that risk because we practiced before, we have a solid program set up across all the business lines and all of the nations we do business in to have either a tabletop exercise or a recovery type exercise. a common framework to test our protocols and standards and practices and to allow us to remain available. if we are not available we are not going to be able to do our jobs. it also increases the security as well. we see where improvements need to be made and then we can focus our efforts on improving those. >> we talked a lot about how u.s. businesses and u.s. critical infrastructure is in some ways insecure and often in
11:54 am
this type of environment there is a lot of hype and rhetoric flying around about fear and paranoia. can you cut through that and give us a big picture take about where u.s. readiness stands in relation to other countries? >> i think we stand -- in pretty good shape. i have served in the air force now for over 20 years so i have a government perspective. i am a part of the national health isac board of directors so i understand how we are working across companies and i have also been a part of several different industries in health care, finance, and technology and i think there are great partnerships, public-private partnerships that are in the u.s. and actually i see expanding internationally that i have been a part of and have the
11:55 am
experience to share best practices and attack signatures and vulnerability information with these partners. it may seem simple to say you just need to communicate, but the what is one thing, how you go about doing it is a completely different dynamic. organizations such as infragard, the critical infrastructure isacs, and isaca, their mission is to increase resilience of critical infrastructure and the companies associated with them and bringing together the public-private partnership that is essential for making sure we are secure. >> i think the u.s. is actually much better primarily because we are better resourced to do that and this goes back to the same problem we had when you have
11:56 am
countries that are struggling to feed their populations and to keep social unrest at bay, they do not put resources toward securing critical infrastructure, which we advise a lot of our companies that are multinational and global that this is a problem. if you're looking to expand overseas it is something you need to take into consideration in your risk management plans. i feel like the united states is definitely ahead of our peer competitors, but only for so long. i think some of our peer competitors will catch up to us soon. we have businesses that rely on critical infrastructure of those countries. >> can you give a concrete example and to what extent does the lack of readiness in other countries provide "an opportunity" for american cyber
11:57 am
warriors? >> i think that some examples would be places where we rely on electric and data grids in -- there are so many of them, africa, we have companies that do mining and extractives in several african countries and they do not have the resources to put toward protecting their electrical or their other critical infrastructure, water supplies, anything that these companies need to conduct business and some of them, if you shut them down for a day they will lose millions of dollars to bring things back online. some other examples would be, we were talking to potential investors that were looking at potential opportunities in cuba and cuba is another country that
11:58 am
has excellent cyber capabilities, but they do not feel that they are a target so they do not spend a lot of resources on protecting their critical infrastructure. if businesses or investors wanted to invest in cuba we would definitely say it is a risk. >> i wonder if we can talk a little bit about your work in public-private partnerships and tell us a little bit about -- it is kind of a buzzword and often it describes an ideal and aspiration. what does it actually look like? what are the nuts and bolts of making that work? >> in cyber it is the willingness to step out early and step out often on the private sector and the u.s. government. what we have learned in the last five years is that sharing threat indicators two weeks after we see them is no longer acceptable. if you look at the apt where adversaries are able to gain a
11:59 am
foothold in a corporate network and quickly enumerate the hosts and escalate privilege and move laterally, that is significant and it can happen in two weeks, so the fbi in partnership with the nsa and our partners are now rapidly declassifying sensitive indicators and getting those out to the private sector. we also have to get the information from private sectors because cyber is a little bit of a puzzle and being able to see the malware on networks, extract that, analyze that quickly is key to protecting critical infrastructure, fortune 100 companies, small and medium businesses. the cyber division has developed a cyber operational engagement division and we are charged with operationalizing our relationship with private sector. we also have an infragard program. it is an fbi partnership with private sector nationally across the board to be able to share information quickly and rapidly.
12:00 pm
we are partnering all the time. we see that with ransomware and if we do not partner we will lose the battle as opposed to gaining footing. >> you also manage a database that solicits information from the general public. >> it is our national reporting mechanism. we get tens of thousands if not hundreds of thousands within a week and we get that information rapidly, but we do not get enough, so cyber reporting is underreported, so we are helping to get a better optic into the trends. >> thank you so much for joining me and now i will be joined by my colleague onstage. thank you so