Thank you for not setting off any smoke bombs. We really appreciate that. We're sorry about the heat, folks. Yeah, let me talk to God, we'll get it turned down. Or what? Mumble mumble mumble mumble. Popsicles or popsicles. We are trying to get the air conditioning turned up. We'll get it cool. Please make sure you do drink a lot of water while you're here.

We're gonna do a real quick Spot the Fed here. Would DICE Man please raise his hand? Thank you. These feds are not in season up here. You can't spot them. There are, however, other feds in the audience. It's kind of like cancer cells, they attract each other. Would anyone like to try to spot the Fed? Where's who? Where is Justice? You're talking to the Fed, sir. What are you talking about, Justice? Would anyone like to stand up and try to spot the Fed? You have to stand up, sir. You know what, you're afraid. It's okay, you're among friends here. We outnumber them. You had a hazy memory from them kicking down your door and butt fucking you. What, the guy with the white hair over there? Walk over. Oh, black shirt. That's good, sir. That's about half the audience. We've already got one. Hold that thought, sir. Hold that thought. Bring him up here, sir. Jack is now a PFC. Is anyone here from the military? Raise your hand, military. Jack's a former Fed. No, Jack is now a PFC: private freaking civilian. Jack retired. Nice try, sir. You obviously work for the NSA, you have higher standards. Thank you, Jack. Yes, sir. Stand up, sir. Point at him, sir, make the accusation, just like in Orwell. He's already been spotted, sir. You haven't spotted yet. Bring him up. Do you work with him, sir? There's a two-for-one special if you can spot the other one. They travel in pairs. All right, this is the audience participation point. Would Mafiaboy, by the mafia, Mafiaboy, like to kick it off?
It's okay. Actually, the agent who arrested Mafiaboy is here. Seriously. And there is a possibility that Mafiaboy is... please don't arrest him, because I don't think he's supposed to leave Canada. Oops. Canadians, they walk among us. Do we know who they really are? Anyone from the audience want to question this man? Don't be afraid. He's not wearing... Try again, sir. They're supposed to ask intelligent questions, sir. That is not an intelligent question. Unless you're from the Marine Corps, in which case, are you spotting choppers or the enemy? Yes, sir. How often do you have to qualify with a firearm, sir? Quarterly. Quarterly. And the other question. Yes, sir. Can you carry a weapon on an airplane? If I so choose. Ooh. That's a Suburban. Oh wait, wait, does it have the cargo racks on top? That's my personal car. Oh. Does it have a governor on it? No. Maroon Suburban, no governor: bomb squad. What, sir? I don't think he's looking for a date, but thanks anyway. You know, we'll have hacker-fed hookup connections later on in the evening. Is it still not allowed to be homosexual in the federal government, guys? Don't ask, don't tell. Sir, don't ask, don't tell. But thank you for coming out here. DEF CON, round of applause for the guy who decided to come out of the closet. That was truly a brave thing, sir. And just take it as flattery. It's okay. I mean, you're a good-looking guy. Any other questions besides what's your phone number? Yes, sir. Do you carry a rank when you strap that on your shoulder or something, sir? Do I carry a rank? No. As opposed to what kind of officer, sir? Flag officer. Are you officially issued a firearm? What is your officially issued firearm? This one's gonna mess you up. .45. Would that be a revolver? You never know, it could be wide freaking open up here, you know. Customized Springfield. Dirty Harry without the .44. Customized Springfield. Yes. That's not a fair question, sir. That's too easy. Where do you work? Where do I work? In a building. City? San Antonio.
San Antonio. That would be in the great state of Texas. Do you have the power to arrest? Yes. Do you speak Spanish? Yes. Do you say things like "la migra, la migra"? No. In the back. Do you play Quake? No, I play Ultima. Oh, right on. Some people at Origin are my friends. It's a cool game. Fuck off. And they have a really cool security setup over there, you know. They do, what is it, pumpkin dropping every Halloween. They get up on the top of the parking structure. You have to hit a target. You want to win a trip to somewhere? How cool is that? Every Halloween, sir, not every month. What's that, sir? Boy, have I been out of the loop, sir. I work for a living. What's your excuse? What's that? I'm sorry. You're on welfare. Thank you, sir. You know, sir, there are jobs out there. You just have to get off the couch. I thought they rolled them up into EA. They were never a separate... No, sir, sir. They were always part of EA. Very good. Sorry, we're getting a little coffee wars here. Yes, sir. Do you carry a round badge, sir? No. Are you on speed? Are you tweaking, sir? You're looking for a hookup. I'm sure there's some guys back here from the CIA who can help you out. Oh, wait, I'm sorry. That was Compton and coke, my bad. I'm sorry, DIA was doing the speed, right? Or is that Justice? All right. For the love of Christ. Well, that's not going to do any good, because I grew up in a pastel... So I can tell you about four... What's the color of the boathouse at Hereford, sir? Yes, sir. I'm sorry. In the back with the Hawaiian shirt, the very styling Hawaiian shirt. Yes, sir. No question. Okay. Any other questions? Yes. Good question. Do you have national jurisdiction, or is it limited to state? National. Hold up your sunglasses, sir. He's got Gargoyles. Nice shirt. Which background investigations did you have to pass to get the job? Justice. What is the Justice Department, sir? BI, SBI. Don't even know what those are. BI. NGO. What is Area Six, sir? Come on, you can tell us, you're among friends. You're getting closer, but... Yes, sir.
What computer certifications do you have? How about none? You know, I've dealt with various agencies in the past and I usually... Yeah, I've done bank robbery for 25 years, but they just put me in the computer crime squad. Great, is your supervisor there? Yeah, but he did counter-terrorism. Any other questions? Yes. What's your handle? Cygnus. Cygnus, anybody in the chat rooms, look out for Cygnus. Yes, sir. What was the last course you had to take for your job? Unix. Unix. Sorry. Again, louder, sir. No, that was Unix in a Nutshell, sir. I can get you a copy of that, though, if you need it. Yes, let me translate that. In your training, did you have to wear BDUs or khakis? Cargo pants. He works for Southwest. Yes, sir. When you were... Okay, that was actually for the man who stood up, but that's fine. We'll get you in a second, sir. When you were hired, did you have to take a polygraph exam? Yes. Yes, sir. How often are you fluttered per year? How often are you what? Polygraphed? We're not. They're not. How often are you psychologically examined per year? Case-by-case basis. Case-by-case basis. Do you work in the child porn group, sir? No. Have you? No. Do you want to? No. You never know. Yes. You know, yesterday we got one from the Netherlands. The Netherlands was fascinated by scat and urine. Looks like we've got another one. Do you have to take a piss test? Yes, we do. Would you like to know the color and consistency, sir, or...? Yellow. And how often? Random. Random. Did you take one this morning? No. Are you looking to hook up? I told you, you got to talk to the deity over there. Do you want to be? Yeah. Just... I'd be careful, make sure the cap's on it. Yes, ma'am. We sip, we don't swallow, he says. Yes, ma'am. Does your agency ship large... does your agency block large shipments coming across borders? No. They just arrest those guys. No. Do you deliver on Saturdays? Sometimes. Is it time and a half or double time? It's neither, it's your salary. I'm sorry. Yeah, yeah. What's your GS level, sir? 13. He's paid well.
Yes, sir. What was your major in college? Chemistry. So you'd pick up some stuff for later. That's definitely toes over here. Okay. Does your major apply to your job? No. Did it ever? Anyone want to guess where he's from? Are you from the Air Force OSI? Nope. Oh. Not even close. Sir, are you from the Department of Treasury? I said I took the Justice Department exam. That would be a no. That's Feddish for no. In the back. In the back with a beard. That's you, sir. Are you with the FBI, sir? Yes, sir. Do you have your creds? He has his creds. Okay. Oh, have you seen Scully, and is she pretty hot? I've seen her as much as everyone else has. So there's no X-Files. She looks pretty hot to me. Hey, this is what a real FBI badge looks like. Don't photograph that. That's a felony. That's a felony. Don't make it easy for them. That's a nice picture. Look at that. You look real serious there. I'm sorry, sir, I'm straight, but there's a guy back there. We want your phone number. Thank you, folks. We're going to turn it over to the actual Fed panel.

Okay, good afternoon. Yeah, thanks for getting us started, Priest. The answers for me were yes, yes, Chevy, no, M11, no, no, yes. We're not going there. Okay, welcome to the third Meet the Fed panel. I'm Jim Christy. I'm a criminal investigator with Air Force Office of Special Investigations, and I've been detailed away.
I'm the law enforcement counterintelligence coordinator for the Defense-wide Information Assurance Program. And we put a pretty diverse panel together for you this afternoon. And what we're going to do is I'm going to introduce each of them. They're going to make a two or three minute opening statement, and then we'll just turn it over to you guys for questions. But before we do that, I am in the market for trading t-shirts, obviously extra large, so anybody, see me afterwards, t-shirts.

Okay, on my immediate left is Arizona State Representative Wes Marsh. Wes has been a state legislator since 1994, has over 20 years military experience, and he's chairman of the Military, Veterans Affairs and Aviation Committees in the House of Representatives in Arizona. This year Representative Marsh introduced a bill which was the first bill ever in the United States to create a state infrastructure protection center for Arizona, to protect Arizona from both physical and cyber threats.

Immediately to his left is Keith Rhodes. Keith is currently the chief technologist of the US General Accounting Office and is the director of the Center for Technology and Engineering, which includes the GAO's e-security laboratory. In this role he provides assistance throughout the legislative branch. Basically comes in and rakes, codes and plunders on the executive branch for the legislators.

And then we have Special Agent Jim Savage. That's just a nickname. US Secret Service. Jim is the deputy special agent in charge of the Financial Crimes Division of the US Secret Service in Washington, DC, and part of his responsibility is oversight of the Electronic Crimes Branch. He was also detailed up on the Hill to Senator Kyl as a staffer and has been assigned to the Vice President protective detail.

Next to him is Ray Semko. Ray is with the Interagency OPSEC Support Staff.
He was a 30-year MI special agent, military intelligence, working counterespionage, counterintelligence. After Ray retired, he was a CI agent for the Department of Energy and now is with the Interagency OPSEC Support Staff. Next to him, who is that? Paul Smulin. Paul is chief of staff for the information assurance director for ASD(C3I). He's a graduate of the US Army War College and University of Maryland and held multiple assignments in NSA. On the end down there is Kevin Manson. Kevin Manson is an instructor at the Federal Law Enforcement Training Center down in Glynco, Georgia.

Now before we get started and we turn it over, these guys might make an opening statement. What they've asked is they want to know who they're talking to. They've heard some of your questions, but we'd like to do a little survey. Could everybody stand up just for a second? Okay. Wow, this is pretty good. Okay. If you have never broken the law by hacking a system, sit down. Okay. Now what we'd like you to do is really save us a whole lot of effort. We want you to be good Americans, and all of you that we have pictures of that were standing, that have broken the law, what we'd like you to do is meet us immediately following this panel at the law enforcement booth at the pool. Please, please bring a photo ID and your toothbrush. Okay, we're going to turn it over, and Wes Marsh is going to make a couple of mistakes. Go ahead, Wes.

Hey Jim, thanks for the great introduction.
It's a pleasure and an honor to be here as, I think, the first elected official ever at DEF CON, so I'm honored and very humbled to be here. So there are a few of us politicians out there that are not scared to face the public and face the media. Now obviously, before it changes my mind after this... Yeah, particularly at the pool. Obviously, living in Arizona, you know, everywhere we go we want to see our constituents, because we all want to make sure we're in touch with our voters. And I'm just wondering, can I have anyone from... is anyone from Arizona? Okay. No, we're all citizens that are in Arizona. But thank you again, it's a pleasure to be here. As Jim said, I was the first legislator ever to introduce legislation to enact a statewide infrastructure protection center that incorporated both the physical and the cyber portion. Traditionally they both have worked separately and never talked, and that's a problem, because those of you who are involved in information systems, on both sides of the aisle, know that everything we do and everything we touch has something to do with information. When you pick up the phone to call 9-1-1, to call one of these guys or to call an ambulance, you want to make sure they're there, and if someone's gone in to mess with the system, they're not going to respond, and that's a problem. And that's why it's important that we have the information sharing with the physical, the emergency manager in each state, as well as the state CIO, the chief information officer, because the wireheads have to be talking to the physical guys. And again, for those of you, the government does not own the infrastructure.
I know some of you probably think they do. We don't. You own it, you as the citizens do. And the utilities, water treatment systems, those are all owned by municipalities. So think about that too as well, that really the closest government is your state and local government, not the federal government. I know they all think that they're supreme, but the last time I checked, the 10th Amendment said that the states are superior and supreme. So if y'all can help remind them of that too, you know, it was the states that were there first, before the federal government. But thank you.

Wes, thanks for being a part of the Meet the Fed. Keith, you're done. If you let a politician, they just like go on and on.

Hello, my name is Keith Rhodes, and I'm the chief technologist of the General Accounting Office, in the Center for Technology and Engineering. We have two groups. One, we go in and do engineering analysis, usually of failed programs. Yeah. Sorry. I have two groups that are housed in my center. One is a group of engineers that goes in and does analysis of things like national missile defense and stuff like that. But then the other group, that's probably more germane to this conference, is the people who work in the e-security laboratory, and what we've done for the last few years is we've performed about 100 penetration tests against departments and agencies in the executive branch on behalf of the legislative branch. And I guess just to tell you our track record: we have a hundred percent success. Ten out of ten on getting the mainframe. Nine out of ten on getting the Unix boxes. Ten out of ten on getting the Linux boxes. Sorry, but that's the way it goes. 11 out of ten on getting the Windows systems. That's what we do.

I'm Jim Savage from the Secret Service, and it's my pleasure to be here today. As far as I know, I'm the first Secret Service agent that's participated in this conference. Depending on how it goes today,
I might be the last. But for those of you that do know or don't know, I'll give you just a real quick spiel on the Secret Service. I think everybody's familiar with our protective mission. However, the Secret Service is a Treasury law enforcement agency, was established in 1865 to suppress counterfeiting. That mission continues today. However, over the years, as our payment systems have evolved, so has our mission and our jurisdiction. We currently share concurrent jurisdiction with most of the computer crime law out there with the FBI, as well as access device fraud. The cornerstone of our investigative program as it exists today is built around what we call our ECSAP program, that's Electronic Crimes Special Agent Program. We have about a hundred and seventy-five trained agents today that are deployed to various field offices throughout the US and a few overseas to work our high-tech investigations. And I'm not going to preach to anybody today, but just thought it'd be a good idea to open up a little bit of a dialogue with you guys out there. This is, I think, kind of the cyber equivalent of community policing in the physical world. The cop walks the beat amongst those in the neighborhood. In the cyber world, this is our cyber community. Yeah, there are no boundaries, no geographical boundaries. So without any further ado, I look forward to entertaining some questions from you, dispelling a few notions, one of which I can do right now, that feds don't work on the weekend. Here I am. And maybe confirm a few notions that you have, but I look forward to participating. Thanks.

Thanks, Jim. How many of you've heard Ray Semko speak? Okay, well then you all know why he's had multiple orgasms here in Vegas looking at all these dice tables. He's the DICE Man. Go ahead, Ray.

Good afternoon.
I represent the Interagency OPSEC Support Staff. We're located in Greenbelt, Maryland. We are the executive agency responsible for implementation of operations security throughout the federal government. We do this in corporate America. We do it in the federal government. Our job is to protect sensitive but unclassified information, to help people protect their intellectual property, to help people protect that which is not classified, but that information which isn't unclassified. Basically, I personally have been in the United States government since 1967, when I received my draft notice. I was drafted in 1967. How many people here have been drafted? Any? Wow. What an audience. I mean, how many people have been in the military in this audience? Can I see a show of hands? All right. I decided at the age of 19 I was going to stay in the federal government, not because I loved it so much, but because I knew that I could not effect change unless I was inside it. That's why I look the way I do. I don't fit the mold. Listening to Simple Nomad yesterday, he said you got to think outside the box. That's what I do. I try and think outside the box. What I'm trying to do is protect this country, protect all our rights, so that you people out here can do what you enjoy doing. Okay, we all are in this country together. We all have to have each other's back. I go around the world telling people what the threats are and how to counter them, and I do it a little bit differently than the average bear. So as Jim already stated, I have loved my time here, just dealing with some of you people. Not that I'd invite a lot of you to my home to eat. It's great to see this part of America, and it's great to work on weekends if you believe in your job. And that's what keeps me going to work. See, I retired from the United States Army after 21 years in 1988. I don't have to work for a living. I can live on that military retirement. I can only live in central Pennsylvania, but I can't live on that retirement, folks.
So I'm here to make a difference, just like you guys are. We can all do this. That's for the betterment of America, not to its detriment. What I cannot take is all these other countries out there who think we're weak, who don't think that we're united, and that we're easy prey. And that's what I fight against. Thank you.

How the hell do I follow that? Hi, I'm Paul Smulin, and it's great to be here. As I look out over this really filled hall, actually I'm pretty scared to death. The Department of Defense is dedicated to providing secure and confident services to the war fighters of this country. To that end, the Assistant Secretary of Defense for Command, Control, Communications and Intelligence and the Director of Information Assurance work not only within the department but with other government agencies and our international allies and coalition partners to protect our critical infrastructures that support our everyday requirements, such as electricity, water, transportation, which are vital to the department's ability to provide automated services. While providing those services and protecting those critical infrastructures, critical systems, we're often challenged by many of you that are out there in the audience today. As we meet your challenges, we continue to strengthen the network defenses so vital to protecting our critical infrastructures. So in a way, you guys out there who are trying to cross that proverbial line actually give us an opportunity to make things a little stronger on the information network security side. That is not an advertisement for you to go out there and try a little harder. Okay, as a matter of fact, if you continue to try a little harder, these guys on my right might come and get you. So it's great to be here. I look forward to your questions, and feel free to ask everybody else on the panel anything you want.

My name is Kevin Manson.
I have a very prominent relative in law enforcement custody. At least that's what I tell my students at the Federal Law Enforcement Training Center. I'd like to thank several people, first of all, for being here. I'm a newbie here and I'm kind of on the SINAC track here. I'm very receptive to talking to any of you who want to get a sense of what it's like for people who are involved in training the kind of people that I guess we call cyber cops. That term, cyber cop, is a term that I coined a number of years back, and I've been very fortunate to speak with a lot of cyber cops, but I want to make it clear here today, I do not presume to speak for them. I work for the Treasury Department. We train law enforcement agents at the Federal Law Enforcement Training Center, which is down in Georgia. We train 20,000 agents a year. We have a full-time population on the campus there of about 2,000 students. I consider myself to be a netizen, and I think it's very important that we all share one goal, and that is to protect and defend that very, very valuable resource, one of the most important things that's been created by mankind, in my opinion. I want to thank a very dear friend, Bill Tafoya, who called me not very long ago and invited me to join him for the keynote at the Black Hat conference several days ago. Bill was called in when Richard Clarke was not able to make it to the Black Hat conference, so I was very privileged to be able to join him there. I also want to thank Jeff and BK for their invitation and for their very, very gracious hospitality while I've been here. In the keynote at the Black Hat conference, Bill and I spoke about what I guess we've coined the cyber civil defense corps, and one of the things I've tried to do in the number of years I've been doing this... And I've been on the net since about 1988, where I joined a number of other people in a little small community out there in Sausalito, California, called the WELL. And one of the things
I've tried to do since then... Thanks, WELL beings out there, glad to hear that. Already talked to a couple. I'd be glad to talk to any of you that would be interested in talking to me about it. I'm gonna finish up with this. I'd just like to say that one of the things in my sig file that I include when I send email out, and I'll just read it here: "The truly elite are not those who attack and destroy in cyberspace. Rather, they are those who protect and defend." So I would welcome and join you to come, since we all have a common mission, to help us do that as we carry out our duties. Thanks very much.

Okay, now we turn it over to you guys. Please, you know, stand up and yell out your question. Okay, right here in front.

Okay, well, the question was, as you remember in my comments earlier, that you as the citizens have a loan on the government. And actually if you go back and look at the Constitution, actually... You know, I don't want to get religious on you, but God gives the government down to the people and the people loaned... they give the government the power. So the government has been empowered by the people, the people or citizens. His question was, if the people have given the government the power, then basically the people own the government; therefore you're hacking your own system. Well, I guess my question is, we all, all of us, have records that are all personal information, and I certainly don't want, other than what I have to call public by law... But I think I have a right and title to my privacy, and even though my stuff and your stuff is on there, like your taxpayer records, I think you have a right to that privacy. Your health records: I don't think you want anyone knowing your medical history, and the legislation, the HIPAA legislation, basically provides security and confidentiality for those medical records. So I think in that sense you deserve a right to that privacy and the security of that information. Anybody else want to take that question?
Hi. There's a lot of talk here about Americans here. I'm split between Norway and the UK, and I'm just wondering, do you have any foreign operatives? So do you do any, you know... Let me answer that for the panel. Yes. Okay.

For the GAO, you often do penetration testing and you do recommendations, and there've been reports put out for the last, got to be at least 10 years, over systems that have been penetrated over and over and over again. Why don't the other departments follow the GAO's recommendations?

Well, I mean, one of the points is that, yeah, we go in and we test, but the tests are sort of like the tests that everybody does. They're a snapshot in time, and so we make the recommendations. We've made, Christ, I don't know, 4,000, 4,500 recommendations, but when they're down to the level of, you know, something has this particular hole and please, you know, please patch sendmail for the fifty thousandth time, they patch sendmail, but of course they patch it on that machine. So in reality they have met the recommendation. I've realized that this is a circular argument, but what they have to understand is that we don't go away. We have a requirement under the Chief Financial Officers Act to test what's called the internal controls, that's the security controls, of the 24 departments and agencies that fall under that. That's DOD, that's EPA, that's people like that. It's not until we get into a situation like the Environmental Protection Agency where, before the report was released, even the public report,
I sat down and said, you know, when this report hits our web page and when the information is released from the committee, you're going to have about eight minutes before everybody in the world starts coming after you, and that's assuming that you don't know all the people who are already in. So EPA pulled itself off the net and was off for approximately a month. They had to shut down their operation for a month. It's not until it's a catastrophic failure that somebody actually gets the internalization of security. Well, if we, you know, continue to do broad brush examinations and they don't have a completely catastrophic failure like that, then all we can do is have them meet the recommendations. It's just like comments from the community, right? They're going to say, you know, please don't run XP. Well, you're going to say please don't run XP, and everybody's going to run XP anyway. And that's a non-securable operating system, you know, it's a non-securable environment, because it does so many things to help your functionality, it tries to make the world so much easier for you. So all we end up doing is fixing those little holes. But we have standing legislation, we do have to go back again and again and again and again. Now maybe eventually they'll get it, understand that they have to take it from cradle to grave, but all we can do is embarrass them. Anybody else on the panel want to take that?

And one thing I might add. All of you, I assume, are American citizens or voters, and you need to write your elected officials and let them know. Say, hey, I've read the GAO report. IRS, they went in and got these taxpayer records. What are you doing to make sure this is stopped?
And I know a lot of you out there are not doing it to be mean. You're not doing it to be... even though it is illegal and it's a federal crime to hack into a system, you're doing it to say, listen, you got a vulnerability, fix it. And that's, you're trying to do something. Well, at least the ones that I've talked to, that's what they tell me. But what am I supposed to... politician, just kidding. But you need to be in touch with your elected officials. You need to say, listen, what are you doing to make sure policy is in place to enact... because that's what he's doing. That's his job. That's why we're using taxpayer money to pay him to test these systems, so you don't have to test them. So I would encourage you all to do that.

I would just like to add very quickly, the federal government is not that much different than the private sector, in the sense that in terms of the understanding of the need for, say, information security or protecting the systems, it is not necessarily readily embraced by all those at the top that need to have it. So unless a business case is made, not until that happens will you make a believer out of either a private corporation or even someone in the government. And with government you're talking about bureaucracies; that means they have to reapportion a part of their budget dedicated towards the security aspect, and the government is sometimes slow to change in that regard. Next question.

My question kind of spawns from a small conversation. With the integration of computers into everybody's lives, there's going to be crimes ranging from a smaller level to a very large level. It's gonna be a more common thing over the years, even just little pranks. Maybe instead of TPing somebody's house you drop their whole network at their home. On the larger end, what this is basically is that the government over time,
I think, has been more educated on these crimes and how to deal with them. But I think sometimes we've heard some media horror stories on how some hackers have been dealt with when they've hacked into a machine, and basically like Kevin Mitnick, three years or so in jail with no trial, and he's probably an extreme case. But are you guys becoming... I think you are, just kind of reassure the crowd here... is it becoming more educated as far as how to deal with these crimes in a fair and proper manner?

I'd be glad to take that one. My day job is training cyber cops, and one of the most important things we do is we train law enforcement not only to enforce the law but to obey it as well. And the people that I work with are some of the last people that see federal agents, you know, the people with the badges and the guns and the laptops. We're some of the last people to see those before they get out into the field and they start having to carry out their day-to-day duties. And one thing I'd like to do is, I'm gonna keep kind of a listening port open for the conference. I'd like to leave an email address for any of you who would like to carry on a dialogue, would like to provide us with some insights, provide us with some viewpoints that perhaps we don't get during the rest of the year. The email address I set up is defcon_niner, N-I-N-E-R (somebody else took defcon nine), at hotmail.com. I think this issue of training is absolutely critical. We need to rely upon a lot of technique, a lot of technology that many of you have skill sets for, and that's the reason why the keynote that Bill and I delivered earlier this week at Black Hat said we do need your assistance. But we're not looking at the assistance from the perspective of you joining the cyber corps as a cyber cop. Rather, we're asking you to join it with the idea in mind of assisting those of us who are responsible and do have duties to protect and defend in cyberspace, so that we can get a better sense of what you really
do and what your views are. I set up a cyber cop / cypherpunk panel at Computers, Freedom and Privacy several years ago and invited some good friends. Bruce Sterling has been our friend for a number of years. We brought in Phil Zimmermann, a number of other individuals. I'd like to see that kind of thing continue at conferences like this, where we can continue the dialogue both offline as well as online.

Let me just add, from the enforcement end of it: your point is well taken. Your point actually relates to an even broader theme, and that is the integrity of our justice system. Training is an important component, but the other part of the justice system is the enforcement end, and it's the laws that are on the books. But ultimately what it boils down to is, you know, who do you have investigating the case? You know, who do you have actually presenting the facts of an investigation to an assistant or US attorney? How do they interpret those facts? Does the judge understand the case? Is justice meted out in a fair and even way, in a consistent fashion? Those are important points, and I don't know that there's an easy answer to that. But even though we're from the government, we're also citizens ourselves, and we have family members that use the computer, use the internet, as we do as well. And so to me, I have a personal sense, and I believe we're trying to instill in our own agents, we have a huge amount of responsibility in the cyber arena, maybe perhaps even more so than in the physical area, because we're oftentimes dealing with issues and circumstances that are not readily understood by those in the traditional and conventional law enforcement and justice community. So I don't know that there's an easy answer, but it's certainly a point well taken.

I think the insurance industry is going to solve a lot of those problems, quite frankly, with stockholder suits and things like that if they're not adequately protecting your systems.
I'm not saying that's the only solution, but... Well, as you've already learned, you're not going to be able to rely exclusively on the government to solve this problem. There are people out there who have asked, at conferences like this, for your help, and that is in fact the solution. That's what PDD 63 contemplated: a true partnership between the public and private sector, and so that's one of the reasons why I'm here, quite frankly. And if you're really interested in that, I would be more than glad to talk to you offline. I'm working with a group of people who have set up a virtual private network so that we can continue these kinds of discussions, not just within the law enforcement community, but also with folks like you.

I'll tell you, to follow on to that, that's kind of a tough call in terms of the private sector, because you have to walk that balance between what are you going to mandate to private business to do and what are you going to hope that the marketplace encourages them to do. For anybody who's in business for themselves out there, what they don't want to look for is additional government regulation telling them what they have to do and how they have to do it.
And when it comes to the implementation of PDD 63 within the federal government, such efforts as what the GAO undertakes to try to get agencies to clean up their own act is part of it. But you have to understand, you all are quite comfortable with some of these concepts; there are a lot of people in the government in some very important positions who are just now coming to understand what all this means and how it actually affects their day-to-day operations in the government. PDD 63 was a good thing, and it pretty much set the stage for the ideal concepts, but it didn't necessarily provide a roadmap. Hopefully the new national plan will try to address those things as well. We all kind of know where we want to be, but honestly there is no detailed step-by-step checklist to get there.

Let me just add one other point. What are you talking about? Oh, OMB A-130, or E-SIGN, or GPEA, or any of these laws that are out there. The larger struggle is that the department or the agency, I mean, I think they finally understand that absolute security is impossible. Well, I mean, we've broken into an agency through its printer, you know, one side was internet, one side was intranet. Well, it was a device; they didn't really view it as a computer. They didn't view it as something that had memory and a CPU and all that. But what all those laws really require of the departments and agencies is that they do a risk assessment. They have to have security commensurate with their risk. For example, if you look at the Government Paperwork Elimination Act, it defines a digital signature as whatever you think it can be, you know, it's up to you as the department or agency to say user ID and password is acceptable. Well, that's the biggest struggle that we in the GAO are going through right now, because we always get in, well, we get in, we write our report, and we always up front in the report tell them that they have to have a risk assessment.
They have to be able to manage based on risk. Well, that's: what do I have? How long do I want to protect it, against whom, at what cost? And at what cost is the thing that always gets in the way, because everybody talks about a public key infrastructure, but they ain't coming cheap and you can't get one off the shelf and they don't scale well, and Kerberos breaks, you know, at a certain threshold, and all the rest of that crap. And we break into encrypted systems because, you know, the key's stored in the swap and they left the file in and all the rest of the junk that goes with it. They aren't managing based on risk. The government is still having a very tough time saying, what do we do for a living? So that's really the point: that you as citizens, as voters, as people who are supposed to care and be interactive with your government, you're supposed to say, I think the risk is this. If you start making an argument about privately held information by the United States government, like your tax records, like your health records, like what Wes was talking about, then you're going to be part of this risk assessment. Because the government's going to look at this room of people and we're going to say, okay, we'll take a statistical sample and we'll base risk on it; it has to be less than a particular percentage threshold. Well, 10% of this room having their identity stolen is a catastrophic failure for that 10%, but that still means the government has a 90% success rate.
That's not how it's going to work.

Let me take just a minute. Part of your question deals with skill sets and certifications and security. Under PDD 63 we talk about skill sets and we talk about certifications. Certainly the new center of excellence concept that's being sponsored out of the National Security Agency, as well as scholarships that will be available for college juniors, seniors, and those pursuing graduate degrees and PhDs, is going to help with improving the collegiate skill set of those who are coming to work for the federal government. As far as security is concerned, if you guys think that you are the major problem to the United States government, I'm here to tell you that the insider threat issue is actually a bigger problem: those who already have the keys to the cookie jar, who have some axes to grind or who think they want to have fun, who are actually in there and causing some real damage to some of our systems. There's an awful lot of money being spent on personnel surety to try to catch some of these insider folks, the most notorious of which, not cyber, but the most notorious of which in today's news is Robert Hanssen, and some of the damage and some of the lives that he's caused to be lost as well. So, you know, from the defense side we are looking at all of those things as well. PDD 63 certainly goes a long way into helping us do that.
There's a tremendous amount of funding being generated from Congress to allow us to implement some of those things.

You know, nobody out here wants the government to say do something. Government sits back and gives you guidelines and hopes everybody does the right thing. Well, everybody doesn't do the right thing, and that's why we have laws like HIPAA, you know, the Health Insurance Portability Protection Act, you know, which protects privacy and health information. You know, go back to your hotel and you'll find a sprinkler system in that hotel, and trust me, it's not because the hotel wanted to protect your ass, okay? It's because government came in finally, because people didn't build sprinkler systems in, and had to regulate it. But that's the last thing the government wants to do is regulate. They want everybody to kind of move in the right direction, do the right thing.

Who has the microphone?

A little while ago I attended the talk with a lawyer, I don't remember his name; we were talking about the Digital Millennium Copyright Act. Now, this was a room full of geeks and a lawyer and none of us could figure it out. It was so convoluted and had so many loopholes that nobody could figure it out. I'm wondering, as enforcement, how do you guys figure it out? You're supposed to enforce this mess. Do you have any comments on that?
Well, I have a comment. Like every year for the Department of Defense I put on a computer crime workshop, okay, and what I invite are the information assurance population, the criminal investigators, and our prosecutors, and we bring them all together. And at night what we do is we have the computer crime Olympics, and one of the events is called the lawyer spin-o-rama, okay, and what I do is I have each member of the team bend over, put their forehead on a baseball bat, spin around ten times and run to the end of the room, and it's a timed event. And this is to simulate how agents feel after coming out of a conference with their lawyers. It's also how the agents feel after coming out of the conference with a victim, you know, talking different languages. So what we're trying to do is get everybody to work together, you know, have a common language to understand what everybody's roles are. But, you know, absolutely there are different disciplines; everybody's got a role and everybody's got to learn a little bit about the other person's discipline. I think that's it.

That's a very good question. There's an old saying among those who have worked in Congress or close to Congress, and I'm a former Senate Judiciary staff member back in the early 80s, and the committee that I worked on was responsible for intellectual property. But there's an old saying about laws in Congress: you know, if you love the law and if you love sausage, you don't particularly want to see either of them being made. And I can assure you that that is an issue and it's a serious problem. But the co-keynoter over at Black Hat, Dr. Delta foyer, is going to be in a position, in the very near future I think, to have a lot to say and do with that particular issue, and that is a very good question. I hope that we can build some real bridges between a lot of different communities to make those kinds of laws more accessible, more understandable. And our job in the federal government, on the training side, is to train agents so that they can in fact enforce those laws. And again, I'll just ask, for those of you who are interested in this area and are willing to help and work with us, we would be more than glad to do it.

We're almost out of time. We only have one more question here.

Well, given that it's illegal to poke at a machine for which you don't have permission, given that we're interested in figuring out both how to break into these things and how to prevent these break-ins, and you're interested in figuring out how to prevent the break-ins, have you guys ever considered setting up a domain where you give us permission, say it's okay, we're going to try and protect this thing, you guys can get training, we can get training and everybody's happy?

Actually, back in the '96, '97 time frame we were looking for a public-private partnership to do exactly that, where it wouldn't be against the law. We let people inside the first perimeter, and your job was... and everybody benefits. We can test our countermeasures, you can test the attacks against us, and then we know how to deploy. Absolutely, but all that requires resources, and unfortunately, you know, that's... you can ask any one of these guys, that's one thing none of us have, is the resources to do that. But yes, we have thought about that.

Well, part of the problem: we looked at doing this at the National Security Agency about maybe four or five years ago, setting up a site, probably in conjunction with this conference.
It was just kicking off in its earlier years, to let you guys come in and do a capture-the-flag type exercise with us. The entire problem, when we presented this to our legal guys at the National Security Agency, they kind of ran, you know; they said no way are we going to let these guys come in. So, you know, we have some tremendous legal issues when we set up something like that that we have to overcome. Are people still looking at doing this? The answer is yes, they are. Exactly, but there are some extremely difficult legal issues, and of course lawyers run scared all the time, not just NSA lawyers, but the Department of Defense lawyers are extremely conservative when it comes to doing anything that potentially has, you know, vulnerabilities and risk associated with it. Okay, appreciate y'all for coming, being polite.