 So I'm Alfred Hero, and I'll be chairing this panel. The way the panel is going to work is that each of us is going to give, you know, a five to ten minute kind of overview position, if you like. And then we'll open it up for questions, and then discuss if the questions are not eliciting the kind of panel discussion that I'm looking for, I'm going to open it up with some of my own questions. So to keep this sort of on track, I would propose that all questions be postponed until all of the speakers have had a chance to speak, and that way we can sort of segue very naturally into the panel. So this panel is on data privacy and security, and I'm very happy to be chairing this. It's a very important area within the human side of data science, and for financial institutions of course in particular. Before I launch into my few remarks and introducing the other panelists, I want to use my position as the co-director of the Michigan Institute for Data Science to put in a plug for another meeting that's coming up in November, or November 15th and 16th on big data advancing science and changing the world. We have some fantastic speakers that include Robert Groves, the 23rd director of the U.S. Census Bureau, now a provost at Georgetown, and in addition to Suda Baderji, who's chief of the Center for Big Data Research at the Census Bureau. So I hope to see any of you who are interested in the broader aspects of big data and methodology through applications and transportation, computational, social sciences, personalized health, and analytical learning. So of course we have been living in a world where when I was a child, privacy and data security looked like this, and we had a single point of entry. The firewall was a bank clerk and admission was based on personal recognizance. There were no passwords, there was a physical key. 
Today of course we are now in a world which is much more open and where data is being transmitted, shared, stored, and information extracted from that data is a bit of the wild west. Unlike in scientific research with human subjects, there is no nationally accepted consent policy for ensuring that the public retains trust and is protected from, let me say, poor practices. So this now is representative of course of what this panel is all about, and with increased availability of data across the ether in the cloud and stored in third party storage media, there are of course lots of issues that arise that involve cybersecurity, intrusion detection, ensuring privacy, ensuring the safety and stability of our financial system. So big data of course has had an enormous role over the past few years in commerce and society, but in particular in financial services. Of course data has now become a commodity with which we can try to improve services by bartering and trading and selling information about clients, about competitors, and that has of course given a lot of advantages in terms of being able to better perform, for example, cybersecurity, so intrusion detection, network pattern recognition and pattern analysis. IARPA has announced recently a new program in developing an early warning system for cyber attacks that's based on a variety of data including social media data that can be used to detect incipient behaviors that might lead to unconventional and unanticipated attacks. Of course fraud detection in the credit and banking industry has certainly benefited from the ability to use and leverage information from social media, email conversations and interview notes and so forth to be able to predict trends, identify hidden relationships, and then eventually detect again patterns in the network of interactions among different dimensions of the big data scope that might indicate that there is anomalous and perhaps fraudulent credit card activity, for example.
Customer segmentation and targeted marketing are of course other areas where big data has been very useful. So those are the areas where we've been able to identify where big data is going in the positive direction, and of course with every improved activity that occurs in the use of large amounts and diverse data for these types of objectives, there are risks and of course that's what this panel is all about. The challenges that we're facing effectively can be divided into several categories. I'm just going to focus on a couple, ensuring security of data and then protecting the privacy of data. So of course we're all aware that attackers are getting much more sophisticated. There are dozens of attacks reported every day on infrastructure including banking, finance, and trade infrastructure. The most common cyber attack is the distributed denial of service attack, of which we heard just less than a week ago about the attack on the Dyn DNS infrastructure that controls the switchboard to the internet, which was attacked by recruiting big data, which can be defined in this particular case as any opportunistic device that's connected to the internet that might be used to generate requests to a server through its internet or HTTP port or what have you. And of course the internet of things botnet has now become a tool for attacking sites and bringing down networks that are of critical importance to the functioning of our financial system and in general of our economic, social, and secure national situation. So protecting the security is clearly a very important issue and I hope we'll be able to explore some interesting themes over the next hour or so.
Privacy is the other part of the coin, the other side of the coin, where of course we look at privacy both in terms of proprietary data, and when data is being shared that companies and institutions are confident that their data will not be used for a nefarious purpose against them or for unfair competition, but also of course there's consumer confidence, which was brought up in a question to the previous speaker, on the need to maintain the public support and public trust in our institutions. And I just collected a few statistics from a recent report from the Pew Charitable Trust which reports that only 38% of Americans trust their credit card companies. They don't have confidence that their credit card companies will make a serious effort to maintain privacy of their data, which might sound quite low, but it's actually pretty good if you compare to the confidence in, for example, search engine providers, social media sites, or government services in general, which is about 31% confidence in government websites and government institutions like the IRS to keep data private, secure, and protected. So clearly there's an uphill battle here in trying to maintain or even regain trust, and I'm certainly aware that it would probably only take one major breach of trust in the financial sector that's widely publicized to bring these numbers of 38% down into the bottom of the pile, and so I think that this is clearly an issue.
The other aspect that I just want to bring up is the importance of recognizing that privacy is not monolithic, that there are various ways that privacy can be protected and that it can be abused, and there's I think a nice characterization of the challenges that one faces as someone who is entrusted with protecting private data, and those are the four R's: reuse, repurposing, recombination, reanalysis, which are an analog of the four V's of big data. But these basically refer to, back to the sort of IRB consent type of interpretation for scientific research, data that's consented for one purpose and then it's reused for some other purpose for which that consent does not exist. Or reanalysis is when of course a subsequent analysis, perhaps of other consented or unconsented personalized data, is combined with the analysis of the original consented data to, say, re-identify or de-anonymize the data, and then of course the public loses their trust in the ability of the institution to protect their assets and resources which they entrust to the system. So with that I will conclude my overview and introduce our speakers. So we have a panel of four very complementary and distinguished panelists here. Peter Swire from Georgia Institute of Technology, Professor of Law and Ethics, has been teaching banking law, was privacy czar in the Clinton administration, worked in Obama's administration on the Do Not Track program, and he'll be talking to us about trade-offs between privacy, security and commerce, the individual good versus the social good trade-offs that occur in privacy, particularly as associated with the finance industry. And then Jonathan Katz, who's a professor of computer science at the University of Maryland, directs the Maryland Cyber Security Center.
He will be talking about basically how one computes securely without leaving any one party with all the data, so that one can look at distributed approaches using bits and pieces of the big database that you need in order to, say, do your customer search and development, but not leave any part of it exposed to a breach of privacy. And then we have Mike Reitblat, who's the co-founder of Forter, which is a company that prevents online fraud for credit card transactions, and he'll be telling us about how credit card fraud really is an arms race to the bottom and ways of counteracting that trend. And then John Carlson, who's a vice chair with the Financial Services Sector Coordinating Council, the FSSCC, will be talking about some of the existing cyber threats with case studies on particular malware strategies that have been used to usurp the security measures that have been put in place within the internet and other networks. So with that I'd like to call up Peter to make a few remarks. Thank you.

Thank you Professor Hero, and my thanks to Michael Barr for the invitation and for being part of this great conference today. My topic in less than 10 minutes will be big data in finance: privacy, security, and discrimination issues. And the timing is great because on Monday night I'm supposed to teach for 90 minutes from the same deck, but I'm going to give a different version I think, so that's for a financial analytics grad course at Georgia Tech. So much of this conference, as I think has been said, is on the benefits of big data, and that could be sort of an endless list. And this session, as we just heard, is about some of the major risks, and so I'll briefly talk about data security, data privacy, and data discrimination. And to do that I encourage you to think about a case study if you were working for a big financial institution. Let's have an all customer funds database. It would help our customers know about their own financial things.
It would help our brokers give the right products to the customers. It would have everything about their profit loss balance sheet. It would have all their accounts. And so if you think of this as we go through the conference for the next two days, it's a wonderful big data tool. We'll get great analytics out of this, everything about each customer. And we'll have great analytics about the company to figure out what our wonderful new products should be. And more data is better because we can do all this great stuff. And so if you're thinking in a financial system and you think about our biggest financial institutions, this might be a helpful just model in your head to say what would be great or what would be risky about having all the customer data put together in this way. And for analysts, for the people who do the big data, this is a great temptation to something like this if you're in an organization. So here's my slide, I'll say more, but big data is good. Big data breach is not good. I mean, that's sort of the thing. And so if you have the enormous big data, you get all those great things, but a big data breach is a little scary. So let's just think about it from the point of view of this all customer funds, fabulous database in our big financial institution. So when I talked to Chief Information Security Officers or business people, I asked them to consider the consequences to their customers if this database is hacked and put on the internet. Let's just post it all on the internet, WikiLeaks style. One thing that could happen is there could be fraud, and we'll hear more about that. The hacker could pretend to be Mr. Barr and take all the money from his account. Mr. Barr might get sad about that. There would be identity theft. They could impersonate Mr. Barr by knowing the answers to all those secret questions. How much was your mortgage payment in this date? You know, what was the other financial things you get asked on the high quality secret questions? 
What if, as a hypothetical, Mr. Barr will one day be a senior government official and might be of interest to nation state attackers as John Podesta has found out this summer? Are your defenses ready for that? Because if you have this wonderful database and you have one interesting person in the database, now you're a target. And, you know, in terms of job security for the CISO, what if the CEO of your company has her information in it and it all gets revealed? She might be unhappy with you. So these are some of the harms from a big data breach. It's not just hypothetical. These were things that real customers, real people would care about. So you hear sometimes the idea of a big data lake as just this enormous big reservoir of data. Is that a good way to think about it? And so in computer security, people have talked for a long time about the M&M defense. That's a hard, crunchy exterior and a soft, chewy middle, right? You get through the crust and then, oh, it's all that wonderful squishy soft stuff you get to enjoy so much. Not a great defense. Most cyber security people don't like that at all anymore. A firewall is not impregnable. There's too many holes in it for too many reasons. So if you can't have an M&M defense with that soft, chewy interior, what do you do? Well, one thing you do is a data segregation strategy. One attack shouldn't get everything. If they get into one part, they shouldn't get everything. A second thing is data masking. Most analysts trying to do the cool numbers don't need to know the names of the people. They don't need to know their social security numbers. There's identifiers or sensitive things that you can mask and still get the analytic goodness out of it in many instances. And you should consider this sort of scary negative going in the wrong direction idea of data minimization because there's cost to data as well as benefits. 
And so there's a decision point about when to add data, because if the breach happens, then you have these difficulties. That's what I have on security today on big data and privacy. And Professor Hero mentioned both of these things. Big data is a major challenge to the fair information practice of purpose limitation. Your privacy policy in a bank under Gramm-Leach-Bliley says what you're going to use it for. In the European Union and the over 100 countries with comprehensive data privacy laws, purpose limitation is a big strong legal rule to have to consider as you're doing business there. But I think conceptually big data is a bigger challenge to de-identification or anonymization. And under Gramm-Leach-Bliley or any privacy regime, if it's anonymized you can have fun and play with it, but if it becomes non-public personal information, if it becomes the regulated stuff, you've got an issue. And here's how big data helps re-identification. I think for the tech people this is very familiar. So one thing is you have more data points. That's sort of the point. There's big data. There's more data. So you're going to have the all customer funds database. Plus let's get their social media stuff, their Twitter feeds. Plus maybe from the banking app we can get their location. We certainly can get their public records. So we have many, many, many data points about each individual. We also today have good search. Google was incorporated in 1998, but almost 20 years later we have really good search. Lots of data plus good search. And if you have lots of data plus good search you can often re-identify if any of those data points help us re-identify people. The very worst one, never ever tell anybody, is your birth date. Okay, so I hope you've all followed that strategy, because 366 days of the year times 80 years it might be. It has 25,000 cells just for your birth date. That means in a city of 100,000 people on average, three other people have your birth date.
That by itself drastically re-identifies people. And Latanya Sweeney and others have sort of pointed that out over time. Okay, so therefore don't assume that anonymized information is really anonymized. For more on this, Yodlee got in a flap with the Wall Street Journal about a year ago. You can go look at that. We worked with that. And the Future of Privacy Forum that I'm associated with has a project notification that I think has good guidance on that. My one slide on big data and discrimination, which we'll be back to in the discussion this afternoon. So a major benefit of big data is we have all customers' funds. We provide customers exactly what they want, the matching of what the sellers want and what the buyers want, and we give it to them. I testified for the Federal Trade Commission in 2014 on lessons from fair lending law for fair marketing and big data. And that's available online. And the big law here that people in this room know about is the Equal Credit Opportunity Act. And here's just one naughty question to think about for the banking. So there's a history in fair lending of extra advertising. If you were redlining, then go advertise where you didn't use to advertise. And that's been a common remedy against discrimination against a particular group. But extra advertising, if you target it on race or gender or age or the rest, is a violation of ECOA. And so you need a theory of what's the good targeted advertising, remedying past wrongs, and what's the bad targeted advertising, targeting people like GE Capital, before it renamed, got hit by the Consumer Financial Protection Board for almost $200 million in fines because they didn't give a very attractive offer to Spanish-speaking people and people in Puerto Rico. And they paid very heavily for that. So the wrong targeting is race-based. The right targeting is giving people what they need. There's not been a good theory of which is which. So conclusion, and I'll stop.
For big data security, avoid big data breach. Easier said than done. For big data privacy, there's a caution that the regulatory scope can expand enormously because of this risk of re-identification. And then you have to manage it like personal data instead of anonymized data. And for big data discrimination, precisely the benefits of targeting may be illegal in this equal credit world. And so we have to think through how we want to do that. Thank you. Next, we have Jonathan Katz.

So I'm very happy to be here. What I want to focus on in my brief initial remarks is just to give you some perspectives from the cryptographic community about ways to ensure privacy in data mining. And introduce you to some tools that I think I assume most of the people in the audience are maybe not familiar with, although some of them you may have heard of before. And really just touch on them and try to explain at a very high level what they can offer. And if there are more technical questions, I'll defer those until the question and answer period with the audience. And I want to be clear actually, just to set the stage for my remarks, that what I'm going to be focusing on here is specifically the issue of privacy rather than security. And just at a very kind of broad brushstroke to explain the way I'm distinguishing those for the purposes of these remarks, I think many of us are familiar with the concept of security as enforcing a distinction between people who have access to some data and people who don't have access to some data. And so it's a binary classification. You're either in or you're out. And privacy is much more fuzzy. Privacy allows for much finer distinctions between people who may have access to portions of data, people who may have access to a certain amount of limited access to data but not complete access to data. And it allows for much finer distinctions between what you're allowed to learn and what you're not allowed to learn.
And it's useful when thinking about privacy, and when thinking about privacy in the context of big data, to separate the concerns or separate the issues involved into two orthogonal components. And that's how I've structured my remarks here. So the first question we can ask is what sort of computations on big data can be done without compromising privacy? And then the second question is, given that we've understood what computations we can hope to carry out, how then can these computations be done in a privacy-preserving manner? And so let me focus on the first of these in terms of what computations can be done without compromising privacy. And this relates actually to the remarks of the earlier speaker who was talking about things like collecting data in one location and then analyzing it. So here, just to introduce the notation, we have some collection of data, X, where just for simplicity here, I'm assuming we have a collection of items X_1, X_2, etc. Where just think of X_i as being data corresponding to some i-th agent, where the agent can be a user, the agent can be a company, what have you. And the observation was made earlier, right, that if we collect all this data in one place, we may have to be concerned about the possibility of a data breach, and that's certainly true. And so therefore you might want to try things like anonymizing the data, scrubbing the PII, but I think really that's only a zeroth order defense. It was already mentioned before that you have these de-anonymization attacks, that even if you do simple things like that, those simple techniques are simply not sufficient to prevent somebody from ultimately linking your data to other data sources and discerning a lot of information about the individuals in the data set.
But one way to view the question about what computations can be done privately is to think, well, if we were going to compute some data on this data set, what functions of this data can we say don't reveal too much information about any individual entity's data. So what randomized, in general, what functions of this data wouldn't reveal any information about X_i for all i. And there's been a lot of research looking at this question, how to formalize this question, and then how to decide which functions meet the criteria, which satisfy the definitions. I think the leading contender right now for a satisfactory definition of what privacy means in this context is the notion of differential privacy, which I think many of you may have heard of, which basically defines formally what it means for a computation, for a function of data, not to leak too much information about any one participant, by roughly saying that a function of this data set ensures privacy, ensures differential privacy, if it's the case that the function on the data set that you would compute is roughly equally distributed to what you would get if you computed the function on the data set minus one user's data. So imagine focusing on some particular user, for example, the output distribution of F computed on the entire data set would be roughly equally distributed to what you would get if you computed F on the data set minus the data of user 1. And if that holds for all i, then the function is said to be differentially private. Now, there are a lot of practical issues with differential privacy. I think many people have argued that it's too strong, and I would certainly agree with that. There seem to be fundamental limitations in terms of how well we can approximate certain questions of interest, certain functions of interest, in a differentially private way.
But nevertheless, I think it's a useful starting point, and like I said earlier, the leading contender for what a definition of a private function should look like. Now, what this gives you, what this perspective gives you, right, it says that if you have some entity who's trusted, who's secure, if you will, and can securely hold all this data, then it would be okay, right, it would be private for that entity to either publish F(X) or perhaps to use F(X) in making some decision. Right, because as we've just argued earlier, if F is differentially private, then publishing F(X) or using F(X) as part of some decision process isn't going to compromise the privacy of any individual user i. And the problem, of course, is that we don't have a single trusted entity for many reasons, some of which were also touched on in the previous talk. So we may have incompatible trust assumptions, right? I mean, I know that I'm trustworthy and you know that you're trustworthy, but we don't know anything about each other, and so it can be difficult to get around that. There may also be legal or regulatory constraints to certain entities having access to data that may prevent the collection of data at one single entity. There's also a liability and a cost issue, right? If you're collecting this data, then you have to spend money perhaps and you may be unwilling to do so. Similarly, you may be unwilling to take on the liability of a potential data compromise. And of course, collecting all that data in one place gives the attacker a single point on which to concentrate their efforts and becomes a single point of failure or a single point of attack. So it's undesirable to collect all this data in one place. Now, this brings us to the second question. Given that we've identified some function that satisfies the definition of privacy, how then can we carry out the computation of that function without having a single entity storing all the data of interest?
Well, what we can do is we can imagine distributing that data across multiple sites and or across multiple entities. And there are several ways this can be done. I've just sketched three possibilities here, but they're by no means exhaustive. So for example, you could have one entity storing data about some subset of the users and another entity storing data about a different subset of the users. Or you may have both entities storing all users, but it's different data. One may be storing financial information. One may be storing personal information about those same users. Or maybe in another setup you might have actually nobody storing the data in clear and instead what you have is a situation where one party is storing an encryption key and the other party is storing an encryption of the data. So in fact, nobody has access to anything in the clear and only when you pool their information together can they potentially encrypt and learn anything about the underlying data set. And then of course the question is well given that we've set up this situation where different entities have different portions of the data, how then can they go about computing this function of interest? And it turns out there's been a lot of work over the last 25 years actually in the cryptography community on techniques for doing exactly that and the protocols that allow you to do that fall under the category of what's called secure multi-party computation. And just at a thousand foot level without going into any technical details I can describe what secure multi-party computation allows. Basically you can imagine any setup where you have any number of entities. So in the previous slide I was focusing on two entities but you can in fact have any number of entities holding any collection of data in any of various ways. 
And imagine that if you had a central authority, if you had a single trusted entity that all parties would be comfortable in terms of giving their data to, then you could imagine all those parties sending their data to this one central entity and having that entity carry out the computation of the function f that we've all agreed is a privately computable function or is a private function. And what secure multi-party computation gives you is exactly the ability to replace that central trusted entity with a distributed protocol run between the parties themselves, the entities that hold the data themselves. And it gives you the exact guarantees that you would have if indeed you had this idealized trusted entity collecting all the data and performing the computation on these parties' behalf. And so it ensures correctness, it ensures privacy, so no party learns any more information other than the result of the computation. It ensures various other properties as well. And the only thing I want to leave you with is just the fact, the statement that, like I said, this has been an active area of research over 25 years, and it's known now that in fact secure computation of any function is possible with security against arbitrary behavior of any number of the parties in the system. So if you have your data distributed among n parties, they can collaboratively compute some function of their data and even be assured that if the other n-1 parties are all colluding against them and trying to learn information about their data, the data they hold still remains secure. And so from a feasibility point of view the question is settled, and the only, but the question that remains is just one of efficiency and how quickly we can actually carry out this computation. And so I'll just leave you with this final picture here. So imagine again, if you're thinking about, and I invite you actually to think about this, about how these techniques might be applied to problems of interest to you.
So imagine that you have this collection of data with data stored by different parties in some system, and imagine further that if those parties have one central entity with whom they could all share their data and then have that entity carry out some computation on their behalf, then what they could in fact do is get rid of the trusted entity, not have to assume any trusted entity at all, and instead carry out some distributed protocol between them that would allow them to compute that same function in a private way. And for people who are interested, I have a paper I read a couple years back with the Office of Financial Research, it really intended more as a survey paper introducing these ideas, talking both about differential privacy as well as about secure multi-party computation, and just sketching out some potential use cases of these ideas in the financial realm. And I think this paper may have been linked from the conference website as well. So that concludes what I have to say. Thank you. Excellent. Mike Reitblat.

Thank you. I won't use any slides, that way I can improvise. The main thing I want to do is to give you some insight into how it all looks from the cybercriminals' perspective, what they are doing and why we as an industry are kind of losing this war for now. The first piece of bad news for you, Alfred, is actually at any given time there are more than a thousand concurrent cyberattacks going on, not just 12. Not all of them are as massive and get to the news like the one last week, but when you look at what cybercriminals are after, there are mainly four types, we can kind of distribute all of them into four groups. The first ones, that are completely not interesting at the industry level, is the amateurs or the kind of pranksters.
Usually people in their teens or in college, they want to, they learn something new maybe in the computer science class and hey, let's try that, let's try to access some router to try to see if I can change the wallpaper of my professor. This is not interesting, or steal an iPhone for myself or whatever. The second class is criminals that are making a living off cybercrime. They as a group cause the greatest damage to the economic system. They will try to steal credit cards and then monetize them to get money, get access to bank accounts, get access to other identities and credentials, and they're doing it for economic reasons. The third group is all the government sponsored cybercrime, and they're usually trying to get, distort the service of another government or some corporation that competes with theirs, and these are usually the massive ones that we all read about, and all big countries play in that game, it's not just Russia and China, so everyone is contributing somewhat to that industry and acting very, very creatively with huge budgets. And then the fourth group, which I personally find the most interesting, is the people who do that for the street cred they get in the cyber community. So if someone, and I think it happened five or six years ago, someone filed a fraudulent tax return on behalf of the director of the NSA. You don't do it for the money, you do it because now you're a legend in the cyber community. One of the most famous examples that happened was a teenager, an Israeli hacker, who hacked into the Pentagon, and the only thing he did there was place his picture as a wallpaper on all of the computers. Now it gives him nothing, and they caught him within the hour and sent him to prison for a year and a half, but first, everyone knows who he is; second, he is now a cyber security consultant and talks on television, and he's not one of the best and brightest minds, he's just one of the most famous ones.
Kevin Mitnick, which I'm sure is a name that's familiar here for some, was one of the early people who went to prison for phone pranks. He was basically stealing phone calls and doing some really minor social engineering to get access to data. And now he has his own cyber security company, he's on television, he sits on boards of other companies; he's a legitimate person even though he was a criminal, and he got famous because of those crimes. And when you're trying to stop that, I think what's important to realize is that no individual or no company is beyond being hacked or having their identity stolen. If I want to steal all of Michael's money, I can do that. It may require a lot of effort, so it may not be economical, but that's why this group of people is so dangerous. They're doing it for something else; their motivation is completely not effort related, and personally I don't think there's anything to be done against them. But for all the other three groups there's a lot we can do, and currently I think we're dealing in an almost, or not almost, exactly an asymmetrical warfare, because if you're a criminal all you have to do is find one easy target to get money from. We all remember Target got breached three years ago: 40 million credit cards got stolen, and the person who conducted it wasn't very technical, and it was a really big human error.
They didn't update some service for three years, passwords were generic, and they didn't monitor it properly, and here you go, 40 million cards. And as for the person who did that, he tried to hack other companies and wasn't successful, so from his perspective he only needs to find one, but all the companies have to protect themselves against all the MOs and all the people all the time, because if you get breached once, first, I think the CEO essentially left because of that, definitely the CISO left, and huge damages were caused there. And part of what we are trying to achieve at Ford, or in a lot of other companies these days, is trying to go after the business models, after the gross margin, if you will, of cyber criminals. Make it, you can still hack it, we just said that no one is impenetrable, but it will just be so much more expensive than it was before, so you'll probably go do something else. A good example for that would be: you all probably have a chip card now in your pocket. Chip cards can be copied; it's just so much more difficult. With a magnetic stripe, I can buy a device for $100 off the dark web and just copy everything; it's very easy, so a lot of people did that. We introduced the chip; now it's probably not so simple, the device maybe costs a few tens of thousands of dollars, so most people can't do that anymore, so they move somewhere else. Fortunately, or not fortunately, for keeping me employed, they usually go to the online crime world. They never seem to retire or get a decent job; they always migrate. And as we are going and trying to hurt their economics, this is why we try to push them somewhere else, and essentially as we make everything more expensive for them it solves it. There was one idea, Peter, we talked about the spam world: one idea of let's charge every email that is being sent a fraction of a cent. When we send emails it's nothing, you'll pay $5 at the end of the month; when a spammer wants to send a billion emails, all of a
sudden it doesn't work. The idea didn't work because you couldn't have charged a fraction of a cent at that time when they started implementing; there are actually some bitcoin-related applications in that space now. But if we go back to how we can make cyber attacks more expensive for criminals, this is where big data comes into play. We now can monitor almost all criminal activity across all websites or assets. It was not possible; so I've been doing that for a little over 15 years, and it was not possible even 5 years ago. The computational power wasn't there; you couldn't have collected everything and monitored it in real time or close to real time, because what we're required to do now is not just, hey, I have this huge data set of a billion records, let's run a model over the night and see what comes from it. I need to make a decision within less than half a second: do I let this person in, and do I expose this data that he's requesting to him or not? Now, computing this is actually a pretty easily solvable engineering problem. The infrastructure to do that is so accessible and so cheap, you can almost calculate everything you want, if you build it properly, at almost no cost. Part of the problem with that is cyber criminals also have access to all of these technologies, and they usually implement them way faster, and they try them; they have to improve, right, it's a business for them, and they move definitely faster than government, I'm sorry, and significantly faster than all the large organizations. So they started using, I think the right name for it now is cyber crime as a service: you see people in the Craigslist of the criminal world, you would see "I have 100,000 computers for rent at $2 an hour," so if I want to implement a DDoS attack, a denial of service attack, it's very easy for me, I have access, I don't have to build anything. They share information extremely effectively, and Bitcoin is a great tool that enabled a lot of commerce and cooperation between criminals. Now I don't
have to do everything myself. I think there is a statute of limitations, and let's say 20 years ago I had to build all of these things myself: you have to build your own tools, you have to get your own servers, you have to get your own access. Now you don't; you buy a server from someone, a rental server from someone, or a thousand servers, you get a shipping location that someone transacts, and everyone gets a piece, so it's an extremely efficient economy. There is a lot to learn from them, I think, in the economic sense of things; same thing that goes for pirates 300 years ago, they were way more efficient economically than us. And the way you make it harder, coming back to it, the way you make it harder for them is you request, you can make one hurdle more difficult for them: to create that identity. They have tools to, once again, if someone wants to create Michael's identity (we are all using you as a target here; okay, perfect; we were just preparing for this panel, that's all), each of us leaves a small piece of our identity everywhere we go, and usually these pieces are stored there forever, and not all of them are being protected well, because you don't think of your university alumni forum as something that needs to be protected. But you probably registered there, and you have your birthday, an extremely unique identifier, your birthday there; maybe you wrote some stuff about what you like, and I can guess the answers to those secret questions, or as a creator of that forum or someone who has access, I have those questions, and you never change your answer, and you usually use the same password for all of your non-critical, non-banking-related systems. And by starting to collect and assemble one piece after the other, I can build all of your identity. I can create a fake Facebook profile for you, connect to all the people, and they wouldn't understand it maybe, but I'll have all the connections, so I can recreate it, and there are tools to do that automatically in the cyber criminal world. Then, and now, if we
can make that effort, for me as a criminal, to do it within a day, all of a sudden it won't be as easy. I can't bounce and use that many identities at once, so I have to make sure that every time I use that identity I get more money for it. Now I have to use it at places that give me more yield or enable me to steal more money. I think $20 is extremely easy, stealing $2,000 a little harder, going after $200,000 not so easy, so I'll have to invest in it, and all of a sudden it's not worth it, and this is where we're breaking that. Now, to your point, if we gather all of the data, and data is extremely available for us as the industry fighting cyber crime (it's actually a little less available for the criminals, but they're more persistent at getting that), it's extremely available. Well, back to my industry of protecting against credit card fraud: we can have Visa's data, we can have Facebook's data, for instance, and we can have all the merchant individual data, and at any given time have all the data we need to make the right identity decision of whether you're that person who is legitimately trying to do something or not. But once we aggregate all the data in one place, now we're exposed, and as I mentioned in the beginning, no one is impenetrable, so someone will hack whatever that system is, and that's part of the reason you can't, and rightfully so, a lot of these agencies and companies are really hesitant in cooperating. If they were cooperating, fraud prevention is an extremely easy problem, but they're not cooperating because of that storage of data. And as more of them, I actually really liked what you were talking about, as more of them start to implement how do you share information, how do you combine an identity without actually sharing any particular data and storing all of it in one place, you almost create an instance of an identity for the authentication period of 300 milliseconds, and then it goes away and I can't steal it. So if we can achieve that by cooperating not on the data itself but on the kind of re-creation
of the identity in real time and the algorithm. The computation power is already there; it requires more inter-agency or inter-company cooperation than anything else, and I think if we can do that, and I think we're moving into doing that, there are more and more people that are starting to realize that it's actually important, and it's the right way to solve that conflict between preserving privacy and data versus solving security problems. So I started on the worrisome note, and I actually want to end on a very optimistic one, that I think we are moving in the right direction here. Thank you.

John Carlson is next. Great, well, thank you very much. I appreciate the opportunity to be here today. Since one of the advantages of being last is that the other panel members have covered some of the key points, I won't reiterate these points. Maybe let me first start by just giving you a little bit of background about what I do and where I fit into this ecosystem of big data. I tend to think of the organization that I'm the Chief of Staff for, which is the Financial Services Information Sharing and Analysis Center (it's a real mouthful; we tend to talk about it in its acronym, the FS-ISAC), as almost a little big data fusion center for combining information from voluntary sources. So this is an all-voluntary army representing 7,000 financial institutions; we're now in 38 different countries, primarily in the United States, to gain situational awareness of how the threats are evolving, to bring people together to talk about what their collective analysis is, and, most importantly, what steps should be taken in order to mitigate the risks. And because of our size now, because of our collaborative nature and the way we actually work with multiple government agencies, we also are now becoming a platform for collaboration and creating new entities to solve different issues that we encounter as we gather more information and learn about the things that we need to do in order to address some of the
emerging cyber, but also physical, related threats. So just to give you a little more background: we have a very high concentration within the commercial banking side, but we're growing in the other sub-sectors of the financial services industry, including credit unions, the broker-dealers, the asset management companies; we include all the major exchanges, all the major credit card companies, and have a very strong trusted network of practitioners that are constantly working together. What we do, as our name implies, obviously is information sharing and analysis, but also threat monitoring and crisis escalation. We have spent a number of years developing what we call our all-hazards crisis management playbook, which spells out how committees within the community have responsibility for identifying a crisis and then activating the response, and we have been working very hard with our government partners to match that up with various Presidential Policy Directives, including the most recent, 41, that was issued in July, which lays out the process in which the government will respond to a crisis and how they will collaborate with us. Increasingly we're working across sectors, so we work very closely with other industries like the electrical power grid, the communications sector; we even formed an information sharing organization with the major law firms; we support the oil and natural gas sector; we support the retailers, who in response to the Target breach formed their own information sharing organization a few years ago. So we play a really important role in terms of connecting different parties together. I also serve as a vice chair of our Sector Coordinating Council, which was a body that was formed after the 9/11 attacks in order to have a strong coordination mechanism amongst all the associations and the major operators of critical infrastructure, and then they have a partner relationship with the Treasury Department, which chairs a committee that includes all the regulatory agencies. In fact, Michael Barr
was the chair of the Treasury committee, the FBIIC, as it is known. We have also been investing in terms of automation and leveraging standards. There are two standards that the Department of Homeland Security, through the MITRE Corporation, developed, called STIX and TAXII. These are standards that categorize the information (that's the STIX part) and then can transport it in a machine-readable fashion, and so we've been trying to urge more and more sectors; the government now produces information in STIX and TAXII formats, and that radically reduces the amount of time it takes to disseminate information about attacks and to respond to that information, because you're eliminating a lot of manual processes that end up taking a lot of precious time. It also allows practitioners to focus on the more difficult risk issues as opposed to the noise, the nuisances that are out there in the environment. We do a lot of conferences; in fact, I just came from Nashville, where we had one of our big conferences, and we produce a number of best practices papers, oftentimes in collaboration with government partners. So we've done several with the FBI and the Secret Service around different types of attacks: various wire fraud attacks, such as the business email compromise, one you may have been reading about; the attacks on international banks leveraging the SWIFT network; the Bank of Bangladesh was a very high profile case, 81 million dollars, and it could have been much worse if it weren't for a few details that some of the practitioners and others noticed as they were processing the payments. But there's a real need for the industry to be constantly on guard because of these types of attacks, and as Michael noted, the adversaries are studying us very closely; they share information very effectively; it's a whole marketplace, and I think you rightly noted, certainly funded through bitcoin as a vehicle for exchanging service for fee. A lot of growth internationally; I've already mentioned other sectors; and then
communications. And part of the communications, the piece that we're now working on really diligently, is how do we assure the markets and consumers that their money is safe, that the infrastructure is safe, in response to different cyber attacks. And we've been conducting a series of exercises; in fact, there was a notice that Treasury put out last Thursday after we had a meeting at the White House with a dozen CEOs and heads of all the regulatory agencies, in which we talked about the culmination of several years of exercises in which we simulated various different types of attacks. In each of those different types of simulations we uncovered new things, either weaknesses or gaps, or capabilities that we needed to enhance, or policies that were very unclear on the part of the government, whether it's the regulators or law enforcement or the intelligence community, and we're really working very hard to try to mitigate and build greater capacity in launching a number of different initiatives. One initiative we publicly announced on Monday is the formation of a group within the FS-ISAC that is comprised of those firms that the government has designated as critical infrastructure, to do deeper information sharing, deeper analysis and deeper collaboration with government partners, and bringing in significant new resources into the fight against these different adversaries.
This is more of a marketing slide, so I'm going to skip this, but our members see a lot of value in what we do. I think Michael very ably went through what we see as the major adversaries. Obviously cyber crime is the big one; nation states is the one that is really causing us the most amount of pause, particularly around malware attacks that attack the integrity of the data. And this is a new domain; we're really not sure how this is going to play out, in that in the financial services community, like many other communities, we are built on trust in the integrity of data, and if you lose that trust, as we saw in the financial crisis of 2008, being more of a credit issue that led to a liquidity crisis, we can see some parallels in terms of the integrity of data in an operational risk environment through a cyber attack. So I think there's a lot of opportunity in the space, particularly in the operational risk world, to kind of better understand these risks and figure out what sort of mitigation steps need to be put in place, both on the public and the private sector sides, and it is a true collaboration. The one piece that's missing on here is the trusted insider, and we have seen time and time again the trusted insider is the one that's going to probably cause you the most damage, as the NSA has discovered through Edward Snowden and most recently through another Booz Allen contractor. In terms of what we're seeing of the adversaries: malware, obviously a big one; various forms of wire fraud, the latest version has been the attack on the individual banks leveraging the SWIFT system (actually the SWIFT system was never compromised; it's more the endpoints and the challenges of securing those endpoints); a lot of spear-phishing campaigns that we see targeting executives, being very precise, leveraging, as Michael noted, a lot of personally identifiable information that we as individuals freely provide, or maybe unknowingly provide, through the services that we sign up for or the deals, the discounts that we
get with different merchants and other providers. A big focus has been of late on ransomware attacks. This is an issue we're monitoring very closely in the financial sector; it's really hitting other industries much harder than ours. Health care has been probably in the news the most, where they encrypt the data, basically demand a ransom, or they'll say we'll DDoS you if you don't give us a ransom. Many organizations will pay, because if you're a hospital and you don't have access to your data you basically cannot operate, particularly in a world of health IT. So that's something that we've been partnering with the FBI, Secret Service and others to do some outreach on. Lots of challenges within the supply chain; just remember we're in a world of technology where there are multiple providers; individual organizations don't actually run these systems, their service providers do. Having good visibility in terms of those threats is a constant challenge and one that multiple industries are struggling with, and we see in the future a lot of the threats and exploits are going to come through the mobile platforms and the social media platforms. So what we do is bring this all together in terms of having these trusted communities of practitioners, where we organize based on what our members want us to do: we have communities that just consist of the payment processors, communities just consisting of the major exchanges like the New York Stock Exchange and others, we've got groups that are focused on small community institutions that are dealing with certain types of attacks. So we create these communities in which folks feel comfortable sharing the information. They have control over the information, and they can tag it in a way that it can be shared but without attribution, or it can be shared in a 100% anonymous fashion. That has created, and again, this is all voluntary, I want to make that very clear, it's very different than what is required in the mandatory information sharing,
particularly around FinCEN, which is a Treasury agency that requires financial institutions to report crimes, including computer crimes. That is the mandatory side; that is not information we will see; it's what the government uses in order to launch investigations and understand the risks that are out there. We're on the voluntary side, in which we gain a lot of insight in terms of what the threat environment is and share the information; the information gets shared very rapidly. To give an example, Dyn, a DNS provider, was mentioned. When that hit on Friday, the emails lit up and our members were sharing very, very rapidly in terms of who was impacted, what they thought the source of it was, what organizations could do in response. And our industry actually has a tremendous amount of intellectual knowledge about this, having been the victim of a major DDoS attack extending for about a nine-month period by a group of Iranian hackers. We know this because the Department of Justice issued indictments earlier this year, in which they targeted wave after wave of DDoS attacks against about 42 major financial services firms, and that was the event that made cyber, at least in financial services, a CEO-level issue. The Target breach made it a CEO-level issue within the merchant and the retailer community. So we've been getting a lot of interest in this space; we get a lot of support from the CEOs as well as the practitioners. And I'll just close by hitting on a few of the points that haven't been mentioned in terms of some of the big data related issues. One of the issues with big data is about the pollution of the data and making sure you are not introducing information that can lead you to false positives or false negatives, and that's something that's very important. It's an issue that we've been raising with the Department of Homeland Security with a new program that they've launched called the Automated Indicator Sharing program, in which we have some concerns about the level of vetting of the participants
that contribute information. Knowing who's contributing, having some information about the reputation of the parties that are providing information, is immensely helpful. I think in terms of the opportunity side, clearly a lot of good can come from big data, particularly around knowing who the actors are, both the good actors, people that you're trying to do business with, as well as the bad actors, understanding who they are and how they're proceeding, as well as having better and faster detection of the type of techniques that are coming forward. That's really what we focus on in the sharing community: it's about the tactics, techniques and procedures. We don't share personally identifiable information; we don't really need that information; we don't want that information, in many, many respects, because we really want to understand how to protect the institutions. And I think Peter did a great job; he's truly an expert on privacy, so I will defer to him on anything having to do with privacy. But the one issue I would say, in terms of the competitive and cost side, is these tools are not inexpensive, and that puts in some cases smaller organizations at a competitive disadvantage. They can sometimes mitigate that by being part of organizations like mine, to be a part of an information sharing community, to get the benefits of that collective information, to be there at the table to get the information when you need it the most. So I'll stop there.

Great, well, thanks to all the panelists for giving very cogent overviews of many of the dimensions that we're dealing with in privacy and data security. So I now open up the panel and panelists to questions from the audience on any of the comments, or any questions going beyond the comments that were made. Yes.

Hi, I'm Karen Fireman. John Carlson, I was wondering, when you mentioned the utilities, what type of data are they sharing, and is there a financial implication of that, because we could have a disaster? What type of utility information, and energy?

I
mean they typically share information around, you know, what type of attacks they're seeing, what sort of vulnerabilities they need to be focused on the most; oftentimes just trying to dispel rumors that may be out there in the marketplace. There's a term we use called FUD, fear, uncertainty and doubt, so we actually spend a fair amount of time, you know, monitoring the press, what's being reported; we monitor social media, and oftentimes we'll have to step in and say, well, that's factually not true, this is what we know in terms of what's going on in this space, or to try to correct oftentimes some misperceptions in terms of what's considered a hack versus a breach. In our world that's a big distinction: a breach is something that requires notification and a bunch of different regulatory interactions. But it's mainly around, as I mentioned, the techniques, tactics and procedures, how the changing threat environment is evolving, and just making sure there's a trusted, strong community that can respond very, very rapidly to events as they unfold. I'll give you one example. About a year and a half ago there was an incident, there were multiple incidents, with an airline company, a major newspaper company and a major exchange. The social media really lit up; people started saying it looks like a coordinated cyber attack against these three different industries, and we very quickly got the word out, actually the CISO from one of the exchanges got the word out very quickly, that it was not an attack, it was a software upgrade that malfunctioned; that's why it was offline for about an hour and a half. And through our coordination with our government partners, the CISO knew exactly who to communicate that to at DHS, so that that information got transmitted to the White House, and in an hour and a half the press secretary was saying it's not a cyber attack, it's a software issue. So having those lines of communication so that we can dispel false rumors is also a very important part of what we're
doing in order to maintain investor and consumer confidence.

In the back. For most of the community institutions, they are going to be relying upon a major service provider to manage their IT infrastructure in most cases, so they have the big guns, if you will, behind them through their use of these third-party service providers. That's in general, a general statement, but we do see a lot of situations where smaller institutions are very much resource constrained. It is an issue. They're all heavily regulated, so they all must adhere to similar standards in terms of security and vendor management, business continuity, so it is a burden. The regulatory compliance aspect of cyber is actually significant and growing, as we've seen just recently: New York has issued a comprehensive new rule; the Fed, the OCC, the FDIC issued a proposed rule, a notice of a proposed rule, last Wednesday; and we've seen through the examination process the regulators are paying very close attention to cyber. I think it's probably their number one, next to maybe credit risk these days, probably their number one risk issue. But it is a challenge, and to be in this space you have to have capabilities to defend against these types of attacks, because everyone's vulnerable. Any other comments? I mean, they're having to invest more, that's number one. I think some of the regulatory agencies have been trying to provide tools to help those institutions, so there's a cybersecurity assessment tool that the regulatory agencies issued about a year ago, and that's being used as a tool to help organizations. We've been strongly promoting FS-ISAC membership; in fact, I'm going to be speaking on a webinar on Monday with thousands of institutions to just review what we do and how they can leverage the community, and I think that's a tremendous resource. And for small institutions it's only $250 a year in membership dues, so it's a great way to be a part of a community and be connected at a very, very low cost. But that's just, for most
organizations that's a fraction of what they need to spend, you know, with their controls and the training and the technology and the contracts with service providers. Just really briefly, the word cloud can be scary for security because it's out of your control, but if you're a small institution, the ability to build it in house versus the ability to go to someone who's spending all their time defending, so cloud's a big part of the answer. And then I think not only within the industry sector but within geography there tend to be tiers of relationships; where you can, in Georgia, where I am now, there's a variety of ways that the different people in Georgia talk to each other, and the different banks in Georgia do, and so your people can be getting help from the community of folks that are nearby them physically.

And I'm Maria Cassani. A follow-up of your previous example with the exchange and a few other organizations. In this world of instantaneous exchange movements, where institutions, financial players of all sizes, move scenes in less than a fraction of a second, to wait an hour and a half for something to be identified or called a software update, it's almost a joke, because when an institution is having a software update, my experience in more than 16 years here at the University of Michigan has been that in my departments, anytime they are going to change anything in the software, I know; it doesn't catch me by surprise. So that in the major exchange they didn't know, and all of a sudden, oops, an hour and a half later we are already dealing with it? We are prompt; an hour and a half in the market is way too long. A statement or a question? Please comment on it; I mean, what I want to know is how could something like that take place, considering that everybody knows when they are changing software. Well, I mean, I'm not in a position to defend that particular organization, but I will say these technologies, these systems, are highly complex and they are very interdependent. The fact that
they work at the percentage of uptime that they work, to me, is a miracle. But organizations do spend, particularly in the financial services space, a tremendous amount of time and energy on the controls, the backups; there are requirements for certain types of firms: you have to be able to be back up and operating within 2 hours or 4 hours. These are things that were implemented after the 9/11 attacks; there are requirements to have out-of-region backups, independent staff, independent telecom communications systems. So things do go wrong, and being able to respond when things go wrong, both in terms of trying to get your systems back up as quickly as possible but also communicating to your counterparties that something is happening, that it is a bounded problem, meaning it's a software upgrade, we are working on it, versus it's a cyber attack, we are not sure we are going to be back up, we are investigating, the regulators, law enforcement people are on site, that's a different set of issues that organizations need to take into account in terms of how they are going to operate and remain resilient. So it is a fact of life that we will have failures from a technology point of view, but it is also a requirement that firms of this type have very robust programs and well-organized, well-exercised response procedures for when something unfortunate does happen, because it will happen.

Question over here. The litigation, or whatever the confidentiality agreement might say, once data gets accessed incorrectly, what could you look at at different agencies or companies, set up for infrastructure, to make sure you are giving it to somebody that is going to protect it? What safeguards or standards would you look at to give you some degree of comfort?

Well, first off, if you are in the financial services space you have to report certain pieces of information, particularly if it is a computer intrusion, a cyber attack. Even FinCEN, I think, released on Monday or Tuesday an additional advisory spelling out what you
should and shouldn't report and encouraging organizations to share more information on the private sector side I think what is interesting is what we have been trying to do and what the administration has been trying to do particularly over the past few years has been to try to share more information bidirectionally and to try to get the government to declassify more information to share what is considered actionable information so for example and they do share information most classified information and the government multiple government agencies have been working very hard to do that and to try to expedite the process and there have been a number of events that have occurred in which we have encountered situations where one government agency said you can't share and another government agency said you should share and they have become case studies for how we have tried to work with our government partners to say look in certain circumstances you really need to know the victim party not to share the information because that is information that could be immensely important to others within the community in order to know what to look for and even though there may be an investigation going on whether it is a criminal action meaning organized crime or it is a nation state action and that is the piece that often time trips up the government because there are different agencies that have been involved in this enforcement event and I think the government has been working very, very hard and through some of the exercises that I mentioned we have been trying to really work collaboratively to encourage the government to think whole of government not each agency has their equities they are only responsible for this but to think about how this is going to impact the economy, the sector, the individual firm and the response and I think there is still a long way to go but I think at least this administration has been working very hard to try to work through some of those issues 
There is a question here Let's presume there is an attack of some kind that corrupts a market over some period of time either with respect to individual transactions Ethereum kind of of a piece or more systemically what would be the appropriate regulatory response to that having happened and I am open-ended on this would you imagine a rollback we just unwind everything until 9am that Thursday never happened would we try and have more individualized corrections I think of the Ethereum circumstance where they essentially organized a posse and went out and just reversed a bunch of the things that had happened we need traditional authority to move quickly I am just wanting to speculate a little bit about what would be the tool kit for something like the treasury or whoever is the appropriate regulatory body to have in hand to move quickly to reestablish or correct or whatever it is that is appropriate Sure, please So one thing is in security it is often taught as CIA confidentiality, integrity and accessibility or availability Data integrity has been a problem for computing since the start it is not a new thing also fraud was not invented with the computers that existed before then so there has been bad data inside financial systems since forever I think where the problem is that there might be extremely clever, extremely pervasive and subtle fraud deep into who owns the stocks and all sorts of other things and there is not going to be some one size fits all but I think the predicate a lot of times will be when you had fraud inside a system how do you unwind it and that will give you a lot of hints about when there is fraudulent data inside the system how do you unwind it I would add to that there are a number of tools that the regulators do have I think they are also thinking through what additional tools they need to have in response to a number of different scenarios but the current tools they have today would be assessing what is happening to the institution so 
that automatically triggers intense dialogue and just to be clear for the large institutions examiners are there on site every day of the week so it is not as if they are parachuting in second as a blunt force instrument they could mandate a bank holiday so they could close the institutions close the markets if you will that has its own complications and issues associated with that we know from physical events like Hurricane Sandy we did close the markets for a few days in response to that there have been other instances where we have come close to closing the markets in response to different events that are occurring if it leads to a liquidity event the Federal Reserve the discount window could be a tool another blunt force tool and then there is a special program that has been developed over the years called a request for technical assistance in which through the regulator through Treasury through DHS a target or victim firm could receive specialized assistance from law enforcement and the intelligence agencies to help with forensics or help with response to an event again that is a tool that takes time for something that is going to help you resolve your problem overnight but it is an additional layer of support that the government has been trying to build out and we have been trying to socialize with the institutions their general counsel so everyone is aware this program exists and if they need it they are not in the position of trying to understand it or evaluating it they would have already done that ahead of time several questions let's start with this one down here we are currently at the start of the Internet of Things so we have many small networked and unpatched devices which is probably the largest problem do we foresee there being constant and increasing DDoS attacks because of all these devices in the future are we going to be looking at internet services become increasingly unusable as a result of that and if not what measures are we taking or what 
we will be able to do to prevent that from happening so the first is the conversation about all of these devices being compromised and used as a huge botnet for attacks was discussed ten years ago so there was nothing surprising here besides that it was surprising the second is I think the number one measure toward security is people being aware of it so I don't know if it's 100% but definitely 99% of all attacks could have been avoided if people in that process would be security mindful when they write their software when they decide their passwords when they give someone else the right for authentication the biggest issue with all of these devices in none of the manufacturers or the people involved in this think security they try to make it as user friendly they rarely have even an individual in the company that cares about security because no one surprisingly to me thought that some of them will be used for this I think because the magnitude of or at least I hope that the magnitude of the event last week would start having this conversation within those companies and then remove all the default passwords which is extremely easy to do just think about it all of your data exchanges and all of your networks that don't have to be public are not public and there are so many procedural measurements you can take within this whole ecosystem to prevent a lot of it now it won't prevent everything the more devices you have the more easier it is to manifest the DDoS attack but then as technology evolves it's also easier to protect it make sure you don't collapse so it's an evolution but I think I am positive that what happened will change the perception of it just wanted a brief follow up I think it's interesting to think about the fact that right now there seems to be no liability from a company's point of view when they're manufacturing products and I install that product in my home and then it's used for a DDoS attack the company is not liable for the fact that their 
device got taken over so why is the company incentivized to spend any money putting into place even basic security controls on the device and why am I as an end user going to take any steps to secure that device and so I think either the liability question has to change or policies and regulations have to be put into place to make sure that basic security practices are followed I would add another point there it also raises issue for the pipes the ISPs they would argue that they are dumb pipes they have to deliver the content they can't filter the content we had a lot of issues in discussions with the ISPs after we had our series of DDoS attacks and said you guys need to step up to the plate and do more in terms of filtering what's known malicious traffic and to drop it it also raises some issues particularly when you're dealing with what's believed as a nation state attack what's the role of government in defending the private sector or individuals and that's a very complicated equation I think the government has really struggled with that issue I think what was very fascinating for me is that when the Sony entertainment was attacked by the North Koreans it was a destructive malware attack it was the first time the government publicly responded acknowledged it and it stated the basis for which they were responding to the attack on an immediate company and they didn't want that to send a green light to any other adversary whether it's Russia or someone else that the United States government would not respond to that type of an event so these types of things that start small in terms of all these different connected devices with no liability very little responsibility it can very quickly cascade or escalate up to a very significant policy issue that the government is still struggling with how to respond to maybe to add one thing for this if you consider self-driving cars to be a huge IoT industry if they won't protect it and then all of a sudden you can have someone 
hack 100,000 cars and drive them all into bridges then first you have to solve the liability issue because now it's not the internet went down for an hour it's okay no but when you compare the magnitude of these two events it's not even the same scale I'm afraid we're out of time and we have a coffee break that's coming up right now and I'd like to thank all the panelists for their participation