Transcripts For CSPAN3 Panel Discussion On Cybersecurity 201

CSPAN3 Panel Discussion On Cybersecurity September 24, 2015

Just a quick bit on Passcode. We launched in February of this year. We bring some of the biggest issues facing the internet. If you were here this morning, you'll agree this is one of them. We hope you'll come to more of them, especially in October where we have a full slate of them here in D.C. We hope you'll listen to our podcast. Subscribe to our newsletter. This is clearly an issue where it seems like there's this immovable force about national needs and law enforcement being, I'm sorry, immovable object, unstoppable force over technology and business. We're here to figure out how to move this ahead. How to move this discussion past what seems like the past. So let me welcome in Brett Hanson from Dell. Brett is the executive director of Dell Data Security. Is your mic on? Sounds good. It's on. It's on. Um-hmm. Is it going? Good, good. You guys provide a suite of conduct. Little devices, cloud, everything in between. Channel functions in the software industry. So we've had, in this town, we're very aware of big breaches recently. Can you talk a little bit about malware tactics? Well, like you said, the number has certainly increased as well as the effectiveness of this. What is often overlooked, at almost every one of these major breaches, it comes down to individual. The end users, people like ourselves, are the focal point of the attacks. The reason why, technology can do a lot of great things. We can do a lot of improvements. As long as there's a human being at the end point, that's where the target is. They're the ones who are going to be curious and click on the picture of the pretty kitten and want to find out more about how to buy that. It has to be more thoughtful than empowering users. Raise the fact that they're going to have multiple devices. Let's do so in a way that allows me to manage and that's if they step up. That's a change in the strategy that we need to itch leapt. So, given that, how do you get them? There's going to be a combination.
Cyber security contains lots of different parts. There's not one silver bullet. I think that's important for everyone to understand. There isn't a silver bullet. It's going to require, it's going to require advanced policy and advances in education. However, we're seeing a lot of really strong advances in the last few years. Indefinite user security is increased significantly. And that's providing new technology with access to data and networks to better protect. So in the mobile workforce, obviously, nations that do that and still stay secure. Is that a viable approach? It leads the combination above policy. And it needs to be involving the employees themselves to make sure that they're in. But for too long you think about data at the end point. PCs, mobile devices, public clouds. That's more of an afterthought. Providing I.T. and the chief security officer the full visibility they need. Can you truly be protected from that? There's a lot of noise out there about if you're going to be breached, it's about when. We started off acknowledging the fact that they're difficult to stop. We shouldn't give up on stopping it at the input. It can't just be about the technology. For many years, we depended on traditional signature-based anti-malware. And then saying okay, is that a good or bad executable. Clearly, that approach is no longer working. Their approaches are containerized. They're going to keep all the untrusted data, your browser and email attaches in a sandbox arena that separates it from your workflow. So, yes, the challenge is significant. Yes, we are challenged nearby. There's a lot of companies out there that employees can utilize. Let's just pause there. Any questions from the audience? Anyone like to jump in here? If you had a greater ability of data, what would that change? Is there that opportunity on the horizon? Better visibility around your data forthcoming? So, answer the first part of the question is if you had better visibility or data? Absolutely.
If you take that to the physical world, companies know where their physical assets are. So if you're able to understand where my data is going, you should be able to detect if a breach has occurred. Companies have to be thinking about their data as an asset. Encrypting it. Ensuring that there's true access control. And mitigating risks going forward. One last one, millennials in the workplace. It's a very unique issue for companies. How do you comment on that? It is not just millennials. Most of us have accepted the fact that you're going to have your work P.C. What we need to do is acknowledge that the workforce has changed. How people access data has evolved tremendously. Trying to be regressive and say I'm going to lock you down certainly will work for a select number of organizations. So we need to be thinking about, again, how do I protect the assets and data itself? But that's where we need to go. I think there's a question. Hold on just one second. We'll get you a mic here. We want everyone on C-SPAN to hear you, too. Hi, I'll put my coffee down. I have a question. I took my child on a Disney Baltic cruise. And I actually had to get a DoD-compliant wipe on my computer. And now I don't want to restore my computer. A lot of that data, I don't need. Just information that we don't want out. There are people carrying around stuff. Their laptops. And I carry two laptops. But when I got that DoD wipe, I felt so refreshed. I would really like one formula. I will say that there's an opportunity around data of what you're creating and what you're putting in the marketplace. The whole concept of creating data that if it's launched into cyberspace and can be used against you is something that we should be aware of. It is a growing need to be thoughtful of what am I putting out there? Any questions? Sure, one right here. Go ahead. How about promising technologies and the appeal of them.
How do you prevent or break the psychology of companies wanting to invest and then becoming so reliant that they don't continue to invest in new ones. It seems to be a common trap. What can you do to break that psychology? That's good news for me. I think enr education is actually foremost. There is at this stage, a lot of excitement in the marketplace around cyber security. And I talked to customers, large and small every day, about how to improve their cyber security. What I stress to them is this is not a sprint. This is a marathon. This is going to take time. And then, to be really effective with cyber security, you need to stop thinking it as a, as an end goal of its own and start to bring it as part of your business goals and your business objectives. So as you're considering where your business is going, you need to be thinking about cyber security. As an example. I was talking to a company that is increasingly outsourcing the production. That is creating opportunities to be more efficient. However, it's also creating new risk, as they're having to put more of their I.P. into the hands of their partners. There need to be cyber security strategy. I think that's the change that we need to help drive. Rather than getting caught and just embracing it and being done, it's how does the technology enable your business strategy and so much is cyber security strategy, as well. That, that's a change in the mindset, but it's absolutely critical. So my question is the solutions you've focused on, the end users, the devices and how do we sort of secure those items. At a communications network level. What can be done there on that front to ensure cyber security? My name is Andy from G Data Software. You mentioned the end user's perspective. Other than a slap on the wrist or you're fired, how do you manage accountability. What is your idea? Network management. I obviously work for Dell. We do have a big focus around the end user security.
I think that's been a neglected part of the security environment. Security, security, as I mentioned earlier, is all about solutions. It's the ability of different pieces to talk to each other. So as I'm collecting information around the attacks and the threat service at the end point, my threat is going to enhance its security and vice versa. Increasingly, what you're going to see are these different assets starting to communicate with one another and through that communication, be more effective in terms of both addressing threats as well as being proactive and permitting them in the first place. That's a journey we're working on. Dell has a great asset which we work very closely with. So we're going to be taking those steps ourselves to really further integrate the two offerings to in real time to make them more effective as a team. Both offered as a team together. Second question, accountability. That's a tough question to answer. There's a lot of different discussions about how to encourage workforce. A lot of what I've seen successful is the care and approach. Thinking about how they can be safe. Those who go a certain amount of time about how to reach a violation, either receive an award or recognition. There's also those companies focused on a shachling approach. Using a little bit of, okay, John's been reached five times in the last month. John, you're a bad guy. And that's obviously a little more draconian. It's probably in the carrot and stick approach. But, certainly, at this stage, there is a low-level appreciation for workforce employee accountability. I think the carrot is a great way to go. Notify worker who is doing well. Give kudos. Acknowledge the fact that. Affecting data and addressing to protect or advance persistent threats. We're going to need to be much more effective in the long haul. Thank you, director. Thanks for coming. [ applause ] So, first, we have Amy Hess. She is the executive assistant director of the F.B.I.
Science and Technology Branch. Criminal justice Operational Technology divisions and the F.B.I. Lab. She'll keep a few remarks and get to questions and I do want to get to audience questions, as well. Great, thank you, sir. Appreciate the invitation to talk about this very important topic this morning. So the F.B.I. really used the going dark issue as having been a concern for us for a number of years. It's well beyond encryption. It basically summarizes the issue we have with the proliferation of technology over the years. And how that might be impacting our ability to do our job. Our ability to get information, evidence or leads in criminal investigations or national security investigations. And so as we see this proliferation of technology, we see that case accelerating. And, so, to that point, we have actually been more and more vocal about the issues we're seeing, the concerns we're having, the challenges that we're encountering with respect to be able to do our job. So, as I said, the going dark problem is more than just encryption. When we're going dark, we're referring to encryption, for example, data in motion. Data that's transported across networks. Real-time electronic surveillance that we must do in the course of our investigations. We also view it as a challenge with encryption on data at rest. Stored data. We also view it as a challenge when it comes to mobility. So people will bounce back and forth between, for example, cellular service, Wi-Fi service back and forth. And that presents a challenge to us, as well. And then anonymity is another challenge. And then, in addition to that, we see, for example, foreign companies. That presents a challenge to us. We see a challenge where it will disappear as soon as you send a message. And that presents a challenge to us. All of those things factor in to what we refer to as the going dark problem. At the same time, the nafgs we used to keep in our homes are more and more on our electronic devices.
And the same goes for bad guys. In trying to prevent those threats from happening or to bring those people to justice. That's where we live as a society. We also have the Foreign Intelligence Surveillance Act. It does the same thing with national security investigations. Search warrants. All of those orders signed by a judge that enables us to get access or at least authorizes us to get access. Unfortunately, unable to execute more and more because of increasing problems and issue. Not proposing a solution to that. From the government's perspective, we really need the companies to try to come up with a solution. To try to build the most secure systems. Yet, at the same and present an order with the search warrant or signed by a judge that we're able to get the information that we're seeking. The evidence, the data in readable texts. To start, let's go with encryption. So strong, they say the company itself can't get access to the data. Let's distill what we're talking about. That's actually a back door. This is a built-in weakness. What is the problem as the F.B.I. views it and the proposals that have been flying around Washington. Sure. I think the ability for us to prevent an attack or to bring someone to justice, that's the piece that's at issue. And for the encryption piece of the discussion that we've been having, the issue comes down to whether or not the company is talking about real-time communications or stored communications, data at rest, it comes down to being able to access that. So in order to access that information, the question is how are we able to do that in the most secure way. I think starting with the premise that in the society we currently live in, currently to be able to get that information for some other consumer-based need. At the same time, the question comes down to whether or not the government should be proposing those type of solutions. They're able to build, build in some type of accessibility. What is the specific problem.
What happens in that process that is holding up law enforcement from getting that app? Sure, when it comes to data at rest, we see the issue and we've presented a number of examples in the past. I'll start with a passive example. For example, we had a case involving a child pornographer who eventually was communicating with individuals. Based on a photograph, question got access to that person's iPhone. And then that investigation led us to eventually identify additional victims that that person had molested. All of these individuals, these children, were under the age of 8 years old. But without that information, we might not be able to do that. We have homicide investigation where an individual is shot and killed answering the door. Now there's no one to serve the warrant on. The police were unable to access to try to find clues as to who might have been responsible for her murder. So how big of a scale it shall, what's the scale at this point. You have a New York district attorney who's saying that, in 80 of the cases, involving iPhones running iOS 8, law enforcement was unable to access that data. That's over the course of the example. I will be the first person to tell you that we've done a really bad job of collecting empirical data. We need to do a better job of that. One, for example, we can refer to the annual wiretap report. The problem is, to get it, Title III, to get a wiretap, it's a very prolonged, deliberate process. So in order to do that, not to mention the level of F.B.I. headquarters authorities that we have to go through. An agent is not going to pursue all of those things. We have that same problem when it comes to, obviously, what we're seeing across the board. We are seeing an increasing problem. We need to do better at capturing the data. Obviously, things like the annual wiretap report kind of presents the problem. Our investigators aren't going to pursue something that's that.
There are some who say that there's actually more law enforcement available than ever before. That law enforcement, for instance, could collect metadata which includes telephone recorders and location data. But aren't these tools enough? That's a great question. I think that, personally, I've had discussions with all of the F.B.I. field offices to have enough knowledge of how we investigate and, of course, having been in those field offices myself, and having investigated a number of different violations, agents will always try to get the information they need. So they're going to try everything possible. In some cases, if we're stymied by the inability to get information in, really, the most effective way of being able to directly access a device or access of real-time communication, we're going to try to find a way around it. Sometimes the problem is if we can get to it, we'll have lots of examples where we could have got the information if we had the capabilities. What about creating teams to break into the data once it's been collected. Certainly, that's an issue to consider, to discuss. We need to prove to a judge that we have exhausted all lesser means. To me, hacking sounds like a pretty intrusive means to be able to get the information. But on top of that, if they change that device, or if they upgrade to the latest upgrading system, they decide they don't like that anymore, it's very fragile. It may not be timely. Yeah, especially for the state and locals. We have a lot of really, really smart technologists who can help think through these problems and challenges. We communicate with our law enforcement partners on a daily basis. But the problem is, fechb we might be able to solve a specific problem, even though it might take us a while to get there, the state or local police departments may never be able to have that luxury to have those types of people employed or available to them to be able to do the same thing.
So Tim Cook, earlier this summer, said that, he's a CEO of Apple. And he said if you put a key under the mat for the cops, a burglar can find it, too. I'm worried about security risks in general. The F.B.I. supporting strong encryption. Clearly, we also have the remit for when it comes to bringing people to justice. That includes cyber threats. At the same time, how do we get the evid
