economic change in saudi arabia. 12: 40 5e returns at p.m. to consider consideration of the deputy director nominee. on c-span3, a hearing on what is ahead for the fbi headquarters and plans to build a new building on the current site. >> cybercrime is estimated across the world economy $600 billion. a report offered by the strategic and international studies and security software found thatfee ransomware is the fastest-growing cybercrime, with russia and north korea being the world leaders in malicious cyber activity. examines the issue officials from the homeland security department, the fbi, and mcafee. it's one hour, 15 minutes.

>> thank you for coming out this morning. welcome to csis. we are missing one of our speakers who is caught in traffic. we will be respectful of your time and start and he will hopefully show up while we are still talking. third report the we have done with mcafee on the cost of cybercrime. scoped cybercrime by looking at other major crimes like narcotics, piracy. they used the u.s. as a test case because we have relatively good data. they said if we were going to estimate of global cost for cybercrime, where would a fall in the range of things -- it fall in the range of things, and where would it come out if we used the u.s. as a model? the second report took the lessons from the first one,

which involved lots of interviews with intellectual property lawyers and law enforcement officials. and it tried to come up with a global estimate, so we collected data on a number of individual countries. in some cases, we used interviews with law enforcement officials or intelligence officials that knew about csis. >> that when came up with a global estimate using the model we created the first report of about $450 billion, the global cost of cybercrime. i'm going to give you a single number but, of course, you know , we used a range. the low was $390 billion and the , high was about, the midpoint was $450 billion. it seemed like a safe bet compared to other crimes we looked at. this is at the report and so at mcafee would look at what's

changed, right? there's been a steady increase. in fact we did the numbers we , thought this can't be right, so we did them again and it looks like the estimate we came up now at $600 billion, which is a significant increase over a little more than two years. one thing that surprised us and the other speakers will talk about is the inventiveness of cyber criminals. the guys who are the best at this got the top of their game automating what they're doing, coming up with new techniques. they are doing things that we didn't see 2.5 years ago, three years ago. one of the big changes is that it looks like the fruit of cybercrime is easier to monetize it than it used to be. one of the problems is i might get your data, i might get your financial data, your intellectual property. how do i turn into cash that i can use? in the past, there was this complex system of mules and people going to atms and the mules would be sacrificed sometimes, and it wasn't a very effective system. it looks now that using the

the network,f tor, and digital currencies, it is easier for cyber criminals to monetize what they steal, so that's part of the reason we think for the increase. the other thing we noticed was when we went to and talked to people when you went through and , look at the numbers state , actors have turned to cybercrime. one you probably all know about his russia. but the report in the past probably underestimate how significant the russians are, particularly for financial cybercrime. these are organizing groups. they are very skilled. there are gangs that are better than most nationstates when it comes to hacking. other law enforcement

intelligence officials told us there is roughly 300 people in the world, most of them are russian-speaking, who are at the epicenter of cybercrime, the high end of cybercrime. if you are a criminal, and you live in the west there's a good , chance you'll be caught within two or three years. but he to live in one of these sanctuary states, you can continue to refine your art. the other surprise, the other change, which has been in the press often is north korea. the north koreans develop ed hacking capabilities for political and military purposes. probably about five years ago . they were able to start doing impressive things using malware from the cybercrime black-market. and at some point, some genius in the reconnaissance general bureau figured out, hey, you know what? we can use the same malware. we are breaking into south korean banks to cause annoyance and disrupt services.

we can use it to steal money, and so north korea has found cybercrime to be a good way to fund -- the north has been involved in criminal activity for decades and it used to be gambling, counterfeiting $100 bills, but one that one of the reasons your $100 bill looks different is because the north korean fakes were so good you couldn't tell them apart. drug smuggling, illegal hardwood smuggling, they did the range of typical crime and they moved those criminal activities into cyberspace using their new capabilities. and they use, they're good at bitcoin, and they found that to be -- it's now, one interview, that's interesting i just got invited to give a lecture, a series of lectures in pyongyang on bitcoin. should i go?

it is your call. there are still states where it is safe. i will put a caveat on this. everyone said the same thing. countries need to take this seriously. can not get a good estimate of cybercrime. people don't collect it. so we use our model based on gdp and data we were able to find. we were able to find some data on about 20% of the countries in the world and use that to come up with estimates for the rest. we relied heavily on the reviews officials,n

including asia and europe. and in south america and brazil. we use that as a basis to create a model. we came up with a $600 billion estimate. theinteresting things here, importance of tor and bitcoin and the inventiveness of cyber criminals. some are really good. i will turn it over to tom who will introduce our other speakers and we will take it from there. hopefully by the introduction the other speaker will be here. >> very good. it is a pleasure to be here. we have worked for well over five or six years with you and the institute in the center for strategic and international studies. it is ranked on a regular basis by the university of

pennsylvania doing their annual review of think tanks on a global basis as the number one national security think tank in the world. we take great pleasure through our academic offerings to support think tanks that are doing innovative, important work in the areas of cyber security. pleasure to support now our third study with cii yes and -- ciis.-- see iis gannon, the chief policy director. it is a pleasure to serve as a moderator. -- tom gann.

howard marshall is the chief security rector for the fbi. supportsapacity, he the cyber division's mission to identify, pursue, and defeat those who are targeting u.s. assets. by the way, we worked with the fbi and found them to be top-notch in the area of cyber security in terms of analytical capability and technology deployment. own seniorr very vice president and cto. he runs the technology strategy for the company, the direction to drive our technology and smart connected devices and infrastructures worldwide. he is the holder of 24 patents.

what is interesting for me is the last thing i looked, it was 20 patents. so congratulations on the next four you have done. >> thank you. >> so, without further a do let's proceed. from an fbi and governmental point of view you have seen the report findings. we are discussing them. had you see that trend lines, particularly in the area of innovations the cyber criminals are engaging in to up their game? it thank you for your kind words about the fbi department. i can tell you as far as the are --ine goes that we

struggling is not the right word -- we are learning very quickly that our organizational chart in the fbi has been around for decades might not be prepared to it is the problem as expanding. like are noticing places our criminal investigation division, counterintelligence, counterterrorism, the cyber division is expanding rapidly across these different disciplines in the organization so we are having the kind of recalibration of how we look at the problem. how we address it. again, the trend line is this situation getting worse, not better. a lot of that is through the advancement and integration of technology into cybercrime. we have it butt criminals use it to make their lives easier. up ways tore looking

make their jobs easier. they have already begun to identify things we're already using to use against us. and thention iot devastating impact that can have. we talked about ransomware and business emails compromised and the use of artificial intelligence, machine learning, to better identify potential victims. we are saying all of that. the trend line is not moving in the right direction for us. i would also tell you that we as a country, at least united states, we tend to think about cyber security is an afterthought. we want to get the machine of the box, plug it in, use it for whatever we want to use it for without thinking or considering the long-term ramifications. to talk toportunity

the small business committee in the house and i was encouraged to see her are taking this up and trying to push that message out. a lot of it is awareness. beyond awareness, following three. the trend line is moving in the run direction and we are looking for allies. vein, you have the honor of managing a team of cyber experts and analysts on a global basis. the report takes a look at technology trendlines, innovation. how do you compare the report findings relative to what you and your team see every day. >> one of the things we see is the bad actor community is able to take advantage of all of the innovation happening within the technology industry. so we see tremendous innovation and things such as artificial intelligence, which has become a mcafee as asset so

well as others are using machine learning. as well as other ai techniques to build cyber defense. it is a great technology for bad actors to either identify victims that will produce higher returns on the investment of the criminals or identify weaknesses more effectively throughout a potential victim environment. really looking at technology as not having a moral compass. if you look at the report, a lot of the foundational technologies were built for legitimate purposes. so whether it is using thatption to protect data is now being used to hold data for ransom or if you look at the toward network, originally built network - tor built forriginally

other things, becomes the perfect technologies for bad actors to hide their infrastructure or enable cyber criminals to conduct operations where it is much more difficult for law enforcement to track down the bad actor community. or if you look at crypto currencies. crypto currencies can provide to society ande reducing the cost and overhead of financial services by enhancing trust. it it also becomes a perfect means for cyber criminals to mask where funding is being transferred. the innovation within the sub communities to build off of a capability and tailor it for cyber operations has been what we have seen and what the report

calls on. for example, with crypto currencies we have seen new capabilities such as what is called tumbling. the ability to make it much more difficult to track bitcoin transactions being converted back into normal currencies. trackforcement is able to down bad actors. we are seeing innovation where new forms of crypto currencies are being created with the intent to make tracking transactions more difficult. so when we pick about innovation, we must always recognize that as defenders in the cyber security industry we benefit greatly by new technology but we also recognize that our adversaries are using the technology to their advantage just as well.

greg is very good. jim, you have uses and three reports. where do you see the trend? eight ability to you cyber security is a hallmark of cyber criminals. phenomenonark web created a safe space basically for criminals to operate. we'll talk more about what people can do about this but between as howard says, people just wanted out of the box and to plug it in. see some of the things that can find

vulnerabilities, the number of people have moved beyond password. 2345 is their password. that is most popular. are people who buy devices where password is hardwired into the and you can't change it. so once it is tracked, you are vulnerable. we were surprised. we are not expecting this dramatic increase as we found. >> one of the things that fascinated me about the report was the role that major criminal organizations play in cybercrime and indeed, the reality that there are top-end national actors involved and that you also see the influence of those parties working together.

jim, for you, and also for the rest of the group, how do you view the countries that seem to be the most active and what are the implications of that for policy-making it general? jim: there is a good correlation for how good your law enforcement is and how strong your cybercrime factors. so countries with weak law and horsemen either intentionally like north korea or in places where they struggle, like upsurge in see a big cybercrime. it has become globalized. find countries around the globe were you have a thriving cybercrime population. it is a question of how effective are you in law enforcement. >> i would agree with that but i would go a step further in the idea that we are struggling with

this and this country. i do not know that there is not a correlation. we brought up crypto currencies and whether or not they are trackable and how easy it is for law enforcement. in the unitedon states, laws. customers. know your you have to have rules in place and help law enforcement do their job. in a lot of countries, does not exist. in places where they don't, not coincidentally, that is where you see these kind of actors. it makes it incredibly difficult. not impossible, but much more difficult than it should be. >> i think one thing i would add that as we see cybercrime in general, nationstates will move inactions that are pragmatic supporting their goals. the report called out that north korea it is conducting

operations against crypto currencies. in the case of north korea, the ability to take crypto currencies which can much more easily be converted into standard currencies to support actions that would otherwise be if a called under the sanctions in place is a very practical mechanism for them to focus on. similarly, if you look at the report calling out the yahoo! breach where there was collusion and therussia cybercrime industry within russia, they were ordered to provide the government with lyrically sensitive data but also provide cyber criminals with content they could fuel monetary cybercrime for that particular group. i think looking at the pragmatism of different approaches that different countries will take will help guide us to what we need to

defend against. >> very interesting. >> one of the other things in terms of an approach that proved to be very effective was the use of ransomware. i know you wrote about how ransomware strategies have been migrating up the valley chain. presentersand other view the ransomware challenge? >> there's a report out. ransomware really is the perfect cybercrime. part of the reason is they model criminaltim to pay the directly. so it takes a lot of the complexity and cost out of traditional cyber data theft types of criminal activity. what we have seen is there is also tremendous >> ability you in the ransomware model. we originally saw a ransomware holding data for ransom.

proliferation of many different variants of ransomware. you can hold services that for ransom.lies on you can extort an individual or company to provide payment and release weaponize data, whether it is really are falsified. so the flexibility of the ransomware model and seeing ransomware move beyond just a consumer problem but also now for businesses of all sizes. we saw earlier this year, small hospitals being held for ransom. providing challenges with access to health care for patients. very large organizations where either factories are entire business systems are being held for ransom. part of the challenges that ransomware is a form of business for cyber criminals creates new

opportunities where we now need to look for criminal actors potentially attacking assets that traditionally worldly interesting to nationstates or terrorist actors. for example, critical infrastructure. there used to not be an incentive for criminal actors to look at critical infrastructure as a potential target, because there is no practical way to monetize it. with the ransomware model, this changes where anything can be help for ransom and create a much greater sense of urgency differentuse in all kinds of sectors. >> i would agree with that. i would answer little bit differently in the sense that our role in law enforcement, get a callwhen we complaining about ransomware, the very first question is, do i .ay the ransom or not

while we take no specific position in companies have successfully paid a ransom and had their data released to them, lot have paid in and never gotten their data back at all. i can sale guide to go to my bigger point, which is about the fbi and federal government engagement on the front-end and the awareness of all of this. we spend a significant amount of time getting out in front of businesses or large or anywhere we can find a group willing to listen where we can talk to them about backing up data and simple cyber hygiene techniques. granted, the bigger you are as an entity, the more expensive it is to backup your data. but by and large this is not -- it pretty much takes the teeth out of ransomware. it is a problem that can be solved. i do not want to blame the job, thet part of our

fbi, is to get out in front of that are help people get out in the front of it by taking care of it before the incident happens. what can you do to make yourself a less attractive victim? technology is making that harder and harder. there are some simple things you can do to look at your likelihood of attack and one of backing up data, having a rapid response plan when this happens. knowing what you're going to do. in 2016, we did business email compromise. out to all of our of us is awareness campaign for small and large businesses. was the special agent in charge of the local field office. the area of responsibility was the state of kentucky said between 4.5-8 million people. not a big state but one of our victims was a small rural hospital chain.

there were 11 facilities all over the state. as you can imagine, and a lot of places, the hospital was the only place the provided health care for the entire community. so if it goes off-line for a day, two days, longer than that, what does that community do? it does have a devastating impact. financially, certainly, but also in terms of life and death in some situations. so engagement for us has been really important. the notion of whether or not to pay, we don't take an official position but we want to remind people if you are dealing with a criminal you want to trust this person. you need to be thinking through that calculation. am i going to get my data back of i pay a ransom? to steve's point, we have seen lots of ransomware variants. there is a demand made and unbeknownst to the person who pays it, they are not going to get their data back one way or

the other. so these are questions we try to get people to think about on the front end. again, 56 field offices were well-positioned to push that message publicly but to the degree that you can guess the worst, that is a different battle. >> one thing that stood out so well the report was the dark spaces. the quiet environment that cyber criminals operate in. the dark web. the use of tactics to cover up their presence. their method. how do you see the law enforcement challenge and likewise, how does technology, how do good guys respond to the technical point of view of that challenge? i think one of the things we technologyognize is

exists that ultimately changes the way law enforcement needs to act in the digital world from what law enforcement is able to do in the physical world. in the physical world, if a criminal has documents and the fbi has a search warrant, you are able to go and do what you need to do to venture into that safe. with things like strong notyption, the algorithm is understood -- >> i'm going to crash your party. >> welcome aboard. -- there wasesting protesting around the white house and i could not get here. >> we're talking about the technical challenges that are making it difficult for law enforcement with the evolution of cybercrime and i was citing the example that we need to

think about the differences in the physical world from encryption as a prime example. thestrong encryption, if keys aren't available, it is ultimately difficult or in many cases practically impossible to data.cess to that we have to accept that. similarly, recognizing that tornology such as our -- exists and enables new challenges for law enforcement to work through. we cannot put the toothpaste back in the tube. this capabilities exist and are well understood. we need to look at how to move constraintsn the that exist. >> you mentioned encryption, an interesting topic for the fbi. a couple years ago, our director made a statement, i thought a pretty profound statement about the ibm encryption.

the example that was given was, do we want to build a house that has an interior room that no one can ever get into? i think it is a fascinating conversation. i do not know that it is law enforcement that necessarily needs to drive the conversation but it is absolutely one in the united states and these to be had. are we comfortable with that? are we ready to ignore is the fact that there will be a space somewhere where people can conspire or hide things or do things that just cannot be seen by anyone? i have personal thoughts on that i will not share but i think the country as a whole needs to have a conversation about whether or not we are willing to accept that reality because i think that is a scary proposition. be thep side to that may idea of using encryption to keep things safe, right? the private sector wants to keep things from the bad guy. the overarching thing is

technology and how it impacts law enforcement. it makes it much more difficult. that is unquestionable. and i will tell you, not impossible. everybody remembers silk road. it was not too long ago that we had the silk road investigation. at the time it was the largest -- i callrk market or it a dark market. everybody thought it was really a big idea. last year we had something that made silk road look like highway road stand. right? exponentially larger. but not impenetrable. there still some old-school law enforcement techniques that work. don't just discount the development of human signal intelligence. don't discount the availability of just good old-fashioned detective work and asking the

right lessons and being in the right place the right time and sometimes that means getting lucky. it you make your own luck. it has made our job much more difficult. there are legal considerations the law has not caught up to yet. hopefully in time we will have that conversation publicly and we will get some decisions and clarity. it is important to recognize that criticality of non-technical elements in cyber defense. especially when we deal with issues such as attribution. many times, technical front six alone is not able to -- tactical forensics alone is not able to identify where something came from. we saw great example of that finally being -- attributed to russian actors.

it is the need to combine technical front six with human intelligence, law-enforcement technique and rely on trusting government agencies to make claims on attribution instead of jumping to conclusions based on what something looks like from a technical perspective. >> in the back i see one of the researchers that helped us. you have to look at the criminal people arewhat tools using. it is harder to get into than it was a few years ago so that is a dilemma. you can rent malware programs. you can buy malware. you can buy ransomware. ransomware is a commodity industry. we actually thought it one

point, we are in the wrong line of work. it has become easy now. so finding ways to recognize the commoditization of cybercrime, pretty advanced stuff. it is one of the challenges i think we're going to face. ultimately, both of us decided we would rather be researchers and not cyber criminals in jail. >> good to have you here. john is the head of the dhsto-day operations of pause national security communications integration center. have forur governments cyber security -- hub for cyber security incident response. dhs plays the central role for the u.s. government protecting civilian agencies and managing the outreach to the private sector.

it is a pleasure to have you here. one of the great issues we have not really dealt much with yet is the question of what can government agencies and the private sector due to better protect themselves from cyber attacks. i will start with you on this and that obviously the rest of our analysts will have insights also. >> thank you. this is nothing new. i think basic blocking and tackling is a goods start. vulnerability. keeping up with the latest and greatest in software and hardware development is important. ising attention to what going on around you. understanding where everything is on your network. those are all good starts. i think one of the most important things that we push on this is abasis and shared responsibility with the

fbi and others, is sharing information. when something happens in your spot, just because it happened you does not mean it is not happening somewhere else. so, how do you effectively sure that information so you can be used for others to defend themselves? at the fbi, we have a regular discussion about how we are going to prosecute. fieldis a debate on the level of where that occurs. we make a decision and get on with it. we have to consider all of those things. there are important elements we talk about on a frequent basis. preparing your workforce, a difficult and. a long-term thing in the face of this problem. preparing your workforce not only your cyber defender workforce but it can't just be a we ticked the box and we are

ready to go and there we are. it is constantly revolving and evolving for your cyber defenders to pay attention to what is happening, to understand what is happening, to read reports so they understand what is happening out in the world and have better participation in defense. i think you also have to deal .ith your regular workforce most of the attack vectors we see our human-generated. there is no longer this bad idea where bad guys are going to hack into through some really highly technical means. it is an efficient email. somebody the clicks on the wrong link or website where you get drawn into this website. you click on it. and banged, your computer is uploaded. you need to train both your workforce and nonwork force.

it is important to make sure whether you are a government entity or part of the hybrid sector, make sure to be prepared. you need to talk about what happens when you have a bad day. who does what? is the ceo involved? that is really important. we dealt with a medical facility in the midwest. regional trauma center. and while the national health service was shutting down services, this hospital was only becauseut 85% capacity they had done things like proper patching and vulnerability management. they had segmented correctly. they exercised what would happen on a bad day to include the ceo so they all knew the right things to do so when it happened, they had to segregate

some of their equipment to do the patching on those. the original equipment manufacturer had to do the patching on that but they had set it up so they knew what to do. they did the right thing. they were able to continue to operate. from my perspective, we don't necessarily want to put somebody in jail. we want to allow you to continue to operate, to do your business whatever the case may be. >> very, very good. >> i very much agree with everything you said. recognizing there is always ultimately a human on the other it is not all about technology. new is about embracing technology. and recognizing that bad actors are constantly changing their game plan. they are going to use new

techniques and preparing your incident response teams for a wide range of areas they can practice when it is not a crisis situation. working through some of the that wel challenges know are critical to success. you mentioned threat intelligence sharing as one of the things we need to do better both in the private and public sector. but we need to recognize our challenges in a classic case of what we call the free rider problem. everybody wants threat intelligence but nobody wants to give threat intelligence. so actually working through incentives where you are able to reward the entities for providing threat intelligence for the benefit of the greater good and working through those practical issues are some of the challenges we have. two would follow along with

points. one along the lines of information sharing. information is key for the federal government. being in touch with folks on a regular basis. we have a 501(c)(3) we sponsored for national cyber training. at last count, 156 private entities with their analysts and personnel on the ground with fbi agents and analysts and they shared that information and it open and collaborative environment everyday. we have now opened one in new york and los angeles because they were so successful. waystivizing that in some is hard to do but we want to create that atmosphere and for collaboratively, even if it is just a supporting role that we can help facilitate that. the alerts. the technical indicators.

the indicators of compromise through the products that the government pushes out. to be aware of those things, there is so much out there. you don't have to look that hard to find it. we often joke about how quickly it will end up on the internet. the answer is about five minutes after release. we have to have conversations about intelligence gathering versus remediation versus prosecution and determine how were going back. those conversations happen all the time. there is a lot of information out there and i encourage folks to find it. the other is to tag along, security us a culture. it has to be more than simply that we are going to make a one-time investment, spend a certain amount of dollars and then we are safe.

it is an ongoing routine that needs to be embedded in the culture of the entity. security cannot just be an afterthought. business.st of doing if you are a transportation you drivers. this is something you just have to do in your ordinary course of business and i do not think enough folks think about it that way. and centralization is really hard to problem. everybody gets incentivized differently. we have taught about how to incentivize the information flow that comes to us. we really still don't have a very good answer. we are trying to figure out some kind of scoring information. people who are part of a particular program, if they are we participating in a way

think is useful. i think that is something that will be grappled with over the next couple years. the other thing, lots of stuff out there we are really taking a hard look at what and how we push information. it is great to really broadcast information. there are certain places that do that and it is fairly effective but we are looking at, how can we make it more effective and targeted so you don't really have to go looking. if you are really enjoyed, which a lot of cyber folks are, frankly, how can we do it so that you really do not have to look? we could deliver something that is useful to write away. we're still not there yet but we are having a lot of discussions about what that means. one thing we have is we've reduced our product portfolio from 20,000 to 12. there was a lot of collateral.

a lot of redundancy is reduced and we're looking at how to even reduce that further so we can be really focused and targeted on the information we push outside think those are two things we need to really think about in the next couple years. ask a couple ideas in the annual doort of what you could about these. first, some points we made earlier. some things we found in 2007. this thing called the verizon reach report. it looks at the most successful breaches in 2007. of those 85% of the breaches required just the most basic techniques. -- 2017, they said something's not right here. we look at international law enforcement cooperation. improve and update the law enforcement mechanisms

and technology? we talked about standardized requirements. ago theyree years major threats.e all of the essential bankers who took that to heart went on to work on how they would regulate their banks. so if you are a multinational bank operating in multinational jurisdictions you might have 20 or 30 different sets of regulations. favorite is if you are a multinational bank, you might have 12 different teams and everyone can do a test on your system. this duplication of your security problems, you finally need to find out a way to

grapple with this. that is a hard problem is we all know. we have narrowed it down to the hard-core. i thought it was interesting, we found, it was a little bit of a tribute to the fbi but u.s., canada, the u.k., cyber criminals it takes some about three years maximum which means if you go into this and you live in a country where there are good technical capabilities there is a good chance you are going to be prosecuted and in jail within three years of starting to do something. there are two problems with that. a lot of countries don't have the capability so cyber criminals might know that. the second is the volume is so huge. we talked to one of the biggest field offices, we have a million dollar threshold. atis too much to look anything below $1 million. this is wild. the crime is overwhelming.

my advice, if you're a cyber criminal, don't live in the u.s.. >> adding on come i think it is important to recognize the underlying dynamic of cyber cybercrimeen by the market. it is a lot of what drives the second market supply chain. the ability to have markets for malware, markets for the operation of other infrastructure that can be rented by cyber criminals. when we think about how to fight back, if we understand it is conditions that are driving cybercrime, we can look thoseys to disrupt markets. when we think about intelligence sharing, the way i think about it is it is not so much about stopping cybercrime but forcing the bad actors to shift investment from operational

r&d.tion into so if his cyber criminal has to constantly change their technique for executing a criminal activity, the energy they are using to do that constant retooling otherwise could be spent on executing ofme against broader segment victims. so really thinking about the market dynamics that are the underpinnings of cyber crimes can be part of the solution. about nine: dirty. 9:30. >> you have a good panel here so i will take advantage of it. >> let's turn it out to the audience. we have such a sophisticated group and washington the covers cyber. i saw you raising your hand.

if you can wait for the microphone and then identify yourself, please. >> my name is tim johnson, i am a reporter. estimate ofives an the law says $600 billion. it contains a mention of the cost of narcotics trafficking. stilly that cybercrime is ranking number three after narcotics trafficking. would you spit ball a little bit -- is eventually cybercrime going to surpass drug trafficking as a global scourge? how are the organizational structures different #is there a problem ask a bar somewhere out there hidden that we do not know cybercrime? escobar out there

somewhere hidden that we do not know about? >> it looks like as long as we continue to rely on a system that is inherently secure, as long as more volume moves on to the internet, people are going to go after it. especially when if you live in the right place, you face very little chance of prosecution. that -- istell you escobar?ablo beingre a mexican cartel run on line? certainly there are aspects of that business and our enhanced online. but you don't need to look any further than the man who ran alfa bank. you don't have to have a organization to support you if you can hide in the shadows and off seascape who

you are and what you are doing. obsfuscate who you are at what you are doing. we have to change how we are structured. what do our agents know about the crime problem? how are they prepared to handle it? it is absolutely changing the game. >> one of the things important stilll out is there are countries that are just now becoming technically adept and are going to be the future victims for cyber crimes. populationwth of the of the country's victims, along with the lack of requirement doors physical -- requirement and physical limitations. i think it will continue to grow. that growthound was

is fastest in the countries coming online, the developing countries. in the value of the crime is much lower. so higher rates, lower loss. that will change. is patrick. i'm a student at georgetown university. a question, has there been any thought into what the constitutionality of cyber crime is as far as convicting people? >> as far as convicting them? >> well, the constitution as far what establishes cybercrime? cyberspace? >> there are no laws we used to people.and try

hopefully, convict them. there are certainly constitutional and suppose we have to adhere to in cyberspace. it is really not any difference. difference in the fact that the fourth amendment protects us all from unreasonable search and seizure. the internet is no different. my worry is about of freedom of speech type deal. first amendment. there has been some talk about what you can and cannot do on the internet that constitutes freedom of speech and such. does that make sense? >> it does, but that might be a little bit out of my area. >> i do think we need to think about the physical world in the online world differently, especially when it comes to things such as self defense. in the physical world, if an individual is being attacked they can defend themselves. part of the challenges if you take that analogy and moved into

the cyber realm, if the company they tracktacked and for that attack is coming from, and all likelihood they are being attacked by a number -- another has been victim that has been compromised. nuance ofzing the defending an organization by looking at who is attacking you is quite different from that digital world. >> back to the panel then i will move back over to the audience. i think you raised and interesting question that reminds me of the debate on cyber security. on one hand, so often in our public policy dialogue, those concepts have been in conflict with each other yet on the other hand, to deliver good privacy, to deliver the right kind of attention for individuals you also need strong cyber security. how do you see those models that of the views of those in

the conflict moving together from up policy point of view? good cyber of ways security is good cyber security. you want to protect your data if you are our company or even an individual. that will reduce the risk of you being a victim of cyber crime and improve your chances of not having your privacy compromised by criminal activity. so the yahoo! accounts, 3 billion people. that is a strange one because it was a cyber criminal working on behalf of the russian state. the data he took was used for both criminal purposes and for intelligence purposes. he was sort of the all-purpose criminal.

but if you don't start protecting your data, your at risk.s going to be >> i think we need to recognize that the technology exists to protect. it becomes impossible to restrict using those technologies for criminal purposes because the technologies are already in the public domain. so i think when we think about looking at policy items that would potentially inflict the access to get better the system that the general population uses, we need to recognize that it will likely simply push bad actors into using other tools, other implementation of very well understood technology that can protect. i just think that is something we have to recognize. the legislation

in the e.u. escapes me but i believe it comes online this month or next month. we do not have that yet in the united states. highly reputed to have legislative attempt at convincing people that cyber security is important. i do not know if we are standing around in this country and everybody is looking at each other wondering who is going to do note first move but i think anybody thinks legislation is right way to go but if we wait around long enough in the industry does not figure out how to police itself my fear is it is going to be the knee-jerk response. i should not say knee-jerk because we are standing ron kind to figure it out but i think it will be interesting of the next few months or year to see who will pay most of the global revenue is the penalty for a breach there are a lot of companies over there. a lot of money. >> i think on that point,

similarly we need to recognize thatwe do have legislation provides access to secure data. that sets a precedent that many other countries around the world can perform similar actions and we may not be as comfortable are coming outt of various parts of the world that we could do better here in the u.s.. >> very good. gentlemen, raising his hand. thank you. i'm from the russian embassy. so first of all i would like to point out that once again, without any proof russia is called a bad actor in cyberspace. what if, if the united states is call into thei latest report of the white house.

counsel of experts. countries of the the world who accounted for 96% espionage was united states. in this regard, i have a question. concerned, why has the government of the united states declined all the [indiscernible] -- >> jim, you have worked this beat for quite some time. one first.ake this no, i think there was interest. as you know between united states and russia, there was relatively successful prior to 2016. so they had regular meetings.

they had a hotline. they had an exchange of doctrine. fell off thef radar in 2016. i do not know what they rescinded. that would be one of the things to look for in the future. thet now, with all of turmoil in the bilateral relationship, it is hard to see how you could ever useful exchange. i always thought the hotline was kind of a dumb idea. it's a left over from the cold war. a lot of those who do this are sort of cold war negotiators. calls on the line and you say, was it you? they will say no, it was not me. if they did do it they would take no, was not me. one of the questions would be , asia's proposal in the u.n. code of conduct, some sort of

open-ended workgroup. russia has been very active bilaterally. add i think the report does call out the example where the agreement between thea and -- on restricting -- of cyber industrial espionage recognizing the espionage of a modern, matured nation is going to be active and actually separating those two realms can help in looking for ways to decrease the criminal elements worldwide even though they differ in other ways. like the indictments.

i think there were good, solid indictments. all of us have been in the indictment business for a while. it is pretty solid stuff. so, you know that is going to be one of the obstacles we will need to get out of the way. the indictments, i found them compelling. cases, justicen does not like to go forward until they have enough forward -- evidence that they can go forward in court. with any can go forward indictment, based on what i thought was a pretty good investigation, that means they're confident that should the case of her come to trial they would be in a position to win -- should the case ever come in aial they would be position to win. what they looked at were 200 cases, they found five they thought would be successful if

brought to trial, right? this is a very complicated process. i thought the indictments, the recent indictments were very powerful and that is one of the things we have to deal with. >> this is a good come of broad-based dialogue. just the kind of thing we all looked forward to. the gentleman over here with his tag.aised with the blue >> yes. through the study did you find a threshold for investment to substantially reduce your threat of being a victim of cyber crime ? you talked about patching. avoid the vector, what you think is a legitimate patch being the vector for cybercrime?

--ist you want to take that >> do you want to take that? >> i will take that. what we need to the about with patching is every organization has to look at the risk associated with patching and not patching. the that are resolved through a pats. as you will,assing potentially, that are critical to a business, and the risk of not patching is that you are vulnerable to the cyber exploitation. one of the reasons i believe acry was so -- wann impactful this year was there has not been a high volume worm for some time. the i.t. industry has been conditioned that there was very little penalty for delaying patching, and they did not necessarily recognize the risk of not patching.

if you put a pot on the stove and go to work, your house probably will not burn down. you can do that every day of the year, and luckily, nothing bad will happen. that does not mean it is a safe practice. that is the trap that id fell into, over the last decade there was really no penalty for delaying these patches until we saw a self spreading worm, as we saw with wannacry. thing, it on the key is a risky decision. at this point, it is mostly based on cost. it is a cost model risk decision. equifax, should they have patched? we see now that they probably should have. but they made a conscious decision not to, for whatever reason, and that is the complacency that we have now because we have not seen this

before -- sorry, have not seen it happen recently. it will always be a balance between what is the cost versus doing it or not doing it. , iwe are close to 10:00 now think we have run over a bit. i urge that we take one final question and call it a day. you, sir? so usually, when i talk to people about cyber security and in the context of internet connected devices, everybody says so what if they get my data? so what if someone is eased dropping on me and my wife discussing what we need to buy for tomorrow or picking up the kids? what do you say to that? >> i think one of the most dangerous things about consumer is that they can be

breached in order to be turned into weapons for an attack. this is what we saw with the attack about a year ago, where the objective of reaching those thoses was -- breaching devices was not about getting devices, butof the taking all of the smart connected devices around the world and using them as a weapon to, in that case, target the underlying infrastructure that ran spotify, twitter, some of the other key sites on the internet. i think we also need to recognize that some of the new forrcrime models allow incentives that would drive criminals to look at these devices. if you can hold a smart tv for hey,ge and basically say $100 in bitcoin to get access to your $2000 television back, that becomes a reason for a bad actor

to go after those devices, where they would get paid rapidly without having to sit through the hours and hours of mindless banter that they would otherwise be ease dropping on -- eavesdropping on with the consumer devices around the world. couple ofthe recent months, we are seeing not just for example, accounting systems that are infected with a script that uses up all of their cpu, and they come crashing to a stop. bitcoinose for that is mining, or crypto currency mining. i think the next step is there will be some of those scripts built into iot to significantly grow the population of cpu power, if you will, that is used to mine crypto currency.

>> i would maybe take a slightly different tack. it is always difficult for us to say this to people, because you do not want them to go crazy with the notion of oh my gosh, and i really at risk -- am i really at risk? but talking about when you are going to be picking up your child -- johnny will be sitting here by himself from this time to this time, when are you going to go get him? i mentioned about 45 minutes ago the security of a culture, that way indo not think that their homes. if they are sitting in a restaurant or public place they are more guarded with their conversations, but at home is a place when you feel comfortable to be who you are and say what you want to say and have those conversations that carry over several different threads in several different rooms. again, to be individually

tolized or to be breached cause some harm to the user -- that is our biggest fear. we do not want to see mariah, any more iot attacks, but the idea that someone could use that to geo-located child, that should be a concern. what difference does it make? you tell me. the risk regulation is what it boils down to. i do not have one. i will leave it at that. good, i think this was a fine discussion. first, i wanted to think you -- jim, and your team of scholars for what was a very substantial report. you all for, thank attending and your contributions, and our other panelists, thank you for your insights and work. mcafee, we take pride in supporting academic research of this kind to further the technical and policy discussion

on cyber security so we can end up in a much better environment that is much more of a win-win situation. it is a long march, a hard march, but something we are dedicated to. would like to conclude our discussion and wish you all a good day. [applause]

[inaudible conversations] [captions copyright national cable satellite corp. 2017] washington journal, live every day with news and policy issues that impact you. coming up this morning, we will talk about the legacy of late reverend billy graham and president trump's relationship with evangelicals with tony perkins. and then we are live in santa fe, new mexico for the next stop

on the c-span 50 capitals bus tour. joining me is governor bill richardson. speaker of thes house will be on to discuss how national issues are playing out in the state legislature. watch c-span washington journal at 7:00 eastern this morning. join the discussion. >> live wednesday on the c-span networks on c-span at 11:00 a.m., members of congress honor the reverend billy graham at a memorial service in the u.s. capitol. at 1:00 p.m., a house energy and commerce subcommittee looks at efforts to combat the opioid crisis. on c-span two, at 10:00 a.m., the atlantic council hosts a discussion on social and economic change in saudi arabia. at 12:45 p.m.urns to continue consideration of