On behalf of my friend and colleague, Jamal Khashoggi illustrates a commitment they have made personally, which all of us feel very grateful for. I wanted to share that with you. Today, we are going to talk about cybersecurity, interference in our 2020 presidential elections, and an innovative new way of trying to deal with that, and we will talk with two of the people who are most familiar with these issues. First, the former director of homeland, Michael Chertoff. Second, the former director of national intelligence, James Clapper. Each knows cyber and these and the difficult political and legal background as well as anybody. I want to start with a question that is on everybody's minds. It involves the question of interference in our elections. This is the complaint that has been raised by the still unidentified whistleblower whose complaint is before the House Intelligence Committee and is the subject of an intense discussion. Without asking what you think about whether the president should be impeached, I want to ask you the baseline question, whether you as experts in this area find the whistleblower complaint, which we have now read, urgent and credible. Those were the words used. And whether you would think that it ought to be investigated to determine whether it is accurate. Maybe I should start. I am very familiar with the Intelligence Community Whistleblower Protection Act and the complaint submitted with it. Of all the whistleblower complaints I saw during my 6.5 years, this one was the best written, best prepared, footnoted and caveated. As appropriately it should be. The law prescribes that once a whistleblower complaint is submitted, it goes directly to the Intelligence Community Inspector General, which became statutory during my time and accordingly, it acts independently. The Inspector General makes a determination, is the complaint credible. I do not remember having any one that was declared to be urgent.
The whistleblower complied meticulously. For me, it was one of the most credible and compelling such complaints I have ever seen. Should it be investigated? Absolutely. That is the whole premise of the Whistleblower Protection Act. A serious credible threat complaints of wrongdoing should be accordingly investigated. Mike, what is your feeling about the same issues? Should be investigated? I cannot judge whether it is credible because you have to determine what the basis of knowledge is. Were they in a position to know certain things? There will probably be other people who will have to be talked to. Obviously, it is a matter of significant concern. Any investigation ought to be dispassionate, fair, thorough, and expeditious. What should not happen, people announcing the result they will get before the investigation is done because that impairs credibility of the whole process. To be clear, the law stipulates a period of 14 days where the Inspector General can investigate the allegation contained in the complaint. That was done in this case. There was within the time limit of 14 days a corroboration in the IG's mind before he forwarded. Let me ask you, because you were in the position the acting DNI found himself after taking office, he made a decision when he received the complaint from his Inspector General to go to the White House, White House Counsel and then to the Justice Department, the Office of Legal Counsel. Part of thetions whistleblowers complaint. Do you think that was appropriate? He was in a tough place. Acting director of national intelligence for about six weeks. This arrives on his doorstep. I have been this is beginning to be an FAQ. A frequently asked question. I think institutionally, Joe did the right thing. The problem, by consulting with the DOJ and White House, and there is a genuine concern about violating executive privilege. He does not have the authority to waive executive privilege.
You can argue until the cows come home, is that the right thing to do? He is consulting with an element of the government implicated in the complaint. That is a judgment call that he made. If it were me, I do not know what I would have done. I trust that I would have had an expensive and deep conversation with my counsel about the pros and cons of doing that. I am sure Joe did the same thing. Mike, I want to ask you about a question becoming more central. That is, how can Congress compel testimony, either through subpoenaed witnesses or depositions, other documents, in an investigation that it deems essential but where administration officials are holding that information? What happens next? What has happened in the past, when you get a subpoena, even if Congress wants you to testify, they hold the power of the purse through appropriations, officials go along with it because the sanction they face is, the money gets cut off. If you are going to be technical about it, the subpoena would issue, and if someone failed to appear, they would go to court, Congress would go to court, get a court order mandating the person to appear and if the person still fails to appear, they would be held in contempt of court. The other possibility, someone could appear and decline to answer certain questions on the ground that they are privileged. That gets you into some tricky legal issues about whether Congress has the direct ability to impose contempt or whether Congress has to go to court. As with most things in the American legal system, you usually wind up with potentially extended litigation because you deal with unprecedented issues and that means everybody will wind up being careful about how they deal with it. Would you guess, based on your experience, that this issue will end up in the Supreme Court? It is quite possible. Everyone remembers back with the Nixon case.
The court, given its schedule, only has a certain amount of bandwidth and in some ways, by the time it gets up to the Supreme Court, you are talking about months having gone by. There may be a tension of the tempo of these investigations and the tempo of the court system. We have not yet been a concrete dispute that is right for court. I want to turn to our main subject of political interference going forward in the 2020 elections. I want to invite our audience and also watching this live, if you have questions, you can send them to me postlive. In theory I will see them here. Let me ask Jim first and then Mike to give us a sense, as we head toward 2020, of how well prepared you think we are to protect our elections from the kind of interference we have seen powerfully in 2016 and 2018. Having happily left the government, I still do not know. It is my impression that a lot has been done among the key federal agencies, FBI, Department of Homeland Security, National Security Agency, all of those who are stakeholders. I think a lot has been done over the situation where we were in 2016. You have to remember, our voting apparatus is very decentralized. It is done at the state and local level. I was really taken aback during the 2016 and what we were seeing the Russians doing when Jeh Johnson reached out to election commissions at the state level and got a lot of pushback. We don't want the feds messing with us, sort of thing. That, imd all confident a lot has been done to make it better. If I may make a point, whenever this topic comes up, securing the voting apparatus, that is important. But that, to me, is one been of the problem. The other is intellectual security. Meaning, how do you get people to question what they see written on the internet? And this is where the Russians exploited our divisiveness by using social media. So that part of the problem I'm not sure about. Mike, let me ask you the same thing.
How vulnerable do you think we are heading into 2020, whether the resistance that Jim describes to federal help, whether that is changing? And also, maybe on the broader question that Jim raises about the way in which our information space as a whole is contaminated. I agree with Jim. The federal government has been much more active and the states have been more willing to accept help. I also agree that the machines themselves, in some ways, are the least vulnerable because they are decentralized and they are normally not hooked up to the internet. To tamper with them, you have to have physical access. The greater challenges, the registration databases, tabulation databases, and all the infrastructure around voting, which includes, is your power working? Is transportation working? These issues require not just preparing to raise your level of cybersecurity against hacking but it also means resilience if there is something that makes it difficult to vote on election day, either the database goes down and you cannot verify who is entitled to vote, or the trains stop running because of a cyberattack, is there a plan for what you do next? That is the essence of resiliency. You have to make sure you know what the plan is and you have the authorities and the capabilities. That is an area we ought to look at. Disinformation. I think this is a challenge that is broader than the election itself. Obviously, one of the approaches that the Russians and Chinese also take to geopolitical conflict is the information space. Active measures. If you can disrupt the unity of effort of the United States or Europe or other democratic countries, then you win without firing a shot. People do not trust each other and they do not trust institutions. I think that is what we have seen over the last 10 years. It goes back decades. What has changed most recently is social media and the ability to manipulate that to draw tailored messages to particular individuals.
That's an area where I think we are still trying to implement standards and approaches that would mitigate the effect of that. Job number one is to get people to be critical in their thinking when they see a story and not simply accept it as true because it's on the internet. This point you both have discussed, the more that we talk about the insecurity of our election systems, the more people have it in their mind that there is something wrong here. A friend who runs cybersecurity for one of the big social media companies sent to me recently what the Russians really are doing is weaponizing uncertainty. The very fact that you are uncertain whether the systems may be attacked leads to less faith in the outcome. I think it's one of the hardest questions there is. Is there any way to reduce that weaponized uncertainty that is appropriate for a democratic government? One of the points that has been made repeatedly, you need to have a verifiable system for actually getting voting. Whether it is a paper ballot or various kinds of tools being developed that would encrypt a copy of the ballot, the ability to ensure people that if there were a dispute, it might take a little bit of time but you could go back and you could actually manually count. I think that is an important confidence building measure. Any thoughts, Jim? I do not have any silver bullet suggestions other than imploring people to think critically, try to corroborate information they are absorbing. Pick and choose your sources. I have often fantasized about some sort of national fact checker. Unassociated with the government perhaps. I don't know quite how you would constitute this. The fact checker would be seen as universally credible. Verifyy like that could or refute what is being said particularly on social media. It's tricky. We do not want a single authority telling us what is true and what is not. That sounds like Big Brother. I want to get to something that is encouraging.
It is a creative effort to deal with this problem and draw the public in. It is called the cyber dome and maybe I could ask each of you to explain the basic idea of this, what sorts of services cyber dome will offer to candidates around the country in 2020 and for many years to come. I was approached by this group, which is a group of citizens, public minded citizens who have aligned themselves with cybersecurity experts and have put together an organization which is designed on a bipartisan basis to support and assist campaigns and the two national committees to secure themselves. They are seeking funding outside the government. Mike and I were both approached about it and we are both serving on their board of advisors. We have had campaigns hacked for years. In 2008, campaigns were hacked. What was different in 2016, not only were the campaigns hacked by foreigners to see what the campaign was thinking about but actually some of the content was disseminated by the Russians and put out there in the runup to the 2016 election in a way to try to unnerve and demoralize the Democratic Party and supporters. That took the weaponization to a new level and part of what we are trying to do, get the campaigns to raise their game when it comes to protecting against these kinds of intrusions which can be weaponized. I urge people to take a look at what the cyber dome is proposing. It is a creative idea. It is not the government doing it but the private citizens in a way that should make it easier for people to help. As we think about how we will protect our democracy, which turns out to be more fragile than we realize, is a pretty good idea. I am pleased to have these two people associated with it here with us. I want to ask another question. It lurks under the surface of our national debate and it is a hard one. There are a lot of people out there, it is clear, who think there is something they call the deep state.
They think of people like the two of you, experienced national security, no criticism intended, but they think of experienced national security officials, people like Jim Clapper, who served over 50 years as an intelligence officer. They about the U.S. attorney who's seen every part of our government. They worry that you have got a kind of hidden hand on the nation's steering wheel. That surfaced in the whistleblower complaint. A could be really interesting for people, could you respond from this long experience you have had to this argument that is out there. What is it that you want to say? I never heard of the term deep state. Bliss byas an ignorant never heard of it until the campaign and afterwards. Allegedly this is a conspiracy of career government public servants who somehow organized themselves into a conspiracy to undermine or overthrow the president, which on its face is ridiculous. The Intelligence Committee power underruth to whatever difficult circumstances that may be even if the power ignores the truth we have to keep telling it. My experience has been sure people in the Intelligence Community are citizens like everyone else. I observation, they part those political preferences at the door for they walk into the office. Unfortunately, this recent whistleblower complaint, coming from a member of the Intelligence Community, fuels that fire that there is such a thing as the deep state. Deep state comes out of a different context. It has to do with countries where military is so powerful, they wrestle control out of the industrial base. The Revolutionary Guard in Iran, they control industry. We do not have any of that here. Our military is completely under civilian control and they stay in their lane. The Intelligence Community is carefully hedged with a lot of rules. We have courts that supervise almost everything.
If you look at some of the history of surveillance programs and the controversy, those have always occurred because somebody was uncomfortable with a decision being made. Many got to court perhaps or Congress changed the rule. So we are kind of the opposite of the deep state. I understand Americans traditionally have a certain suspicion of government. But that's not so much the question of the civil service as it is more of a question of not overstepping its role with the private sector. Our solution in our Constitution, we break the government into three parts and we also have federalism. What people miss sometimes, much of the real power is at the state level in terms of the police and the enforcement mechanisms and that is one of the things that guarantees that our government cannot overstep or really commit misconduct. Final question, and one I think every member of this audience would want me to ask you, what is the damage to our national security agencies, to the people of the CIA, the intelligence agencies, the FBI, of this period in which you have the president calling the whistleblower a spy and accusing him of treason, what damage does that do to the people who work for these agencies? And the partners we have around the world. Who are essential liaisons. It is not good. It is not a good thing. It affects a lot of people in the Intelligence Community. I had to say it's a dangerous thing to try to characterize another FAQ. The Intelligence Committee is a large complex and there are thousands of people in the Intelligence Community who are not affected by the stuff at all. If you are at mission ground station someplace and you are just doing our job. You are not affected by this. So the specific elements really directly affected within the Intelligence Community are Office of the Director of National Intelligence. The agency, CIA and the FBI. Does have effect on them. Of the Intelligence Community are not affected.
Just because they are a part of the Intelligence Community and regular bad mouthing, that is not good for morale. It is not good as well for our intelligence partners who share with us, in good faith, information that they believe is germane to our national security. Observation is, by and large, the agencies, people work together and know how to trust each other. This will pass but I will leave you with this thought. People look to the U.S. as a beacon for the values of democracy and freedom and the rule of law. When we stand for that, not only do we earn friends but we earn admirers. I remember meeting people when I was in office in Central and Eastern Europe who had been high school students during the Cold War and under the boot of the Soviet Union and they said to me when I met them years later, the fact that Americans like Ronald Reagan spoke up for freedom, tear down this wall, inspired us to keep strong and keep struggling for freedom. That is one of the most powerful weapons we have and it would be a shame to lose it. We have had two of the very best people in national security to kick off our discussions. Please join me in thanking both of them. [applause] Our cyberattack was not unique. Digital extortion affecting many organizations in the public and private sectors and cyber threats are becoming much more hostile and frequent. We must continue to understand how to protect ourselves against these attacks when they occur. Time and time again we see these attacks can be debilitating. Taking out the tools and services people need to access health benefits, buy homes or even call 911. This is not a state or local problem, but a national one and we should invest accordingly at the federal level. My name is joe my name is jo. At the Department of Homeland Security. We are here to talk at least partly about ransomware which I think a lot of people are familiar with.
It is when hackers not only steal your computer files, they lock them up and will not release them until you pay a ransom in bitcoin. This has been a huge problem that has hit cities including Baltimore and Atlanta. Major industrial players. Small towns, police stations. What is the government doing about it? For those of you who do not know, I'm from the Cybersecurity and Infrastructure Security Agency established by Congress close to a year ago to be the federal government's central point for leading cybersecurity and infrastructure security. Working with our partners in the private sector, state and local. The second day of National Cyber Security Awareness Month. For those of you are not aware, you are now aware. Recent state of ransomware attacks really highlights the theme we have decided to focus on, which is about accountability both as an individual, we are all consumers and employees of an organization. Some of us run organizations. So how do we think about how we own IT and how we protect it? Those also focused on organizations who don't have the hundreds of millions of dollars of resources to do all of these things. Oftentimes in cybersecurity circles we talk about sophisticated concepts and the reality is as ransomware attacks have shown, a willingness to attack the most vulnerable organizations. People who are willing to stop schools from functioning, hospitals, municipalities. It takes a certain sort of low criminal to do that. In addition to being pretty malicious, these people relying on the best new hacking technology? Not at all. Much of the technology they are using is commodity malware anybody can find and run. There is more sophisticated stuff and some money in this and the incentives are misaligned. We don't want anybody to pay out because that encourages [indiscernible] I always say you should not pay out. That being said I'm not the person in the midst of making that tough decision about what's going on and I don't fully understand what their risk calculus is.
When you have insurers and others that are going to cover that, it furthers the problem of that misalignment of incentives. We are trying to focus more on building resilience and getting the tools, we will be releasing very soon a set of cyber essentials. A lot of small medium businesses come to us and probably spend a lot of time on high-end threats to electric sector, to our elections, a lot of people say where can I start, what do I need to do if I have five dollars, where am I putting that five dollars? So this month and really beyond with essentials we will continue to focus on that community. Is that a new thing for DHS to be focusing on the small and medium businesses, the five dollar problem rather than the 5 million problems? I would not say it's new. We have worked closely with state and locals, small and medium-size businesses. We are really stepping up and prioritizing efforts. Oftentimes the five dollar problem can turn into a 5 million problem and many times the interconnectedness of everything, many of these organizations might be public safety or they might be connected somehow in the supply chain of a larger traditional critical infrastructure. So we don't think we can separate those communities as much. One problem your office has talked a lot about, the concern about a ransomware attack from Russia, from anyone, that targets statewide voter databases in advance of the 2020 election. What are you doing to prevent that? I want to be clear there is not a specific threat we are aware of. More sort of logical extension of ever seeing this that is a potential scenario. There is very basic things to prevent yourself from becoming a victim of ransomware. Backing up systems, updating. So that's not something the federal government can do for these organizations. Nor do we believe it is our role to do that. What we are doing is publishing more documents.
In August we published specific ransomware partnering with associations and state and local leaders, mayors and others, to get the message out. Thinking about where they are taking IT money and spending on preventative measures and also being able to understand how federal government can help in a response scenario. After two years of working on this problems the 2016 election, how confident should Americans be that the 2020 election will not suffer from a compromise by Russia or another hostile actor? Remain very confident that the tally of the votes, the actual vote count itself, will be faithful to what the voter actually put into the machine. The former secretary talked about the broader architecture. Some of the things we really focused on that increases our confidence, talking just about election infrastructure. Gaps. 6, I saw three main the first was around visibility. Local al state and how the threat is manifesting in their systems. Recognizing that is not the voting machines that are necessarily connected but there are systems that are potentially accessible remotely. We focused a lot on visibility. We spent a lot of time and effort, to the point now where we have sensors covering all 50 states. So that's a huge improvement and that allows us to take intelligence information from the federal government or intelligence companies and quickly paying those sensors. The other thing was ensuring that we had an understanding of communications protocol. In 2016, if we had intelligence that somebody was a potential victim or target our practice is to go to the owner of that system and we need to work out to make sure the senior and senior official in charge also has visibility. This was something we worked out. The last thing was really about how to speak to the public and make sure that the public is getting the facts. This gets into the disinformation side. We did some unique things.
Having an exercise with media, so that they would understand how election day would unfold. Ensure that we had quick abilities to run down someone is posting on Twitter that a voting machine is behaving erratically we are able to quickly run it down and realize nothing was going on but we were able to get the facts to the public. Those three areas continue to focus on and I think in 2018 we are able to demonstrate a level sectors party, cross coordination that we were not able to do in 2016 and we will continue to expand that including the private sector. Those who make the voting machines and all of those in that coordination leading up to the elections from the time that first absentee ballot is mailed until the final vote is tallied. Despite all of the work, hackers looked at a bunch of voting machines used in 2020, found vulnerabilities of some sort in all of them. There have been other reports about voting machines connecting to the internet when they should not be. Possible supply chain issues. Should the American public be concerned about that? How should they think about those vulnerabilities? I think it's important to think of these in context. The need to still work through surets want to make that what was done is how real life happens so that is an important thing. People who work in cybersecurity, we have a term, you're not dependent on one machine being fully secure all the time and not ever able to be hacked. He put a lot of things in place, physical and personnel as well as technology and that is what we focus on with state and locals. And something they have done for years. If you think about the transparency of the voting process. Every time votes are tallied you have observers from both parties looking at the tally of those votes. This going to be indicators in place if something was not adding up. If it seemed like there was misalignment of votes.
We remain focused about any actor who seeks to spread disinformation or dissuade people from voting. That is always a concern and that starts way before election day. We will continue to work to make sure people understand where authoritative sources, that they can get a provisional ballot even if something in the registration is not showing that they are eligible to vote. He spent a lot of the last two years trying to get technology from companies that you don't trust and nations you off of government systems. Are you working on and has there been any progress in figuring out a way to get things more secure upfront so that you don't have such a long process? There are a few things that could take hours to talk about. The secured by design concept, in thinking about how do we have more secure code, there's a lot in the software community working on this. We are continuing to work and how do you build more secure coding practices. Transparency so you know a lot of products are compilations of different places or different countries. How do you have transparency in that? That is something we have to continue to evolve. Hardware, how do you have that transparency where your hardware came from? Us, youreally taught can't have a very blunt approach everything from x country is bad and we can't use that. Our economy does not support that. We've chosen to outsource a lot of things over decade and we can't just flip that switch. We want to get to a point where we have more trusted capabilities, but what we really learned, the threat is important. You can't just sort of hope you will get to a point where you have this perfect case of a company is a waiting agents lets just get rid of that. Are a risk-based organization. What we came to is three components of thinking about we would encourage others when procuring your IT products and services, the country's laws where the product comes from or where the data is stored is important.
There are certain laws that regardless of whether a company wants to cooperate with the government or not, there are laws in Russia and China and others that would compel the company to provide the data. We were not comfortable with that. The second part is the level of access to your system or data that IT product or service has. Does a lot of things in IT that don't have a tremendous amount of access to data. Antivirus tool has a lot of access. That was kind of the second. The last thing is thinking about market penetration. We are coming at it from the U.S. perspective. That is something to keeping an eye on but it is not something that we need to overly focus. When Congress passed Secure Technology Act last December which did not get a ton of press, it happened to be passed the day of the shutdown, other things happening. Really important piece of legislation because it set up the framework by which the government could do what we did but it gave us the tools to do it in a more sustainable enduring fashion. That is what's happening now. Represent DHS, counsel and that will allow us to have a more systematic and open process for being able to ban these things. The other thing we learned, it's important to do it in unclassified and public way. The reason we did it publicly was for due process. We wanted to ensure that anybody who would potentially be negatively impacted would have a voice in our decision. What that resulted in, a lot of people now that don't fall under our direct authority are following our guidance so we are able to impact a larger ecosystem that does not necessarily have to follow her orders. It looks like we are out of time. Thank you for coming. [applause] When bad actors try to use our site we will block them. When content violates our policies, we will take it down. When our opponents use new techniques we will share them so we can strengthen our collective efforts.
Strongly believe privacy and security are for everyone, not just a few. Hello again. My name is Joe. I am here with a great panel. Google's head of counterespionage and senior researcher it occurred to me as I was thinking about this panel, you all look at a vast array of bad people and bad organizations that are targeting the people you work with, from criminals to foreign governments, sometimes people's own governments and intelligence services and even stalkers. Malicious people in your life, stalkers and sometimes exes. I thought a good way to start, starting with Shane, who are, rather than what are, the main people that are causing problems for the people you're trying to protect online? In my case my team focuses on government-backed threats against users and Google. What we see these days, pretty much every government or most governments engage in this activity. For espionage, destructive reasons, disinformation and is growing over time. Differentnd all the countries where we see a country year overve is year theres less and less countries that are white and more countries that are red. A very small number of countries growing. Ite it is sophistication is also growing between the gap is closing between the high-end and low and sophistication. This has become more accessible. We see more players from the Middle East, around the world able to build these capabilities so day in day out we see users targeted. Russia, China, Iran and North Korea is the biggest threats or is it democratizing, a strange word to use. It depends who you are. Those four are four of the biggest players in the space. It's a lot more broad. If you are somewhere in the Middle East you might be targeted by your own government specifically. We warn all these users that we have this warning we put out every month saying we believe you are the target of government-backed attack. We warn 36,000 users that we believe there was a form of phishing or malware attack.
That just means they were targeted. The fear of what we are looking at on my team.

From your vantage point, Eva, what are the groups you're most concerned about?

I started out my work really focused on activists, mostly outside the United States. Often in North Africa and the Middle East. So, my last decade of work has expanded to get broader and broader. First we started seeing international activists being targeted, then we started seeing journalists being targeted, human rights lawyers, scientists. In 2016, we experienced a tremendous spike in domestic activists suddenly very interested in their privacy and security. I have actually seen a lot of pro-choice organizations that are really concerned about their safety. A lot of civil liberties organizations. Immigrant protection organizations are really concerned. Just immigrants in general, especially including legal immigrants in the United States, are very concerned about digital privacy and security. I have a bigger problem in some ways than Shane, in that Shane has to secure people's Google account. It's an easy job. The problem that I have is people come to me and they don't just need to secure the Google environment but also everything else about their lives and all of their other accounts. Finally, in the ultimate expansion of my work, I started looking at victims of domestic abuse. People who are being spied on in their lives are not being spied on by government or law enforcement. They are being spied on by stalkers. Or by exes or people with whom they are currently in an abusive relationship. One of our biggest problems with building a threat level for that is that companies often assume, when they are locking down devices, that if you have the username and password and access to somebody's phone, that you have legitimate access to the person's account. Abuse often involves access to all of these things at once. We need to rethink our threat models, just in case we did not have enough to worry about.
Obeyed address about this a couple months ago. Will start alerting people. Are companies getting better about this? Is it complicated because presumably there are some situations where apps like this have legitimate purposes?

I would not want Symantec and McAfee to get credit they don't deserve. The companies that did make tements were Kaspersky, Malwarebytes. We have three companies on board. Right now, since we are now kicking off Domestic Violence Awareness Month and Cyber Security Awareness Month, and Halloween, so all the spooky things at once, we are working on getting the antivirus industry on the same page to take these threats more seriously.

Are there legitimate uses for this stuff?

It depends on what you mean as a legitimate use and whether or not you're just talking about, is it strictly legal. Often the software is violating the law. The real question is, the law where? What jurisdiction are you in? State and federal laws are all different. People exist in different countries. The place where I had decided to draw the line is software which is sold commercially and is designed to fool the user into thinking it is not there. If, for example, you are a parent and you are concerned about where your children are going and you want to see their text messages and you want to know where they are and do some parenting, that's fine, as long as you don't feel the need to install this software on the device which leads them to believe they are not being watched.

John, what should we be scared about?

It's an interesting question. Similar to what Eva has done, I feel like our conclusion sounds a lot like what Shane has said. Wherever we scratch, we find bad stuff. I think a bit like Neapolitan ice cream. Strawberry is like nation-state actors who've got a development pipeline and good STEM capability, and then your vanilla is like, can't necessarily develop in-house but can pay for it.

Can you name names?

Work has been done for years on nation-state spyware.
Made by companies that allege that they sell to governments only for the purposes of tracking terrorists and child pornographers. In practice, it looks more like an international espionage set of technologies, and they sell to countries like Saudi Arabia and Mexico, who sloshed around and use these things for targeting their own civil society groups. That often gets a lot of attention and press because maybe it involves zero-day vulnerabilities and other exciting stuff. Chocolate, by far the most overrepresented, "my cousin knows computers" approach to cyber espionage. It does not need to be fancy. It just works. This is because human behavior is the same perception that works 20 years ago works in different guises. It also is a big overlap between the stuff Eva and we are concerned with. At the simplest level. For a decade we have seen nation-state actors using basically the same spyware that abusive partners wind up using. Increasingly, a lot of that problem space ends up in the hands of someone like Shane and other device manufacturers and operating system manufacturers whose systems are still constantly locked in battle with those simple technologies. I feel like one of the biggest problems we face is that the entry cost is so stupid low that anyone can do it. It ends up looking like a public health problem, with all of the behavioral complexity that comes from something where people love using the devices and they're not going to fundamentally change how they use those devices. The platforms they use are not designed in the high-risk-focused ways, but we don't know who the next clutch of activists is going to be. People who are in a domestic situation that will end up in some spousal abuse don't necessarily know when they get their Android phone that two years later they will have a spoof sharing their bedroom, fundamentally.

To take one specific example, I think this is either vanilla or strawberry. Exposing aed on micro targeted attack with Apple devices.
Chinese government-linked hackers who were targeting Muslim Uighur minorities. John, you have worked later and said they were targeting Tibetans. Thee just know about Tibetans. So tell me, how common is something like this, and how concerned should we be about these really microtargeted attacks?

Mr. Huntley: Well, I think what was really interesting about this attack and kind of all these details. We really did publish our research here is was the fact that this was one example where our team has found zero-day exploits.

Mr. Marks: Can you explain what a zero-day exploit is?

Mr. Huntley: Yeah, I was about to explain exactly what that is. A zero-day exploit is an exploit where, most of the exploits out there, if you have patched your devices, if you've installed all your updates, then you're actually protected, because all the holes have been fixed in what's actually gone on. So really, they still work a lot because people don't update their devices, people don't patch. But what we consider a zero-day exploit is the exploit, there isn't a patch available. And that's what this was, which is one of, we treat this very seriously because there's not a lot a user can do in many cases against a zero-day exploit. So we have this policy if we ever find one, and over the last 12 months, my team has actually found five or six different zero-day exploits against different platforms, and this is with multiple different companies. And our policy is, we tell the company, we help work with them to get it fixed, but we say that there's a seven-day deadline here. We don't, like, expand this out, that you've got months. So it's like, we're going to start telling people how to protect themselves within seven days. And the Apple case was one of these, and that's why this was such a sort of kind of attack. But, again, this is the rarity, right? So it's actually somewhat the exceptional circumstance where we actually do see the zero-day exploits being used, and that's why we treat it so seriously.
And I think we're having a really good effect of making it a lot harder to use these exploits. And, yeah, that's really the background of what that was. And then Project Zero did the complete analysis of the exploit, trying to understand the details of it. Because we really believe that learning more about these techniques, working at how to fix them, working at how to make sure these sort of bugs don't happen in the future is how we actually secure the entire sort of ecosystem in the world, because this is a very microtargeted threat. And this is not the biggest threat you're going to face. Like, you're going to generally be hacked because somebody's going to trick you for your password or somebody's going to trick you into installing something. But this really serious threat is one that we do have to take very seriously and something we're fighting.

Mr. Marks: John.

Mr. Scott-Railton: Yeah, so I think part of what's interesting about this case that just happened is, and part of why it's such fun drama is, how much trouble companies have with the public communication and narrative aspect of these cases, right? So Google didn't attribute, got a lot of flak for it, later things did some form of attribution. And I feel like it's kind of an interesting space, because we're putting a lot of emphasis on companies basically stopping nation-states doing nation-state surveillance stuff. But those companies have, like, lots of different incentives, lots of different public relations incentives, different markets. And I feel like there's a bigger problem, which is the pipeline that public and policy makers have for getting, like, meaningful, timely information about the full scope of the threats that they or other groups face is fundamentally constricted by the different incentives of the different players. So for example, Shane, what was the number for nation-state warnings that you guys did?

Mr. Huntley: 36,000.

Mr. Scott-Railton: 36,000. Which is great, right?
Holy smoke, that's a meaningful number. But it's also still challenging. For example, if I was to ask Shane, 36,000, how many from each country, right? How many from each threat actor? Google is limited in what they can say, and completely reasonably. But at the same time, researchers and others, we need to know that. We need to know who are the states that are the worst actors. We need to know how they're doing it. Users don't even know, right, when they get those warnings. So I think we're in kind of a weird place. In some sense, like, the other going dark problem is like information, including attribution, about threat actors and what they're really doing, where they're doing it.

Mr. Marks: Go ahead.

Ms. Galperin: Okay, I'm going to be mean. I promise not to swear, though. [laughter] Nation-state targeting warnings don't work, and this has actually been one of my bitter disappointments from the last few years. I spent many years going around talking about the threat of nation-state actors and nation-state spying. And one of the things that I did was I called on companies to give users these warnings so that they know to up their game. And then it turned out that, often, these warnings were too vague, that they did not give the users enough information, that they just scared the pants off the users, and they didn't know what to do next. Or, sometimes, they would often, sometimes, often. On occasion, they would go in exactly the opposite direction, where they would not believe the warning and believe that this is just a thing that Google does every once in a while to keep them on their toes. So I think that now is a good time for platforms to rethink the nation-state warning and think about what kind of information you can give to users that they will actually act on and that will help to protect them in the future, instead of just scaring their pants off or getting to the point where you can no longer scare their pants off, and they have no pants.

Mr.
Huntley: I would say, like, a slight defense, the person who initially rolled out these warnings, like, way back in the day, this is the big challenge. Like, how much can we communicate without revealing how we're detecting things? Because that causes, like, if we give up our detections, then we can't protect future users, and how to actually cause the user to make change. We have got feedback. Like, some users definitely do secure things. I think we have come a long way in the last eight years. Like, I've been doing this. When I started this, nobody believed in nation-state threats. Now we're having these sort of conversations where everybody takes it as a given. And if anything, it's, people are becoming blase to the whole threat. But when I talk to election campaigns, when I talk to activists, people do care and believe about that there are nation-state threats out there. I do think giving a warning sometimes is a wake-up call to people. And we have seen some users, this is the mechanism of the, oh, I didn't think about it and now I'm actually going to take some action. So we've measured that. But ideally, yes, we do want users to take more action. I think there is more research to go on to how to make this more the default. But I also think that we as platforms and as everyone else in sort of industry, we can't just put all the blame on the users as well. It's sort of like car safety. You can't just tell everybody to drive safer. You actually have to build safer cars. And I think we are trying to work very hard to build safer operating systems, to build more security by default, to make it so the user has to do some things themselves, but we can also do a lot for the users to help them secure.

Mr. Marks: And it's interesting that you mention campaigns. It's organization and not just users that aren't able to do anything with this information.
DHS has run into the same problem, where since 2016 they've been trying to get as much information as they can to campaign, state and local election officials. A lot of times they say, what the heck can we do with this flood of information? We don't know how to respond to that. Is there something in particular that, we'll start with governments and then corporations, but that governments should be doing to improve the situation?

Mr. Scott-Railton: I mean, I'll just take a freebie. I feel like it's really great to have big-think, thought-leading conversations about cybersecurity with a bunch of government folks. But the problem is, when they talk about cybersecurity, it's their show. And they like to think about cybersecurity issues as the great game, right? It's super exciting, and they play it with each other, and users always come second or maybe third. And the problem is, by volume, most of the bad stuff happening on the internet is happening to individuals who don't have anybody who really has their back and who have to depend on the largesse and quality of teams like Shane's and others. But for the most part, their governments really don't have their back. Like, the number of cases where Citizen Lab has gone to users and said you've got this problem, or we've worked with users, and like, nothing happens, right? They have no meaningful recourse. It's remarkable. And I feel like there's an ethos here, and it's like, everyone has watched videos online of people getting arrested in the U.S., and basically everybody who gets arrested has some version of like, wait, I know my rights, you can't do that. They have that experience, like, I know my rights, you can't do this to me. Nobody ever says that or experiences that when they get a nation-state warning, right? No one ever says that or experiences that when they're a victim of phishing.
And I feel like that's a huge problem, and it doesn't get changed by folks in government basically continuing to view cybersecurity as them playing with other states.

Mr. Marks: Eva, is there some discrete thing that either government or industry can do to make the people you work with more secure?

Ms. Galperin: I get really suspicious when somebody says, is there something the government can do, because I spend a lot of time protecting people from governments. [laughter] So I'm not here to come and tell you that governments and law enforcement are the good guys. And in fact, I'm really suspicious of giving them power, and I'm very suspicious of any remedy that involves asking the government or law enforcement to somehow be better and rescue us from ourselves. I think that what we need to start doing is really to start organizing as civil society. And there are kind of two ways to go about this. One is that the people who are speaking truth to power, the journalists and human rights lawyers and people who get out and demonstrate in the streets, need to have a very solid threat model of who's going after them and how and why. And as part of that, it involves the kind of work that I do and that John does over at Citizen Lab, which is writing reports about the kinds of threats that they face so that people can then do the right thing. But the other half of that is the work that Shane does, which is just making everyone's communications private and secure by default, so that you don't have to sit there and worry about what's going to happen when the government comes calling. And then finally there is sort of the last group of people who really often get pushed to the side, and that is victims of domestic abuse. And they have the hardest threat model to deal with, because you're dealing with somebody who actually has physical access to your stuff.
And I think it is really up to the companies and the platforms to start thinking about ways to deal with that particular threat model that they haven't before, because I get way more calls, I get way more complaints, and I get way more work than a single person can possibly do.

Mr. Marks: Just before we go on, quick, we're taking audience questions over Twitter. If you'd like to toss one in, we still have time.

Ms. Galperin: Nothing will go wrong. [laughter]

Mr. Marks: Tweet them using the postlive, postlive, and I will try to get them to some of our guests. So, John, you wanted to say something.

Mr. Scott-Railton: I was going to say, so Eva makes a really interesting point about changing threat models. And I feel like one of the things that we see a lot of in our research is device compromise, as ever is, right? But I feel like the new form of this, or at least what we're seeing, is more of a smash-and-grab approach, even from sophisticated actors, where they get on a device and they grab logs and then they go. And so one of the challenges there is like, man, the chat apps and so on that we use end up putting a bunch of stuff on devices. So, I was super excited to read yesterday, as I'm sure some of you folks have, it looks like WhatsApp has begun to experiment with ephemerality. Did you folks see this? There was a report yesterday saying they were starting this with group chats. I feel like that stuff is really important, because the number of cases that I've looked at where threat actors have gone on and then gotten all their juice, because they spent 20 minutes on a person's phone or laptop and pulled everything, is huge. And it also addresses some of the issues around intimate partner surveillance, because it means that if you get a device at time A, you don't get A minus one, two, and three years' worth of personal stuff.
So I feel like that kind of experimentation is really good and important, but I also feel like, and I worry that, there is a national security narrative right now around the importance of access to secure and encrypted communications being pulled by, frankly, a scary narrative around dark players who use bad things for pornography and terrorism.

Mr. Marks: And that's sort of rebounded since 2014.

Mr. Scott-Railton: It's really come into its own recently.

Mr. Marks: And there is a Justice Department conference on it on Friday, where both the FBI director and attorney general are going to speak. Shane, you wanted to talk about this?

Mr. Huntley: Yeah, I think the encryption debate never seems to die, unfortunately. Like, we're against the backdoors. I think the argument here was, like, trying to balance the law enforcement, like, everybody thinks there is this magical solution where we can only give access to everybody's communications to the so-called good guys but keep all the bad guys out. But we really have to, as mentioned here before, create secure platforms, because we really have to weigh the risks here. And the risks here of just having these open platforms created, even if they're created to be open or backdoor for supposedly good reasons, is just way too high to kind of run the risk.

Mr. Marks: Why is that? Can you give the 30-second explanation, that having a backdoor to encryption

Ms. Galperin: It means you don't have encryption.

Mr. Huntley: Because, one, you don't have encryption. Two, like, it means somebody has to secure that backdoor, right? So like, who holds that magical backdoor key? Who do you think can keep that key a secret? And I've never heard any really solid arguments about, okay, what happens if the secret backdoor key is stolen. What happens if some insider risk at some telecommunications provider or manufacturer gets access to it? This is just creating some other new mechanism where people can have their data stolen in some massive way.

Mr.
Marks: Is this a debate inside the cybersecurity community?

Mr. Scott-Railton: I feel like it keeps coming from without, right? Every couple of years, a certain set of folks, who are struggling with very legitimate law enforcement challenges, are like, you know what, let's take another crack at this encryption pinata here, and maybe we've got the case that will do it this time, right? I think, within our world, it is fair to say most of us believe, from a mix of, maybe it's ideology, maybe it's sort of historical experience or suspicion, that this is probably going to result in bad things if we go down that place. And we come at it from different reasons. Like, my argument is we have no idea what the next couple of years look like in most countries, right, if we've learned anything in the past few years. And we have no idea what happens when capricious folks with access to the ability to request that data decide to do so in ways that their underlings have trouble refusing, right? And that, itself, is a good argument for the importance of encryption.

Mr. Marks: So before we run out of time, I want to ask, big picture, is there any light on the horizon for things getting better for the average person or for highly targeted people in the next five years?

Mr. Huntley: Yes. I think there's light at the end of this tunnel. Maybe I'm the optimist in the room.

Mr. Scott-Railton: Tell us, Shane. [laughter]

Ms. Galperin: Because we're going to be all no.

Mr. Huntley: So one, what we're seeing is the attackers are having to work harder, right? So sort of the dumb attacks of three years ago are now just being blocked. Like, the rate of sort of phishing and malware and all those sort of things being blocked by platforms, by systems, is increasing. So attackers are having to work harder, which is a good thing. We're seeing these bugs being killed at a faster rate. And we're also seeing that there is more things users can do.
We have things like Advanced Protection, that if you really want to defend your Google account, you can sign out with security keys, all these other sort of mechanisms, that the levers are there for somebody who really does want to get these extra protections, which, to be honest, I don't think was there four or five years ago, that there was not as much you should do. But I want people to walk away not thinking that it's all hopeless, there's nothing you can do, you're going to get hacked, so give up. Where what we really do see is that, if you do take some protections and the platforms work at it, you trust the platforms that are doing a good job here, then your risks run a lot, you are a lot more secure and you actually have pretty good odds. Of course, there is the bolt-out-of-the-blue, zero-day, super-targeted stuff that might hit you the same way like getting hit by lightning does in the real world, but in the real world you should probably be worried about, like, getting fit and not having a heart attack, not about lightning strikes. You should also be more worried about the basic stuff. And I think the overall security level is increasing.

Mr. Scott-Railton: Oh, Eva, did you want to?

Ms. Galperin: Sure. So I'm going to take a dissenting view. [laughter] Surprise. Yes, to some extent some of our accounts and some of our platforms are becoming safer and we have more options, and that is great. But our attack surface is also expanding exponentially with every passing year. We are filling our homes and our offices with microphones and cameras that are extremely insecure and that are often manufactured by companies that don't have security and privacy as a particularly high value and that certainly don't think about nation-state-level APTs in their threat model, and they don't think about law enforcement. For example, there is a great deal of argument about the installation of Ring doorbells in neighborhoods and sort of their partnership with local law enforcement.
And Amazon continues to insist that this actually cuts down on crime, whereas the research seems to indicate that filling your neighborhood with cameras that everybody can see does not actually cut down on crime very much. It just increases the amount of surveillance that you have.

Mr. Marks: Real quick, before we run out of time here, I don't want to go through a panel without talking about election security. Big picture, how confident should we be, do you guys think, from a private sector perspective, about the 2020 contest?

Mr. Scott-Railton: My observation is, every time we have looked at elections outside of the U.S. in the past couple of years, so every time we have scratched, we found all kinds of players, domestic and foreign, mucking around in those elections. I cannot think of an election that has happened in the past few years where there hasn't been experimentation and muckery. And the biggest thing that bugs me

Mr. Marks: You said muckery, just to be clear. [laughter]

Mr. Scott-Railton: The biggest thing that freaks me out is that so many of our analogies and the way that we're talking are still, by the virtue of the 2016 narrative and access, it's just pulling our intuitions back towards that. And I think that the problem space just looks really different, and I'm not at all convinced that we've got a good handle on it right now.

Mr. Marks: Guys, quick?

Mr. Huntley: I wouldn't say we've got a handle on it. I would say that, unlike 2016, and I went through the 2016 things, that there is a lot more people working this problem. There are a lot more people taking this more seriously. The government's taking it more seriously, industry, people are working together. And it is like the top priority of everyone. So watch this space to see how it plays out. But if anything does happen, it's not going to be due to a lack of effort by the platforms or anyone else, because I think people are taking these threats seriously.

Mr. Marks: That's all the time we have.
Thank you, everyone. Please hold on for our final segment. [applause]

deploying more improve having an is already huge cost on our society which will grow exponentially as growst proof in christian and criminals are emboldened by their ability to evade detection.

Ms. Nakashima: Hi, everyone. My name is Ellen Nakashima. I am a national security reporter with the Washington Post. So set the table by describing for us how crucial is it and how do you obtain it?

Thank you for having me today. If you are in the business of trying to enforce a rule of law system, the way you prove cases in court is through evidence. Everything is digital here. Business records are digital. Communications themselves are digital, if you are talking on the phone. For us to build cases, we need access to electronic and digital evidence. So we want to make sure when we seek evidence, we do it in a lawful way. The way technology has developed, and obviously, encryption is something we are in support of. Protecting government information, you want to make sure it is secure. On the other hand, those same technologies that protect information make it ethical for us to gain access to it, even with court authorization. That, in a nutshell, encapsulates the going dark problem.

Ms. Nakashima: About what percentage of your cases, pick a category, criminal, drugs, what percentage of those cases does encrypted evidence pose a challenge for you?

Mr. Raman: It is difficult to quantify. It depends on the case. What I can tell you is, when it comes to data in motion, so communications, this is publicly known. End-to-end encrypted. So people are communicating by FaceTime or iMessage, even if we go to a judge or fulfill all the rigorous requirements under federal law, if we try to serve the order, companies cannot execute. So that creates tremendous obstacles for us. When we satisfy the legal obligations to satisfy that.

Ms. Nakashima: So is that more than 50 of your cases now?

Mr.
Raman: Like I said, depends on the case. WhatsApp, that number of DEA wires fell precipitously. It was a massive drop. Because DEA investigators, who are often running these wiretap investigations, for those of you who know, when we are doing transnational organized narcotics cases, we need to be on wires, because that is typically how the traffickers communicate. Those numbers fell precipitously once WhatsApp, a very popular encrypted app, went end-to-end encrypted.

Ms. Nakashima: Let's move into another area where we may see the impact of this. This past weekend, the New York Times posted a major exportation of child abuse online. The report said that online how the pieces rapid with no sign of stopping and technology protects and supports abuser. Encryption has been a major roadblock for law enforcement. Facebook recently announced it was going to put strong end-to-end encryption on Messenger. How will that affect your child abuse investigation?

Mr. Raman: It will have a tremendous impact. That is one area where we have clear statistics. Last year, more than 18 million cyber tips were reported to the National Center for Missing and Exploited Children. These are tips that the technology providers send to a nongovernmental organization showing evidence of child sexual abuse on their platform. 18 million. Think about that number. If Facebook end-to-end encrypts all of its platforms, including Facebook and Instagram, which the company said it will do, is that millions of those tips will go dark. So like I said, last year, about 18 million tips, over 90 of those tips were reported by Facebook. So that company, under the current status quo, is doing good work in trying to identify child explicated material.

Ms. Nakashima: And it is supposed to report it to this nongovernmental organization, so that organization can then?

Mr. Raman: Refer it to law enforcement or take the appropriate action. So after that, we follow up and try to arrest the individual.
Over 90 last year were provided by Facebook. If Facebook does end-to-end encrypted, essentially 70 to 75 of the 60 million tips will go dark. That is a practical application of how not having visibility into those public platforms will affect public safety. As the New York Times article said, this is why it spread. The stuff happening on the internet now is really scary.

Ms. Nakashima: These companies, Facebook, Apple, they talked about the encryption they are putting on their devices as a way to enhance the privacy and security for their users, everyone. So doing it, it helps criminals. Is that the price we pay for living in a free society? The Justice Department, the FBI, in the last three years, they have tried to have a public conversation. They have asked companies to voluntarily try to work with them to come up with solutions to the problem. Bill Barr, the attorney general, repeated that call. He said that companies have the capability and ingenuity to come up with technical solutions. Where do we stand on that? Having made any headway?

Mr. Raman: It is difficult. We are not looking to demonize the tech companies. These are the same companies that have created driverless cars, drones, wearable tech. These are the most innovative companies in the world. The question that we have, or the call of where we would like to make the tech, is, work with us. Try to find ways to protect security, protect privacy, while also factoring in the important component of public safety. Often in the conversation, that is what is forgotten. There are real impacts on real people when we are not able to have visibility into what is going on in these networks. When it comes to the companies, we have been reaching out and have made efforts. The director of the FBI has made multiple overtures. I wish the companies would do more. That is something we are working on. Not looking to demonize the companies.
On the other hand, we have an obligation to the American public to call a spade a spade. This is a real public safety problem.

Ms. Nakashima: Are you considering legislation to require companies to build in lawful access?

We are actively engaging with the public. You will see various parts of the government reaching out. Obviously you have the Department of Justice, the FBI; the Congress Department will be reaching out to industry shortly, to talk about the need to solve and find solutions to this problem. The Department of Homeland Security has a very important cybersecurity mission; it also has a significant law enforcement mission. I think you will see them publicly reaching out and raising awareness. We are at a point where we are trying to make sure the public is aware of the cost and benefits of what's going on. A lot of decisions are being made by corporate executives for their own business purposes, but that has tremendous impact on our public safety and our broader public policy. That broader conversation needs to take place. You mentioned legislation; there are other rule-of-law nations that have made legislative moves in this area. Last December, Australia, obviously a rule-of-law partner of ours, enacted legislation in this context. They are still implementing it and they are figuring out what it looks like. Passed the IPA, the Investigative Powers Act, which has certain provisions relating to providing decrypted information. We run the risk in America of falling behind, because our democratic rule-of-law partners are starting to examine this issue, because they understand that it's very complex, and a set of factors we need to be taking into account.

Ms. Nakashima: Do those laws apply to companies like Facebook, Apple and Google?

Mr. Raman: You would have to ask the Australians and the British about that. My sense is that they would have similar jurisdictional principles.
If American companies are doing business, they subject themselves to the laws of this country, of those countries. What the mechanics are, it depends. With the Australian legislation, it's in an early stage of implementation.

Ms. Nakashima: Let's go to a separate but related issue that grows out of this legislation that Congress has passed a year ago now. The CLOUD Act. At an issue of access to data but not necessarily encrypted, can you describe what the CLOUD Act is?

Mr. Raman: A major legislative accomplishment last year, bipartisan, with industry being very supportive, because many companies found themselves in an awkward position. They would get legal process from the United Kingdom, but barred from producing data to the British government because American law had a blocking function, that you could not produce data to a foreign government because, under U.S. domestic laws, those are privacy protections; you cannot produce data to anyone who asks. So companies found themselves in a difficult position, where they were under a legal obligation to produce data to the United Kingdom, but forbidden by U.S. law to produce that information. So companies came to us and said, we are in a tough spot. Can you help us? At the Justice Department, we were hearing it from our partners in the U.K., who were saying, we are trying to investigate a murder that took place in London. The perpetrator is British, the victim is British, everything happened in Britain, but the guy is using a Gmail account, so the evidence is being held by a U.S.-based service provider and we cannot do our jobs, and American law forbids Google from producing a response. So there were some interesting dynamics at play: we had foreign partners asking for help, industry asking for help, our own motivations, we don't want running around the streets of London, less of a concern sarah for us but still significant.
So everyone came together and enacted the CLOUD Act, which allows for rule-of-law partners that we engage in bilateral executive agreements with to serve U.S.-based service providers directly with legal process. So instead of having to go through the mutual legal assistance process, which could take a couple years, once these agreements come into place, say, the U.K. can serve Google directly and receive data directly.

Ms. Nakashima: Is that happening now? Is this agreement in place between the U.S. and the U.K.?

Mr. Raman: It's not in place yet. But the U.S. and the U.K. have been working very hard to move towards finalizing an agreement.

Ms. Nakashima: We hear that might even be this week.

Mr. Raman: I'm not in a position to make announcements. Thank you for asking. But this has been a priority for us. I expect there to be movement.

Ms. Nakashima: Maybe even an announcement.

Mr. Raman: It's possible.

Ms. Nakashima: Will this bilateral agreement apply to Russia and China?

Mr. Raman: The straightforward answer is no. Under the statute, and this is part of the negotiations, we were trying to get this enacted in Congress, we had very positive conversations with the civil rights community, the civil society community, and congressional staff as well to make it clear that the direct exchange of data should only occur with rule-of-law countries that protect privacy, honors and civil liberty and has protections in place. There's actually a catalog of factors that the attorney general has to certify that country X meets these standards before he can engage in one of these bilateral executive agreements. The answer is that totalitarian countries have no business entering into these agreements and we will not engage into negotiations with them.

And do you have any other announcements, maybe encryption, going dark? What the department will do?
On Friday we are hosting a public summit, we will also be live streaming it for those who cannot make it, on lawful access and on the question of encryption and the impact it has on child exploitation cases. We anticipate a very high-profile event; the attorney general will be there, the FBI director will speak. And we have guests from around the world; the British home and the Australian home affairs minister will be there. Trying to send a message that rule-of-law countries will stand together on this issue, that when it comes to accessed information, we are united on making sure that we protect, protect civil liberties, and keep public safety imperatives in mind.

Ms. Nakashima: Great, thank you very much. Let's move on to our final segment. [applause]

We have economic espionage investigations in all 50 states that trace back to China. America's adversaries are testing our cyber defenses, they attempt to gain access to our critical infrastructure, exploit our great companies, and undermine our entire way of life. We cannot let that happen.

Ms. Nakashima: Hello again, everyone. Ellen Nakashima with the Washington Post, national security reporter. And for the last conversation of the morning we are so proud and honored to have Bill Evanina, the top U.S. counterintelligence official and director of the National Counterintelligence and Security Center, the United States. As well as David Hickton, the first U.S. attorney to obtain an indictment of Chinese military spies for economic espionage, or as Bill likes to call them, the OG of Chinese espionage cases, and the founder of the University of Pittsburgh Institute for Law, Policy and Security. So our conversation today is going to focus on the top counterintelligence priority for the country, China. And we often hear of the challenge of a rising China. It's an indispensable trading partner, and at the same time it's a rival on the global stage.
So China has a complicated relationship with the United States, especially when it comes to technological advancement and global market dominance. So, Bill, as the head of U.S. counterintelligence, you have a unique vantage point. When it comes to China, where is the U.S. most vulnerable? Is it from IP theft, or economic espionage? Is it the race to dominate advanced technologies? Is this the Chinese spy agencies versus U.S. spy agencies, or is it Chinese spy agencies versus the U.S. private sector and academia? How do you frame the challenge?

Mr. Evanina: So I will choose E, the answer all of the above. And I think when you look at it from a strategic perspective of the U.S. government and private sector, we have to look at all of those vectors individually, but as a group of one. And I think it's important for our audience to understand that geopolitically, militarily, economically, China is all of one, right? So in America we have had the opportunity to grow up in a society where we have clear bifurcation between the government, the private sector, and the criminal element. And that's not the case in the People's Republic of China, or in Russia, or Iran. So it's an unfair playing field. And they utilize all those resources as one to combat us. And I think for this conversation, the important part of answer D was that right now our struggle is that it's an intelligence services battle against our private industry, and that's not the way we do business. So we're trying to combat that and allow and alleviate the threat by integrating the private sector as part of the battle. And that's our biggest challenge right now.

Ms. Nakashima: Yeah. Well, and, Dave, as I mentioned, you led the case against hackers working for the People's Liberation Army of China, but that's just one of the many precedent-setting cases you've spearheaded in cyberspace. But in some sense, how many of them have actually wound up in prison?
Once in a while you get lucky and some defendant travels to a country with an extradition treaty and gets picked up and sent over here. But Chinese hackers are not likely to do that. So how do we hold these malign Chinese actors in cyberspace accountable?

Mr. Hickton: Well, you're correct, but I think that the case we brought in 2014 led to the agreement between President Obama and President Xi, which is an even greater result, which everybody agrees reduced intellectual property theft down until virtually the election of 2016. But you're making a very good point that we don't have an extradition treaty, and this is one of the challenges of the borderless nature of cybercrime. I argue that unmasking cyber criminals has virtue in and of itself, because the principal currency of cyber criminals is their anonymity. And if you unmask them and declare that they did it, that's the first step. By the time I left the government, I was trying to expand the forums for adjudicating these cases beyond criminal investigations into the World Trade Organization, Commerce, and Treasury. My belief is that we need to hold foreign actors to the same standard we would hold American citizens, so that if they steal from our industry, particularly intellectual property, they ought not participate in our markets.

Mr. Evanina: I want to jump on that, because I believe that that was a seminal moment in our government's ability to combat theft of IP and trade secrets, because it turned out to be a marketing endeavor where we were able to educate and inform the American public, as well as the entire government writ large, of an intelligence service's, in this case the People's Liberation Army's, theft of our business and our economic and ingenuity and know-how for their military purposes. And I think that was a watershed moment, that we kept always in the government, but this was the first time we were able to shed light on that theft.

Ms. Nakashima: And one of the key achievements in that, Dave, was your ability to get these private sector companies, who traditionally, historically do not like to come forward and admit that they've been hacked or compromised and have their names out there publicly, it harms their reputation; you got them to actually agree to be public about it, have their names mentioned in the indictment.

Mr. Hickton: Right.

Ms. Nakashima: Talk about that. How did you get them to come forward? And why is that so significant?

Mr. Hickton: I was an unusual United States attorney because I hadn't served in the Department of Justice and I had represented many of these people and known many of them since childhood. But I spent most of my time trying to make sure that we could not only bring the case, but tell the story by putting a picture of the defendants, which we did at the back of the indictment, that iconic picture that came off a wanted poster, which showed the public who did it, and also, departing from what would have been the norm, which is company A, B, C, D, E, but also putting a picture of who the victims are. And then when we announced the case, I described how this affected real people.

Ms. Nakashima: U.S. Steel.

Mr. Hickton: U.S. Steel, the United Steelworkers, Alcoa, Westinghouse, and how this led to factory closings and lost jobs, and why we needed to care about this.

Ms. Nakashima: So, Bill, expand on that. That was like 2014, was it? And now here we are five years later. It's not just steel and trade secrets that the Chinese are after. They're moving into biopharma and genetics. Can you talk a little bit about what you're seeing?

Mr. Evanina: So publicly we talk about the span of influence and requirements that I would say the Ministry of State Security works with the Communist Party that developed to come here and actually steal our innovation. And it goes from biopharma to green energy to leading technology to future markets to gas, oil, shale, clean energy.
And we saw a few years ago with the Monsanto case, stealing hybrid greens and sand, because they have to feed 1.4 billion people. So they would rather not create their own research and development arm when they can come over here to the West and take it. And they go first to market, and their patent program is quicker, more effective than ours, and they immediately get gain of a local or international market at 30 cents on the dollar.

Ms. Nakashima: Right. This idea of, then, stealing or working with genetic mapping companies in the U.S., I hadn't heard about that. What's going on there?

Mr. Evanina: So it's complicated. So not only do they use their intelligence arms and their nontraditional collectors to steal our intellectual property and trade secrets. In a case recently with utilization of Duke and Yale's capability for genome mapping, sometimes we actually engage with them and do great collaborative work with their research and development and their academic work. And they take it anyway. So it's a not-winning environment. But they took that technology on genome and DNA, and they used it to imprison over a million Uighurs, right? So even great technology that we utilize for great purposes sometimes is used nefariously by intelligence services of rogue nations.

Ms. Nakashima: So this was done by the MSS, which is sort of their major intelligence service.

Mr. Evanina: Yeah.

Ms. Nakashima: They took this through legitimate, lawful research partnership.

Mr. Evanina: Some lawful, some unwitting, and some illegal, right? And I think that's the idea, that they utilize a whole-of-country approach to the theft of our intellectual property and trade secrets. They'll use collaborative mindsets in academia, joint ventures, private equity, venture capital to be able to utilize all tools, whole-of-society approach to obtaining our secrets.

Ms. Nakashima: Talk a little bit, both of you, I guess, about the academic approach that the Chinese are making, this issue now with the Chinese trying to or using, gaining access to university and university secrets, but also maybe trying to influence academics or Chinese students and researchers there. How much of a challenge or threat really is it, and what is the government's role here to do anything about it?

Mr. Hickton: Well, in my view, it's a huge threat. Look, the good news is we are still the cradle of innovation and the best academic country in the world. Everybody wants to send their kids to school here, and lost in the shadow of the PLA case which I did in 2014 was, in 2015, I exposed the network of gunmen who were fictitious test-takers or fraudulent test-takers who existed in this country, who were taking the SAT and the GRE for students in China. And somehow, they were getting passports, they would get admission to our colleges, and then they would get a student visa, and then go home after they were educated here. And this was an organized network and, at the least, deprived American students who might have been paying taxes for some of these state-related colleges space in those universities. There is invasion of our research. There have been cases that have done there. So, I believe this is a real threat. I believe what the government should do about it is the same we do with intellectual property. It seems to me that if we're going to have digital space, and we are the number one economy and we are the number one research and development location in the world, American citizens should be treated equally with citizens around the world, and nation-state intrusions should be treated as a real and present threat. So, I cheer the expansion of this initiative.

Mr. Evanina: I'll double down on the threat. We believe it's critical, up there next to, you know, 5G with moving forward.
But what we're doing about, so, this past year, we're working under the leadership of Senator Burr and Senator Warner, a bipartisan effort in Congress. My

Ms. Nakashima: The chairman and vice chairman of the Senate Intelligence Committee.

Mr. Evanina: Right. We utilized in my office, the FBI and DHS, and we met personally with over 150 university college presidents to talk about the threat, what it's like. We gave them a one-day classified reading so they could understand the intention of these foreign leaders, as well as, here's the threat and here's how it's manifested. And here's the amount of investigations that are being done by the FBI. And let's work together to find a solution that is not only effective and efficient for you as universities and colleges, but also doesn't, I would say, perform the effort of any type of racism. Because the argument has been this is a racist issue, and the Chinese intelligence services have been pushing that envelope very, very effectively here in the U.S., but it's not. When you look at the amount of investigations the FBI has, which is over 900, 95 percent of them are from the People's Republic of China.

Ms. Nakashima: Over 900 espionage or counterespionage investigations?

Mr. Evanina: Yeah, with respect to economic espionage.

Ms. Nakashima: Oh, economic espionage, right. But in fact, there have been a few cases where the department has had to drop the case, or the case got thrown out for lack of evidence, and these were cases of, I believe, economic espionage against Chinese-American, often, academics or researchers at universities, which has led to criticism that the Justice Department is overreaching and it's sort of seeing a Chinese threat amongst the Chinese-American community that doesn't really exist.

Mr. Hickton: Well, I'm in academia now, and I think that's a valid concern. And we still, in our institutions of higher education, aspire to have a worldwide student body and the educational opportunity, and a diverse population is valued.
So, I think we have to be real careful to get that point right.

Mr. Evanina: And I'll double down on the importance of understanding the threat versus actually who is committing the threat. Recently, the FBI and DOJ charged and indicted an American citizen in a university campus for spying for the Chinese intelligence services. So, it's not about the Chinese individuals and students that are here; it's about the Communist Party of China and how they manifest their efforts here in the U.S. through the Ministry of State Security, as well as the Confucius centers and the Thousand Talents programs. It's a holistic program, but it's certainly not about the legitimate students coming from China to study here and, what my partner talked about, the greatest college university system ever invented.

Ms. Nakashima: Bill, China is said to be making great strides in the use of artificial intelligence. Where exactly in the field of AI is China most advanced, and what is the role of the U.S. government to enhance U.S. competitiveness here?

Mr. Evanina: So, I'll pass on the role of advancing our competitiveness. I'll stay in the threat perspective.

Ms. Nakashima: Okay, maybe

Mr. Evanina: I think that it is a significant threat, and their ability, and if you map their allocation of government funds to facilitating AI and ML, in the billions of dollars, is dramatic. What they do have, also, which is an unfair playing advantage, is all the theft of everyone's PII they've stolen, not only here, in America, around the world; that theft of PII helps facilitate

Ms. Nakashima: That's personally identifiable information.

Mr. Evanina: That's correct. And that allows them to use that datasets, hundreds of thousands of petabytes of data. Just recently, the Anthem health care was that 78 million Americans had their health care records; they use that in the AI to be able to promulgate advanced analytics.
So, the more data they steal from us, with from PII, whether child records, they use that to facilitate testing of their AI platforms.

Ms. Nakashima: Like the OPM breach, as well, right?

Mr. Evanina: Twenty-one million Americans' records.

Ms. Nakashima: All went into big databases over which the Chinese run their AI algorithms to

Mr. Evanina: Right. Some of the current estimates say that more than 50 percent of the American adults have had all of their PII stolen by the People's Republic of China.

Ms. Nakashima: Wow, half of us here. Dave, did you have

Mr. Hickton: I mean, the current denigration of facts and science is a threat to us. The retreat on investment in scientific research is a threat to us. But you know, we in Pittsburgh have been the home of a lot of great advances, whether it's manufacturing, medical, and technology. And those have all been sponsored by partnership between the government, the academic community, and private industry. And we need to continue that so we can make Pittsburgh or Detroit or Philadelphia the envy of Shanghai, instead of the other way around.

Ms. Nakashima: Well, China has one advantage in this sense, in that they are much more of a command and control economy. And they, you know, the government can basically order companies and universities to do its bidding. Here we have a much more free-market system and we try to keep independence from that market. But is there now some, is there more of a need, do you think, for the government to sort of maybe direct areas of research funded, give incentives so that we're not left caught in the background?

Mr. Hickton: I mean, perhaps, but even when the government sponsors or directs it, it's still driven by the scientists. I'd like to really address the premise of your question, though. Some think that the initiative, particularly the work I did, was anti-China, and it was exactly the opposite.
I personally believe that China is the linchpin in developing norms and laws in the emerging world of digital space, because they are the number two economy in the world. And at some point, they're going to appreciate that they have as much to lose as the number one economy has to lose. I mean, there is the old saw in law enforcement from Willie Sutton: why do you rob banks? Because that's where the money is, there. If you look at the threat vectors, they're all coming at the United States because we have things to lose. They can barely turn the lights on in North Korea and Russia, but China is not like that. So, applying a lot of digital space was the essence of my mission in my former job. And I think, if we do that correctly, it becomes part of a strategy as opposed to a tactic to make China our partner.

Ms. Nakashima: And that was the strategy for years, of engagement, right, with, between the U.S. and China, to open our markets to them so that they would maybe become more like us, want to be part of the free market and abide by the rules of the WTO. They haven't followed those. They aren't following the same norms in cyberspace about respecting free and open internet. So, how likely is it that we'll be able to get China to become more like a rule-of-law nation and abide by Western norms and traditions?

Mr. Hickton: Well, I can't predict the end of that, but I can say that any effort like this requires persistence and is going to take time. The one thing I think has been successful is that if you just look at China writ large, they largely have become more Western. Their young people are more Western. And I think our engagement strategy has worked; it just requires continuous effort.

Mr. Evanina: So, I will differ with my partner on this one a little bit. I think, under the leadership of Xi Jinping, they have become the most amazing surveillance state we've seen in decades.
And the social score they have and the ability to photograph and their facial recognition of every second of everybody's life over there is really, and you see what's going on in Hong Kong right now. You see the power. Secondly, I think with any change that we just talked about has to come the agreement of ceasing the theft of intellectual property and trade secrets. If we're somewhere in the middle of 400 to 600 billion a year in economic loss due to their theft, that's about 4,000 per American family, after taxes. So, we have to be able to stem the tide of their theft. If we can't, then I don't know how we get to a place where we get back to the diplomacy of hope.

Ms. Nakashima: What will stem that? I mean, sanctions, there was a point at which the Obama administration was about to impose economic sanctions for economic espionage in China.

Mr. Evanina: I think that's going to take a multifaceted, multiple levers to be able to do that, to include policy from the White House, legislation from Congress. And I think a change of mindset of the American people to understand the damage and the value added or the value subtracted from this effort. And I think that's going to be, literally, a whole-country approach to stem the tide.

Mr. Hickton: I don't really disagree with what Bill said, but I think that we do need sanctions, and I think we have to really appreciate that the current trade war has impacted us negatively. We have divided our assets in the current trade war as opposed to multiply them by combining application of the rule of law with selling below cost within our markets; when we could multiply that, the conversation, we have halved it, in my view.

Ms. Nakashima: Okay, have the, I want to get to a question from the audience, but first I wanted to get to the issue of Huawei, the Chinese telecom equipment maker that is a big issue for the U.S. government, and in Europe, too, especially as we're moving into 5G superfast, superadvanced telecom networks. The U.S. government has been pressing allies, in Europe especially, to bar Huawei from their 5G networks, with mixed results of success. The argument there is that allowing Huawei into your networks will open a door for either Chinese surveillance or cyberattacks that could disrupt the network at a critical moment. But Sue Gordon, who was the recent deputy director of national intelligence, you know well, Bill, has publicly argued that, you know, we have to take a pragmatic view. That even if we don't have Huawei who have 5G, here, there will be other countries around the world that do have Huawei in their networks and we interconnect with those networks. So, you've got to risk, you've got to manage risk and presume a dirty network. What do you think, Bill, is she right?

Mr. Evanina: Well, in my space, whether she's right or not, I hate to even think about having to presume a dirty network. In the world I live in on counterintelligence, I think that is the beginning of the end. I think from a practical standpoint, she may be right, but I think our efforts in the intelligence community and the counterintelligence writ large is to not have that dirty network. And I think we've been able to prove along the globe the nefarious activity of Huawei and what they're capable of doing now, never mind when we have a 5G platform. I would also say that Huawei, to me, in my position, is not the problem; it's the Communist Party of China. So, if Huawei goes away, there's another company that's going to facilitate draw the Communist Party of China and Xi Jinping's effort to be the global supplier of telecommunications. And I think that is the threat we face, not necessarily the company of Huawei.

Mr. Hickton: I agree completely. One of the last cases I worked on ultimately led to the indictment of the group. It later developed to be a global positioning satellite case.
Bombs, drones, and someone talks to me about precision agriculture, which I did not know about. It later became written up as the spy arm of Huawei. This sounds like a 5G conversation that just emerged, but the Huawei conversation has been going on for some time. Until they will go away, someone else replaces them, until we address with China what is going to be our understanding. I'm confident we can get there, it is just going to be very hard.

OK, great. I have a question from the audience about the law enforcement tool of indictments. Have the indictments against Chinese hackers done any good? Dave, I think you have mentioned that at one point, this led to the agreement, not to conduct economic espionage in cyberspace, which worked for a year or so. Where the PLA started tailing up, soe msf ticked another agreement does not seem to be meaningful.

I think it is an expectation issue. No one would suggest for a minute that the mpi with FBI would start investigating bank robberies as useless because we have never solved the bank robbery. Our expectation in law enforcement is to reduce, not eliminate crime. Admit, the start was extremely controversial and we did not bring them to Pittsburgh. I might be the only ones left that believe they are going to be tried in Pittsburgh. We give them three squares and a roof over their head for 10 years or to the presidents of China and Russia are together and reach an agreement which everybody agrees for a period of time will reduce property theft down to zero.

Xi cameumer over in part and did the agreement because of the threat of economic sanctions. That combined with the indictments may have pushed them to come make the agreements.

Two things. Number one, the agreement is forefront of the conversation, and I agree that he as president agreed to stop the economic espionage from a cyber perspective. Not a human perspective. That increased dramatically. They did not stop stealing completely. The recent Huawei indictments have been earth-shattering in terms of getting the facts out by DOJ of what the indictments are, what they mean for the private sector industry. When I go to Australia, New Zealand, Canada, Great Britain, they look at the indictments carefully and how they manifest in their countries. As much as we are exposing the People's Republic of China for their nefarious activity, there is contact with partners around the globe about the activity in their country.

That's all the time we have right now, but let's thank Bill and Dave for a wonderful conversation today. Thank you. [applause]

[Captions copyright National Cable Satellite Corp. 2019] [Captioning performed by the National Captioning Institute, which is responsible for its caption content and accuracy. Visit ncicap.org]