 What we're going to do is real quick introductions of everybody here on the panel and then if you start lining up at the microphone over here in the aisle and we're just going to open it up to questions in about two minutes. So I'm Jim Christie, I'm from the Department of Defense Cyber Crime Center. I'm Mark Sox and from the Fed side, retired DOD, used to work at the White House, used to work at DHS, now at Verizon. Is there a difference? He's always getting fired up, that's good. Rich Marshall, warrior lawyer, legal architect, eligible receiver 97, currently the director of Global Cyber Security for the Department of Homeland Security and we're here to help you. Good afternoon, my name is Riley Repco, I work for the Department of the Air Force but I'm now detailed to the Deputy Secretary of Defense. Hi, John I. Donacy, I'm from the Navy SEAL teams, I now do independent work. Go ahead, I dare you ask a stupid fucking question. Randy Vickers, director U.S. SIRT, former director of DOD SIRT. Colonel Mike Convertino, U.S. Air Force, I'm commander of the 318th Information Operations Group. Andrew Freed, former IRS agent and actually with TIGDA, retired two years. Jerry Dixon, former director of the National Cyber Security Division, now with Team Cummry. Lynn Wells, National Defense University, former DOD Chief Information Officer. Kevin Manson, point of term Cybercopter, retired DHS. Okay, it's open to you guys, we need questions. We got to line up at the microphone right behind you. I was listening, cool. Hacker pays attention. The Air Force Colonel, in your testing, have you ever had a team fight back on the network? Not just sit there and watch them or watch you penetrate the network, but actually fight back against you. If they did, what did they do? You mean in pen testing, when we do our pen testing? Yeah, pen testing or red team testing. Have you ever had anyone fight back as opposed to just watching you come in and own their network? Yeah, I mean, we have some really stellar professionals at some of our bases, so I do own underneath me a pen testing unit, the Air Force's pen testing unit, and so yeah, we've had plenty of times where our professionals at various different Air Force bases have pushed back against some of the hacks that we were pushing forward. Have any of them been particularly effective or are you just able to just run through? Actually, over time, the skill levels of our pros have really gotten much, much better. Back in the mid-90s, things were a little iffy from that point of view, but things have gotten dramatically better, so between mid-90s and now, you wouldn't recognize it. It's much better. Thank you. All right, this one's for the IRS guy. I just wanted to know when my taxes are going to be going down. I'm sorry, what was your Social Security number? 394742768. We'll send you an email with a request for your credit card. We'll just refund it there. That was Kevin Mitnick's Social Security. So I see a lot of X so-and-so up there. I have a bit of experience in the government world before I went X, and I'm fairly young, so I'm curious if all of you guys retired or if you quit because it's just totally foobard like me. Well, let's everybody take that, so I'm not an X, but go ahead. So I retired, and then I worked, and then I worked, then I quit. I'm curious if any of the reasons quit just because, you know, nothing, I don't want to say nothing ever gets done, but it's so hard to get stuff done. Honestly, too frustrating. It was early days of DHS, and things were too frustrating. He said, hasn't changed. Oh, Riley. I'm in a different role. I spent 25 years out in the private sector, and now I'm in now 17 months working for the deputy secretary because my focus is trying to leverage all the wizards out there because I'm surrounded by a bunch of knuckleheads, and the opportunity here is to be able, and I say that pejoratively, you bring so much to the table, but the key is how do I leverage and incentivize the capabilities that are out in the private sector, and so I'm building that engagement roadmap, and I'm going to share that with you in my next presentation. So if you're in the special operations community, you have to be 100%, or you shouldn't be in the community. I think I'm in a different category here. I got shot and was wounded and had to go do other things, so. Yeah, I figured you're kind of different. Thanks. How come chicks tell me that too? I don't get it. I spent 20 years and retired. I'm trying to think of the word that tells me why. Working for the government is difficult, especially if you're just have a low threshold for bullshit, and since I've retired, I've come back like a Jedi Knight in a different life, probably more powerful than before. I'm not inhibited by rules, policies, procedures, or as some would say morals, but I've stayed involved in the cyber crime world. For those of you that don't know, I'm a researcher with Paul Fixie's group, ISC, and I also have my own consultancy, but we are still working very closely with law enforcement, because we're able to now gather data that as law enforcement I never could have done legally before. I think everybody else kind of summed it up with regards to frustration stuff. It gets to the point where if you're not going to be able to continue to make a substantial impact or execute on certain things. I feel especially for Randy, because I know what he's up against, it's a very challenging environment. It takes a lot more effort than you would in the private sector, so there's some challenges, but at the same time there's a lot of good things that you get to do in government that you can't do anywhere else. Yeah, like read people's emails. Thank you. Hi, so instead of all the investment in cyber warfare, has anyone thought it might be a good idea to set up a system sort of like the FDA to stop steady products and services from ever hitting the market? I like that idea, but I think a common theme that we've just heard is one of frustration and think of the execution of that idea. How does that construct work? How do you get people to review the sheer volume of data coming in? I'd like you to take your idea and maybe explore a crowd sourcing model behind it. I think that's a good idea, though. The other challenge is the scale of being able to test. If you think about what the FDA does, they're focusing on a certain type of drug or food product that's very focused. If you're talking about an operating system or some other system that has to be configurable to many different missions and many different things, the scalability of testing each one of those configurations to meet all the other mission impacts, virtually impossible. Yeah, but you look at how much money goes into the attack part of the research, and it just seems like if you stop it from ever even getting to the point where things are widely deployed, it seems like a much cheaper fix. Yeah, but I think I'd like to follow up on John's point with that. The solution in this space is not something the government can do by itself. It's got to be a public-private sort of whole-of-government, transnational approach to this problem. There's not enough spare cycles among the people in government to get to the, say, the amount of code that's out there. And besides, folks in this room are a lot closer to the problem than we're ever going to be. So I would love to just be a way to take the approach you're talking about and get more involvement out of the tremendous skill and enthusiasm in places like this to make a partnership out of it rather than we they. And let me take a slightly different tack on that particular question. In my current position, which is the second best job I've ever had in the world, and that's why I do what I do. One of the scary things that really, well, I sleep like a baby at night, so I don't worry that much. I wake up every two hours crying. He drinks a lot. He drinks a lot. Well, that helps. But just to kind of, to spend a little bit on your particular idea, we need to spend more money both on the private sector and the public sector on research and development, basic research and development to counter a lot of the cyber security issues. The American public, the people, not a government, but the American public spends more money on astrology than the U.S. government spends on basic R&D and cyber security. We need to reverse that trend. I'd like to add a comment that part of the frustration isn't knowing what's happening. I think Stevie Wonder could look at a network and know it's bad. The problem is mitigating it. What can we do about it? That's where the frustration comes in. We don't need a lot of research to know what's happening. We have thousands of people that will tell us. Some of us are part of those people that are doing it. It's mitigation that's a problem. Next question. This question is for anyone that may have ever participated in a raid against a hacker's home. Any raid against a hacker's house, if you guys have been one, have they ever violently resisted possibly with firearms and what would be the outcome of that? How would that possibly affect the policy in the future? Definitely its death. I hear predictions on the one. Yeah, the undertaker gets well. Taking odds on that one. Their username was no longer CSDN now. Generally they're very cooperative, very polite, and things usually go very smoothly on those. Why? Because we have guns and they don't. What if they did? It would get noisy. So it doesn't sound like that has ever happened before? I've been on probably 40 or 50 search warrants in the final five years of my career. We've never had a problem. We go in there professionally, we talk professionally, and we have a warrant for a magistrate. That's not the time to fight a problem. The time to fight is in the courtroom. You go in with overwhelming odds so that you don't have a problem. In a lot of cases, you're ruining somebody's life. So you don't know what they're going to do. So if you go in in numbers, it's going to prevent anything from happening. I'll just give a side story that we actually went to arrest a hacker one time, and the guy lived like two hours away from our office, and I really didn't want to have to drive two hours to get him two hours back. I mean, he knew we had him. There was no question about it. So we actually called and scheduled a time to make the arrest. And I said, well, how about like Thursday? He goes, well, I'm kind of busy that day. How about like Tuesday? I said, oh, gee, I can't. I got something going. So we actually scheduled to meet at a restaurant across from the courthouse, had lunch, and then went across the street and got arrested. So it's not all like what you see in the movies. And we didn't have to listen to him for two hours in the backseat of the car. So he was happy. We were happy. Justice was done. Did you send him an Outlook calendar request? I think he friended him on Facebook. Okay, sticking with the theme of federal policy. I know a couple of years ago, DIAP wrote that 8570 that required for the Department of Defense anyway, but I know a lot of other departments caught on board, to have a civilian certification in order to meet the prerequisites, CISSP for some or a CEH for other pieces. Is that a theme that we're looking at sticking with in the government to have these civilian certifications? Any standard the government comes up with is going to be a clusterfuck. You see, we're talking about technology here that depreciates like a head of lettuce that you throw into a fire. And so if you're going to sit there and spend time and effort in trying to standardize something, only to throw it over the transom to the National Institute of Standards, and then maybe 13 to 18 months later they kind of give you an answer, that just sounds absurd. So we've got to think differently. N-D-U representative. I just got done hiring a bunch of qualified security professional guys, and they're really, really expensive. What do you see as the, is it better to hire people that have kind of come up through the ranks and made their own name for themselves or is it better to hire them young and put them in, put them through all the training and hope to grow internally? Well, at DC3 we do both. If you went through DC3, you would find old farts like rich, you know, and you'll have kids right out of college. You'll find enlisted troops, young enlisted troops right out of tech school and everything in between. It's a pretty eclectic group and you look where the talent and potential is. I have my sentient portfolio. I mean, you're not going to, first of all, you want to have a range of people from just starting out the experience expensive ones, if nothing else, because people are going to leave and you're going to need the balance. So, you know, if I was trying to do it, what I try to do myself is pick a couple of people who are expensive and have law skillsets, I think as many young people I can grow into what I want as possible. Thank you. What the hell is DC3 again? It's an airplane. The Department of Defense Cyber Crime Center. In here I thought you were going to say it was classified. Yeah. You know, listen to gentlemen from NTU, you know, and talking about the need for a partnership and develop a partnership and we're talking about government and the private sector. And when we say the private sector, you know, I'm thinking businesses. And I'm thinking there are a hell of a lot of people that are active in this area that they do it just as a result of the interest. And one of the things I've seen, you know, over the years is the open source community, which is driven by interest and collaboration. I'm wondering, you know, is this a model we're looking at adopting? Are we setting up collaborative programs with people who are basically interested in this stuff and willing to work on it? And if so, what is explicitly, what kind of outreach programs do we have to like gather and coordinate these folks? So some of the best people I work with in this space are people I met at Burning Man. Seriously. And I don't know how many of you know, it's a little bit off-cyber, but in Haiti, in the Haitian disaster relief, the U.S. Coast Guard, 10 days after the disaster, was launching medical evacuation helicopters off of data being compiled by graduate students at Fledger School of Law and Diplomacy in Boston in a 24-7 voluntary ops center they set up. Using a situational awareness tool called Ushahidi, open source development Kenya for election fraud monitoring, based on data drawn from the slums of Prada Prants by SMS texting and Skype, translated worldwide through the Haitian diaspora from Creole, overladen images being processed at San Diego State and coordinated with OpenStreetMap. And that was more accurate and timely than what they were getting from their official sources. So the open, good story. So the open source community, the crisis mapping community, this whole OpenStreetMap whatever is a fabulous source that as a matter of fact this morning I just had a phone call about how to make sure that the next set of programs for disaster relief we develop have the APIs, the hooks, the metadata handling and all that to be able to take advantage of stuff we can't even think about now as it's invented on the fly. Great point, great source. I'd also like to echo what Lynn said. My personal belief is if we look at this from the war fighting construct in terms of irregular or colonials, et cetera, I mean take a look back and think about if Paul Revere had the internet, I mean he probably would have tweeted the British recovery and nobody would have known his name. So I mean we have to look at tools like that. We have to look at the construct and the mass of the collective and how can we harness like is this such thing as a digital citizenry? Is there such thing as coming together for the greater good and safety of ourselves, our country, our nation? Is that real? I think it is. And I think the things that Lynn's doing and some of these other small micro-examples give us and demonstrate to us that yes, when people work hard enough on a single end state, things happen and it often is done better and more efficiently and cheaper. And just in that same vein, I think there needs to be a change in some of the way the government handles personnel systems in the sense that we need to be able to tap into people and have them laterally come in for us to draw on their expertise at mid-career and maybe go back and not commit to a 20-year career in government or have a way to cycle in and out more smoothly than we now do. I've got a question on the strategic I.O. policy front. It's still hard for me not to call I.W., but I know that's not fashionable. I'd be interested in knowing what the operators and the policy folks on the panel think about the premise that our control of information call it classification regimes, but it's kind of bigger than that, around those activities are currently adversely affecting our deterrence posture. If you don't talk about it at all, I think there's a very real question as to what you can achieve with regard to deterrence and I'd be interested in knowing what you think about that. Are you talking about current actionable information or technologies, processes, direction? Well, you know, I've seen things on your side of the fence and the degree to which we utterly refuse to talk about as a country, entire classes of activity, whether we even do it, you know, and I think there are no illusions internationally. So the open discussion of capabilities, whether we have them or don't have them, and whether we're using them or not using them. That is, we are failing at that, but we're getting better. If you go back 5, 10 years ago, there was virtually no discussions short of what we would have in these types of communities. Today we are having more of that, but we're not anywhere where we need to be in terms of open discussion of ideas, thoughts, capabilities, whether we use them or not doesn't matter. So just in that vein, General Hayden's talk yesterday at Black Hat, you talked about computer network operations as a triangle of computer network attack, exploitation, and defense. And one of the things that came out of the comprehensive cybersecurity, national cybersecurity initiative, was the ability to talk about CNA and C and E and C and D together in an unclassified space. So I take exactly the points made compared to where we were a few years ago. Is it where we need to be? No, but we're making progress. A few years ago, there's no way that I could have been up on this stage with the unit doing what it does, but the one I command right now. So just the mere fact that I'm sitting here talking with you at all, and that I tell you the title of my unit is the 318th Information Operations Group, in and of itself, has a deterrent effect on others and other nations too. Mike's a real success story. I invented him. I convinced him to come out here and go public at Black Hat earlier in his Air Force career three years ago. And his question was, why should I do this? And I said, because there's a tremendous amount of raw talent to be tapped at DEF CON, recruit him. How many have you recruited? How many do you still have? The first year that I came here, we successfully recruited about a dozen people into the Air Force, either as civilians, officers, or enlisted personnel. Last year, we crested 60 when we came here. So it's a heck of a good deal, because, I mean, let's face it, you get to do what you love to do. You're sanctioned officially for doing it, in a positive way. You get to help your country, and by the way, you get paid to do it. So, I mean, it's not a... It's a really good deal. Smam. Have to jump. So first, I guess I have a pre-question, which is, what's the, I guess, lowest regulation height for military transport choppers over civilian neighborhood? That's my pre-question. Treetop. So 50 feet is fine. Two light gray military transport choppers, 50 feet over civilian neighborhood. No, that's not okay. That's not okay. At 1.50 p.m. near the 405 Colvern Spolvada. No, unless the FBI is coming for you, and they're going to land in your backyard, then no, that's not cool. Sorry. I don't know, in Fairfax County, I've seen them at 50 feet. Are these black helicopters? No, they're light gray military transports. Right. Two of them. Who do I... How do you, as a civilian, unclear civilian, how do you go about reporting that? He's seeking business. No, no, no. You just... Well, I'm going to the UAV talk, but I don't have it built yet. Just move your trailer so that you're not on the final approach to poker. No, no, no. So they should be up there about 1,000 feet, first off, right? They should be zooming your house. And number two, talk to me afterward and I can give you the points of contact that you need to report them. Thank you. So my questions are pretty simple. When can I wear my shoes when I'm trying to go through security to get onto an airplane? And when can I start actually carrying a full-size bottle of shampoo or booze or whatever? Is there a guy in a cave in Afghanistan that can probably answer that question when he stops? Sorry, what? I.e., all those things that you do at the airport that I hate and everybody else hates were the manifestation of, you know, people wanting to hurt us and bring down our aircraft. So I agree with you, it's a pain in the ass, but this has to be protective measures and really I'd like to ask that question back to the people that are attacking. So let me clarify. I brought up shoes and liquids because there have been a lot of tests after the fact to talk about what sort of potential for damage there is there or what danger or threat is present. And none of the things seem to be to go beyond other articles of clothing, for example, like a hat or other things that you might not be required to take off a pair of pants or underwear, right? And so I guess my question is broader, and that is, at what point are we going to re-evaluate some of the things put in place for the purpose of security as to whether or not they're actively achieving that goal and making it safer versus actually just creating a sort of making people feel better. Let me twist your question a little bit. Let me answer your question a little bit. Rather than asking the detailed questions, view the process you go through at the airport for security as a miniature memorial service for everyone that was killed during 9-11. Just to add to your question, every day at DHS, and I'm sure they still do this, they have a threat briefing and they take a look at all those things TSA, as you've seen in the past, they've even made tweaks and adjustments to how they're conducting security at the airport. So there's some very good reasons based on intelligence sources that they've got coming in. It's not done lightly. Thank you. Gentlemen, my question is involving the human capital crisis and cyber security report. And just kind of in reviewing that, I think it's great that the government is trying to build skills in the next generations and recruit from places like DEF CON and things like that, but kind of to frame the question correctly, there's a book by a guy named Thomas Kuhn and basically says that in order for a new paradigm shift to happen and for security in this case to really be effective, all of the old guard ideas kind of have to die off. And like I think that there's like through CISSP and a lot of these certifications and things, there's a lot of people that seem to be in government that don't have the practical experience that you're teaching in that report. And I was wondering since the government also it's really tough for their employees to die out because like the government basically doesn't fire their employees and they get automatically promoted, how is it from the bottom level that you're going to look at a holistic approach in security? I agree, it's a very long question. I've never received an automatic promotion. I'll tell you that. Oh, that's bullshit? Okay, that's what they told me because I was applying I guess. Let me talk to you a little bit about some of the programs we've recently initiated. I mean the concern that you expressed, the nugget of your concern, I share it. Okay. This country needs to refocus its emphasis on STEM, STEM education, science, technology, engineering, and math. And arts too actually. And I know some of you are going to look at me, I said I'm the Talking History Channel which is a euphemism for old fart as my good friend Jim referred to me. But back in the day, when the Russians launched the Sputnik, I was alive and walking this earth. There was a big push by the administration to focus on STEM education. It made a difference. Big investment, big difference. John F. Kennedy when he was president said let's put a man on the moon. We did. Big emphasis on education. We need to refocus and do that. Now I'm not just saying as a prescription, I'm also going to tell you what we're doing. There's a group called the Centers of Academic Excellence that's cosponsored by the Department of Homeland Security and the National Security Agency. That program is under my purview. The number of schools that are in that program, when we started the program about 20 years ago there were nine, now there's 117. But the amount of excuse me, 121? 125. 125, thank you. And that includes the two-year schools that have come in recently. That's a real plus. That's a real plus. But here's the catch. The amount of money that Congress has allocated has not kept up with the growth of the schools. It's like having a dinner party and having one turkey. And instead of inviting five people and feeding them handsomely, you've got 100 people. So there needs to be pressure from the American public to their members of Congress to put more money in that Centers of Academic Excellence program. The third thing that we're doing, and I'm very happy to report that because it just got approved this morning, is revitalizing and updating your point, the curriculum that are used in those schools. A curriculum that was developed years ago is not good enough in today's environment. We just developed a curriculum that's been approved that is pushing real hard on security engineering when you're designing software. But wait, there's more. Like papill's pocket fisherman, there's more. We need to continue that emphasis and we need to continue to get support not just from the top, but from you. We need to push them push them, urge them, take your kids and make sure they study hard. There is no excuse why we have to import foreign talent to run our technical programs. They come to the United States, they get educated, some people would advocate that you put a green card on their diploma when they go back to their country. They go back to their home country because they're more comfortable. Because our brightest kids don't do STEM, they do finance and create Wall Street. The other challenge to that is the incentives to hire. Right now, industry has much better incentives to bring people on board than the government. So the challenge I have of getting the talent we need is being able to bring them on at a level that's compensatory to their knowledge, skills and their experience without some of the other challenges we have and we cannot compete with industry. So that's the other thing whether you want to call it the salary system or other incentives that industry gives to employees we just don't have and that hurts in bringing excellent talent on board. And let's think about this logically. The private sector is the intellectual capital for the cyber domain, period. So this is all about collaboration. So the key here is if you think the military is going to be able to train enough capability fast enough think again. So what's the mechanism that allows us to incentivize your participation based on our needs and requirements? That's the kind of thought process and a couple of young folks who are asking questions are going down that path and I applaud you for that. Well my question is actually kind of related. I'm looking up here and I've seen a lot of X's in front of I think it's indicating a trend. The Department of Homeland Security last time I checked about three weeks ago said they had about 1300 cybersecurity jobs open. Air Force last week it was looking for 600 to 700 cybersecurity professionals. What are you doing to increase the incentive both to join but far past that to stay with the agencies and departments to help to protect the nation's infrastructure? I mean are there plans in place not just to train our kids but to get them protecting our nation? Yesterday marked my six month plus one week anniversary of being at DHS. During that time frame I have doubled the size of my staff by aggressively recruiting. I feel very good about that. Earlier this week I had breakfast with the Deputy Secretary of the Department of Homeland Security and one of the things that we talked about eyeball to eyeball was the need to be more aggressive in recruiting. So I can't promise that things are better but I can promise that things are going to get better. They realize it's a problem and they're trying to do something positive about it rather than just pontificating. I'm only going to talk from the DOD side of the house but the personnel system is so broken that you can't hire people in less than a year. I know. We're down to half staff and I can't get anybody on board. I had an opportunity to have breakfast with the Deputy Secretary as well and that's what I told her. I said you got to fix the personnel system. We have a terrific scholarship for service programs all over the place. Talented people that we want to hire and they have to take a job and they need themselves by the time they go through the hiring process it's a year, year and a half down the road. We lose talented people all the time. So what we do in DC3 is we bring them on board as a contractor and then they immediately apply for the government position and then jump over. Actually recently there has been a little relief in that regard so for example I got the authority to say jobs website or advertising from that point of view so it becomes a little bit more traditional that way like you would normally get a job and also we actually start really early with people in educating them about what we the Air Force are about so we have a couple of high school level cyber orientation courses if you will that really wet the appetite of the students and get them in that point in our direction. Interestingly we don't have a horrible problem with retention once we get people in because the work is good. It's not only noble work doing something for your country but also frankly in my unit especially there are things that you can do there that would otherwise be illegal. That's a big draw. A lot of the talk has been in partnerships within the U.S. but I was wondering if there were any organizations that you thought were better than the others in cooperating internationally. The FBI has a program called InfraGuard a private partnership that shares information and there are multiple chapters all over the country so that's one of the programs. Internationally like with other countries. Internationally with other countries and I lost my voice. The form of incident response teams they just had a meeting in Miami usually it's at some international location but brings in a lot of security practitioners and incident responders from all over the globe so that's provided a lot of people can participate that share a lot of the things that they're doing within their country also gives you a chance to hear with some of the challenges that they're facing. Right now I think FIRST sharing forum I know many government agencies participate in that. Purely on the cyber side we are a lot more ahead than other parts we did a lot of growing in the mid to late 90's leading up to Y2K in terms of building those international relationships they're just not as over as we see on the domestic side but certainly State Department DHS, DOD and many others have a very active ongoing interrelationship with their counterparts in other countries it's just not in the press you don't see a lot of it being publicly talked about but there is a lot of good information being shared back and forth and of course we can do better in all these things. As an operator we conduct war games all the time and the traditional participants internationally include Australia, New Zealand Canada, United Kingdom however when you start conducting these games in the Pacific knowing full well that the adversary are some of the folks that live in that area the challenge that we're faced with is of course the classification issue ok so how do we handle that so right now if you surround yourself with some clever security types who can sanitize those injects, those requirements to the point where now we can send it out to the in essence open market you start to see the art of the possible so I mean we've dealt with Malaysia we've dealt with Taiwan we've dealt with groups that we don't even have relationships with because we have that ability to sanitize and then validate afterwards so again that's a creative approach to a challenging problem I guess I'm just asking because for my job I focus mostly on former civil union which is really Russia and Russia is famous for not being cooperative but when there are people there who are I can't get anyone in the US to even care so one of the areas where there's been a lot of emphasis in the past couple of years since Estonia has been in Europe there's actually a talk here later on about the Baltic cyber shield exercise 2010 I was in Brussels about a month ago talking about NATO cyber type things and there's a growing interest now how effective is it how at least there are people there who are willing to talk that two years ago weren't and is it the same as people in Russia talk no but at least that's an area that seems to be opening up is some of the NATO cyber US CERT is heavily involved in the international community we are tied into several forms like the international watch and warning network 18 countries sharing information it's predominantly Europe but it also includes Asia Pacific Rim countries first as Jerry mentioned and other organizations we actually sent during the Estonia crisis in 2007 we actually sent an analyst actually was under Jerry's to Estonia to assist so there are a lot of things and we're meeting on a one by one basis a lot coordinated through the state department and others meeting with a lot of countries that are building up CERTs or expanding their already existing CERT and so that's a growing market for us and so I think we're getting a lot more of that communication because everybody is starting to see this as a broader broader issue so it's an improving environment let me put in a quick plug for the United States Postal Service not represented here they do quite a bit foreign in postal crime that relates to cyberspace they've done some really good inroads so depending on what you're trying to do they might be able to help you as well yeah I was going to say similar you know the last panel that we had at 11 o'clock was mostly law enforcement guys and there are traditional relationships that the law enforcement agencies internationally have and they're always cooperating where they can just to answer your question about how to get them involved seriously see Randy afterwards because he can get your point in the right direction or connect to the right folks unfortunately that was we just got cut off so we're out of time so sorry about Room 11 we're all going to go over to Room 11 and we'll answer questions for the next half hour if anybody has additional questions