Where would fall in the range of these things like narcotics, like human trafficking, like maritime piracy, and where would it come out . The cycle report took the lessons from the first one which involve lots of interviews with intellectual property lawyers and Law Enforcement officials. And it had to come up with a global estimate we collected data on a number of individual countries. In some cases we used interviews with Law Enforcement officials or intelligence officials that knew about csis. That when came up with a global estimate using the model we created the first report of about 450 billion, the global cost of cybercrime. Im going to give you a single number but, of course, you know we used a range, the low was about 390, and the high was about, the midpoint was 450. It seemed like a safe bet compared to other crimes we looked at. This is at the report and so at mcafee would look at whats changed, right . Theres been a steady increase. A fact the time we did the numbers we thought this cant be right, so we did them again and it looks like the estimate we came up with now is 600 billion which is a significant increase over a little more than two years. One thing that surprised us and the other speakers will talk about is the inventiveness of cyber criminals on the guys with the best at this got the top of their game and their automating what theyre doing, coming up with new techniques. They are doing things that we didnt see two and half years ago, three years ago. One of the big changes is that it looks like the fruit of cybercrime is easier to monetize it than it used to be. One of the problems is i might get your data, i might get your financial data, your intellectual property. How do i turn into cash that i can use . In the past there was this complex system of mules and people going to atms and the mules would be sacrificed sometimes, and it wasnt a very effective system. It looks now that using the combination of tour, the network and digital currency, that is easier for cyber criminals to turn the fruits of, to monetie what the steel, and so thats part of the reason we think of the increase. The other thing we noticed was when he went to and talk to people, when you went through and look at the numbers, to state actors have turned to cybercrime. One you probably all know about is russia, the mentoring for a long time, but the report in the past probably underestimate how significant the russians are, particularly for financial cybercrime. These are organizing groups. They are very skilled, one european gangs that are better than most nationstates when it comes to hacking. Other Law Enforcement intelligence officials told us theres roughly two in the people in the world, most of them are russian speaking, or at the epicenter of cybercrime, the high end of cybercrime. Thats one the changes anything some of it, if youre a criminal and you live in the west theres a good chance youll be caught within two or three years. But he to live in one of these sanctuary states, you can continue to refine your art. The other surprise, the other change which is been in the press often is north korea. The North Koreans develop hacking capabilities for political and military purposes. Probably about five years ago they were able to start doing impressive things using malware from the cybercrime blackmarket. At some point some genius in the reconnaissance general bureau figured out hey, you know what, we can use the same malware. We are breaking into south korean banks to cause annoyance and disrupt services. We can use it to steal money, and so north korea has found cybercrime to be a good way to fund the north has been involved in criminal activity for decades and it used to be gambling, counterfeiting 100 bills but one that one of the reasons your 100dollar bill looks different is because the north korean fakes were so good you couldnt tell them apart. Drug smuggling, illegal hardwood smuggling, they did the range of typical crime and they moved those criminal activities into cyberspace using their new capabilities. And they use, theyre good at bitcoin and they found that to be, its now, one interview, thats interesting i just got invited to give a lecture, a series of lectures in pyongyang on bitcoin. Should i go . Its like, well, jenna, your call. Id look at the sanctions clause. Its a very different, average of the world and even two years ago and it hasnt gotten that much better despite some pretty good efforts and theres a close split between whats not safe to do cytokines and thats largely states where it isnt safe and states where it is safe. Date is still a problem. Countries need to take this seriously. You can get a good estimate of the cost of postal crime in the u. S. For taxi fraud in london but you cant get a good estimate of the cybercrime. People dont collect statistics. We used a model based on gdp and dated we are able to find your career able to find good data on about 20 of the countries in the world and then use that to come up with estimates for the rest. We relied heavily on interviews with four officials, including in asia and in europe foreign and in the case of brazil people use that as a basis to great a model that came up with 600 billion estimate. The interesting thing here, the increased role of states, the importance of tor and bitcoin and inventiveness that really shocking inventiveness of cyber criminals, and these guys are really good. So with that why dont i i turn over to tom who introduced other speakers and we will take it from there. Hopefully by the time tom finishes his introduction of other speaker will be here. Very good. Look, the first thing to say its always such a pleasure to be here at csis year weve worked really now for well over five, six years with you and the institute. The center for strategic and International Studies is a prank on a regular basis the university of pennsylvania doing their annual review of think tanks on a global basis as number one nationals could be think tanks in world. And we take great pleasure to our academic offerings to support think tanks that are doing innovative, important wk in the area of cybersecurity. And csis has always done a spectacular job, so its a pleasure to support now a third study at csis, and the work you and your scholars have done together really is impressive. So my brief today, im tonkin, chief Public Policy officer at mcafee, and my objective today is to introduce the speakers and that also act as a bit of a moderator to elicit a good discussion for everyone. Jim has already discussed his background. Moving forward, Howard Marshall is the Deputy Assistant director for the Cyber Division of the fbi. Howard was appointed in this role in august of 2016, and in this capacity he and his team supports the Cyber Divisions mission to identify and pursue and defeat cyber adversaries who are targeting u. S. Assets. By the way, we worked with the fbi and found them to be topnotch in the area of cybersecurity in terms of analytics capability and technology deployment. Steve grobman is a very own Senior Vice President and cto. In this capacity he runs the Technology Strategy for the company, the direction to drive our technologies, to protect smart connected Computing Devices infrastructure worldwide. He is the holder of 24 patents. Now, what is interesting for me is the last i looked at your bio it was 20 patents, so congratulations on the next for that youve done. Thank you. So, you know, without further ado lets proceed. From an fbi and governmental point of view you would seem the report findings. We were discussing them. How do you see the trendlines, particularly in the area of innovations that these cyber criminals are engaging in to their game . So tom, first off, thank you for the kind words about the fbi. They are hard to find these days. Appreciate that. I can tell you as far as a trend line goes that probably like this. We are struggling, not the right word, were learning very quickly that are organizational chart in the fbi has been around for decades, might not be prepared to handle the problem as it is expanding. So were noticing in places like our criminal investigative division, counterintelligence, counterterrorism, the Cyber Division is expanding laterally across all of these different disciplines within the organization and so we having to kind of recalibrate how we look at the problem, how we address it. Again, the trend line is the situation is getting worse not better. A lot of that is through the advancement of technology and the integration of technology into cybercrime. Its a great that we have have. We consume it. We use to make our lives better but the criminals use to make their lives easier at will. At the end of the day criminals are human and they are lazy. They are looking for ways to make their job easier. They have already begun to identify things that we are already using to use against us. I think i need to mention iot and the deficit and fax back and have. We talk about ransomware and business email compromise, and the use of Artificial Intelligence and Machine Learning to may maybe better identify potential victims to increase return on investment for the criminal. We are seeing all of that. So the trend line is not moving in the right direction for us. I would also tell you that we as a country we see, the United States, we tend to think about cyprus could as an afterthought. What to get the machine out of the box and plug it in, use for whatever his want to use it for without really thinking and considering what the longterm ramifications are. And i had an opportunity to testify a couple of weeks ago to the Small Business committee in the house and is encouraged to hear theyre taking this up and theyre trying to push the message out. A lot of it is awareness but beyond awareness is actually following through. So trendline is moving in the wrong direction and we are looking for allies. Very good. Steve, in a similar vein, you have the honor of managing a team of cyber experts, analysts on a global basis. The report takes a look at technology trendlines and innovation. How do you compare the report findings relative to what you and your team see everyday . One of the things that we see is the bad Actor Community is able to take advantage of all of the innovation thats happening within the technology industry. So we see tremendous innovation and things such as Artificial Intelligence which has become a tremendous asset for defenders. So mcafee as well as the rest the Security Industry is using Machine Learning of the ai techniques to build better cyber defense, but as was mentioned its also a Great Technology for bad actors to even identify victims that will produce higher returns on the investment of the criminals identify weaknesses more effectively throughout the potential victim environment. And really look at Technology Asset having a moral compass. If you look at the report, a lot of the foundational technologies were built for legitimate purposes. So whether its using encryption to protect data but now being used to hold data for ransom. Or you look at the tor network, originally built by the United StatesNaval Research laboratory and provides valuable capabilities for free speech in a press areas of the world or enable whistleblower sites, but also becomes the Perfect Technology for bad actors to hide their infrastructure, or enable cyber trail to conduct operations whats much more difficult for Law Enforcement to track down the bad Actor Community. Or if you look at cryptocurrencies, cryptocurrencies can provide tremendous value to society in reducing the cost and over it a Financial Services of enhancing trust, also becomes a perfect means for cyber criminals to mask where funds are being transferred. And the innovation within the subcommunities to build off of a core capability and tailor it for Cyber Operations has been what weve seen and what the report calls out. So, for example, with cryptocurrencies weve seen new capabilities such as whats called tumbling, the bill to make it much more difficult to track Bitcoin Transactions being converted back into normal currencies such that Law Enforcement is able to track down the bad actors. We are seeing innovation where new forms of cryptocurrencies are being created with the intent to make tracking transactions more difficult. So when we think about innovation, we must always recognize that as defenders in the cyberSecurity Industry, we benefit greatly by new technology that we also recognize that our adversaries are using the technology to their advantage just as well. Very good. Jim, youve had the pleasure of now having worked on three of these reports. How do you see the trendlines relative to where were at today and where do you think will be possibly in the next few years on a matter of cybersecurity and crime . Well, to echo steve and howard, its an upward trend we were kind of helping it with latin. We didnt find that. The ability to use new technologies hoping it would flatten. Period some of the developments, particularly tor and digital currencies, but the whole dark web phenomenon create a safe space a sickly for criminals to operate. We will talk more about what people can do about this but between, as howard said, people, i think was you, people just want to get out of the box and plug it in, right . You can still, if you use some of the things like show dan which is a Search Engine that can find vulnerabilities, the number of people who have it moved beyond password as the password, or 12345 as the password. Thats the most popular by the way. Or the number of people who buy devices with a password is hardwired into the device and cant be changed. Once its cracked everyone is vulnerable. So the trendline is a good right now. Theres things we will talk later about what we can do to change that, as i said we were surprised can we were not expecting as dramatic and increase as we found. You know, one of the things that faceting me about the report was the role that major criminal organizations play in the cybercrime, and, indeed, the reality that there are top and National Actors involved and that you also see a confluence of those parties working together. Jim, for you and also for the rest of the group, how do you do the countries they seem to be the most active, what are the implications of that, for policymaking in general . Like brazil. You see is big upsurge in cybercrime. Its globallized and the best in the world are in russia. You can find countries around the globe and the question is how effective are you Law Enforcement and were struggling with that in this country and i dont know if theres a correlation. And brought up cryptocurrencies and how findable for Law Enforcement. How difficult it is. A lot it depends in the United States, we have Bank Secrecy Laws and got to know your customer. You have to be a lot of country it doesnt exist and thats where you see the activity flourish and makes it incredibly difficult, it makes it much more difficult than it should be. I think i would add as we see with cybercrime in general nations will move to something pragmatic for their goal. Theres a report that north korea is conducting operations again, stealing of cryptocurrencies and in north korea the ability to take cryptocurrencies that can been could converted into standard currency that would otherwise be difficult under the sanctions in place is a very practical mechanism for them to focus on. Similarly if you look at the report calling out the yahoo breach where there was collusion between russia and the cybercrime industry within russia, in order to provide the government with politically sensitive data, but also provide cybercriminals with content that could fuel monetary cybercrime benefits for that particular group, i think looking at the praguetism of different approaches that Different Countries will take will help guide us for what we need to defend against. Very interesting. One of the other things that stood out in the report in terms of an approach, its proven to be very effective with the use of ransomware. I know youve written on the question of how ransomware strategies have been my grating up the value chain. How do you and other presenters view the ransomware . Ransomware is a perfect cybercrime. The victim mays the criminal directly so it takes a lot of the complexity and cost out of traditional cyberdata theft types of criminal activity. What weve seen is, theres also tremendous flexibility in the model where we initially saw ransomware holding data for ransom and we now see a proliferation of many varients of ransomware. You can hold services that a Company Relies on for ransom. You can extort an individual or a company to provide payment or else releasing weaponized data, whether its real or falsified. So the flexibility of the ransomware model and seeing ransomware move beyond just a consumer problem, but also now impacting businesses of all size, we saw earlier last year, small hospitals being held for ransom, providing challenges with access to health care for patients. Some very Large Organizations where either factories or critical Business Systems are held for ransom. Part of the challenges, ransomware as a Business Model for cyber criminals creates new opportunities where we now need to look for criminal actors, potentially attacking assets that traditionally only interesting to nation states or terror factors. For example, Critical Infrastructure. There used to not be an incentive for criminal actors to look at Critical Infrastructure as a potential target because there was no practical way to monetize it. With the ransomware model, this now changes where really anything can be held for ransom and create a much greater sense of urgency for us to secure all sorts of Digital Assets in many different sectors. I agree with all of that. I would maybe answer just a little bit differently in the sense that, our role in Law Enforcement, especially when ransomware, we get a call complaining about ransomware, the first question we get, do i pay the ransom or not . While we take no specific position on that and companies have successfully paid a ransom and had data released to them, there have been a lot that have paid it and never got their data back at all. I say all that to go to my bigger point, which is about the fbi and even the federal governments engagement on the front end in the awareness piece in all of this. We spend a significant amount of time getting out in front of small and large businesses, and anywhere we can find a group to listen and talk about backing up data and simple cyberhygiene techniques and granted the bigger you are as an entity the more expensive to back up your data, this is not complicated for a security specialist. Backing up data totally takes the teeth out of ransomware totally. Its a problem that can be solved and i dont want to blame the victim, but part of our job in the fbi is to get out in front of that and trying to help people get out in front of that by thinking before the incident happens. What can you do to make yourself a less attractive victim. So technology is making that harder and harder, but there are simple things you can do to lower your likelihood of attack. And one of them is, again, backing up of data, having a Response Plan when this happens and understanding what youre going to do. I think in 2016, i think last year we did business email compromise, so 2016 we got out all 56 of our field offices with an Awareness Campaign for, again, small and large businesses. And its funny you bring up possibles of special agent in charge of the louisville field office, the area of responsibility was kentucky. Between 4 1 2, 5 million people, not a big state, but one of our victims was a small rural hospital chain, so 11 facilities all over the state. As you can imagine, you know, a lot of places, the hospital was the only place that provided health care for the entire community so if it goes off line for a day, or two days, or god forbid, more what does that community do . And financially, but also in terms of life and death in some situations. So, you know, engagement for us on the front end is really important. The notion of whether or not to pay, of course, we take the official position, but youre dealing with a criminal, do you trust this people. The calculation, what are my decisions going to do, if i pay a ransom am i going to get my data back, to steves point, weve seen instances where unlocking data is not an option. Theres a demand made and unbeknownst to the person who pays it, theyre not going to get their data back one way or the other. These are questions we try to get folks to think about on the front end. Again, 56 field offices, were wellpositioned to try to push that message publicly, but to the degree that you can get the horse to water, so to speak, and have it drink. Thats a different battle. One of the things that stood out so well in the report was the dark spaces, the quiet environment that cybercriminals operate in, whether the dark web, the use of tactics to cover up their presence, their methods. How do you see the Law Enforcement challenge in this regard . And likewise, how does technology how do the good guys respond from the technical point of view to that challenge . Well, i can at least give you my perspective, and id love to hear yours from Law Enforcement, but i think one of the things that we have to recognize is technology exists that ultimately changes the way that Law Enforcement needs to act in the Digital World from what Law Enforcement is able to do in the physical world. So, in the physical world, if a criminal has documents in a safe and the fbi has a search warrant, youre able to go and, whatever you need to do to enter into that safe. With things like strong encryption, the algorithms are well understood im going to crash the party. Please. Good morning. Welcome aboard. Welcome aboard. I was protesting around the white house and i couldnt get here. [laughter] so we were talking about the technical challenges that made it difficult for the evolution of cybercrime and i was citing the example that we need to think about the differences in the physical world from the Digital World, encryption as a prime example. With strong encryption, the keys arent available, its ultimately difficult or in many cases practically impossible to get access to that data and we have to accept that. I think similarly, recognizing that technology such as these exist and enable new challenges for Law Enforcement to work through and we cant put that back in the tube. Those capabilities exist and are well understood and we need to look at given the constraints that exist how do we move forward. Ill let you pick it up from there. You mentioned encryption, which is an interesting topic for the fbi, i think a couple of years ago our director came out and made a statement, i thought pretty profound statement about the idea of encryption. You mentioned the safe, you know, the example that was given was do we want to build a house that has an interior room that no one can ever get into . And i think its a fascinating conversation. I dont know that its a Law Enforcement that necessarily needs to drive the conversation, but its absolutely one in the United States that has to be had. Are we comfortable with that . I mean, are we ready to acknowledge the fact that there will be a space somewhere where people can conspire or hide things or do things that just cant be seen by anyone . I have my own personal thoughts on that i wont share. I think the country as a whole needs to have a conversation whether or not were willing to accept that reality, because i think thats a scary proposition. The flip side to that, you know, maybe the idea of using encryption to keep things safe, right, we want to the private sector wants to keep things from the bad guy. The overarching theme of all of this is technology and how its made things more difficult for Law Enforcement. That is, but not impossible. And you remember not too long ago we had the investigation that was the largest kind of dark market or well, yeah, i call it a dark market on the internet and everybody thought that was a really big deal. Last year we had alpha bay which made silk road look like a highway road stand. Right . I mean, it was exponentially largely, but not impenetratable. There are Still Old SchoolLaw Enforcement techniques that work. Dont discount the development of human intelligence. Dont discount the availability of signal intelligent. Dont discount the availability of just good oldfashioned detective work and asking the right questions and being in the right place at the right time and yeah, sometimes that means getting lucky, but you make your own luck. Not impossible. Its absolutely made our job much more complex, and much more difficult and again, i brought this up earlier, there are policy and legal considerations that the law has just not caught up to yet and hopefully in time well have that conversation publicly and well get the decisions and some clarity. Yeah, if youre just building off that point real quickly and then let the other speakers move on, i do think its important to recognize the criticality of nontechnical elements in cyberdefense, especially when we deal with execution. Many times technical, forensic alone isnt able to provide sufficient data to strongly identify where a threat came from and i think we saw a great example of that this week with it being attributed to russian actors. It is the need to combine technical forensics with human intelligence, Law Enforcement techniques, and rely on trusted Government Agencies to make claimants on aatribution. I see one of the researchers that helped us. When we were doing this, the thing that we found was so you have to look at the criminal web to see what tools people are using. Its harder to get than it was a few years ago, so, thats a dilemma, but when we were looking at it, you can rent bot nets. You can rent malware programs. You can buy malware. You can buy ransomware, so ransomware is a commodity industry now at the low end and we actually thought i dont know if you thought this, we thought at one point, were in the wrong line of work, this is so easy now, its become a market. So finding ways to recognize the commoditization of seib cybercrime is advanced stuff. Both of us decided wed rather be researchers and not in jail than cybercriminals and in jail. Now what, john, its good to have you here. John is the head of the daytoday operations of dhss National Cybersecurity and integration center. To a big point, this is our governments 24 7 hub by sharing, Incident Response and coordination. You know, dhs plays the central role for the u. S. Government detecting civilian agencies and managing the outreach with the private sector. So, its a pleasure to have you here. You know, one of the great issues we havent really dealt with that much yet is the question of what can Government Agencies, what can the private sector do to better protect themselves from cyberattacks. I would start with you on this and then, obviously, the rest of our panelists will have insight, also. Thanks. So this is nothing new. I think basic tactic is a good start. Patching vulnerabilities, when theyre supposed to be patched. Keeping up with the latest and greatest in software and Hardware Development in important. Paying attention to whats going on around you. Understanding where everything is on your network, those are all good starts to good cyberdefense. I think the one of the most important things that we push on a regular basis and this is a shared responsibility with the fbi and others, is sharing of information. When something happens in your spot, just because it happened to you, doesnt mean it isnt happening somewhere else. And so, how are you effectively sharing that information so that it can be used for others to defend themselves or in the case of the fbi, we have a regular we have a regular discussion about are we going to prosecute, in which case they care about attributeion and theres a field level where that occurs and we make a decision and get on with it. So you have to consider all of those things. I think there are several important elements that we talk about on a frequent basis, that is preparing your work force, a difficult thing, a longterm thing in the space of this of this problem. Preparing are work force, not only your cyber defender work force thats a constant evolution, that cant be weve ticked a box and there we go. Its constantly for your cyberdefenders to understand whats happening on the dark web, to read reports like this so they understand whats happening out in the world and can better participate in the defense. And then i think you also have to you have to deal with your regular work force. Most of the most of the attack vectors that we see are human generated. Its no longer the idea where the bad guys are going to hack into you through some really highly technical means. Its generally a phishing email or click on the wrong link or a website, you get drawn into the website and click on it and bang, your computer is loaded up. You need to teach your cyberdefense work force and your normal work force to prevent against that and the last thing thats important is making sure that your entity, whether you are a Government Entity or an infrastructure or private sector entity is prepared. And by that i mean you need to exercise what happens when you have a bad day. What do you do . Who does what to whom. Is the ceo involved . Thats really important. We wanna cry we dealt with a medical facility in the midwest. And while the National Health center was shutting down hospitals and services, this hospital was down to 85 capacity because they had done things like proper patching and management. They had segmented their architecture correctly. They exercised what would happen on a bad day up to and including the ceo so they all knew the right thing to do. When wanna cry happened, they had to separate some of their equipment because they couldnt by fda regs do patching on their own. The original manufacturer had to do patching, but they set it up so they knew what to do and knew how to continue to operate and from my perspective we dont necessarily want to put somebody in jail thats what we want to do is we want to stop the bleeding and continue to allow you to operate and do your mission or business whatever the case may be. All of those things, i think, are important if you look at the bigger picture. Very, very good. Yeah, i very much agree with everything you said, recognizing that there always is ultimately a human on the other side and that it isnt all about the technology, its using technology, embracing new technologies aggressively for defensive purposes, but recognizing bad actors are constantly changing their ga i am plan. Theyre using new techniques and preparing your Response Teams for a wide range of scenarios they can practice when its not the crisis situation thats key. And even working through some of the practical challenges that we know are critical to success. You mentioned Threat Intelligence sharing as one. Things that we need to do better, both in the private sector and public sector, but we need to recognize there are challenges with Threat Intelligence sharing. Its a classic case of what we call the free rider problem essentially meaning everybody wants Threat Intelligence, but nobody wants to give Threat Intelligence. So actually working through incentives where youre able to reward the entities for providing Threat Intelligence for the greater good. And working through those practical issues are some of the key challenges that we have. Yeah, i would fall along with two points, one along the lines of information sharing, and the private sector engagement is key for the federal government, for dhs to the fbi, and being in touch touch with those folks on a regular basis. We have a 5013c. And the cybertraining alliance, hundred i believe last count 156 entities that put their analysts and personnel on the ground with fbi agents and analysts and they share that information in an open and collaborative environment every day. Its been so successful now weve opened one in new york and in the process of opening one in los angeles, but thats the kind of realtime information. Again incentivizing that in some way is hard to do, but we like to think creating that atmosphere and working collaboratively even in a supporting role that we may help facilitate that. Pulling out the pings, the flashes, technical indicators, indicators of compromise through the province that the government pushes out i think is a great point. You have to be aware that theres so much of it out there. You dont have to look real hard to find it. We often joke when we write these how quickly will it end up on the internet . The answer is about five minutes after release. Well see it somewhere, you can google it and find it. We have to be careful and have conversations how intelligence gathering version remediation, versus prosecution and determine which direction were going with that. Those conversations are happening all the time. But there is a there is a lot of information out there and i would like to encourage folks to look for it and find it and the other is to tag along with what youve already heard, its security as a culture, right . It has to be more than simply, okay, were going to make a onetime investment and spend x amount of dollars and were safe. Its an ongoing routine, it needs to be embedded in the culture of the entity that security cant just be an afterthought at the cost of doing business. If youre in a transportation sector, you buy trucks, fuel, insurance, you hire drivers. You need to protect your data. That just needs to be something that you do as part of your ordinary course of business, and i dont think enough folks think about it that way. Howard, you mentioned two things, you mentioned incentivization, thats a hard problem. Everybody gets innocecentivized differently. Weve thought about how to incentivize the information flow that comes to us. And we still really dont have a good answer although were having discussions with Michael Daniel at the cta to find a scoring methodology to understand who is providing and who is not and hope those people who are a part of a particular program to account if theyre not participating in a way that we think is useful. I think thats thats something thats going to be grappling with over the next couple of years and i think the other thing we need to do point to a lot of stuff being out there. Were taking a really hard look at what and how we push information. I know its great to really broadcast information and there are certain avenues to do that and thats fairly effective, but were looking at how can we make it more effective and more targeted so that you dont really have to go looking, you know, going looking is one thing and if youre really into it, which a lot of cyber folks are, frankly, how can we do it so that you really dont have to look. We can deliver something to you that is useful to you right away and we still arent there yet, but were having a lot of discussions with folks about what that means. One of the things that weve done internally, weve reduced our profit portfolio from 47 to 12. And in my mind that eliminates a lot of clutter, theres you know, redundancy is reduced and were looking at how do we even reduce that further so we can be really focused and targeted on the information that we push out. So i think those are two things that we really need to think about in the next couple of years. We have a couple of ideas and a report on what you could do about this. The first, one of the sort of less happy things we found was in 2007, thing called the verizon Breach Report which looks at the most successful breaches in 2007. They said 85 of the breaches required techniques. 2017 they said 85 of the breaches required basic things, somethings not right here. We looked at Better InternationalLaw Enforcement cooperation and so you see things like the cloud act now in the senate. How do you improve the online process to howards point about updating the Law Enforcement capacities and mechanisms to fit with the technology. We talked about standardized requirements. One of the things we found with the financial sectors, two or three years ago, imf, they identified cybercrime as one of three major threats to the stability of the Financial System so all of the central bankers who were there took that to heart and went off and began to work on how they would regulate their banks, so, if youre a Multinational Bank operating in multiple jurisdictions, you might have 20 or 30 different sets of regulations you have to meet. My favorite is a lot of countries require pen testing, penetration testing, so if youre a Multinational Bank, you might have to have, you know, 12 different teams every month do a pen test on your system and theres duplication process, your security problems. And finally, we need to figure out some way to deal with the state actuaries, as you know. Weve narrowed it down to the hard core. And one of the things, it was a tribute to the fbi, but in countries like the u. S. , canada, the u. K. , the Life Expectancy of a cybercriminal is project about three years maximum. Meaning if you go into this business and you live in a country where people enforce the laws and have good technical capabilities, theres a good chance youre going to be prosecuted in jail within three years of starting to do something. And theres two problems with that. A lot of countries dont have the capabilities and so, the cybercriminals might live there. The second is the volume is so huge, we talked to one of the bigger field offices in the u. S. And they said they have a Million Dollar threshold. Theres too much cybercrime to look at anything below a Million Dollars. Thats wild. The tide of crime is overwhelming. My advice if youre a cybercriminal, dont live in the u. S. , that would be good advice. Just adding on one thing. I think its important to recognize the underlying dynamics of cybercrime of underlined by the market. The submarkets, the supply chain, the ability to have markets for vulnerabilities, markets for malware, markets for the operation of bot nets or other infrastructure that can be rented by cybercriminals. When we think how to fight back, if we understand that it is Market Conditions that are driving cybercrime, we can look for ways to disrupt those markets. For example, when we think about intelligence sharing, the way i think about it, its not so much about stopping cybercrime, but forcing the bad actors to shift investment from operational execution into r d. So if the cybercriminal has to constantly change their technique for executing a criminal activity, the energy that theyre doing to do that constant retooling, otherwise could be spent on executing crime against a broader segment of victims. And i think really thinking about the Market Dynamics that are the underpinnings of cybercrime can be part of the solution. You know, were at about 9 30 now. Jim, do you feel youve got a bit of time to ask questions of the audience . Sure. Youve got a good panel here so id take advantage of it. Well, lets turn it out to the audience. We have such a Sophisticated Group in washington that covers cyber. I saw you raising your hand. And if you can wait for the microphone and identify yourself, please. My name is tim johnson, im a reporter with mcclatchy newspapers. The report gives an estimate of the loss as 600 billion. And also it contains a mention of the cost of narcotics trafficking and you say that cybercrime still ranks number three after narcotics trafficking and corruption. Would you spitball a little bit, please, i mean, is eventually cybercrime going to surpass Drug Trafficking as a global scourge and how are the organizational structures different . Is there a Pablo Escobar hidden in cybercrime. Ill defer on the Pablo Escobar. I think the answer might be yes, but ill defer. Is there a physical limit how many drugs people can take and its probably plateaued. Whereas cybercrim is a growth industry. So it looks like as long as we continue to rely on systems that are inherently insecure as long as more and more value moves onto the internet, people are going to go after it, especially when, if you live in the right place, you face very little chance of prosecution. I dont know if anyone else wants to add on that. I would tell you that is there a Pablo Escobar . Depends what you depine what that is. A Mexican Cartel run online, certainly there are aspects of that business enhanced through technology, but i mentioned alpha bay earlier. You need look no further than alexander cases, i believe was his name, the man that ran alpha bay. You dont necessarily have to have a cartellike operation to support you if you can hide in the shadows and obfuscate where you are. Its changing what we do as Law Enforcement. We have to reevaluate how were even things how were structured. What do our agents know about this, the crime problem, how are they prepared to handle it . So, its absolutely changing the game. The final point i would add is one of the things the report does call out is theres still a tremendous volume of emerging countries that are just now becoming technically adept and are going to be the future victims for cybercrime. So the growth of the population of potential victims, along with the lack of requirement for physical limitations, the ability to execute cybercrime across borders, i think well continue to see it grow. What we found was that theres a question, that growth is fast, countries coming online and developing countries, but the value of crime is much lower because their incomes are not at that high. So higher rates, lower loss level because people just dont make that much. Go ahead. That will change. My name is patrick haley, im a student at georgetown university. A question about the has there been any thought into or what the constitutionality of cyberspace and cybercrime as far as convicting people for such . As far as convicting them . Well, just what the constitution as far as what the i guess the established cybercrime in cyberspace. There are criminal laws that we use to, you know, to convict and try people, hopefully convict them. There are certainly constitutional principles that we have to adhere to in cyberspace. Its really not any different its different in the sense its not a physical structure, a mans home is his castle and the Fourth Amendment protects all of us from unreasonable search and seizure. The internet is no different. I guess my worry is the freedom of speech type deal, first amendment, theres been some talk about what you can and cant do on the internet that constitutes freedom of speech and stuff. It does, but thats maybe a little out of my lane. I would add quickly i do think we need to think about the physical world and Digital World differently, especially when it comes to things such as selfdefense. In the physical world, if an individual is being attacked, they can defend themselves. A part of the challenge is if you take that analogy and move it into the cyber realm. If a company is being attacked and they track where that is coming from, in all likelihood theyre attacked by a victim who has been attacked by a criminal or actor. Recognizing the nuance of defending an organization by looking who is attacking you is quite different from the physical and Digital Worldmen. Let me come back to the panel and then ill move back over to the audience and i think youve raised me a question that reminds me of the debate of Cyber Security on one hand and privacy on the other. And in dialog, they have been in conflict with each other. And on the other hand to deliver privacy and the right kinds of protection for individuals and you also need strong Cyber Security. How do you see those models that in many in the view of many have been in conflict actually starting to come together moving forward from a policy point of view . In a lot of ways, the good Cyber Security is good Cyber Security. So you want to protect your data if youre a company or if youre an individual and that will reduce the risk of you being a victim of cyber crime and also improve your chances of not having your privacy compromised by criminal activity. So, how many of you have yahoo accounts . I cant believe it, yeah, there were 3 billion people and there were none of you there we have a few. And thats a strange one because it was a cybercriminal working on behalf of the russian state. The data he took was for criminal purposes and intelligence purposes, it was an allweather cyber crime incident. If you dont start by protecting your data, your privacy is going to be at risk. I think we need to rec into iz recognize that technologies exist to protect data and it becomes impossible to restrict using those technologies for criminal purposes because the technologies are already in the public domain. So, i think when we think about looking at policy items that would potentially inflict the ability to get better access to the systems that the general population uses, we do need to recognize that they that will likely push bad actors into using other tools, other implementtation of very well understood technologies that can protect data and i dont think thats something we have to recognize and live with. The name of the legislation in the eu escapes me, but i believe it comes online this month or next month. Jetr. We dont have that yet in the United States. Highly punitive legislative attempt at convincing people that Data Protection is important, you know, cybersecurity is important. I dont know if were standing around this country, everybody is looking at each other wondering who is going to make the first move, i dont think that anybody thinks that legislation is the right way to go, but if we wait around long enough and the industry doesnt figure out how to police itself, you know, my fear is that thats going to be the knee jerk response. I shouldnt say knee jerk because were standing around trying to figure it out. It will be interesting the next six months or a year who is the first one who is going to pay 4 of global revenue for a breach. There are a lot of businesses, 4 of revenue is a lot of money. I think on that point, very similarly, we need to recognize if we do pass policy or legislation that provides access to secured data, that sets a precedent that many other countries around the world can perform similar actions and we may not be as comfortable with things that are coming out of various parts of the world as we would be with things that are here in the u. S. Sure. Well, very good. The gentleman raising his hand. Thank you. Im from the russian embassy. So, first of all, id like to point out that once again without any proofs russia was called a bad actor in cyberspace, but if the United States is so concerned, according to the way the reports of the white house counsel, have experience when in i intelligence one of the catfish of the world were accounted for, 96 of again, the United States with this country the numbers quiet. In this regard, ive got a question. If youre so concerned, why the government of the United States declined all the suggestions from the russian side to start on cyberissues . Thanks. You know, jim, you worked the International Diplomacy beat for a long time. Darn, i was hoping you would ask one of the other panelists to take that one first. No, i think that there was interest, there was a dialog, as you know, between the United States and russia that was relatively successful prior to 2016 and so they had regular meetings, they had a hotline. They had exchange of doctrine so it was relatively successful, but it kind of fell off the rails in 2016. I dont know if theyve resumed it. That would be one of the things to look for in the future, but right now with all the turmoil and the bilateral relationship, its hard to see how you can have a useful exchange. Im not sure, you know, i always thought the hotline was kind after dumb idea because its a leftover from the cold war. A lot of people who do this are cold war arms negotiators. If you pick up the hotline and lets say someone does something to you, and pick them up on the hotline, was it you . And of course, it wont me. If they didnt do it, call you up, no, it wasnt me. And we need better mechanisms. One of the questions would be russias proposals in the u. N. To maybe move forward with another code of conduct and working group. So russia has been very active. Bilaterally i think its going to be hard for a while. One thing i would add i think the report does call out the example where the agreement between president xi and president obama on restricting the focus of government sponsored industrial cyberespionage appears to have been effective while recognizing that traditional espionage and intelligence activities of modern, mature nations is going to continue and actually separating those two realms can be a step forward in looking for ways to decrease the criminal element of cyber across worldwide countries even when they differ in other ways. Ive got to say i like the indictments, i thought they were good, solid indictments. All of us have been in the indictment business for a while. It was pretty solid stuff and so, you know, thats going to be one of the obstacles that well need to get out of the way. The indictments, i found them compelling in the degree of evidence. Having worked on pla case, cases, justice doesnt like to go forward until they feel they have enough evidence that they could actually win in court, right, and so the fact that when they are willing to go forward to make an indictment, based on what i thought was a pretty good investigation, that that means that theyre confident that should the case ever come to trial, they would be in a position to win. And so to use the pi as an example, the gene pool that they looked at was 200 cases and from that they were able to find five that they thought would be successful if brought to trial. So, this is a very complicated process, but i thought the indictments, the recent indictments were very powerful and thats one of the things we have to deal with. This is a good broadbased dialog that we all looked forward to. The gentleman here with his arm raised with the blue tag. Yes. Yes, through the study did you find a threshold for investment to substantially reduce your threat of being a victim of cyber crime and then, also you talked about patching and how do you avoid the vector of a legitimate what you think is a legitimate patch being cyber crime event. Do you want to take that . I can take the second one first. I think one of the things we need to think about with patching is every organization has to look at the risk associated with patching and not patching, whether its a vulnerability that is resolved through a patch. The risk of patching is youll break applications potentially that are critical to a business and the risk of not patching is youre vulnerable to the cyber exploitation. One of the reasons i believe that wanna cry has been so impactful, there hasnt been a high volume worm for quite some time, over a decade, so the i. T. Industry has been conditioned that there was very little penalty for delaying patching and they didnt necessarily recognize the risk of not patching. The analogy i use sometimes is, if you put a pot on the stove and go to work, your house probably wont burn down. You can do that every day of the year and likely nothing bad will happen. That doesnt mean thats a safe practice and i think thats the trap that i. T. Fell into is over the last decade, there was really no penalty for delaying these patches until we saw a selfspreading worm, as we saw in wanna cry. And you hit on the key thing, the reached decision and at this point its mostly based on cost. Its a model risk decision. So, equifax, should they have patched . We can say now that they probably should have, but they made a conscious decision not to for whatever reason, whatever their business calculus is and thats, i think, the complacency we have now because we havent seen this before sorry, havent seen it happen recently. So its always going to be a balance of whats the cost versus doing it or not doing it. So were close to 10 00 now and i think weve run over a bit. So i urge that we take one final question and call it a day. You, sir. Hi, so, usually when i talk to people about Cyber Security and really in context of internet connected devices, alexis, nest. So what if somebody gets my data on eavesdropping on me and my wife discussing what we need to buy for tomorrow or who is going to pick up the kids . What do you say to that . I think one of the most Dangerous Things about consumer i. T. Devices is that they can be breached in order to be turned into weapons for an attack. This is what we saw with the attack about a year ago where the objective of breaching those devices wasnt about getting the data off the devices, but taking all of these smart connected devices around the world and using them as a weapon to, in that case, target the underlying infrastructure that ran spotify, twitter, some of the other key sites on the internet. I think we also need to recognize that some of the new cyber crime models allow for incentives that would drive criminals to look at these devices. If you can hold a smart tv for hostage and basically say, pay 100 in bitcoin to get access to your 2,000 tv back, that now becomes a reason for a bad actor to go after those devices where they would get paid rapidly without having to sift through the hours and hours of mindless banter that they would otherwise be eavesdropping on with all of these Consumer Devices around the world. Were seeing also, just in the recent couple of months, were seeing not just iot, but, for example, county systems that are infected with a script that uses up almost all of their cpu and they come crashing to a stop and the purpose for that is bitcoin mining, or cryptocurrency mining. So were going to see, i think the next step is there are going to be some of those scripts built into iot to significantly grow the population of cpu power, if you will, that is use today mine cryptocurrency. I would, you know, maybe take a slightly different tact. Its always difficult for the organization to say this to people because you dont want them to jump you dont want them to go crazy, oh, my god, am i really at risk . But talking about what time youre picking up your minor child, johnnie is going to be sitting by himself at such and such a place what time can you go get them . I dont know that i dont want them out there. Im not going to discuss every day, but i dont think that people again, i mentioned 45 minutes ago about security as a culture. I dont think that people dont think that way, especially in their home, its not a way they go about doing their business. Maybe if theyre sitting in a restaurant or a public place theyre more guarded with their conversations, at home is a place where you feel comfortable to be who you are and say what you want to say and have the conversations that carry over several different threads in several different rooms and you know, again, to be individually utilized or to be breached to cause some harm to the user, thats our biggest fear. I mean, certainly we dont want to see any more iot attacks, but the idea that somebody could use that to geo locate a child, that should be a concern. What difference does it make . You tell me. Its a risk calculation is what it boils down to. I dont have one. Ill leave it at that. Well, very good. I think this was a fine discussion. First id like to thank you jim and your team of scholars for deliver what was and is a very substantial report. Our audience, thank you all for attending and your contributions and then, of course, our other panelists, thank you for your insights and work. You know, the last thing i would say is for mcafee, we take pride in supporting Academic Research of this find to further the technical and policy discussion on cybersecurity so we can end up in a much better environment thats much more of a win hwin situation. Its a long march and hard march that were dedicated to. With that id like to conclude our discussion and wish you all a good day. [applause] [inaudible conversations] [inaudible conversations] [inaudible conversations] [inaudible conversations] [inaudible conversations] [inaudible conversations] [inaudible conversations] while the u. S. Senate is in recess, book tv is in prime time each week. And talking about the impact of early computer programs and modern technology. In his book the friendly orange glow, and Silicon Valley, the growth of personal compute, video games and biotechnology. Her book is called troublemakers. Former New York Times tech columnists looks at Silicon Valley the know it alls. The cspan bus is travelling across the country in our 50 capitals touring. We recently stopped in little rock arkansas and asked the folks whats the most important issue in their state. An issue important in arkansas right now, theres a Huge Population in the area, northwest arkansas and so what we see is hot of the hispanics arent coming to college and we have the program and all it does for all High School Students to know that they can come to college. For me its really important not only hispanics, but everyone has that opportunity to know that like, okay, regardless of whether daca or undocumentation or whatever circumstances you may be, you can go to college. Thats important right now for us. The issue thats important for me in arkansas is animal welfare. Im in Animal Rescue and we deal with a lot of abuse and neglect and we dont have Law Enforcement backing or we have laws in arkansas, but theyre not enforced and not very strict, so, its a big issue for us, because we deal with the animals and we see what they go through and we dont have anyplace for these animals to go, we dont have this for them and people are not held accountable for abuse they inflict on animals. Thats a big issue for me, stricting laws and more enforcement of those laws and backing rescues and shelters to hold people accountable for what they do. I really dont want anybody in government doing much of anythi anything. I believe in the state the government tries Different Things and create Different Things and see how they work because most of the Big Government ones, if they dont work out very well, its very hard on the whole country. And i believe thats what the founders wanted to do is to use the states. I think for services of little rock and the state of arkansas and in the area for our representatives in d. C. To take a look at and thats the Affordable Care act. This is they talk about the flu season, so health care is important for each and every individual while education is important, working is important, with regard to health care, we should perform those to the best of your ability. So i think thats a major issue for little rock citizens, arkansas and all of america. And what the leaders in d. C. Can help arkansas, our farmers, agriculture is one. Number one industries in a state. We have an upcoming farm bills to protect our farmers rights and we have things to protect the poultry industry and they cannot attach riders to that and allow that to pass and they can protect our farmers. I think thats most important thing taking care of our constituents at home. [inaudible conversations]