P. M. Eastern on cspan. Now, a discussion on cybersecurity and how the department of Homeland Security is changing to meet new threats. Panelists include leading experts from both government and corporations, followed by remarks from former National Intelligence director dennis blair. This is an hour and a half. [inaudible conversations] all right. Were going to kick start this. I know some are on break, but just given our time crunch, i want to make sure were able to cover enough time for panel to actually share some of their insights and thoughts. This is a bit of a, it coffers a wide range of issues from insiders threats to foreign counterintelligence to cybersecurity, but i think one of the things we hope to be able to do is show how they come together, where they do come together and where they dont. And, quite honestly, theyre treated as very pratt disciplines separate disciplines, but i thought we have a great group to shed some light on some of these issues. Firstly, let me introduce michelle van cleave. Michelle is one of the titans in the counterintelligence world with. She worked for, she was the first director, i believe, of ncix when it was the National Counterintelligence directorate, when it became part of the director of National Intelligence function. So under president bush she was running ncix. Following michelle we and shes worked on the hill, shes worked on numerous committees focusing on cyber issues and counterintelligence and National Security issues lock before they were long before they were cool. Shes young, but before they were cool. Stop when youre ahead, frank. Jeff hancock is one of our senior fellows here. Hes been instrumental in our active defense work and our task force looking at active defense issues. He comes from a background in the private sector and in the public sector. Hes a former special forces officer. He worked cyber at the pointiest end of the spear which i think adds a lot of flavor to the issue. And hes also worked at Small Companies like microsoft. [laughter] and last but not heath, we have brian cantos who i want to thank forporting us in the Conference Today supporting us in the Conference Today. And he, too, has come to his current role with extensive background in a number of Cybersecurity Companies ranging from riptide to, remind me. Youve been bell labs so all the companies. So actually brings a very good perspective from cuttingedge companies in terms of some of these issues. So what i thought wed do is start with michelle to sort of paint a picture a little bit, to provide a primer. I think when people think foreign counterintelligence, when they think counterintelligence, they immediately think security. Obviously, there are some similarities, but there are also some differences. Youve got to understand yourself, youve got to understand your enemy. But, michelle, id be curious what some of your thoughts are in term of how should we frame this in terms of thinking about some of these issues from an Insider Threat all the way through to foreign counterintelligence . Well, lets start by considering what we mean by foreign intelligence activities to begin with. Theyre all the range of things that foreign adversaries and whether they be nationstates or other entities do to try to steal our secrets, but also to hide theirs and to deceive us into thinking or doing the things that are going to be in their interests. So there are influence operations as well as collection activities that fall within the range of things that counterintelligence worries about in dealing with foreign intelligence threats to the United States, to our interests at home and abroad. So counterintelligence, therefore, becomes the full range or is the full range of things that are done, information acquired and activities conducted in order to identify and assess these foreign intelligence activities, in order to neutralize them either through denying them access to the things that her seeking that they are seeking by deceiving them or let me also add by exploiting what we learn and understand about these foreign intelligence activities. So then frank within the range of things that are done to protect our secrets, we certainly have a full range of security activities or that are performed in order to protect secret information, to protect against access to things that are important to our National Security. So the full range of security activities, operations security, physical security, information security, personnel security which we will get into these are things that are done to protect our secrets, to be sure. But beyond the protection, counterintelligence looks to understand how the adversary is going after these things, what their intentions and objectives are, how they are resourced, how they are targeted, how they are recruited, what the nexus of their relationships and liaison relationships may be. In fact, the full range of things that the Foreign Intelligence Service or entity does in order to be able to say, aha, now we can identify what are their vulnerabilities such that we can look to those vulnerabilities as ways of stopping them. And best of all, best of all is foreign intelligence adversary service to think that it is succeeding in what it is doing against us when, in fact, our insight into their operations is sufficiently refined that we can misdirect their collection and their operations in order to protect what we are doing. So you might see in that short explanation the potential sometimes for a tension, and ill call it a healthy tech, between what counterintelligence tries to do engaging, as you will, with the adversary and what security and security operators and personnel may do in trying to shut things down and deny access sometimes operationally. You need to have the ability to let things play along in order to better understand whats up. Thank you, michelle. Does that help . That works great. Jeff, youve put together, youve put together Insider Threat programs for a number of companies, small and large. I mean, talk us through what that looks like. I mean, at the end of the day, if you want to glean information, you can glean it as were talking about through cyber means which are vulnerable and susceptible, are intellectual property theft, but you can also just recruit an insider which, obviously, can have the same impact. And i think were starting to see a confluence and convergence of intelligence disciplines in this space, what used to be technical and human is coming together to a large extent. But i think the same things are playing out in the corporate world. Very much so. Help us think that new. Very much so. A program is really in part two things for this broad conversation. Its both the Technology Used which is actually a smaller part, but its the method and the process that the organization can use to identify its most important information, protect it, understand how its protected, understand how its used within the organization and identify those vulnerabilities. From a broader perspective, its very much a defensive position for an organization to be in. Whereas counterintelligence we were talking earlier, counterintelligence is more the offensive view of securing an organization, Insider Threat is understanding where your issues are, where your risks are and having the method of protecting that information. And then going through that process, developing a whole program plan with the organization, developing the technical means by which you can detect inside or outside. Because at the end of the day, in cybersecurity its a 1s and 0s problem, right . So theres very little determined to be if theres an Insider Threat or outsider threat. Looking for those things digitally, youre not going to tell a difference. Behavioralically is what you are looking for. Behaviorally. Theres some key foundational components when developing a program like this for any size organization, and its really helping the organization understand its risk appetite. Where that information sits and how they want to secure it. And, brian, i mean, and i think jeff hit on a point we were chatting about earlier, and thats looking at behavioral analytics. But where do the two converge . Where do they come together, and then shed some light a little bit on where we see the various threat actors and ranging from disgruntled employees to sure. Obvious nationstate sorts of threats. Ill answer the second part first. I tend to think of the four gs, grandmothers, gangsters, government and guerrillas. Minor actors such as hactivists and nationstate actors. Its simple for us to think of this as siloed groups but, in fact, theres a lot of overlaps between these disparate or seemingly disparate individuals or organizations x. Then it come down to a simple statement, why hack when you can recruit . If you have somebody that already is trusted, that has access, you can operate with much more ease, greater stealth and exfiltrate greater information or commit sabotage if that is your goal. Within the insider group, i see the careless insider, somebody that just made a mistake. They dont know theyre being malicious, they just left the back door open or did something by accident. We see the malicious insider that was either malicious when you hired them or perhaps became malicious over time. Maybe they were recruited x. Then we see the masquerading insider. Now, these arent actually employees or partners or trusted individuals at all. Its somebody that has simply hacked into or accessed one of the individual accounts like a Privileged User account, system administrator, a database administrator, network administrator, etc. , and theyre pretending to be that individual, and theyre using that individuals rights and privileges to dive deep into the environment. Now, the interesting thing about Insider Threat is the the information thats required in order to interpret this information, in order to capture these individuals potentially is actually out there. We have this information. We get this from network data, we get this from data from applications and databases and different security tools. But we dont have a good way of using Security Analytics or tools that can analyze this flood of information. Oftentimes pulling in physical security devices, h. R. Databases, performance review, and looking for predictive signs such as somebody thats expressing antisocial behavior, somebody thats going through a personal or professional crisis. This doesnt necessarily mean that these things evolve into a malicious insider, but they can be. Its definitely something that would warrant further research especially if youre dealing with a Large Organization or a Large Government Agency and you have to remove some of the hay so you can actually get to some of the needles. So by leveraging Security Analytics and getting past this notion of just prevent, detect and respond and getting in front of it to predict potentially nefarious behavior really gives the good guys an added advantage in this new war and allows us to operate more efficiently and more effectively to mitigate these threats regardless of how theyre being sourced. To pull a thread on that a little bit, id be curious on some of the privacy questions when youre thinking about some of these issues inside a Corporate Governance or a government environment, and then i want to pull, go a little further in terms of threat actors. And im going to open that up to all three. Who is it we should be i mean, the obvious, russia, china, iran, north korea, this is not rocket science. Yeah. But i think its also fair to say that every country that has a modern military has a cyber capability too. So id be curious what some of our thinking is here. Start with the privacy, the hard one, because thats yeah. To understand when somethings abnormal, you have to understand the normal. Exactly. And to understand the normal, you have to be able to collect the data so you can, therefore, analyze it. And its different country by country, organization by organization, agency by agency. Are we going to be able to collect all the data that wed like to so we can leverage it to detect these insiders . The answer is, no. Were going to have limitations. Were not going to get access to everything, but we have to be able to make do. In fact, were to the point now with Artificial Intelligence and identity correlation, these new types of machinelearning techniques where we can weaponize data. And what i mean is it used to be a hindrance. The more data you have, the harder to analyze it, the more people it took, the more processing power. It just hurt you when you tried to do analytics. Today weve actually come across that chasm, and were actually seeing the more data you give us, the more context we have. And with the more context we have, we can actually respond to this. Now, the privacy issues have to be addressed, of course. But in most organizations today, fortune 500 and government agencies, we find we have enough data to be able to address it. Now, to your other point about the threat actors, ill Say Something quickly about those. Samuel cole had a famous quote that said god created man, but samuel colt made them equal. Truth in advertising, his pr agency said that, he never said that. But well go ahead and say he said it. [laughter] were seeing cyber as a great equalizer. You neednt be a great country in order to facilitate war from a cyber war perspective. You dont even these to be a nationstate to mount a prison aggressive campaign. And depending on whose statistics you believe or as accurate at that time, roughly about 100 countries today have the capability of mount what we might define as a sufficient cyber warfare capability. Again, back to my earlier statement, why hack when you can recruit . Its much easier to go in through the back door, steal intellectual property, commit sabotage, these things are far easier when somebody has trust and access. Just to build on that, i want to get jeff and michelle in, but to build on your why hack when you can recruit, you may want to say why invest billions in r d when you can steal. And thats precisely what countries are doing. Its the theft of intellectual property which is very expensive. A lot of money poured into that. And youve got countries that are literally putting, theyre spending their savings on market share and gaining market share because theyre stealing but it really is a come combined arms approach, if you will. It is the use of integration of cyber attack and human access that presents the gold opportunity. So to the extent that foreign actors have a strategic objective and a strategic purpose and employ the resources that they have at hand to achieve those purposes, we will see that the linchpinover a successful cyber exploitation, for example, might be the human actor that is recruited on the inside that can provide that access. So you look at the, you know, news reports or, for example, that came out of the, that came out of the stucks innocent activity stuxnet activity. When the news reports said that planners involved in carrying out that attack identified as the holy grail, the individual engineer or other individual who may be working at that plant who was very careless with a thumb drive, and that is the, you know, that is the, that is the linchpin that enabled, potentially according to news reports, proper caveats that allowed that attack to go forward. So when you stand back from that and say, therefore, what does that say to the United States as far as the threat environment that we face, we do have this broad experhapslation of capability extrapolation of capability now among a variety of actors where there were a smaller number we might have dealt with in times past. But we also have a prioritization of our resources. And the prioritization of those resources needs to be based on, you know, what are the overall objectives of these entities with respect to harming the u. S. Or our interests, friends and allies. So we have still have a prioritization that says, look, its a different order of magnitude, a different order of magnitude when the chinese, for example, have a National Policy of economic espionage that they are carrying out with great effect across the United States versus the onesies and two says, as harmful as they may be in individual cases, but the onesies is and twosinging ies that other actors may engage in so you would put china at the top of the list . Engage anything economic espionage . On economic, yes. On overall capability, i think that the russians give them a run for their money. Thats where i come down. Now, one thing thats important to tease out of this is the line between Computer Network exploit or espionage and attack is all hinging around intelligent. If you can exploit around intent. If you can exploit, you can attack. Yes. And i would argue i can understand the theft of intellectual property. Its unacceptable, but i can understand it. The next question you would have to ask is when you see the theft of our Critical Infrastructure in mapping some of that from a very sophisticated standpoint, that has no economic value, thats purely for potential future crises to be able to put together part of their warfighting plan. So, i mean, thats where when you hear about our grids being penetrated, that may not have the same Economic Impact as the theft of the intellectual property behind it, but it actually has real National Security agreed. Jeff, where would you rack and sack . I mean, michelle kind of lined it up with where i am, but id be curious where some of your thinking. Where do you see the government of iran . Where do you see other actors that may be less constrained from engaging in Computer Network attack . So i think a couple of things. Im taking a step back. So if your organization is breached, and we look at the breach reports every year from a variety of vendors a lot of them say within that first five is Insider Threat. That theyre concerned about it, but theyre not sure about it, and theres reporting issues on it. So so theres always this gray area of how Insider Threats are leveraged within ab organization. As a bad guy, red teaming for a handful of years, so im pretty familiar with this method of operations, as a bad guy, its easier to sneak into a network, steal somebodys access rights and look like an insider. All day long. And go hide out on a network, right . The average length of time, supposedly, is over 200 days. 200 days is a considerable amount of time as a red team guy be, give me four hours in your network, we can map it out and make off with your data. Theres a bit of espionage going on, gathering of intelligence, we talked about it earlier from, again, that bad guys perspective, looking across the infrastructure and the networks of companies and corporations to pick selected pieces of data and information from an espionage perspective, see what they want to ransom out, black people people out. So theres a blackmail people over. Not be overwhelmed by all these optional issues that they need to deal with. From a nationstate perspective, right, i fully agree with, that nationstates represent the biggest challenge. The opm breaches was a great example of that. But were also aware of major nationstates going out and hiring smaller organizations, smaller individuals in Different Countries of the world, giving them toolings that they knead and having them need and having them conduct that hack, that investigation, that espionage, that intelligence gathering so the nationstates can sit back and really just fund the work from a variety of sources. And that actually gets to your point, right . An organization, a country, a nationstate can attack a Critical Infrastructure provider to create a ddos attack while all the while theyve asked somebody else to come in a side door to map things out for a potential broaderbased attack. But then on the nip side, you also see flip side, you also see nationstates, china, rush, you name it, really wanting the path of least resistance, steal our ip and copy, create and go create something with it. Jeff, i want to pull one thread, then im going bring brian in. You mentioned the ddos. Theres been a lot of attention on ddos attacks being primarily that, diversionary attacks. Can you say that with confidence . Absolutely. Empirically . Years and years ago it was harassment. Oh, my gosh, this guys falling i cant connect my email. Nowadays its pure and simple distraction. Theres so many other things going on within a network, its simply distraction. Brian, i want to pull a thread i asked of the panel earlier, and how Many Companies went into business thinking they had to defend themselves against foreign intelligence. [laughter] not many. But the battlefield has changed to incorporate all of society. Companies are paying for the real and or perceived sins of other government agencies, this, that and the other thing. And id be curious, i mean, our government, all governments dont have a great track record from defending against espionage. There have been many recruits in place, there have been many individuals who have leaked quite a lot of information. So if our governments cant do it, what can we logically expect companies to do . And what is the outcome . Yeah. With so you do this every day. So i know no one can wave a magic wand and provide 100 security. Theres no such thing. Unless we live under a rock and shut every phone down and what have you. But what can you expect out of that . I can tell you being from silicon valley, if you go up to sand hill vc and say our Business Model is to be the most secure in the world, youre not going to get funding. [laughter] so, you know, a lot of people ask, you know, should we, should we enable organizations to respond. Should they be able to respond in force not key netically, of course, but with a cyber attack. Honestly i think that, one, the Collateral Damage that can be caused by that could be significant. Weve seen the Collateral Damage from other attacks, and it can be quite severe. I dont think that organizations are in the position to do that. Now, i do think that our government is learning. We are are actually learn, more quickly than i think we give ourselves credit for. We think of the space race, the Wright Brothers were in 1903. Chuck yeager broke the sound barrier in 1940 something. We had a man on the moon in the 60s. This is increasing at a much faster rate. So were actually keeping up pretty well. But the sort of convergence, if you are and maybe thats the wrong word, but the information sharing, the ability to act more quickly, more efficient will hi and more effectively is really whats needed. And were in this paradigm again of trying to prevent everything we can. Patton had a great quote that said fixed fortifications are a monument to the stupidity of man. I think if we think about cyber, it is such a moving target that we need a much more adaptive approach. We have to be lean and mean, and the cooperation between the public and private sector i know this is like motherhood and apple pie but that cooperation needs to really be enhanced. Im seeing pockets of it in certain areas. Im seeing fing si facts for the fsi facts for the financial industry, automated manufacturing, i dont think we have enough of it. I think a lot of people are Still Holding their cards too close to their chest, and they dont want to reveal what they know, the new tactics, techniques that the attackers are using. And i think until we get to the spot where were sharing information and we can learn from each other, the bad guys are going to have the advantage, and they know it, and they know theres a window where ec execute. Youre forcing me to ask a followup on this. So theres a lot of space between hack back and do nothing. Yeah. And build stronger walls. Yeah. Higher walls, bigger moats. Again, i dont think whats internal external, i dont know what the perimeter is anymore because our attack surface is growing exponentially, and its all shared in the cloud and this, that and the other thing. But the question i would is ask is where do you stand on forensickings collection which can be proactive, but youre not hacking back . Yeah. So you turn that information over to the authorities, to the fbi, to whoever it may be. Do you feel companies ought to be doing more in that space. Now, granted, not all companies have the wherewithal to do it, but i would argue the Financial Services sector is as sophisticated than most governments be not more than most governments. Yeah. The devils in the details, right . Absolutely. If i hand over information, that could very easily contain lots of sensitive, lets take a Financial Services, lots of financial sensitive information, pii, etc. , health care the exact same thing which is probably even considered more sensitive than Financial Services im saying your data that you already own. Yeah. The data that we own could contain Sensitive Data about employees, partners. And it will. Being able to filter and screen it might make it unusable for forensic analysis. Its a very, very difficult problem to sf. I think in most cases most organizations dont feel comfortable sharing that level of data. I think that in the future there might be Something Better we can use to adopt this information sharing where things are scrubbed and, you know, this is a bit of a utopia. Im sorry, im asking a different question. Im saying if your data is exfiltrated yeah. Do you have the ability to do forensics collection on the perpetrator . Ah. So its putting beacons on your data, its lighting up your information. Its your data. Im to not suggesting i think that is a bridge afar, to your point. Sure. But there are lots of technologicallypossible techniques that arent being fully exploited. Things like honey tokens and things like that. You bet. Absolutely. So in that case, im a big fan of that, actually. Okay. I think thats a great tool. But if that goes to certain countries, iran, for example, there becomes legal issues now because thats actually considered sending technology to those countries. So from that per perspective, legislation needs to catch up with what we can do from a cyber perspective. Because a number of countries would love to see fake data with these tokens so so they can track it through these black market ands over the deep web and dark net. You know, it sounds a little bit like science fiction, and actually some of it is. [laughter] but the reality is we can do a lot of this today, but were legally prohibited from doing much of it. Jeff, any thoughts on the cyber side . And this is an unfair question because hes working with us on a project on this. So, certainly, the legislative issues aside, when you look at the ability to do that and its being done today which i know it is being done today, leave it at that theres value in gathering that data. It is counterintelligence to a degree. Its gathering data on bad guy behavior which is instantly value are bl in a variety of formats. However, there are those legal challenges that we have to address at some point in time. But its certainly plausible and not too difficult to be able to put beacons on data, to be able to track the information, track it opening, destroy data when have data deleted if its accessed outside of your network. Theres many different ways of being able to do that. I think, again, when you talked to the first part of your question, right, youre getting into the issue of Insider Threat and counterintelligence. Absolutely. Is that a whose role is that, right . Is it a corporate role . Is there convergence between the two . Is there a struggle between how an organization offensive versus defensive. Not easy questions, but there is a framework for these things. Absolutely. And you have a linebacker in football, american football, where, yes, there are defenders. Theyre trying to keep others from scoring on them, but they can have an offensive mission if they fumble. Is there are all sorts of analogies to play with there. But, michelle, it takes us back to where you started. There is a difference between security and the role of a chief Security Officer and someone who understands foreign counterintelligence. Well, and i think its also very important to discuss the vulnerabilities in order to protect proprietary information to defend privately owned and held and operated networks against potential Cyber Attacks x theres a full range of things that this conversation has touched upon, but we would be remiss if we did not also acknowledge the use of cyber attack for collection against traditional National Security targets. And i will say from the standpoint of u. S. Counterintelligence, perhaps the devastating moment really was the breach of opms records which is rather in one sense a traditional type of a cyber attack against a set of records and the exfiltration thereby of some 22 million individuals records held at opm that includes the most sensitive things. Now, i got my notice from opm, we regret to inform you that your data may have been compromised, blah, blah, blah, and maybe many of you here did as well. But whats, what is perhaps less appreciated and what we dont want to think about too hard because it gives us nightmares is the way in which this information will be used, maybe is being used by the nation that took it. So its likely as has been said and speculated publicly that the chinese were behind this exfiltration and that the records that they now have acquired are essentially all kinds of the most sensitive personal insights on any individual whos ever done any classified work for the United States government whether on the inside or as a contractor because virtually all of that, with some small exception, were held by opm. So your information about, you know, where you travel, for example,ened up in these ends up in these federal personnel files which means that it will also disclose reports of any foreign contacts that you might have had. And so if you are, if you are behind this, if youre the adversary behind this and youre putting together the network that shows who is speaking to whom and where and when and why, you begin to develop an understanding potentially of u. S. Intelligence operations, human operations worldwide. You certainly have an opportunity for defining potential recruitments of people who have access to information that you have, that youre interested in in reaching. So the way in which these files are going to be used,s this is a nightmare for u. S. Counterintelligence Going Forward for years and years and years because of the extensive reach. So then you saw people talk about this on behalf of the administration, spokesmen saying, look, this is traditional, this is terrible, but lets recognize it was traditional espionage. Its the kind of thing that nationstates do against one another all the time. So we shouldnt, we shouldnt think and we do it too, so we shouldnt think that this is all that, you know, devastating. But i will say from the standpoint of wearing a counterintelligence hat, every single american out there should be saying this is unacceptable. It is unacceptable that we are this vulnerable. And it is unacceptable that we dont do anything about it. Because on top of this, you have all kinds of attacks in this case by the same actor against our Health Insurance companies, for instance, acquiring more personal information or against extramarital dating services acquiring other kinds of information and buildings doiers. And dossiers. And building dossiers, 22 Million People is 7 in one vacuum. 7 of the u. S. Population. Add to that more people and more people and more people, and whats going on here . What is going on here . Why, why are the chinese and potentially others building dossiers, personal dossiers on so Many Americans . Whats the end game . I think i understand the end game from an intelligence perspective, the recruitment kinds of things, understanding what our Intelligence Services are doing in the world. They want that information for specific reasons. But why theyre building these kinds of personal dossiers on others, why the attacks against our Health Insurance companies, for example . I am sitting here somewhat mystified. And yet it is going on, and it is an invasion of our privacy daytoday to day. And we should sit up and take notice and demand action. Yeah. So carrying on a few things there, yeah, key point, right . I think participating in some of those resolutions of the opm breach, it was that aspect that she just described is so lost on so many people being, oh, its just a data breach. I protect my personal information, thats great, ladidah. The volume and impact of all of that information puts together a traditional diorama of whats going on in the world. And that cannot be understated as an area of priority. If you do try to do some of the Damage Assessment coming out of that . And the impact of what that means and what it looks like for individuals, for elements of the government, for our nation. And it is quite, you know, weve talked, many people talk about the cyber 9 11 and ladidah, that old, big concept. I get that. That was about about the most closest thing that anybody could be considered a cyber 9 11, in my opinion, because of the data that was available and accessed and what that informations doing today. The challenging thing there is the process from which that was accessed and exfiltrated, again, goes back to my previous point. Its a 1s and 0s. Was it an insider . Was it not an insider . They had access, they had logon credentials to get to that data. So traditionally a threat situation; you may not have ever seen that happening. However, if you put the counterintel hat on you now, wait a second, bad guys want this information. How am i protecting it, how am i confusing the enemy about this . There is definitely a crossover between Insider Threat and counterintelligence for every organization that holds data they think is important. And just to add to that nightmare, this came just in the wake of Edward Snowden i was about to say coa compare and contrast there. Yeah, i mean, that is just so staggering, it is beyond our ability really to describe how serious that is. I mean, we were talking about Damage Assessments. When i was the National Counterintelligence executive, one of the responsibilities of my office was to do Damage Assessments, and i will tell you it was difficult enough doing a Damage Assessment on a longserving spy on a plant by the chinese for 17 years, and 17 years is a very long time to have access to such sensitive information. And what are the permutations of everything that she compromised. Its a very difficult process. Take that and expand it exponentially into what Edward Snowden was able to abscond with and hand over to the russians. So i, i dont envy the people who today are trying to assess the extent of this damage because it is just extremely brian, anything you want to pull into this in i want to save time for at least two quick questions. Ill just add one item on to that. We are working with a very large oil and gas company. I guess theyre all very large. [laughter] not all. These, they suffered a spear phishing attack, so an email campaign that was going after the executives in this company. And one of the executives was compromised. Malware was inserted on to his laptop i have. The via the spear phishing campaign. But once he was compromised, it was able to move laterally to the other executives because they thought they were receiving emails or connections from this other executive. For over two years, 90 of the executives at this company had had their systems compromised. They are capturing every document, every email, every password, every communication. They turned on keyboard monitors so they could track everything that was typed, they turned on the video camera x they turned on the microphone, so could you imagine 90 of the executives at this companied company had theio camera turned on for over two years. So when youre talking about measuring the damage of Something Like that, we dont even know the extent. A lot of the bids are closed like that in terms of, hey, we found a new oil deposit, wed like to bid on that. The ramifications of that could be billions and billions of dollars in revenue but could also have an impact on National Security because it is about power and energy. So just to share that example. And i might note the significant exploitation of our intellectual property is an attack on our Economic Security as well which is inextricably interwoven with our National Security today. Well are time for two questions questions. Lynn and who else . And well and right up front. Sorry. Lynn ma tice, senior fellow here at the center. To carry on with the opm thing, everybody forgets to say there may have been 20 some Million People that were affected by it, but it doesnt count all of the people that they had listed on their forms. None of those people got their data but to follow up on a point that was talked about the Economic Security since thats an issue thats near and dear to my heart. Michelle, you probably remember in 1995 when i was sitting on the Advisory Board for the thenbrand new National Counterintelligence center, we came in front of the intelligence policy board you were chairing, and we got the private sector inserted into the National Intelligence policy as a legitimate consumer of intelligence, and youll also probably recall that the i. C. s response was theyre not our customer. 2014 when clapper put out his latest strategy document, the private sector still is not listed as customer of the Intelligence Community. But we went from in that briefing with you in 1995 of having eight countries that we are aware of that were actively and aggressively stealing technology to the latest report out of the National Counterintelligence executive office that says theres well in excess of 140 countries now actively and aggressively stealing technology. Why is the Intelligence Community continuing to bury its head in the sand and not acknowledging that they have a responsibility to the Economic Security of this country in educating the senior im going to have to ask you to we have two minutes. Educating Senior Executives about the risks theyre facing so they can take actions . One of the things i thought the congress was wise to do when they created the National Counterintelligence executive was to give that office an explicit responsibility to reach out and help educate and provide information to the private sector. So its explicitly in the statute. I think what you imply for the what you find for the Intelligence Community is they say, look, our job is to collect secret information as tasked. So policy tasks the Intelligence Community, they come forward with the information x then there needs to be an appropriate entity that is responsible for the dissemination of that information. And in addition to that, we need to have a wiser way of government industry partnerships that really are genuine partnerships that arent simply, oh, Everybody Needs to get along and share information. I think as far as analysis and when we say National Security we think of things directed against the u. S. Mainland and its commercial operations here, here the threats are around the world. We are in a Global Society and what im not hearing in this conference and in the Intelligence Community more generally is the realization of mistakes that we have, for example, with regard to the South China Sea which doesnt involve direct attacks on does come with regard to iranian domination of the economy in the gulf area, which is their main thrust. More so than a Nuclear Threat against the United States, although either one is pretty terrifying. But the point is there are many issues of security that are not in the United States, even with the government or with private industry, but very much affect in the broader sense our National Security. Anyone want to comment on that . A very good point. Put another way, yes your and i also think when we think about Insider Threats, when we think about cyber, when we think, i mean, technology will continue to change whatever we are thinking about today. I hate to say, we are all wrong. It will change. Thats a constant. Human nature will remain the same. There are only a handful of different motivators. I dont care through what means and or vehicle. Once we understand the motivators, the behaviors, and if we can do in such a way where we are doing it where we dont undermine our privacy, i think were on our way forward. Please join me in thanking an amazing panel. [applause] and wear down to one last. [inaudible conversations] all right. So we are down to our last keynote speaker. And thanks, everyone, for joining us. You are not going to be disappointed. Our final speaker is admiral dennis blair. Admiral blair is i think itll here knows is a former director of National Intelligence. He also served as the were calling them before combatant commands, he was cink in the pacific region. He served in senior positions at the joint staff, at the nsc. Everyone knows admiral blair as a thinker and doer. A soldier and a diplomat. And im thrilled to be able to have him cochaired one of our major initiatives on active defense. In addition to that, his bio is an annoyance adults are not going to go into that integrate specificity, but the israeli chairman of the board and ceo of a u. S. Japan entity and were thrilled, delighted. Thank you, admiral blair for taking time to join us today. So thank you. [applause] this is my cyber day. I was done this way at the Naval Academy with an Advisory Panel on their new cyber center, cyber measure. It is wonderful to see the next generation coming along. Part of my vision is never to be part of a meeting on cyber in which im the youngest person in the room, and i think i can achieve that. Thanks to those of you who are showing an entrance to stay on at this point in a daylong conference. Generally everything has been set. It simply has not been said by everybody. But i will try to avoid that trap and perhaps raise a few new ideas on this very important topic. As i was looking over the agenda that frank put together, i saw so many current officials, retired officials, all of them veterans of this two decade old struggle to keep americans safe. I know, ive worked with many of them. As i thought of the contributions i was reminded once were of a great injustice of the common American Public opinion towards these men and women and towards their colleagues. They are to a person dedicated, idiotic, incredibly hardworking, motivated by a burning desire to protect their fellow citizens and determined never to let Something Like 9 11 ever happened to this country again. And yet somehow they have been characterized publicly as a group of civil liberty and privacy trampling roads who try to pry a sequence of the lives of their fellow citizens, not to spend their days poring over, and the, poring over information about innocent citizens for nefarious purposes. They are running wild on the head, and used against innocent citizens. But most of you who are now working in this business i think are shrugging off the characters. You go about your jobs as diligently as you ever did, but i do think it is up to those of us do our public voices to use them to oppose this misconception, to tell the truth. That the Public Service and the National Security area are working incredibly hard to protect americans, that they carefully follow the limitation on the activities set forth by the constitution, the laws of the land, executive directors and in both the legislative and executive branches. But thats another speech for another location. Button gwinnet wanted to give tt speech, and i go by colleges and talk about that, i find that there really is, can be understanding of what these dedicated Public Servants are doing it. Not ignorant rejection. I think americans can understand the realm of the efforts made to protect them and we need to continue to explain that reality so the correct ideas for widespread. And to those of you who may still be here, still working at places like dhs, nctc, the fbi, state or local on forstmann but, keep up the great work. Its nice to be appreciated that the nation is more important than that appreciation. But a subject i would like to talk about what the big developments in the of Information Technology that are cascading on us at, how applicable effect Homeland Security. The two biggest ones of course our big data and internet of things. As a first order of observation to widely exaggerate it, i would say that big data will over all help us in all my security mission, but i think in contrast the internet of things will overall heard of. It will make our jobs more difficult to protect our fellow citizens. Let me talk first and were briefly about big data. After all, the intelligence business, much of our Law EnforcementCrime Investigation business, has always been about what is now called a data. Processing large and complex data sets including analysis, search, sharing, storing, transfer, and query to repeat a few of the words that appear in the wikipedia definition of big data. Using mostly endless brain and in recent years weve been trying to supplement, to strengthen that was connected databases, algorithms. Weve attempted to find and track the traces of criminals and terrorists live in the Digital World with the goal of identifying and solving them before they can launch their attacks. The large unstructured data sets can be understood and manipulated, the more the questions can be asked across of these databases, the more the algorithms can do this work, training that human brains to do the detective work that only a trained analyst can do, the better we will all be able to do our jobs. But because of this false perception of what intelligence and Law Enforcement is all about, special in the terrace area i mentioned, well have to gain public support for the authorize use of whatever big data tools may be developed in future. That would be wonderful, ideal if nctc analyst could sit as his or her keyboard of you which every american who made multiple visits to jihadists websites, and perhaps traveled to pakistan a couple of times in the last few years, or maybe to belgian or exchanged emails with extremist and maintained a facebook site that maintained sympathy towards the United States. I would argue this information is not so different than the information that Law Enforcement authorities received from other sources, a concerned relative, a tip from a source. And Contact Information from data sets is less subjective, less subject to misuse event information is that comes from human beings are however right now Homeland Security and Law Enforcement regulations, organizations cannot freely use even data sets for which there is no reasonable expectation of privacy. And yet as we know ironically they are strongly criticized if they do not follow up every lead from much more questionable source of the, that way when something happens. Theres a great deal of public debate on these issues as some propose legislation to try to set up ground rules for some of it, but it will take a while i think of Public Policy to be decided in this region and for the government to be able to know just what it can do. So big data will have potential to make the country more secure but we have to figure out how to use it, how to use it in ways that is trusted by the public as well as simply being effective. The situation is different for the internet of things. It is true that ubiquitous surveillance cameras, many of them controlled and reporting data over the internet have become important for protecting sites, for deterring attacks on them. In addition they have become key sources for reconstructing events during investigations of terrorist incidents in trying to pursue those leads on to prevent additional activities by the same group. That the huge number of new centers that will be attached to the internet, really that will make up the internet of things ca,really when i provide that mh additional sensor data that i think will be helpful in identifying, finding or tracking terrorists. And they can open up huge vulnerabilities, to potential attacks to groups and even more to criminal organizations and to criminal individuals. As with most vulnerabilities of the internet and the devices attached, this prediction is not inevitable. However, it will take a great deal of work in order to change that prediction and i would be safe in making it right now. As with more i. T. Development of the positive applications, the whizbang, the features that are receiving the most attention, the most funding, the most buzz come under the essential that security can be added on later, a coat of paint following final assembly. Where have we heard this before . Well, for virtually every major i. T. Development that for has happened to the idea itself, mobile devices, the cloud, the wonderful of you were of what advantages will bring us overwhelm the debate early on and later on from the dull, boring security people who are then told to fix it. But the assumption, because of some the earlier matters, the assumptions that security will come later for the internet of things has become slightly more sophisticated than just turned over to the security guys. Heres a report from wind river put it last year but given the novelty of iot and the pace of innovation today there seems to be an expectation some entirely new revolution Security Solution will emerge that is uniquely tailored to the internet of things. That we can send a compressed 25 years of security evolution into a tight timeframe in which next generation devices will be delivered to market. But whats the situation now . After all we already have an internet of some things. The current state of security devices on the internet is not encouraging. This self proclaimed Search Engine of the internet of things, show don, searches the web and you can log on, you can see many unsecure devices. You can find thousands more. You can look at what web cams are showing in sweden. You go into video game servers in eastern europe. You can look at what Wind Turbines are turning up in the United States all completely open. A recent report by hewlettpackard stated as many as 70 of devices currently for sale in the iot are vulnerable to attack. The latest report says there are 6. 4 billion things attached to the internet, about a third of a billion dollars every year spent on the internet of things. Predicted to go up to almost 12 billion things in two years, spending to go up to about a half a billion dollars. From the terrorist perspective the most dangerous vulnerabilities of the iot have to do with the potential for physical damage to largest assistance as more and more web connected sensors are added to these systems. Consider the vulnerability of networks of Utility Companies that will be offered by the smart grid with millions of customers, houses, factories, buildings all look up to the central servers of the Utility Companies. What are the chances that security functions of every single one of those computers will be configured correctly . Yet every integer home electoral Monitoring System is a potential factor into the complex systems controlling and routing of electricity on that degree. The recent attacks on the ukrainian electrical power system show the damage that can because once you get inside the low distribution systems. There are security features that prevent a hacker with accessories marketed the box which you get access to the entire grid control system, but with millions of points of access to the Utility Networks the tax base to defend it becomes enormous at the number of points in which an attack can be made is multiplied exponentially. The second vulnerability opened further by iot is the proliferation of legitimate and insecure computers that can be used for botnets. Today most botnets do not have adequate security, then used in tos attacks against commercial or other websites. The computers that connect and control data on devices on the internet of things will provide hundreds of millions of new potential bots they can be turned against legitimate websites in schemes to have ransom payment, shut down traffic or for other purposes. Yes, there are security features that if implemented can prevent unauthorized access to computers on the iot devices but it takes money and attention and checking to do so. Most of the devices being sold, the computers, programs that govern them, have known vulnerable operating systems, open Access Points every night provisions for future patching. The third and most frightening vulnerabilities Controlling Computers on individual devices i criminals, by potential terrorists are without adequate security, pacemakers could be manipulated, internet cars can be run off the road. Systems could be disabled. So the internet of things as looking like a pretty attractive place for terrorists, as i looked out of there. Brave new world. Regular criminals of course will be well ahead of that and will design many more which they will make available to terrorist used for more nefarious purposes and making money. So whats to be done . That same report i cited earlier makes an observation backed up by reports of other major i. T. Companies. There is no Silver Bullet that can effectively mitigate every possible cyberthreat. The good news, however, is that tried and true i. T. Security controls that have evolved over the past 25 years can be just as effective for the internet of things, provided we can adopt them to the unique strength of the embedded devices that will comprise the networks of the future. There are certain advantages of the internet of things that can be used for greater security. As one example a Smart Energy Grid has its own set of protocols, their unique and identifiable that govern how devices talk to each other. Thats what industryspecific protocols that filtering deep packet inspection protocols are the key to the traffic that should be going on that net can be much more effective in identifying malicious payloads hiding in noni. T. Protocols. But a more complete description of what is needed for a secure internet of things is provided by microsoft that it was and what other publications advertising their internet of things cloud service. They have great confidence in the ability to protect the iot data that makes it safely into their cloud, not accompanied by other malicious data. However, they do point out that for other organizations involved in every single iot system need to operate perfectly in order for the system to be entirely secure. The hardware manufacturer integrator has to make the device tamperproof, build and upgrade security to build. The Solution Developers to we bought the right platform, languages and tools for a secure system, not to choose outmoded or inherently vulnerable component. Ththe solution deployed have to deploy them securely often in a place that does not have inherent physical security and has to keep the authentication keys safe. Finally, the solution operator has to keep the system updated, audited, physically safeguard infrastructure to protect the clouds credentials. Thats a pretty long list of things that had to go right in order to be secure on the internet of things. As we all know the grateful to build characteristics of the internet is it is only as secure as its weakest link. By my reckoning we have about 6 billion very weak links that are about to get onto the internet in the next several years. So like Everything Else associated with the internet, and i heard this and some of our discussions today, achieving a secure internet of things as a public and private enterprise. For the private sector there are conflicting incentives. If the internet of things is to be profitable, expenses have to be held down, doing things cheap dominates, and as one knowledgeable observer wrote a lot of money is pouring into the iot. The pace of investment appears to be picking up. The trouble with many of these investments especially those from the vcs is that they open on devices that can be marketed soon with a spectacular roi. These investments dont do much for security or infrastructure which was basically have two trail iots demand. Again weve heard this, weve been through this movie before and the ending is not pretty. The major incentive operating in the correct direction for the internet of things, an editing theres been discussion of the earlier today, which motivates against us doing it on the cheap is risk, both financial risk and reputation risk. Who would be sued if a smart refrigerator was used for a successful attack . The manufacturer, the developer, the deployer, the operator . Is being attended, probably all of them would be sued. And even if not sued their reputation could potentially suffer, and thats not a good thing for motivating better security. Although the fear of being sued, losing market cap because of an incident is powerful. It would be better i think of government standards and smart regulation were established. The chairman of the u. S. Federal trade commission gave an actual speech earlier this year at the Consumer Electronics show in las vegas, or get all of the security dangers of the iot and much more detail than ive got over but our solution was to urge the industry to do a good job. She did not speculate about a useful government role. Earlier today the word deputy secretary of Homeland Security mallorca say that than this framework is all we can expect of the government as far as standards for the next year, next several years, and thats a pretty general set of guidelines which is easy to give yourself an a on without breaking much of a sweat. However from the governments point of view security consideration should be brought to bear, and im talking security considerations. Government standards need to be motivated not simply to protect consumers, not simply to protect corporations from the own greedy nature but because an insecure internet of things threatens physical danger to americans and societal danger to the United States. At a minimum the government should develop and endorse set of best practices for the many Different Companies that will have to be involved in building the internet of things systems. We need to go way beyond this framework and specificity, and in scope, and yes the technology will change continually so yes will have to update this continually. Stuff that we are less intrusive but more effective with a certification process for i. T. Systems, sort of like leads for iot. I understand the Underwriters Laboratories is thinking about a project where the devices themselves, and thats a start. At the higher in the government would give government requirements for iot systems. These requirements should be for the system the government itself purchases and puts to use but they could be extended under the same authorities that medicine and Food Products are certified, that they pose a danger to the country if they are done wrong. And no, they would not last beyond the next cybersecurity felt good, the next scandal but it could be updated continually. I think with time to do this because the internet of things, the rhetoric of the internet of things, as for exceeding the actual deployment. It is in the early stages and it is time to develop standards and regulations so it can fulfill this great promise of greater efficiency, effectiveness, convenience. However, it will not do so if security as an afterthought, if the government waits until disaster strikes to take action. Thank you very much for your attention. I look forward to comments and questions. [applause] thank you, admiral. Thank you for painting and import canvas, one that i think isnt getting nearly as much attention as it ought to. And i think you i think you couldve brought a sense of urgency to the internet of things. And the need to start good architecture, a good design to you were at the Naval Academy. Thats how do we start designing at the very roots sorts of issues, the secure device. Question i have is how are we going to get the political will to get this done . At the end of the day the challenge with the internet of things is then added that the devices. There may be a handful of companies, take cisco, handful that could really drive this, but how are they going to cut through the of all the competing priorities right now to recognize that this is going to have huge potential implications . Our attack surfaces are going to grow exponentially. Exponentially. So what is it we can do, what is it those watching the cspan, those in the ring today can hear your call and advance the ball . I think certainly cyber is hot and government is. Is running up against come its way to take on some of these huge questions of privacy versus security which is, frankly, going to be very hard to make progress in. So its been some of that steam in the cattle, some of the energy to do something about cyber can be diverted to some of things that are uncontroversial, it can be done like standards for the internet of things, or more imaginative things like, you know, some sort of back up the Government Insurance program the on what private Insurance Companies do but in return for that, the government would insist on very strict standards. The inspectors dont always have to be civil servants. The our models in which we have other groups that are doing a checkin, but the government is the one that runs the program. I think thats what we can do on the government side. I on the private side, i dont know, maybe im late quality arty think theres some incentivebased approaches you ought to be thinking about . I think that if some companies can actually market a safe editor thinks as opposed to an internet of things, and assume a certain responsibility beyond their own little piece of that five Company Matrix that i laid out, and just as prime contractors take was bought to build for their subcontractors, some of the Big Companies that are going to offer internet of Things Cloud Services could be the ones, they had the technical expertise. They have to take things so they can offer the total solution rather than sink i will look up whatever cheap devices you by and i were run your cloud individual responsibility of crappy day to get inside my cloud. I will protect it perfectly and will deliver now work perfectly to the next stage spent almost a safe neighborhood where you would bring in all the various components. Thats very interesting. Another point that came up in many conversations today, and i think the role that you played with jon huntsman in chairing the commission that was on u. S. Intellectual property, i think it does have profound impact, even leading in part at least of the president signed an executive order to looking to sanctions. Talk us through a little bit about national and Economic Security, how theyre inextricably interwoven. Obviously, there are two sides to the same coin, but increasingly i think that becomes a big set of issues when we are talking about cyber related matters. Because theft of intellectual property, its killing us. And secondly, what is left undone in terms of your commissions findings . Never underestimate the power of public shaming. Thats what ive learned in government. From the outside if you can show that there really is a very dangerous situation that is not addressed, i think, many of us in this audience to work in the government. Its all a case of priorities. Youve got a full in basket. Its a case of what do you put at the top. The set of incentives you have when youre inside the government dont always align with what really ought to be National Priorities if you have the time to sit down and kind of look at it. I think this idea of a blue ribbon commission, looking from the outside trying to raise the priority of things that really are potential problems is very important. I think that was what, 300 billion figure that we had in our commission, i think its the most powerful thing. The trick in these things is getting something thats a graspable that really motivates action. I havent quite come up with that for the internet of things, but that would push because i think solutions i prescribed by what any can of you all would put up if you were put in a panel and given a couple months to work on a. I think its known, the motivation and the drive that is put together. But dont underestimate, not all commissions are created equally. I think that would get it back. I contacted others that are gathering dust. So time was important but also think it was framed and captured in such a way that wasnt written to a tech specialist, an economist, or even simply a policymaker. It was all of the above. Something people could grasp and see the impact. I think that was very important. We have time for a couple equations. Weve had a long day, so i think, please, here. Wait for the mic of on. And if you can identify yourself as a. Im from pragmatic a corporation. I was very intrigued and how you put together internet of things with big data. May i suggest that this could be expanded into things for big data . For there is the general concept that the more the merrier, the bigger the database the better. However, some 10 years ago there was an ad for i heard presentations on the fact that with big data you can use to get the data in and answer comes up. So we need to be scrutinizing when we put the inputs for big data, where they come from. Whether they are from samples, carefully designed, or whether they come from the internet of things or from the internet or volunteer information. And if we did not in the efficiency of the david is going to be hindered. And that information could be taken seriously. This is more of a comment and a question, and i think you for your presentation. Admiral gunn anything you want to as you were talking, when i was preparing my remarks i was thinking could big data help us with securing the internet of things. Sort of an intriguing concept if you have all of this data come in, maybe you know what a standard pattern of a system looks like. And something thats happened that im not most of them were quickly detected. You could get some help in deciding if this is something that athat is out of something happening in the physical work that you ought to be worried about, or whether some is screwing with your system and if we take a different set of actions. Thats an intriguing idea to sort of put those together which would argue are not singling keeping all of the data and trying to figure out the pattern for it. And looking backwards to be able to reverseengineer. So we might get to the point that we could do some of that. The one thing i would urge a vote is youre always going to false positive. At the end of the day were learning every step of the way. So dont expect to push a button. Im waiting for that day. People tell me they have the answer but im still waiting for that day. Thank you for your talk. Im a student in the program here at george washington. Hes a ringer, watch out. Hes one of my students. Frank is a great guy. I thought your talk on the iot roi was interesting. It seems like we have a multidimensional problem. We have decisionmakers at private Sector Company to want to make a profit. Profit. You have to consume that does not want to pay that additional cost for more security. And then you have our concerns about security. There arent competing interest. I just want to get some more thoughts on how we could close ththat gap there i guess. What are some ideas on how we can, im not sure if a regulation or some type of policy change would allow us to close the gap quicker . If you expand on your thoughts on that. One of the other things that i think we need to do at a minimum that the government should do this is sort of warning stickers on refrigerators that have computers on them. You know, weve been along for a hell of a long time with refrigerators that we had to go look at. I better turn on the defrost cycle. Its nice if somebody as monitoring that for us and doing that at 2 a. M. Without us having to worry about it, but isnt essential considering the risks that irans . I think as you get more and more devices that are closer and closer to your health and welfare, it doesnt become so trivial. You know, how many of us have tried to use a complicated digital piece of care and found that it just wasnt worth the trouble and we went back to something we used before because i was good enough . I think those trade off on a personal life our important i think companies can also, to make those rather than just blindly buying the next cool thing. I mean, we are often very with computer equity, and as the laptops are getting bigger, it was at your office size that was important that it was what the power of the computer was. We bought those things mindlessly. Far more features or power than we would ever use. They be part of it is sophistication of the consumers in addition to some of these systemic things i talk about. Could ask to pull a thread on that in a little different direction . Government also can drive, so you have the regulatory side, but the purchasing power through acquisition processes. So you did start to see largely at the department of defense through weapons platforms are the last thing you want when you push those button buttons come d those you want to drive should work on their supposed you. At the end of the day what more do you see more that can be done, at least government as a purchaser and then from a private sector standpoint, i mean, at the end of the day Third Party Vendor issue as well. So if im a big think im going to start maybe asking some these questions from an i. T. Perspective. Which gets back it may be the provider concept that you have whether its the cloud, amazon, who ever it may be. Those might be the drivers Going Forward. I would be curious which are thoughts are. Government does not take advantage of its purchasing power. This could be in a where maybe they could. Yeah your its not just the department of defense of ice loss of star of of course in government, and our other Government Departments and agencies that buy huge amounts of digital equipment, and so on to try to increase their efficiency. I think at a minimum they should in the context be able to insist on the highest standards. Now, those of you who work in the contracting world know, this all boils down to some clause in the thick document and forth by some g7 who is not shy we say computer trained or digital trinket i think it requires government more than just check the box and fill out a form. You need smart cas does and see if those were doing this stuff your i think in those areas in which it applies, the retooling of your contracting workforce, working with them is important. The same is true for Big Companies. When i talk to people in Big Companies who are not deeply personal and bald in i. T. Matters, they are no more smart on this stuff than the average Good Government official is. I think it cuts across both the domains, buying smart in the i. T. Area means you need to up the game of the people who are actually doing it. We have time for a very quick question. Last one. Thank you so much for your comments. I would like to ask you to elaborate on some of them with regards to comments about standard setting entities such as underwriters, and maybe even have some regulation regarding internet of things and security. I find that fascinating. Would you elaborate on what current Government Entity might be capable of regulating or what type of consortium you would consider for developing standards . Well, i can talk with great wisdom of never having worked on the domestic side of government. You have some insurance looking at underwriting your. Somewhere, somewhere in the Commerce Department i think as a convening power to get the different agencies and regulatory bodies together, but it would probably have to be a new sort of, a new type of regulation and standard. If any of you have been involved in the writing of government regulations, its not a pretty process. But i think we have, but when it is done well, its done by bringing in the private companies who are going to be the regulate these at an early stage. Not giving into every single one of their demands because they want cheaper appears, but takiny into effective reality that they do. I would sort of put together a group from several different agencies acyclic under the Commerce Department, call in lots of the companies to help calm and as i say, i think we but way too much time in trying to make the 1. 0 addition really good instead of just getting it out of their working with it and making to put all better and 3. 0 better than that. I think if we can learn one thing from the software industry, its to get something out that is pretty good and then really built it and increase it. Admiral blair, unfortunately security of time requires i be a bit of a tyrant. Thank you for a phenomenal q a as well. I think you made clear that you truly are a soldier, scholar, and a Rhodes Scholar to be i may know. Thank you for taking the time. Let me also thank all of you for joining us today. Let me thank our viewers on cspan, and then particular some of the comforts that make this possible for us, securonix, delta risk, and, of course, my phenomenal team, rachel johnson, christina parker, alec, and the list goes on. So thank you. Thank you, admiral, and thanks everyone for joining us all day today. [applause] tonight on the communicators republican fcc commissioner Michael Orielly on several key issues facing the fcc like net neutrality. When that becomes the first primary goal of the item when the policy and direction, rather than consideration of any collegiality or attempt to develop consensus. You wind up with the scenario we had today, with little interest to bring in my opinions on board and find less likely support. Watch the communicators tonight on cspan 2. Cspan washington journal live every day with news of policy issues that impact you. Coming up this morning, that you gone, Addiction ServicesVice President for the National Council for Behavioral Health joins us to discuss the efforts of the organization to Lobby Congress to pass opioid legislation. National council for Behavioral Health is pushing for changes to legislation that would make it similar to what the senate has passed. President of Citizens United to discuss the latest of campaign 2016 and the influence of money in politics. Be sure to watch a cspans washington journal coming up at 7 00 a. M. Eastern this morning. Join the discussion. Later today i look at the rise of terrorism in europe and why certain groups are blamed for promoting a jihadist agenda in the region. Hosted by new america and began because a 12 30 p. M. Eastern on cspan. Coming up a look at social welfare programs for members of the military. What programs are available, how effective they are and whether they should be privatized late to do like today at 4 00 p. M. Eastern on cspan. Now, we will hear about the us wanted water supply, water industry executives and journalist talk about the nations water supply, if the structure policy. This is one hour. [inaudible conversations] [inaudible conversations]