It is a great tester to maturity of the company you want to do business with is do they submit themselves to open hacking . Do they compensate hackers. If a volume and if you find a vulnerability of their product they will pay the hacker which is amazing. It gets hackers oriented the organization that puts that out there feels comfortable. They want to learn more. They have a culture that wants to identify and protect themselves. Any thoughts on the black holes . What is interesting to know my years of technology he will invent something new every five to 10 years and create a of natural holes. The social media today we couldnt fathom 15 years ago. It continues to be this notion of mixed Public Private and in trying to coordinate across your organization, most businesses meanwhile. So finding more ways to partner, finding more ways to Work Together to make sure we are covering this. If you look at my back in a database in your backend database, how come we dont have one bad guy database. Theres some interesting places where the federal agencies are now trying to encourage sharing of the information and encourage sharing of tpp that the bad guys are using adversarial expense. A fascinating world unto itself. The panel later will be given into the policy information sharing a bed found the longterm peace is the answer. We have some questions for twitter here in one of them is very interest him. Can you offer it is to bring along slow adopters who are still interested in protecting their turf . Maybe each of you can take a crack at that if you want to start. Share, the white house issued a few executive orders that are helpful for this. They created the framework a few years ago that provides a laundry list of standards and a framework for assessments. Companies of all sizes can go to the framework and help them assess my level of risk and what should i do in response to that. It is voluntary. Its also self policing so nobody has to do it but it helps raise awareness of what sanders and processes are available and may be appropriate for the level of assist you have here maybe focus on the problem around you and passwords as a consumer. Use a password management tool like one password. Theres lots of them to make it very easy to have unique and complicated passwords. Those three things most of your problems are solved as a consumer. We were talking about the things people at an email spirit but is that have to do with cybersecurity . Should people be careful what they put about themselves on social and emails . One of the rules is dont put something you dont want in the front page of the washington post. That is the reality. It happens more than you would think the inadvertent sharing. Then a trip in hawaii, posting that crazy chemists amongst surveilling your property nospace y a tend to wrap your house. He might be in the social world where you want your friends know how much fun youre having that you also need to think about the persians have that level of information. Is an interesting human condition where we have sharing communities now around social networks they need to make conscious decisions for your family and children on the appropriate level. I also used the privacy policies to restrict civil and my friends could see me. What a fascinating audience a fascinating panel literature scene ideas. [applause] hi, everyone. Welcome to the post. Happy to have everyone here this morning. Im a National Enterprise reporter and former cyberreporter off a fan of all things cyberand happen to be a teacher this panel to look at political weeks and hacks. The tc institutions sure cyberadversaries and something a lot of people in town are thinking about. Also hello to our viewers at home. Hope the folks in Silicon Valley are fully caffeinated. Lets introduce the member of the pnc cybersecurity and privacy forward. Brad dewitt as staff director of the Infrastructure Protection and Security Technology subcommittee for the u. S. House Homeland Security committee. Thomas hicks, commissioner of the Election Assistance Commission and finally, rich barger, chief Information Officer and cofounder of threat connect in which many people will be familiar with. I want to start with rich and talk a little bit about the modem of a cyberadversaries online. Russia and china are constantly probing if not gaining access to institutions around d. C. And its not really an overstatement to say theyre interested in intelligence value of the information they find. Could you talk a little bit about that . With regard to the intelligence value, it really depends on what motive, what operation to know what effect they are trying to deliver. He might look at the traditional chinese espionage weve seen that has gone after a variety of companies, businesses as well as organizations such as opm and make it to market quicker or perhaps if they wanted to look forward recruitments or operators within their borders. What weve seen recently with the russian attacks, we are still looking at trying to test out what their motives might be. They are being very and assist in terms of shaping and mary tape around that . Over our system. In the case of the love that hacks the american exceptionalism and the fact of whether or not our medals really going to have it cannot. There could be a variety of different motives and with these types of groups are trying to do in trying to effect for the national object is. Some of the things theyve been kicking around the offices for every story that runs in every conversation in and around elections, what is the thing we are not talking about . Were not talking about syria and ukraine. For some broader issues than the rest of the world where we are hyper focused on ourselves in the u. K. Received a lipid that admits everything convenient distraction is an interesting time and polarized event. That would follow up on that by asking do you think theyre special attention being paid to the Democratic Party to run for president sand is that possible adversaries first tuned in as they made the to the election that theyre interested in one party and the outcome that way. Ultimately what is fact and if they are seeking love rage. I would not see that leverage and one party alone. Ill make sure i cover my bases depending on however this falls. I would be very surprised if this wouldnt affect both parties and perhaps might be the new normal. We see campaigns targeted going back as far as 2008. The president indicated his campaign will be targeted. That we want to consider this in the next election cycle and start to focus that this is maybe a new way of life. Michael, i ask you similar questions. Do you think cyberadversaries are politically as it in that way . Do you think they take special attention because of the potential to see a Clinton Presidency . We really dont know what they are doing. I think the middle of the book someone will write a book and we dont know what it is big political theater to figure out. We know that russian state sponsors and the groups doing it are very sophisticated. In fact, this is their day job. When we were looking at activity resolve the most activity from 9 00 a. M. Until 5 00 p. M. Moscow time and when we talk to the big guns of the Political Parties, we would say unlike the company for a state actor would say lets find the doors are locked really type. For these organizations, it is someones day job to get into this organization and they will be persistent. They are very sophisticated and what theyre doing but its a guessing game dallas to what they are doing. Do you think we could see were emails . T. Think thats possible . Is a Broad Campaign to hack. Party and Campaign Systems personnel email accounts, people in iraq at all. We dont know what we will see you at the interesting thing is will please the documents we dont know who they are very often. Additionally when the documents were posted with whatever organization is working with comments is the series, is that yours . The document may have been created by one group, circulated to other groups. Some have been found to have nowhere on the period they are really busy trying to elect candidates. Its become a side job to have to do with it. There isnt a lot of effort he put into figuring out who of us come up where it came from, is it offensive. Youre trying to move on with the business of the campaign parties. Lets turn to you. Your boss said that the rnc was hot and then wondering whether you are aware of the operatives who have been either provoked or hacked and whether your boss was really telling us the true story at this point. The the point that chairman cole is trying to make a point and cnn was the point that both Political Parties had impact and make it a point that this is bigger that you have to look at what these hacker groups are doing. Looking at the psychological warfare, trying to undermine the integrity and conference republican or democrat. Looking at motives that harvested personal identifiable information, voter registries are the motives weve been briefed on and appoint the chairman was trying to make is both parties have been hacked. We cannot allow nationstates to target either Political Party and we stay strong consequences when actions take place. Whatever the actor is. That is the point. Do you think republicans are vulnerable . Absolutely. There have been reporting that republicans have also been hacked with their emails and campaign related issues. Both parties have had and i think looking at the political organizations, well need to be vigilant that this is real. This is the way of the future. We need to be vigilant. Its almost a warning that all Political Parties and all state, local state and federal need to be aware that this is a new world we have to live in and we need to be prepared for that and looking towards november 8th. There is a lot that we need to do to ensure that we are prepared for that. Everyone should be aware. Thomas, lets go to you. For younger viewers in particular, the question of online voting always pops up this time in the election cycle and many of the people watching the lenders and why thats a bad idea. Im hoping you could walk us through what you think of that idea. Thank you are having me here today. A lot of folks dont know the small federal agency that is what the administration of elections and respond after 2000. In terms of internet voting, there is a small portion of folks who were allowed to use the internet to vote in the same military and overseas voters gave most of them have to be in harms way but its a very small segment of the population. In terms of expanding that outcome has to be a discussion we need to get into when we have things about these incidents occurring in the last year or so. We need to look at best practices and see how we can expand that out with their agencies doing now working on a voluntary Voting System guidelines which have it been updated since 2007. 2007 was when it came out. At that point we should be looking at ways to make it more convenient to use their technologies to the also make sure those votes are secure in canada accurately as well. Internet is people talk about this is that trying to Voting Machines if they have access to the internet can be vulnerable on their own. I wonder if that is something you are thinking about added into next month. We think about all of that in the event thinking about that for years on end. Its not something that will change overnight. Im hoping the conversation does demand a november 9th to be continuing january february so we can look towards the 2018th election, 2020 election to make it more secure. Elections right now are the most expensive ever been but we can do better. Again, thinking about the issue, looking towards the elaborate that theres anything in your mind in particular when it comes to threats. With regards to threats, i never cease to be amazed. Never surprised when i start to see these sorts of things. We just continue to think creatively around how might the adversary continue to meet their objective short of a crystal ball it is very hard to say what we might see. Theres certainly precedent for the leaks. Leaking of some of the communications that we saw recently might be indicative of some things that closely matches that kennedy. Really we have to look at the precedent. What if we see around the elections and might they be playing an operating from a similar playbook. I cant say for sure but maybe thats a good rupert to look at and think creatively as to what we might expect to see. Michael, when you think about the d. C. Institutions in particular everything from Party Committees to campaigns, think tanks, what would you suggest that people who havent had ahead of the curve on this begin to do now . How would you introduce them to this problem . They been introduced by reading the papers and seeing what is going on. The big change is the idea that people looking after things and learning about you is one kind of threat. Now people are seeing that their personal emails and communications and papers have been posted to embarrass them and i dont think anybody here would like or be proud of everything in the email inbox posted on the internet. A superb for companies, a threat for people and the education is investing for it. For the Political Parties and campaigns there are really two time periods. There is the next month before the election in terms of cyberpreparedness, respond and really important work after the election because all these political organizations want to put all their resources into many races and building their party. Traditionally this hasnt been in a corporate analog for the annual budget has a line item for 4 million for cyber. Just hasnt been the case. So theres thinking about finance team, how we find the money to spend on the summit dedicated basis and thinking about longerterm plans. To continue the metaphor of building. A question i want to ask about the safety is that the elections this time, the Voting System on election day is safe from cyberattack because the 8000 or so districts we have are not interconnected. They all bring different systems this summer. Paper. My understanding is very sent a voting by race or a voting now thats going to go out for an attack on the nations Voting System. We are very safe in that way because of that diversification in heterogeneous nature of all the different districts, none of whom are connected to the other. One of the things i would raise our system is decentralized. You would need an army of folks to basically try to get into the systems. 47 out of 50 states used our Certification Program in one way or another. Every system is certified, none of them are connected to the internet. Spirit not be any sort of internet hacking incident to the Voting Machines themselves. Michael, one of the question when it comes to individuals looking at the rose diaper hygiene and email practices, is there anything you advise people as they say things in email so they might not want hacked. Do you think there is a culture change going on as we approach the technology . Are a couple simple simple things that everyone should do. Everyone in this room that is turned on your email and social media account. You need to raise to login. When i use my personal email, i put my email address and password with text message her coat and im prompted to put in the code. It makes a huge difference. The bad people years your social media and personal accounts and all sorts of information to create spearfishing attacks. They look authentic to try and get you to click on the link for a pen attachment. Attacks are so sophisticated with a simple piece of human engineering to get you to click on something. Think about your privacy in a social setting and they spoke as a one click solution. Theres one thing you can click to make all future posts and everything in the past friends only. When youre going to meet someone you look someone up and see what that person is about. Some people on facebook of a person in a bathing suit, drinking a and people dont have that awareness. You can take care of that with a click. Lastly, peertopeer encrypted apps like face time audio and signal and other apps that allow you to have nearly guaranteed private communications. Those are very quick tips. The culture on the hill, is there attentiveness to the idea that you are being all the time. Do your part of your system there . The house of representatives with any other organization there needs to be training. Its cultural and you need to have everyone in the organization aware of it because it takes clicking on now where and emails to really undermine the system. We are very vigilant with Training Programs and i think we set an example of what we do internally for that. I would say yes for sure. Thomas, jeh johnson recently talked about taking our election system as Critical Infrastructure. Could you explain what that would mean and whether you agree with the idea . I cant really speak with dhs wants to give but i can talk about the fact that states are looking for resources to make sure systems are secure. If they want to offer those resources, thats a great idea. We have legislation through the congress in 2014 and last year basically says he just can provide voluntary upon request assistance to Critical Infrastructure but also state and local. It is optional and tools that are available to fast upon. It could be those tools but the bottom line is they need to invest in technologies that ensure they are secured. The capability dhs has more than half have now signed up for the voluntary assistance. We have legislation that passed out of our committee back last year that passed the house of representatives in december that basically been further clarifies the rule of dhss voluntary assistance to states when they request it. Clarifying the law will make a big difference. Insuring that absolutely not to have to federalize the election system. It would be unconstitutional. They reserve the right of states to administer elections. We do think that writing tools and capabilities would be a good thing if it makes sense for those localities. Could you give us a quick forecast of a lame duck and what will happen there . We are working on legislation right now. One would reorganize the department of Homeland Security to more effectively carry out his cipher machine. We passed several bills through the congress back in 14. They gave dhs authorities. The bill would try to move through both back in june and we are working get it at the housework. They can carry out the authorities we just gave. That is when we are trying to get through with other committees involved. We are doing the best we can to get this done by the end of the year. Definitely a top priority that the other to those i mentioned this to state and local cyberprotection act which provide law is the state and local cybercrime that could provide judges to criminals. They will go along way, but those two bills are pending in the senate so we are trying to shape them loose over there. Does it that those were trying to get enacted. A couple questions from twitter here. I might go to you on this one. If the u. S. Involved in cyberespionage is for sydney to suggest u. S. And americans are innocent but dems. Comments . Innocent that dems. I think everybody come of large countries emerging economies theres been the power of cyberand and how the web has it that today and how we work with and play. Its every day of life. Its how you execute when you go up to objectives in that respect domain. Some countries may seek to bolster economy. They might seek to undermine an election. It depends on their luck is. Its a great guy and a bad guy and the motives behind leveraging the domain to enable that respect of the nation. The next question sounds a little bit like a plot for inaction. We talk about international attacks, but is there enough domestically between parties. Any party im not one . I hope everyone is working on the election. Is it possible for there to be another watergate like breakin . Sure. Hopefully people are smarter and we will leave that. Absolutely. I know that if india team has a clip cued up from the last president ial debate. The same trend comments and cyberwarfare in many but we might take a look family to enjoy last question here. We need whether its russia, china or iran. The United States has much greater capacity and we are not going to sit idly by and permit state actors to go after her information. We dont want to use the kinds of tools that we have. We dont want to engage in a different kind of warfare, but we will defend the citizens of this country and the russians need to understand that. I was so shocked when donald publicly invited putin to hack into americans. I agree to parts of the secretary clinton said. We should be better than anybody else and perhaps were not. I dont think anybody knows its russia who broke into the dnc. Maybe it was. It could be russia but it could also be china. It could be somebody sitting on their bed that weighs 400 pounds, okay . If we could go down the pan all, i would be curious about questions you think president ial candidates should be able to answer about cyberin this day and age and what do voters need to know most about this topic in order to evaluate candidates . Well. They need to take it seriously. They need to understand the seriousness of the consequences. One of the most difficult things about considering retaliation by the consequences of that retaliation and keeping in mind and im sure both president ial candidates are aware of this, better economy, art internet wide is very fragile. It goes to a country like russia or a country could result in grave consequences to our economy and Critical Infrastructures. It hasnt been that kind of largescale conflict waged before. Theres a lot of thinking and a lot of caution going into it the next could be. If you look over the last several years have been for the congress on a bipartisan basis to gain important foundational cybersecurity legislation through, going back to the five years would pass the cybersecurity act were bipartisan efforts to address this threat to National Security, Economic Security issue. Going into the next administration, it is important that we realize that this is that weve heard from clapper that this is now the number one threat we are facing as a nation. Looking to the next administration theres a lot that needs to be done. We need to beef up image stronger National Cyberdefense strategy. We need to do more to show adversaries there will be consequences and cyberattacks take place. Anyway, that would answer the question. I would answer a twofold. One, is my microphone not working . Can you hear me now . How about now . And speaking, speaking, speaking. No, no . I will try to speak loudly. Two of the best things that can be done is on the front lines is basically to have additional poll workers. So basically having additional poll workers so that they can see what is actually the best way to see the administration of elections is for me and die. Becoming a poll worker alessi to do that. This woman thinks i would say. The other thing i would add is president bush and president obama add millions to billions of dollars to the administration of elections. I would hope whoever becomes president looks at elections not just in terms of november coming up, but as we go on. Elections happen every two years and states and locals are at their wits end in terms of funding for schools, roads, military and so forth. We all know those things are important but our democracy is also important and we have to make sure we have investment into it. Rich, do you want to close us out here . I will go analog tier. It seems weve had an issues. I think our next leader and or any new world leader is going to see and understand how important the internet is too everything from our economy is to elections. It is really a gmail new domain and i think that it needs to be respect and understood and is certainly complex so these asymmetric threats that seek to hear that there needs to be norms established. There needs to be greater understanding about what is possible. Its certainly interesting that we can really see the effects that the internet holds not only here in this phase but the world atlarge. Great. Help me thank our panel. [applause] theres actually a long history of the bunch is trying to interfere a writ be at flint said the elections and seedier cold war. Paragraph several documented cases of previous elections where it appeared that they were trying to somehow. Theres actually a long history of aggression trying to interfere is actually a long history of the russians trying to interfere with or influence elections going back to the 60s and 70s in the heyday of the cold war. Several documented cases of previous elections where it appeared that they were trying to somehow influence the election. And of course there is a history there. There is a tradition in russia of interfering with elections. This shouldnt come as a big shock to people. Think it is more dramatic maybe because now they have a cybertool that can bring to bear the same effort. This is still going on. Its probably not real clear whether there is influence in terms of outcome for what i worry about more frankly its just so easy to doubt where doubt is cast on the whole process. And the National Technology reporter at the washington post. We are here to talk about cyberwar. This is a reminder to tweet your questions and comments using hash tag w. P. Cyber. Im not going to rome the audience. Immediately to my left or maybe the right if youre watching on tv is once arrive today, chairman of cofounder of the financial integrity number. Deputy assistant to the National Security adviser for combating terrorism under president george w. Bush. Richard bejtlich is the chief strategist at iri, previously heard who started his cybersecurity career as a military Intelligence Officer in the air force. On the far side over there is Frank Cilluffo who directs the cyberand Homeland Security. Let me start with the general issue that is a journalist or rush wessel with all the time. We know what hacks are. A lot of what we read about in the press is really about espionage. So what is cyberwarfare . Thank you, great. Im glad you asked the question because a lot of the tougher cybersecurity stay remains if kids soccer. Everyone is swarming the ball, chasing the shiny object. For nietzsche recognized model hacks at the same, nor are all hackers. Their intentions very covert capabilities. And if you were to start the threat environment, if that nation states the top of the list. Those at the top of that list are countries integrating Computer Network attack in x rated to their war fighting strategy and doctrine. Obviously foreign terrorist organizations, criminal enterprises. Model hacks is in. They are very different. Countries that are marshaling and mobilizing for war fighting strategy and doctrine are the countries that i think are the very top of the list. From the u. S. National security is, russia and china are at the tops of database in terms of capability. A lot of will be seen as Computer Network at way for espionage insiders raise the cost of intelligence preparation and theyve integrated diver into their war fighting strategy as we saw in crimea as russia did in georgia. Youve got other countries that may lack the capability of russia and china but unfortunately what they lack in capabilities that make up for with intent. This is where you put north korea iran more likely to turn to a disruptive or distract his cyberattack. Fewer constraints in terms of those capabilities. Not all hacks are the same. Not all nations he says dean. Ultimately impinges around intent. If you can exploit, you can attack. The wine is very end and is following the intent of the perpetrator. Richard, do things to blow up or break to be considered a cyberwarfare . The answer to the question is cyberwarfare is what you call your broker documentary if you want people to Pay Attention to it. For your conference. Youre sure to get someones attention. My definition of cyberwar is the imposition of will using digital means. There are two schools of thought. One school of thought which is my phd at his or her vote of both called cyberwar will not take place. The reason he called the book that is to be believed were equals violence and if you dont have items you dont have or can you believe cybercannot use to impose violent there for cyberwar will not take place. Theres another school of thought that says its much more expansive than this is where the russians and chinese tend to think about it. They believe that war is not just violence. More can be any need by which you are trying to get your way. In fact, they come from a tradition that say youre much better off not fighting and shooting your way. So i tend to take the position if you are imposing your will using a digital means, that could beware. Just to step a little further, we may be in a situation and five, chad, 15 years for the thing we called every so integrated into every aspect of life even more so than now and make no sense to talk about because it is 35, is that a cyberweapon . An f22 could be considered a cyberweapon. If the networks and other fighters to get a better picture. Thats the way i think about it. One, if iran uses cybertools to attack the big u. S. Banks, for example, is adamant to war . Good question. Some of the more forgiving of the federal soccer problem. We are intuitive unchartered territory because you have a blend of factors come the state and nonstate both in attempting to acquire data as well as disrupt and destroy the sense. You have the stranger cant get to work were fared even means. The very notion of russian hybrid warfare in terms of information work your command was cybercapabilities becomes interesting. We dont have doctrine certified the clear lead for good currently as we think of it, we dont think of these tools as true cyberwarfare tools and how theres an element of destruction. Something that is demonstrable. Heart of the we havent had much awareness as we engage in nation states and nonstate engage in cyberespionage and data exultation. To answer your question specifically, one of the challenges is the fact we have nationstates already attacking private at his. He had iranian entities come to see her entities attacking Western Banks as part of a denial of service not distract it is certainly intended to send a message. He said north korea attacks south korea banks as well as tony. You had others date actors like russia attacked various systems, government, nongovernment. But you have it play as an open field in the cyberdomain for actors are feeling up are feeling out the bounds of what is permissible. One of the great challenges in this case is how we defined the boundaries of what is assessable and not. How do we do not is with great stress on how do we attribute attacks and approved them . How do we respond in a proportionally commensurate way without unleashing forces are warped her. Part of the reason why you havent seen officials wanted to be too open about russian hacks despite what was said overhead. There has been a reticence to do that because it raises fundamental questions about the endgame here and that is not well defined. Can i pick up on a couple quick points. All forms of conflict today and tomorrow, almost 100 unanimous they will have a cyberdimension component to it. To pick up on some of the points may seem colleagues raise from his cyberis its own domain, but those that are integrating computer not attack tools into the other demand from the air, land, sea, space, that is where cyberis not disowned entities that enhances lethality of conventional weapons in different domains. Enhances the ability to seize territory and i think its important to recognize that the battlefield today has been added to incorporate all societies and companies are on the frontline. Thats what makes this different is the targets are not governmentowned government targeted or the like but the Financial Service sector. To me it is one of those incidents that rises above the poles. Not because the central bank of bangladesh lost 82 million. As we know it couldve been 900 billion. That we can absorb. A day bad day for the day, bad day for customers. The Global Economy can absorb it. It did recognize a systemic risk. The entire Financial Service or your is dependent on sprint and i have to respect talking billions of dollars of transactions being settled daily. These are different target in ukrainian have. That was a big deal, the greedy and great hat. Not because 250,000 people lose power for a couple days, wherein a cyberweb and how they can have it is opposed that they took down power. If there is a genetic fiscal effect that is clearly cyberwar. It sounds like cyberwar is part of almost any shooting more certain that the United States would get into in the first vehicle future. If we are at war with someone, we are going to be sending them back at us in some capacity. I want to pick up on your attribution. This is one of the things that is about a lot when we hear sometimes on the record, sometimes on the record this though was no attack soandso. Its hard for us as to find out if thats true. Its also hard for technical acts is to find out if its true and this creates enormous problems. We shoot back at them. That sort of fits into a kind of strategic framework that makes sense to all of us. I may start with you, pictured. Are we ever going to know who shooting at a well enough that we feel comfortable shooting back here, talking about private Companies Get on the nationstate level. Absolutely. We know all the time. Our 2013 report there were indictments levied based on that. So there are certain element that they would not even believe that they were a camera on a person typing on a keyboard, hacking into an american bank. They would say thats at the the cia created as a plot. After they landed on the moon. Lets remember, it astounds me that people doubt the ability to do attribution after the revelation. If the u. S. Government says north korea is behind the attack on sony, youve got to believe that. The fbi did not explain it not explain that with the release for not satisfy the community which i totally agree with. For example, looking strategically, president obama is not looking for a fight. To come out and say it was the north korean and introduce the love of really doesnt want to address. Resident of him would only be in for another few months. Depending the u. S. Government may go up or down. As someone who sometimes as a journalist was on the outs i did these things, lets talk about the attack which reciprocated the u. S. Does in vietnam in a much more forceful way. That turned out to be not true. In the press they didnt know better. Even if the u. S. Government could know, how could the public be reassured to any x and that its worth engaging in hostile action with another country to all other kinds of weaponry and death and destruction if we just have to believe the nsa or the president. Its a fascinating and important question because there has been an attribution revolution. The technology has really advanced in ways that are incredible in terms of cyberforensics not to mention overall cyberintelligence assessment the government can bring to bear but not just forensics online, but Everything Else at their command. The problem is all of this is quote. There is a sense in the public and internationally a potty you prove it . Part of the answer is much of this is the private sector. Some companies are either too close to the government or private sector entities serving as alligators. You do have private companies doing this work internally. This is the space that hasnt been left to just the u. S. Government. You are absolutely right. The challenge is twofold. One, how do you prove this in a way that doesnt demonstrate or reveal sources and methods that will make it more difficult in the future. That was the criticism in the sony have. One of my colleagues raise questions as to whether we could believe the fbis assertions. The second problem which is okay, lets say we do attribute the attack as we did with north korea, what then . What is proportional . Should it be cyber, should be sanctioned . Should it be Something Else . Youre absolutely right that a key element here is how do you prove it. By the way, adversaries know that. China and russia, their first question publicly and diplomatically every time is prove it. How can you prove weve done this . Not to mention really prevent the same everyone does it so ignore what we do. These sites are almost inevitably going to end up asymmetrical. I presume we are not shutting down north koreas select a city grid. If we got any real kind of shooting war, where we send cyberweapons across the internet damage people legally to have damaged us, how does that go when anybody with a computer can disable a water plant or changed the nuclear plant. Does this get very messy very quickly . Absolutely. Attribution improves exponentially in the past years but it is by no means one of . Knowing precisely whos behind the clicketyclack at the keyboard and finding the smoking keyboard is not easy to do especially because most the actors that are very capable are going to use proxies or surrogates to do their bidding anyway so they will send anywhere. No one will send it to their doorstep. There is the a difference between having the cyberequivalent where you can have lone actors cause disruptive harm to a particular target in a sustained attack capability. Any kid 400 pounds or less can attack someone. But thats not the same as the nationstate because ultimately, here is the big. Dont think the only means we have fractured nation of cybermeans. Weve got other intelligence capabilities. That is why we dont think so we dont win so forward because they would be compromising about their methods. It is a complex set of issues. If your entire attribution is based on cyberforensics, the best actors are going to run circles around. If you have other means in addition to that historical trend to see what their tax techniques and procedures are coming from but the picture together. Cyber command and the president , what about the air. You know who it is or you think you know who it is. Is it ever okay for a private company to be hacking back against the nations they . Everett to pay for it and cause controversy in arguing for a cybermodel. Keep in mind in our constitution section one, article viii that congress has the right with letters of market reprisal, which was in the context of a Maritime Security domain that was not controlled by state actors that was involving privateers another private at yours that have the ability to influence Maritime Security. We are in a similar context of cybersecurity where a percent of cyberinfrastructure is held in private sector hands with the internet of things is way more predominant. Frankly, the capability to understand vulnerabilities in realtime sit with the private sector are. We have to think very differently about what our model of defense looks like. We have to do attribution, shaped the International Norms of land gave. Create redundancy and resilient and take some systems offline. You have to think creatively about how you work public and private between each other to create a model that allows defense that doesnt wait for the proven concept to be indicted to be able to react in realtime. They will tell me they are looking for that kind of sanction not all the time and not in the wild wild west format, but to go after cyberactors in some cases to retreat data stolen. Richard companies to work for the airport. You are now in the private sector and have been her some years. The question i have. This is a good part did with five minutes left. What are you trying to accomplish . If youre trying to know whos hacking you, theres no better way to break into the adversary computers, find his list of targets come and see you around the list. To the exact same thing as the counterintelligence model appeared in the private sector . Have they not. Outside of battery trying to do with his longterm suppression . If youre trying to do longterm suppression of adversary, i dont think its going to work. You have to go to the other tools, diplomatic and financial and legal type tools if you want to have longterm suppression. If you use it to build a legal case, there might be questions about how you gather the evidence. Those are the problems i have when they hear about private actor trying to break into other peoples computers. , goldilocks. Too hot, too cold. And in between. In all sincerity and ive barely had an polka dots all try to brief on this issue. We are releasing a major issue at the end of this month on the 31st about over its been chaired by michael chertoff, admiral blair at the center for democracy and technology. I think that there is much more to the act to defend set of issues that right now are gray areas sure to type that come along for firewalls. At the end of the day will not firewall our way out of this album. We cant simply defend canada at higher walls simply defend canada at higher walls, deeper mouse and protect a bigger loss. Be every time our home is properly called a locksmith. That is doomed for failure. It is literally the only time i know that we still blame the big guns, not the perpetrator. If that ticket to the point where we can have the actor and that does include taking more per watt is steps. But i would say short of malicious act that is intended to be rich or be ashamed. But there are things technically. What is your network now . The perimeter is totally blurred. I dont know when the cloud outside your perimeter today. There are things we can do in terms of weekends, honeypot and all sorts of things that are technically capable but legally questionable. Our laws are still circa 1986 that really before the internet was created for the World Wide Web is today. We are running out of time very quickly. We will start with you on the end. But wichita Hillary Clinton and donald trump about cyberwar. One good use of advice as they prepare. Firstly, they better get comfortable with the issues. They better get comfortable with the fact that theyre not going to get the smoking keyboards all the time. Theres going to be ambiguity that charisma counterterrorism environment. Secondly, rules of engagement. We need to clearly define what our both of engagement are and thirdly, we need to articulate and more importantly demonstrate a cyberdeterrent capability where we start putting paint on the bad guys. It is a myth that if an individual can have a strategic of that in cyberspace, said the matters will take place of her days in the weeks, months, possibly years and require individuals working against hopefully the defense. We need to have the longerterm Campaign Model and the ultimate answer is generally outside of cyprusbased and the other tools we can bring to the arena. And running against the market trend of putting everything on the internet and connecting it. Thank you all for being here today. Thank you all for listening. A round of applause for our panelists. [applause] look at that. That was pretty good. So the next panel is going to be run by my colleague at the washington post, brian fung. I think bare headed in your in just a minute. Thank you all for being here. Thanks again. [inaudible conversations] good morning. You guys have been a very patient audience and get stuck with us all morning. So thanks for coming. Just a quick reminder again. You can tweak your questions which will show up on my ipad your at hashtag wpcyber. Without further ado, joining me this morning weve got three really awesome gas. To my left is brett leatherman, Cyber Operational segment of the fbi and he previously served as a supervisor special agent for the fbi Condition ProgramThreat Management over cyber National Security matters. To his left we have michelle digruttolo, senior managing director at ankura virtually to the geopolitical Advisory Practice and finally weve got michael wagner, senior cyber director at Johnson Johnson. Thanks for joining me. I thought i would start kind of with a personal bit. One of my jobs is explain to people what Critical Infrastructure is and why it matters and how we are vulnerable. It occurs to me that Critical Infrastructure isnt a very acceptable term. A lot of the companies that are in the space, youre trying to convince to get on board defending themselves. We were just talking in the green room about how hard it is sometimes to get buyin from companies when its maybe a low priority for the. What have we come up with a better term for Critical Infrastructure and Critical Infrastructure . From the governments of standpoint there is residential policy director plan one which defined critical ever structure we have 16 sectors of the Critical Infrastructure. Responsible for helping private sector in that regard. Oakley prevent and detect and mitigate threats to Critical Infrastructure within those 16 and really, really get those corporations that contribute to the stability economically from a National Security standpoint as well as health, life and safety to the american people. From a government of standpoint we defied Critical Infrastructure and some of the companies who support it through pbd 21. The fbi, department of justice and Homeland Security work very closely also with those sectors specific agencies. I know you serve on passionate also bringing together those Publicprivate Partnerships to help defend networks within Critical Infrastructure. First off, thank you for having us and thank you, its a pleasure to be here. The National Health eyesight is one of the those information sharing and Analysis Centers with the Health Care Industry comes together compose together. We share resources, threat information to provide services to medium and small and Large Businesses as well. We are Johnson Johnson, the largest most coverage of Health Care Company in the world. We have significant resources but we realize that we need to get back. We need to help the little guys out with providing services. Brett has spoken at few of our summits recently and its a Great Organization where we are able to protect and defend the National Health portion of the Critical Infrastructure. I think in the commercial sector we are getting better, but part of the reason why we havent defined what Critical Infrastructure is because its a work in progress. We are still building the bridge as we walk on it. Firms that provide Enterprise Risk ManagementConsulting Services have to help our clients understand what their critical risks are. I think the more we do that, the longer we identify those risks for them and what the Critical Infrastructure consists of, the better the definition will become, the firmer it will be. How does they need, our need to understand Critical Infrastructure and the way we define need to change as we learn better what the landscape capability of threats and risks are out there . I think, generally speaking if you take Critical Infrastructure and boil it down to a corporate perspective, we look at it through three phases of business. We have the commercial, sales part of the business, the supply chain part of the business and we have the research and Development Part of the business. Each of those, the threats and risks are different in each of those areas. And the protections need to be different. In the supply chain actually about availability. You are dealing with risks such as technology, Life Cycle Management issues where the basis is trying to squeeze every penny out of that Technology Platform that can make that deal or make that medical device or design and build that drug. So theres a certain risk their. In r d is very collaborative space. So we are dealing with multinationals, educational institutions, so protecting the infrastructure that research and Development Rides on this and much more different, agile, more flexible approach. Its similar to commercial and sales. The financial data, making sure that were falling in line with sarbanesoxley and other types of financial controls. These are all critical areas of our business that we make sure we looking at, when assessing and building our security program. Can i follow up on that . Can you tell us how those three areas of the business coordinate their cyber defenses . Another great question. We have a very centralized viewpoint from a Security Strategy and design where we have a baseline of working with different types of framework such as iso frameworks for security controls that we apply. So theres a basic set of controls that we put in place but theres also again the unique need that those areas require. So coordination is done through the various different business groups but with a centralized security staff that is driving, building that strategy consisting of the people, the process and the technologies to secure the enterprise. Whats fascinating to me is johnson, you guys probably have very robust interaction between your very schemes, but what we see in our Incident Response from the Law Enforcement perspective is Many Companies dont have that interaction. The Network Defenders are responsible for Network Defense but they dont engage Fraud Prevention things. They dont engage the general counsels office. In one case we responded to what turned out to be a large cyber compromise. Winner teams showed a picture work with the chief information circuit officer and his team to engage the threat and hopefully help quickly mitigate what was happening while also allowing us to pursue the threat actors. A few hours into that the general counsel learned that this is happening and came down and privately said lets stop right now what were doing, we have a government agency, we are sharing information and have yet determined what information we want to share with the government, from a Law Enforcement perspective. They said the fbi can only continue to work within their environment to try to determine what they could share. Five days later, over five days later they invited the fbi came back and by that time they had communicated on compromise infrastructure that the fbi came to hear, what we want to share. So unfortunately i think a lot of organizations right now dont bring into the Incident Response plans general counsels, physical security folks, Fraud Prevention detection, all line lines of bus together to prepare for an incident, and what that information sharing plan might be with the u. S. Government. When youre advising companies on stuff like this, is there something they can do organizationally, structurally speaking, to help these those like 50 medications . Absolutely. What we like to do we work with firms, and ill tell you ive seen these plans vary widely. Even some of the larger firms we work with dont have very good plans in place and they kind of waited till its almost too late before they have a plan. What we tried to do is help them first identify what might be vulnerable, what things could be at threat or at risk, if it was sort of, after the identify those things we help them prioritize. This again is a problem because not all companies are at the same stage in their life cycles. Companies that are smaller but more technical, they have high risks but have lower revenue streams. Sometimes they are a little loathe to put resources towards this eventual event. It is an eventual event. It is going to happen at some point. Its just win. Hopeful it will be at a time in their life cycles where they been able to plan. We do try to get into a corporate as many parts of the organization as possible but some of them dont have their own general counsel. Some of them just, they will contract out when you need to depend on how much of the art in their business cycle. Weve got a great question from twitter and to tie strictly the question i want to ask soldiers going to ask the twitter question. Considering how much nationstates depend on satellites for much of our Critical Infrastructure has any official International Policy been put in place . Whats the best a necessary step to take in order to protect satellites and other space assets from being involved in a spoofing or hijacking attack . Im not aware, im not part of the policy teams out there in u. S. Government. Im part of the Law EnforcementIntelligence Community but satellites in any form of infrastructure utilized for communications in the i. T. Environment are susceptible to some sort of nefarious activity, cyber activity. Satellites are an asset that we have to look at, and like any form of risk we have to build controls around those. I know that is being addressed by some of our Partner Agencies to build controls around that risk associated with those satellite communications. So to what extent should we be thinking about things like election systems as Critical Infrastructure, or you know systems as Critical Infrastructure . Weve had a number of reports about russia potentially having hacked email or political actions. People are clearly worried about the impact that other nationstates may take in cyberspace to affect the way we live here. How can you sort of address the email and election system question . In terms of email i think its just part of our daily lives. I think, i was reading an article coming out on the train last night at half of our time, over 1000 hours a year its been reading into the email. Of course, its part of our infrastructure. There several established and Great Technology in place to secure communications around email with encryption. There are a lot of different ways with messaging that goes back and forth from applications in infrastructure to secure that. Thats, theres a lot of options out there to secure. As was said, depending on your resources what technology is right for you i think largely depends on how many resources you have available. From an intelligence perspective i think it goes back to one of the tenants that he learned in the army is know yourself and know your enemy. It comes to email, know what your information you are sharing over email, and now who might want to exploit that information. Once you have a good understanding of the environment and your threat environment i think it helps you to be safer with email, with any communication or with any means that can be hacked or anything thats vulnerable. That goes for any type of company, corporation to industry, sector. Of course email remains one of the top factors of compromised for any business. I dont want to beat a dead horse because i know multifactors have been mentioned many times. Id like to see the sixers in the pokemon to the and i will be using multifactor for vacation on my fantasy football team. I hope this is to implement that. But on the issue should be considered email Critical Infrastructure, consider the election systems Critical Infrastructure. That goes back to our initial question about what is Critical Infrastructure. The line to become a little bit blurred. While we have these defined sectors of Critical Infrastructure, what we have to look at is more and more entities within Critical Infrastructure that rely on third parties to engage in daytoday operations of with a thick cloudbased environment, whether its a mom and pop shop who have to connect to the Health Care System for billing purposes for a local Doctors Office although major organizations might spend millions on Network Defense and cybersecurity, if theres a small momandpop shop that has trusted access to the network environment, trusted access to the critical data. That the actors have shown a propensity to use the path of least resistance. Why try to for sure into a very robust protected network when you can go after some Small Business is trusted access . We have seen that in the government space, in health and finance sector. Whats convenient for as many times whether its a third party or connecting internet of things a device to our trusted networks, whats convenient for us is convenient for the adventure. So we have to look in we evaluate how we have trusted access into our networks. This may be a bit of a sensitive question given with a number of Law Enforcement here, but would you say that our Critical Infrastructure is compromised when we learned of the backdoor essentially that even yahoo s chief Information Secure the officer did not know about . I will defer my comments to these folks first. Im happy to talk about that a little bit. [laughter] i cant comment specifically on that yahoo a bit, but what we strive to do in Fbi Cyber Division is recognize that private Sector Companies are equal in the planning and five at the encounter tuesday it was if you see something, say something. That was the extent of what we did with the private sector come with our Law Enforcement role and criminal capacity. We met with victims and witnesses and use that to prosecute criminal activity. Under u. S. Law we work with private sector partners who see the adversary on the network before we do in Law Enforcement on a regular basis to see as the after changes taxes, tactics and procedures, and targeting Critical Infrastructure tenuous private sector business. We have to be able to engage private sector and get that information quickly because it changes so quickly. Likewise, with a certain optic into deficit that private sector doesnt have. Have to replicate the information out there to protect private sector to protect private sector. Notwithstanding recent media reporting, we do of robust relationships with private sector but they will always be governed by the u. S. Constitution and by the legal frameworks. I think this affected discussion we were having an agreement about how much more important it is to detect quickly than it is to prevent. I think if we help companies and firms to put in place detection mechanisms and know what to look for, i think that makes the response number brings that Response Time cycle much smaller. I think thats where we need to focus resources and assets because we are never going to even prevent, even yahoo and these really big corporations are of course rollable. Again it goes back to know yourself and know your enemy. Know what they want. Then you can up to prioritize if you plan in place to prioritize the protection and the detection, the reconnaissance and surveillance of your own networks to know where to put those resources. I think a critical word that was to early but should we talked about is resilience. A Good Business continuity plan and testing of that continuity plan is essential. At Johnson Johnson were all over the world. Theres a hurricane bearing down on the southeast right now and, of course, were going through different procedures and protocols that were all tested in the past, and we will be successful in kind of sidestepping that risk because we practiced before. We have a Solid Program set up across all business lines, across all the nations we do business into, to have either a tabletop test exercise or some type of Disaster Recovery that exercise. These are part of Common Security frameworks that help us to be more resilient, to test our protocols and our standards and our practices, and allow was to remain editable. Because if theyre not available we are not going to be able to do our job. Also it increases the city as well, so we see where improvements need to be made and then we can focus our efforts on improving those. We have talked a lot about how u. S. Businesses and u. S. Critical infrastructure is in some ways insecure, and often in this type of environment theres a lot of kind of hype and rhetoric flying around about fear and paranoia. Can you cut through that a little bit and give us a big picture take about where you was right in his stance in relation to other countries . I think we stand in pretty, we are in pretty good shape. I have served in the air force, now for over 20 years, to have that government perspective. Im a part of the National Health the board of directors to understand the Health Care Sector and how we are working across countries within the u. S. And also been a part of several Different Industries in Health Care Finance and technology. I think there are great partnerships, Publicprivate Partnerships that are in the u. S. , and i shall i see expanding internationally, that ive been a part of and have the experience to share best practices and attack signatures and vulnerability information with these partners. It may seem simple to say you just need to communicate, but the what is one thing, the how you go about doing it is a completely different dynamic. Theres Great Organization such as the Critical Infrastructure isac, and for guard, several Great Organizations where their mission is to increase the resilience of these u. S. Critical infrastructure and compass associate with them. Both, bringing together that Publicprivate Partnership that is essential for making sure were secure. I think the u. S. Is actually much better armor because we are better resourced to do and it goes back to the same problem we had we have countries that are struggling to feed their populations, to keep social unrest at bay. They dont put resources towards securing Critical Infrastructure which we advise a lot of our countries are multinational and kind of global that this is a problem if youre looking to expand operations overseas something you take into consideration any Risk Management plans but i do feel like the United States is step ahead of our tier competitors but only for so long. I think some of our competitors are going, well catch up to us in and we can only hope that will proliferate to some of the other places that we have Critical Infrastructure or that we have businesses that rely on the Critical Infrastructure of those countries. Can you give a concrete example . And to what extent does the lack of readiness among other countries provide quoteunquote and opportunity for unamerican Cyber Warriors . I think some examples would be places where we rely on electric and sort of data grids in countries may be like there so many of them, africa. Like, we have companies that you mining and extract is in several african countries, and they dont have the resources to put towards protecting their electrical grids or any other other Critical Infrastructure, water supplies, anything that these Companies Need to conduct business. And some of them, if you shut them down for a day, they will lose millions of dollars to bring things back online. Some other examples would be, if we were talking to potential investors or investors that were looking at potential opportunities in cuba, and cuba is another country that has excellent Cyber Capabilities but they dont feel that they are a target, so you dont spend a lot of resources on protecting their Critical Infrastructure. Is the businesses and investors wanted to invest in cuba we would capital they say look, this is a risk. Brad, i wonder if we talk a little bit about your work in Publicprivate Partnerships, and tell us a little bit about Publicprivate Partnerships is kind of a buzz word. Off and it describes an ideal, and aspiration the what does it actually look like . What are the nuts and bolts of making that work, succeed . Insider is a willingness to step up the willingness to step up and step out earliest about often. On the part of private sector and u. S. Government. What weve learned over the last five years is that sharing threat indicators two weeks after receiving is no longer acceptable. If you look at the advanced persistent threat environment where addresses are able to gain a foothold in a Corporate Network and quickly enumerate the host in that network, move laterally, that significant and it can happen in two weeks. The fbi in partnership with the nsa and our partners are now rapidly declassifying since it indicators and getting this out to private sector but we also to give that information from private sector because cyber is a bit of a puzzle. And be able to see them our own networks, extract that, analyze that quickly is key to predicting Critical Infrastructure, fortune 100 companies, small and medium businesses. The Cyber Division has developed a Cyber Operations engagements sector and our job is charged with operationalizing a relationship with private sector. Check out infragard to go to share information quickly and rapidly. We see the partnership happening and if we dont partner together we will continue to lose that battle as opposed to gain footing on the adversary. You manage a database that solicits threat information to the general public. Tell us how that works and how many notifications begin a day . Our National Reporting mechanism, we get come up have to on the numbers. Tens of thousand of that 100,000 within a week. We get the information rapidly but we dont get enough. Cyber reporting is underreported. Were hoping to get a better object into some of these trends, with its basis government, ransomware or someone most of the trends. Passing click a great place rappa. Thank you so much for joining. I will now be joined by my colleague Ellen Nakashima on stage, and thanks so much. [applause] good morning. Thank you for being here. Im Ellen Nakashima of the washington post, and with me on stage is lisa monaco, assistant to the president for Homeland Security and counterterrorism. Good morning. Shes responsible for policy coordination and Crisis Management on issues ranging from terrorist attacks, cybersecurity to National Disasters like Hurricane Matthew thats heading our way now. The president likes to call her doctor doom. Prior to going to the white house she spent 15 years after the pardon of justice and the fbi where she helped to shift the fbis focus after 9 11 to preventing terrorist attacks on the United States and that the department of justice, she started the cyber prosecutors program. Lisa, thank you for being here. A reminder to the oddest to tweak your questions are at the hashtag wpcyber. I will get to your questions at the end i think of our discussion. Lisa, you brief president obama every morning a National Security threats. How have they evolved over the past three and a half years . Are using more threats in the cyber domain now than terrorism . I certainly am seeing a lot more cyber information than Cyber Threats that are figuring from late in that region. As you mention every morning the president received something called the president s of daily brief, which is a briefing delivered to them from the director of national intelligence, giving an overview of whats happened in the world overnight, what are the Strategic Issues theyre concerned about from the Intelligence Communitys perspective, and what are the biggest threats and concerns to our security that we are facing . I participate in the meeting along with the National Study advisors and Vice President , the deputy National Study advisor and a few others. Issues like ebola, pandemic concerns, hurricanes. But increasingly over time and over the 3 1 2 years i find myself almost on daily basis talking to him about some cyber threat issue and the fact, what i have noticed is, the, been struck by breadth of the threats that were facing. Certainly against the u. S. Government, against the private sector. The range of actors that we are concerned about from of course nation states, like russia, iran, china, north korea, to nonstate actors, to hacktivists and to your gardenvariety criminal actors. Then the other thing that is featured prominently in this briefing is the Cyber Threats in general has been the range of tactics that were seeing. So gone are the days, or not completely gone, but added to issues like denial of service attacks has been the increasing willingness of aggressive actors to use destructive attacks in the cyber realm like we saw with the north korean attack on sony pictures, to, something that is of great concern to me and to others who are focused on this issue, which is, how can we be certain of the integrity of the data that we hold in and responsible for . Increasingly i think that will be the near midterm and longterm concern. Integrity of data such as for instance the data flowing through your election machines. Is that high on your list right now . Well, certainly. Were obviously focused on, and you have heard myself and others talk about this last several weeks, we are always going to be concerned about Cyber Threats to our systems, to our critical systems, to our Critical Infrastructure and we have seen efforts at probing state election systems and the state election infrastructure. What people need to know about this though, is that our voting infrastructure, our election infrastructure, is really quite resilient. Now what do i mean by that . It is owned, operated, administered and managed by states, by localities, down to the county and municipal level. It is not a federal government entity. It is incredibly diffuse and diversified. So that is a good thing from a cybersecurity perspective because there is no one single point of failure. The other thing is, there is a tremendous amount of resilience and checks and balances in our system. The oversight from those state officials, from quite frankly the media when it comes time for elections, et cetera. There is a great deal of resilience in our election system. People should be quite confident in it. That said, we exist in a wired world. We know that there are actors out there trying to breach our defenses across the board. So what weve been doing is, alongwith the department of Homeland Security and others in the government has been trying to make available to state officials and to Election Officials expertise, resources, to bolster their defenses for their Voting Machines, for their voter rolls. And i was very pleased to see that last week we had a bipartisan letter from the congressional leadership in congress from the majority and minority leaders in both chambers on the senate and the house who wrote a letter to the governors and to state Election Officials indicating that we need to be vigilant and that the federal government in the form of the department of Homeland Security can provide assistance. To be clear, have we seen, have you seen any efforts by any actor, particularly nationstate, such as russia to manipulate data going through Voter Registration systems or other systems tied to the elections . I think what, director comey has spoken to this, obviously my former colleagues at the fbi are very focused on responding to and assisting states with investigations when they do experience breaches or other intrusions. Director comey has said weve seen a lot of probing and efforts to get at information but have not seen indications of manipulation. But do you see, are you looking at, do you think there has been, is there an effort by another nationstate such as russia, to try to just cast doubt on the legitimacy of our election and election process . I think were going to be concerned when were talking about Cyber Threats on critical systems, whether it is power grid. Whether it is on our election systems. Whether it is on our financial sector. You saw my former colleagues at Justice Department not too long ago indict a number of iranian actors for Cyber Attacks on the bowman dam in new york as well as on our sector. So weve got to be concerned about nationstate, nonstate actors trying to breach our critical systems, whether to generate insights for their use later, whether to develop a greater intelligence picture to use in the future, or whether to sow doubt or confidence in our systems. Our message we ought to be very confident, certainly in our election system, frankly our democracy, both in the form of its systems and those literal systems that we have in place, and in our greater democratic system at large is much stronger than any one of these actors. Thank you. Now your background is in counterterrorism. Lets talk a little bit about how you tried to take the Lessons Learned from that applied them to cyberspace which you have done in the last few years. Its a great question. This is an area ive been very focused on. I spent my career largely as prosecutor in the Justice Department and the fbi focusing on National Security issues. What we learned both as a country i would argue and as a government after 9 11 is we needed to shift our focus and our imagination and our prioritization of the terrorism threat. I think we did that quite effectively. And we needed to both reorganize ourselves and integrate our information and our unity of effort around making sure our Law Enforcement and Intelligence Services had the same information and have a greater picture of the threat and that we had an ability to respond quickly and agile and effectively to terrorist threats. I would argue through the great work of some incredible professionals across two administrations, we have done, we have done that quite effectively. So were applying those lessons in the cyber realm. How are we doing that . One, by prioritizing and recognizing the threat that cyber, malicious cyber activity poses. At the beginning of the president S Administration he labeled the cyber threat one of the greatest National Security and Economic Security threats that we face. So naming it and prioritizing it for the administration. In terms of integrating our information, we did something about two years ago in applying one of the great lessons we learned in the counterterrorism realm to cyber. We created after 9 11 something called the National Counterterrorism center. One place where terrorism professionals and analysts and intelligence personnel came together under one roof, to share their information, so we as policymakers all had the same picture, the same dots, that everyone refers to pre9 11 to connect and understand what are the greatest threats we face. So that the president s Daily Briefing i mentioned a few minutes ago, everyone who is critical in the president s National Security team is seeing that same information every morning about terrorism threats. So how is that helping you though . Is that helping you to make faster decisions who is responsible and maybe what to do about it . So what we did up until about two years ago we didnt have one place in the government that did the same thing for Cyber Threats. So we created something called the Cyber Threat IntelligenceIntegration Center or ctic and we brought all analysts and experts into one place that could fuse information we had about Cyber Threats so policymakers like myself and others have one critical picture. And what that does, to your question, ellen, it says, what do we understand to be the greatest threat . How should we be understanding it . What are the options for policymakers to act to disrupt those threats. The other lesson we applied in the terrorism realm, we apply all tools. What is the best tool we can use at our disposal to disrupt a particular threat . Is it a prosecution . Is it a military action . Is it intelligence operation . Is it diplomatic overture. Were doing same thing in the cyber realm and you have seen that play out. In fact i like to talk about because now, almost end of the administration and clearly you are, thiS Administration has dealt with just this incredible evolution of the cyber threat, coming at you every day, and but there are critics who say the Obama Administration just doesnt have a coherent deterrent framework for all the threats coming at us. Weve seen opm. Sony, russian hacking of the dnc. So, how do you respond to them when they say there is no framework . In fact do you think maybe youre doing it more on a casebycase basis where you have an event such as chinese cyber economic espionage and maybe you respond with indictments or against sony respond with sanctions . Are you in fact building a defacto system of red lines, a framework of deterrents . No surprise to you i suspect or to your audience i disagree with the critic, with the critics that we dont have a strategy or deterrence policy. And its this. One, we believe very strongly that there needs to be a set of norms around cyber behavior and what youve seen the president working very hard and very carefully over the last several years to build a set of norms and to build International Support for a set of norms. Things like, countries should not attack a countrys Critical Infrastructure with see per means. Countries should not engage in cybereconomic espionage for theft and commercial gain. Countries should not the engage in cyberoperations for suppressing dissent. That is a set of norms that we put in place. When countries violate those norms there is an isolation of that country. There is an agreement you can impose sanctions. Maybe there is a consideration theres an act of aggression if those norms are violated. So there is a framework there. But in terms of specific responses to specific activity, you talk about a few cases. I would argue we very much are putting if place a framework. We have seen it in action in some of the cases we mentioned. We take a whole of government approach to a malicious cyber incident. You see that in the case of north korea attack on sony pictures. What we did there, we gathered together all the information we could rather from Law Enforcement or Intelligence Community, combine that, understand it, reach a level of confidence, yes, this was the north korean government that did this, and then determine what can we say publicly about that activity that will not hurt our ability to expose sources and methods so we can do that in the future . If we reach a level of confidence we can talk about it publicly in a way that does not damage our National Security, and to make that attribution public is in our national interest, we will do so and we will respond. We will respond in time and place and manner of our choosing. When we do so, we will consider a full range of tools. Economic, diplomatic, criminal, Law Enforcement, military. Some responses may be public. Some may not be. We did the same thing in the chinese case you mentioned. Before you go on, explain a little bit what you mean by some of these responses might not be public . So there is a whole range of tools one can use. You see it in the connect tick space. Noncyber recommend as well as cyber realm. There are responses that are private messaging. There could be intelligence operations. So covertly hacking into north korea or iran or russian systems and what . I like ellens imagination. [laughter]. There is a whole set of things one could do but not have to talk about it or announce. That is true in response to cyber activity. That is true in response to intelligence operations of another country. Military operations after another country. And we apply that same framework. And Law Enforcement is also a tool. Let me get back to the covert. Say you do something secretly but you want to let your adversary know its you, right . Otherwise there is no point to it. So you put in some code that maybe disrupts their system just enough to know that you have capabilities and they know it is you. But if the wider countries donts know and other countries dont know, where is the public deterrent . What is the strategic impact. How are you upholding that norm . These are the kind of discussions that you can imagine policymakers happening around the situation room table. What is in our interest to do . Is it in our interest to publicly attribute that activity to name and shame if you will. To isolate the actor on the world stage . To garner International Support to say sanction or impose diplomatic costs . Is it in our interest to publicly indict and use our criminal justice process as we did with the chinese case . We began the case against five members of the pla when i was the head of the National Security division at the Justice Department. You reference ad program we started. It was National Security cyber specialists program. It was a set of prosecutors focused around the country bringing cybersecurity cases. This is lesson from the terrorism world. Which built on a set of terrorism prosecutors that we established across the country post 9 11 working with joint Terrorism Task forces that the fbi has across the country. Same idea in the cyber realm. We brought this case against the five members of the pla. The point there is youre calling out that activity. Youre identifying it. Youre naming it. Youre showing that you can attribute that, identify it, identify the actors, pictures of Chinese Military members at the keyboard. Even if you dont ultimately physically get your hands on those actors and bring them into a court, they arent going to be able to travel, because otherwise that warrant will be out for them. You have identified and called out this activity and i would argue it strengthens our hand in the diplomatic realm. You saw a diplomatic agreement reached with president xi a little over a year ago when he visited with washington and signing up to a the is of agreements that were monitoring quite vigorously. These things fit into each other. You slapped indictments on the five chinese pla members, you were about to imposed economic sanctions. I believe somebody reported that we were about to. It would have been the furs use of this new tool, cyber tool, created by president obama last year, which, you still havent used i might note. Are you going to use it by the way . Im eager to have all tools at our disposal. One of the reasons we set up the sanctions regime, right . That is another tool we used. You did the indictments. You are going to do the sanctions. As you noted president xi came to the table and created this agreement. How effective have all these gains been . Have you seen any change in behavior at this point . I would characterize it this way, we have seen diminishment in that behavior. However, i think this is something we have to be continually vigilant on and be very clear as we have been with the chinese, that we expect adherence to this commitment that we will continue to be watching for adherence to that commitment. And that we reserve the right to impose costs if we see that commitment is not being honored. You might impose sanctions after all, right . So you seem to have had some success with china. What about russia . Something you hear maybe the 400pound person sitting in, in any case, they have there is strong evidence they hacked the Democratic National committee. Ic, Intelligence Community is looking into whether or not, how intent they are maybe doing influence operation in the United States around the election. Why havent you taken any public action so far against russia in this i will go back to the framework i was laying out, which is to say, and, as you noted, that investigation and that understanding of activity is ongoing between the fbi, Intelligence Community. Were applying the same framework that i laid out a few minutes ago that we did with respect to sony, with respect to china. Gathering that information and professionals have to do that. Wont surprise you to know im not getting ahead of that here on this stage. Gather that information. Understand it, reach a level of confidence. Importantly look at it and decide, the intelligence professionals have to do this, what can be said about that activity that does not compromise sources and methods and our ultimate ability to use the tools in the future. And then decide, is it in our interests to describe that activity . Again, this is the broader framework that we apply as we did in china, as weve done with iran, as weve done in other cases. And then, again, response tools on the table. And, some may be public. Some may not be public. Talk about some. Considerations that may be going through you alls minds. Maybe there are diplomatic issues with russia and syria, political concerns, how much of a concern is it as we get closer to the election, taking any public attribution could be seen as politicizing . Look what i would say is that the set of concerns i laid out as we applied this framework are going to be the same in terms of general categories, right . Is it in our interest to act . We will act responsibly, proportionately. And do so in a time and place of our choosing. Now, questions about, you know, are there other interests, you know, i think what you have seen in the cases that we did with iran, china, et cetera, those with north korea, that, the primary guiding and overarching focus in those discussions is about what is in the National Security interests of the United States . That is the, that is the north star for those discussions. Okay. I think last week at the csis you mentioned that no actor gets a free pass. Right. Congressman schiff has said if the u. S. Doesnt hold actors accountable, in this case russia, it will only embolden them. What is your response . So i think that, i absolutely understand that comment and what i would say is, and what i think weve been discussing is, there is a whole range of tools at our disposal to apply to hold malicious actors to account. Youve seen us demonstrate that, using, using military intelligence, Law Enforcement, diplomatic, economic, all of those are on the table when we talk about particular responses with respect to ma licker schuss actors generally not getting getting ahead in this particular case malicious actors. As time winds down, a question on the minds of many reporters here this week, we had Chelsea Manning in 2010, Edward Snowden in 2013, now comes news of another arrest this time nsa contractor, booz allen contractor and this comes after the Obama Administration has taken steps to tighten controls to prevent the occurrence of such theft of sensitive classified information. What happened here and, do you need to do more . If so, what more . What can you do to tighten these controls . So, youre referencing i think the criminal complaint that was unsealed yesterday. Yeah. With regard to an nsa contractor. Im not going to comment on the specific case but criminal charges are in the Public Domain and your readers and audience can look at those and that investigative and criminal process will go on and im sure well learn more about that. What i will say though is, this is the type of activity we take exceptionally seriously. The protection of National Security and classified information. I would also say, because, as you mentioned, these cases have been, involved government employees, whether contractors or otherwise. The vast, vast, majority of the professionals serving in the Intelligence Community are patriots who have foregone i think lucrative salaries in other areas to work very hard to protect this country. So i think folks should remember that. That said, there is, what this case and others have pointed up is, we cant completely guarranty that we can eliminate a determined, the threat of a determined insider who is determined to steal information. That is a very hard challenge but as you noted what the president has been Crystal Clear about is the need to constantly review and learn from some of these instances. That is why you saw establishment of a Insider Threat task force after the Chelsea Manning and wikileaks case. Thats why youve seen just last week the establishment of something called the background investigations bureau, setting up a set of standards and modernization and strengthening of our background checks. So weve got to constantly apply, a, Lessons Learned, b, vigorous security measures. Were in a wired world. And it is going to get harder and harder. Were only as strong as our weakest link and we have to constantly be reviewing and understanding is there new technology we can apply . Are there new steps we can take . The president and the other leaders in hiS Administration and National Security realm take it very seriously and are constantly looking what more we can do. This contractor is suspected perhaps of also having stolen potent hacking tools used by nsa to gather intelligence. This is a very potentially significant action. How concerned are you that, how concerned are you about the potential damage to National Security arising from this case . Well, without getting to the specifics of the case because i think there is a lot more we need to learn about that, as a person who is responsible, as you said, starting out this discussion, to talk to the president every day about the threats facing our country, im exceptionally concerned about anything, and anyone who would do something to jeopardize critical tools that we have, and the tools that we use to keep this nation safe. Thats why, i think weve got to constantly be reviewing what were doing and applying new tools and new technology to it. Well were short on time but i have to ask you, were four 1 2 weeks out from the election and Julian Assange has promiseed that there wit be a massive leak of electionrelated materials on wikileaks sometime before the election. What might we expect from a october surprise . There are several reasons im not going to speculate on that. Ah. One of which is, one of the things that i do when i occupy my Windowless Office in the basement. West wing is not get into politics. So i think i will continue that in this relatively windowless room as well. All right. With that im going to have to wrap it up here. But thank you so much, lisa, for here. Thank you. Thank you to our audience. [applause] well have clips from the Program Posted later. Thank you. Thank you. [inaudible conversations]. Well the u. S. Senate will be gaveling in shortly for a brief proforma session. The hill has this news. Mitch mcconnell is advising republican senators to use their own gameplans to deal with possibly collapse of republican president ial nominee Donald Trumps campaign. Mcconnell telling vulnerable republican senators to focus on their own state races and avoid getting involved in the controversy swirling around donald trump. No legislative business. The lameduck session begins on tuesday november 15th. Live 2016. Provisions of rule 1, paragraph 3, of the standing rules of the senate, i hereby appoint the honorable Shelley Moore capito, a senator from the state of west virginia, to perform the duties of the chair. Signed orrin g. Hatch, president pro tempore. The presiding officer under the previous order, the Senate Stands adjourned until 2 00 p. M. On thursday, october 13, 2016. October 13, 2016. The senate has proforma sessions twice a week until midnovember. Legislative work gets underway tuesday, november 15th. Lame duck items, government funding past december 9th. Aid to flint michigan for contaminated water, medical research and Defense Department programs. Of. Live coverof