
No matter what industry you're in. Cybercrime. I'm Barrie Moskowitz, an officer of the Harvard Business School Club of New York. Before introducing our speaker I would like to introduce our moderator, Chitra Nawbatt. Chitra anchors for National News channel in New York. Prior to her career in broadcast television, Chitra worked at Deutsche Bank, the ibc and Ernst & Young. She is a CPA and a graduate of Harvard Business School. Welcome, Chitra. And now our featured speaker for the evening, Mr. Marc Goodman. Marc is a global strategist, author and consultant focused on the disruptive impact of advancing technologies on security, business and international affairs. In addition, Marc founded the Future Crimes Institute to inspire and educate others on the security and risk implications of newly emerging technologies. Since 1999 Marc has worked extensively with Interpol, where he is a Senior Adviser to the Steering Committee on Information Technology Crimes. In this capacity Marc has trained police forces throughout the world and has chaired numerous Interpol expert groups on next-generation security threats. Marc holds degrees from Harvard University and the London School of Economics. His newest book, Future Crimes, provides an insight into technological innovation and unintended consequences of the connected world. I'm sure we will find out more as the evening unfolds. Before we begin, please take a moment to silence your cell phones. If you do not do it yourself, Marc may just do it for you. [laughter] Also please note that this event is being recorded by C-SPAN. During the Q&A there will be a microphone located in the center aisle. Please announce your name before speaking. We are also pleased to announce that we have copies of this book, right off the press, that are available for sale right outside the conference room. Thank you so much, and please join me in welcoming Marc. [applause] How is everybody doing? Wow, that's pretty perky compared to I don't have to ask twice.
How many of you work in technology? Specifically in cybersecurity or security? Entrepreneurs? Financial services? It's like the second row. You guys look so excited to be proud. And Harvard School of am? Kennedy School? Only one. Harvard undergrad? Okay. What are you most curious about on this topic? A few hands. As a New Yorker who has had credit card [inaudible] I'd like to understand more about, and I didn't go to Harvard [laughter] or Best Buy. Slept like to understand what's happening [inaudible] I'm just really concerned about what types of [inaudible] Okay. Thank you. Briefly. [inaudible] him okay. One more. [inaudible] So we will start big picture and then drill into some of these issues that you talked about, definitely companies, technology that is on the forefront, specifics of the risk and issues you talked about, both operationally and to talk about decimation reputation. So we will start big picture, high in the sky, and drill down. Marc, what does the future of crime and cyber terrorism look like? Wow, what a catcher question. Completely unprepared for that. [laughter] The future of crime. Well, it looks somewhat like today but it also looks quite different. The bad guys, criminals, terrorists and rogue governments, have always been quite good at adapting technology to their own preferences. Criminals have been early adopters of technology. If you go back to Chicago gangland, murders of the 1930s, those gangsters had cars while the cops were still on horse and on foot, right? Fast forward to today: when I was a young police officer, we saw bad guys, from drug dealers on street corners, carrying pagers and cell phones back in the days when doctors were the only people that had pagers. They were carrying like five-pound brick phones. I see some young people in the audience. You couldn't talk on it but it would be. It was a Star Trek those were quite rare.
When I saw street drug dealers carrying pagers amount I guess you were not physicians, they were in the former soviet industry but, in fact, they were not doctors. I said there's something going on. So I got involved in cyber crime investigation early on in my career. I started telling a story of how that happened, and then it went on and on and on. What I saw go every new technology they picking up, the bad guys are right there ready to go. They have research and development departments; the cartel has a 5 million R&D budget just for robotics, trying to figure out how to get drugs across the border. So they do R&D. They hire Ph.D.s. There is a school of aviation that is in Mexico, a very premier school, where the drug dealers are recruiting aviation engineers for the purpose of building the drones. There's a whole bunch of new technologies coming online: robotics, artificial intelligence, synthetic biology, internet, big data. There will be a crime plot ready for all of them. What are the top three threats that you can think about right now? From a technological perspective. I would start out at a societal level and work down from there. I guess the big, single threat that I see is that we wired the world but we failed to protect it. We are very good at connecting things to the internet. We know how to do that. The internet protocols are set up to do that quite well. Security, we will figure that out later. Just kind of the broad overall threat that I see is that we cannot even protect the things that we have online today. And yet we are running full speed ahead to connect more stuff. There's never been built a computer system that could not be hacked. There's never been built a computer system that somebody couldn't figure out a way into, yet we are using computers, not only the computers we think we're using, desktops, laptops, smartphones, but all of the physical objects in the space around us are transforming themselves into information technology.
An automobile, something that used to be a mechanical device, is now a computer. It contains over 250 microchips that control everything from the brakes to the airbag to the radio station you listen to. And they did a demonstration of this on 60 Minutes. An elevator is a computer you ride in. An airplane is a computer you fly in and a pacemaker is a computer that you implant in your body. So the founder of Netscape famously said that software is eating the world. So when every physical object transforms into information technology, things that were never hackable before suddenly become hackable. Let's go more specific, the perspective of the country's government. I interviewed... I don't think your mic is on too well. [inaudible] Yes, that needs to be on you. [inaudible] I think it's been hacked. [laughter] Won't be the first time tonight. So this one wasn't, that's for the camera. Apologies. Barrie, if you want to do the intro over again. How is that, better? Thank you. Getting into the three, let's go more deeper, right. I was saying, a few months ago I interviewed the CEO of FireEye, Dave DeWalt, which is a company that works on cybersecurity, and he was talking about the three countries, the top three countries that are victims of cyber attacks are United States, South Korea, Canada. We are number one. [laughter] When you think about those three countries, what are they specifically under attack, in what area, what are the three biggest threats that our government are dealing with? You know, I understand clearly that you're asking for three specific things. I will deal with the countries and then we'll talk about what those things might be. I want folks to be able to touch it, feel it, really understand it. You got it. It is all-encompassing, so how do we break it down into something tangible that companies, governments, all of us need to know how to prepare better, respond to? And hopefully business opportunities.
We will definitely get into some of those opportunities for startups. Why would Canada and South Korea and the United States be amongst the greatest victims of cyber crime? I will ask the audience. Do you guys have any ideas? Yes, sir. The biggest users of the internet. Internet. Exactly. If you think we have a lot of technology, look at South Korea. They are light-years ahead of us in terms of the speed of their internet, the percentage of their population that is online. They have a very strong technology culture, a very strong gaming culture. So the way you might go to a hockey game or a New York Knicks game, there are stadiums filled in South Korea where people are playing video games across from each other. On the nightly news they're talking about it. It's a different culture. And, of course, they face a very unfriendly neighbor to the north, I believe it is, which is very differently connected to the internet. So in essence it is an asymmetric threat. The more technologically advanced you are, the more you can be subject to attack. This was a concern during the invasion of Afghanistan of the U.S. government, which is they developed this whole cyber arsenal but nobody is online and they don't have electricity; what are you going to attack? That's an exaggeration, an overstatement. There were targets. I think that's the reason why this country either. They also happen to be very economically well-off countries, so there are things to steal. In response, how is our government trying to respond to that? Poorly. Very, very poorly. What's interesting to me is that one of the reasons why we created nation-states, if you go back to the treaty, we had very clear borders, individual countries, sovereign rights, border states, this is the territory of the United Kingdom, the United States, South Korea. The internet broke all of that.
The role for which the government was brought together, to be of service to its people, taken at the federal level in this country and others for the purpose of national security, has kind of been broken in the internet age. When you have for example organizations of the U.S. government, Army, Navy, Air Force, Marines, who are responsible for protecting our national borders. They know how to do that. They've been doing it for centuries. What does that look like in cyberspace? Nobody really knows. The systems of control, customs and immigration, air traffic control, all of that stuff doesn't work on the internet. So they are struggling to figure out what it looks like. The branches of government that would protect us, both at the nation-state level from a national security perspective and then also at the domestic level from a law enforcement perspective, are completely broken by the internet, and they have not figured out any good ways to respond. I will talk about sort of on the policing side. If you had a bank robbery here in Manhattan, in Times Square, a guy walks in hopes of the telecom walks over the telecom walks over the back of many, what do we know about the crime? This is CSI: C-SPAN edition. What do we know about that crime? We know that the criminal was physically present in the city of New York. That means Midtown South has jurisdiction. It's a big swing to the FBI will be involved. The victim was in New York City. The criminal was in New York City. There's co-jurisdiction. We know there's evidence left behind because of fingerprints, DNA, photographs taken at the scene. Those were the good old days. Now the very same crime can be committed by somebody in El Salvador or someplace halfway around the world, and we have very little evidential trail to follow up on.
Even if we did, and I experienced this myself when I was a police officer, if I identified that a suspect what was with the police department, if identified the suspect was coming from Paris for example, do you know how hard it is for a local cop to get evidence out of Paris? It relies upon mutual legal treaty to i develop for the went to my chief of detectives, went to lieutenant, chief of police, California Department of Justice, FBI, over to the State Department, who would give it to the French Home Office, minister of justice, to give it to the Parisian police. The whole process was a two-year process to find out who the owner of an IP address was. We have some technical people in the audience, right? Does it take two years to change an IP address? It takes about two seconds. So the systems are fundamentally mismatched. From a public policy, legal perspective, regulatory perspective we've got nothing on the horizon to sort this out. Nothing on the horizon. Nothing interesting. I was going to say, what's the solution? How are you, what are the agencies, what are the specific groups that are lobbying, rowling to get the right action, and what is that right action? And it's a combination of domestic response as well as working internationally, right? The challenge on the national security front and on the law enforcement front is that your government has pretty much abdicated response but it was bob and don't think it's something that most citizens realize. If you came home, Barrie, god forbid, your house was burglarized, you call the cops and they will show up. New senate detectives, dust commodities and wisdom look for the bad guys. If you call up the NYPD, Midtown South in Queens, and said I've got a virus, send a police car immediately, I hate to disappoint you but the incoming. You may think every shows up with allies are looking for things, that's not what happens on the internet. So law enforcement has suddenly excluded itself from this.
You hear periodically about wanted suspects and one or two people subject to arrest. It gives 110 thousands of the people of the crimes committed, I'm guessing, some estimate ends up in a prosecution in any way. So what we've seen in our government, our response to this arbiters been mostly to the offensive capability. Have you guys heard of the guy called Snowden? There was this guy called Snowden who took and still classify to release them and suggested that the United States government was quite expert at offensive cyber operations. What most folks may not realize is the NSA is dual-headed. They are the primary agency in the United States for International Perspective that is responsible for cyber protecting our borders, if you will. You have an organization that is schizophrenic. Why? Because once a part of the NSA discovers a bug apart of the certificate would all walk on we see that little, we see it as been foldable. The NSA knew about it. The NSA should have, could have put out a notice to all American citizens saying hey, attention, we have a problem. Update your browser, get a new certificate. Here's the Heartbleed fix. They didn't. Why? Because in other parts of the NSA, we can use this operationally and go after bad guys. So that six at the what happened to the offense part is winning, winning over the defense part, which is why you're kind of on your own and which is why companies like FireEye and Dave are very wealthy people, because the opportunities are tremendous. I want you to understand that their government is not doing much at all. On that, you talk about FireEye, other countries but what i, other comes to what other countries, who are the companies and the technology at the forefront of fighting cyber attacks? Sure. How many of you have antivirus on your computer? Those are not the companies at the forefront of this. I hate to disappoint you. But I write about this in Future Crimes.
There was a study done of 40 different antivirus vendors and what they did is they looked at what the success rate was at detecting new viruses. They ran a bunch of new viruses through 40 different antivirus vendors and the detection rate turns out to be 5%. 5% of new viruses are detected by software, antivirus software, but eventually it learns and it gets on board, but that could be weeks and months later after everyone is affected. They have a 5% success rate. In Future Crimes I say if your own immune system worked like an antivirus program you would be dead in 24 hours. That's not a good response rate. We need better systems. All those legacy players, in the same way that we saw brand-new startups like Google and Apple disrupt IBM, we're seeing the same thing right now with the first generation of cybersecurity companies. Symantec, Norton, one of the largest, is now broken down, broken into two separate companies. One focused on big data and data analytics, and the other on security. Even security researchers their what is the most respected cyber secure research and water runs an antivirus company, and he said publicly the antivirus era is over. What are those new tools? What are the new companies? I would say FireEye is very much at the forefront. There's another company called CrowdStrike. They are more on the services perspective. You need to understand who the winners are going to be by analyzing the technology. I know we are able to from Financial Service industry. They analyze industries and learn all the time. So particularly for the entrepreneurs we can talk about the technologies that will need securing individual like the internet of things and get to that. But for today it's the services problem in a sense. What do you mean when you said? The recovery gets hacked. You thought, as the CEO, I have a CIO, a chief information officer. I have the chief information security officer.
These guys are protecting me and if anything happens they're going to take care of it. You need only look at JPMorgan Chase, Anthem Blue Cross, Target, Home Depot, AOL, Heartland Payment Systems and on and on and on to say that that system doesn't work particularly well. When companies at JPMorgan Chase, fairly well resourced compared to your mom or your uncle, can solve this problem, then we have a real problem. Here's why. It has a lot to do with the human factor, which is why I say this is a services problem. If you think technology will solve your cybersecurity problem then you don't understand technology and you don't understand security, right? At the end of the day many problems come down to the human factor and that's something that's broken. Often it is where the hands meet the keyboards that the problem occurs. So if you get an email from a Nigerian prince that says congratulations, you are the one person on west 4060 that I really, really trust to exfiltrate my billion dollars from the Nigerian Ministry of Energy, and you buy into that, that is not a technological problem. There's a name for it; they call it PICNIC. Problem in chair, not in computer. [laughter] So there's a PICNIC problem we need to deal with. But even beyond that there's a massive dysfunction between any organization and its users. Think about that term. I.T. people call you the users. Who else calls their customers the users? Drug dealers, right? Drug dealers refer to their customers as users. I.T. refers to their people as users. They think everything is a PICNIC issue. It's you, not them. So the systems are designed for geeks by geeks. Who has had a software firewall on the computer, a popup that says somebody is trying to break into your computer? A lot of popups say things like this: warning, extreme danger, requesting access. Do you wish to proceed? [laughter] Right? No. That's not particularly useful. In physical space we say things like fire help her square, right?
Tornado. We know what to do then. At other error messages are horrible and they're not useful. One of the things I called for in Future Crimes, jumping ahead, is the Jony Ive of security. If you think about all the beautiful products that we have in this world, Apple telephones and Rolex watches, what do they all have in common? Beautiful design. But there's a human centered design in cybersecurity. So which really a problem. Then they blame the users. We come up with policies that say your password needs to be 67 digits long, uppercase, lowercase, contain a haiku and the high school you went to in Indonesia even if you didn't go to high school in Indonesia. And they change it every two days and they wonder why people take those stickies, write down the password and put it on their screen. I say it's a services issue because there's this whole human public that needs to be dealt with first. What does the human-centered design look like? I think it is a work in progress. I don't think anybody has a clear idea of it. Who has used Airbnb or Uber? Think about how beautiful the design interface looks. Then think about what those products are. I think if we guided people can if we took like super cool hacker cyber geek white hat folks and compared them with the design team at Apple, I'm certain they could come up with something much, much better. Then that needs to scale on the corporate level. We're talking about companies having problems. I say one-third of all security products purchased by a company, at very expensive cost, millions of dollars, are never used. They are called shelfware. They buy them because when you have it but then it at the time to set of the. The guys to busy. We've got other things, putting out fires. One-third of the tools purchased are not even used. You talk about where a lot of the issue is where the human meets the keyboard. Double and raised earlier with her credit card since last summer, right? Move to Florida. What about Target?
It was the cyber criminal, the criminal, not all of the consumers. 100%. When you talk about human hitting the keyboard. In that case it was how to end up getting hacked was where the keys with keyboard. On the corporate side, not on the individual side. I will take people through that the editing to get an understanding of what's going on. Remember I talked about the challenges of trying to get a warrant for evidence, took forever. We have the same, the problem is even worse in the phone regard to the bad guys have automated the attacks and the good guys have done a terrible job of automating the defense and that will take you to the. The attack that occurred in Target, by the way, who is a victim of that? About the Harvard Club, probably not commission target shoppers year. There were over 100 million people that were victimized in that attack. One-third of America was the victim of a crime which was perpetrated by a 17-year-old kid in Moscow. How was that carried out? Not because the kid was a master hacker but because software committed the crime. One of the key things that I talk about in Future Crimes that most folks don't realize is crime is increasingly committed by computers, not by people. It's committed by algorithm, software, and by artificial intelligence. That's why we are seeing it scale to the level that it does. The old days of the master hacker banging away at the keyboard, drinking Red Bull, staying up three days in a row, it still happens but it's mythology. In the case of the Target hack, a 17-year-old kid in Moscow paid 2000 for a piece of software and that software sent a phishing email. He sent a phishing email to a company that was part of the Target network. Target's point-of-sale... does anyone know what phishing is? District phishing is when you get an email that lands in your inbox and says hi, this is the Bank of America security team. You've been locked out of your account. Click here and change your password. Or don't do that. It's a trap. Be aware, be afraid.
No, don't be afraid, be aware. It was a phishing email and it was a spear phishing email. Spear phishing is a type of phishing which is targeted just for you. That's because the bad guys are on your network and if your name is David and your ceo and your ceo on singin of this is hey, Davey, what's going on? They will mirror that language. It's gotten so much more sophisticated, so they watch the network, watch your patterns of communication so they can fool people. I got received a phishing email. What was hacked in that case? It was the point-of-sale terminal, right? Point-of-sale terminals. Does anybody know how the hackers got into the point-of-sale terminal in the Target hack? Let me tell you. It was via the air conditioning. To . A gasp from the audience. Yes, here's what happened. It turns out Target outsourced all of their HVAC operations to a third-party contractor. This third-party contractor managed the air conditioning and heat at all Targets across the training period one human being getting enough, clicks on the wrong thing and ends up impacting the corporate computer that he was on. Which was connected to the heating and air-conditioning system at Target, which was connected to the Target contractor network, which was connected to the Target main network, which was connected to the Target financial management system, which was connected to the cash registers, which is connected to the point-of-sale terminal. So it's not a coincidence why I called my book, or the subtitle of the book is, Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It. That's one of the biggest challenges: we think okay, my laptop is secure, but now someone wants to hack you, they will not come in for your laptop, something that has security and firewall and encryption. They can come in through your smart light bulb or television or smart DVR. Those are the weak links in the chain.
Backers of cigarette and say its not cool of a typical disguise light bulb. They're going to use the easy way to get into your network. That's what happened with Target. To your point, I know it's a long answer, what is the easiest way to get in? Low-hanging fruit. It depends on the network. Each one is unique. But often it is the user devices. Sometimes it's, many companies allow executives and a place to bring their own mobile phone so you can work laptop and tonight your kids use it to do the work and sometimes they download a free movie that is riddled with viruses and it gets onto your machine. The point I want to make about Target is that attack was carried out by a cyber genius hacker. It was software written by a cyber genius hacker who now has a new business model. His business model is to sell criminal software. In the same way a total which their so Photoshop, there's a criminal software. The whole thing is automated, point and click. When I was working with Interpol, going back to figures were working in Rio de Janeiro outside, we're working a cybercrime case and we saw the criminals selling DVDs which we thought were pirated movies, but upon closer investigation we found that they were pirated movies. In fact, it was crimeware. The software that they had was identity theft software that they were selling to lower level they use without a computer background. The fascinating thing about it is their business models, these may sound good to those of you who graduated. If you bought crimeware in bulk, the more you bought it at a discount. With every piece of software that criminal organizations sold, they have a service-level agreement. So we guarantee that 85% of our stolen credit cards will work or your money back. And my favorite part is they actually had 1-800 numbers for tech support. You could call up and say I'm trying to commit identity theft and it's not working, and they would say, have you tried rebooting your computer?
[laughter] All those business models, the criminals are using, adapting, modifying to their benefit. A crime is can a software. That's why it is the scale. That's a fundamental issue that's going on. Crime used to be a one-to-one affair. If I was a criminal, whether it be in the Bronx, Harlem, doesn't matter where, if I want to rob people I go out and get a knife or gun and hide in a dark alley, wait for somebody to combined 60. That is a great career, being a street robber. Its also the you can make your own hours, can be your own boss. What's the problem with that business model? [inaudible] Yes, you could be caught, but what is your scalability plan? That plan didn't scale. A new technology came along and helped criminals scale the business, and that was the locomotive. Now we can do train robberies and rob 200 people at a time. Massive scalability. Now with the internet we've seen one individual be able to rob 100 million people. That is a fundamental paradigm shift in crime. It's never been possible for one person to rob 100 million of anything, let alone rob 190 people simultaneously. Crime has become automated. We have crime cops but we dont have thats why we have this problem. There are solutions to is getting copper box but it doesn't look anything like the solutions that are proposed to be, but as I said we're doing very well on offense. Doing really bad on defense. If this were a football team, we would certainly be handicapped. There are lots of solutions, steps we can take an outline in canton, but I will give you an example of the problem and the thinking of government. You guess what to do Business Schools you are the capitalist and an economist who went to the Kennedy School, trying to save the world and public policy guide coming under talking about government and its limitations. This is not a problem the government is going to solve by itself. They wanted to do a hand in hand with the private sector, nonprofits and NGOs, multilateral satellite.
And, of course, individual citizens. We had the Sony hack that occurred, and who carried out that attack? North Koreans. Kim Jong-un. We produced a horrible movie and now Seth Rogen and James Franco are persona non grata in Pyongyang. They decided to hack Sony. They hacked Sony, allegedly, and President Obama said it's an attack against the tried and we need to do something about this. I'm going to talk about this at my State of the Union address. I said finally we'll get some traction on this. State of the Union address. I tuned in and I listened quite intently. The president gave a 6600 word speech during the State of the Union address, of which 108 words were dedicated to cybersecurity. Now, the man has a lot on his plate: isa, Iraq, Syria. There's poverty, monetary policy, lots of things he dealt with. But when I saw those 108 words I was not heartened by what I heard. I listened closely to what the president said. He said we need better information sharing. Gene what else we need? Enhanced penalties for identity thieves. And I went, I got rumbled. If you think that increasing the penalties for identity thieves from three years to six years is going to solve this problem, you fundamentally do not understand this problem. This is nonpartisan, not picking on him to come talk about policy claiming that has been loose for their defense will protect us from these massive cyber leaks is a bit like applying sunscreen and claiming it will protect you from a global thermonuclear blast. It is totally inadequate to the scale and scope of the problem. But that said, to be hopeful and the end had been on hopeful that because only to think of myself as optimistic, we solved the problems before. Going back to World War II, we faced an existential threat from Germany getting a nuclear bomb first. How did we respond to that? We created the Manhattan Project.
We gathered 120,000 people in the United States, Canada, United Kingdom to work in classified settings around the clock to develop a bomb before the Germans could. Kind of the military aspect of that aside, the takeaway point is that the big difference between those people that faced an existential threat from a nuclear blast and the existential threat that we face from the mass manipulation of technology is that they were serious about the threat before them and we are not. The president is not and the Congress is not. I think it's a fundamental misunderstanding of the technology. If you look at the Congress of the United States, it's somewhere between nine and 13% approval. Look at the most common profession, it's lawyers. With respect to lawyers in the audience, I took classes at Harvard Law School, I'm not anti-lawyer, but if you look at the Chinese ruling party, the economy is committed there the 10 members, all 10 have Ph.D.s in electrical engineering, some sort of advanced science. So fundamentally they understand science. I think the lack of student letters on the part of our national leadership and our individual district STEM literacy. You talked about earlier about, the subtitle of your book, that everyone is connected and we're only getting more connected, because when it comes to businesses, technology conferences, this concept of local, mobile, social is so pervasive. That's only going to continue. So many new companies and startups and existing countries are all about local, mobile, social, which from the sounds of what you are saying invite, facilitate cybercrime. In a sense. One could certainly draw the conclusion. No, I agree with the fundamental thesis of your question. We are creating tremendous amounts of data. How many remember Willie Sutton, the bank robber? He was eventually arrested by the FBI in the 1940s. He was the biggest bank robber in the country and they said Willie, why do you rob banks? What was his answer? Because that's where the money is.
Why would you rob a Girl Scout stand selling cookies? World Economic Forum has said that data is the new oil. If data is the new oil, that's where the value we are creating in the oil. You look at the valuation and growth of big data companies, good data analytics. What is Facebook's main business? It's not status updates. What is Angry Birds' main business? It's not shooting pigs at birds. Their main business model is getting data out of you. That's their business model. The challenge with that is that criminals go where the money is. If data is the new oil, we should not be surprised the criminals are going to go towards the data. How many of you have heard of Gordon Moore? The founder, president of Intel computer chip corporation, and he said that, eventually figured out that computer processing power is doubling every 18-24 months. So computer iPhone format will be twice as powerful as the iPhone 3 was, and the same with your desktop chip and the like. That guys are much of the work that a do. I thought if Gordon Moore content into law, I can treat one. Let me an issue to my blog: the more data, the more organized crime is willing to steal. Okay? The more data you keep, the more it's going to leak. Why? There is no such thing as a fundamentally secure computer. There is no such thing as trustworthy computing, any society that is built on computers for all of our critical infrastructures, for businesses, for markets, for air traffic control, for our electrical grid. So we with the you can read and see all these great case studies about the data, big data analytics making better decisions based upon the data, the fact of the matter is if Anthem Blue Cross is going to keep 89 patient records on the computer, and they're not going to encrypt it, by the way highly negligent in my personal view, they're not going to encrypt the data by providing the basic level of security, and we shouldn't be surprised when it leaks. Remember I said software is eating the world?
If you went to the doctor's office when I was a kid, there were no computers. They wrote on a piece of paper and put them in a file. That is not online, which means it will leak. I think is the data companies edited start out writing Future Crimes wanted to come to this conclusion. The conclusion I thought it's going to come to was: those bad criminals, look what they're doing. As I went through the process, a couple of the early chapters, I had to see the role of technology companies, particularly the social media companies, and how much of your data is leaking through them. Leaking in ways that they understand that Facebook doesn't understand. How much do you guys pay to use Facebook? Or Google. Right? Most people I talked to said yes, I'm a Facebook customer. I use Facebook. You're a customer? What do you pay? They say nothing. But I see the other problem: what is Facebook's 800 number? I don't know, but if you call the airlines they have an 800 number. agitating to get to get free coffee at Starbucks, you don't get free hamburgers at McDonald's. You don't get free dresses at Macy's. You pay for that. You are paying for all of this with your own data. That's the price of admission. What people don't understand is a lot of these companies are really bad stewards of your data. To our success as a Facebook accounts hacked. That annually, not monthly, daily. Daily. That comes from Facebook's own chief security officer. You think you're providing this data and it's going to be protected. Conversely, then there is their business model, which is taking obligated that you're providing them and slicing and dicing it and selling it into a group of data brokers that are completely unregulated.
Speak your talk about going against a way that is happening. Paper wasn't it. We got technology to automate that data, can be more efficient in our recordkeeping. It's also good, better because it's more environmentally friendly. That's one.
You are also saying the more data we keep, don't keep all this data, but it's inevitable. Regulation, companies have to, individuals have to for the personal record, whether it's accounting et cetera. Going forward, there are so many companies now betting big on data and big data. It's a vicious cycle. You say in the book, you talk about some of the solutions. What are some of the solutions?
Let me acknowledge the fact I am introducing a black swan. All of this data is great until it all leaks. We haven't seen a company beaten up too badly as a result of these leaks, although I will say for every record it leaks it costs the company 206. That's 206 to investigate the leak, call in an outside consultant, plug the hole, notify the customers and replace the credit card, 5.11 each. Bring in a PR crisis management firm, defend the lawsuits. Hire outside counsel, customers churn, and then director and shareholder losses that come as well. If Target loses 109 records at 206 each, that's not chump change. I think that people will start to think about this differently, potentially. I talked in Future Crimes about solutions at a social level, societal level, and solutions at an individual level. At a social level, I talked about one of the solutions is we need a Manhattan Project for cyber. That is militarized but has intention bring together public-private sector that assure so focused on it at that level. If the software industry, the people that created all the software that has the bugs, if they took 1 of their gross product and put in, net profit and put into a fund, then we could solve this problem. We could do a lot with the billions for us to use for something like that. The other thing we can do is vastly change how we respond to the threat. We currently handle cybercrime as a law-enforcement issue, but think about how we describe these crimes. We talk about computer viruses, talk about infection. Viruses and infections, but what happens if someone has measles?
We don't send out the cops to arrest them. We treat them, isolate them, protect ourselves. I suggest in Future Crimes, it's a much better way to go. We understand how that works. My goal should not be to arrest you if you get a virus. My goal is to make sure I myself don't get a virus. So I call for a World Health Organization for cyber because it's a proven model that works. I think we need a National Cyber Reserve Corps. We have reserve police officers, reserve marine, air force, navy. We don't have a reserve side or and that is going to hurt us because that national cyber disaster will come. When it does we will not have a plan. At times to repair it before a disaster rather than during or after. I would just throw out old but I think there's a huge opportunity for incentivizing. Let's take a 29 pot and work with the foundation to incentivize the smartest people with the baby in India or Brooklyn and lets you configure this out. Let's give people are not part of the system because the smartest that is not in the room with you. The smartest girl is not in them with you. They could be halfway around the world. We need to crowdsource and think about that. Last, at the social level, to leave on a positive note: is this solvable? I think it is solvable. It just takes the attention, focus and the most amount of resources. Not huge amount. I think, and I quote President Kennedy, who said in the 1960s, by the end of this decade we will put a man on the moon. Think about that nation. Just a few millennia ago we were barely walking upright and now we put a man on the moon. Surely if we can do that we can figure out antivirus. We should be able to figure this out. The problem is when a focus on it, so I call for all of those things and more in Future Crimes. Your questions. [applause] Thank you.
A little. Hello. I think I'm a little more pessimistic than you. That doesn't happen often. I don't think that you can solve the human problem because we are human.
The idea to get everybody, 6 billion people, the good passwords and to not do the wrong thing on the keyboard, it's just not realistic. And even if you incentivize and put prizes out there to find problems in our networks and things like that, there's new tools, new digital lightbulb coming out tomorrow that will be hackable. To me, the problem is we can't catch the bad guys. Let's talk about for a second how do you find these guys. Crypto crunchy like dark going anonymous like Bitcoin that can't be tracked. It got dark networks and all these things being developed, so I would like to hear your thoughts on that. Thank you.
A great question, great point, but I don't fundamentally disagree with you. One of the biggest challenges with this, there is something called attribution, or trying to figure out who is responsible for a particular attack. Did Sony really contacted by the North Koreans or was it an internal threat? Did China hack the Pentagon or was it Russia? Maybe it was somebody else. We have really poor methods of attribution in this space. To figure out exactly who did it is hard. Why? Of using the televisions with bad guy calls up the cops and he decides is going to route these calls all other places, usually in Brooklyn, but is running his call for Afghanistan and in Paris and Tokyo, and really he is around the corner from the police station. That's what hackers do. Before North Korea, let's say, allegedly hacked Sony, then those sit there in Pyongyang and type sony.com. What they're doing is compromising thousands between Pyongyang and Sony that it's very hard to trace it back and figure out who's responsible. Of attribution is a big problem. As to the human factor in solving this, whenever I suggest we're going to solve this problem, there is no such thing as perfect security. If we even drove toward perfect security, the cost on a personal friend would be so great that they would be and humble.
Benjamin Franklin said those who pursue security in service of liberty and of having neither. I think that's true. So the challenge for us is not perfect security. It's better security. I will give an example from the real world. You take a beautiful new BMW, park it in a really bad neighborhood, uptown, downtown, doesn't matter where. It's a dark street, no lights. You leave the BMW running with the keys in the ignition, the window stack, the doors open. The hazards on, 10,000 cash on the dashboard, and abroad you might not be surprised if he came back 10 minutes late later and your car was gone, right? That you could take the same BMW and park it in a really nice neighborhood on the Upper East Side, lock it, use the club, put on LoJack, and your car can still be stolen. Somebody can come by with a flatbed editor truck and take your car. All I'm trying to do is get people to understand how to lock the front door of the house and how to not leave their keys in the car. If we just took those steps it would make a massive difference, right? I talk about something that occurred in Future Crimes called the update protocol. It's based on research by the Australian Ministry of Defense and it's very specific steps people can take regarding the password and encryption and other protocols that are quite easy to implement. If you just take those six steps, according to the Australian M.O.D. study, would drop your cyber risk like 85. I'm not calling for perfect security, but I think we could do so much better and we would benefit greatly economically and personally from it.
Next question. If you can kindly, and if you have questions, if you could kindly line up so we can make sure we get all the questions in.
I just pulled a dusty book off the bookshelf called Tuxedo Park and almost a template for what you are advocating, that the gentleman who was a very successful investment banker who is a physicist, and he gathered all of the physicists defined in United States, doctor Lawrence Livermore [inaudible] they founded something called Rad Lab at MIT and established radar first from airplane to airplane, then shipped to her, and then airplane to U-boats. And the British sent a team over to collaborate with us. When they a cheap much with the went to they worked on the Manhattan Project. And when the war ended, MIT knocked it down. But it was the task force where they did work 24 7 to solve what they did as a looming problem. This occurred in the 1939-1940 period, where they anticipated what we now know transpired.
That's a good reference to i will stop for me with it but I will check it out the amounts of work in the past to do something I write about in Future Crimes, we've been focused on the technology of today and have not gotten into robotics and artificial intelligence, nanotech, synthetic biology and genetics which you so what's the next threat? Those are the next threats. I want to flag those, but much like in the Tuxedo book come with the did was get a bunch of really smart scientists, geneticists who saw in the 1970s our ability to manipulate the genetic code to create new creatures, new forms of life, new bioweapons, which were vastly outpacing our public policy and law. So the leading scientists in the field got together in California, created a code of conduct. You may have seen recently that Stephen Hawking and Elon Musk and Bill Gates of all quite publicly against artificial intelligence, specifically artificial intelligence, artificial general intelligence, the computer. The last invention of man. It will be the thing that man built and we will not need men anymore because these computers will be supersmart. We are running down that path and people are flagging you.
I do think we need to think about some of these technologies.
First of all, congratulations. That was an excellent talk that you gave. I also have to agree with the gentleman who said I'm not sure that this problem can be easily solved, but I am encouraged by your response that can result to the point where to make it difficult for a hacker. A lady in Manhattan doesn't get hacked six times in five months. We should be able to solve that. Maybe two times last night. The other day I asked my friend and most of these guys, said look, if I told you that if you get on Facebook, if you get off Twitter, if you get off YouTube, for three months, you can definitely, it will not be, ISIS will not be able to behead the next 10 people they're looking to behead. What would you do? So the answer, almost all of them said of course we will get on Facebook. One of them said I will think about it. They didn't ask teenagers. So that's one observation. The second observation is 20 years ago, I think you will agree with me that this kind of networks, these kind of bad guys did not have any of these weekends to go to propagate and have a vital growth with a lot of internet countries have. So my question to you is why is the phone is not bent on onus on the tech companies to be able to come up with ways where they will prevent these kind of cyber terrorism and these kind people to log on? They are trying, and I would also like your point about a fund with these companies put in 1 of their net income. Again I dont only by the. I don't think that will work because they become sort of management by committee. You've got Google and Facebook, Apple, they all hate each other. To sit there and try to figure out a solution of cyber terrorism, I don't think well were. I don't understand why Facebook themselves, these are very cash-rich companies, comply with an output in 1 of their net income of gross income, whatever it is at attack this problem?
One of the things I talked about in Future Crimes is something built upon what your suggestion is in the book. I talk about the possibility, I know I will hear gasps from the audience, by the possible considering maybe thinking about a little bit of regulation, right? In this domain, whether it's regarding data privacy, in the EU they have very strong data privacy laws. Almost every western nation with the exception of the United States has a cabinet level managers the Privacy Commission or privacy minister. We've no such thing in the United States. Business schools and that's just the way our country runs. What I would say in response to that is the companies that are building these tools have not faced any consequences for putting out bad tools. Since you mentioned Facebook, a motto at Facebook when it comes to computer code is just ship it. Like that's literally their motto. Just ship it. We know it's full of bugs. We'll deal with it later. How many of you get popups that say your phone company system software is out of date, please update. Please update is a lovely way of saying you have been completely hosed for the past six weeks or six months and so we figured out the obvious bugs in your system and now you need to fix them. And one year for Halloween they inserted into their terms and conditions on their site, when you made a purchase, by clicking here I grant GameStop permanent ownership of my immortal soul for now and into eternity, right? [laughter] And they had 1300 people that day that clicked on it. So that is a big problem. I talk about the auto industry. For some of you who are a little bit older you might remember Ralph Nader in the 1960s, Unsafe at Any Speed, I think is what it was called. We lost tens of thousands in car crashes, and Ralph Nader, kind of a single man chasing against windmills, wrote this book and got the auto industry to make our cars safer.
And I've seen research papers that said it was the most positive public health impact of the 20th century, that that saved more lives than anything else. Therefore, I think that there is some room for some regulation, for making people responsible for the code that they're creating, and I think that would be a big step forward.
Great, thank you. Just a quick followup. Could I ask you to, because we've got time for just one more question. Yeah.
Hi. Can you just talk a little bit more about your Silicon Valley Singularity University and its partnership with NASA and Google?
Cool, yeah, I'd be happy to. I teach at something called Singularity University. It's cofounded by NASA, Google, the Kauffman Foundation, with funding from Nokia, Autodesk and a bunch of other companies, and what its mission is, is super cool. It is an educational institution. We call it a university. It's a completely fake university, but it's the best fake university out there. It's not accredited, but you'll learn so much more. It is teaching about exponential technologies: robotics, artificial intelligence, synthetic biology. And the school has one simple mission, to use exponential technologies to positively impact the lives of a billion people over the next ten years. So every student that comes through Singularity University, or SU for short, has their homework. Go help a billion people. And we use exponential technologies to do just that. I teach with some of the most amazing astronauts, physicians, surgeons, orbital scientists, super crazy, cool people, and they're so smart. And they're all kind of Silicon Valley types, so the world is awesome, and it's great, and there are no bad people. And so we see presentations on robots that will clean your house, and I say, well, what happens when the robot gets angry and kills you in your sleep? So I'm that guy at the university. [laughter] It's a really enjoyable position because I find my colleagues actually welcome that discussion. Sing lair die.
Org, which can it out sing lair today,. Org.
Briefly, you're the last question.
Yeah. A lot of these hacks could have been prevented by fairly basic security measures. In the case of Target, had this air-conditioning company used two-factor authentication, had credit cards used the chip, used the chip and PIN systems, that hack could have been prevented. Similarly with Anthem and with Sony, had basic encryption and walling off of important files from the public internet, had steps been taken along those lines, these issues could have been avoided. So I guess my question is, do we really need this huge investment in a Manhattan Project-style undertaking, or do we just need companies to implement these basic and well known technologies that have been around for years?
Yeah, it's a great question and I agree fundamentally 100 with what you're saying. If you are 5 6 and weigh 500 pounds, smoke three cartons of cigarettes a day, and you say to a doctor, you know, I want to run a marathon, all right, there are some steps you need to take here first. And I think the same is true with what you pointed out. Absolutely, we should be closing our windows and front doors and locking them, and most people, as I pointed out earlier, are completely wide open. So all of those obvious things should be done before we get on to an elite level. But I also think the ability of companies to do it, as I understand it, with no disrespect, their fundamental understanding of both the threat and their opposition, meaning how organized organized crime is, is kind of limited. So they can make great progress by taking those basic steps, but they don't take them. And I will point out we were talking about some of the business opportunities here. According to a study by Gartner, there's going to be 100 billion spent on cybersecurity by 2017. 100 billion globally. And cybersecurity by 2017. We're not getting very good ROI on that pending. And is to to on that spending.
And so to your point, there's tons of low cost things we could also do that would make a difference.
Thanks, Glenn. I'm sure Marc will stick around to answer some of the questions that we weren't able to capture in the broader forum, but thank you, Marc, for being with us tonight. Thank you, my pleasure. Thank you everyone for attending. Thank you. [applause] Thank you. [inaudible conversations]
Booktv is on Facebook. Like us to get publishing news, scheduling updates, behind-the-scenes pictures and videos, author information and to talk directly with authors during our live programs. Facebook.com booktv.
The judge's decision back in 2010 is really instructive because he's the first person who is a neutral person to have reviewed all of the evidence in the case. And he decided that the evidence in the case was either not credible because it was obtained through torture or coercion or for other reasons. And I remember reading, you know, the first time I was able to read the diary years ago, so much more became clear to me because Mohamedou talks about the torture that he was subjected to that resulted in him providing false information about himself and others. Because, essentially, he was told that he was told what they wanted him to say. And so he was also in a position, he says in the book, of the more incriminating the function he could make up, the fiction he could make up, the happier his interrogators were. There's one point he talks about, whenever they asked me about somebody in Canada I had some incriminating information about that perp even if I didn't know about that person, even if I didn't know him
