Transcripts For CSPAN2 Key Capitol Hill Hearings 20240622

There is no way to turn this clock back. I don't want to turn it back. We need to recognize that inherent in each virtue, and I summarized them on the side, is the risk. To the degree that I concentrate or communicate or take people out of the loop, et cetera, to the degree I buy the benefits of this technology, in each and every one of those steps I introduce security consequences that give rise to greater risk. The virtue of the system is intertwined with its limitations, its liabilities and its risk. That is fundamental. It is not just that the complexity of the system gives me these problems. One reason technology fixes just don't get me there is that every time I buy more security I tend to do so in ways that involve sacrifice of virtues. I want to spend a minute, having talked about software, to say a little bit about hardware, because the hardware insecurities are quite, quite real as well. You're aware of that. An easy example I can give is that people tend to think about supply chain in all kinds of sophisticated ways: what is being made in China goes into the F-35, our latest fighter aircraft, et cetera. What I am struck by is that even if you preserve your whole system, if it turns out something you use to give more power for your iPhone, as for example simply a plug-in adapter, is made with a device in it that enables hacking of your iPhone, that connection is a fundamental problem. So the range of issues is extraordinarily great here. And from an espionage standpoint, you're all familiar with the Stuxnet experience. What is less talked about is that the Iranians moved to a particular set of frequency converters and the like because they became convinced some foreign power had hacked into what they were buying from abroad to install in their nuclear establishment. They had to begin to produce their own stuff, which then of course set them up for the vulnerabilities of some of their own stuff, and also introduced a variety of inefficiencies.
So the global supply chain gives us a chance to, forget more vulnerability associated with the hardware world. I want to show this sophisticated audience this point by just giving you a chance to reflect for a moment on a statistic you're probably not often exposed to. I want to ask a very simple question with respect to transistors. There is a nice little cartoon in which a guy says to his wife, it is time for us to begin to spend more time with our children. How many do we have? If you think about that as a problem, think about our transistor world and imagine the question: how many transistors are manufactured globally every second? I just want you to think about this answer. I'm not going to embarrass anybody by having you stand up, or embarrass me by having one of you already know the answer. Let me tell you, when I first began to think about this a couple years ago I spent a fair while and did a sort of back-of-the-envelope calculation, and the number was so unnerving to me that I managed to get some friends at Intel to work on it, and they eventually commandeered the Intel research department. They came up with a number so disorienting that we had a couple hours of phone calls and we finally agreed on a number. How many transistors are manufactured worldwide per second, just as a measure of how well you understand this? Got the number in your head? Every second, 14 trillion transistors. The complexity of this system, the difficulty of policing it on the hardware side, needs to be appreciated. The human side: this is a nice picture of Snowden. Before Snowden we had Manning. The openness of the system to third parties is pretty striking. One of the leading theories about Stuxnet is that the Iranians thought they had the system air-gapped, that there was distance between the centrifuge system and software, a physical difference from the outside world. All things happened. Patches need to be updated. Contractors come in.
One theory about Stuxnet is that a contractor got infected and brought in a virus. If you're running an aerospace corporation you have to integrate with all kinds of suppliers from all kinds of portions of the world, and that then causes you to share information; large numbers of people have access to this information. Huge problem. And even if those people are not malevolent, the ability to manipulate these people is pretty great. If people have not read Mitnick's book, I encourage them to do so. It is impossible to read that and not realize you could be fooled by Mitnick and clever social engineering. Everything is configurations inside and outside of the hardware. I've given you my password example already. You're familiar with many of the efforts to deal with this; the countermeasures have a long history. We know that we tried barriers and training, but we had fundamental problems with these. They leak very badly. Screening and antivirals: you're familiar with the set of issues associated with that, the dependency on preexisting signatures, the way the antivirals lag the attacks, the way in which many of them actually import vulnerabilities themselves and can be used as bases for exploits. We have done a lot of hunting for vulnerabilities. It is nice to see the rise of that effort. I think, as I will show you in a second, it has produced some benefit. So has active defense. But monitoring the situation and the like also yields limited benefits. We can create enclaves and encrypt to greater degrees, a very useful kind of thing. Again, information needs to be shared. As soon as we get into the sharing we get into all kinds of vulnerabilities that are described and inherent software vulnerabilities that may exist. It is hard for me to believe. When you talk with sophisticated inside operators, it is hard for them to believe they can't get into most anything, if you really cared enough and had enough resources. I talked to somebody that makes a career of it.
He goes around dealing with complex industrial systems. I asked him how many times he is unable to penetrate his client. He said it might have happened once. It is so unusual. The vice president for security at Google has said in a public context that when Google organizes red teams they succeed in getting in 60% of the time. They're thwarted 40% of the time. That is Google defending itself against its red teams. I think we overstate the degree to which we can defend these systems, and what happens is corporations like to hire red teams that affirm the qualities of the people who hired them. So you don't wind up getting good penetration analysis ultimately about what serious attackers would do. I will come back to the deterrents point. I would note a lot of what we're doing is raising cost for attackers, not actually preventing them from ultimately penetrating. I began to try to think about ways to document that. One of the things I did was to get a company that has been involved in vulnerability hunting and exploit development. I asked them to go back through the records and show me just a rough indicator, I don't want to make too much of this, it is just illustrative, of what happened over time in terms of their production function for vulnerability discovery. How many researchers of medium quality do they need to find major vulnerabilities? And basically this chart, from 2006 to 2011, shows you the production function and shows you that in fact it has gotten harder to find vulnerabilities as we get things like fuzzing and different kinds of vulnerability hunts out there. But if one researcher could find one or two significant vulnerabilities in a year back in 2006 and only finds half as many, that is to say, it takes him two years to find a vulnerability on average in 2011, we've significantly raised the cost for attackers.
It is now four times as difficult as it was before by this rough illustrative measure, but that just means if you hired four times as many people you can produce the same number of vulnerabilities. I'm simplifying, but I think you see the illustration. Another manifestation: look at the vulnerability market, look at government productions. Here is a CERT report. Every week we get a description of substantial vulnerabilities. Look at the successes enjoyed by the top-level people, or even the people who don't win, who are not at the very end of the distribution of top prices. Hopefully this is a way of conveying the problem. I want in my closing minute to talk about my own thoughts on things we could use to improve the situation given where we are. First of all, the fundamental proposition that emerges from this is presumed vulnerability. Presume digital vulnerability. And in critical systems treat this as contested territory, a phrase of Mike Assante's, which he used in some congressional testimony. Create lean systems, that is, ones with fewer attack surfaces, and recognize that if this is poison fruit, go on a diet. Ask yourself, do I really need this functionality, because it is introducing vulnerability? That doesn't just mean enclaves and the like. An easy example for me is the printer. Most people think they want a printer to print. Seems pretty evident. They don't think enough about what marrying up the fax capability with that print capability does in terms of connectivity and connection with the outside world. What about the fact that my printer has Bluetooth capability that enhances its vulnerability? How do I feel about memory in my printer? Most people buy memory in the printer and don't want it. I come back to the example of Snowden. He could steal 1.7 million documents. I don't understand why he would copy them. As an administrator he could get access, but as administrator there was no need to take the stuff out.
As far as I can tell from the outside, the answer is that the NSA people are not dumb. They disabled the computer capability that would enable replication. But Snowden is not dumb. And he, with a screwdriver, re-enabled it. So my question is, why did it have the capability to begin with? The answer is because we buy standard kinds of computers in these contexts all the time. They come equipped with a huge range of capabilities. What we should do is more about buying leanness and slimming down our systems. I think we also ought to think of the virtues of systems and analog. Let me come back to Stuxnet. One of the striking things about Stuxnet: it was not just penetration of the systems that controlled the centrifuges. It was, and we know this from the public documentation, a system that also deceived the Iranian operators as to what was happening by playing back to them simply standard operation of centrifuges when in fact the centrifuges were spinning out of control. The fundamental design implication of this is: do not convert your situational observation capabilities and your safety systems to the same modality as your operating systems. If the Iranians had had a plain old analog system that measured vibration of centrifuges, and when the vibrations began to get out of control sounded a physical alarm that rang, no digital attacker from a distance could have thwarted that system. Maybe somebody could have gotten in the room to disable one or five or 10, but the centralization and concentration of the digital system and connectivity would be offset by a plain old analog system. I have a friend coming out of the central intelligence world. He is paranoid. His paranoia leads him to have video cameras everywhere in his house, but being a smart guy he is paranoid about his video cameras and worried that people from the outside world might tap into his cameras and observe everything in his house. So what does he do?
He puts an index card next to the video cameras when he goes out, so that if the camera is swiveled the index card falls over. An analog system. All I'm suggesting is, where systems are critical, we ought to be going through our safety and control systems particularly and, where possible, inserting analog capabilities or creating resilience in the operating systems by having analog stand alongside. This is a back-to-the-future kind of prescription, but if you believe, as I do, that the digital systems are inherently insecure, you want this complementarity here. You want separation of systems so contamination of one doesn't lead to the contamination of others. You want to decrease the amount of coupling, the degree of integration. So I like having an Apple system alongside a Microsoft system, simply because I've gotten some diversity of vulnerabilities, or, to use a phrase Dan Geer repeatedly used and made famous, I want to avoid a monoculture. I want to create resilience in the system. From a public policy standpoint, I ought to be saying, hey, there are some systems out there, the power system, the financial system, that this country depends on so fundamentally that I'm going to impose some degree of requirement on them that they measure up in security terms. They are what we recognize in other arenas as too big to fail. We regulate the airplane systems and the like, demand safety standards. We need to do similar kinds of things, in my view, in the internet world, though recognize the speed of change. So you can't, in my view, regulate it by saying you must do x, y and z. When you do x, y and z, it becomes too straitjacketing and limiting. There is too much variation between too many different systems. I would delegate this regulatory kind of requirement to the relevant cabinet departments. I won't have some overall cyber czar impose it.
I would encourage them to use persuasion, subsidies, everything possible, including ultimately regulation, to get companies to the point where they have provided a convincing case that they have done what they could to reduce these vulnerabilities, that they've diversified and the like. Disaggregating the problem is very important. We need, I think, to recognize the fundamental differences between different industries in these contexts. For example, the finance and the power industries are dramatically different in their business cases. Come back to this point about the interaction between technology and business culture. If I run a finance company I'm being attacked all the time, every day, millions of times. I'm constantly refreshing my software, policing my boundaries. I understand that my fundamental assets are digital. They're not physical. And I'm at the very cutting edge of software and the like. What I want from government is information about attacks, and by and large I want them to help share that kind of information. And I want them to leave me a high degree of freedom. If I run a power company, I'm not as used to these kinds of frequencies of attacks. I have a much slower cycle of operation. My financial base is regulated. I can't pour money in at an annual period of time. I will act much more slowly. I have a whole different set of requirements. I need a lot of basic education from the government about what is out there and some raising of my standards with regard to it and my attention with regard to it. And that is just an example of why, therefore, I'm very inclined to push this problem within Washington to each of the relevant government departments. I'm very much an enthusiast about longer-term research and development in this arena.
I have sketched why it is I think the problems are inherent in the technology, but there are opportunities in terms of making encryption easier to use, something we talked about here, use of formal languages to scale up our capabilities to provide more protection, and the basic upgrade of systems with a security focus will have a lot more benefit. For example, I'm a former Secretary of the Navy, so as the Navy develops the next generation of submarine or destroyer, make it a national goal to say, how will I design this system so as to reduce its vulnerabilities, to minimize the amount of poison fruit it consumes, maximize my use of analog and out-of-band systems, and maximize use of formal language at key junctures, et cetera? When I design the system it is something very different from a battleship, or change the context to the power industry. For example, in the Navy world I want integration of information at the bridge. Historically the captain on the ship wants to see it all, but of course in a digital age that creates a particular comprehensive set of vulnerabilities. So how would I design my ship fundamentally differently, conceptually, if I take account of this? That is a project worth doing over the course of a decade while we evolve another system. Or, I talked recently to the IAEA, the International Atomic Energy Agency, and my basic theme was pushing the analog notion: you guys are really good historically at safety analysis and regulation and the like, so you say, for example, we need, I will make up a number, 10 different cooling capabilities; if one, two or three fail I have the ability to bring in the others. And when you get some significant number you think you have built in resilience and safety. Now you go ahead and improve the modernization and digital systems that will control these, and you have created one single failure point in what was previously 10 different failure points.
You need regulators to recognize that, but also as we design new systems you need to create good thinking about how we build in better protection against those vulnerabilities. I also, because I care so much about the business culture and the like, would suggest it isn't just a technological problem, and the tendency overwhelmingly in Washington is to invest in the technology and the R&D money in technology dollars. I would like many more investments in the sociology and anthropology associated with the use of these systems. It is why Johnny doesn't use encryption, but it is applied to the larger system as a whole. We need to understand better what is going on within these systems. We need, and a number of people have recognized this, better pooling of attack information. And I've suggested in that paper a year ago there is a nice example of how this is done: a private corporation, MITRE, in the federal aviation world, recognized that the FAA collected all data on aerial accidents but didn't on near misses. There was a big issue, how do we share information about near misses? I don't want the FAA regulating it. They set up a private entity. Initially one or two airlines cooperated. Over time, several others did, and it covers the whole industry. The FAA has a seat on the board but doesn't control the information. But that information is anonymized but shared broadly. That is a readily achievable model. I don't need all the information and the like bu
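The analog-alongside-digital prescription in the talk (the vibration alarm that no remote digital attacker can silence, and the index card beside the camera) amounts to a monitoring design rule: keep at least one observation channel that the control system cannot rewrite, and cross-check the two. The Python below is an added example, not from the transcript or the speaker. It models a digital controller feed that an attacker could replay alongside an independent sensor reading that sits outside the control software, and it raises a finding when the independent threshold trips or when the digital feed is frozen while the independent channel is moving. The threshold, the nominal speed and the sample series are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed threshold for the independent (analog-style) vibration sensor.
VIBRATION_ALARM_G = 5.0


@dataclass(frozen=True)
class Sample:
    t: int
    reported_rpm: float        # what the digital control system reports to operators
    analog_vibration_g: float  # read directly from an independent sensor, outside the controller


def analog_alarm(vibration_g: float, threshold: float = VIBRATION_ALARM_G) -> bool:
    """The analog channel: a bare threshold with no controller software in the path."""
    return vibration_g >= threshold


def replay_suspected(samples: List[Sample], window: int = 4) -> bool:
    """Flag digital telemetry that is exactly repeating over `window` consecutive
    samples while the independent channel is changing. A live process rarely
    reports bit-identical values while its physical signature is moving; a
    replayed feed does exactly that."""
    if len(samples) < window:
        return False
    for i in range(len(samples) - window + 1):
        chunk = samples[i:i + window]
        digital_frozen = len({s.reported_rpm for s in chunk}) == 1
        analog_moving = len({s.analog_vibration_g for s in chunk}) > 1
        if digital_frozen and analog_moving:
            return True
    return False


def evaluate(samples: List[Sample]) -> List[Tuple[int, str]]:
    """Return (time, reason) findings from both channels, in time order.
    The independent threshold is checked first; the cross-channel
    replay heuristic is reported once, at the last sample time."""
    findings: List[Tuple[int, str]] = []
    for s in samples:
        if analog_alarm(s.analog_vibration_g):
            findings.append((s.t, "analog vibration alarm"))
    if replay_suspected(samples):
        findings.append((samples[-1].t,
                         "digital telemetry frozen while analog channel changes"))
    return findings


# Constructed scenario: from t=3 the digital feed replays a nominal reading
# while the independently measured vibration climbs past the alarm point.
CONSTRUCTED_SAMPLES = [
    Sample(0, 1000.0, 1.0),
    Sample(1, 1001.5, 1.1),
    Sample(2, 999.8, 1.2),
    Sample(3, 1000.0, 2.0),
    Sample(4, 1000.0, 3.5),
    Sample(5, 1000.0, 5.2),
    Sample(6, 1000.0, 6.8),
]

if __name__ == "__main__":
    for t, reason in evaluate(CONSTRUCTED_SAMPLES):
        print(f"t={t}: {reason}")
```

The point of the design is the order of trust: the threshold on the independent channel fires on its own, regardless of what the digital feed says, and the frozen-feed heuristic is only a secondary indicator that the operator display may be lying. A genuinely stable process could trip the heuristic on its own, so in practice it is tuned per plant and treated as a prompt to look, not as the alarm itself.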