 I'm really looking forward to this panel. I'm looking forward to both panels. But this panel I'm looking forward to in particular because I'm on it. And I won't actually have to, and I won't have to do anything because these people are so great and know so much. Ashara Zeese is the founder of FireEye, a CTO. I was kidding him about it. I think I met him at Sun a long time ago. So you have Sun Microsystems that's sort of populated through the IT community. And a lot of the joke about the company was that they were really, really smart, but just didn't figure out a way to maybe monetize that. So anyhow, you've solved that problem. And grateful that you can be here. Shane McGee, general counsel of Mandiant. Mandiant, you've probably never heard of. It's a little company. But we're very grateful that he's here. James Mulvannon, probably, I'm going to say, probably the leading expert on China when it comes to this stuff. That puts you on the spot and he'll spend the rest of the panel dodging questions. But he is indeed the leading expert and a friend. And Ellen Nakashima, globally famous now. When I was standing out in the hall, I heard people at the coffee thing saying, you were the go-to person in Washington for this stuff. And I thought, oh, I can't ever get away from it, can I? So Ellen, we're very grateful to hear. And finally, Sean Henry, now at Cloud Strike. But Sean, of course, is familiar to all of us. The guy who was really one of the people who turned FBI into one of the best cyber outfits in the world. So when you think about FBI capabilities, maybe 10 years ago, 15 years ago, and where they are now, a lot of the credit for that really goes to Sean and deeply experienced with a lot of these issues, both from his cyber side and from some of his other assignments. So with that, what I'm going to do is ask each panelist maybe to give a few opening remarks. We're talking about identifying the threat. Maybe five minutes or so identifying the threat. And then we'll turn it into a discussion both among the panelists and with you, the audience. So Ashar, why don't we start with you and just go right down the row? Yeah, so good morning, everybody. And thank you, Jim, for that kind introduction. I'll just speak about the threat from the perspective that I have since I started the company because the threat was the problem that I was looking to solve back in 2004. So as an entrepreneur, I believe my job is to solve difficult problems. And I actually was on the hunt for a problem at the outset or the founding of FireEye. And I found this problem, interestingly enough, in the archives of the DoD. The DoD felt the pain of the potential of evolution of advanced and stealthy malware. And the implications of that malicious code were actually wide and deep. The more I studied the problem, the more it became obvious that this was perhaps the defining problem of the 21st century. So in finding a problem, I think I found a big one. And it's a complex and challenging one. So while there's some good news to be had in terms of the technical advances that we have made in countering the threat, there's still sobering news that this is still one of the most challenging problems of the 21st century. And I think the recognition that cybersecurity right now opposes one of the deepest threats to the security of this country above and beyond terrorism is a recognition of the growing problem here. So I started the company in 2004 with the belief that malicious code would acquire a purpose beyond self-propagation, which was its entire purpose in 2004. It was kind of like Amoeba flitting around on the internet with no purpose, with no obvious goal in mind. But if you could give this piece of software a goal, what goal would we give it? And the goals that came to me at the time were obvious, that if somebody can plan code on somebody else's computer, then they can steal the information from it. And so theft of both information in financial assets became the obvious evolution of malware as the problem was being studied in 2004. And this should not be a surprise to anybody. This is not something that we should be shocked by. Theft is endemic to human nature. We've had thieves since the dawn of society. And we have had spies since the dawn of organized society and cities and nation states. So to the extent that information has flowed into cyber realm and that assets have moved into the cyber realm, we will have thieves in cyberspace and we will have spies in cyberspace and there is no treaty that will abrogate that just as there's been no law that has abrogated crime. So there is going to be no law that will ever abrogate crime in cyberspace. People will continue to conduct this so as long as there is a cyberspace, people will continue to infiltrate cyberspace and they will continue to evolve their techniques. At the time I started studying the problem, it was also obvious that the defensive measures that were in place, unfortunately nine years later, are still mostly the same defensive measures, would be hopelessly inadequate when the malicious code acquired a purpose. So if I'm a thief, my job is not to announce my arrival. If I'm a spy, my job is not to announce my arrival. And if the agent of the thief or the agent of the spy is a piece of malicious code, then the first thing it will acquire is a stealthy countenance to itself and it will come in unannounced and leave unannounced and it will not be something that'll be easy to identify. So the ability for code to be shape-shifting or morphing constantly to evade the pictures of the code that exist in the blacklist signature databases was the obvious evolution that was anticipated. So my hope and my goal was to create a new generation of technology that could better combat this threat. And I say that very carefully, better combat this threat because the threat is truly insidious and I don't believe that there's ever going to be anything like a perfect defense. But we can have a defense that is a lot, lot better than the defensive measures that we have today. So that was my goal and hope in starting FireEye and just sort of leave it there. Thank you, Shane. Thanks, Jim. Yep, red button. There you go. All right. There's only one button. I should have figured that out. So we're talking about the origin and the problem and I'm from Mandiant and we issued a report relatively recently about China as it relates to APT-1, the Advanced Persistent Threat Group 1. How many people read that report out of curiosity? Okay, great. So you think when you ask me what the origin of the problem is, I'd say, well, China. China's not really the origin of the problem. China's just successfully, if you can call it that, taking advantage of the problem. I think the real problem here is what we call the security gap. The security gap is the difference between our development and continuation of innovation of technology and how much we're willing to put into recent, how many resources we're willing to put into security. So the gap between those two things is what we call security gap. We're always going to innovate faster than we're going to look back and try to plug any goals that come out of that innovation and that's how it should be. We don't want to cripple our own innovation by doing more than that. So how do we eliminate the security gap? There is no technology out there that is gonna eliminate this gap for us. There's no law out there that's gonna eliminate this gap for us. The best we can do is invest, I think, in a combination of good technology and good people. I think good people being probably the more important of those two things. One of the most important consequences of the security gap, I think, is that prevention is impossible. 100% prevention is impossible. You heard this morning, people talk about this defense architecture, the Maginot line, all these things are incredibly important. We have to put these protections in place. That will stop a good deal of the threats out there. But there's always gonna be this gap, these 10%, 5%, 10% of attacks, these advanced threats that cannot be prevented. And how do we solve that problem? Well, we need to be able to detect, contain, and remediate those types of intrusions in minutes. Detect them by far the most important part of that. Make sure you have technology, people, and an ongoing business process in your company so that you are always looking out for intrusions, things that get past the Maginot line. You detect them, you contain them, make sure they don't spread to different systems, and then you remediate. You kick those people off your network. Again, I think this is very important as part of an ongoing business process. People generally think as incident response is something you bring someone in to take care of, be it Mandiant or someone else. You kick these people off your network, and then you're done until and unless something else happens. No, you have to be constantly vigilant, no matter how many defenses you put in place. There will be people to get by. Also wanna talk about a couple trends that we've seen at Mandiant. We respond to a number of events so I think I could be most helpful in talking about what we see in terms of the threat. One of the strongest, most important trends we've seen recently is this concept of outside in. Attackers getting through to your company, your networks, through outsourced service providers, vendors, companies that you're acquiring, if they can't get to you directly, and depending on the team, they probably could, but it's probably easier to go through another smaller company or a weaker partner to get into your network. We're seeing more and more of that, and it's easy to see why. In 2012, companies spent twice as much on outsourced service providers as they did on security. So they're relying on the security of these other companies who are really just struggling to get by and a lot of them haven't necessarily put in effective security measures themselves, offering the adversary a back door into your network. A second trend we've been seeing, sophisticated network reconnaissance. So the APT, the Advanced Persistent Threat, I think like Dave said this morning, the vast majority of that is China, so it's really just a suit of them to some extent. But the reconnaissance we've seen by these attackers has certainly grown in sophistication in the sense that they're no longer just trying to get in any way they can fumbling around until they see something interesting or see what they're looking for and they pull it out of your network. More and more, they're focusing on system administrator accounts or compliance level accounts that have information about, for example, your PCI audits. Why do the work themselves to figure out where you're vulnerable if you know exactly where you're vulnerable and they can just pull the report from you and exploit that. So it's a much more sophisticated approach than what we've been accustomed to seeing. Also persistence, the P in APT is persistent threat, but there's a new level of persistence. It's not just a persistence mechanism, something that these attackers put on your system after they get in there to make sure that they're ever present, to make sure that if you clean one or two systems off that they're gonna be able to continue to navigate your network and pull down your treasures. Now it's more, even if we do successfully kick them off our networks, they're just waiting in the wings with another attack. They'll wait a couple days, a couple months, and then they'll come back and they'll attack you again and more and more, it's not just the same team coming back and attacking you. There's some level of coordination among the APT teams so that they will come back and attack you from a completely different direction with new tools, techniques, and procedures, and they'll gain access to your network again. And this goes back to my previous point about being so important that this is an ongoing business process. You do not let down your guard. You absolutely have to have people that are watching at all times. Finally, the fourth trend, more targeted drive-bys. We're all familiar with phishing at this point. We know that the APT and other advanced teams use phishing quite frequently. They send you and your employees email messages that look like they're from trusted senators. You click on a link, you're compromised, they navigate from your system, they go through your network and they compromise your entire network. Now, as we're getting more technologies in place to detect and stop those types of phishing attacks, they're relying more on drive-bys. Drive-bys are where they compromise another weaker website that they know that your employees frequent and your employees will go to that website as soon as they go there or as soon as they click on something on that website, they'll be compromised that way. And it's a much more difficult problem to solve unless you're just gonna cut out all web browsing. Sometimes they can compromise entire industries or multiple companies within an industry at least by going to, for example, an industry website or an industry portal if they want particular information from, say, the automotive industry. They can go to a vendor of automotive parts, compromise that site so that all the automotive manufacturers are compromised. So those are just some of the trends we're seeing just to add some color to the threat. Thank you. This is always such a gloomy subject, isn't it? And now, to bring us cheerfulness and light. That's right, exactly right. Well, let me go first against my Irish nature and start with some good news. Since we're at CSIS in the spirit of Kurt Campbell, I have three brief remarks. We have come a long way. Things do look bad, but we have come a long way. I've been working in the Chinese Intrusion Set since 1998. And then it wasn't even known as the Intrusion Set because the China's cyber threat that was causing us to cower in fear was that they were defacing whitehouse.gov's website. It was the script kitty patriotic hacker types and we thought that the world was coming to an end. But oh, for those Halcyon days when we were worried about the whitehouse.gov website. But up to about five years ago when senior policymakers would ask me about what we were gonna do about the China's cyber problem, I would say to them, ma'am, we have an attribution problem. And the attribution problem undermines our ability to come up with the downstream set of policy objectives and policy implementation that we could do something about it. The good news is we no longer really have an attribution problem. We have scads of attribution. We have deep, deep attribution. Now the challenge for the last two years in the policymaking realm has been what do we do about it? What are the steps that we can take? And people are basically with a copy of Tom Shelling's strategy of conflict tucked in their back pocket trying to figure out how we actually repair the airplane at 30,000 feet and do something about this cyber threat even with exquisite attribution. Now in previous four I've talked about a range of things that we've thought about. We've thought, well let's just declare that we have a deterrence policy and we know that the problems that are associated with that or let's just focus on buttoning up the defenses. It's really about the choice of firewall or it's about the edge and all this. And I think that the previous speakers have highlighted the extent to which we actually needed to change our entire mindset from a perimeter defense mindset to a defense in depth mindset where you knew there was gonna be compromised hardware and software inside your networks. You knew that you were gonna have advanced persistent threat but you couldn't just curl up in the fetal position on the ground. You still had a mission to carry out. You still had things to do and that's led us to things like virtual encrypted enclaves and other unique ideas that have come along that say okay my network is compromised but I'm still gonna be able to operate inside of it. But that wasn't enough. Now of course there are always people who say well the best defense is a good offense. Let's scare them straight through our own enhanced computer network exploitation campaigns. Let's steal all their stuff. Then they'll really feel the pain and everything will come to a balance. One is someone who recently took his two teenage daughters to the Fairfax County Juvenile Detention Facility to emphasize to them why they needed to listen to their mother. I mean I'm sympathetic to the scare them straight philosophy but the problem is the Chinese in particular already believe we're ubiquitously intruding their networks. So you're not changing a mindset by doing that to them. What we've happened upon as one of the tools is we have to get the Chinese and the other adversaries off this idea that when they exfiltrate the data out that it's pure. They believe this is ultra. This is the most profoundly successful intelligence campaign they've ever had. They believe with metaphysical certainty up until the recent times that what they're exfiltrating is actually true. But using deception and poisoning the well and doing things like that in terms of the data exfiltration is obviously not new. It can be technically difficult but we've seen the tried and true methods that we've had in the counterintelligence and counterespionage realms have really helped us. We obviously can't affect everything but we do focus on key areas. We wanna corrupt the inner workings on their end because we know that if we sow that kind of distrust if the intrusion sets tell their leadership that the carrier strike group is at one lat long and it's at another that will lead to circular firing squads on their end. Who's the leak? Who's the mole? Of course every ounce of bureaucratic energy they spend on finding that is an ounce that they're not spending and treating our networks. And hopefully in my view it will accelerate centralization trends that we see on the Chinese side for them to move decision making about these operations to higher levels to play into their natural control freak tendencies that we associate with the Chinese government and move them from a system in which they have a bottom up entrepreneurial grassroots oriented intrusion system where people are encouraged on their own initiative to go out and find data and tools and accesses to something much more resembling our system which is top down, authority centric. In other words, I would offer that our policy goal should be that we wanted to make it as difficult for the Chinese military and the MSS to get a C&E operation approved as it is in our system to get a C&E operation approved. To me that would be a much better world. So finally though to support that we need a different type of intelligence than we've had to this point. We still need the technical intelligence. We still need the Mandians and we still need everybody like that who can tell us the specific malware signatures and things like that. But we also need an intimate understanding of the adversary. And unfortunately this means largely doing it in native language. And we're just beginning to develop new techniques and capabilities in these areas. I'm a Chinese linguist. I have large teams of Chinese and Russian and Farsi linguists who look at this problem. But understanding rather than laying back and doing the forensics of the intrusions after they're already in and remediating it there we also need to be forward. We need to be inside their system. We need to be looking at their websites and chat rooms and bulletin boards and blogs and IRC and Silk and everything else. And anticipating and doing indications and warning of intrusion planning that's ongoing rather than simply trying to remediate things necessarily only remediate things that are happening inside our networks. We need to obviously do it both. And we need to do it smartly, which means not going there via conus-based IP addresses and things like that, but utilizing the technologies that we have that allow us to do it securely. Because I think then and only then with the combination of that kind of technical intelligence but also having deep adversary intelligence that can inform the deception and offensive counterintelligence operations the things we wanna do, only then can we change the cost-benefit calculus of that adversary and really impose the kind of costs that our leaders are talking about in terms of rolling back the scope and scale of this intrusion set. Thank you. Great, thank you. Ellen. Jim, thank you for placing me right after Dr. Mulvennan. It's just impossible to follow. But thanks again to CSIS and FireEye for hosting this panel. I'm not a technologist or a cybersecurity expert or policy expert unlike the people on this panel who are the experts and who I actually gain a lot of my insights from. So what do I have to... I do not accept that. Well, it's accepting Sean who has never been a source of mine, right? No. I'd like to just put that on the record. On the record. So what I have to offer is as a generalist is just some of my insights and observations from several years of covering this, not because of any special technical expertise, but just from the average person what I think is kind of interesting to note. James mentioned Chinese espionage and counter espionage and now of course the Chinese know we are interested in doing deception to them. So maybe we should also think about what sorts of deception they are doing back to us. But it's interesting to note that with all of the attention paid of late to Chinese cyber espionage, theft of IP, the widespread persistent campaign, it should also be noteworthy that the Chinese are also into our networks for counter espionage purposes. Spy versus spy, hacking into the servers of technology companies like Microsoft and Google in order to find out who the US might have under surveillance through Gmail or Microsoft Mail, for instance. It's not something we often focus on, but that is yet another direct link between cybersecurity and national security. If you think about how interwoven the US surveillance system is into the private sector and how dependent then this surveillance system is on the security of private sector networks, just something to think about. Another to me significant development in this advanced threat space is one that is playing out right before our very eyes and that is the palpable shift in the US government's stance in confronting China. People like James have been saying China publicly the same sentence as most aggressive collector of cyber economic espionage for years, but it's only been recently that we've heard senior administration officials, most notably national security advisor Tom Donlin publicly calling out the Chinese to warn them that if they don't stop their campaign of economic espionage it could damage the relationship and that's been also going on at senior levels in bilateral meetings more privately. But as James pointed out and others have as well, the next question is well, so if they don't shape up, now what do we do, right? Will our words be backed up with actions, visa denials, trade sanctions, prosecutions as the justice department has been talking about bringing against nation states for cyber economic espionage where they can prove that perhaps the IP that was stolen actually benefited a company in China. I think those are all interesting trends to sort of to note and watch if that actually happens. With a state like Iran, I think the challenge is much trickier because the US does not have, for one thing, diplomatic relations with Iran, it's harder to read their intent, but while they are not in the top tier of advanced threats yet, they are trying and they are likely to have more motive to want to disrupt critical infrastructure systems in the United States, say than the Chinese. And we have seen evidence of an effort to raise their game with Shemun last year, the wiper virus, some analysts do not believe that the Iranians were behind that threat, but the US intelligence community believes that it was the work of the Iranians. So something to watch there and in any case, just a week or two ago, the Department of Homeland Security put out a threat alert first ever, I believe, to the critical infrastructure community that there was a cyber threat potentially to disrupt industrial control systems. Again, this goes beyond the threat of just stealing intellectual property. And the alert did not mention any country, but there has been renewed concern among government and industry officials of increased activity coming out of the Middle East and in particular Iran. So now that we know the Iranians have gone after Wall Street with DDoS attacks, if they're moving on to industrial control systems, I think that's worrisome, something to watch. And finally, I wanted to just say while we're talking about advanced capabilities, Israel is worth noting their top tier, but because we assume they don't want to attack us, we don't mention them as a threat. But when people with top tier capabilities don't adequately protect their tools, that can sometimes lead to unwanted discoveries. So in at least one case, some suboptimal tradecraft resulted in the discovery of a sophisticated cyber espionage tool called Flame, jointly created supposedly by the US and Israel to gather intelligence on a wide variety of targets. Including Iran and US intelligence community experts believe it would have remained hidden had Israel not launched a wiper virus against Iranian oil export facilities last year that caused minor disruptions but led the Iranians to investigate through Kaspersky labs, for instance, and thus to discover Flame, which had done the reconnaissance work on the system. So in the interest of keeping my remarks brief and getting on to the real interesting part, which is Sean and Q&A, I'm going to stop here. Okay, thanks, Ellen. Thank you, Jim and FireEye for hosting this. I really appreciate it. I had a list of some talking points and after Dave DeWalt and Chris Inglis and this esteemed panel, I kind of checked off each one as if somebody already said it and the very last one I had Ellen just said, so I've got nothing to say. Good night. Let me just reiterate a couple of things that I think are really important, at least for me. I spent 24 years in the FBI, much of my time in the last 10 years focused on the cyber threat, now at CrowdStrike from the private sector side and kind of looking at this confluence between what we've seen in the government, what I see now in the private sector and how much has actually changed since I left the FBI over the last year, certainly from an awareness perspective to hear the US government come out publicly and make assertions and to hear the President of the United States during the State of the Union address to talk about this threat and about China very, very specifically. That to me is a dynamic change. I think a lot of that has to do with a lot of people that are here in this room, not just here but also in the audience who have been talking about this to raise awareness to the private sector, to really alert people to how significant this threat is, what the risk is to our national security, to our economy, to our way of life, quite frankly. And that's really, for me, been one of the most dynamic changes. We hear about China all the time, but the reality of it is there are dozens of countries that have aggressive electronic espionage programs in place. And it's not just nation states, but there are terrorist groups and many of you may have seen recent reporting about those that are sympathetic to the jihadi cause who have actually called for electronic jihad against the West, where they've actually called for young men who are sympathetic to the cause to rise up and to use their capabilities, their electronic capabilities to use the tools to target critical infrastructure, target the financial services sector. That to me is very, very interesting. We talk about nation states, many of whom have reasons not to attack in a very, very destructive way, but terrorist organizations have a very different perspective. They've got a different agenda. They've got different motivation and that is equal or more of a threat. Ashour had mentioned in Director Muller has said as well about this exceeding, cyber exceeding the terrorist threat, but I would actually ask you to think about it in a different way because it really is a tool and it's the tool that's used by terrorists and foreign intelligence services and criminals. So while it absolutely will enhance the capabilities of terrorists and make their threat to us more imposing, it also enhances the capabilities of criminal, organized criminal groups and of these foreign intelligence services so that all of those threats, their capabilities are raised and they are taking advantage of the same technology that makes our lives more effective and efficient. They are becoming more effective and efficient themselves. One of the other pieces, much of what we've seen, what you've read in the media through the good work of many of the people here to get this message out, there's still, this is just really the tip of the iceberg and much of what has occurred and is occurring, you still have not heard about because that's below the waterline. I equate the aggregate of all these cyber threats as an iceberg and what you've heard about, a million usernames and passwords have been stolen and somebody lost $100,000 through some fraudulent ACH transfer, some denial of service attacks, that literally is the tip of the iceberg and what's occurring below that waterline, which I've seen because I've been circling it in a submarine for many years, is ominous and again, really important for us to continue to have discussions like we're having here today. I would also highlight the point about the supply chain, what I call the supply chain and while you may increase your defenses and raise your capabilities and reduce your vulnerabilities, the threat is not just to you but to everybody you are doing business with and the adversaries are becoming increasingly sophisticated in their interest and willingness to target the everybody that you're doing business with. Let me end here because I know we wanna get to questions. I have a couple of letters myself. I heard Chris and Dave using their acronyms. When I was in the bureau, I had what I called the four P's and I think that they actually absolutely apply in the private sector as well. Being proactive to James Point, being able to raise the cost to the adversary, right now there's no cost. The risk is about zero because people have been called on it for years and years and nothing's happening and they continue to do it. The value is up here, the risk is here and until we invert it and make things more difficult and challenging for them, this goes on unabated forever and I think the denial and deception is key. Changing the way that we look at these things and being proactive on the networks, not in an offensive aggressive way. I am absolutely not suggesting we're hackback but on the network that we create capabilities that make things more difficult for the adversary. Being predictive, using intelligence to understand due attribution, to raise an awareness about who the adversary is. Technology is a piece of the solution but it is not the sole solution. There's policy, process and strategy that if you employ them on the network, you can be much more robust and resilient and that really comes down to using intelligence to become predictive and then preventative where you can prevent the consequences. You are not, as my colleagues here have said, gonna prevent the attack but if you identify and detect the attack early enough, you can prevent many of the significant consequences and the last piece is the partnership piece which really is the government and the private sector, intelligence sharing and making things much more collaborative in that way. So, Jim, let me turn it over to you and stop there. I know there'll be a lot of questions. Yes, great. I in fact have seven questions already and so I know we've got a lot. I'm not sure which one to start with so I'm gonna start with one that's a little building off some of the things Sean said but when you look at, so one of the things I think we've heard today is it's really not that hard to do this and if you kinda look at some of the tools that are available online, you could develop some nice capabilities. Why haven't hacktivists, why haven't the non-state actors been more aggressive? Why do you think, when we think about threats, we've talked a lot about nation states and they do appear to be in the lead. When should we start looking for what are the signs that the anonymous is or the all sex or somebody like that will be the people we have to worry about? Because I don't think it's lack of technical capability. What is it that's going on? Do you wanna just go down? Let me just give you my perspective. So yes, there are a lot of tools out there and you can buy them if you have money. Having said that, there is a difference between the kind of tool that allows you to infiltrate into an organization and plant malware there versus a tool that can cause real destruction, right? We cannot underestimate the difficulty even now with all the tools available to truly develop a very destructive cyber weapon. I would say the cost of that is probably between 10 to 20 million dollars. So it's not your average hacker that will do this. Why is it that? Because it goes beyond having code. You need to have physical infrastructure. You need to have the SCADA controller. So Stuxnet was developed with incredible QA performed on the physical machines. This is not gonna be developed in a basement. You need to have the physical infrastructure. You need to understand and have the reconnaissance to know what systems run where, what versions of the code run where so that they can be attacked, right? So now, having said that, 10 to 20 million dollars is not that much money, right? And it is certainly a lot lower bar than developing a nuclear weapon, right? So it's not trivial. You can't go use Zbot and have Zbot crash the grid. On the other hand, you don't need to work like the Iranians have for almost a decade to go build this if you are focused. So I think the comments made earlier about the nation states not having the motivation to do what they're certainly capable of doing, which is destroying the grid is what has kept the grid up till now. The non-state actors, particularly the jihadis and the other people who have a nihilist agenda, right? So you have to have a nihilist agenda if you want to do something beyond financial or information gain. So those guys have not had either the ability to conceive of such an attack, but my sense is that that is not very far away, that if they can imagine a physical attack, not just imagine it but see it happen to a country that they perhaps care about, that they will be motivated to go construct a cyber to physical attack and probably the clock is ticking down on that event right now. I think, excuse me, I think Ashar headed that on. I also think being state sponsored gives you just so many different advantages in terms of your ability to create this type of malware. And it's not just the resources, the financial resources, and it's very much so the architecture and the backbone, like Ashar said, but it's also the ability to coordinate amongst yourselves without any sort of external influence, be that external influence your day job and a lot of these activists have day jobs. They're not able to give the same type of time and attention to these issues as state sponsored actors, but it's also just a matter of being able to coordinate with large teams of people that the hacktivists are being investigated. They're at risk of being arrested in any time. They can't disclose their identities or shouldn't disclose their identities to each other. So it's much harder for them to coordinate internally than it is for the state sponsored actors. So it's the coordination, the ability to coordinate the resources, the backend architecture, everything. I think it's very difficult for the hacktivists to get the resources they need. Jim, I think another feature of it is, if I was channeling my former Rand colleagues, Bruce Hoffman or Brian Jenkins, I would say that historically, particularly the extremist element, the sort of shock value of explosions and other types of terrorist attacks that have that immediate television political impact. I mean, I think Bruce Hoffman in particular has talked about how the real purpose of a terrorist attack is to get people to see the attack on television and to be scared and everything else. Whereas in many ways, historically the plausible deniability of cyber attacks undermined the political impact of a terrorist attack because it could just as easily be our shitty critical infrastructure that failed, rather than, you know, as someone who just spent two and a half hours on the 395, it could just be our critical infrastructure that just folded underneath us rather than something malicious or deliberate. But I would say that the reason I would, the reason I would caveat that now is moving forward, the trend lines that we have are pushed towards connectivity over security, our move to mobile, the way social media allows adversaries to enumerate targets means that basically we have more on the grid, we're more vulnerable, we've put, you know, we have much more of the critical infrastructure that is now accessible. Therefore, the impact of these attacks every day could be potentially graver as residents of Northern Virginia know when you lose electricity, everything else completely collapses around here. And so, given that, the trend lines over time, I think argue that this becomes a much more attractive target for people who wanna do devastating damage to the United States and its allies. Thank you. I don't have much more to add, except to say that I would also highlight the difficulty of doing the reconnaissance work and getting the intelligence on your target that is so crucial to a successful destructive attack on an electric grid or critical infrastructure. It's not just a question of buying and exploit on the black market. You have to do a lot of exquisite intelligence work that is not often just within the easy grasp of the average hacker or hacktivist group. And then to James's point about the anonymity of the internet, I actually think that if, you know, every time there's a Metro derailment or some act of nature and trains crash or people die, I always, first thing I think is, was this cyber? I mean, if it's not active nature, if it's the trailed derailment, is it cyber? Because imagine if a terrorist group actually put out a message on a forum to claim responsibility. I think the impact of that would be just a lot bigger than something that was caused by a malfunctioning system. So. What they said. Well, coming from a guy who's actually arrested some of these folks, I guess we could just take it at that. I'm gonna do one more and then we'll turn to the audience. So in a few weeks, the president will meet with President Xi of China in California and for a summit. That's good. And people have asked, do you think cyber will be on the presidential agenda? I think that's a fair guess, we don't know. What would you guys have the president say to the Chinese? What would you have him, would you have him, you know, direct confrontation is not gonna be that useful. So what would you recommend to the president? Shaan, why don't we start with you and go the other way since you dodged the last one? Ni hao ma. I think that this is an issue that has to be on the table and I think it's actually a priority issue on the table. I think that what's been occurring here in the commercial sector over the last five years is incredibly detrimental to our long-term prosperity and it's been in the shadows too long. You know, again, we've had attribution over and over and over again. We've heard the reports, we've seen, we've heard the government officials and I see no change in the activity. One of the things we did when we did the comprehensive national cybersecurity initiative, initiative number seven had to do with really defining what the red lines are and I think that that still is critical. Look, every country has been involved in espionage for centuries, right? Going back to the Greeks and the Romans and probably before that. But what is happening is nation states are using their nation state capabilities to attack the commercial sector and they are empowering their commercial sector to an incredible advantage against US economy. The US hasn't done that and I think that those red lines need to be defined and there needs to be a discussion about what the impact is, what the potential retribution might be if you cross those red lines, whether it be diplomatic, economic, civil sanctions, et cetera. But that's got to be a discussion, it's got to be clear and I think that it's got to happen sooner rather than later. Xie Xie. Xie Xie. Exactly right, I think that the, laying out the potential list of sanctions of measures that could be taken to hold China accountable for its actions is what I would want to see put out there being more explicit about exactly what the stakes are and how companies are really starting to come frustrated with the degree of siphoning of their IP that's taking place to the point that some, I think, are starting to rethink their investments in China, maybe refocus, move out, or just put things on hiatus in Beijing, which should concern the Chinese if they're still concerned about becoming, retaining economic powerhouse status and I think that's where, between hitting them where it hurts with financial disinvestment and potential for trade sanctions, visas and actual prosecutions, you're kind of doing a holistic approach to holding them accountable and I think if the president can be explicit about that, that in a diplomatic way, that might be a good step forward. Well, let me begin by saying what we shouldn't tell Xi Jinping. We shouldn't walk into the room believing that he doesn't know about the intrusion set and our first goal is to educate him because the Chinese military or the MSS hasn't told him about it. I continue to be gobsmacked by senior policy makers who begin with that question when they talk to me about it and they say, well, if I tell him what's going on, he needs to know this, right? I'm saying no, he doesn't need it. He already knows. The Ministry of Foreign Affairs, Wini's sitting next to him may not be read into the program but he certainly knows, don't worry about it. The dilemma we have is, we've tried to make this very cute distinction in our discussions with the Chinese in the strategic dialogue level between traditional espionage in the cyber realm, which we've said we cannot legislate or govern through treaty and commercial espionage which we've tried to make a separate category. And this has been a real clanger with the Chinese because they don't see the distinction because in their system, the same people are doing both. And therefore, and they don't believe in treaties despite Jim's best efforts at the kicker CSIS dialogue, they don't believe us when we tell them that we are statutorily precluded from doing commercial espionage. And then we even give them a very practical reason. We say, if the United States conducted commercial espionage on behalf of its companies, we wouldn't know how to share the proceeds without somebody who didn't get it suing us, suing the US government for antitrust violations. Most of the countries we deal with in the cyber realm have single large state-owned enterprise national champion companies in each sector. It's very easy for them to figure out who to share the intelligence proceeds with. Very complicated in the United States. So you make that distinction again which is not going to be effective. But then you say, look, it's the commercial espionage that has finally disproven what political scientists have said in the United States for years which is that you could never get a whole of government response from the US government. This has unified the US government including the economic and trade departments of the US government in ways that I thought as a political scientist were impossible. And what has to be emphasized as Xi is you're now undermining the last remaining pillar of strategic cooperative sign of US relations. When the trade and business community are some of the loudest critics of what's going on on the Chinese side who traditionally have been the strongest proponents of cooperative sign of US relations, you then say to President Xi, this is imperiling your own economic development which is imperiling your social stability which is your number one priority. That is the only message that will get through to a general secretary of the Chinese Communist Party is that economic development and social stability are threatened by the brazen scope and scale of this intrusion set. The other thing I say to them is that their technology isn't worth stealing. So I hope that doesn't always go over something. I now sympathize with Sean being towards the end of the line. We have such an esteemed panel up here. They're making all the points I wanted to make. I will say that I do agree with Sean. We have to draw this red line but I think we also have to tell them they've stepped well over it already. I mean, well over it. This is the largest transfer of wealth in history. Was that Keith Allen Sanders? I mean, it really is and it's, a lot of people have echoed it. Ellen, I think you're absolutely right. We have to have a comprehensive approach here. We can, we being, all the stuff we talked about today, security measures, safeguards, we can slow the bleeding but the only way this problem is truly gonna be solved is through the use of diplomatic and economic pressure and we have to take advantage of that. We have to tell them that they stepped over the line and we have to distinguish between the economic espionage and the traditional espionage. We have to make them understand that. That's the only way we're truly going to recover from this issue. Right, let me just strike a contrary note here. I don't think anything we say to them will make them change their mind. I think every country has its own sense of national security and no leader from another country will come in and change the other leader's mind. We could be clever in what we say. We could be threatening in what we say. The Chinese have a notion of national security which is grounded in the nation of economic security. The United States is a very different perspective of national security. We are worried about attacks from various parties and countries. We're worried about nuclear development in various countries and we, by the way, have exercised our right to attack the countries that we feel threatened by. Chinese are exercising their right to steal from who they wish to steal from because they believe it is in their economic interests. So while they can have a very polite meeting between the president of one country to the other, I'm not optimistic that any action will change fundamentally because their beliefs about national security and their national agenda are very different and they're going about exactly what they intend to do. That's great. Do we have questions? Go ahead. And please remember to identify yourself even though we all know who you are. So. So my name is Harvey Rishikov. I'm with the, my name is Harvey Rishikov. I'm with the American Bar Association, Standing Committee on Law and National Security. First of all, a great panel to put it together, Jim. I love the fact that Ellen is there so we can ask Ellen questions. Maybe you should point out who your sources are, Ellen. It'll really be helpful for me. I guess my question is, sort of falls on the last point, which is that we've been doing this like for 15 or 20 years. We've known that the private sector is the real target in a way for what it, where the jewels are. But yet we've had not very good public private sharing of information because the private sector has been very reluctant to make public its range of attacks. Though the people on the panel represent certain interests that have made it public and that the cost-benefit analysis has often been for the private sector, their preferred to do the market is so large that it's hard to offend in a certain way. So my question is, how, based on your own experiences, how do you change that cost-benefit analysis? And the fact that the legislation that we wanted to have with potential immunity for sharing of information has failed, has not gone forward, which is clear what the private sector wants. So I'm curious to see what the esteemed panel's view was about how do you move forward given that dilemma. Thanks for an easy one, Harvey. I think James, you wanna go first and then we'll just, people can chime in. Well, I wanted to start with the perspective of a classified defense contractor that's under the Dib sharing program that DOD has, which many people would say, well, that's not really transferable to the private sector, because there's all these special security rules and they have all this leverage over us. But I would say the following, and I think Deputy Secretary Lynn would agree with this, the real brilliance of the Dib program and why it has succeeded is not because the government shared classified signatures with us. The brilliance of it was that they stood back and they let all of us collaborate with one another with at least a notional umbrella over us that said we would not be sued for antitrust violations by the Department of Justice if we shared information with one another. And that's the key issue and that was the real sticking point in the congressional legislation was somebody's always gonna be excluded, someone's always gonna feel like they got left out. But what we're really seeing now are the rise of these confederations of people who are coming together and finding creative ways to anonymously share signature data with one another, to share threat data with one another. And the government just needs to provide the indemnification and the top cover over the top of it that says, we will not penalize you for engaging in collective self-defense, provided as Sean said, you don't go too far. And we also frankly need to rewrite parts of the Computer Fraud and Abuse Act so that we can actually know where the bright lines are of what is actually permissible and what is not under law rather than waiting for someone to go first and probe the outside edges and find out exactly where the Department of Justice's pain threshold is on that issue. I am hearing from industry, including the financial sector in particular, that actually information sharing, for instance, the latest round of DDoS attacks has really helped spur greater information sharing between and among banks in a way that they hadn't done so before. So that's sort of the silver lining of that. But they would appreciate more information coming about advanced information about threats coming in from the government. And sometimes the impediment to that is lack of clearances. But I think the government is making an effort there to try to get more people in even smaller organizations cleared to get this information because it takes a while to get classified level threat information washed through and declassified. And by the time it comes out to the general public, it's useless. Then the other impediment, obviously, is to get information from the private sector back to the government. I think that's one of the biggest hurdles, if not least because of the privacy issues and the need for possible legislation to make, to change laws so that sharing of information back to the government doesn't violate wiretap laws or privacy laws in it. But those, you know, we do hear that the government, both the Obama administration and the Hill, want to get some information sharing legislation passed. Whether or not they'll get it through with everything on the plate remains to be seen. The term information sharing really is kind of a burr under my saddle. I've never used that phrase before. That's funny. It's not about information sharing. It's about actionable intelligence, right? The sky is blue is information. That doesn't really do a lot for me. I want something that I can actually do something about. And as it relates to classified signatures, the reason things are classified is to protect sources and methods. I think that there's an awful lot more that can be shared without compromising sources and methods. It's difficult. It's a bit of a challenge. It's very different from what we've done historically. But I think that it can be done and it needs to be done. As it relates to the private sector, the private sector owns the vast majority of the infrastructure. They've got all of the indicators, all the artifacts of these attacks. They could help the government immensely. The concern, of course, is the anonymity and how do we do that? And I think that there are capabilities, there are protocols that would enable us, the private sector, to share information in an anonymous fashion with the government actionable intelligence. Not information, but actionable intelligence that helps towards attribution that will help towards some of the things that we've talked about here. It's an incredibly complex area. There's lots of concerns about privacy and civil liberties. Of course, that's all got to be taken into consideration. But I don't think it's a bridge too far. I think it's people sitting down with a different mindset and really looking at this as a capability to make the situation much better. Yeah, I just want to make a few comments here. So we have built a very large network for threat intelligence sharing. We have lots of organizations that are actually providing us with the threat intelligence. And we are able to do it without impacting their privacy and their personally identifiable information because you can extract anonymous metadata about malware and share it generically. So people get caught up very frequently on this sort of trap of privacy versus information sharing. And we've been able to actually do both. We've been able to preserve the privacy of the organizations that we have the threat intelligence taken from, and we are able to do that very effectively on a global scale. So threat intelligence sharing, I think, is a good thing, but it is not a silver bullet. You need to have, and this is imperative, you need to have the ability to generate threat intelligence because you cannot share things about which you do not know and you do not discover in your network. And for the most part, the attacks are not being discovered by the legacy techniques. So if you just walk in with this blanket recommendation that, hey, by the way, why don't you share everything you found with the government. For the most part, I can tell you that the vast majority of organizations are compromised and they don't know that. They don't know what to share if they cannot see the attack. So it's imperative that they have the ability to see these attacks in real time beyond the legacy security architecture that they've built. And then to have an architecture that generates threat intelligence, not just consumes it, generates it in real time, and then is able to take an anonymous version of that and share that across the globe. And we have actually built a proof-of-concept system of just that. I think a big part of this issue is education and awareness. And I think it comes in two parts. One, two companies in terms of how will you, first of all, the importance of it, how important is this to your security program? And I don't think that can be overstated. It's not a silver bullet, I agree. But I think actionable intelligence is something you have to have to have an effective security program. So I think you start with the companies and you convince them how important it is and some of this is gonna happen itself. It's gonna happen organically. We have some of the industries that are sharing actionable intelligence very effectively right now and others can do it as well. I think the other part is educating the public. And I'm sorry I get a migraine when I hear from some of the privacy activists on this issue because I'll sit down and talk to them. I'll look at my Facebook page. I'll have all my friends from the school days saying, oh my gosh, you have to stop SISPA. You have to stop all this stuff. They're stealing our privacy. They're taking all our information. It's all going to the government. And I engage in these discussions with them. I say, okay, so what do you think's really happening? And they really have no clue. They're just following the crowd here. So I think there needs to be a lot of education in terms of what exactly we're proposing is shared to the government and amongst private industry. Actionable intelligence, if done correctly, there's no personal information in that. It's IP addresses, it's registry entries, it's different things that you're not going to associate with any particular identity. So I think that's really important. I think once that happens and if we have an educated dialogue amongst the public, we're gonna get some legislation passed. And I think it's incredibly important that we do so. Just one minor point, and I say this to all of the over-gradified new millennials who work for me, that as long as what they're doing electronically is on a machine that I own, they have no privacy. All right, I think we have time for a couple. Alan, and then did we have one on the other side? Is that, well, Alan, why don't you go ahead? We got three. We'll do those three and that'll be it. Alan Friedman from the Berkins Institution. So this has been a great panel and I've enjoyed hearing about how data has been leaving Western companies. Could you offer as much insight as you can on what's actually happening with the data once it hits the Chinese intelligence organization? James, we talked about myths of political science, the monolithic state, which assumed that all of China is the same. Maybe some of the different interplays between the different org agencies and how different sectors inside China may be using information differently. I like to break it into five quick categories because I think each of them have to be dealt with differently in terms of the policy solutions we look at. On the traditional side, location and movements of US military assets, extremely valuable, you get into Nippernet, you get in the databases, you know where things are, you can queue other intelligence sensors, immediate benefit. You break into Lockheed, you steal information about the J35 synthetic aperture radar, you can use it to fine tune your electronic warfare systems, instant benefit. You break into the secretariat of some organization, you get the State Department or the President's talking points three days before the APEC meeting, instant benefit, your leadership loves it, near real-time, strategic intel, all good, right? On the commercial side, you have to break it into two pieces. For me, one is what we traditionally call sensitive business information, so you break into Exxon Mobile, you get into the C-suite, you find out what the magic number is of what they're gonna bid on that tract in the South China Sea, you hand it to your national champion state oil company, they underbid, they win the bid, instant benefit. The one that's been most troubling to us analytically, Allen, is that last one. You steal the source code, you steal the intellectual property, you take it back to the nest, you may or may not give it to the right company, they may or may not be able to reverse engineer it, productize it, marketize it, and then having the metrics to say, and then they demonstrably reduced this US company's market share in China by this percent, and then they then competed with them globally and reduced it by this percent, we're only now beginning to get fragmentary elements of data to support that line of analysis. And I will say the one thing, again going against Irish type, the one thing that I'm optimistic about is that this indigenous innovation state-driven research and development and innovation system that Chinese have been trying to build since 2006 is the worst possible mechanism for exploiting advanced Western intellectual property. And so it may in fact break down at that stage. And they may be able to reverse engineer one generation, but the organic knowledge and creativity that undergirded it will likely prevent them from getting a second and a third generation of innovation out of it. So we may see a shallow innovation, but we may not see the deep innovation. And that may ultimately be one of the only pieces of good news that we have on the commercial espionage side. Anyone else? Go ahead. I can just speak anecdotally. I appreciate, James, the five points there, certainly from the military and the government perspective. On the commercial side, again it's anecdotal, but I've spoken to a number of companies who have reported to me some of the impact that they've seen from the theft of their intellectual property. I also agree that this is oftentimes many years down the road because of the time it takes to monetize that IP, if you will. But I spoke to the head of a biotech, not the head, but a senior leader in a biotech organization back in February. And this person told me that in their business line, it typically takes them five years from concept to actual sales to go to market in their industry and what they're doing specifically. And that their Chinese competitors are actually churning out product in 18 months. And it's not because they've come up with some new fangled manufacturing process, it's because of all the front-loaded resources to the concept and the engineering are already being done, they're being stolen, and they're going right to manufacturing and to market. And that that's having an impact on their organization and they are just starting to see that now. There are a couple of other examples I won't go into here. Some of them are somewhat long examples, but I've certainly seen it, commercial entity, saying it's absolutely hitting our bottom line and we're losing market share in certain areas. John Savage from Brown University. My question was very similar to Alan's, but I'll phrase it old-if only. I agree with James's observation about code. So is that, and are there other examples that can be used as a basis to educate the Chinese that it's not in their long-term interest to engage in this kind of stuff? He said the French do this on a fairly substantial scale. I look at their economy and say, what good has it done them? Yeah, Brooks Dahlsworth from PWC. Question, we've heard a lot about China, a bit about Iran and terrorists, nothing about Russia who's shown capability and willingness to use cyber weapons against some of their less fortunate neighbors. Just any comments about Russian capabilities and any comments on Russian capabilities and intentions? Thank you. While we're waiting for the microphone, I'll say I talked to one of our Asian allies once and they're complaining about China. And I said, well, how about the Russians? Do you see the Russians on your network? Some of you heard me say this. And they said, no, we haven't seen the Russians on our network. And I thought that's a true statement, just not the way you... Michael Snell, Coast Guy Cyber. At what point do we actually start engaging the overall public and commercial industry from a national level? For example, if you look on television, you see today very strong campaigns against smoking, against drunk driving, against texting while driving. At what point do we actually engage the public? Patch your computers. Make sure you're running up good operating systems. Stop using bad software. Do this at a national level. So we deny the actors the ability to even leverage our private and commercial sectors as a vector. Why don't we go down the row and if you wanna hit all three or as many... Let me just start with that. So let me echo that. I think that's probably the most important thing we can do because we have failed to pass legislation to mandate any kind of security control. So I think the most important thing we can do is mandate some level of education and awareness, right? Now, it may not be, hey, you gotta patch your system because the perfectly patched system is still vulnerable, right? That's the unfortunate reality of today's threat landscape is a zero-day attack will work on any system. It doesn't matter how well-passed it is. But the broader point that you're making is a valid one that if we had the critical infrastructure operators understand the threats that they face, they may be motivated to do something about it. And I don't think today there's widespread awareness of the structure of the attacks and the big dislocation that is now there between offense and defense is an incredible gap between contemporary offense and traditional defense. And I don't think that is widely understood. So if there is an education mandate, I think that will be the smartest thing we can do because I don't think we'll be successful in passing legislation to have any kind of technical mandate out there. I wanna just address the Russian question real briefly. I think the Russians, their biggest move in this area is to just ignore what's happening right under their noses. I don't think a lot of it is necessarily, at least some of the purely economic crime is not necessarily tied to, is not maybe state sponsored, but certainly state ignored and protected to some extent. So they certainly are out there in that respect. I know if there are other actors, then they're purely more of the traditional state to state or they're getting in and getting out without anybody seeing them. I think that's a real possibility. Education awareness, absolutely, in the scenario as well, whether it's mandated, however it comes, it needs to happen. People need to understand that they have an impact on other people's lives, that if they leave their system unprotected, then that system is gonna be co-opted and used to get as a hot point to get around other systems. And we see that all the time. So any way we can make that happen, any way we can create a culture of security here in the US, I think that would definitely benefit our national security and our economic security. The Russians are a puzzle. We know more about the Chinese because their trade craft generally is so noisy. And the sad thing about that is I always have to remind people it's not that they're that good, although there are some very really good intrusion sets that are trying to get into my corporate networks as we speak, but most of them are quite noisy and it's because we are so bad. They literally, they don't have to leap over the bar, they just have to step over it. And so they found exactly the amount of energy they need to expend to get into the networks and nothing more, it's very efficient. The Russians are much stealthier. They use a lot more crypto. It's much harder to do adversary intelligence because they actually don't regard their language as their first line of national defense. They actually use aggressive levels of encryption. They coordinate in silk channels. They do all kinds of things that the Chinese don't do that make it so easy for us to enumerate them and to identify their building in Shanghai and everywhere else. Although I will say that the Chinese, in my view, who have always been terrible strategic communicators, but they reached a new low recently when their response to the Mandiant Report was, and this is an official spokesman at the Ministry of National Defense said, there is no unit 61398. You know, I mean, talk about Kafkaesque, ignore the man behind the green curtain. I mean, we have hundreds of pieces of open source data identifying that unit. It's a public knowledge, but the Chinese response is not, we can either confirm or deny those allegations, but as a rule, we don't discuss intelligence operations from this podium. They're literally the response at the official level is to deny reality, just to deny the existence of reality, which to me is just a new low for them. It's actually on the building. Yeah, sure. It's on the pipes on the front of the gate. Kind of like NSA, right? It used to be no such agency. I think you were a question about denying the benefits of all of this stolen intellectual property. On a tactical level, some companies are starting to do deception by planting fake, but juicy looking information in sort of honeypot sites on their websites that they know or they think the adversary will be interested in stealing, but which would then end up being a completely bogus plan for something. And I think James also mentioned doing this on a more strategic level. There are also, I guess, problems with making sure that if you do put some deceptive product information out there, you don't have any liability for some formula, a baby formula that ends up killing thousands of babies. But anyway, that just came to mind as one area that has not received as much discussion as I think it should or could. And then more generally speaking with respect to just educating people about better hygiene and security, I think it's definitely something that the administration talks about and we'll see whether or not they can turn it into see something, say something kind of campaign that actually makes sense. Some companies are doing things like turning this into a service where if they notice that your computer is infected part of a botnet, they'll alert you and tell you you can go to a certain site for remediation, but at least to let you know that you are potentially part of a larger cybersecurity threat. On the far end, some countries actually are much more into creating secure nets where you need strong user identification in order to gain access to sites where you might wanna do banking or voting or filling prescriptions or getting government services. Some government officials I know think that something like that is a good way to go, but I think there would be a pretty rigorous public debate about whether that's creating too much of almost a national identification system that we don't wanna go down the road of. So that's my thoughts. Should I get the last word? Yeah, not much more to add, except I think the education piece is critical. Unfortunately, I don't think it's gonna happen until we see real-world physical implications of an attack, the digital equivalent of planes flying into buildings until we actually take this seriously that we see a lot of movement related to legislation, et cetera. And if you can imagine in August of 2001, if some government official stood up and said, we're gonna ask everybody because we're concerned about this terrorist threat, I know it's hard to go back in time and remember before 9-11, but imagine August of 2001, we've got this terrorist threat, we're gonna ask everybody to take their shoes off, we're gonna take your jackets off, take your shampoo and put it in a plastic bag, that's the one that always gets me. And people would have been up in arms. This is outrageous, this is an invasion of our privacy, we're absolutely not gonna do it. And then a month later, we have this devastating terrorist attack and all of a sudden people are stripping down at the line at the airport because they recognize what the threat is, they recognize the impact and they're absolutely willing to take extra steps and measures to make sure they're more secure. I think it's unfortunate that it may be something certainly not as significant as that, although perhaps, but some physical impact where before people, it really grabs their attention and they recognize we need to do something differently. Well, let me do the following, which is the drill given the amount of expertise we have on this panel and the next panel is we're going to go directly into the next panel and so we'll switch the name cards. If you could keep your seats, that would be very helpful. But also join me now in thanking this group, they were incredible. Thank you.