Okay, while people are filing in, we're going to explain to you the, you know, they've been playing Spot the Fed here for years to out and embarrass feds. So we thought it was only fair to turn it around and spot lamers. So, well, that goes without saying. Okay, so Priest, you want to ask the first question. Go here and reenact it, Monty Python's Holy Grail, for fun. Which part? And oh, I forgot to tell you, you guys are voting. You guys decide who is the lamer. Okay, I'm going to take the second question and I'm going to ask the number one guy down there on the end. Have you compiled your kernel today? You're a lying sack of shit. We're not talking about corn. Okay, Rod, we're going to start that in. Can you pass the microphone down, please? Who am I asking the question for? The next guy in line here? Yep. So who doesn't expect the Spanish Inquisition? So who lives in their parents' basement? Upstairs, okay. That counts. Who can spell their first name in leet? You don't get a microphone. You want me to give away my personal thoughts here? Yes. Marcus, have you ever participated in a Star Trek marathon? Sad. Sad. Who here didn't wait in line to buy their iPhone all night? All right, be honest. How often do you find yourself referring to enemy characters as half enemy? Enemy. Can the feds please articulate? Where are we next? Who am I asking the question to? Anybody? All right. First guy at the end over there. How many external devices do you own? And how many do you have on you right now? Zero on you? Okay. All right, so you, tall guy. How many members of the Skywalker family can you name? Extra-baring, so extended family. Okay, this is for the group. What video game was inspired by the movie War Games? Come on up, sir. Tell me the answer. Anyone? The name of the video game is called DEFCON. Everybody dies. Pass the microphone, please. Okay, this is a show of hands. Who can identify who Leeroy Jenkins is? How many do we have in this group? Six.
Which of you have all of your best friends on IRC channels? And the last question I'm going to take. How many of you have a three-inch floppy? All right. Now it's time for everybody to vote. Whoever thinks number one, raise your hand. Cheer. No? Okay, you can sit down. Raise your hand, Marcus. Marcus. Okay, you're staying. Okay, number three, raise your hand. Okay, who's number three? Okay, I think you're a little less than Marcus, but you can stay. Number four, raise your hand, please. Who thinks number four? You too, raise your hand, I want him to raise his hand. Why are you raising your hand? Okay, you can go sit down. Number five. Number six. How many want number six just to stay up here? Okay. Okay, now we're narrowing it down. For those new, number one. Number one. Number two. Number two, take a seat. Number three. Number four. You're gaining. All right, we're narrowing it down. Number one. Number three. Marcus, you get to sit down. Number one. Number two. Okay, and you get to sit down now, honey. All right, congratulations to number one. Okay, what we do is we give you a T-shirt. T-shirt says, Meet the Fed, spotted lamer. You must wear this today. And on the back it says, Feds burn another lamer at DEF CON 16. We also had the coveted DoD Cyber Crime Response Team shirt. And if you'd start at this end and work your way down the table, everybody has something for you. He does this on Sundays also. I'm not giving you anything else. Air Force Cyber Command shirt. DHS shirt. Yes, sir. NSA. Okay, we also have a free ride and vacation. He doesn't get to keep the shirt either. We'll use it again next year. Okay, what we're going to do, we're going to let everybody introduce themselves, talk a little bit about, give you a quick bio on themselves, and talk about what their agencies do. Once we finish that, then we're going to open it up to you guys for questions.
Now, unfortunately, there's no microphones in the audience, so what we're going to have to do is form a line right here, and I'll share my mic with you so everybody can hear. So think of the questions, and when we do these questions, don't ask big government questions, because there's nobody up here that's going to be able to answer for the government. They're here representing their agency, so kind of, you know, narrow the scope a little bit, like, okay, never mind. Rod, would you like to start out?

Hi, I spoke yesterday morning to most of you, so I won't take much time now. My name is Rod Beckstrom, and I'm the director of the National Cyber Security Center, which is a brand new organization being created within the Department of Homeland Security. That's a JV with DoD and the Director of National Intelligence to foster situational awareness, information sharing, and collaboration across .ic, .gov and .mil for cyber-defensive purposes.

My name is Lin Wells. I'm a professor at National Defense University in Washington, and I basically teach transformational things, what we want the national security establishment to look like in 10 or 15 years, and I came to this after several years in the Office of the Secretary of Defense.

Rich Marshall, I wear the shirt for Jerry, first-generation dad, and I've been wearing this shirt for five years when I come out here to do this thing. He knows it doesn't fit as well as it used to. It takes a big garage for a big car. Got to put on my new rag and my regular hat and my cover shirt so that you won't forget what we do. This is the latest in our collection. My background is I was the legal advisor and legal architect for Eligible Receiver 97, which demonstrated to the federal government that information warfare, hacking, was for real, and then I worked for Dick Clarke. You're right. These don't fit, Mike. You guys are lucky they're going on. Helped develop the national cybersecurity strategy that all of you love and endorse.

My name is Randy Vickers.
I'm the deputy director of US-CERT. My background is, prior to coming to US-CERT I ran the DoD CERT, and probably the most claim to fame to that was when we blocked MySpace and YouTube across the .mil, quite a popular thing. Currently with US-CERT we're a national asset to help the .gov and state and local defend the networks across the federal government, as well as collaboration and coordination with other partners, to include international and law enforcement partners.

Mike Witt, I'm with your Internal Revenue Service. Quick show of hands real fast. How many here have got their stimulus checks back? How many received two? I need to see you. Prior to coming to IRS, I spent five years with the startup of US-CERT, and so a little background in that.

Good afternoon. I'm Colonel Mike Convertino, U.S. Air Force, with Air Force Cyberspace Command. Great commercials, eh? There you go. It's stuff surreal, by the way. I've been in the Air Force 17 years with assignments at NSA as well as the Air Force and other agencies. Doing things probably of great interest to you. Very similar to things that you do. So I've been to DEF CON eight times, first time in 94. I really enjoy it every time I come. So it should be a lot of fun here on the panel. So look forward to your questions.

Hello. My name is Martin Morrill. No, he wanted me to speak in French. But if you have any questions in French, I can answer them in the session. We can do that after. Yes. So I'm with the Royal Canadian Mounted Police. I've been with them for 29 years. I've been investigating computer crime since about 92. Then over to the Canadian Police College as a course coordinator. And now in charge of policy and standards for all the investigators in Canada with the RCMP. Our group has about 145 people in technological crime in Canada with our organization; that doesn't include other police services. And looking forward to answering your questions.

Hi, my name is Barry Grunding.
I'm a supervisory special agent with the NASA Computer Crimes Division. I know the tag says NASA, but I'm actually part of the NASA Inspector General's office. We're a law enforcement agency tasked with the oversight of NASA. And primarily the Computer Crimes Division does intrusion investigations. That's basically what we do. And general computer forensics support for general crimes. Pretty small unit. I supervise the east of the Mississippi, about nine NASA centers. And I have four agents and two techs. And we stay pretty busy. Mostly with intrusions, as you can imagine. That's it.

My name is David Helfen. I'm a special agent with the Naval Criminal Investigative Service for the last three years. Before that I was... How many of you like the TV show? I play golf with him every Tuesday. And I work for the Atlantic Cyber Division for NCIS. Basically what we do is computer intrusions. Me specifically. That's pretty much all I work on now. Trying to protect the assets of the Department of Defense, specifically the Department of the Navy.

Hi, my name is Ray Kessnick. I'm the director of the Defense Cyber Investigative Training Academy, which is a component of the Defense Cyber Crime Center. I'm also an NCIS special agent, detailed to DCITA as the director; 22 years with NCIS. And I know you don't play Tuesday afternoons, because I play Tuesday morning with Mark Harmon. Very busy schedule. He acts on our advice on a regular basis. So if you have any questions, please ask.

Hi, I'm Jim Finch, the assistant director for the FBI Cyber Division, and I am responsible for all of the FBI cyber resources in its 56 field offices across the country. We investigate computer intrusions, both of a national security nature and criminal, as well as online sexual exploitation, investigation of intellectual property rights violations.
And then there's a lot of outreach that goes along with that through programs like InfraGard and our IC3, Internet Crime Complaint Center, where we take complaints from victims who have used the Internet, feel like they've been defrauded or their systems have been compromised, they call IC3, and hopefully we will address that. If we don't address it, we'll send it to the state and locals who do. We also do outreach in a lot of other areas in the intelligence community, but that's stuff that's probably not of interest to you, but we work with each of these agencies on computer intrusions, as well as many of our international partners because of the nature of the Internet. That's it. In a nutshell. In a nutshell.

Okay, I'm Jim Christy. If you've got questions, if you start forming a line right here, otherwise this concludes this panel. My name's Jim Christy. I'm a retired special agent with the Air Force Office of Special Investigations. I was assigned to the Defense Cyber Crime Center for the last seven or eight years. I'm the director of Futures Exploration. And those of you that don't know DC3, our mission, we have the world's largest accredited digital forensics lab, about 100 forensic examiners. We have the best training academy, that Ray Kessnick runs, where we train the criminal and counterintelligence investigators in the Department of Defense. And we have an institute that does the research and development of tools, as well as the testing of tools that are used in a forensics lab.

Okay, first question. Where's the Jeopardy music? Come on, need a victim here. Representing 10% of the population that's here. How many of you work with women, have women supervisors, and have opportunities for women in your field? Do you say under? I'm retired, you can't hurt me. Actually, Mischel Kwon, the director of US-CERT, was here and did Black Hat and got called back home, so Randy is filling in for her. Anybody else want to take those questions? Okay, next question. Thank you.
This question is for the Colonel. With the relatively new threat of malicious software embedded into networking hardware, how does Air Force Cyber Command intend to ensure control of its secure networks with insecure components?

That's a good question. Next question. I can tell you, but then I'd have to bomb you. Well, obviously, we have other measures to make sure. Obviously, the warfighting network, the network on which we conduct the command and control of the Air Force itself and all its warfighting equipment, hardware, is a segmented network. It's wholly separate. And so things getting on and off of it are only through human buffoonery. So we have a lot of measures to try and preclude that, but there have been on-and-off incidents in the past which we found pretty carefully. Obviously, with new technology and new issues, supply system issues, which is what you're getting at, we are in the process of developing additional measures to prevent exactly that from happening. So if I were to describe them to you, that would be a faux pas, so I won't do that here. But if you'd like to ask... That's right, for a beer. But rest assured that we've got that pretty well in hand and we're improving our security every day as well, so... Anybody else on the panel want to take that for their agency? I didn't think so.

Hi, first of all, I want to say, if you guys run out of questions, it's kind of intimidating to walk up here and talk to them, so you might want to just have them shout it out. But anyway, that being said... That being said, my question is, if someone discovers something like a vulnerability or something that is applicable to one of your departments, is there, first of all, is there a centralized place that they can go to report it without having to post it on Slashdot where everyone can exploit it? Secondly, is there a way to fast-track and get past all the government bureaucracy and really have attention paid to it? See me after for...
We'll talk about a free Navy lunch. You can all come see me after, I'll be here all night. I'll take that one. In the microphone, please. Thank you. Sorry about that. It's like Congress. Yeah, everything's recorded. One of the things that we always have to take as the challenge is how we share information, because information is being shared about weaknesses in our environment. One of the first things, as you look at your incident handling, or someone looks at the incident handling process, is how you do the reporting. And at a minimum, you've got to report to your Security Operations Center, or equivalent-type organization that can gather enough information to be able to do a mitigation strategy and execute that. Now, the rapid response to that and sharing that information is one of the things that we at US-CERT do. So as we get information, whenever that information comes in, we do a similar activity on a much larger scale. And even before... And our goal is hopefully before it starts affecting other organizations, we're taking the mitigation strategy that was used and sharing that with other organizations. And as it becomes more widespread, we reach out to other partners to look at more extensive-type mitigation strategies. And we post those, whether it be on our website or we push that to other organizations. And we also learn that as we start sharing that information, that we're seeing that activity is probably happening in other places as well. Anybody else?

As far as just reporting at least an incident, I think it's important... If you call your local police service of jurisdiction, hopefully you will know who that is. And at least they will be able to point you in the right direction. I would like to think. I know that with the RCMP, you go to the website and you can find out the technological crime section and get a telephone number there. Start at least. I know that sometimes it can be...
Well, we're with the government, so you might think it's a little slow, but at some point, somebody will be able to give you the right information. I'm sure it might take a few phone calls. But hang in there. I think it's very important, at least, to be able to answer and report it.

For the FBI, if you report it to any of my people and it's published on Slashdot, let me know. I want to find out how it leaked out. But that's one of the things I like to keep very close to the vest, because we hope we can develop a relationship with the public that they will have some degree of trust when it comes to reporting things like that, that will benefit the users as a whole. And I have yet to see anything reported to my people that was then published as a result of it leaking from my organization now. It could have leaked from places where it was reported that are not within the FBI. But if you report it to one of the 56 field offices, I guarantee you it shouldn't be published on Slashdot. Because I want to pursue that investigation and I can't do that, or we can't do that, if information is leaking out. So feel free to report it to us and hopefully it will be maintained in complete confidence. If not, certainly, I'm in Washington. Give me a call. Number is 202.

Just one point on this is that even if you have a centralized location, and most of us do in some respects, it's only part of the problem. Lou Gerstner, who used to be the CEO at IBM, was in a symposium one time and he asked, how do I know if I have an effective information assurance program? And so the answer was walk down the hall, find a random employee and ask them three questions. Would you know if your computer was being screwed with? If yes, would you know who to call? If yes, would you care enough to call?
And the point was unless you can answer yes to all three questions for every member of your organization, you can spend a gazillion bucks in technology and you're not going to get the answer, because it will fail in the people piece. So in addition, most of us have it incumbent on us to train our people to make use of them and particularly to understand what's going on. So it's not just as simple as having the phone number. Thank you. Okay.

Hey, Jim, will this mic work better for them? Since you all have very... You all, all your jobs overlap to some extent, so... and since you all feed off the same trough, do you guys believe there's any in-fighting amongst yourselves? The answer is no. Next question.

This one goes to the entire panel. Obviously, you're all from very different departments and I'm kind of curious how all of you got involved with the work you're doing. Just coming from predominantly technical backgrounds into the fields you're working in, or were these predominantly military backgrounds that became technical?

I'll take that one. I was in New York on 9-11 and had a really powerful personal experience and ended up actually working for peace all over the Middle East for three and a half years, building a decentralized network of CEOs organizing in a cell-like format, and out of that co-authored a book called The Starfish and the Spider, and then was actually asked to help out the government, to help be an advisor to the Director of National Intelligence, and then got pulled into the cyber effort. High-tech companies for 25 years. It's my first time in the government and I have to tell you, I'm really excited to be here. It's a great opportunity to serve and, as you all know, cyber defense is very, very difficult and we've got to really think about the models that we use for doing this. In my case, I'm not from a federal government background. I'm from a private sector, high-tech CEO and starting companies background, and a lot of nonprofit work.
I'm a new kid on the block, but there's a lot of opportunities in government and we need people like you to come and get involved.

In my background, it's career military, particularly Navy, but my interest has been the intersection of policy and technology, and so I was happily working in the Undersecretary for Policy's office in the late, mid to late 90s when someone said, there's this thing called encryption policy. Would you like to talk about this? Would you like to get involved with this? Well, anyway, that's what sort of got me involved in this, led to Eligible Receiver in 97. I sort of got into it serendipitously but really enjoyed it, and I second what Rod said. There's enormous amounts of talent out here in this room. If you want to have a chance to work on issues that are historic, greater than yourself, as long as you sort of haven't crossed a line into felony behavior, we would love to have you. How many have felony behaviors? There is a website called firstgov.gov that will lead you down to any job offer open in the federal government. I just encourage you, if you're interested, to take a look at applying for those.

I don't have a technical background at all. It took me four years of college to complete two semesters of physics, so you can tell I'm working upstream. I have a post-doctorate in international and comparative law that prepares me adequately for what I'm doing. The neat thing was when I was the Associate General Counsel and was charged with helping out to develop some legal techniques for doing computer penetration testing, I had kind of this weird notion as a lawyer that it might be helpful if I understood what my clients were doing, and the approach I took was, you need to make sure I understand what you're doing sufficiently. Don't tell me what you think I want to hear. Make sure I understand what I need to hear so that if things go bad, I'm an unindicted co-conspirator with you.
You know, we go to jail together, I just don't come and visit you. That's a pretty powerful message, and so I sat down with quite a few hackers, learned some very interesting techniques, got behind it, and they were extremely gifted in explaining how things work, and it was an amazing epiphany and I've just been in love with it ever since. It's just been absolutely phenomenal, and what you're doing on the legal side is absolutely critical to making sure that our systems continue to work. So thank you for the good things that you're doing.

I had a similar background. I started out as an infantry officer in the United States Army and decided I kind of like this computer thing, long before networks, and we still had rotary dial phones and that kind of stuff, but not punch cards for programming. Not quite that far back. But the Army in its infinite wisdom decided to send me to grad school and send me to an organization where I got to work with public key infrastructure, and then realized that though fun, it wasn't where the rubber met the road, and started working with computer emergency response teams in Europe and the DoD, and then solved the challenges because of the challenge of defense versus offense. Defense is much harder and a greater challenge, so since I can't be one of the cool kids like you, I wanted to try to do what I can to do the operations piece, and that's where my passion lies, and so that's why I'm where I'm at.

I actually started out as a system administrator and network administrator in the Department of Defense and found myself actually as one of the people involved in the exercise. From there I moved over to an organization in the Department of Defense called ASSIST. It's DoD, so you're going to have an acronym for everything. So ASSIST later became renamed the DoD CERT, and I actually, within my first six months there, was involved in a couple of things called Solar Sunrise and Moonlight Maze, so from there that's kind of where I got my start.
Well, even though I'm the military guy on the stage, the active military guy on the stage, I guess it sounds like I'm the most similar to some of you, although some of my stuff, the way I started, was probably dated. But some of you... I was really interested in telephones when I was really young, just put it that way. I had a lot of girlfriends that I liked to call that were far away from my house, you know, I'm at a camp and stuff, so anyway, things to facilitate that. That's how I started off and then went on to Heathkits and all sorts of neat stuff like that, so I guess that makes me more like you than a lot of the folks here. In the military thing, I only came into it much later as a way to really pay for college. I actually have an electrical engineering degree and a master's in computer engineering, so I'm also the big geek on the stage, I guess, too. So anyway, that's mostly about me. After entering the military, like I said, I continued the same activities but sanctioned under the federal government, so it is a good way of life if you can get it. So, but we are of course always recruiting, as you know from our commercial, and I'm proof positive that you can get into the military as long as, again, you haven't actually committed any of those felonies, or at least nobody can prove it.

Great. With regards to myself, having said earlier that I have 29 years' service, I can say that I was one of the guys way back when in college when they had the programming in BASIC. I go back that far. Having done that, I've always been interested in computers, but I did general investigations for the first five or six years. Then the opportunity came where I could get into the field of technological crime, and I lived through the years of the bulletin board systems. That was a lot of fun, a lot of investigations on that side. Then, as I mentioned before, I moved over then to the... as a course coordinator, looking after the policy and standards for a national program for all of our investigators across Canada.

I'll keep it real
brief. The original question about what got us up here: I think the key word that you hear again and again is passion. If you really like this stuff, you can do it. I started out as an infantryman in the Marine Corps. I had no technical knowledge at all until I went to college, got into computers and luckily, right off the bat, started using Linux and UNIX, and that's where it went from there. But it's the passion that drove it. If you really like doing this stuff, you can go wherever you want. I imagine being here at DEF CON most of you are in that same category.

I think, as I mentioned, I started out at Cisco Systems. I was kind of a geek, I still am. I just started going to grad school about five years ago, just looking for something different to do, took some classes based on the nature of the program, law enforcement for the first time, and it was just something that hit on right away and said maybe I missed my calling. So I started dropping applications and NCIS was lucky enough to get me first. There you go.

A lot of smart guys up here. 29 years of law enforcement. I decided I like putting bad guys in jail and figured out several years ago that there are a lot of smart cyber guys out there, so I decided I need to get smart on that, moved along to the field, and that's how I got where I'm at.

I think my story is more of the passion side. Started out in college as a comp sci major when Fortran, COBOL, Assembler, Pascal were all required courses, and ended up getting recruited by IBM my last year of college, spent some time there and ended up in the FBI somehow, and I've just never lost that passion. Love Unix, and usually running about four or five operating systems at home on four or five different computers. It's just a passion, and I work around a lot of people with that same passion, and so that's why I'm here, and that's why I actually paid to get, I think, 12 or 13 people here as well, because this is what we enjoy, and they could be sitting right next to you.

I guess I got into the field just by
luck. Back in 71 I was in school and I didn't have enough credits to keep my student deferment, and I wound up flipping the lottery. You guys remember the draft? And you guys don't even remember the draft. So I joined the Air Force very quickly and luckily they made me a computer operator, system administrator, and then after, I guess, about eight years, when I was trained, I took a downgrade, became a programmer, writing FORTRAN, COBOL, you know, assembler, and then I was bored to tears. I was writing the parking control program for the fucking Pentagon. So I started looking for a job and I had an opportunity to become a computer crime investigator with Air Force OSI. I mean, I get to stay with technology and carry a gun. Well, these guys aren't really bright, they could use me. Went over to OSI and became the chief of computer crime for the Air Force OSI for about 11 years. Just love it. Next question. Draft, damn, you're old.

So my question is, it may sound slightly broad by that, but I'll be narrow. So as far as I understand, the very presence of government agencies on such a kind of event means like appreciation of the work being done by independent specialists, but I would really like to know, not to know but get recommendations from officials, from federal officials, how to avoid the borders between research and something which is not any more research, which can be treated as a crime already, something that happened to Sklyarov, Sergey, in like this meeting, like 5 years, 2001, or something that happened with Robert Morris when he wrote his worm and it just escaped the cage. Me, Russia. I just ask what could be. Russia. So that's the question, just recommendations from people.

We'll think about it. Anybody want to take that one? Title 18 US Code 1030. Even better, I'm a strong advocate of the lawyer full employment act, so get a good lawyer, get a good smart lawyer, and talk to them and listen to them and pay them up front. He said smart lawyer, that's why he's here, he's on every panel. I'm just joking. Next
question. Many of us in information technology security feel like our entire lives are under constant siege. At work our systems are exploited, our companies often don't have the resources to protect us. At home, social engineering from our peers or people we happen to talk to, social engineer their way into our lives. Personally, women often have the feeling they're running around with a target on their back because people want to see just exactly how good we are. Do you also have this experience of having your entire lives exposed to the government investigations, which we do, running afoul through our nmap scanning and following back some of our things, as well as just as a matter of protecting yourselves, and how do you deal with that impact into your life?

I would say we probably feel the same way as you from that standpoint. There's a term that we use in the government, In God We Trust, pretty much how it is from our standpoint of being a federal employee, of what we do from that and what we have to go through to protect our networks, to ensure that our public services that we provide back to you, the taxpayers, are there, they're protected and they're there for your services.

Surprisingly enough, my agency doesn't have that problem. Anybody else want to take that?

As a government employee, especially when we get clearances, you have no secrets anymore, and like Mike said, polygraphs, part of that, background investigations that take forever and cost a lot of money. There are no secrets.

Jim, let me just, I want to go back to address this with the passion that a lot of us have talked about. I mean, one never comes to a convention like this and goes home feeling better from an information security point of view. I mean, the enthusiasm, the energy and the ingenuity that you all display out there always comes out with some kind of thing that causes those of us who are in the defend business to have to work harder, and yet it's that passion about this, for protecting not just government secrets
for the purpose of secrets, but for being able to promote what we hope is the betterment of the American people's livelihood, that keeps us going. So I think we see a target on ourselves all the time. I think most of us go home and look at our own home networks and say, jeez, you know, what are the problems we're going to have personally if something happens, and then go back and try to do it again, because there is no answer to this. You never cross the goal line, never get to spike the football, and it's that passion that keeps people going.

I just want to say I have a lot of empathy with what you shared. I think it's a challenge for all of us in this new world of incredible potential transparency, and I also want to recognize that all my colleagues here to the left and myself have kind of signed up for a program where we've given up a lot of our privacy in some fashion. In fact, when I had to make the decision to step up and serve the government and do this, it was one of the hardest parts of the decision, to go from being a completely private citizen to saying I'm willing to go through just incredibly unlimited background checks, etc., to come and serve the government, at the time as a volunteer, as an advisor. And so I think that for some of the federal employees it's even more challenging than for individual citizens, because we have all the same threats from hackers and everything else going on, plus we have signed up to a level of responsibility that we have, and openness. So I think it's a common challenge we all face, and I think everyone in the federal government is very sympathetic. And it probably took a significant cut in pay as well. Yes. I don't know, but short guy.

We're probably living in one of the most profound revolutions that have taken place since the industrial revolution, and one of the things I've seen in the business world is there's a constant need to change your models and your preconceptions. What do you guys see in terms of what new models and what new preconceptions
do your agencies have to adopt or endorse start down to the right I'll take a stab, there's quite a few and I spoke to some of this yesterday how many people were there yesterday morning okay, oh a few, then I'm not repeating too much but in talking about looking at the cyber challenge it's an incredible challenge and I like in cyber to basketball high scoring basketball game might be 113 to 99 in cyber the score would be 113 million to 99 million perhaps because offense is so much easier than defense and so then the question becomes how do you change the odds how do you change the rules of that game how do you change the dynamics of the system and I think I've probably got more questions for you than I've got answers the protocols of the network themselves whether it's BGP SAC or DNS SAC but how do we rewire the system and really make the investments there, it's like the ounce of medicine that's a lot cheaper than a pound of cure or a million pounds of cure but I think we've got to really think about where do we want to take this network where do we want to end up in 5, 10 or 20 years and how do we steer and tighten up the protocols at every level to make it a much more secure environment I think another area for us to look into and the community can help us here but how can we integrate privacy and security and adherence and support for appropriate law enforcement and there's people out there in the community who think that those can be well integrated through anonymous services for example and I think it's a challenge and an opportunity for us collectively to work on that and think through it but I think that's part of one of the pillars we've got to take a look at so three areas that are of concern to us right now one is the ability to share information to communicate, collaborate translate perhaps and engage with civil military partners outside the boundaries of the Defense Department and the point is unless you can effectively engage with these folks you 
can't achieve the social, political and economic goals to which the military was committed in the first place. This is not a nice-to-have adjunct to the kinetic phase of warfare; it's got to be a core part of the strategic thinking from the beginning. So how do you do that? How do you protect, on the one hand, things that need to be protected, and at the same time encourage people to be thinking about how to share with the people who are working with you from business, government and civil society to get the broader mission done?

The second piece: there's a very interesting initiative called S3, which is Social Software for Security, and if any of you take a look at Mashable.com, last week there have been two posts on this, one on Tuesday and one on Wednesday, by a guy named Mark Drapeau. Over the past couple weeks we've been able to put together over a thousand different instantiations of social software, and the main point here is to understand how the government can make use of the incredible energy out there in the private sector. We're here with an acquisition system that will deliver, by the second quarter of fiscal year 2010, some kind of a program. In the meantime you guys are turning things in weeks. So how do we find a way to responsibly capture the energy and make use of it? Because there are lots of other people who may be wishing us ill who are out there taking use of it.

And the third point, which goes, I take the point on anonymous behavior, but the issue of identification and authentication, from a long-term sort of macro defense of the network, of who's out there trying to attack us on a nation-state basis, is a critically important factor we've got to find a way to work on.

I think one of the things that we have to first look at is we have to understand our environment. Our environment has changed, and I alluded to the rotary phone and all these other things, and what was a network and what is a network today, and the speed at which things do. If you use an infantry analogy, infantry warfare hasn't changed since the first person picked up a club and, you know, attacked his neighbor over food. The thing that changed is the speed and distance at which it's executed. So if we keep fighting Napoleonic wars with modern technology, all we do is annihilate each other. If you take the same approach with what we do, we have to understand the environment and how it works. We have to go from securing physical devices on our network to securing the data, the intellectual capital that we're wanting to preserve, and unfortunately that hasn't been accepted all the way across. We're starting to do more of that, but you've got to do everything from labeling types of data and doing stuff. So there's paradigm shifts in how we execute the technology to prevent certain things. It's not just about another device that we put somewhere in line to do some other type of thing. So you have to look at the difference between the infrastructure and you have to understand what your mission is, to be able to defend and work your mission. So you've got to take it looking at the risk management piece. From a security perspective, risk management is the weakest thing. You don't know how to define the return on the investment, and we have to better articulate that to be able to put the proper mitigation out. Sometimes you leave something open because the risk is worth it, because the cost to implement something is too high, but that has to be done, and we don't do that well. So one of the things that we have to do is start doing better risk management and risk structure. So it's just understanding the environment and changing with the environment, and not sitting, as Dr.
Wells said, of going with a strategy that takes 5-10 years to implement a change. Well, that goes away with policy and everything we do.

If you guys don't talk, you lose your microphone. Thank you.

I would like each panelist to offer an answer; it should only count for a couple of words each. So what organization or entity, state or non-state, foreign or domestic, do you currently regard as the greatest threat to your organization? And if you can't do that, if that's too touchy, then a category of actor. We'll start at this end.

Oh, thank you. We've certainly identified certain countries as threats. We have those, and clearly we've identified those as physical threats and technology threats. I won't go into the Middle East, I won't go into Eastern Europe or Asia, anything like that. What I will tell you is we have categorized them quite well.

Barry says you had two words, that's all.

Yeah, but what would you like, the number of alpha characters in that country? Canada. But no, there are probably at least five countries we've identified as having skills equivalent to the US, and so they are certainly a concern.

I can't tell you that. Come on. All right, greatest threats other than the FBI: five letters, starts with a C. Chile. That's chilly.

Real brief, I'm going to swap that around and say one of the threats that we do suffer is an insider threat, and I think everybody knows that's kind of a normal thing to say, but if we could educate people inside to not make themselves so vulnerable, we wouldn't be victims so often. Getting into the specific number of countries, somebody mentioned five, and I guess that's probably very close.

See, actually, I think the reason I would say nation states, but I think that there's a reason for that, and that's deeper than that, and that is the lack of concentration. This room is full of people that are an exception to a growing rule in the United States, where people are not getting as much technical training as they should. When I went to college and went to engineering school, I was a minority in that school as far as nationality, believe it or not, and that's only getting more so. If you're asking the United States military what he thinks is actually the single greatest threat, it's a failure of having youth, in some cases, go out and get properly educated or be properly motivated to do the things that all the people in this room enjoy doing so much.

Anyone but me. Kind of an extension of Barry's comments, and I think it's the inconvenienced user. It's a different type of insider threat. It's the one that says, when that pop-up says "do you want to do X," instead of thinking through, first of all, it shouldn't pop up, it's clicking "yeah, it's a feature." It's clicking on that and causing others. So it's the inconvenienced user, or the user that's doing things more innocuously, not the one that's doing things more nefariously.

Biggest threat, three words: unknown, undocumented features in software.

I personally think we underestimate the threat posed by organized crime, but what really bothers me is the patient, sophisticated, long-term insertion of malicious code, either through supply chains or through penetrations, insider or outsider, that lay the conditions for who knows what at some point in the future. And that's one of the real differences between the cyber problem and others: you don't know whether someone's just screwing around and manipulating data for the hell of it, or they're actually putting in code that can be executed later on. So that's where my concern is.

I think the greatest threat is the failure of our own imagination to restructure and re-engineer and direct the whole system to a better end state. And I think this is an amazing nation, and I have tremendous respect for the whole world, and I've lived overseas several times, but you know, this is the most important infrastructure in the world today, the internet. It's what binds us, it's what makes us interdependent, allows us all to communicate and to build a global society, and we really need to think about
where we want to take this thing, and it's always easy to rip things apart and it's much more difficult to design them and choose where we want to take them forward. So I hope that we can all collaborate in that effort.

Does the US Air Force still feel that we need a military botnet?

You know, I called that guy after he said that stuff. You know, I asked him what the heck he was doing. You know, that to me, that's a non-elite way to do things, in my opinion. It isn't, to me, a professional manner in which we were to conduct our craft. So no, I kind of sneer at that, let's just put it that way. That wasn't an Air Force position, that was a particular colonel's position.

I was just wondering what you guys look for in recruits, or just some new technology maybe that you guys look for.

I'll take the first: trainability, willing to learn and willing to work hard, and can get a clearance.

Yes, because those that are passionate about the job and really care are going to take that extra step to do the right thing day in and day out. And 15 degrees, 35 certifications, yeah, that's great, gets you in the door, but you've got to be able to work the hard hours and the time, to want to defend the things that we hold most dear.

I'll just add on to that. I think you kind of got it from the other panelists up here: it's passion. Those that are passionate about doing the mission of what we do, those are the people we're looking for, that is the people that we're seeking to find. And also pass a tax audit as well. And you have to be actively seeking a pay cut in many cases as well.

One of the things I'd like to throw out there as well is, for anybody that was looking for a job in today's society, people that are applying, actually, that open source is available to everybody. As somebody mentioned before, the use of the internet is available to everybody, so I don't think it's a surprise to anybody here that a lot of the companies, whether it's law enforcement or any other type of company, they do use that open source to try to find out some of the backgrounds. And again, I don't need to be telling anybody here that is using a lot of the Facebook, a lot of that stuff does come up. So again, yes, getting a security clearance is paramount if you want a job with law enforcement. I guess one word, that's sacrifice. Sacrificing the good salaries that you guys might be making out there compared to what we make up here, willing to work long hours, those kinds of things.

My question is a little bit more just in general, but for each agency, I'm curious just your opinions. There's a lot of talk, and it comes especially through the media, about balancing privacy and anonymity and things like that versus transparency for law enforcement to look into citizens' lives and to investigate data and mine data and harvest data and compile it all and keep databases on people. And how do you guys each feel in your agencies about how you have to balance that, and is privacy something that you guys think about when you're performing investigations, and is that something that comes up a lot, or is it something that you feel that gets in your way?

So you're looking for more transparency, how do you guys think about that? I'm going to give you an honest answer to that question. I don't think there is any entity in the world that is more concerned about individual privacy and protecting that than the NSA. Any program that is conducted is rigorously reviewed independently by different lawyers to make sure everything is done correctly, and I can tell you from personal experience, I've worked for several of the directors: if the lawyers don't endorse it, it doesn't get done, period.

I was just going to add that, I don't know if some people here are aware, but in Canada we just had a recent policy implementation from CIRA, the Canadian Internet Registration Authority, whereby the WHOIS information under the .ca has been taken offline, and that's with regards to the privacy issues that keep coming up and that we have to struggle with. And mind you, the
struggle is not only with law enforcement, it's with everybody. So we have to find ways to adapt and try different ways of doing it. Certainly from a law enforcement perspective, that was certainly not the best option that we wanted to have, and we know that it doesn't bode well for the other law enforcement agencies around the world. However, we have been able to come up with some exceptions, for example child exploitation, whereby we can get access to that information. So those privacy rules are there and there are the reasons for it; we just have to find ways to adapt and try to find some ways.

All of us up here in a federal context have taken some sort of an oath that involves supporting the life, liberty and pursuit of happiness of the American people, and that's why we're doing this, and certainly the privacy of those people is a core part of this. I mean, I've got to tell you, the sort of questions that, when I was in the Office of the Secretary of Defense, we had to answer when someone lost a laptop, for example, with all such people's names and Social Security numbers: what are you doing in your organization to keep that from happening here? And then in cases when it did happen, it was like, are you willing to subscribe, are you willing to pay for all the people in your employ, under your care, for a year's worth of credit checks, for example, credit verification, in order to make sure there weren't disadvantaged by that? This is a daily part of the concern of everything we do, and I'm glad it is.

Just a couple thoughts. I mean, first I just want to support the comments that were made by all my colleagues here. For example, we're standing up a brand new organization in the federal government, and one of the first things we have to do is work on the privacy process and privacy reviews with all the attorneys to make sure there's an appropriate structure and process in place for handling that. But I want to talk more broadly about the privacy issue for a moment and anonymity, because I think that, I was at the Aspen Institute last week at a really amazing session, and we had some of the heroes of the internet there, like John Seely Brown and others, brilliant people, and we were talking about this issue of privacy and anonymity, etc. And if we look at the traditional privacy debate, people talk about a trade-off between privacy and security and convenience, but a lot of leading thinkers think there's really not a trade-off between privacy and security if you use appropriate anonymity but with law enforcement collaboration, in the sense that if a warrant is ever delivered or a subpoena is delivered, the identity of whoever it is, and I see Rich nodding his head, who's anonymized is identified. And actually I was involved in this. The one company I ran in the security sector was called Privada, and we partnered with an investment from American Express, an investment from First Data Systems, we raised $37 million and we pioneered a completely private and anonymous credit card settlement infrastructure between 1999 and 2001. And so you could surf privately, purchase privately and ship privately and anonymously as long as it was legal, and if it was illegal, if you ever did any illegal activity, then upon delivery of a warrant, the identity of that individual could be provided. In fact it had to be, because it was engineered to fully comply with compliance. So you can architect, and we can architect, systems that give tremendous privacy protection and which also support law enforcement. The issue is a public policy issue and a social issue, which is that I don't think that that's generally understood, and that bridge has not been built. And I think the challenge to the privacy groups and the privacy advocates, and there's some very articulate organizations that are here at this event, is for those groups to help propose solutions in the future and open standards that comply with law enforcement and what DOJ, FBI and others need to do, because
crimes are real, cyber crimes are real, and none of us like to get ripped off. So we have to have a secure structure, but we also value our privacy. So I think that there's a great opportunity for education, and to start changing and move to a new generation of how we understand privacy, because we've got to solve this identification and authentication issue on the internet to make the environment more secure. We've got to get on top of this thing, because if you look at the whole list of things that go on, this is one of the core components. So I want to throw the challenge back out to the group here and say we hope that you as a community will be putting together good proposals that the government can consider, and the law enforcement bodies, that can become active open standards that the private companies will go and implement and make happen.

The FBI, we are limited by the same rules, regulations, policies and procedures as every other agency sitting at this table. If anything, privacy is the first thing we have to consider, or we do consider, when we are requested to accept information or share information with someone: is this a violation of their privacy, how will this be perceived? And it gets lawyered to death before we ever do anything. My concern is, we have the general public looking at what information they are providing to the government, and I said, jeez, most of the public, they provide more information to utility companies. I don't see them out giving the utility companies, cable company and so forth a hard time. But we, the FBI, we have a really tough time when it comes to information sharing. Doing that with our partners is a privacy issue. But we investigate civil rights violations; we certainly have to keep privacy as a consideration when we do our jobs. That may not be something that most of you are aware of, but I live with that on a daily basis. And when my agents are out, I say, look, you need to ask another question when someone says, hey, you have evildoers, people trying to attack my network, let me hand this information over to you. And I said, well, first of all, you're going to have to go one step further: ask them how did they come to be in possession of that information. You know they have sensors out there, because you would assume they're collecting information from their own network. Well, did they hack a few other networks to acquire that information? Is this information from their own sensors? That is how concerned we are about the privacy. I would just as soon refuse to accept information than to violate someone's privacy, because I don't want to deal with the heartache and the grief if it is determined I have information I should not have, that is PII, personal identification information: Social Security number, date of birth, address and so forth. So yeah, it is something that we consider quite heavily when we do our jobs now, because there's a lot of information out there, and believe it or not, there are a lot of agencies that would like to share that information with us, but I'd rather refuse it than to take something that we shouldn't have and then deal with that. So yeah, it's something that I guess pains me on a daily basis, or pains my agents on a daily basis, but we have to take the privacy of our citizens into consideration, and we have to do it very carefully, and it happens on a daily basis. And I haven't seen any major mistakes when it comes to the privacy, well, I've been there for two years now, because I have, I've sort of, I won't say intimidated or scared my agents, but they are thinking about personal liability. And I said, you know, there's always that possibility someone can come after you personally, so keep that in mind when you accept information, when you look at someone's personal information. So my agents are very conscious of that. So from the FBI, I know it's hard to believe, but it's something that we take into consideration on a daily basis, at least my cyber agents, 27 of you on this side.

It's always a balance between privacy and
privacy, like Rod said, and there's nobody up here on the panel that makes the rules. We play within the rules that are set by the people that you elect, so if you don't like the rules, vote. And we're not adhering to, say, these aren't FBI policy or privacy rules, these are United States government privacy rules. So, and I have the Inspector General who comes and looks at how we handle the privacy issues on a regular basis.

One last comment, which is, if you're living in the United States of America and you're worried about the U.S. government and your privacy, you may be worried about the wrong government, or governments. True fact. You have any names? Okay, Mark says you don't have to worry about the Canadian government.

I'm sure agencies, in the course of a normal day just doing their jobs, come across a lot of exploits in public domain software. How do you decide which ones you give back out to the public to ensure that we can patch ourselves, and how do you decide which ones you keep to yourselves to add to your own arsenal?

Well, if NSA gets it, they don't share it with anybody so they can exploit it.

I think the first thing you need to worry about is responsible disclosure and detection of vulnerabilities as a result of doing vulnerability research, which of course we applaud. I think one of the more important steps would be to let the vendor know that there's a problem, work with the vendor to help them correct the problem, and even though I don't work for US-CERT, we work very closely with US-CERT, and I'm probably stepping on somebody's turf here, but make sure US-CERT knows about it as well, to help correct that issue.

You know, there are processes, there are groups as we speak that are going through to talk about vulnerability equities and the processes at which those are handled, and those discussions are being held at very high levels, because that is an issue that we have to consider. Because if you think about three bubbles that float out there, two of them are actually folks here at the table, the law enforcement/counterintelligence and the intel community, but you also have the public and private industries not represented at this table. They all have equities, they all have things that they do to do their mission, to help do what we do, and, you know, to protect that intellectual capital. So there is a thin trade-off, a fine trade-off, of what you give, what you don't, and what it's used for. Some organizations that discover it probably won't disclose it if it can be used for other means, but it's a question that has to be asked, and a group has to discuss it, and it has to come to a common decision, and it has to be handled appropriately based on the risk management piece that I mentioned earlier, which is, what is the mission impact of what we're trying to do? Because from a net defense perspective, my definition of attribution is different than those other three bubbles, and I'm about defending the network, not about handcuffs, not about exploitation or things like that. So we all have our different equities that we have to resolve and get through, so it's got to go through these processes, and sometimes it's back to the vendors and sometimes it's back to the public domain, depending on what types of categories. But it's a very hard one to answer, but that's one of those things we have to answer on a regular basis.

We all know that the low-hanging fruit is normally the one that gets picked first. What, if anything, do you guys do to help third parties, like non-government people, protect themselves from an attack from outside of the US?

It's all
about training and education and about sharing of information as we are made aware of the issues at hand. And I'll just use US-CERT: we post a lot of information, and not just off the US-CERT websites, there are other websites that US-CERT uses for training and education of the public. There's other sites that, you know, I'll pick on Mr. Leather Jacket over there, one of the organizations he supports, with SANS, they produce a lot of stuff, Carnegie Mellon and CERT/CC. There's a lot of information out there, and you know, between us and CERT/CC and others, we try to consolidate that to help educate the users, those that are willing to take the time to look and hopefully implement it in their systems, at home even. So that information is out there and available, and it's shared as freely as it can be.

A couple things you may not be aware of. You can go to our website and download some very instructive guidance on how to set up your computer's configuration, configuration guidance, and this was done in conjunction with vendors, done in conjunction with NIST, the National Institute of Standards and Technology, and that's readily available for anyone who wants to download it from the internet. We take education very seriously, so seriously that, in cooperation now with the Department of Homeland Security since they've been established, we get a lot of money from Congress, not as much as we think we need, but a sufficient amount to support a number of schools, 73 schools across the country now, that have been identified as Centers of Academic Excellence in Information Assurance. And many of these schools are not necessarily the top-tier schools like your MIT, Stanford, etc. A lot of them, several of them, are community colleges, and you might ask yourself, why in the world are you spending money training people at community colleges in some isolated portion of the United States, northwest Nebraska for example? Well, the idea is to spread that knowledge, because the home users need it just as much as big government and just as much as big industry.

The crux of the question is, what does the government do to give back to the community as far as feeding back, you know, exploits and whatnot? And I think you've got to keep in mind, speaking for NASA, we have a lot of contractors. I mean, it's private industry that drives NASA; I mean, those are the contracts that keep our work going, and it behooves us to get the word out on these things. I don't want a NASA contractor or DOD contractor any more vulnerable than a NASA system, because a lot of times it's NASA data on there. We need the private sector secure so that we can be secure, because they're doing a lot of the work for us.

A good percentage of our investigations are joint investigations worked with our international law enforcement partners. As you may know or suspect, a lot of our pain comes from outside the borders of the US. I have cases I work with Russia, China, Eastern Europe; I have a task force in Romania. So I am doing what I believe is an absolute must in terms of working globally with our international partners. There was a time when people believed if an attack originated from outside of our borders, then it was beyond our reach. Well, that's not the case, because they are being plagued by the same thing, and the internet works the same for them, so they are, what I consider, they're motivated to cooperate. Now, will their laws, will the sentences their citizens receive, be similar to those in the US? Some cases yes, some cases no. A good example is AKILL; we saw what happened in that case, but we worked that case jointly. But that's one of the things we have to do, work with our law enforcement partners internationally, training our international law enforcement partners, a lot of time looking at their networks and helping them shore up their networks, because they are working with, in some cases, inferior equipment, and the skills aren't quite up to the level they should be. But I figure if we help them improve their situation, we
may see them handle a lot more on their end instead of making it to the US. So that's my part, and I spend a lot of time on the road, and that's both with counterfeit intellectual property violations as well as intrusions. So that's where the FBI stands in terms of protecting its citizens from those attacks from abroad.

Just very quickly, the NSA is the NASA of cyberspace. It is the greatest focal point of federal research dollars, and the same way NASA has developed incredible technologies that helped shape the whole semiconductor industry and many others in our scientific advancement, NSA is a phenomenal investment in science and technology and resources. Let's talk about how that's helped consumers as well as small businesses. If you open the Vista operating system, you look at the documentation, the manual, in the front of that manual you'll see a tribute and a thank you to NSA for tightening up and improving the quality of that product. In the same fashion they partner with Apple, so you do see a big spillover benefit of that core R&D effort being done going directly into the private sector.

Check's in the mail.

So you guys talked about always wanting people like us in this room as hires, and obviously the industry is growing. Okay, well, no, but I'll be one of several hundred thousand college graduates next year across the U.S. and across the globe. How do I get maybe my resume or get in contact with you people? Because your recruiting websites, they really aren't that great. I can't say I've looked at all of them, but what's the best way to find passionate people like us and kind of make it past the cannon fodder, so to speak?

Networking, and I'm not talking about computer networks. Any of us, you can get a business card before you leave, and every DEF CON we come here and get literally dozens of applications. And for DC3 we're about 75% contractor, so the hiring is pretty, hey, hey, equal opportunity. Getting into government takes a while, so a lot of our guys come in as a contractor first and then apply for a position later.

Real quick, one of the websites, I know you go to each agency's website, but, and I'm just saying, this is maybe one of the crappy websites you're talking about, USAjobs.com. All the jobs, that's where we get our postings from. We post our jobs to USAjobs.com and that's where we hire from most of the time. But the other thing is, like somebody said, networking. People that hand me a resume, I will interface with them, if worthwhile I'll interface with them when we do put a posting up, and make sure that they know that it's up there, and we'll do what we can.

So am I to understand that Vista is the NSA's fault? Is that what happened? I was thinking out loud, my mistake.

Anyway, a few of you had discussed that some of your primary goals, some of your primary jobs, are taken up by monitoring network intrusion throughout the day, and resources that aren't as high as you'd like them to be. In the future, integrated chips will all be built with grid computing in mind, and eventually there's going to be, you know, every system is available on the planet. What will be done to make sure that you guys are prepared for that adequately?

Thank you. Next question. Answer that question: y'all are the rocket scientists, y'all help solve the problem.

This is one for the military guys. There are the obvious tasks of, you know,
figuring out how to face off against the Chinese information warfare regiments and defending the fixed networks here in the UK, but one of the, possibly the most dangerous, I guess, threats comes from deployed operations. You know, if you war drive around places like Camp Phoenix and Kabul and around Kandahar, which I have done, you can pick up wireless networks that have been operated both by the actual troops on the ground there, whether in an official capacity or privately, running games and stuff, and also by the contractors. How do you guys deal with that threat? What sort of policies, what sort of measures do you have in place to kind of prevent information leaking out and, you know, the bad guys sitting on a hill three miles away with a Pringles can intercepting the information on when the next convoy is going to be going out?

Well, we do have programs in place for that. Of course there's spot checking, of course we have people running around with checkers. We scan our networks, our deployed networks, certainly our military ones. As far as private ones go, in many cases those pieces of equipment aren't permitted in those countries anyhow because they don't meet standards for those countries for radiation of RF energy, so there's other impetuses to prevent those things from being stood up as well. But fundamentally the risks to those things are handled in a number of ways aside from those checks, including inspections of gear and items that are going to the area of responsibility, the war zones. There are confiscations: if you're caught with such equipment, those things are simply taken from the soldiers and are not returned. So when they do those things, those are a pretty good risk to their own personal purse as well, and they know that. But if you are sitting in a desert for 18 months you'd be pretty bored too, in some cases, so some of those things are understandable to the extent that they don't connect to DoD networks. You know, the recreational, like you said, for gaming or something, we're less concerned about that from a security standpoint, but we still have a responsibility to those other countries to not allow gear that doesn't meet their laws into the country either. So it's kind of an international affairs problem when our folks show up with those things, and it's a security problem if they're connected to the DoD network, and we have measures in place to handle those things. I can't say that it doesn't happen, it certainly does, but it's mopped up pretty good and the penalties are pretty severe actually for it. You're prosecuted under the Uniform Code of Military Justice for those violations, and so I think the soldiers are beginning to take it more seriously. Soldiers and airmen, of course, from my point of view. So that's about all.

I have a remark and a question. One, I'm former U.S. Air Force electronic warfare, 53rd Wing, which I believe is down under your Cyber Command. You made a remark earlier that the botnet was beneath you. In electronic warfare we had a motto: in God we trust, all others we monitor, jam and deceive, and if we can't do that we drop a bomb on them. So the fact is, if you remove things from your arsenal and you're fighting this war, how do you plan to win the war whenever there are no rules of engagement? And for the gentleman on the end, any system that is architected anonymous, where you can provide the details of an individual operating in that system, by default is not an anonymous system, right?

Well, what I was really trying to say when we were talking about the botnet is that there are better ways of doing what we need to do rather than use a botnet. If given the choice and a fixed budget, I have to be responsible with my budget. I don't think I want to take more money from the treasury than I absolutely need to to do the job. There are much more effective weapons that you can pursue rather than a botnet, far more effective.

Obviously there's a school of thought out there that says
anything that's connected to the network can be hacked. If that's true, there is no privacy for anyone, anywhere, anytime. So for those that are going to hold that position, I'm not going to argue with that; it may be a point, and the only privacy we gain may be through legal means. But I think that then we have to figure out where we're going to go with this debate. If what you're saying is there's no privacy whatsoever, then we have to go to McNealy's model, which he says: get over it, you have no privacy, get over it. That is Scott McNealy's model. So anyway, I'm sympathetic to your comments. There's a body of hackers who would say anything that's connected can be hacked, and I'm open to listening to that debate.

I want to come back actually to the grid computing thing real quickly, because we didn't respond to that. You know, cloud computing is becoming huge, okay, and hosted services are becoming huge across the network. It's a structural shift, one of the greatest structural shifts we're going to see, whether you want to call it services outsourcing or application outsourcing. I actually, I don't know, I just have this intuitive sense there might be some greater security opportunities for us in that from the government's perspective. Because you think of the United States government perhaps as being this huge centralized thing, okay; in fact it's massively decentralized. There's not only 12 departments, there's countless agencies, tons of components and offices. There's thousands of things going on out there in the government, and not every group is going to have the same level of sophistication in securing their information assets and their networks. Hosted services that are run by world-class companies with tens of billions of dollars of market cap and a lot of liability on information security may in some cases be able to do a better job of that than a small office in some service.

So I'm sorry, what liability? What liability?

Well, like this, like the payment T.J. Maxx just made on the credit cards, right? You saw a 50 million dollar payment. I call that liability. So there is, like, any, you can argue, by the way, there's an interesting policy discussion whether there should be more liability, what should be the liability that various parties have in the system, and would changing those economic structures lead to more of the behaviors that we want to see in terms of protection. So I just wanted to touch on that.

You guys are the security experts for computers for our government. What is your department doing to educate the rest of the government on unsecure systems such as e-voting, for instance? Do you talk with Congress and educate them that we shouldn't be using these systems, since they're clearly not secure?

Well, let me start with that. We had about 10 congressional staffers, both from Congress and the Senate, at our facility this week, trying to educate folks and prioritize limited resources, where they need to go and what regulations, what doesn't need to be regulated, etc. Anybody else?

About a year ago I had the privilege of actually going up to the Hill with Rich a number of times, on a weekly basis, multiple times a week, and actually educating and bringing up to speed a lot of our congressmen and senators, literally one on one. And again, that's really kind of what we're doing, is trying to get there and educate them, not so much from the voting system standpoint, but to ensure that they're aware of things that are happening in the cyber realm across the federal government, across the nation. So again, that was something we did for a little over a year while I was still there, and it's probably still going on today.

Well, last week I sat as a backbencher to listen to the House staff and the Senate staff, their security staffs, brief a large number of members of Congress, representatives and senators. Their biggest concern is privacy, not just the privacy of their constituents, because
they get overwhelmed with that kind of complaint all of the time, but it's interesting how they communicate with their constituents. It's not done via mail anymore because of the anthrax scare. Every member of Congress, regardless of their age, carries and uses a BlackBerry, and that's not an implied endorsement or an express endorsement, but they use a PDA. They know the vulnerabilities associated with using wireless nets, they're very concerned about that, and they're very concerned about the security of their systems that are operated in their office by them and also by their staffers. They view threats in a very interesting way: they want to make sure that their adversaries, which is the member of the other political party, are not hacking into their systems. They're very concerned about their security and their privacy for themselves and also for their constituents.

I would turn that around on you guys and challenge you. We're at a critical time right now. You have two candidates, and what do you know about their cyber security initiatives? You should be asking those questions and raising their awareness that it's important, and whoever wins needs to address this.

Well, since the subject of security clearances came up a few times earlier, do any of you believe that the current restrictions involved in getting a security clearance are not useful, or not always useful, for the threat matrix that you're facing and that you're looking for in your employees? Are some of them outmoded for what you are looking for? Have you felt that that's impacted your hiring process? And also, how is TSA going to deal with all of these coming into bags at the airport on Sunday?

Sir, are you implying those restrictions should be loosened a little, in terms of...?

I'm saying, are these your restrictions, or, I'm asking you whether you believe that, "have you engaged in felonious behavior," does that map to the threats that you would be facing on whether an employee is loyal, etc.?

Well, post 9/11/2001, I think those questions are probably more appropriate and probably map better to the threat matrix. We have to be just a tad bit more careful, and I expect those limitations or restrictions to tighten as opposed to loosen; at least that's what I've seen, and there's a reason for that. It's called national security. I don't believe we can go the other direction and actually be effective in providing a higher level of security for you and the rest of our general public by loosening those restrictions. So I think they still map well to the threat matrix.

I think the questionnaire, certainly the subject questionnaire that you might be referring to, has been that way for a while, but I think it's pretty comprehensive. Also, it certainly isn't the be-all, end-all of the investigation; it's just the subject's input, right? I mean, we call it a background investigation for a reason. It's actually one of the last things that's actually reattested to in the process: an agent comes to see you toward the end of the period of investigation, after they know and have investigated you, and asks you those questions directly and has you sign affidavits and whatnot. So the purpose of those questions is not necessarily to be the whole of the investigation, obviously, but I do think it's a point of departure.

I can tell you where it's had differences, cultural differences, when it comes to polygraphs. It has caused problems for us in terms of recruiting certain people; certain questions, based on cultural differences, we have found cause us to, what I consider, miss out on a lot of recruits. But a lot of research went into developing those questions for the background investigations and polygraphs. So I know we are missing out on recruiting people from certain cultures or recruiting people from certain occupations. It happens, and it's an acceptable loss at this point. It's a trade-off. I think value set counts, not just expertise and how good you are and
what you know, but values count as well.

Yes, we've heard from this panel a lot about kind of the outreach and the leadership in cybersecurity, and that's great. Are you finding that, in the convergence of logical and physical security, you are able to influence your counterparts in the physical security world to adopt secure policies and practices and not do stupid things?

No, I think it's in their job descriptions, stupid things, sometimes.

Well, that was one of the requirements when I set out to depart from my current position, because I'm eligible to retire. I said I will not talk to a company where physical security and information security are under separate umbrellas, with the physical people reporting to HR and the information security people reporting to IT. I don't believe that is the best model, my personal impression. So I'm talking to my colleagues, because many of my colleagues have left and gone to the private sector and they're on the physical security side; I am more an information security guy. However, I believe the best operational model is where all security is under one umbrella, and I have actually talked to a lot of our private sector partners in InfraGard and a lot of our private sector partners in a couple of the other public-private alliances we have about considering that model, because I don't believe we can be as effective with one over here reporting to HR and so forth. And a lot of them have come around to that. However, I also noticed some of them have tried it and gone back to that separate physical and information security model. Why, I don't know. I'm still unsure as to why it's not being attempted more.

For our IRS, our physical security operation center and our cyber security operation center are actually co-located together so they can work together as one team.

I'd like to first direct this to the RCMP, to my fellow Canadian, and then to the FBI, but there's some more. I've noticed a trend globally towards ubiquitous surveillance. So if you see the Beijing Olympics, there's cameras everywhere; in London, England; I think New York is trying to implement something like this. And I'm wondering, is it possible to have effective oversight with just enforcement having access to these systems? There have been examples in London, for instance, of people peeping in through people's windows. So I'm wondering, who watches the watchers, and how do you effectively control the balance of power then between enforcement and the regular people? Would you consider opening up the systems to everybody who watches over us?

Obviously, the laws, whenever we get, whether it's the warrants for surveillance and those types of things, we have the courts to answer to, so it's not just done haphazardly. We don't have the video surveillance systems that other countries do. I think the UK is probably the most advanced in how they have it; they have cameras virtually everywhere. It comes back to what we mentioned before: it's weighing between the privacy issues of a country, what they are willing to bear, and the laws that they have, and also that comes from the public outcry as well. Are they willing to do this or not? If you don't accept it, you'll find that, I think in some of the countries, again, London is a good example with all of the cameras that are available there, I think the public feels perhaps more safe now. If that were to be done in some cities here in the States or in Canada, I could guarantee you, in Canada at least in some of the cities, there would be a huge public outcry and they would say no, we don't want that. But from a police perspective, and any of the things that we do, certainly we're accountable to the courts, and I think that holds true to probably the States here and any other country. Some other countries are maybe not as advanced, but whenever you get something, a court order for example, that has to be answered to before the courts.

Why people believe, our public believes, we will abuse those
authorities, let me tell you, I've interviewed too many people in prison to ever want to be in their place. So court-authorized monitoring, court-authorized wiretap: overstepping those bounds is not something that any of our agencies, and we probably do more of them on the criminal side, and we probably do more of them than anyone at this table will admit to, I'm sure there are more done elsewhere. As long as it's court ordered, I have no problems with it, and I don't believe those powers, those authorities, are being abused, because there are too many checks and balances.

How many years ago is that?

Exactly, exactly, yeah. See, you know, things have gotten better, but I didn't say it has not happened. You will always find instances where someone has tried to sidestep the rules or overstep their authorities. We lock up our own. I've interviewed former FBI agents in prison, not a comfortable feeling, but I have done it because I spent two years on what's considered our internal affairs. And so I don't ever want to be on the other side, and most law enforcement or national security people want to be on the other side, where the door of the cell goes shut and they can't walk out the front gates. So opening it up to everyone, as you say, I think that's ludicrous. I mean, talking about an invasion of privacy, I'm not sure how we would work that. But no, I have no problems with it as long as it's court authorized. I don't believe those powers are being abused.

Again, nobody on this panel, their agencies don't make the rules. You guys make the rules by voting and influencing your politicians. But if these guys weren't using the tools available to protect you, you'd really be fucking pissed.

You know, what do you think is the role of government in trust? And what I mean by that is the population of this country, everywhere in the world really, is using all these devices, commercial devices, in public places like ATMs. So there are reports that people install readers on ATMs to collect information, but the ATMs may be bugged to start with. Do you think the government has a role to play there, like maybe some kind of a trust? I'm thinking of this because, like, we have an FDA and they sort of test drugs and they say okay, this is not ready for production. Is there any thought to that, or shouldn't we go on? What's your thoughts?

So you're basically asking about regulation. Okay, show of hands: how many of you think the government ought to regulate cyber security in the private sector and in your personal life? Turn around and look. That's your answer. They don't want it. Congress didn't pass any laws to do that.

Hi, I've got a question about the continuous oppression of UFO...

You stood in line that long to say that?

I have a two-part question. The first part is directed at our military people and the second part is for law enforcement. And the question is, you guys were talking about, for private institutions, how do we protect them, how does the government help protect them, and you guys emphasized education. The way I think about it, the analogy I like to think about is, okay, you can educate someone in the real world, for example put locks on your doors; that'll protect you from your average thief, even a Medeco lock. But the question is, what about when the attacks are not so much like an average thief but more like a missile launch, like for example denial of service attacks from organized crime, from nation states, or from private criminal enterprises? So what does the military do? In the real world, in the non-cyber world, let's say we have airplanes and other defense systems. What do we do on the cyber front to improve our infrastructure and defensive capabilities to protect when education isn't enough? That's my question towards military. And on the law enforcement front, because I'm sure law enforcement, black hole the packets, is that right? Because this is actually part of this, I'm sure law enforcement is a big part of this, of stopping this problem, and what can
you guys do about the guys like, I saw this program To Catch a Predator, but not that one, but the one they did on the cyber thing, I forgot what it was called, and John Hansen found this guy and it was sick. He just walked out and it was really gross to watch. And I was thinking to myself, wow, if he can find this guy so easily, why can't we protect our own citizens from scammers like that?

Question one, I guess we'll start off with, as far as protecting the general public. First of all, there is a division between the people here up on this stage and between all the different agencies here, obviously. On the military side, in order to qualify as a military activity it really has to be done by another nation state, or go against something that the president declares, you know, a threat, a national threat to our capabilities. So in a way there's a lot of, it's not entirely clear all the time where an attack is coming from; obviously with the botnet, let's say, take that for example. So the first problem is going to be attribution in that case. So I mean, if another nation were shown to be, or were attributed to, a particular attack against say the US military, or against the nation in general, say some of our major infrastructure, then we certainly, and others, would be having a conversation about what do we recommend to senior leadership within the US, not just the US military, to handle that threat. The answer to that may be the military mounts a counterattack, and that attack can take many forms. It could be an electronic counterattack, it could be a kinetic attack, and that's something that the United States Air Force, that's why we're in this business, that's why the Air Force is in this business, because we do bring to the table a set of integrated effects, global integrated effects, across the spectrum of conflict. So that's really kind of our view of that situation. So attribution is required, and then a discussion about national-level options between the non-military parts of the US government and the military parts of the government going together to senior leadership to determine a way ahead. I'd like the US to talk about that a little bit too, from his perspective.

We have two things that we follow. The main one is the National Response Plan, and it covers a lot of different activities on how we handle certain types of activities. I mean, obviously, if you're talking about some type of response action, that's when it starts getting beyond what we can probably discuss in this room. Plus, you know, it's a very difficult trigger to pull because of the attribution piece; we don't see the muzzle flash, the smoking gun. But to expand this discussion, there's the National Cyber Response Coordination Group, still learning some things that it needs to do, but it brings the government to include the Department of Justice, so we've got the guys over there; it brings the DoD, so that includes both military as well as other groups at the table; and as well as the Department of Homeland Security. So it's a very comprehensive process to determine what we can do, one from a defensive mitigation strategy, and is there something that should be recommended to the president to do, because you've got to get to that point of saying this is an act of war, or act of something that is severe enough that the politicians are willing to put something out on the line like that.
Just real quick on the second part of your question, which was the press guy who was able to find the scammer real quick and all that. That's a question that comes up a lot; it's a frustration of a lot of citizens. Two answers to that real quick. Number one is volume: there's just a lot of them out there doing this stuff, and we have a certain threshold of people that we're going to go after, so the volume is up on that. And the other thing is, and it goes back to the privacy question, is they're using different tools than we are. They're not worried about the same constitutional rights violations that we are. Catching somebody, for us, is a little bit more difficult because I don't have the journalist's tools; I have law enforcement tools with regard to finding people, tracking people, you know what I mean? It's a little bit more difficult. That question comes up a lot. One of the analogies is like drug deals. Why is it so easy for a ten-year-old kid to buy a rock of crack on the street but cops can't catch them? Volume. There's a lot of it going on, and catching them takes a lot more than just knowledge of the neighborhood. You have to have people talking to you; it's the techniques you use to get it. So I just wanted to say that real quick.

I'm sorry, but we only have time for one more question, so the rest of you guys can sit down. I apologize. These guys will hang around afterwards, though.

So the typical office software, including down at the operating system level and at the higher level with things like IE and Outlook and Word and all, has this many, many years long track record of being just absolutely dreadful for security, and here you are supposedly caring about security, but I guess that you tend to run a lot of this software despite having some alternatives, even developed by the NSA, for compartmentalizing things a bit better. What about moving away from some of this stuff with a very obvious long defective record? And not moving away from this, isn't this basically just asking to have yourself hacked into?

Just forget that. Yeah, I'll just come right out and tell you, just like Jim's told you before: you get that government that you elect, right? So we have to follow rules laid down for procurement of pieces of software that the politicians that you elect put into place. You elect the guys in Congress that require certain levels of competition for large bids for software, and so sometimes those competitions are based, they are based on many factors, but cost is a major factor in some cases, and verifiability is also another issue too. So shoot back on that one. But at any rate, that's part of the answer. We don't mean to reflect all those questions back on your elected officials, but that is a major issue with our procurement. That's why we sometimes get the things that we get.

I'd like to thank, first off, you guys for the thoughtful questions, except for you, Neil, and thank the panel for putting yourself out at risk like this. Thank you.