Okay, so this is a former keynote panel, and it's pretty much fed-heavy, because I wanted to sort of ask people what they've seen, what has changed over the years for them, things that they talked about previously in their keynotes: looking back now, where were they accurate, where were they inaccurate, you know, where did they screw up and what did they get right, where do they see things going forward. Since information security seems to be moving really quickly nowadays and we are really in the spotlight, we're getting a lot more attention than ever before. I think that's sort of a blessing and a curse. Maybe a curse in the sense that if everybody's hanging on every word you say, if you say the wrong thing... It's like, finally this is my day in the sun, and you try to do everything in 15 minutes that you wanted to do for 15 years, you know you're setting yourself up for disaster. So I think we have to be more careful now than ever before in how we portray ourselves and the things we're saying. We've got their attention; now we have to decide what to do with it.

So let me start at the end with Tony Sager to introduce himself. Now, why don't you just take some time, talk about maybe your perspective a little bit, and then we'll move into a more conversational... We'll talk about your intro. Yeah, let's do intros first and then kind of give more in-depth. We'll do that. Okay.

Good afternoon, my name is Tony Sager, and as of September I'll be a 34-year veteran of the National Security Agency. Thank you. All of it in what we call information assurance today, so in the defensive mission at NSA, and I've spent that 34 years involved in security testing of one type or another, everything from cryptographic algorithms to product testing and then out to and including operational testing like the NSA red teams and so forth. And over the last five years I've had the honor of running the organization that does all that for the defensive mission at NSA. So my perspective is a little warped by having watched things break in a myriad number of ways, and probably the last ten years of my life have been focused on: how do we solve some of these problems that we have seen countless times over and over again? And when we come back, I'll talk a little bit. I was keynote in 2007 and talked about a number of things that we were doing around public standards and guidance and so forth. Thanks.

Great. Next we have Linton Wells. So my name is Lin Wells. I'm over at National Defense University, where I run a small center on technology and national security policy. Before that I spent 16 years in the Office of the Secretary of Defense, including a couple of years as the DoD chief information officer. I think my first time here was 2000, 2001, and I was just reflecting in the discussions here about, you know, not only how much has changed but how much has remained the same, in terms of how much more slowly the government is responding than the threat is evolving. So, something to talk about.

And finally we have Bob Stratton. I'm Bob Stratton. I'm an independent consultant out of the DC area. More recently I was director of government research at Symantec. I've done a couple of venture-funded and bootstrapped security startups and was a part of a novel experiment a while back to create a venture capital arm for the Central Intelligence Agency, which is now covering the whole intelligence community. And so I guess part of my focus... You've got to talk about your early days. Oh, well, yeah, there is that. I founded the security organization at UUNET, which was one of the first tier one internet service providers. Had an audit and pen test consultancy. Yeah, you did the first pure-play security practice, WheelGroup. Yeah, the first network IDS, commercial network IDS, which we sold to Cisco. Then I did a pen testing consultancy, which I sold to Si link. So I guess I'm kind of the, yeah, reluctant business semi-fed guy. The one thing I like about Bob is at one point almost all of Usenet went through his basement. So thanks, Bob, for keeping Usenet running for all those years. Yeah, it was heating his house.

Okay, so those are your perspectives, and so we'll go back now to Tony and give you a little bit more time, if there's any questions or things you want to flesh out, and then we'll do that again with everybody, a little bit more in-depth now that we know your perspective. And then I'll tease out some questions and we'll open it up for audience participation, and we'll just see what happens. That sounds great. Yeah, so maybe talk a little bit about your previous keynote and maybe what's changed or how you see the role of what you're doing change. Okay. We're looking for big, big picture ideas here.

Well, let me just summarize briefly. You know, the great opportunity that I had to come out and speak in 2007 at both Black Hat and DEF CON, in a lot of ways it was sort of a coming-out party. That is, we were really going public with a lot of things that we had been doing, and again, I've spent my life on the defensive side of this, and actually we just celebrated a big tenth-year anniversary at NSA. Well, it was June 26th or 27th, I forget exactly when, but ten years ago.
That was the summer of 2001, when we started releasing security guidance from NSA to the public through our public web presence. And I know that doesn't sound like much today, but that was a real culture changer for us, and convincing, you know, some really understanding bosses that I worked for that that would be a good idea. That is, to take guidance that we had been developing as an outgrowth of red and blue team testing and product testing for the DoD, putting it together in a more general and broadly usable form, and then just giving it away. And what I was seeing at that time, and this is the early 2000s, was, you know, we all talk a good game about public-private partnership, and we're all on the same net, we're trying to solve the same problem, but there isn't much work that's really aimed at solving the problem together. And the messaging that I was trying to get across was, we're part of the community. We're going to put our share out there for inspection. There were people looking for an NSA backdoor in it. I don't think anyone's found one yet. (Really good job you did hiding it. We're incredible, I'll tell you.) But the idea was, you know, we have a shared problem, we need to share solutions, and the only way to do that was to start putting things out there that we would just give away. And the point I made to my boss at the time, and he strongly endorsed it, was that we would be able to gain more influence and cause more positive change by giving things away than we would by trying to gain control of the environment, that is, being in charge of everything. So we had started that in the early 2000s. By 2007 the message that I brought was this idea of cooperation across the private sector and government, and in particular for the government to bring its share of technical content to the table, and we had started on a massive campaign to start working in open standards for security.

So if you've ever heard the term SCAP, Security Content Automation Protocol, a lot of that groundbreaking work came from my folks at the time. So how do we take things like good practice, NSA guides, DISA STIGs if you know what those are, NIST checklists I think they call them, and how do we take those and then automate them, right? So the problem that we're having, and one of the many problems we're having in this business, is that we're asking poor, overworked, underpaid humans to manually configure, protect and deal with things that are just beyond the scope of human ability to manage. So we need to do more things at scale, ask automation to help us, get them directly from the vendor in a more securable fashion than trying to do it in the field. You know, for us it's the DoD, and so that was the message that I was bringing. And a big part of that message was also, we're not just trying to foist this on you in the industry, but this is what we're going to do to ourselves at NSA. That is, we're going to break down the barriers between things like red teaming and blue teaming and product testing and use the same standards to create information in the same form so that we could naturally move from detecting a problem to fixing a problem. So that was the message that I brought out here in 2007. It seemed to go pretty well, brought us a lot of new partners, and it gave us a chance to kind of put the case on the table.

One of the lessons I've learned over this: you know, I must be the most hopelessly naive guy in the room, but everything that I think could be solved in a year always takes three, and I'm just learning now to multiply all my estimates by three. And it's not because people are lazy or don't care. It's because many of these things are really, really complicated. That is, you know, we've got a lot of problems to solve, and they're not conceptually as hard as they are, in our terms, operationally hard. If you're trying to do something on the scale of a DoD, there's just a lot of things that have to go right, everything from money to acquisition to training to technology, and you can't ignore any one of those kinds of things. So that was the message of then.

What would you say, did you take any lessons away from your speech at DEF CON? Were you received positively, negatively? Did they think you were a leper back at work for coming out? Well, it took some convincing, right? Imagine. But number one, the reception at both Black Hat and DEF CON was just overwhelmingly positive. You know, this idea of community and working together, I think people weren't used to hearing that message as directly from the government. On the government side it is complicated also, though. So here's a premise that I have, and I think I know you'd appreciate this, Jeff. I mean, the world that we're living in, right, we're all using the same technology, good guy and bad guy. We're on the same network, good guy and bad guy. Anything like the DoD, any enterprise, is now hopelessly dependent upon all its partners and suppliers, right? They're in your network. They're part of your supply chain. So the world is very deeply connected in a lot of ways. So the lesson for me, that sometimes I have to work to get people to understand, is that there is no boundary to something like the Defense Department, right? There's no network perimeter. There's no boundary. I mean, we have perimeter devices and all that, sure, but the perimeter really doesn't exist in the way we would like to think of it. And so because of all these factors you can't secure the DoD, right?
You can't make it better without everybody getting better. I mean, everyone has to get better, and that's not a bad thing, right? That's exciting and positive. But here's the real test. This is a test of kind of culture and where you come from. At the end of that sentence I would put a comma: everyone has to get better, including the bad guys, right? If you're really going to reshape the industry, have standards for security, improve the content, that's the technology that they're using. When the water rises, even the bad guys' boats rise. So learning to operate, from our perspective in the DoD, in such a complex environment, I think is one of our great strategic challenges. So that's the lesson for me, is kind of how do we think about this differently. There's no neutral ground between us and them, right? We're really all connected in a deep way that is just hard, that I don't think we can extricate ever again. So thanks.

So in about 1997 or so I was with Lou Gerstner, then head of IBM, on a panel. Can you hear me in the back? Okay. On a panel, and he was asking, how do I know if I have an effective information assurance program? And the answer was: walk down the hall, find a random employee, ask them three questions. Would you know if your computer is being screwed with? If yes, would you know who to call to get help? If yes, would you care enough to call? And the point was, unless you can answer yes for all three questions for all your employees, you can spend all the money you want on technology and you're going to fail on the people side. And this has struck me as an area where the government in particular needs to put a lot more emphasis, not just on building the high-tech team of cyber defenders or warriors or whatever, but convincing the entirety of the workforce and the leadership that these are issues for commanders and policy makers and decision makers, not just for the techies, and they have to be part of what permeates our day-to-day operating procedures. So I was really encouraged to see this defense strategy for operating in cyberspace that was rolled out a couple of weeks ago, and I realize there were various critiques of it, but it does include much more emphasis on the entirety of the DoD workforce becoming more aware and more capable in cyberspace, and linking that to R&D. So if there's anything I'm cautiously optimistic about, it's that.

Another thing, though, is that one of the things that's always struck me when I've come to DEF CON is the enormous amount of talent and energy and enthusiasm that's here in this room. And I've never regarded this as a we-they sort of thing, in the sense that I would love to get people here to work more closely with the government. My point has always been, as long as you haven't crossed the line, some line, to felony conduct, we'd love to work with you. And every year people come in and submit resumes, and last year out here the Air Force, I think, was hiring 50 people out of the audience. So I think this has been a change over time. It's the government becoming more recognizable: we don't have all the answers, you guys have a lot of the answers, let's talk and work together on it. So I think the hard perimeter is gone, the higher walls and wider moats, thank you, alligators, the perimeter fences have fallen by the wayside. But this business of people and the emphasis on partnership, I think, is one of the things I've always found valuable here.

Okay, Bob. So, trying to... tough act to follow, huh? Yeah, it really is. I was trying to remember the first time. Well, I think we met at, what, DEF CON 3. No, we met at a PumpCon. Oh, that's right, yeah. Yeah, there you go, and probably in a parking lot somewhere. And I think around '94, '94, '95 I was here, and I had the unique perspective of being the guy at a pretty big ISP who saw what was going on, and I always kind of called it the Wild West, because there really weren't a lot of rules yet. In fact, there weren't even a lot of laws yet to deal with what was going on out there. But at the same time I was always sort of inherently optimistic that it would somehow be okay, and some of that meant there would be new products and new services that would try to help people protect themselves, and that wound up becoming an entire industry sector, but also that people would kind of try to help each other in the process of figuring out how to make all this stuff work together. And I think one of the more interesting things that we had seen back then was that some of the groups that were doing standards work weren't doing it in quite as... have to be diplomatic here... bureaucratic a way as some of the traditional standards bodies. And I remember this one phrase that sort of told me that I was in the right place, which is from the Internet Engineering Task Force. They said, "We reject kings, presidents and voting. We believe in rough consensus and running code." And I thought, wow, I like these guys.
I can work with this. But then I was getting phone calls at four o'clock in the morning when people were being hacked, all the time, and it wasn't... it was sort of newsworthy, but people didn't even know to talk about it. Yeah, it was so weird and unusual, it wasn't newsworthy yet. But as time went on I realized that, you know, the internet is not a good place or a bad place. It's like the street. Good things, wonderful, miraculous things happen on the street. People save each other's lives, people meet and get married. Wonderful things happen. But there are alleys that are kind of bad, and it doesn't make the whole place bad, it just makes some neighborhoods kind of bad. And that has always sort of informed my perspective, and I've tried really hard not to color it. And I look back now, having spent some time trying to work with some of the folks addressing the government's concerns about some of these things, and then also working in one of the bigger companies that tries to build products for that, and I realize that it's still pretty much like the street. But the good news is the citizenry have gotten more savvy, and I think my optimism has not been misplaced. Some of how we thought we would deal with these things is different than what we expected. In fact, I don't think when I started I would have ever expected the folks at Fort Meade to be producing really good, readable guidance about how to do things like configure commodity operating systems that you can buy off the shelf, and I thought that that was awesome, but I tell you, I never would have predicted that.

So I look back and I think that if you look at the history of this conference and its sister conference, part of why things have been manageable, and part of why things have continued to... it's bad out there sometimes, but we get better even if some of the individual problems get worse, is because we've created environments where people can talk to each other. And I remember DEF CONs where there were no feds that admitted to being feds until someone pointed them out in the crowd. And yeah, you could probably count the total number on one hand. Well, the very first fed that I spotted, I didn't spot; he came up and revealed himself at the end of the first DEF CON, and he said, "Yeah, I'm from the Secret Service and I just wanted to say hi." And he wanted to say hi, you know, Sunday evening after everybody was gone. But see, I had invited the Secret Service, and they were saying, "No, we can't comment, we can't be there officially. That sounds like policy and we're enforcement. And so if you want somebody to show up officially, just talk to the administration, not us." But they still sent somebody, and that gave me the idea for Spot the Fed, actually. It's like, okay, so if you are going to show up, we're going to make it a little bit more fun.

Okay, so we kind of know their perspective, where they're coming from. So I want to open up to the audience and see if anybody here has any questions. You want them to look forward, backwards, point fingers, whatever you'd like. So there's a microphone right here, all you've got to do is come up to it and say who you are, where you're coming from, what you want. So take it away.

Hi, my name is Powercycle. I've worked for two of the biggest DoD defense companies in the US. I've stopped more than like 500 different attacks, and what I want to ask about is cyber war. Oh, can you speak just a little bit better into the mic?
Yeah, it's down a little. Okay. What I want to ask about is the term cyber war, and in past DEF CONs the term has been actively in the titles, and it doesn't seem to be in the titles now, which I'm happy about, specifically because, first off, the term cyber is kind of a punchline and a joke in this community, and I can see how, you know, outside, to the press and everything, we use the word cyber and it doesn't really hurt anybody. But when you start to talk about war and it's paired with a joke, I think it's really detrimental to the United States. So what I wanted to ask you is, what's the difference between espionage and cyber war, and do you think that by continually using the word war in releases from the military, from the NSA, from the President or from anybody in the government, do you think that leads us down the wrong path, where you're not stopping thievery and bullying, by using military might and then just in the end crushing American freedom and not really even solving the problem?

Okay, so a pretty broad question, but Linton will start off. Well, I think if you look at the statements that Deputy Secretary Lynn and General Cartwright made in the rollout on July 14th of the cyber strategy, they went way out of their way to avoid the discussion of war and to caution people against using words like cyber attack when there's no distinction between somebody being pinged or whether you've actually been planting malicious code or whatever. So I think they were trying to walk back from the characterization. I wouldn't count DoD as being the principal proponent of the term cyber war. In fact, I think there's a discussion that basically says espionage, whether in cyberspace or anywhere else, has been going on among the states for a long time, and let's take that off the table as a distinct issue. The question here is at what point the consequences of some kind of an attack mounted through cyber means, you know, lead to loss of life, destruction, whatever, that becomes serious enough to be considered. But the generic sort of easy flow of cyber war is not something DoD is using at all. A lot of people are using it about DoD, but I don't think you're finding that from the official spokespeople.

Didn't the release basically have the United States say that a cyber attack on the United States would be retaliated against? I think they were very ambiguous. They were consciously ambiguous in the response specifics, because one of the things one tries to do, from a deterrence point of view, is to impose an uncertainty in the mind of those who may wish you harm. And in addition, the act of declaring war is a very complicated activity in the United States. You have all sorts of different people to get involved, and you're not just going to go in and say, ah, this is it, we're going to do it. You've got all the attribution... This is what we did in Tunisia. But isn't that what we're doing in Libya? I mean... So it was just staying in cyberspace, right? I'm not going to get into a big discussion about US policy. I'm just saying that in this case they were very clear in the discussions on July 14th about not being explicit in their red lines as to what would constitute various acts, but also to reserve the right to respond through a wide variety of means if the level of damage warranted. So it's sort of like, let's say you attack the United States with, I don't know, a biological weapon. That doesn't mean we can only respond with biological weapons. We don't have any. Right, but that's a physical attack where people actually get hurt, in the sense of... stealing a bunch of data from a corporation or from a government department, right, there's no actual...

Well, when you started your question on the cyber war versus the terminology and the definition, I think that's what we'll stick with, otherwise the conversation will explode. But from my perspective, and I'm not really a panelist so I'll just be short, it's that for me the language informs decisions, and if the language is war-like language it sort of leads you down, mentally, a war-like path. And that's why I find it interesting that the language that people who write about the DoD and the military use always tends to stick the word war in there, but when people write about sort of civilians and companies being attacked, it's always like cyber thugs and cyber criminals and organized crime, because they're taking a law enforcement mentality. And the law enforcement mentality always is sort of like block watches and community watch and ground-up and, you know, watch out for your neighbor and lock your doors, and the military mentality is much more, you know, very command and control. So I think you're seeing that the people who write about both areas are now having to somehow reconcile that, and it's interesting to listen to the vocabulary, because it is changing. There's a reason why you don't see a lot of talks that say cyber war at DEF CON anymore, because everybody realizes that's kind of nonsensical and they're starting to sound dumb if they put that in their titles. So I'll let Tony respond and then we'll move on to the next question. Thank you.

Thanks. Just a word or two to echo Dr. Wells. I mean, these... and I don't think you'll see that kind of language come... You know, the word war has a particular meaning in the Defense Department. Yeah, that leads us to places that, you know, no one's going right now.
I will say, I'll just comment briefly on your use of the word cyber, though. You made a comment about that. I was in a room full of defense contractors, and I said, okay, raise your hand if you have a gigantic room full of fancy screens and blinking lights and the phrase cyber is somewhere in the name of that room. And all the hands go up. And I said, and then how many of you, a year ago, that room had the name IO, or information operations, in the title instead of cyber? And most of the hands stay up. And I said, and then two years before that, how many had that same room but the phrase computer network operations was in the title instead? And sheepish hands are still kind of hanging around. You know, people kind of gravitate to the buzzword of the day because that drives attention, funding, and so forth, and it is overused. There's no question about that.

Do you want to say something? Yeah, just real quick, and I have no affiliation with these guys, but I recently discovered a site called something like "if I use the prefix cyber, will it make me look like an idiot" dot com, and there's this great sort of expert-system decision tree, and it's like, are you trying to get money from this particular type of customer? And it walks you through these decisions and it gives you kind of probability ratings of how much of an idiot you'll sound like if you use it. And one of the qualifying questions way down in there is, are you preparing a presentation for the US government? So you're not alone. They're also consistent, because they use the site, right?

So just to amplify that one more time, we had a conference on cyber something in DoD, about 150 people in the room, and my question was, right, how many of you are under 35? It's like seven hands go up. And so the question was, okay, you know, what question should we be asking here that we're not? And a 20-something-year-old lieutenant got up and said, well, you know, nobody in my generation uses the word cyber. We may be connected, maybe online, maybe LinkedIn or whatever, but cyber is just not a term that's part of our vocabulary. And so if you're building all this great vocabulary on cyberspace and cyber whatever, and a large part of the young people who are operating in it don't really understand what you're talking about, maybe you should give some thought to that. So, and I would just... I think war is not a term DoD will use in this case. Next question.

My name is Joe Norco Anna, and my question is, if you were to give another keynote speech, what would it be? Oh, that's a good one. Another what? If you were to give another keynote speech, what would it be? Yes, sir.

Actually, a talk that I've given recently is my perspective on what I think the future of cyber defense is going to be about. Okay, so I'll just give you the quick summary of it, and the bottom-line conclusion is, I think that the key to success in defending ourselves in this mythical cyberspace is solving what I call the massive information management problem. So here's a quick summary of the talk. We happen to be at a state where the vast majority of problems that plague us today, that cost us money, that bring our systems down... here's the sad news for the defense, right, you all know this: the vast, vast majority of those problems are known problems with known solutions. And that's a pretty sad indictment of our community, frankly. Again, it's not an indictment that people are lazy or don't care. It tells you how operationally challenging this problem is, right?
So going from having a tool to solving a problem can be night and day. But my observation over 30 years of this is, you know, the knowledge that we need to defend ourselves, predict the next attack, minimize the next one, etc., is already out there somewhere. It's just not in the right spot at the right time in the right form. And so there's a whole talk that I give, it's kind of around: how do we organize the way we collect, store, move, query for information that would allow us to understand what the real problem is that we're trying to solve? And we've thought of this too much, I think, as a technology problem: if you just buy the right thing, then we would be able to defend ourselves, and that's just not going to happen. And it turns out, you know, the term that's used in the intelligence business is, how can I look over the horizon? Right, how can I see what's coming? And I only know two ways to look over the horizon. One is to have friends who happen to live over the horizon and who are both ready, willing and able to communicate with you, right, to share information, and not through meetings and not through email, but through technology, right? We can't move it fast enough by calling our friends to warn them. It's just not going to happen. So you have to have friends that are over the horizon to help you look, and then you have to have an intelligence business, right? You have to be able to look more deeply into what's going on outside of your own boundaries and be able to understand. And we have to remember that bad guys are just like us, they're just bad. That is, their tools don't appear out of thin air, right? They have to conceptualize them, design them, build them, test them, equip them and all this kind of stuff. And if you can't sort of get in the cycle of understanding that, then you'll never be able to defend yourself. So the bottom-line premise for me, and I've given this talk a couple of times, so I'm cheating a little bit on your answer, but if I had another keynote I'd come back to talk about kind of what I think we need to do around the sort of massive management of information. We have massive amounts that are just not available in the right form in the right place at the right time, but I think we could manage 95% of this problem with that. Thank you.

I think I would talk about mission assurance in a time of exponential change, taking into account the behavior of real people. You know, I originally started off focusing on information assurance, but in point of fact you need to be able to accomplish the mission irrespective of the level of attack you're under. And my own background is Navy, and you never design a ship with the expectation that the water is not going to get inside the hull. So I think we should expect that the kind of systems we're using are going to be compromised in some sense, and not maintain this ideal objective of a firm perimeter. And so a hack is not going to cause you to be operating at a hundred percent one day and then zero the next. It's going to be some kind of a degradation which is going to come back over time. So the goal should be to minimize the depth and the width of that bathtub, and then again to be able to accomplish whatever plan B, C, D you need to get the mission done.

But the point about taking into account real people: you know, one of the things Deputy Secretary Lynn talked about in his Foreign Affairs article last fall was declassifying the whole Buckshot Yankee business with the thumb drives. I mean, that was essentially a case where people were charged with getting the job done and said, fine, the security is too onerous for me to get the job done, and went around it and got bitten. How do you find a way to balance things so that people can?

And then the technological change. If you take a 15-year horizon and you believe Moore's law at 18 months, so 18 months is one doubling, then at 15 years it's 10 doublings. 2 to the 10th is 1024. That's a hundred thousand percent change in computing capacity per unit of cost in 15 years. Linear projections are just not going to work. And getting to your person living over the horizon, we just need to be thinking more in terms of that. Anything to say, Bob, or do you want to just move on to the next question?
I'll just say, for me the big message that I would probably come out with, and I'm saying this particularly in the context of interacting with the United States government in all its many forms, is that change is possible. You know, it sounds kind of simple, but I was a part of this grand experiment to try to figure out how to get early access to early-stage technology for a part of the government that felt like they didn't have that the way they did 20 years before, say in the '70s. And you could argue that some of it kind of worked. So I have to do this as a show of hands: how many people here have used Google Earth? Okay, so when I was at this experimental thing called In-Q-Tel making venture capital investments, we were faced with this problem: how do you take high-resolution imagery, send it over low-speed connections, and render it on commodity computing hardware? Because your alternative is a guy with a mainframe in a basement in an air-conditioned building printing out maps, who's nowhere near the guys who need the maps. And I looked at probably five different technology approaches to this, and we found this little company that, admittedly, ironically, had named itself Keyhole, that had only been used by realtors in California to show houses. And we made an investment.
I think it may have been their first round of investment, and eventually Google bought them, and that's called Google Earth. So don't think that things the government is doing to solve hard problems that it has may not also directly address hard problems that we all have. And so one of the messages I had to take to them was: your problems are not that special sometimes, and if you persist in believing they're special, you're going to get solutions that are only good for you, which means they're going to be expensive and you're going to be the only customer, and that kind of thing. And the message I took to everybody else was: they're not that weird, and the things that will help you will help them too. And I would argue that at least a little bit of change happened there, and there have been a couple of other examples, too. So I would say "change is possible" would be the next keynote.

Just to reinforce that point: yesterday and the day before I was over at Camp Roberts in central California, where we do quarterly field experiments around geospatial information, and of the whole two days that I was there, one of the tracks was spent on a discussion with the National Geospatial-Intelligence Agency about how to get imagery released to people who need it in time. And this was a hundred questions about, well, what about how would the companies who sell us the imagery at very preferential rates feel about the downstream use of vector products that may have been released to somebody in a disaster for 30 days, and then afterwards it gets sold, and things like that. And the whole point at the end of that was we actually got a whole batch of like 30 different lawyers to agree.

Astonishing.

We need to lock them in a trailer in the desert and open the door to let them come out. But anyway, this was a way forward so that more and better product could be released more quickly to the public. So I agree with him: change is possible.
It often appears to be slow, but if you go back and look to 2000, there has been an enormous amount of change.

Next. Thank you. Next question.

Hey there, I'm CZ. Oh, been down a bit. My name is CZ and I've got a question for you about threat profiles and how they've been changing recently. I've kind of been around the block, and you know, we've dealt with the standard amateurs, professionals, nation-states, that sort of thing, giving us trouble. And as of late we've seen a new thing come out, which one might call position-based, i.e., I don't like your position, therefore, you know... It used to just be "I'm going to randomly plug you," but now it seems to be moving into "I'm going to raise a million dollars on, you know, whatever, and then fund some real attacks against you." So what do you see in the future as the impact of money on these sorts of threats? As more money pops in, you know, where do things go?

Sort of like crowdsourcing?

Enough nickels and dimes to get a war chest. Yeah, "here's five dollars," you know, get everybody here to give me five dollars and I've got a lot of money. So how does that start changing the threat profile from the standard one that I've been dealing with for the past 15 years?

Good question. Well, I'll take a stab at it. I'll put my former Symantec guy hat on. We actually did a study for a year when I was there looking at the underground economy and actually quantifying, in some cases, the value of inventory that some of these people had and were trying to sell, and that kind of thing. There are viable markets and they scale really nicely, which is perhaps not a good thing for us, but it gives you food for thought. You know, I think that there have been pecuniary motivations for malicious software and computer intrusions for a really long time. It's really important to remember the Pakistani Brain virus, which many in this room will not remember, and I don't remember what year. What was that? Like '87 or something?
Well, I think Mikko Hyppönen just did a talk on the 25th anniversary of the first virus. It was basically these guys who ran a computer repair shop in Pakistan who wanted to drive business to themselves, so they wrote this virus. So you can argue that in some ways the monetary motivation has really not changed; it's just scaled up. At the same time there have been defacements and message-oriented digital denial-of-service sit-ins, against the WTO, right, for a really long time as well. I mean, we were seeing some of that when I was at UUNET in the early '90s; there were people starting to do some of those things. So I think the difference really is just that it's like any other industry that matures. You know, you can look at the history of any industry, look at the history of air travel, right? It matures. There are sketchy aspects to it along the way, both in terms of who's providing services and in terms of who's using services. And I think that this is, well, I guess from my perspective it's like the street. We don't think much when we see graffiti on the street. I mean, I don't know about most people here, but I see it and it's like a fact of life, and I'm not saying these things are good. But I think at some level we still notice these because they are still arguably new to us. I'm not sure that at some level these things won't be noise going forward into the future; we'll just accept them. Hopefully our systems will be built with some minimum level of robustness in the face of them. But in that respect, I'm not sure it's changed that much.

We'll move on unless anybody else has a comment. We've got only about five or ten minutes left for questions; I want to get through the remaining folks here. So Linton, do you have any comments on the last question?

No, no, go to the next one.
Okay. So I think we've all seen a sort of degradation of privacy over time, and obviously the technology has changed, and technology keeps changing faster and faster. But I was wondering if you each see a possibility of having a world where we still have free privacy and security at the same time, or if it's one or the other and we're just, you know, going from having a lot of privacy to having none. Thank you.

It seems to me that one of the privacy questions, and I've got to tread very carefully on this as a govvie because clearly we are committed to a whole variety of laws and ethics around privacy, but the concern to me in privacy is the extent to which we're giving it away in the interest of commercial gain. I mean, it's convenient. So we share our locations via our cell phones with all sorts of companies, and this location-based service information is marketed to a store, to know that, you know, on the third floor in the men's department at 10 o'clock in the morning there are on average 3.4 customers who've driven six miles to get there and stay for 13 minutes, but if I offer a 20% sale I'll get six. I mean, all that stuff is out there and we don't seem to be caring about the privacy ramifications of what chickens could come home to roost with that. So, you know, from my standpoint in the government we will defend very vigilantly the sets of laws and rules we're under; I just worry in the broader societal context about how much this is being undercut by what's happening in voluntarily giving away information.

Yeah, but I don't have much to add.
I mean, whatever you think of the National Security Agency, you know, folks like me don't stay there because we don't like the Constitution and don't care about laws. You know, we really do, and if you want to hear heated debates about such topics, you know, get inside our borders sometime. But the challenge is this: the short-term incentive that people have, you know, to get a sale price or whatever. You know, when you give information away, you sort of give it away forever, right? And the long-term implications are the really frightening part of this, which is you can't pull it back. And you know, I've got three kids; I want them to grow up in a world where they feel safe and, you know, they have some sense of control over their information. And in a lot of ways we are giving away control of information at massive scale. So I'm not sure where the, you know... These are questions for big, big thinkers about the sociology of the future to talk about. But, you know, clearly there are things that we need to do on the technical part of this, right, so that there's a certain level of due care about the handling of information by machines that clearly doesn't exist today, right? And so, you know, the previous question about hacktivism and political interests: people that have no business having access to information today can do that and cause long-term implications for you as an individual, and we, at least on the technical side, have got to find ways to manage that much better. But it's just not so trivial to give it away and lose control of it forever. Thank you.

Okay, I think these will be the two last questions here.

My question might actually be for the Department of Education, but I thought I'd ask these guys too. Basically, back in the day there used to be things like home ec and driver's ed and things like that that you had to do in high school. Is there any push to get things like cyber?
I mean, not "cyber": security, information security, or information assurance, into the curriculum in schools, so that we actually educate the population?

Well, certainly in the STEM education programs there are a number of efforts out there. You know, you've got DEF CON Kids here, aimed at 8- to 16-year-olds. So I think there are, but I'm not sure it's anything more than hit-and-miss, unless somebody in particular is interested in doing this. I mean, NSA has a very, the nation has a very robust training project for cyber security. I don't know if that really gets to your question about how do I raise a responsible digital citizen through our normal education processes.

Well, there's the NSA Centers of... Yeah, I'll mention that. We co-sponsor with DHS a program called the Centers of Academic Excellence in Information Assurance. Sorry, I don't know the numbers, but there's a hundred-plus schools that are involved with that. We review curriculum and, you know, they qualify or not under that program. That started, I think, over 10 years ago. The concern there was both the general education but also increasing the pool of people that can work in this business. Now there's a lot of recognition nationally that the pool of practitioners is just not big enough, right, for the DOD, for private industry, for everybody. And so we need both practitioners and also general understanding. So there's a number of activities that we're involved with, and other parts of government too, to look at this. There's a number of private sector organizations that have popped up, you know. And the common wisdom is the pool is several multiples smaller than it needs to be. If we can't increase that pool, then we stay at what I would call the cannibalization stage, right, where we're filling our needs by hiring them from the other guy, not by bringing new people into the pool. So we really have to get over that nationally, find a way to increase the number of folks. And we've invested pretty heavily from NSA, with other partners across government, but you know, that's been a big success for us. In fact, it turns out, again, I don't know the exact numbers, but I believe most of our hiring of people directly out of school, as opposed to transfers from the military or whatever, most of our hiring is now from those centers, centers whose curriculum we've worked with them on.

Yeah, I actually attended one.

Oh, yeah. Oh, very good.

I think you can also see DHS trying to struggle with messaging with their Stop.Think.Connect. program. So, you know, it's entering the consciousness of education and awareness training. And I'm not sure there's... what are those, the Collegiate Cyber Defense Competition, the CCDC, the cyber challenge for universities to compete, as an incentive to give these guys an outlet, you know, a legitimate outlet to compete in attacking. So I think the education system is a factor, and they're trying a bunch of stuff, sort of in that laboratory phase, I would say.

Okay.

My wife and I were watching the Discovery, I think it was the Discovery Channel. We watched, there was a show talking about this poor community in some part of the world, and they had figured out a novel way to do fishing: they would use kites, and then they would send the kite out and they would drop the bait from the kites, and then they would catch the fish. And to me that sort of is the essence of hacking: using something in a way that it wasn't intended to be used, and in this case they were using it to improve their lives. Is there anything that you guys, from your experience or from your insight, can see? You know, are there any technologies that you guys can see, simple technologies, that can be sort of quote-unquote hacked to improve our lives? We talk a lot about information security and people trying to break into things, but what about breaking things to make things? That would be like, maybe, I don't know, taking a product that does one thing and making it do another, and that other thing happens to be really useful.

Yeah, you mean, there are great stories about people hacking bicycles in Africa to turn them into knife-grinding, scissors-sharpening, and generators you pedal to charge people's phones, and things like that. So I think the whole issue of hacking equipment is really interesting. To me, in this case, one of the explosive innovation areas that we're going to see is three-dimensional printing.

Mm-hmm.

Yeah, I just don't think I've begun, certainly until the last couple of weeks, to realize the potential implications this has, not only for what you can make that you intended to, but in this idea of hacking it for unintended uses. Yeah, the three-dimensional printing stuff's amazing.

Yes, yes, we hear you.

All right, so with that I'd like to get a round of applause for the audience. I'm from the audience, and, are you guys going to be in the Q&A room for a little bit to see if there's any interest? So there's a Q&A room, of course, following each session; speakers will be there for a little bit in case there are any questions. You can follow us... I've got to go do something, but you can follow the speakers and ask more one-on-one type questions with them if you'd like. It's down the hall, second-to-last room on the right, or you can just follow the speakers. So again, thank you very much, and I'll see you around at the con. Have a good adventure here this weekend.