We are far from a stage where this is normalized and far from a stage where everyone is comfortable. What we end up doing is saying, if your paradigm is to require background checks or proof-positive identification, we can provide that. Nine times out of 10 what happens is the customer comes back and says, we get it. That helped us get started but it limited the pool. Now that we understand how this works, we are going to start to relax those things. It is a complicated subject. What it comes down to, optimizing for the level of trust whichever vendor it is. Whether required to get the thing going. That is the important piece.

Dan: Does the bug bounty program only focus on systems related to risks? Only system risk? Business operational risk?

Marten: That is a great question. We make sure anybody can submit vulnerabilities and anybody can receive them. Customers get additional services where we go in and write long reports with recommendations. We go as deep as they like to go. We want customers to develop their own skill and practice. It needs to be an intrinsic function. Many of our customers say, we have just two security people. We need your help. There is a shortage of security experts. We need to make sure it really happens inside the companies. There are certain steps you take. One is you make sure it has attention from the top level. From the CEO and the Governors Committee on the board. We have customers who report to the board of directors once a quarter. You have a CEO who loves this stuff, saying cyber security is an issue of public safety. That gives the mandate to whoever is in charge. You have to make sure the security team sits close to the engineering team. It is the engineering team who produces these problems. Engineers like to be focused on opportunities whereas security teams like to focus on problems. There's a lot of work to do and we do it with our largest customers.

Dan: We are out of time. I want to give 15 seconds to each panelist.
If there is one takeaway, something you would want all the attendees to think about a week from now, what would be the one takeaway you could highlight?

Casey: In a week's time, it would be interesting for everyone to revisit the thought of, how am I going to get started with this? It not even is, it is how. Does this look like for my organization? It is true in five years' time my entire industry and indeed most industries are going to be doing this, how am I going to be a part of that? Am I going to be a laggard or a leader? The security research team is an awesome resource and you need to find a way to engage in them and bring them to the staff. One time or two times or three times, listen to every word she said especially cybersecurity is a matter of public safety.

Thank you our panel for a great session. [applause]

Good morning. Thank you very much for the opportunity to be here today to talk about the FBI and what we are doing in regards to cyber crime. Morally obligated to start out by saying I know I'm the last person between you and lunch and I will keep that in mind. I have 15 minutes, give or take for comments and some time for Q and A. I will hold up my side of the bargain and you have to hold up yours. Here we go. I will focus on four things. The current overall cyber threat, how we see this threat impacting the automotive industry, what the FBI is doing to prevent and respond to cyberattacks and lastly, the importance of public-private sector collaboration and what you or the industry can expect from the FBI if you suffer a breach or are the victim of an attack. With a little story. Everybody local a story about a meeting I went to in March of this year and it was with Intel Corporation. After this meeting was a commercial futurist panel and there were three individuals on the particular panel. One was Marc Andreessen from Andreessen Horowitz and Peter Getz.
And Jim, all very successful in prominent venture capital firms in California. One of the questions that was asked of them was, where do you see future growth in it the next 10 years from a technology perspective? They were not all consistent in their responses, but one or two of the responses were mobile, quantum computing and autonomous driving systems. The way venture capitalists see growth over the next 10 years. It gives us a pretty good idea of where we are headed and what we have to consider going forward. The big question for much from a bureau perspective the industry, what are we going to do about that today? Let me talk about the current cyber threat landscape. In general, more complaints, more intrusions, more victims, more losses and the bad guys are getting more sophisticated. We have that going for us. Who are the players? Nation-state sponsored intrusion. Characters, China, Russia, North Korea, Iran. We deal with multinational information for sale to the highest bidder. Hackers are motivated by different things whether political, financial or harassment. We still consider the cyber terrorist perspective. We know that terrorists are highly proficient at using the internet for recruiting, propaganda and executing attacks. We know they aspire to gain access to our systems. We know is they are not there yet or we do not think they are there but it is a concern. How do these groups operate? Increasingly complex attacks combining multiple techniques and inside knowledge. Using social engineering to target us and develop human vectors to get into your system. They are using social media to target employees. I would be remiss if I did not mention the insider threat. Not just limited to hackers on the outside but insider threat is a significant problem, disgruntled employees, employees who are targeted and employees willing to sell to the highest bidder. What are they after? Pretty much anything and everything from information first active.
Access, economic, political or ideological. Today, we're not so much concerned about the loss of data. After the Sony case, an issue of corruption of data or lack of access to our own information. Why does it matter to everybody here in the room? More than attack on your infrastructure, these are attacks on employees and customers. Attacks on your reputation. And attacks on our autonomy and security. Tol quickly, I would like to talk about the impact of the automotive industry from the FBI perspective most of the folks a bunch of heard panels talking about that this morning. From our perspective, the vulnerabilities include network and autonomous systems. Because new cars and infrastructure are increasingly connected to networks, an attack could prevent vehicles from communicating with each other and infrastructure. Autonomous vehicles are especially vulnerable. In my previous job as a special agent in charge of the San Francisco division, I worked with California Highway Patrol commissioner who was very interested in these particular issues. A comes and are not from negative way, but he was constantly asking me when it comes. Times vehicles, who is thinking about these issues and were asking the hard questions? In the wake of the tragic accident with a Tesla using autopilot earlier this month, safety is obviously front and center. It is also critical that security in particular cybersecurity be a consideration in the design stage rather than as an afterthought. It is not just Tesla and Google pushing the envelopes on autonomous vehicles, I'm sure you have heard about George who is making a self-driving car in his garage. What could possibly go wrong with that? Supply chain. We are want to talk about it again. Another vulnerability clearly. Under many possible scenarios that we are thinking about involving malware introduced during GPS updates. Another access point.
Transportation infrastructure. Hackers can compromise the GPS or navigation and send drivers to the wrong place. Or bad actors can use rates and to extort money in exchange for information to get them to the right place. Here is what the FBI is doing. Director Comey has recognized the severity of this particular risk and combating get one of his top priorities. We as an organization are constantly evaluating how we go about dealing with our responsibilities. For those of you looking at the news this morning, the Department of Justice Inspector General pushed out a report talking about how the FBI is looking at the cyber threat and giving us areas for improvement, all of which we will take very seriously and implement as possible. For the less winners is your years, the FBI has worked cases heard much in the same way. We assigned to investigators there are either aware of where the victim companies are at it does not work and cyber so we had to change in the model. It has not been without pain. We make case assignments based on subject matter, expertise and where the expertise resides. We have created cyber action teams. We are taking our best technically trained agents and computer scientists and employ them to areas. We are maintaining a constant focus on recruiting, training and retaining cyber talents. We know we needed to hire more just as everybody else does. About constantly thinking this differently and how to go about it in different ways. Would replacelly technically trained folks into two different job families, as agents or what we call professional support employees, computer scientists is. We are taking a look of whether or not that is a good idea and generally the best is it is not. We're thinking about bringing additional computer scientists and data scientists onboard and expanding the subject matter expertise we have and we know we will need moving forward. Trying to provide additional clarity on the lanes and the road.
It can be confusing to the private sector in terms of who will respond to a particular event and who will do what following an intrusion. We have been working very hard with the interagency to come up with additional guidance. It is still ongoing and you can imagine how hard it is to herd and we are close and we expect an announcement soon. I would think within the next week or so there would be additional guidance from the federal government. We are doing our best to impose costs and we are getting better at attribution and figure out for the bad guys and prosecuting when appropriate. When we cannot reach out and touch them, we expose them publicly. I was skeptical of this approach at first but it has had a chilling effect. In March of this year, we did this with seven Iranian hackers. It can be embarrassing for those countries to care if the activities are state-sponsored and have consequences for the individuals if they would like to travel with their family or otherwise. Lastly, that guy is helping counterparts be more effective in dealing with cyber crime providing training, equipment and expertise and we expect to continue to do so for the foreseeable future. What can you or the industry expect from the FBI if you suffer an intrusion and where you should be at in regards to engagement with your organization? Vehicle technologies continue to evolve; the FBI and automotive industry must engage on cybersecurity. Develop a relationship with your local FBI office before something happens rather than after something bad happens. FBI will do everything we can to share the relative information we can share with you. We frequently push out what we call flash reports to share tactics and malware signatures.
We will provide direct briefings on request or otherwise to have companies learn from previous event youd in the provide with information, we will provide you with feedback on what you have given us. The bottom line is we need your help to allow us to better address these threats. We know the private sector owns almost all of the infrastructure, the primary target and all of the information and evidence we would need to move forward resides on your networks and servers. Unfortunately, more often than not, law enforcement is not notified when an intrusion occurs. The estimates are about 20 are reported. Another 80 out there. I understand there is a multitude of reasons why a company would not want to report an intrusion to law enforcement but we have to figure out a way to get past that and work together. We need to make it routine for companies to turn to law enforcement for help. Why? We need to find out who is behind the attacks and prevent them from doing it again. It may not be a company's first concern which is normally to get back to business. Do not find those responsible, they will continue to attack. Speed matters. The faster you turn to law enforcement, the faster we can turn to leave and get to the right course. We understand the best I understand competitive and the FBI understands competitive edge in reputation and disrupting your operations and dealing with regulatory agencies and liability. The bottom line and this what you will expect, you will be treated as a victim. We will minimize the disruption and protect your privacy and not share data about your employees or operation. We will do our best to provide clear rules regarding the information you share with us and what happens to it and how it can be used and share as much as quickly as we can. Let me wrap up real quickly. I think I'm doing boko time. Thank you for the opportunity to be heard today. I applauded the automobile industry to minimize risk. To working with you on these issues.
I would be happy to answer any questions you may have before lunch. [laughter]

Thank you very much. If people have no questions, please write them down and we'll folks who can pay them up.

I have a question. Andhe cyber does not occur the supplier and we have supplier, what can the FBI provide not only in cyber but handling the media? Given the FBI's extensive experience with it dealing with incidents across sectors?

Yeah, a couple of different thoughts. Wonder, if iwill can. Yes, on the media for, we have the office of public affairs in each field office has a media coordinator and in the event is determined it may be something that a company would want to help you effectively engage with the media, the bureau would be more than willing to provide you with a plan to make that happen. The other things that we provide is we have an office of victim assistance. Each field office has victim specialist and if your employees or employee of a company are potential victims, the victim specialist can sit down and talk to your employees about ways to mitigate those risks and help them get back on track not only from a realistic perspective but from a psychological perspective as well. If it is likely a nation-state-sponsored intrusion, we would be the interface with the intelligence community and other outside agencies that would have the visibility to the extent we could if we had cleared individuals in another company, we would be able to share that information as quickly as possible if we can. Lastly, I talked a little bit about the preexisting relationship. You want to have that in place before something happens and the reason why is you can engage in these conversations on a regular basis. You can learn more about what the FBI can bring to the table and what the DHS could bring to the table and what the Secret Service could bring to the table. And develop a plan beforehand in the event something happens, you will know exactly what you can and cannot do or should do.
You will know what you can and cannot do or should do.

Any more questions from the audience?

Chris: I had one question but then thought about something else while you were talking. I can see maybe some organizations are hesitant to report to this information. We know reputational risk and all of those things, reputational damage, I should say. But also is there any connection with your reporting and investigation to the federal regulators for instance? There can be concern that they would be under more scrutiny if they are reporting these things to the FBI.

David: That is absolutely a fair question. A gym trainerwith before I came out and we were talking about Sony. And how the bureau responded to that and how we tailored. The answer is you will be treated, the company will be treated like a victim. The FBI is not going to provide opinion or commentary into regulatory agencies about conduct or omissions or otherwise, that is just not what our lane in terms of we would do and how we would respond.

I thought I was off the hook. I get to read it. I can make it any question I want, right? What are we having for lunch today? No. What measures does the FBI employ to protect the anonymity of a company that reports a cyber incident?

Internally, we don't. We don't prevented the anonymity of companies. When it comes to pushing information out that is relevant, that may be relevant to other law enforcement agencies or intelligence community members, we do not identify the company that has either suffered a we have information or intelligence about. We may refer to a company in a report that is going out to the community as company A or company B. Internally, we do not. I do not have any instances of where we had to. Well, Sony is an example. Well, we don't absent prosecution.

Thank you. A rapid up. Thank you