He did a terrific job closing Black Hat for those of you who are over at the Caesars. Art Money is Assistant Secretary of Defense and CIO of the Department of Defense with responsibility for command, control, communications, and intelligence. And just about takes care of everything. He has an extensive background in industry as an engineer and he's also been president of a major defense contractor. Next, Dick Schaefer. Dick works for Mr. Money. He's the Director of Infrastructure and Information Assurance in DOD. He's been in the information security business for over 25 years and he is a former U.S. Marine. Next, Jim Christy. Jim is a special agent in the Computer Crime Investigation Wing in the Air Force Office of Special Investigations. He is detailed to Dick Schaefer, the Defense-wide Information Assurance Program. He is the Department of Defense Representative to the President's Infrastructure Protection Task Force. He was detailed to Senator Sam Nunn in the past, and the Permanent Subcommittee on Investigations, and he's Director of Computer Crime for the United States Air Force. Last but not least, Dave Joel. Dave is the Director of FedCIRC, or the Federal Computer Incident Response Capability of the General Services Administration, or GSA. This is the way we're going to do it. Each person is going to take a couple of minutes to make a statement and then we will calmly, respectfully, and with great dignity, question the panelists. Mr. Money.

Thank you. It's, I think, indeed a pleasure to be here. Come on, lighten up. I've been asked so far today, at least a dozen times, why did I want to come here? To me, this is a unique opportunity to talk to you all, as was it last night with the Black Hat Affair. My job in the Department of Defense is, in fact, to keep what we call information superiority working, make information superiority work or happen. What does that mean?
The premise, the vision, the Vision 2010, that General Shalikashvili laid down, who was the chairman of the Joint Chiefs of Staff about three years ago, is how America will fight and win in future wars. And what that talks about is dominant maneuver and precision engagement and things like that, but wrapped around all that is information superiority. And what does that mean is to ensure an uninterrupted flow of information to the warfighter and deny an enemy, or an adversary, that same. It also means an uninterrupted flow in a business sense. So I have two hats. The C3I hat is the warfighter hat. The CIO hat is more the business affairs, the Revolution in Business Affairs hat. And the two need to work in a seamless manner. The DOD has roughly a $300 billion a year budget, which means about $35 million an hour, 24 hours a day, seven days a week, 365 days a year is flowing somewhere. Electronic commerce is very much important to us. So along the end, we're getting information what the warfighter needs in the cockpit or in a foxhole or in a Humvee or on a ship. At the same time, paying people, having the contractors paid and so forth. All that needs to work in a seamless flow. That may seem a little bit strange to you, but ordering a spare part from a battle should not need, or does not need, cannot be interrupting anyone. So that part gets to the right spot and so forth. Same thing with blood supplies. And we've had hackers hack into hospitals and change the polarity of the blood supplies. That might sound like it's fun, giggles, shits and giggles, that kind of thing, but it's serious stuff. People don't die because they get the wrong blood. Some of those people may be your brothers or sisters, your parents or whatever. So that's one of the reasons I wanted to come here to say, yes, it might be viewed as a challenge. It might be viewed as fun to hack in and screw around with some data, but we're affecting the lives of people.
Maybe those are your brothers or sisters. So that's one of the things that I wanted to get across. The other thing is, to some degree, is to thank you. Last year, Jim Christy and I think Jeff Hunker asked that you lighten up during Y2K, during the millennia turnover. And we have, since the very minimal, hacker problems into the DoD last year over the turnover of the millennia. That was good news because we were very, very heavily concentrating on terrorists infiltrating the United States. Well, I mean, one has come across at Port Angeles from Canada coming into the United States. So our focus was clearly what could lead up to not a cyber attack, not a physical attack. So we want to appreciate your cooperation. My final message in the world of the Q&A is, in fact, there's a couple of new messages I wanted to send. If you're new and obviously some of you are extremely talented, extremely talented and skill-gifted even at what you do, if you're thinking about what are you going to do the rest of your life, then maybe we ought to think of this in a slightly different manner. And that manner is, come to work for us. Come to work with us. I'm serious. There's a couple of great examples. Well, in the White House yesterday, John Norton, who I used to attend this conference, was a security consultant. There's a great need for security folks, for security consultants, for system administrators, for people who understand the ins and outs that we all practice, in fact, to protect the country, to protect the military, to protect the country from the standpoint of what's going on. We're going to end our attack in a hacker sense. We had 22,144 attacks last year on DOD. We know that could be an intrusion device is extensively placed now. These were attacks, blatant attacks, not an occasional ping. So we're getting whatever that works out, Southern or Indian Bay.
Some of these are now state-sponsored by other countries, or transnational problems, transnational groups coming in and attacking, maybe not just for shits and giggles in that context, but actually to do much more serious damage. So the whole game has changed. A hole in the Solaris operating system that caused havoc two years ago isn't going to be as serious today, but having much more subtle attacks, much more sophisticated attacks, and frankly, what keeps me up at night, the ones that are out there that we haven't even detected. The integrity of the non-sense, which is the greatest nation in the world, this is a great weakness of that. Where else could this kind of a convention be held? Where else could this happen? So at the same time to preserve your rights, I support the Constitution of the United States, I've been confirmed twice, support the laws of the United States, but at the same time to think about what are we doing in the future? What are we doing now that will affect our lives in the future? When I invite you to join the government, or private industry for that matter, but get on the defense side. Yes, the government has some offensive capability. I don't talk a lot about that here, but yet it's another weapon system in the corner that we need to protect ourselves. It isn't used. It is only used with presidential authority as if it was needed to release. That's the severity of cyber attacks in how we work those in the United States government. So I invite you to think about what you're doing today that may affect you in the future. If you really enjoy what you're doing, and as I said, a lot of you have talent that way, join us in preventing and educating our people and preventing more serious damage to be done to the country in the future. Thank you very much.

Thank you. Dick, next step?

No. I just want to add a couple of words to what Art said and sort of put in perspective the operational environment in which we conduct our everyday operations.
I don't need to tell this group that it's a globally connected, interdependent environment. It's commercially-based. It's infrastructure, commercially-infrastructure-based. And so when you're out there sort of running around the neighborhood, we're your neighbors. And the sophisticated or the serious adversary that Art spoke to, and there are a lot of very, very malevolent characters out there. Could be nation-state, could be trans-nationals. Our friend Osama bin Laden doesn't necessarily always have to use physical means to get his way. But we're all out there on the same highway. And the more that we interact, the more that we bump into each other, the more we have to understand sort of the rules on the road and how we play. Because in that environment, we don't know whether it's you or whether it's Osama bin Laden or one of his compatriots that are trying to do something malicious against the U.S. And there are many, many serious operations in which the U.S. engages that we absolutely seriously depend upon that infrastructure in order to conduct that business. And unless it's there, unless it's there when we need it, unless it's there providing the capability that's essential to conducting the operation, whatever it is, we're in trouble. We're all in trouble. And the U.S. close partners and allies could be in trouble. So I'd like to sort of foot-stomp with what Art said. Those of you out there who consider yourselves to be really good, anybody can download scripts off the Internet and put them into the system and fly away and that's pretty easy. But for those of you that are above that, are sort of the best of the best, we've got some of the most sophisticated toys in the world, much more sophisticated than what you've got in your basement, I guarantee you. And if you'd like to get access to those toys and become part of a very, very elite team, then we invite you to have a discussion. And that doesn't necessarily mean U.S. government. 
As Art said, there's a lot of contractors that we rely on to support us. But I can guarantee you there's nobody here with the level of sophistication that can be matched within the U.S. government and there's nobody here that has a set of toys that's anywhere near as neat as the stuff that we've got. So with that, we had hoped that we'd have some military recruiters here just to sort of handle the onslaught. So we do, back in the corner there. Just to please your motivators. So anybody at the conclusion of the conference that wants to sign on, I guarantee you we're very interested in talking to you. But I'll just qualify that. We're interested in talking to the best of the best. If you're average, we don't really need you. If you're the best of the best, then we're very interested. Thank you.

Who's that with you, Jim?

I'm going to make my statements right here real quick. First up, I'm going to piggyback off of what Mr. Money and Dick said. But before we recruit you, you know, in God we trust; all others, we polygraph. So I just want to make sure that we're good. And I'm just here to trade t-shirts. So anybody who wants to trade t-shirts with me, you know.

Okay. Okay, Dick. I have a question. How many hackers in a room? No hands? Oh, come on. Aren't you proud of what you do? I just want to do it. Yeah, I said close your eyes. I just wanted to emphasize something. Building on what Art Money said a while ago. There are first things that are done for education, for curiosity. And that's good. That's how we learn. But those of you who would enter into an event for the purposes of anarchy or causing disruption of services to critical services where life and death and our way of life depend on it. There's no glory in being an asshole. Think about what you're doing. And think about the methods that you use for drawing attention to yourself whenever you discover a vulnerability or a weakness in a security posture of a system. There's a right and wrong way to go about it.
What I would ask of you is if you discover a weakness in a system, rather than posting it on some chat line or an IRC or sharing it with your buddies, pick up the phone and call me. I'll give you the number. It's toll free. It's toll free. It is 888-282-0870. Call the Federal Computer Incident Response Capability. We will take what you have learned and make a difference. We will put into place protection mechanisms while we will put into place patches where they're needed. We know the government is way behind on this and we know that. And we need help. You're in a position to either help people or to hurt people very seriously. And we would ask that you take a common sense approach of that and do the right thing. Call us when you find something wrong. We'll fix it.

I'll give you a number for dial-a-prayer. How's that? If you're good enough, you can find it, right?

Okay, you've had the challenge. If when he gets home, his answering machine is connected to clublove.com then he'll know he's got somebody elite out there in the audience worthy of their attention. Okay, ready for questions? Sure, do it. Okay, yes. And so what is your question addressed? Anybody in particular? Okay, who would like to take that one?

I think your, let me work on your second point. It was well taken. Up till two years ago, system administrators and I'll speak specifically and totally of the DOD. Dave Gerald with the other means, General Services Administration, he's broader in the government context. The DOD system administrators were very likely to have two or three other jobs and then be system administrator. I've jokingly said with some precision that you may in a post somewhere, post, camp, base or station somewhere, you may have the mess officer or the motor pool officer and then be the system administrator. So it was viewed as an add on task and not as a full time job.
Consequently, the DOD has not, had not trained folks very well, nor had put into a discipline since when a motor boy was found that it needed to be patched corrected within a period of time. Since Solar Sunrise that has started to change. You can get red teamers every day. You all are here and wherever other folks might be. A red team is every day, so every day we're getting more robust. But frankly it's a pain in the ass. It's a constant haranguing and we have more important things to do. I'd rather have my resources devoted on what another state's trying to do to us, another sovereign state that has attacked the United States has taken gigabytes of material, unclassified open material, but nevertheless has taken it out in a data mining rule. I'd rather go after that kind of thing than being seven times a day building in bare places trying to say what the hell is this one doing to us. So we're getting better. We've got longer to go, and I'm training and I'm full-time jobs for system administrators and the discipline to fix those things when they become obviously need to be fixed. The Solar Sunrise problem that took us three weeks and so forth and those we heard yesterday, the three weeks was mostly because of the arcane wiretap instructions to go back and figure out who the attackers were. Just took time. So you have an antiquated law that takes physical appearance before a judge with a pile of paper and makes switching since it could be no seconds. There's a greatness master that's starting to be changed. Until that time, 70-80% of that attack could have been wanted if the system administrators had put in the patch that was well more than the Solaris Operating System. They hadn't done it. So we're getting better. Yes, you can still find holes that I'll submit. It's getting tougher every day for you to get in and screw around like you're used to. I print it because we've got more and more robots. We have a hell of a lot more search centers.
We have a lot more training and more discipline in the system. Frankly, we'd rather devote our attention to a nation state that has probably a hell of a lot more of a different motive than a malicious attack.

Okay. Another question? Yes.

I didn't say shoot them. In a physical sense.

Can I repeat the question? The questioner said that yesterday at Black Hat, Mr. Money spoke of influencing legislation toward the direction of greater purity of measures directed against hackers, up to and including assassination. And you asked for clarification and amplification, especially the assassination part.

I think they might be paraphrased a little bit here. Maybe that is being shot in an electron in a physical sense. So let me get a score there. I don't want some sound bite going on here. The assistant said period of time to start about assassination. Back to them so that we may have a little electron attack going back the other way. Electrons go both ways, you know. Okay, come on, lighten up out there. Let's see, the loss. One of the problems we have today from my perspective is every attack, as first viewed, is a law enforcement issue. Every attack, as first viewed, is a law enforcement issue. Whole numbers set a prerogative coming to be. Jim Christy came here, went and turned around here. What that means is the protection of the privacy of the citizen. I support that. I want to be protected as a private citizen as well, but at the same time with that, he's also bringing us down, creating havoc. I'll tell you, it was very painful for me when we saw the blood supply in the hospital get corrupted, the polarity of the blood supply, the blood that was changed. That's well and playing around. So we want to change some of this.
We have legislation proposed, not yet passed, not against the privacy of American citizens, but if an ISP or a certain phone number is used and it's in a protected entity, meaning it belongs to the United States government as in the Department of Defense or something, it is immediately a national security issue, not a law enforcement issue. Then the game changes. It's now not a law enforcement issue, it is a national security issue, and then immediately tracing back, hacking back, in electronic sense, is within our property. So that's what's likely to change. There's a great, we'll get to you, there's a great dilemma out there. And the dilemma goes this way. If it's a law enforcement issue, the law enforcement folks, will most likely want to continue whatever it is that's going on so we can gather enough evidence to prosecute. From a DOD, national security statement, women want to scroll around and wait for more women to speak, we want to terminate whatever that problem is immediately. They don't know about the prosecution, we want to terminate that outrage immediately and get on to something else. So there's a bit of a tension between the Department of Justice and the Department of Defense, between the FBI and one side of the US within the DOD. So that's, some of us will clarify that. Immediately, today, it's a law enforcement issue, not everything is a law enforcement issue any longer. Jim, do you want to add anything?

Just that today's laws make us, you guys don't have to necessarily play by the rules, but I do. Otherwise, I go to jail and they'd much rather put me in jail than put you in jail, trust me. So it's much more difficult for us and hopefully with what Mr. Money and others are doing, legislation will change and make it a lot easier to go back and identify, get attribution for an attack and do whatever we need to do, whether it's kill them or whether it's arrest them.

Electronically, sir. You're going to kill them, so to speak.
This fellow will be here.

Two questions. The first is, if we do come to you with information, are we protected from prosecution in the act of so doing? And second, what's your stance to releasing source code for programs like Carnivore and all the other sniffers that you have developed?

With regard to the first question, if you're probing a network, if you identify an operating system, a version that you know has a vulnerability in it, and you report that, you haven't done anything wrong. You have not penetrated that system, but once you cross that gray line and you gain unauthorized access to the system, now you've committed a crime.

Let me jump on that too. Let's say you break into some place and you discover, because you discover the vulnerability, don't tell me how you discover the vulnerability. Yeah, and if you don't like that one, then call in an anonymous sense to see me at Carnegie Mellon. Pardon? Call in any anonymous sense, calling or seeing the new information to a halfway house, if you will, like at Carnegie Mellon, where then that information can get to us, but the source of that information doesn't get to us in that context. We're for sharing information to prevent vulnerabilities so we can strip off that in that context. In other words, if you're really serious about getting information through, use cutouts and make sure they pass through several hands to get there and the information will get to the right hands, you can count on it. I appreciate anonymous e-mails also that will give me a clue if something is weak, and I pass it on to the responsible network administrator so they can make it not so weak.

Okay, and the second question is about Carnivore, open source code for programs like it.

One second. Well, in law enforcement, first off, it's nothing but a sniffer, okay? You know, OSI has the same sniffer. We had it first. We call ours sniffing, you know? For obvious reasons.
So, you know, system administrators' sniffers are probably more sophisticated. Ours have all kinds of filters built in because of what we can look at what we can't look at when we get a wiretap authority. So, you're gathering as a system administrator a whole lot more data with your sniffer than the FBI is with Carnivore. It's really filtered down and we don't share our techniques. I'm not going to show you our electronic surveillance techniques. We just don't do that because the reason is you guys build countermeasures. So, we're not going to do that. Have a nice day. Have a nice day. Sit down. So, whoever called it Carnivore really bounced it. That was the problem. Calling it Carnivore. Yeah. Best in here.

We here in America become desensitized towards violence. DOD has identified we better shoot, commit, or bite somebody. That's one of the reasons we're here.

I want to repeat the question, but I want to make sure I understood it. You're saying that we're desensitized to violence, that the DOD has evolved an alternative to violence, different paradigm, which is to use cyber war in effect rather than lead bullets. And you're asking what can we do to shift the entire paradigm, the way we think about warfare and antagonism and defense into that mode of operating. Okay. In other words, to use non-lethal weapons wherever we can. Okay.

I think you approached this in the right way. The president, the CINCs, the commanders in chief of the various regions of the world, as you all know, we have conflicts on land. We're trying to maintain peace in Kosovo and in the Balkans, in Bosnia. We had a return to maintain peace and keep Saddam from invading another country in Southwest Asia. Yes, we work, worry, and watch North Korea in other countries. The state of affairs today in the world is used to be focused on in a cold war with a monolithic threat called the Soviet Union. Well, we serve. They can annihilate us. They still have 1,000 A.C.
guns and some of them are 10,000 nuclear weapons. They can still reach. But a bizarre concept called MAD, mutually assured destruction, which is bizarre as hell in my mind. It says, if you attack and drop more than you and attack and drop several than you, that service work, we have a stability that we don't have today. Some of them, one, does not worry about being assassinated or having part of his village wiped out. So there's no MAD, there's no mutually assured destruction there. So we have what we call an asymmetric threat. An asymmetric threat, a terrorism attack. The rule there was not to take on the United States in a criminal context and we're silent right now. That was wiped out in 100 hours. So the idea is to come after the United States and round about asymmetric air, take down two embassies, kill 400 people in two embassies, two American embassies in Africa, or take out a Marine barracks in Lebanon, or whatever. Maybe someday, hopefully not, but maybe someday it could be on the coast on the continent of the United States that there's problems. So one of the concepts is to work more, give the president, give the rule, we shall come in with more or a broader spectrum of responses. The response today used to be dropping an iron bomb on somebody. The iron bomb had a precision guidance packet so it could go in a particular window as you've seen and seen in a particular window if it built it. Well today we like to have even more broader response and sometimes that is to take down something in an electronic sense. So a computer network attack will in fact come in out of the closet. Last year in October 1st we transferred computer network defense to a CINC, to a war-fighting CINC that then has different authorities, that was Space Command. This October, computer network attack will be transferred to Space Command.
So at the same command we'll have defense, we'll have offense very close to each other and there's logic behind that because some of this may be fractured side to yourself. This is coming out of the closet. It's been bearded and it won't be discussed very broadly because as you probably know here some of these techniques and so forth are extremely fragile and it doesn't take much to counter them. So we don't talk openly with any detail, any precision or any specificity about what we have, yet we have another, what I'll call another arrow in the quiver of how to respond to the way we live in. Thank you.

Any other questions? Okay, other questions? I think the question is, if we're going to protect ourselves, why do we not do it unilaterally in ubiquitous things? So the first question is, are we in fact giving proprietary weaponry or aid and comfort to the Chinese at the same time we're saying to our own citizens no?

I think there's been, anybody wants to, I think there's been, I think there's been an even approach to this. Much to maybe your disbelief, there's not a monolith of government in the United States. There's several different facts. People are people. People are doing what they think is right by and large. I think people are well-intentioned by and large. Any responses are removing. I think you've proved here it doesn't have to be the Chinese, it can be the Israelis, the French, anybody. Our technology is very much wanted in the rest of the world. What complicates that is a lot of the technology is dual use. If it's dual use, we have some civilian or commercial value or application as well as a military value application, it's called dual use. One of those uses may in fact be classified or highly sensitive, it's over with the other issue, the application is wide open. That makes it very difficult to control or regulate. So that's part of the unevenness. There's also been some lack of discipline and sloppiness and relaxation and so forth. All of that is a treat that goes with the kind of
a time cycle. A lot of that's being tightened up now. You listen to some of the scientists at Los Alamos having been polygraphed recently, they didn't like that. They had a hard disk with lots of nuclear design secrets on it. So it's, you're going to be trying to be trying to stay ahead of the game, but yet some of the things that dual use, dual points of view, in that kind of complicates life. Anybody else want to add anything to that? Okay, over there. Okay.

I just wish you how we supposed to kind of know about it. So we're scared as hell. We're scared as hell now. We need you to help us. We don't know if we can trust you.

Okay, so we have a question that comes out, and for the rest of the anxiety, he said: we want to work with you, we love you, we're patriots, but you just scared the hell out of us, and besides we have a high priority on consistency and rationality and we see, as you said, things going from all different sources in so many directions. We're trying to get our minds around that and understand what the hell is going on. What he's really saying is help us here, we're in the work with you, but help us out here. Right yourself. How can we trust you?

Let's see, I have four grandkids, about 12, 13, 14, two kids and so forth. So I mean, hell, it could be out there in that audience. I'm here to protect the United States, protect our right, protect your privacy. Now at times we want to be in the opposite side of the fence. That's one of the reasons I wanted to come here. And if I scared the hell out of you in some respect, that's good. I thought it was common knowledge that somebody has hacked into hospitals and changed blood types or the polarity of blood types and that kind of thing. If that was news to you, then we need to be more open about some of the dire consequences of some of the quote unquote fooling around acts and so forth. Back to the other point of the question of not transferring information to the Chinese or whatever, that was started off as a belief that the launch systems of the Chinese
principally a system called the Long March, which is a rocket, was needed to in fact launch some U.S. commercial payloads. Consequently those companies in the U.S. were given the authority to an export control system to talk to the Chinese. Some, there's different points of view, and what happened, made more information was transmitted than was desired. But that was not in the government being malicious since there was a government and trying to accommodate the lack of launchers in the United States by getting those commercial companies more capability. But to me it shows an example of how complicated things have become in the context of dual use. Again, dual use for a rocket means to launch a commercial satellite. That's somebody rocket then means it has the capability to launch a satellite into a particular orbit, i.e. guided to a particular spot in space, is obviously a better rocket to launch a missile to hit the United States with some precision. So again, back to the dual use. To me the hardest problem we have today is to sort out what we're doing on side A in a commercial sense in the effect of that on side B. Give me another example of aviation. Our whole aviation industry with bone bills and in scenes of anybody in the world in a 777, that was a very advanced avionics suite. You put that into another opinion to be a bomber. So it's those kinds of things that are troublesome and it's just the judgment of human beings of you all that are trying to sort through that. Give me an example. Do you want to? No. Well, you brought it up, so let's behind it. I'll let you know.

Just one second, we have to interrupt these proceedings for an announcement for Mr.
Was I'm sorry to interrupt. I just have a quick announcement, and that is, we obviously have cameras here filming. Every once in a while the camera is going to sweep the audience, and we've told them not to do that until we make this announcement. So if it's uncomfortable for you, if you see the camera coming your way, duck your head, leave, but they're going to randomly sweep the audience. I just wanted everybody to know and be aware of it.

Okay, did you get your question asked? You're asking your question again about dual use, and it is presuming that there's a singular focus in government, a singular point of reference from which all decisions are made and come, and you did just address the fact that it's a multifaceted animal.

It's a commercial product that's very likely to be the department, the kind of thing that has the export authorities with the Department of State. If it's a military, if it's viewed to be a military issue, then it'll come to the Department of Defense with the Department of State, but that's a, depending on how the initial request was made. This initial request that we spoke to here was from the commercial standpoint. Sometimes the left hand doesn't know what the right hand is doing.

Can I add something also? Just like in this audience, the government is not created equal. Everybody doesn't know the same things. I think that's why the Department of Defense is represented here, because I think we understand it a little bit better, like you guys do, and we kind of wish that other folks in the government would understand this also. It's a matter of education and awareness. This is really new, so you can't expect everybody, the government is pretty big, can't expect everybody to have the same emergencies, priorities and the same knowledge as everybody else.

If also along those same lines you have the power to make the changes in those areas, you not only have a responsibility but you have an obligation to challenge your congressman to do something that doesn't fit. Not a right, an
obligation. So you can make a difference on that. And one of the things that enthuses me, I find quite interesting, is that every four years you come to an election and everybody is all up on electing the president. The president is not all powerful. Very few people can even name their senators, much less know what they stand for. Become more involved in that arena as well. Elect the people that will do the right things. That's what you do.

You guys get a chance to review any of the dumbass decisions that are made? Like the one thing, there's restrictions on the sales of super confused scientists. This is a great book. What are they going to use it for, including the animation?

He asked if you ever review any of your dumbass decisions.

I'm not going to say this. I'm not going to say this.

Obviously this is a political decision, and it's something that should have gone into the infrastructure and national security, and I think, I think it's kind of the question we'll be getting is that the super computer is a mean target. What was mean to be a super computer about five years ago was now sitting on your desktop. So part of that is, where is it, where do you want to draw the line, and so forth. What they got in the context of finding the same way to make fuel recently is probably already totally commercialized and available to them with multiple parallel systems. So again, it's a judgment call. My view in exporting stuff goes something like this. We ought to keep it from the national security standpoint, the American industry as strong as anybody else. Therefore, we ought to allow American industry to export anything that in the other industry anywhere else in the world can't export that will eventually hurt American industry, constantly hurt us from the national security standpoint. So that is a very much of a fluid, changing, so every day that number will change. So part of that is wrapped up in this decision. Ultimately, it's a risk management. What's the downside? What's the upside? When you make a call
sometimes they hope, sometimes they're viewed as a mass decision.

Well, this makes you really ship us to Windows. They can either affirm or deny the ultimate price of Windows.

I don't care if it's whether Windows or Unix or Unix, they all have flaws.

Well, I didn't say any. The question was, it sounded extreme to the questioner that it would be a national security issue any time government computers are hacked. It sounded as if everybody's head was going to be put on a spike in front of the city gate, and that weighs some anxiety where the measure is and where the balance is in response to appropriate, in an appropriate way. My response was, I didn't say we were every government computer, but there are some communities that need to be protected in the context that it's not a law enforcement issue, it's an immediate national security issue. Then we have a different response. So it's not everything, but there are some that. But we ask a lot of you, from your standpoint, going in a muck and land in somebody else's area and changing data and so forth could have some serious consequences. So think about that act as well.

Let me add one other thing to that. We're not the only ones watching what we do. There are, I talked about some pretty bad characters, some malevolent actors. There are folks out there who watch sort of the calls and the response. When someone breaks into a government computer, somebody is watching. How do we respond? What are the tactics we use to address the penetration, to the perpetrators? And you can bet that there are big databases around the world that have every incident that's ever been publicized within the US in terms of an attack on a US government system, a DOD system, and what DOD did. And so if you were one of the bad guys and you wanted to do something malicious, wouldn't you make it look like maybe somebody coming in, defacing a website at first, and we let that pass because that's just somebody tinkering, or maybe it was just somebody coming in and probing around to see
whether or not the computer was alive, and we begin to let that go because that becomes sort of commonplace. And if you really wanted to launch something, wouldn't you make it look exactly like that? So think about all the capabilities, all the events that have occurred over the past, pick your favorite period in time, and say, if I was an adversary and I wanted to do something, what sort of aid and comfort would all of that information provide for me in terms of being able to camouflage exactly what I wanted to do? Another dimension of this thing that isn't always quite thought through in the way it should.

Let me say something about law enforcement. I think law enforcement has a critical role in national security. It's different, what happens domestically and what happens overseas. The intelligence community and military, we deal overseas, and our job is to violate individual rights of privacy, break things and kill people. I mean, that's the job. Domestically is different, and the Constitution protects everybody domestically. So I think what we need is legislation that's going to expedite the process that protects, allows us to get that attribution in a time frame that's going to be critical.

Question back here.

In the government's view, are ISPs liable for the actions of their subscribers?

That's probably a good question for a Department of Justice person, but I don't see, personal view, I don't see how we can extend to an ISP responsibility for everyone who operates from or through that ISP. I guess the metaphor would be, if I don't have locks on my door in my house and someone goes through my house and breaks into Dick's house, should I be liable because they went through my house? Well, if I don't know that the guy went through my house, then I shouldn't be liable, I don't think. If I saw the guy going through my house all the time and attacking Dick's house, well, maybe then I incur some kind of liability. So I think awareness.

Okay, was that a follow up question? This is the general panel.

If you
consider the opposite of providing sanctions against, providing perhaps an incentive for disclosing re-distance as a way of providing rewards for people?

Have you considered not only providing sanctions against, but rewards for people coming forward and helping out?

What kind of reward? Wait, wait, wait.

You make a good point, and I think you have to think a little bit deeper than that. For every event that occurs that has to be responded to, I think the estimate was, what, a million and a half dollars per event, and that's just on the surface, including a lot of law enforcement time and everything that has to go into it. So the government can just go down to the, to the mint and print off more money to provide for these resources. The money has to come from somewhere. That money comes from you. That's your tax dollars. And if we have to divert tax dollars to handling these events, we're taking it away from other programs like Social Security, Medicare and things that are, I think there was a question. There's a finite budget that has to be adhered to, and one of the reasons that we can't protect our systems any better than we have is the resources are going towards those social programs like Social Security and Medicare.

Toilet seats.

That's kind of an absurd property problem.

Over here. What was that question about the police legislation?

Okay, if you're going to tap back, how do you justify that, and how do you compensate people if you make a mistake? You have citizens.

So the analogy I use, you'll see, you'll see restricted areas. They're soon just north of here. They're low posted. If you violate that geographical area, you're likely, and especially if there's nuclear weapons storage, you're likely to have some harsh consequences. So I think that also applies in a cyber sense.

Let's back the question up. Is that in fact the way you understand what you said, that you've had to proactively attack people?

All we said was we will then have the ability to track back, trace back, and if do, then we can have an
electronic attack back. Does it say every time? Just like if you go to a restricted area today, sometimes you might be arrested, sometimes you might just be told to turn and go the other way. In other words, it's a dangerous thrill.

Somebody else back here. Yes, you've had your hand up a long time.

It's not a good word. It's not a good word. Today, the thought is it stops at our door, if you will. It's at the intranet in the DOD, not the Internet. The legislation is written today to be intra the DOD in the collective entity sense. To me, it's no different than a physical attack on Pearl Harbor. So yeah, I'm now a physical attack on the electronic database of the hospital, of the military hospital, or the military database where the airplanes are being deployed to or whatever. It's in that context. All of this, we're private citizens as well. We're here to protect the private United States, but not have the United States go to its knees. So there's a balancing act, and part of that's the reason we wanted to come here, be straight through what the consequences of what you might be doing are.

Okay, that's where I joined Wade Joe. It's funny to hear about, we all know that you're about to be involved with the representative parts of the agreement.

Okay, over here.

So the question is what exactly. I don't think we ever said that we don't know how to use them. And I think it's been mentioned several times that your federal government, the decision makers within the government, comprise an awful lot of people with an awful lot of pressures, an awful lot of agendas, and the decisions from each of our perspectives may not always be balanced in the way that we would like them to be balanced. But we elect people, we put them in Washington, and we have an opportunity to influence the way they think, and we hope that they make decisions in our best interest. I'll just speak just very briefly to the encryption regulation, where probably everyone in this room would like to see free, uninhibited access to the most strong
encryption that the nation has to offer. Well, let me tell you, that makes it extraordinarily difficult for other parts of your government to protect your rights, and so the decisions that have been made recently.

How?

Well, I think we already had that question. Just think if everyone were to strongly encrypt every transaction, every activity, both legitimate, that includes, that includes not only the legitimate things you want to do, but also a lot of illegitimate things. There are a lot of privacy rights which we have, but all of our individual rights, and where it becomes more important for the common good, all of our rights come as a double-edged sword. There are rights and privileges which we all enjoy, but we also have to balance them against the common good. Otherwise we have total anarchy, which isn't right the way this nation was founded. So some criminal activity then uses that same encryption. That makes it more difficult to do that