I'm Ross. I'm the chief of operations for the conference. I've been here for 17 years, which is why I'm standing here today instead of hungover in my room. How many of you are feeling okay this morning? That's not too bad. How many of you are new to DEF CON? That's not bad either. I got to tell you, after all these years I still can't predict what you guys are going to do. We're almost out of the badges, even though we upped the numbers. I do my damnedest and you guys surprise me every single year. I wish you'd stop that. So we're going to queue off this year. We're going to show you the trailer. How many of you have already seen the trailer online? All right, so not many. So this is going to be really, really cool. The theme this year is kind of this film noir thing. That's why we're walking around with albums. All the artwork reflects it. It's very cool. If you haven't already started getting involved in Lost Badge Challenge and that sort of thing, please do. We have a ton of stuff going on in the villages and the event center over in Bally's. We've kind of divided everything up. Hopefully every one of you is wearing a Fitbit. Because there's a lot of stasis. Yep, me. Go over there. All the action's over there. We have the speakers and the information and the vendors and stuff over here. We tried to separate it out a little bit. The parties are going to be over in Bally's tonight for the most part. If you have questions, ask somebody in a red shirt. Be safe. Have a good time. And let's roll the demo so they can see that, please. Pathetic truth. Master coincidence certainly, but it couldn't be. No, these were not imagined patterns. The mind seeking to connect accidents and the thoughts of the bloodlines. This was something real. Lick it then it's simplicity. It's a scared perfection. Everyone else is so able to untangle this complexity. Understood this cypher that surrounds this key. This 23. So we're going to kick things off this morning with our keynote speaker. 
He's got a very long and rich history in security and also in research areas. So, and in legal. So I hope you'll listen to what he has to say. This is Alejandro Mayorkas. He is our deputy secretary of homeland security. He was confirmed in 2013. You can hear a lost boy over there starting their video too. He comes from University of California, Berkeley. We have anyone from that area? I heard somebody hooting a holler. He's got a law degree. He's got all sorts of education. And he's got a lot of insight into what the government's thinking about information security, cyber security right now. So if you help me welcome the deputy secretary. Good morning. Thanks very much for taking a little bit of time to hear me out. And hopefully you'll ask questions and share your concerns or thoughts with me. And we can have more of a conversation than I just give a speech. I will tell you at the outset that I was instructed by my colleagues not to bring my government phone with me this morning because it might suffer an intrusion. And I said, I don't believe it. Let them take their best shot. And I challenge any of you to make my phone ring during my remarks. And if you do, you'll get a free job with the government. So give it a shot. Give it a shot. You know, I have to tell you, I tend to be retrospective when I experience new things. I tend to reflect on my own past and my own life and the decisions I made. And as I walked through this morning the lobby area and I went into the DEF CON swag room and then the vendor swag room, I thought quite frankly of my high school years and I thought about 1974 through 1977. And it's hard for me to believe that I walked by what was then a very nascent computer room and actually walked by the future. But we are the decisions that we make and there's always days ahead as well as days behind. So I look forward to developing greater skills in this arena than I have now. 
You know, yesterday I had the privilege and the experience of sharing some thoughts at Black Hat. And I've been looking forward to this morning as well. And I have to tell you, I find the talent that is resident here, the talent to be stunning. It is in my view a combination of brilliance, expertise, ingenuity and creativity and also just a risk tolerance, a tolerance or appetite to experiment and to see what happens. And I want to talk a little bit more about what that means or what it means to us in the Department of Homeland Security in a minute. But I also want to express the fact that we have in the Department of Homeland Security in my opinion that same level of brilliance, expertise, ingenuity and risk tolerance, perhaps not in me, but certainly in, for example, the three members of our U.S. CERT team, computer emergency readiness team that I interacted with yesterday at Black Hat, our ICS CERT team, our industrial control system CERT team that's resident in D.C. These teams fly all over the country, respond to intrusions not just in the public sector, not just that the government suffers but also that the private sector experiences and assists companies and entities and institutions in identifying the intruder, expelling the intruder and remediating the system. It's a tremendous core of individuals. What troubles me a great deal and it's something that was quite frankly underscored yesterday and the questions and comments I received during and following my remarks at Black Hat is that there's a divide between the two groups, the two collection or communities of individuals. And it's a divide of mistrust that there's a trust deficit, as I called it yesterday, between all of you and us in the government. 
And I know that it's born of quite a number of things over the years and of course in recent past, whether it's an intrusion that we suffered that speaks to the state of our own network security, whether it's some of the practices or principles that we execute or espouse. But I'm very dedicated to doing what we can to bridge that divide. You know the, it should be after all a more unified community. If we speak about the internet as a global commons, then I think we have to have a common purpose and a common understanding to achieve at least those things about which we agree and hopefully reconcile more effectively our differences. I think that's the only way quite frankly that we in the Department of Homeland Security at least will achieve, I think, our primary goal of building an ecosystem of information sharing. This is quite troubling to me. I've actually never seen Nyquil in that bottle before. That's probably not going to happen by the way. I'm sorry, may I interrupt? You did. Well played, sir. We have a little tradition here at DEF CON. We have a tradition here at DEF CON. Do you all know what it is? We have a first time speaker. You know, let me share some thought with you. I'm going to share two things with you. First of all, I'm going to share a story about my landlord when I was a federal prosecutor. His name was actually Jack Daniels. It's true. And every morning he was 94 years old. He had a beautiful mane of hair. His skin looked as though he was 27. And he lamented the fact that he had to wear reading glasses to read the paper and read novels in the morning and in the evening. And every morning I left my office, I left my apartment early. I lived above him. I left my apartment early to go to work to the smell of frying bacon. Every single morning and every single evening I came home late and had to pick Jack out of the bushes because he used to have a couple very tall vodka tumblers to end each day. It just goes to show you what the key of life is. 
It has something to do with Jack Daniels. It is very difficult to talk about a trust deficit and how to bridge that deficit and really build trust when I'm a fraud and this is actually water. So it's the official story and he's sticking with it. So I'll tell you what. As long as you promise to make it small, I'll take a shot at the real stuff. And it's got to be small because after this I'm actually meeting with TSA colleagues. Yeah, that's exactly right. All right. You're a trooper, man. Cheers. That's my way. That's my way of really actually saluting all of you. I am captivated. I am really captivated by the talent that is here and the potential that it represents for the world. Can we put a round of applause? That's a reason we're a trooper. That was my first of the day, by the way. It may not be my last. So what we aspire to is an environment where the cyber threat indicator is not of proprietary value but is actually something that is exchanged publicly. What we feel we can do more ably than anyone else in the government because of our unique position as a civilian agency. We're also uniquely positioned at the intersection of the private sector, our responsibility as really the chief network security agency within the federal government, critical infrastructure, and other equity holders in this environment is really receive the threat indicators and we are building through a STIX and TAXII system of the capacity in automated form to then disseminate those threat indicators out to the community so that we raise the level of network security. We raise the baseline more ably and we at the very least avoid the replication of an intrusion that one institution or one enterprise suffered. And the only way that we are going to be in a position to receive those threat indicators is if you trust us. If you trust us in terms of our capabilities and you also trust us with respect to the integrity of our actions. 
And we're also uniquely positioned in the federal government because we're the only department that has a statutorily created office of privacy and a statutorily created office of civil rights and civil liberties and those equities are brought to bear in everything that we do in the network security arena and in fact everything that we do as a department of homeland security. Yesterday somebody said look, you know, if I've got a threat indicator, if I've got the keys to the kingdom, quite frankly, I'm not going to, my risk tolerance might be high but I'm not going to experiment and turn that over to you to find out whether you're worthy of our trust or not. And I understand that and I appreciate it. And what I said was look, trust is not built or rebuilt or regained overnight. It takes time. And what I would ask if it's fair of me to do so is that you start somewhere. Start somewhere where your willingness to take a risk with us is manageable to you and let us prove to you what our capabilities are and let us prove to you what the integrity of our actions and our intentions are. And that's what I would ask of you. And let's see what we can do and what we can do together. You know it's interesting I heard and it's very important for you to give us that chance. At least it's important to us in terms of what we are doing. Another comment that I heard yesterday was, you know what? We'd like to validate what you do. It's very difficult sometimes to validate from the outside. And maybe you can have a hacker validate your capabilities and validate the integrity of your actions. And I think actually that's a terrific idea. So I've got a couple thoughts. I thought about it a lot overnight. I thought a lot about the day I had had at Black Hat and the people I had met and the ideas that we exchanged. And I thought of two things and I'll take them back to DC and I'll share them with you now and see if they fly and I'd be curious to hear if they fly with you. 
One is drawn from my experience when I was leading the immigration agency in the government. The agency U.S. Citizenship and Immigration Services that administers the legal immigration system in our country. We were, we administered visas for individuals that wanted to come and join businesses here in the United States from abroad. And it was remarkable how out of touch we were as an agency, out of touch we were with the startup community. Some of the questions and policies that we had would ask questions of individuals like, how many employees does the business have? Can we have the organizational chart? What's the floor plan? How much space do you lease? And the like. And it did not take into account that the next generation of businesses that will reinvent the world could be developing in a cubicle somewhere or in a garage, a basement or an unfurnished room. And so what we did, what I did was I said, you know what? We don't have a, certainly we don't have a monopoly on good ideas. We have a monopoly on very slow ideas, but not on necessarily very good ideas. But you know what? Let's bring in the talent into the, into the agency. And what we did was we brought in a number of entrepreneurs who were willing to take their time. They had done well enough or they were supported by the entities for whom they worked at that time. They came in and joined us full time for six months. And then they extended, so they ended up staying a year. So that was an entrepreneurs in residence program. And what I would ask is, how about doing a hacker in residence program in the Department of Homeland Security? And people who are willing to devote their time come in and lend us your talent, your skills, your expertise, your creative way of looking at things. And not only necessarily validating what we do, but actually helping us improve it. 
The second idea I had was to create frankly an advisory council of hackers, individuals who may not have the flexibility to join us on a full time basis, but can take a slice of their time here and again to provide us advice, to take a look at what we're doing and to essentially achieve the same goal of validating or improving that which we do. I am tremendously proud of being in the federal government. I'm now in my 18th year. I've been in and out of government and the private sector. And I think that there's an incredible opportunity to impact the life of many people just as I think you understand and appreciate and execute that very opportunity. And I'd like to partner with you. We would like to partner with you and see if we can build a bridge of trust and actually develop a community of interest and a commonality of purpose. You know, yesterday I heard, I was in a couple meetings with individuals who shared with me their perspective of how Wassenaar is a train wreck in their view. And they shared perspectives with me to which I had not previously been exposed. I had a few thoughts. Number one, I've got to take those perspectives back home. And we've got to take a look at what Wassenaar is and what it means. It was, hi Katie. Good morning. Katie is one of the individuals who provided me with tremendous insights into Wassenaar. And while it had its or has its noble intentions of protecting human rights and fundamental human values, certainly I heard a chorus of views that it did not accomplish that goal at a price that proved worthy. I did note that Wassenaar received 270 comments and there were thousands and thousands of people at Black Hat. And there are thousands and thousands and thousands of people at DEF CON. And adhering to the adage that the keystroke is mightier than the sword. 
If you have a voice that you choose to express with respect to very important government policies and initiatives, I hope you will exercise that voice through the channels that we have available and the channels that you yourselves can create. But I do very much want to build a community and I'm very dedicated to building that community of trust and I really appreciate the opportunity to share some comments and thoughts with you and I'd love to open it up to questions and comments and hear what you have to say and what you think. So thanks very much. Anyone give it a shot and I'll, not this shot, I mean a shot at a question and I'll repeat the, if you shouted at me I can repeat it. So the question was, do I think that we should, and tell me if I capture this correctly, do I think that we should be required to demonstrate the effectiveness of the security measures that we take and essentially impose upon the public before we actually impose them. For example, the security measures that we take at the airports, his buddy waited an hour in line because of our TSA processes. Let me say that it's not an all or nothing proposition. I think that with respect to some we do and we can and maybe we should do more and take a look at that. With respect to some, I'm not sure that we are able to by virtue of the fact that some of those security measures are seen and unseen by necessity. But I think, you know, it raises a very important point. That trust is very difficult to build if we're not open and transparent. So I think your point is well taken and we'll take a look at what measures we have and the effectiveness that we can demonstrate publicly. I will tell you that certainly the ineffectiveness of some of our measures was demonstrated publicly in a report that was published by our inspector general. 
And I think that there are reports available that shed some light on the effectiveness or lack of effectiveness of some of the things we do, whether it's inspector general reports or GAO reports. That's a fair point and I appreciate the question and the service of openness and transparency. Thank you. So the question centers on I think the OPM breach. There are individuals who have provided to the government the most intimate information, the most confidential and private information I have on multiple occasions in anticipation of nominations and confirmations. And should people do that, what is the condition of the government's capability to protect that information? You mentioned, you termed it a leak, which it isn't. A leak is when an individual in the government voluntarily provides information externally. This was an intrusion. And what is the government doing about securing its networks and what's our role in the Department of Homeland Security? I'm sorry, it's the, oh, and also the contractual arrangements with other companies. Okay. So a compound question. The OPM breach, the network security of some government agencies and departments is not where it needs to be. Subsequent to the OPM breach, the government embarked upon a 30 day sprint to address some of the more easily accessible remedies that could be instituted. There are, as you know, better than do I. There are immediate fixes. There are short term, medium and long term. And all of those efforts are well underway. Not just the sprint, which is a blocking and tackling exercise, but medium and long term exercises. We are taking a look at our contractual relationships. We are, we have placed in our contractual language requirements with respect to network security of the entities with which we contract. The Department of Homeland Security is one of the leaders in the government in ensuring that other government departments and agencies raise the level of the network security. 
We have a pivotal role in that. The Secretary of Homeland Security was empowered to issue operational directives to other department and agency heads. He issued the first one. I think it was subsequent to the OPM breach. And we are exercising our authority in that regard. So the future is brighter than the past. Thank you. What, what exactly should be disclosed in the aggregate? So, so the question, I'm going to paraphrase it and shorten it if you don't mind and tell me if I've captured it in, in spirit. In terms of voluntary disclosures, are we planning to aggregate information in the aggregate information about intrusions that the government has suffered or intrusions about which we learn and disseminate that information broadly so that in the service I think of raising the level of awareness. And yes we are. Yes we are. I was going to actually share some remarks about the disclosure regime. And quite frankly, you know, candidly, yesterday I learned that I'm, I'm ankle to knee deep in, in my facility with that issue. I know it's a very sensitive issue and there are strongly held and competing views. And I thought, you know what, I'm going to, I'm going to refrain from commenting until I build a greater, a greater facility with that particular issue. I will say this if I may, just a quick other note of admiration. I also found it extraordinarily impressive the, while there are competing views about some very core issues with respect to the internet behavioral patterns and the like, it's, it's extremely important and profound that the competing views are so grounded in ethical principles about the meaning of the conduct and the meaning of the issues and the ramifications for the creation of opportunities and the ability to actually exploit in the best sense of the term to exploit capabilities and talents. It's a, it's a very profound discourse. Sir. So I appreciate that. 
So the, the, the point made was that there are, and I, I'm very eager to capture this fairly, that there are two things at play. There's trust and there's respect. And it's very important that our department, if we seek to achieve both engage with this community and appear at, at DEF CON and I think interact with this, with this community more fulsomely. And that's why I'm here. And I, and I'm very grateful for the opportunity. And I agree. Sir. I probably said it's not going to be on my watch but the, on the run up to the 4th of July, the visa system went down. I see, was it a system failure or was it a, an intentional effort to reduce the inbound flow of individuals? And my understanding is that it was a system failure. Thank you. Thank you. So, so the gentleman, I'm going to summarize and I said, you know, the trust quotient is not increasing with our articulation of our position with respect to encryption and the request for a back door. And while he thanked me for being here, he challenged me to say that a back door is a bad idea. Okay. Let me, it's the only thing that got an applause so far. I thank you. Thank you very much. Thank you. I do, I do take, I do take note of that. Let me, let me say, let me say this. Okay. I know what the problem is and I don't know what the solution is. Okay. There are individuals who wish to do us harm on small scales and by a small scale, I don't know what the victimized family would consider it to be small, a small scale and a large scale. And what happens is we lose track of critical communications that enable us to interdict a violent act before it wreaks damage and that does have happened and there have been public examples in the last 60 days and we lose the ability to do that. And that is the problem. And I have heard certainly not only yesterday and today, but before this week, the concerns about a back door and I understand and appreciate that. And so what I can say is I am well aware of the problem. 
I am reminded of it every single morning in an information brief that I receive with respect to the terrorist threat, domestically and abroad. And I am, I do not know what the answer is. I cannot say yes and I cannot say no. And I'm just being honest with you. I understand, I understand what people have, the opposition to a back door that it compromises security to a greater degree than our concerns would dictate. That's one of the concerns. I'm just not an expert in encryption. I'm not an expert in the ram of complications. I well understand the concerns and I don't know what, all I can say is I don't know what the solution is. And I'm just being candid. So companies are suffering intrusions. They are becoming increasingly frustrated with the fact that the risk or the threat remains. And they're considering offensive conduct. And what do I think about that sort of vigilante actions which runs afoul of the law? So if it runs afoul of the law, I'm not going to support it. At least that's not to say that I agree with every law. But I do not in this area, I think vigilantism is far more destructive than constructive. And I would strongly urge companies not to engage in that conduct. And the fact of the matter is it underscores the need for all of us, I think, to work together to strengthen network security. You know, when I travel around the country and I speak to companies and when I travel around the world and I speak to companies internationally and governments, it seems that it's increasingly a given that an intrusion will occur. The question is how quickly can it be detected, expelled and remediated. And what I think we can do is more ably defend against the replication of intrusion. So if one company suffers it, another should not. And that is premised upon the sharing and circulation and dissemination of information. And then sharing best practices and the expertise and talent that resides in this room. I'm getting the hook. 
I want to thank you all very much for giving me some time this morning and for everything that you do. I hope I come back again. Thanks again.