Cybersecurity and promoting information sharing.

Host: How has the focus changed over the last couple of years when it comes to cybersecurity and protecting against a cyberattack?

Guest: Well, especially after a lot of the incidents we have seen, for example the Sony incident and the incidents in the federal government, there has been a lot of focus on making sure we have areas protected and parts of the economy protected that aren't necessarily in that critical infrastructure, aren't necessarily a major federal agency. A lot more broad coverage across a wide range of different entities. Everyone is at risk of cyber attacks, and how do you go about making sure you have the resources that the institutions need that traditionally have not gotten direct funds for the direct information that they need?

Host: In your personal view, what is their biggest vulnerability?

Guest: That's a tough one. Right now I think we have a lot of old systems in place and the newer systems are better equipped. We need to be able to update those systems based on the known threats that we have, build in security into the networks themselves. As the networks begin to grow, how do you go about building security into those systems? You have to be able to upgrade.

Host: When you talk about the old systems and the new systems, what in particular do you mean?

Guest: The case where you have a system that was 25 to 35 years old, you are trying to protect it today and you don't have the resources to do that. So you have to be able to upgrade some of those systems. You can't expect a mainframe to be able to hold sensitive data that we have had over the past 30 years. You need to be able to upgrade to a new system.

Host: Joining our conversation this week is Cory Bennett, the cybersecurity reporter for The Hill newspaper. Thanks so much. Ari, wanted to talk about the issues you talked about, Congress trying to move this cybersecurity bill that would encourage information sharing between the private and public sector.
Tell us what benefits you think that bill could bring in terms of mitigating cyber attacks. The attacks. The White House then on board mostly for this bill. I don't want to overstate information sharing. Obviously I worked on it. You think it's important and the key point here is, as they begin to upgrade the systems, and as I was talking about earlier, the systems that have the ability to receive information and to automate this process of knowing whether it comes in. You get that information that can be automated to the edges of the network. As we learn about a threat they can get immediately to the edge of the network where it normally takes sometimes years. That's really the main goal here, is to create the ability to give people incentives to share that information that we need in order to find the threats faster. Guess who you mentioned you don't want to oversell to a layperson who's watching this and may think, how would this stop the breaches I've seen at Target etc.? What is it about those breaches and what effect would it have?

Guest: If you can get to the point of having an upgraded system, even that some commercial institution that can take in the information, it happens at one store and all the information goes to other stores. Both of those incidents were malware that have been known out there and the systems were not fully protected. Hard to get to the point today, but if you update the information where it needs to be to protect themselves we will be in a better situation. It's not the only means. You need something, you need to do the regular patching. You need to be able to have systems in the first place and make sure you have the right protections in place and look for the right things and have the training and a staff that can do this. Stop the incidents from happening in the first place. That's the best protection, so then obviously it's an added piece that can help us.

Host: Ari Schwartz, what is the purpose of a cyberattack?
Guest: There are a range of purposes for a cyberattack. At the National Security Council we reserve the word attack for something that's really damaging, things are breaking and computers go down or computers are broken and cannot be used again. That is why you will hear me refer more to incidents in this case, because when information is taken it obviously causes harm, a lot of harm to the company, individuals, when information is taken, that we are not talking about necessarily an attack. It could be a crime. It could be espionage, but those are not things we think of as necessarily other venues. To be able to separate out that language. You have these different purposes, espionage or industrial espionage cases, or it could just be crime. In some cases people want to make a point and they use the means, the internet as a means to make their point, denying service to people.

Host: Are these individual players who are creating these incidents? Are they state actors?

Guest: We have seen an increase of state actors. We feel a lot of countries now ramping up their abilities in this area and it makes it a lot harder for folks to defend themselves. Want to say it's growing exponentially but it is definitely, we are seeing growth. It seems exponential to others because we have new tools now that we didn't have in the past and that has given us this insight into the kinds of attacks that we may not have seen before and now we are seeing a lot more of it. It's become public and it's certainly a lot larger than it was before but it is growing in some way.

Host: For those countries you're talking about, those nation-state actors, who are the primary actors in cyberspace and what do they want with U.S. data? What would China want with OPM data, for example?

Guest: China and obviously Russia and Iran and North Korea, the Sony case, were identified as the actor in that case. They want different things for different purposes.
Clearly from an intelligence point of view it makes sense to want to gather data and figure out who the individuals are, trying to pull in that information and make decisions based on the information that you have for that point of view. That's the main reason that we have seen other instances where they just want to take down a particular company or service of some kind that they feel is in their national interests. There is a wide range of companies that have been targeted that you would not think would be on the list of companies that the nation-state would be interested in, so it is something that almost every company in the U.S. and organization the estates of think about.

Host: A casino was one that comes to mind, Sheldon Adelson, and you wouldn't think of them as a natural target. I'm interested in understanding, can you explain the difference between a cyber attack and cyber espionage? We haven't necessarily seen a type of takedown of power ramon attack yet people warned it's very possible. Congress is moving legislation on this. We haven't seen it though. Why haven't we seen it if we are so vulnerable, and will we potentially see it because the vulnerabilities that we have on our power grid?

Guest: Is taking things up a level to do that. They need to want to take down the power grid in order to do that. The power grid, someone said it's imminent, an imminent threat, are not quite sure that it's imminent in that way. It is a major concern. The electric sector has done quite a bit to build up its resiliency to work in this area. They are improving but there's still a big risk out there that things can be planted in advance and used by nation-state when they want to use it, and that's really the concern: are these companies scanning their networks regularly, looking for things we know are out there or things we may not know that are out there, things that look strange, and how they go about finding those.
Two seating advance and use it when they need it, not trying to implant it and put the attack in place later. Guess that there has been evidence Russian hackers, for example, are sitting on the power grid network busting out potential vulnerabilities.

Guest: Nation-states are bringing each other's utilities in general. That is just a fact.

Host: Ari Schwartz, what is the responsibility in your view of the ISP in preventing cyber attacks?

Guest: It's interesting because we want the ISP to play a role. As consumers we expect them to look out for our interests and companies expect the ISP, but there's this question of how much you want them to look into your traffic india are the questions. What kind of a role to play as a gatekeeper for the network and what kind of a role do they play delivering communications and making sure the information gets to where it needs to go. The internet has grown the way that it has because we have had these open networks and we want to build to keep it going; at the same time we want to be able to build in protection. ISPs are doing a lot more to try to figure out how to balance the two and get to the right place so they are keeping the networks open and building in more protections. Sometimes it means they charge for those services and sometimes it is they provide them as a baseline service, and there's an ongoing debate on that service.

Host: Given what's happened in San Bernardino, the use of the telecommunications infrastructure, is the pendulum swinging away from privacy again?

Guest: You know, it's an ongoing back-and-forth and the key really is to try to do both at the same time. I have always been, I worked on privacy issues before I came into the government. Mostly working on security issues but working on privacy issues too. We keep having this kind of ongoing discussion is that we have to have one or the other. You either only have privacy or you only have security.
My view is they are both rodents to the Constitution with the government doing this kind of protection. We have to be able to do both at the same time. In fact we should do our best to do both at the same time and not make the excuse basically that we can only have one. Guess who were sure we draw that line and. Senator Dianne Feinstein, for example, had a bill that would require social media platforms, Twitter and Facebook, to report suspicious terrorist activity on their networks. Is it crossing the line? Advocates have said so. Senator Ron Wyden has said so. Across the line?

Guest: Social media does that today. They do a lot of it voluntarily today and they are improving their ability and investing in doing it voluntarily. I guess there's a question of what more would you expect them to do if you mandated it versus what they are doing voluntarily and what they plan to do in the future voluntarily. I understand that in some ways I worry about capping that as well in legislation. That's all they're going to do is say where other lines here and how to go about promoting it in a way that urges them to do a lot more voluntarily and protect their users as much as protecting the public as well. To understanding continued to perfect it.

Guest: Speaking the pendulum swinging, encryption has become another issue in the wake of Paris and San Bernardino. What is your opinion on encryption being part of this conversation and people using these attacks to kind of promote the fact that we might need an entry point into encrypted devices, we might need a backdoor potentially?

Guest: We often talk about the security versus privacy debate. In reality it's more of a security versus security debate, is the main key point here, which is, in order to secure systems, all the things you need to do to proactively secure systems rely on encryption. The greater use of encryption and for protecting systems better as well. The question comes when something happens behind the scenes.
If you have layers of encryption on top of that, law enforcement can't have access into the investigation. How much has that impacted on enforcement? So far there's not that much evidence of cases where it has impacted law enforcement that we are seeing is greater push for end-to-end encryption. I think it will end up securing the networks better and it's exactly the type of thing we want to see. I was talking at the beginning about moving to new technologies, and one of the benefits of new technologies is you can build in a lot more layers of encryption into faster technologies without an impact on the performance. That's what we want to do, is really building a greater level of encryption into the system so it's harder to attack, harder to penetrate. Those are positives, but when that happens it's going to be harder for law enforcement to get that information, so we have to figure out other ways to go about getting law enforcement the information they need to do the job, and that's where the tension comes in.

Guest: How do we do that though? What types of alternatives are available? Michael McCaul has called for a commission on technology and law enforcement; encryption will obviously be a topic they will look into. Some people say there's not an alternative and a way for enforcement to get that encrypted data. Is there an alternative?

Guest: There are a lot of alternatives out there but when it comes to certain kinds of encryption. When you talk about end-to-end encryption there are less choices and that is where a lot of the debate is, wiretapping information in transit. When you're talking about information being on the cell phone there are ways to store that information, and in the San Bernardino case, information on a cell phone, and they tried to destroy their cell phone, as though they're still getting information off of the cell phones.
The same would be true, I don't know can cell phones they were, but it would be true with if it was encrypted or not, and that was the case in the French incident as well, where someone was using a cell phone that had some encryption on it in terms of transit but law enforcement had access to that immediately. It was being backed up and where they could get access to the device itself, when they have the device itself that you get information from it as well. Law enforcement was not hampered necessarily by that, even though there was some encryption involved in that case. You have to figure out what exact information you need and how you can get it depending on the type of encryption you're talking about, which makes it a lot more complicated.

Host: Ari Schwartz, the move to the cloud, does that make it easier for law enforcement to get that information?

Guest: You know, it's different in different instances. Obviously as you have more information in the cloud, if it's not being encrypted in a way that the provider can get access to it if for some reason they need to, that could give law enforcement greater ability to access that. But if it's encrypted and there are stronger protections around it, they will be less active son short term the problems they have had greater ability to access. To put it simply, and I hate to narrow down the simply, that Hillary Clinton has called for Facebook, Twitter and other social media outlets to get rid of the sites being used by terrorists. Is that realistic?

Guest: What they can do is what I was referring to earlier, take down things as they pop up and monitor.

Host: Is that whack-a-mole?

Guest: It is somewhat whack-a-mole but they have been able to automate a lot of that and I think they can go further in that regard. There is an effort to make it easier and we can take advantage of technology. It would be in our favor in this realm as well.

Guest: Something to speak to as well, the government's ability to conduct digital surveillance.
This year there has been a big debate about a phone metadata collection program. USA Freedom Act was passed. We're now going to have a battle coming up on internet surveillance on Section 702. What do you think, there has not been as much of a unanimous push to eliminate that program the same way there was to limit the phone metadata. You think that is eliminated or is it being proven that we need that in light of the recent terrorist attacks?

Guest: There's a difference in the way those programs advocate particular the commissions. There is the prior Privacy and Civil Liberties board, which is a commission by the advisory board that was created by Congress and that gives public comment on this type of activity. Especially as it relates to terrorism. They said 702 there generally was a good idea.

Guest: It explain exactly what 702 does, the contours of it. I know it's kind of big.

Guest: It allows law enforcement and intelligence to get more information from folks working with companies directly to get communication information under a certain corporate vision. That's the non-lawyer version of it. That's what 702 does. So the issue I think, and the other review that went on was the president called for a review after the NSA disclosures came out and that lord made very clear it was a big concern. Again I think those two different groups making those kinds of recommendations on this front change the way a lot of people, change the way people are lumping those two together and it can be changes to it but we are talking about it much differently than the telephone metadata. Guess what he he said a privacy advocates that are concerned about the government moving up more private data on Americans not only under Section 702 that the current debate about the cyber bill that are the privacy concerns there. It's just another way to shuttle private data on Americans to intelligence agencies such as the NSA or the FBI. What do you say?
The White House initially had concerns about that provision but since come around with some of the language has been put forward to explain your concerns there.

Guest: The White House is still concerned about it. They continue to raise privacy concerns there but they are supportive of the general bill overall. Again the point being that we can do both at the same time. The question is what information is coming into the government and what is the government doing about it and what's the oversight you can put over it? One of the keys the White House had when I was there, and continues to be a concern, is you have to make sure when the information comes into the government that you have civilian entities, and the reason that's important is that allows for public oversight. If it's all going through NSA or the intelligence community it is much more difficult to do public oversight because you need to make sure the privacy controls are put in place that we might have. That is the key point for the White House. It's an important component but not enough. They are concerned about how it's shared afterwards. That becomes a key question.

Host: Ari Schwartz, would we be having this conversation were it not for Edward Snowden?

Guest: Think we would still have this conversation in this case. Yet german from this particular bill there was an earlier version of it that happened before the Snowden episode where the White House threatened a veto of it. It said NSA, if this information goes to NSA as the original bill wanted, they would have no oversight over it and it would be a major problem. That was before the Snowden revelation came out. The president has said something he cared about beforehand. That is one thing I really point to all the time. This is proof that he actually meant that. There has been concern in the White House on how to go about that will continue to be the case even in the future as we start to raise concerns on security issues.
Host: Is this an area overall of cooperation between the administration and the Congress?

Guest: This is an area, think cyber security has been an area where we have had a lot of bipartisan work and a lot of work between the administration and Congress, and we have actually seen, starting from where we started with the bill that the administration threatened to veto, we have seen a move towards the center here. That's the reason on the part of Congress the ability to come up with a bipartisan solution has made the White House change its point of view, which gets your comments and questions as well about why it is the White House changes viewpoints click the fact that there was this coming together on solutions that address the privacy issues and show transparency in the state to do a better job of getting it.

Guest: What does Congress, you mentioned the Congress and what has worked to give them has worked given us. Others say the White House would like to see the things from Congress. What else should they be doing on cyber security, what else could they be doing?

Guest: My view has been we have seen a number of cases where the agencies and the entities that are ones that would normally not expect, and it turns out almost every time the entities don't have the technology that they need. We need to really think about how we are investing these agencies and technologies. When it comes to terrorism we give our money to the FBI, DHS, NSA, the intelligence community. Those entities are the ones are protecting us. That's not enough. [laughter] Finally we are almost out of time. I apologize. You have a company called which is what?

Guest: Is actually law firm.
I'm no lawyer but it is law firm, and the goal is consultancy that's going to work with companies to figure out ways to protect them in these different areas and build the protections up in ways that work with the existing law or that can happen where people don't have to be afraid to look because they know they have the ability to do things under the protection and at the same time use technology.

Host: Ari Schwartz is now available formerly the former senior director for cybersecurity at the National Security Council and Cory Bennett is with The Hill newspaper. Thank you. [inaudible conversations]