Thanks, I appreciate it. Okay, that was just a warning: anybody who asks really stupid fucking questions, you know, that's what's going to happen. So, okay, what we're gonna do is we're gonna go down the line real quick here and I'll give a quick introduction of everybody. I'm Jim Christy. I'm with the Defense Cyber Crime Center, and I'll turn it over to you guys.

My name is Tim Casiba. I run a forensics lab for the FBI. I've been with the FBI 12 years, and in the government doing forensics for about 18 years.

I'm Bob Hopper with the National White Collar Crime Center. We teach state and local law enforcement pretty much everything they need to know about computer forensics.

I'm Tony Sager with the National Security Agency. I'm the chief of vulnerability analysis and operations for the defensive mission at NSA.

My name is Barry Groney. I'm a special agent with the NASA computer crimes division. We primarily conduct intrusion investigations, and no, we are not air marshals for the space shuttle.

Well, good evening. I'm the token international partner here today. Alangelo, with the Royal Canadian Mounted Police, representing the RCMP technological crime program. I head up the Atlantic region integrated tech crime program.

My name is Tim Fowler. I'm a Marine, a special agent assigned to the Naval Criminal Investigative Service in Washington DC, where I work in the cyber department.

My name is Andrew Freed. I'm a senior special agent with the Treasury Department, primarily dealing with network intrusion and other issues with the Internal Revenue Service.

I'm Keith Rhodes, chief technologist at the GAO. We test the security of the executive branch on behalf of the legislative branch, and they haven't stopped us yet.

Rich Marshall, first-generation Deadhead. I was a legal architect in a former life for Eligible Receiver 97, along with their clerk helped write the cyber security strategy for the nation, and currently do legislative liaison for the agency to the Hill.

My name is Kevin Manson.
I'm a webaholic. You're supposed to say "Hi, Kevin." Thank you. I coined the term "cyber cop" a decade and a half ago, I guess it was, and I was fortunate to be able to co-keynote DEF CON, or Black Hat rather, in 2001 with a very good friend, Bill Tafoya, who retired from the FBI. The thing I left with the con back then is what I'd like to leave with you all, and that is: the elite, the true elite, are those who defend the net.

My name is Linton Wells. I'm now at National Defense University doing transformation, but I had several years with the Networks and Information Integration people in the Office of the Secretary of Defense. I'd just like to remind everybody out there that about 40% of the Defense Department acquisition workforce can be retiring in the next 5-10 years, and if you guys aren't convicted of a felony there are lots of good opportunities.

Hi, my name is Jim Finch, and I am the assistant director for the FBI Cyber Division, and if there is a cyber investigation being conducted on anyone in the United States, you can blame me. I'm responsible.

Okay, with that, the plan is we're just opening it up to you guys for questions at this point. So we need microphones for folks that are going to be asking questions. Are there microphones out there? Okay, that concludes our briefing. Okay, stand up and yell real loud.

So I'll repeat the question. The question is: how does cyber warfare fit into US offensive national security strategy? There actually was a major study that was chartered out of the Quadrennial Defense Review last year, QDR 2006, with the task of developing a theory of cyber power and space power, with the kind of point of getting to those sorts of issues.
So that is underway. It is being done, not yet finished, but watch this space, and I would expect within about a year we'll have that ready.

Yeah, let me add a little bit to that. One of the first live test fires for information warfare was Eligible Receiver 97, and that demonstrated to our senior military and political leadership the efficacy of information warfare. I mean, it really was a real-life fire exercise. It worked and has made a big difference. Later this year, September 19 through 21, I think I have the dates correct, there's going to be a national program called InfoWarCon, which is, check the web on that. It's going to be an absolutely awesome opportunity to see some of the implications of the question that you asked. That was a very good question, by the way.

I'm actually interested in the GAO's activities regarding testing of their sister agencies and departments. Anyway, as somebody who does penetration testing for my organization, I'm interested in your methodologies, how you're working with your sister organizations, and also, you know, what you're doing in terms of relationship building with those agencies so they don't see you as coming in as being, you know, the outsider intruding on their workspace.

I like the point I'd make is that when you're testing someone's security, there's no way they don't see you as the adversary. So, tough. I work for a different branch of government, you know, smile. Methodology is pretty straightforward, you know: you imitate the outside, you imitate the inside, and, you know, crunchy on the outside, soft in the middle. I mean, how complicated do you want to get? People think Nmap is, you know, just a tool for mapping a network.
It's really nice for collecting information, you know, and then it gives you the pointers to where you need to go. People go wireless? Screwed. You know, people don't go wireless? Screwed. People use Microsoft? Screwed. People use Linux? Screwed. People use Apple? Screw them. You know, they're not prepared. You go in and you give them the snapshot of the technical representation at a point in time. That's the symptom of the disease, and you explain to them that the real problem is that there hasn't been an Eligible Receiver on the civil side. There hasn't been an Eligible Receiver for the private sector. You're trying to convey to them, okay, this is what could have been done, and by the way, here's all the stuff you need to do to fix them. In some cases we made 500 recommendations on one job. They're very specific. They're very technical. They're very detailed. The front of the report that we give to them, which is what all of you can read, because that's what we post to the web, you'll see it has a recurrent theme: Is somebody responsible for security? Do you do risk management? Please, sweet Jesus, don't use passwords. You know, come up with something better than that. I mean, these are the kinds of recommendations. It's not rocket science, you know, it's just a bunch of buggy software that people haven't configured properly.

Let me pile on on the methodology. My group at NSA includes the red and blue teams, so that's similar penetration testing kind of work. We've actually bundled up, this may or may not help you, but bundled up the blue team methodology into a thing that's now being trained, like it was trained at Black Hat. The assessment methodology and evaluation methodology were developed at NSA. That's the way we conduct our job, and then we've kind of worked that to outsource or to license it out to a commercial company to train for whoever wants to go. We don't get anything from it.
It's just a way of pushing out the methods that we use for anybody else who wants to do similar kind of work, and then we do, you know, the same kind of technical work. Our blue team also spends a lot of time, you know, it's more than giving folks recommendations, right? It's helping them walk through analysis of their configurations of all the components and how do I put things in place. You know, it's not simple fixes. It's training people and doing a lot of things if you're going to solve these problems, you know, after a penetration test.

I have a two-part question for the NASA representative. First, I mean, I know you guys are a consistent target for a lot of attacks, recently and a few years ago. So do you take kind of a holistic approach to a lot of that? And my second part to the question is, sir, are you drunk right now?

Oh, shame, unfair. In response to your first question, I'm actually, honestly, just a cop. One of the things about NASA's IT security infrastructure is it's really fluid, and what a lot of people don't really recognize with NASA is that it's actually a research organization, and a lot of their systems are by definition open. They're a research organization. They have to share data. When you start sharing data, you're leaving yourself open to attack. So yes, we get attacked an awful lot because we're a high visibility target, and for some reason people see hacking NASA as something that's like the golden orb or something. I, you know, I don't quite get that, but you have to understand we're not like DoD where everything's locked down, you know, and you've got all these policies in place. We get a lot of PhDs for whom security is pretty low on their list of things they've got to do. So that's something that we deal with. I don't really do IT security. I do the aftermath of bad IT security.
So, hopefully. That's not mine.

Having to deal with a huge bureaucracy that often doesn't listen to common sense, what advice would you give to us as we go into the boardroom to try and convince the CEO that his ALL account is in his best interest? And where are the UFOs hidden?

I think the answer to your question kind of falls along the lines of the Sarbanes-Oxley Act, which I kind of politely refer to as the Accountants' Full Employment Act. I take it you're accountants. The other point to be made is, anytime a person is on a board or anytime a person is a CEO, they are tagged with some very severe responsibilities, which they use to justify their enormous salaries. But part of that is called a fiduciary duty to the stockholders, a fiduciary duty to those who have invested their money and who have invested their lives into the company to try to make it profitable and try to make it better. And so often they're so concerned, and I think part of this is due to the accountants, it's also due to the stock market, the way that operates, and that is the fact that they're driven on short cycles for return on investment. They call that ROI, and that's very important as a business model. But as a lawyer, I want people to remember that ROI also stands for risk of indictment. So if they screw it up, they run into this issue of deprivation of liberty, also known as jail.

I'd like to get your opinion on how you think the legal system is keeping up with all of the new technology issues that are coming up, because depending on who you talk to, we're either keeping up with them or we're way behind in terms of where the legal system is. Having worked in a law office for some time, I've experienced that we're really far behind. And I just want to know, like, what you guys are, to use the cliche, out on the front lines.

Our mission on this panel is to bring the legal community into the 20th century. You know, the 20th century would be great.
If we can just get them that far.

I'll take a crack at that. There are components within the Department of Justice that are not only training federal investigators but are also training prosecutors. I've been involved in training prosecutors. I'm with Homeland Security at the Federal Law Enforcement Training Center, and I, by the way, should add there were no tax dollars that were injured in my travel to Las Vegas. I'm here at my own personal expense. But we've been training prosecutors, and the final frontier, quite frankly, in the justice system is training the judiciary, and that is even being done by the Computer Crime and Intellectual Property Section in the Department of Justice. And there's an old saying in the legal profession: you know, what do you call a person who has graduated last in a law school class? The answer is "Your Honor." I can take shots at the judiciary. I used to be a judge. But that's a very, very good question. It's something that, quite frankly, we base our decisions in the justice system on what's called stare decisis, which means the precedent stands, and yet we are trying to analogize into a realm that is totally different than what the legal system has had to deal with in the past. So there's going to be some truth found between the prosecuting community and the defense community. We have an adversarial system of justice; some have an inquisitorial system. But that's a very interesting question. I appreciate the fact it was asked. Thanks, man.

I'd like to broaden the question a little bit. I don't think that there's a forum in the United States, whether it's legal or political or ethical or philosophical, to address the issues that science as a whole is teeing up for this country, whether it's biotechnology or information technology or whether it's nanotech or cognitive sciences. There are a whole raft of issues out there.
They're going to be affecting our lives, liberty and pursuit of happiness before we know it, and there's no way to even gauge that in the political system. So as you go back to your representatives, you go back to the presidential debates, whatever, you know a lot of things that most people in the American public don't know. Get those into the debate, get those into the question, because without having it we're going to be, you know, as you say, always behind the power curve.

Let me kind of give a holistic observation on your question. Part of the problem is that the legislature, whether it's state or at the federal level, and I work at both, is the fact that they only are in a position to react to the immediacy of a problem. They're just a very small part of it rather than a large part of it. Let me give you a couple of examples to help illustrate what I'm talking about. Many members in Congress are very sensitive to their constituent concerns. The constituent concerns in a cyber security arena tend to revolve around a couple of issues: protection of personal privacy, privacy issues, and identity theft. Those are hot-button issues, and so members of Congress, and also at the state and local level, are going to focus on those issues. But they're going to be short-term solutions to just a part of the problem, and part of your responsibility, part of your responsibility and part of our responsibility as well, is to help educate those members in a legislative environment that it's not a small problem. It is a big problem, and it needs to be worked together, not just piecemeal. There are some attempts, and here's how it plays out in the business world. There was a big concern about the loss of personal data with companies that aggregated your personal data, and when that was lost that would result in identity theft. So California was a leading state that said, alright, any financial institution that abuses or loses personal information of someone who does business with that banking institution,
that financial institution has to report that loss to the affected individual, even if that individual does not live in California. Now that is quite a burden on the financial services community. They complained about it, but it won a tremendous amount of public acceptance, to the point where I think there are 27 states that have their own version of that. Which means companies who are doing, I mean banks do business all over the world, all over the United States, so they have to comply with 27 variations of a theme. So you need national level legislation on that point, and it's not just at the national level. You have to think about, our world is net connected, so the European privacy laws, the European privacy directive, have tremendous impact on our lives here in the United States. They're more interested in privacy than we are because they've experienced totalitarian governments much more recently than we have. So those are some big issues that need to be addressed. You can't do it piecemeal. It's got to be done in a big way, and you're in a position to help influence the outcome. Don't just complain about the system; make a change in the system.
The time is now. The challenge is yours.

Two-part question as well. First, if the country came under cyber attack, would you reach out to the community that's represented here for help, and what would that look like? And two, regardless of that first answer, what will the government response be should the community decide to take matters into their own hands?

I can't answer the second one. The first one, it seems to me that if we were under serious cyber attack, the nation would be foolish not to take advantage of the skill sets that are here in this community. My guess is that initially we would not; we would look internally, and then depending on the level of the attack, we'd probably realize that we have to draw on the skill sets here. And so I think we would very quickly get to the situation you talk about. I honestly can't say how we'd address the second one.

Perhaps. You say if the country was under attack. I would say there are many days I feel like the internet is under attack, and as far as reaching out to the community, we always reach out to the community, sources of information. We know there are people sitting in the private sector. The private sector owns the internet, and they are most familiar with it. They're looking at the security of the information on the internet. They're looking at the net flow. They're doing the net flow analysis. They're configuring the security on the internet. We would be fools not to look to the community, so to speak, the very people who are securing the internet, for help, because the private sector sees it first. As far as taking the law into your own hands, well, we would handle you like any other criminal. That's what we do. But we would reach out to you for your assistance because we know that skill set is there. Even though I have it on my staff, there are a lot more of you than there are of us. So we don't have to be under attack to reach out to you. We need your help.
So I'm constantly looking for talent, and believe it or not, I do get a lot of takers. But then again, I can always use more, because as you know the internet is growing, and the maturity of the internet continues, and so the skill set of the bad guys continues to get better. So I'm going to be looking for more help in the private sector, folks like yourself, to assist us. So if that's a reasonable answer, that's how we handle things. When I look at your community, I don't say that you're necessarily different than the private sector. If you're not working for the government, then I look at the net community, so to speak, as the non-government community. I'm looking in various areas, whether it's a security company, whether it's a group doing nothing but compromising networks. I want to get to know those people. I need that skill set.

I would just reiterate that point. I think most of us here on the panel have spent our lives in public service. We've found it a worthwhile and rewarding profession. The people with the skill sets out there in this audience, we would invite you to seriously look at joining that, because you bring a lot to the table and we have needs for your talents, and as we said before, as long as you haven't crossed some sort of felony line, there's some real opportunities here.

Along that same line, I'm a network intelligence officer for the city of New York, and I guess my question goes to the impending retirement of a lot of members of the federal team, so to speak. So my question is recruitment, and I guess it's recruitment mostly and then retention secondly, which is probably more important. How can we possibly compete on the federal level with the private sector? I mean, trying to get someone in for 40k a year when they can go to the private sector for 120. How are we going to change that? How can we, because to get the best and brightest?
I mean, you all are the best and brightest, but you certainly probably are not paid as well as you probably could be in the private sector. How can we change that? How can we either get our congressmen and senators to realize this, that we can really, you know, retain the quality people within organizations?

Let me throw that back to you, because you obviously took the challenge and accepted it. So I'd like to ask you, because you probably have the answer to the question you're asking us. Quite frankly, I appreciate your service. Give me one of those. Thank you very much for your service.

I'd like to make a comment on that. You know, I think that most people that are in federal law enforcement, I've been there for 18 and a half years, if we look at somebody and all they're worried about is the money, they're probably not very well suited to federal law enforcement to start with. I think most of us that do this do this because we're trying to serve our community, the American people, and in many cases even people of other areas, and I think that there has to be a certain desire to want to do the right thing at a certain risk, your risk of not making as much money. I think that in the federal government we're not in a very good position of bringing people in at a high salary. We're in a good position bringing somebody in at a low salary and letting them work up to a relatively high salary. But you know, we have soldiers overseas that have PhD degrees, that are extremely intelligent, that earn a fraction of what they would in the private sector. They do it because of their dedication and loyalty, and I think that if somebody wants to be in law enforcement and they're willing to make those sacrifices, it's a damn good job. And I've been doing it for 18 and a half years, and you know, if I was young enough I'd do it for another 18 and a half years. It's a fun job.
It's a challenging job, and there's things that we can do, or I get challenged with, that you will never ever be exposed to in the private sector. So if you're worried about the dollars, don't apply for a federal job. But if you want some really good work, and when you're retired and have your grandchildren on your knee and you want to tell them all the stories that you did, the war stories, then that's why you get into law enforcement.

This gentleman touched on my question about three questions ago. With more programs coming to light with the NSA, with IRS and even the FBI, your massive data aggregations, how high on the grand scheme of priorities does security of information fall, and what are you doing, not in detail of course, but what are you doing to convince me and the people that we can trust our government with that kind of personal information?

Let me take kind of a philosophical stab at an answer to your question. I doubt if any of you, or maybe just a handful of you in this room, are going to remember an incident, a program called the Clipper chip, which, well, that's refreshing that you do remember this, because so many times we get to relearn history. We forget to learn from past mistakes. And in that particular situation the issue focused on who was going to be the escrow agent. Was it going to be a federal entity or was it going to be a commercial entity?
It turned out that no one was happy with any result. What I found very fascinating during the national debate that arose as a result of the Clipper chip was that, in spite of the fact of constitutional amendments that protected the privacy of US citizens against encroachment of the government, the public at large seemed to be more willing to let their privacy be protected by private companies, where you had little if any legal recourse when the information was lost, and very little concern about the fact that those companies might go bankrupt, as many of them did, and their data was lost. And I found it just philosophically fascinating that people trusted private industry more than the government to protect their personal information. I'm not sure that answers your question completely, but it kind of gives you a thought piece to work with.

Another thing many people unfortunately are not aware of is the Fourth Amendment does not protect you against industry. It only protects you against government intrusions, the unreasonable intrusions. So that's something to keep in mind, and one of the things I do at the Federal Law Enforcement Training Centers is I teach cops how to obey the law while they enforce it.
It's very important because federal law enforcement agents have a very long reach, and they can reach into people's privacy very, very easily in many, many ways. But I remind my students, I also tell them that if you don't like the Fourth Amendment, then I can tell you where you can get a job where you never have to worry about these so-called technicalities about following the Fourth Amendment. You know, go to work right now in North Korea, Cuba. They call them police states. So it's very important to remember that the Fourth Amendment is the bulwark, and we train the agents that way. And sometimes they make mistakes, but when they do, we've had agents who have paid the same price that other people who violate individual civil rights pay.

It's also worth noting, along the same vein, European privacy laws were alluded to earlier. I think by and large in Europe there's a much greater suspicion of industry than there is of government, and that's reflected in the laws. And so there's a balance here. I think it's important to realize that our privacy can be affected by a number of things, not just the government, and the aggregation of data doesn't just exist in government databases, and the real solution needs to be a holistic one to the problem, not just one piece.

My question is a serious one. I'd like to know what you gentlemen think about whether or not the federal government is prepared today to deal with a major cyber attack against our infrastructure, and if we're not prepared, what work still needs to be done to get us prepared.

Yeah, I wanted to start with the fact that it's not just the federal government that protects this infrastructure. The vast majority of the infrastructure in the United States is in the private sector, and one of the things that came out, going back to the 90s, with Presidential Decision Directive 63, was these information sharing and analysis centers, to try to bridge the gap between the public and private sectors. For a number of reasons those haven't
worked, but this has got to be some kind of a partnership between the federal government and the private sector. But I would argue emphatically that the nation as a whole, federal, private, state, local, is not in fact ready for that kind of an attack.

I'll echo every point he made, and I'm going to give you a couple of graphic examples. Many years ago the threat was kinetic: heat, blast and fragmentation. You could see missiles coming over the horizon, and you crawled under your desk and protected yourself, and you knew it. Yeah, duck and cover. I mean, when I was a kid, which in my mind was not that long ago. Some people think that was still the case. Was that at Gettysburg? Yeah, I think it was during the War of Northern Aggression. But the point to be made was, we knew that if someone fired a ballistic missile at us, it was nation-state sponsored. It was an element of war, and people could agree on that. Today the world has evolved in a very dramatic way as a result of political changes, economic changes, religious tensions, technology, information economics. We're all tied together, and now if a missile were to come into this country, we wouldn't know for a certainty, in all probability, whether it came from a rogue nation, whether it was actually nation-state sponsored, or whether it was a group of fanatics, or whether it was a crazy group somewhere, and you pick a country. And the same thing is true of information warfare, and it's even scarier when you think about information warfare, because this was illustrated in the Estonia situation.
It doesn't have to be nation-state. It can just be a group of people who want to bring down an economic system, as whoever did it clearly demonstrated in Estonia. And it was a situation where it wasn't so much the Estonian government that responded; it was the entities that were attacked that responded. And when we think of our critical infrastructure, and you can pick any number you want, I've read anywhere from 85 to 95 percent is owned by the private sector. The private sector again has a legal responsibility, a moral responsibility, to protect their assets, and unless and until they are in a position of investing enough money and investing their talent to protect those assets, I think it's unfair to blame anyone unless you're willing to take care of your own house first.

It's interesting you asked that question, because the number one priority within the cyber division of the FBI would be computer intrusions, but the intrusions where most of my resources are dedicated are those intrusions with a counter-terrorism nexus or those intrusions with a counterintelligence nexus. And although I look at the intrusions to the banking system and the other cyber fraud that goes on, when it comes to our national security, that's where I direct a great deal of my resources. So when I look at a major cyber attack, I'm certainly not looking at it from, I don't expect this attack to emanate from within. And so I have a concern, that same concern you have, whether the United States government is prepared to address a cyber attack, but based on what I've seen in terms of the private sector stepping up to assist the government, and whether their reason for stepping up is profit-motivated or not,
I am still seeing the private sector step up to assist, even in those instances where national security is involved, because it is a, what should I say, a flat world now in terms of connectivity, and most of the companies in the US have subsidiaries in other countries, and they want to see us succeed because they want to continue to do business. So I don't think we have to worry about a quote cyber attack taking place right now, one that we can't deal with, because of the economic ramifications associated with that. It won't just affect the United States. It will affect many other countries. But are we prepared to deal with one? It depends on what part of the US infrastructure that attack actually hit.

Unfortunately, we're out of time. I have two quick announcements. First is Hacker Jeopardy tonight, 10 o'clock. Special Agent Tim Fowler, NCIS, is leading our fed-up team, and so come out and support your federal government. And tomorrow several of the feds have agreed to sit in a dunk tank for the National Center for Missing and Exploited Children. I want to thank the audience for the well thought out and considered questions, and sorry we don't have enough time to answer, but we're going to be around most of the weekend. Thanks, guys.

One more quick one. On behalf, I'm the rookie here, I was asked to thank all of you for allowing us into your house this weekend. We've had a great time, and as a coordinator, Jim Christy here has coordinated all our efforts, so we wanted to give him a gift. He also has a significant other here this weekend. So, Jim, pasties. Thank you very much.