Are you ready? We're live. Go play Spot the Fed around here. I'm not a Fed anymore. I'm out. My name's Shawn Henry, and I just recently retired from the FBI just a few months ago, back at the end of March. And in my most recent position in the FBI as Executive Assistant Director, I had the honor and the privilege of leading the Critical Incident Response Group, of which the hostage rescue team, or HRT, is a part. And when I decided to put this presentation together when I was asked to come in, I wanted to do something that I could use my experiences in the FBI and kind of convert those to what we're doing now in cybersecurity in terms of the threats that we're facing, the complexity of the issues, some of the policy issues, and some of the technical issues and the like. And how could I take what I've done in 24 years in the bureau and apply that here to this space? And I thought that using the HRT just as kind of a quick hook to get into this was a good start, because I think there are a lot of similarities. One of the things I learned in the bureau is there are more similarities between the physical world and the cyber world than many people think. And I think if we apply some of those concepts, we can be much more effective in this space. The hostage rescue team, for example, is the best trained, the best equipped, the most elite civilian tactical team anywhere in the world. And I think that with some of the threats that we're facing and some of the folks that I know that are here, some of the threats and the issues that you're facing, that you all continue to need the best tools, the best training, to be the best equipped so that you too continue to be the most elite because some of the threats that we're facing and the adversaries that we're facing, who they are and what they're doing to us on a regular basis. And I think that the HRT is a good symbol of that. They train all the time. 
And I know that what's been happening here in Vegas for this last week and over into the weekend has a lot to do with training. How do we make ourselves better? Because you play the way you practice. I learned that early on when I was on a tactical team in my career about 20 years ago when we had these flash bangs, we were going into a hotel. It was a training exercise. And you have a guy that lines up on the door and they do this countdown to go in and execute an arrest or an exfiltration of hostages. You wanna save these hostages and they're supposed to breach the door and they throw in this flash bang, a concussion grenade that goes off really loud, bright light, completely disorients you. And I had just gotten onto this team and I was the first guy up on the door waiting for that countdown in my ear. And I went in on one and did not heed the advice of waiting for the flash bang to go in first before you breach the door. When I got in there and I heard clink, clink, clink and I looked down. When at the time there was a violent explosion which disoriented me completely. And I can tell you, I never made that mistake again. So you play the way you practice. You train, you work, you get ready to meet your adversary. I think in this space, there's a lot that can happen in the private sector that we can do to train and prepare for when we meet the adversary in terms of tabletop exercises. I know many organizations have standard operating procedures. And I know in a lot of the organizations I've worked with, those things tend to sit on a shelf and they're not always exercised. And people, it's not until a real crisis emerges when people start asking questions. You know, what are we supposed to do? Who's in charge of this? How do we move this data? What do we do here? And if you can actually train and practice and do that, you're gonna be much better off when you face the real crisis. So in the FBI, we've been battling spies, terrorists, criminals for over 100 years. 
And let me first off say, I do not profess to say at all that the FBI has all the answers. The FBI has made lots of mistakes over the 100 years and they'll continue to make mistakes into the future. And I fully accept that and recognize that I've made mistakes in my life as most of us have. But again, I think that there are some capabilities we can talk about that will provide an opportunity to learn. After September 11th, the FBI made some pretty big changes to adapt to the physical world of terrorists. We had to change from being very reactive to being more proactive. And a lot of those techniques that were utilized to fight terrorist organizations, I took and applied to my program, which was computer intrusions. Primarily from foreign state-sponsored organizations. Applied those techniques to the cyberspace on the law enforcement side. But I think that in the commercial space we can actually take a lot of those techniques and apply them here in this commercial space now. In the private sector, we can take the same techniques and some of the same tactics and apply them. So let me just talk quickly about the threat because I know that a lot of you folks have been victims, maybe even actors. People have been involved in intrusions into major organizations. I believe based on everything that I've seen in my time primarily in the last five years where I was working in the government and cyber policy and strategy, that computer network exploitation and computer network attack is the most significant threat that we face. And when I say we, I don't necessarily mean the United States of America. I mean civilized world. Other than a weapon of mass destruction, a nuclear device going off in a major city or some biomedical device that's deployed that kills hundreds of thousands or millions of people. I think that CNE and CNA is the most significant threat that we face. 
Everything that organizations have is maintained on their networks and it's either stored there, it's transmitted there, it's resident there, all of the IPR, all of the research and development, all of the corporate strategies, corporate communications and the like. And it's the very DNA of companies and it is all being targeted. I have said previously, I talk about the aggregate of the threat as an iceberg and that the vast majority of people are familiar with the tip of the iceberg. If you think of an iceberg in 3D, we know that that small percentage, 10 or 15% is above the water line and below the water line is that big behemoth of ice. The water line is the line of demarcation between what's unclassified and people get to hear about in the media and what's classified and what people don't typically hear about. Although there's been some more chatter about that. And what people hear about in the unclassified environment is theft of PII, personally identifiable information, somebody lost $1,500 from their bank account, website defacements, credit cards lost, 50,000 student user names and passwords were stolen. That's what people hear about. What they don't hear about is what's below that water line. And that to me is where when I talk about CNE and CNA being the most significant threat, that's the real danger for me. Because I've seen below that water line for a long time in the classified environment, intelligence that's been collected, working with international partners, working with members in the private sector who don't want to talk publicly but will talk confidentially about what they've seen, what they've suffered. And I know how difficult that is for people because I've heard people who say, hey, the government says they've got all this classified stuff and they don't wanna present it. I recognize what a challenge that is. 
And I think that we need to do more to reveal that and let people really understand the full scope and see the totality of that iceberg. Because I think if people really understood what that risk is, I think that they would be much more receptive to security. They'd be much more understanding of the needs of the security people that are responsible for making sure those networks are safe and they're not. I still talk to CEOs and boards of directors and corporate executives who say, why am I a threat? I don't see that I'm targeted, I don't understand why somebody would want our information. And they don't recognize that, not only do they want their information, if they don't necessarily want the information, they're using their infrastructure for something else, for some other nefarious purpose. And so there's still an awful lot of doubt in the private sector. I've seen companies that have had substantial breaches and actually gone out of business so that the very essence of that organization was taken and they couldn't function. So one example that I've used that I think resonates with people is a company that was involved in doing short-term lending. They suffered an attack over the weekend. On Friday they were in business, they lost $5 million literally out of their accounts and on Monday they were out of business. So a small example, but I've seen much greater examples than that in the classified environment. And it is really broad and deep. So talk about the adversary really quickly. I see cyber as the great equalizer and that anybody with a $500 laptop and an internet connection has the ability to target anybody else, anywhere in the world. 2.3 billion people, according to a couple of studies, have access to the network and have the ability to attack any government, any company, any organization, any person, anywhere in the world. So the pool of subjects is pretty significant and the barrier to entry is very, very low. 
I've seen a lot of organized crime groups, primarily operating out of Eastern Europe, but around the world who are collaborating online, who've never met each other in person, who are looking to target not just financial services sector, but really the types of information that impact everybody, health records, for example. Targeting people's most personal information and really threatening through release, through denial of service attacks to decline or deny access to those records. We've had a couple of cases in the bureau where data was encrypted, health care records, and people could not get to their health care records. So poor opsec on the administrator that they didn't have backups, that was bad. But the fact that people didn't have access to their health records, to their prescription information and those sorts of things was pretty significant. These groups are becoming much more sophisticated. They're able to defeat multi-factor authentication and they've stolen literally hundreds of millions of dollars just in the last year or two in the US financial services sector. And around the world in some of the conversations I've had with these multinational banks and multinational financial organizations, pretty substantial to them. I've also seen threats, legitimate threats by terrorist organizations who want to impact the civilized world for whatever reason, whether it be jihadi influence or sympathizing for that cause. They want to impact Western society and they're absolutely calling online for people to take cyber up as a weapon and to use it as a tool to impact Western society. And again, going back to that low barrier of entry where for 500 bucks, cheap laptop and internet connection, you can actually attack your oppressor, the group that you feel oppressed by. 
I'm concerned about and I've seen an increase in threats to industrial control systems where these organizations who have used kinetic attack, kinetic weapons for years to try and impact society are looking at cyber as that weapon whether it be the power grid or the water system, those sorts of things. But the very critical infrastructure that we rely on to survive day in and day out. There are people who say that's not a threat because they don't have the capability. They're talking about it but they don't really have the capability. But there are organizations and there are people now who are quietly marketing their capabilities, their skills and they're looking to give them out to the highest bidder or to loan them or lease them out to the highest bidder. And the fact that somebody might not have the capability but they've got the intent today, I don't think makes them less of a threat. I think it's something that you have to be considered of. The other group I think that I've seen a lot of is the lone wolf where we have people who have been disgruntled employees or individuals that are working on behalf of themselves who have gone in and shut down organizations. Corrupted data because they weren't happy with their organization and that has certainly been a continued increase as well. And the final group is foreign intelligence services. There are dozens of foreign intelligence services, of foreign governments who have offensive electronic espionage capabilities and have absolutely implemented programs actively to collect against businesses to steal their proprietary data. It's like playing poker with a marked deck. Organizations, companies that have sat down to negotiate and an adversary opponent sitting down across from them has the plans to the negotiation strategy. They've got it in advance and we've seen that as well. 
We had a company just about a year and a half ago who lost somebody in the defense industry who lost $1 billion worth of research and development. They had 10 years worth of R&D in place and it was worth $1 billion, literally over just a couple of days. And of course it's not just the confidentiality of the data that's at risk because the integrity of the data is at risk and we've seen data that's been changed and altered and denial of service attacks where data is just not available at all. Defense in depth is absolutely key. I agree 100% that we have to have a more aggressive and a continued defense. But the reality of it is in everything that I've seen, the adversary's capabilities are such right now that the adversary is able to jump over the fence. So building a better firewall or building a better IDS, building a better IPS is not always the answer. We have to continue to do it. We continue to lock our doors at night but that's not the only answer. We've got to, in my opinion, I think we've got to be much more efficient and effective in using other capabilities. There's a movement to push data continually and to share it, which I understand. Companies want to use the technology that they've invested in. But I think that there's some type of data that's sensitive enough that companies got to be more restrictive. And if they're not more restrictive or they don't practice some type of compartmentation on their network, they're going to continue to suffer significant losses. I don't think that the private sector has focused enough on the threat. So I think that we've been very good focusing on the exploits and looking at the vulnerabilities. But that's, in my opinion, I think that's one piece of this. And I think it goes much more beyond that. And I think that we have to begin to focus on the threat itself. So there's the classic risk model that says that risk that you suffer is threat times vulnerability times consequences. 
There's three pieces to the risk that you face in anything. What's the threat that you face? What are the vulnerabilities to that threat? And what are the consequences if those vulnerabilities are exploited? And if you can reduce any one of those to zero, then you're going to be safe and secure. But I don't believe that we have the ability, using defense in depth to eliminate that and bring it down to zero. I don't think it's possible. The offense is much greater than the defense. And we've seen time and time again that really capable people are able to defeat the defenses that are in place. So I think that we've got to change this and make it a little more difficult for the adversary. In the physical world, if you were to use a physical example, and again, going back to the FBI and some of the things that I've been involved in, we require people to secure their own property, lock your doors at night, be careful when you're getting involved in some financial transaction, be aware of what you're doing. We ask people in the physical world to do that and law enforcement, whether it be the FBI or local police department will respond if you've been victimized. That's the standard course here. But that doesn't always work in this space. And what the FBI tried to do from a cyber perspective is to be more proactive in this space and identifying who that threat actor is and how do we mitigate that threat. I think that we need to do that here. You cannot make, again, physical world, cyber world. You can't make every mall, every university, everybody's home, everybody's place of business safe. You can't secure them all. We couldn't live in a society like that. I don't think anybody wants to live in a society where everything is so constricted that the physical space is safe. So because we can't do that, we've got to hunt for the adversary. Who's the adversary that's gonna walk into a school or a mall? How do you do that? 
How do you find the adversary and mitigate that threat so that you don't have to lock down every single physical component in our society? There needs to be a paradigm shift in how we do these things. In the FBI, we moved from a domestic law enforcement agency to a national security agency. And we moved from traditional law enforcement to Intel, Intel organization, to change the way that we do things. The old performance measures in information security have been how do we prevent an adversary from getting on the network? And I believe that you can't prevent an adversary from getting on the network in most cases and that you have to assume the adversary's there. And that the current metric needs to be how much time is it between when the adversary makes access to my network until we identify and discover them and can mitigate the threat? And can we shorten that delta? How do we do that? We know in the physical world, we're not gonna prevent every attack. We can share intelligence, we can share information that helps others prevent these attacks. How do we reduce that delta down to zero? I think that in everything we do in a security perspective, intelligence is the key component. So the first piece, strategy, identifying what the needs are. What do you need to make your organization safer? How do you do that? In a, it doesn't matter if you're going in the physical world against criminal organizations or terrorists or the like, having a better understanding of who the adversary is is gonna make you much, much better. The intelligence model in cyber is visibility into the network. How do you have better visibility into what's happening on your network? How do you get better granularity into what's happening on your network? We had an organization that shared intelligence across multiple organizations so that agencies could leverage the capability of others. 
Agencies that didn't have access to certain pieces of intelligence were able to share them with others to give them a much greater granularity and visibility into their network. By doing that, it gives you an opportunity to better understand who the adversary is and which enables a much more strategic response. So when you collect intelligence, you analyze it, you get a better understanding of who's who on that network. You can actually execute against that adversary. You're in a much stronger position as a defender, as a network defender, to take an action against the adversary that makes your network safer. So in the physical world, as an example, let's assume I had information that I found somewhere that there was going to be a person that was gonna bomb a warehouse, terrorists gonna bomb a warehouse. And we put that information out to all manufacturing organizations that someone's gonna bomb a warehouse. That might raise the awareness and that might cause some people to be a little more attentive. They might put an extra security guard on duty. But that information isn't all that valuable. Someone's gonna attack your place. But what if I had information or intelligence that we collected through different sources talking to other people who might have been attacked previously, information on an anonymous source. Somebody had information that there was gonna be attacked and it said, there's somebody who's gonna bomb a warehouse and it's a woman between 28 and 30 years old and she's got shoulder length black hair. She's got a tattoo on her left wrist. She wears a red dress regularly and the attack is gonna occur on a Tuesday in September and it's gonna be against an auto manufacturing plant, an auto warehouse. That's a lot more information that allows me to be much more strategic as a defender looking for a terrorist. I can be much more strategic. I've got a lot more information that I can action. I've got a lot more questions now that I can start asking. 
I've got a lot more questions I can start asking which is that cycle in that intelligence cycle. I can execute and I go back and start how do I change my strategy? I have to collect more information. What group does this person work for? Do we know? Yeah, we do. We know that this particular woman is sympathetic to a group that is concerned about the carbon footprint and that's why they're going after this auto manufacturing plant. So by having that type of information, it allows us in the physical world to be more strategic but I think that we can do the same thing in the cyber world. In the government, we've got very limited resources and I know you all and the organizations that you work in have limited resources which means we've gotta prioritize what we're defending against. You can't defend against everything. You've gotta be strategic in how you allocate your resources because they're limited. We've all got limited resources. By focusing on those threats that we believe are the most specific, then we can hunt for that adversary. One of the things in this physical example that I had provided, think about in a warehouse, you've got a guard sitting at a console booth right at a SOC or operation center and they're watching the screens. But if they knew that somebody was already in the building, they wouldn't be sitting watching the screens, they wouldn't be watching the fences on the screens, they wouldn't be watching the front doors. They'd be walking up and down the hallways, looking in offices with a flashlight, looking at the file cabinet, seeing that there's somebody inside. They'd be patrolling constantly if they knew that somebody had made access to that network in the physical world, they certainly would. Why are we not doing that in the cyber world? We're not always doing that, we're still watching the perimeters. In the digital world, the equivalent is aggressively pursuing the adversary on our own network. 
So again, using some of these indicators that we're able to collect through different sources and I'll talk about those in a bit, looking on our own network, being proactive, looking for changes on the network, looking at who's accessing the network, who's downloading information off of that network, being much more vigilant and attentive to what's happening on the network every day, the changes that are being made. In the physical world, the law enforcement in your community and the Department of Defense are responsible for protecting your safety every day. Police officers are patrolling your neighborhood, looking for bad things. The Department of Defense is looking for ships or planes that are coming, they're looking at radar for missiles that are gonna attack your physical space. In the cyber realm, the Department of Homeland Security is responsible for protecting the dot-gov space. NSA is responsible and they have the authority to protect the dot-mil space. And there's no government agency that's responsible for protecting the dot-com space for a lot of reasons, which I understand, but there's nobody that's protecting it. And I think most people don't actually understand that there's nobody protecting dot-com, there's nobody watching dot-com. So I get it, right? I listened to General Alexander a little while ago and I understand the concerns that people have which are legitimate concerns and people need to be asking questions. But what that does is that requires us in the dot-com space, in the commercial space, to protect it ourselves because it's not happening by the government. The FBI will react and respond if your organization is hacked, if a company's hacked, they'll respond. The FBI certainly doesn't have the resources anywhere near the resources to do it, to meet the demand because of how significant and substantial those attacks are. It requires the private sector to provide the patrolling. 
It requires the private sector to personally be involved in hunting for the adversary because it's not happening by our government. Requires us all to do it. So one of the things I've talked about is us being more proactive. How do we be more proactive on the networks? And I want to be very clear, this is important, that I am absolutely not advocating that organizations hack back against attackers. I'm not advocating that. I worked for a long time in that environment. I don't really want to go to prison. I will if I have to, but I don't want to. So I'm not advocating that, but I think that there's an awful lot that net defenders can do to protect their network from the firewall end. There's a lot of actions and activities that can be taken to help make that network more secure. So whether it be honeypots or whether it be network segmentation, whether it be corrupt packets or misinformation or denial and deception, there are certain things I think that we can do to make the environment much more hostile for the adversary to operate on. Because quite frankly, if you're administering the network, you've got a home field advantage. You own that network, you know that network, you should know it better than your adversary does. And I think that there are actions that can be taken by people that are defending those networks that make it much more difficult for an adversary to operate. If an adversary spends four months and they use two zero days to get onto your network and the packets they pull back, the files they pull back are the complete opposite of the files that they're looking for, that's frustrating, that costs time, that costs money. And it does certainly make it much more difficult for them to operate. We're changing that dynamic a little bit. When I think about HRT, and you saw this with just training exercises that you saw there, but their job is to protect people and to save lives. 
People who've been taken by violent action oftentimes, but people who've been put in harm's way. And I see our data as hostage in a lot of cases where our data has been held hostage. HRT uses speed, surprise, and action to disorient the adversary and to keep them off their game. And I think that we can do the same thing. The lives of corporations, I believe, are at risk. I believe that the lives of corporations and organizations are at risk because of the value of that data to everybody who relies on it. HRT protects what's good and eliminates what's bad. And I think that we can do some of that here on our private networks. When I talk about intelligence and intelligence gained from proactive operations, it can help us predict what's going to happen. When you get enough visibility into what an adversary is doing, and if you can share that intelligence with others in your infrastructure or others that are in your trusted circle, because they've got a completely different visibility, a completely different optic onto what's occurring on their networks. But when you start to look at all this data in the aggregate, you get a much clearer picture of what's happening. And I think that for a long time we have been working very hard to secure our own network, our own piece of the network, and we're missing opportunities where we can be much, much, much safer. So, in the Bureau, one of the things we did was move from reacting to collecting intelligence and trying to make people safer and disseminating intelligence out to the private sector so that they could make themselves safer. There was a time five years ago when the government had, and there still are times when this happens, but when the government had information, but because they didn't want to disrupt an operation that they had, they refused to share it. That has changed where the government has tried to push data out. 
So, from the FBI side, intelligence that was collected on an organized crime group that was stealing money from many banks, we had very, very specific information. It was somewhat sensitive, but it was a particular vulnerability that was being exploited. And we knew that there were a host of banks that were gonna be victimized over the next week. We discovered that information in the course of an investigation. And we shared all that information with the private sector so that they could take proactive action and secure those vulnerabilities before they were exploited. And in fact, they did, and there were multiple attempts over the course of about a week period to exploit those vulnerabilities which had been fixed based solely on intelligence that was shared. So, it allows you to become predictive. And by disrupting them, I think you start to change the game. Once you're predictive, proactive helps you generate information because by being proactive, you're causing the adversary to take actions that they didn't intend to take. They expected to come into this soft shell organization and kind of walk through and maintain access on that network. And because of actions that you're taking, you're moving them off their game. They're taking actions, they're using new tools they might not have expected to use. You're getting better visibility, better clarity into what their capabilities are and what they're able to do. You're starting to see tell-tale signs of who they are, which allows you to start to predict and to start to prevent. So, by understanding the adversary's TTPs, you can take very specific actions like moving data to certain locations. We talked about serving files up, perhaps that an adversary was expecting to get but they get the wrong data. One of the other things that I learned that I think is critical for all of us is the need to operate under the law of the Constitution. 
Civil liberties, privacy, civil rights, which I, first of all, I swore an oath to the Constitution 24 years ago. I believe in the Constitution, I believe in people's rights and I absolutely positively believe in privacy. I believe it's absolutely critical to a civilized society for people to have the right to talk to each other and to talk in private about it and that information should not be shared. So, it's an important consideration, I think, when I'm talking about sharing of intelligence and being proactive, that there absolutely are laws and rules and regulations that must be followed. I listened to General Alexander talk earlier and he talked about privacy and he talked about the oversight that his organization has. From the executive branch, from the judicial branch and from the legislative branch, all three of those agencies or those arms of the government have authority over him monitoring him. I believe that it needs to happen and that we can never let some of these threats and challenges get us off of our basic tenets. I think we've gotta adhere to those because that really is what makes us a civilized society and I don't think we should move from that and I'm adamantly, I mean, I adamantly concur with that. Let me just talk about a couple of quick cases where I think we'll kind of highlight some of the proactive operations, proactive techniques that we were able to utilize that were of value. One of the other things that I've learned in my career and I think that we can apply to the private sector is the absolute need for partnerships. Partnerships, government to government, partnerships, private sector agency to private sector agency, government to private sector, all of us to international because this is not a US problem, this is a worldwide problem. Everybody faces this threat, it's a threat to civilized society. Just a couple of quick examples where proactive operations I think have changed things just a little bit. 
Coreflood was a case where it was a botnet that was stealing PII from, they had about 2 million bots, PII primarily related to financial services transactions. It was an organized crime group and the FBI working with the private sector, Microsoft and a private organization actually, a consortium, went out and was able to show to a court that this organization was clearly a criminal organization and that the botnet was a weapon that was being used to perpetrate this crime. This wasn't a botnet that was being used to share positive information, but it was being used to break into other computers to spread malware to steal data. And the FBI got a civil order to take over those command and control servers and when those bots called in to the C&C, they just told it to stop, just stop running, stop running. And in that particular case, disabled the botnet. It was somewhat controversial, there were a lot of questions about it. At the end of the day, it was done lawfully, it was done in respect of privacy, but clearly it was a weapon that was being used, it was a tool that was being used to perpetrate an organized criminal enterprise. It was somewhat unique, somewhat interesting. Rove Digital, a similar type of a case where this was a botnet of four million bots being operated by an organized group out of Estonia and they had distributed malware that caused these computers, so it wasn't a bot, caused these computers to run through their DNS server. So it was a DNS changer. And working with a private sector organization going to a court through the same type of a procedure where you've got to lay out very clearly, this is not one person in an office saying, hey, let's take over this four million node network. This is a really rigorous process that takes oftentimes months of talking to people about what the liability issues are and what are the legal issues and the privacy issues. It's a huge deliberative process. 
I think it's important to understand how really overwhelming it is sometimes, and I get it. You need to have control, dual control, but the bar is really high to get the authority to do something like this. They changed out the DNS server. So when those computers were running their queries, they went to the legitimate sites, as opposed to the Estonians, which were running all the DNS queries through sites that they had controlled and they were collecting all the ad revenue and they made $14 million off of that scam. And then Microsoft ran their malware removal tool and they were able to clean up those boxes on the backside. So interesting way of taking some action, being proactive, trying to impact the adversary's infrastructure and to change the game just a little bit, not just to continue to allow it to occur. I think that in the private sector, there are opportunities. I think there are ISPs who have looked at, they're aware of boxes that are being used as bots. They're aware of infrastructure that adversaries are using. I think there are some actions that they can take. Many of the ISPs have stepped up and taken more action and I think some other major organizations in the private sector have started to change quite a bit to be more proactive in this area as well. So the threat is constantly increasing. I see it regularly. I don't see it anytime changing, certainly not in my lifetime, I don't see it going away. There's more emerging threats, mobile devices as a new potential threat vector, new segments of society coming online, more people with access, more organizations pushing more data. So I don't see it going away anytime soon and I certainly think we need a paradigm shift in the way things are done. So I was thinking of a quote. I wanted to come up with a quote that would resonate with people and I looked at Sun Tzu first. Everybody refers to Sun Tzu, that Chinese war guy. 
And one of the things he said was if you know yourself, if you don't know yourself and you don't know your enemy, you will be imperiled in every battle. And if you know yourself but you don't know your enemy, you'll win one and you'll lose one. If you know yourself and you know your enemy, you will not be imperiled in a hundred battles. That's interesting, right? We're talking about it's important to know your adversaries, not just defending what's coming at you. Those HRT guys, they don't really care if they're nine millimeters or 45s coming at them. They just wanna know who's shooting and how do I stop them from shooting at me? Know your adversary. So I saw this quote, find out where your enemy is, get at him as soon as you can, strike him as hard as you can and keep moving from another famous Chinese philosopher. So I thought it was an interesting quote. Ulysses S. Grant in the Civil War, talking about the need to strike at your adversary. I truly believe, and again, I heard General Alexander this morning and I'm glad he said what he said about the need for training, about the need for people to become more innovative, to continue to build their skills and capabilities, to continue to raise their game and to try and change the game. We have brilliant people here in this country. We've got people who've innovated and created some unbelievable technology. I think we have to continue to do that. I think we have to continue to work in that collaborative way. I've told guys, men and women that I worked with for a long time about the need for them to stand on the line that separates good and evil in this country and it's not just this country, it's good and evil around the world. It's civility and incivility, that there is a line that separates those people and that they've got to step on that line and when I talk about the line, I think about terrorists primarily. 
That's what I thought about when I was talking to these folks, that there are people who are trying to kill other people, really seriously, harm innocent people. That line is narrow. And when I think about the cyber world, and Jeff Moss asked a question, how do we defend when there's a million battlefields, a million battle fronts? It's not just agents and military and intelligence people that are standing on that line. It's absolutely every single person here, regardless of whether you're a net defender or a user. And I think that we all have an obligation and a responsibility to stand on that line together because I truly believe, and some people have said, you know, I'm being dramatic, I really believe that certain attacks and things that I've seen could leave people dead when critical infrastructure is destroyed for weeks or months on end. And I don't think that that's out of the realm of possibility. That requires everybody to step on that line and to do the right thing and have an obligation to your friends and your colleagues and your family and the next generation, if you've got kids or grandchildren, but the people that are coming up behind us, I love what DEF CON's done with teaching young kids. I love what DEF CON does here by being innovative and causing people to think differently and creatively because I think that's absolutely necessary for all of us to do. And I ask all of you to step up on that line and to take this seriously. Clearly the fact that you're here, it's something that not only you're interested in, but I think you take seriously, but I think it's a responsibility for all of us. I don't think we can change the adversaries whomever they may be. Criminal organizations, lone wolves, terrorists, foreign intelligence services. I don't know that we're gonna change them. 
They're coming at us and they're gonna continue to come at us and if we block them at the door, they're coming through the window and if we block the window, they're coming through the ceiling, it's happening, they're coming at us. We've gotta be creative, we've gotta be innovative and we've gotta step up. So I ask all of you to step up and to change the game and to help keep civilized society much safer. Thank you very much.