We need stronger on that issues. The C-SPAN Battleground States Tour.

And we're live this morning as the Washington Post hosts the Cyber Security summit with remarks from former Homeland Security Secretary Michael Chertoff and National Intelligence, James Clapper. Live on C-SPAN2.

One year ago this morning, journalist and Washington Post contributing columnist Jamal Khashoggi was brutally murdered in Istanbul. The Post has been paying tribute to Jamal throughout this week, and just moments ago Post publisher Fred Ryan and the Post's owner Jeff Bezos spoke at a memorial for him in Istanbul, just steps from where Jamal was killed. Jamal's courage and his work will not be forgotten. For me, Jamal inevitably brings to mind the importance of a free press. But more broadly, our ability to access information and communicate openly is the lifeblood of our democratic society. So much of our communication is done digitally over texts or emails, on social media platforms. Our digital lives are encoded in data. They're ping-ponging around servers all over the country, on networks throughout the world. Securing these spaces is critical for free expression and for free enterprise, and understanding the threats we're facing is an important first step. But issues of cyber security are not always clear-cut. The same technology that keeps classified government information from getting into the wrong hands can be used to shield criminals in the darkest corners of the web. The hacking tools used to track journalists and dissidents are similar to what law enforcement uses to track criminals and terrorists. We're going to get through the front lines of cyber security and governance working to keep everything from our elections to our smartphones and emails safe. Before we get started I'd like to thank our nonprofit sponsor the Washington Institute and our supporter sponsor the University of Virginia.
I'd specifically like to thank our presenting sponsor Raytheon, and he's going to say a few words. Thank you.

Good morning. Thank you, Kris, and the Washington Post for a discussion on such an important topic to our national security, and thank the University of Virginia, my alma mater, and those alongside Raytheon. The speakers are keeping us from cyber threats. And addressing the community and the challenges we face. What better time to come together than the National Cyber Security Month. This year's theme is to own it, secure it, protect it. And making it a lifetime campaign and not just something we focus on once a month. I believe that cyber security is truly a shared responsibility. Not only is it in our democracy, over the years we've seen interference in our elections, critical infrastructure and private sector. Today's experts will address three key themes: the need for trusted public-private partnerships, the importance of information sharing and helping combat the threat. The place where it truly lies providing technical solutions to cyber service, secures the security posture and improves the government organizations. Thank you, again, I look forward to a great exchange of ideas this morning.

To Washington's most blatant the election may be 14 months away, but the campaign is now and we are probably, as we speak, suffering from the foreign influence on our democracy through pushing out extremist views and fake news.

So ladies and gentlemen, thank you for coming this morning. I just want to join in what Kris said at the outset. This is an anniversary that has a lot of meaning for us at the Post, the fact that our publisher, Fred Ryan, and our owner, Jeff Bezos, traveled all the way to Istanbul to talk about my colleague and friend, Jamal Khashoggi, and all of us here at the Post feel very grateful for, and I wanted to share that with you.
Today we are going to talk about cyber security, interference in our 2020 elections and a way to deal with that, and we'll talk with two of the people who are most familiar with these issues. First, former director of Homeland Security, Michael Chertoff. Second, former Director of National Intelligence, James Clapper. Each knows cyber and these issues and the difficult political and legal background, as well as anybody who has served in government. I want to start, gentlemen, with a question that's on everybody's minds this week. It involves the question of interference in our elections, but this is the complaint that's been raised by the still unidentified whistleblower whose complaint is now before the House Intelligence Committee and subject of an intense national discussion going all the way to the issue of impeachment. Without asking you what you think about whether the president should be impeached, I do want to ask you each the baseline question, whether you as experts in this area find the whistleblower's complaint, which we've now read, urgent and credible, both of the words used, and then second, whether you would think that it ought to be investigated to determine whether it's accurate?

Well, maybe I should start since it's, I'm sort of familiar with the Intelligence Community Whistleblower Protection Act and the complaints that are submitted with it. I would say that of all the whistleblower complaints that I ever saw during my six and a half years at DNI, that this was the best written, best prepared, footnoted and caveated as appropriately as it should be. And the law prescribes that once a whistleblower complaint is submitted, it goes directly to the Intelligence Community and Inspector General, which became statutory during my time as DNI and, accordingly, acts independently. The Inspector General makes a determination about, is the complaint credible? I don't recall ever having one declared to be urgent. And so that was done.
The whistleblower complied meticulously with the provisions of the law. And for me, it was one of the most credible, compelling such complaints I've ever seen. Should it be investigated? Absolutely. That's the whole premise of the Whistleblower Protection Act, is that a serious, credible complaints of wrongdoing should be accordingly investigated.

Mike, what's your feeling about the same issues? Was it credible, urgent, and should it be investigated?

Well, I can't judge whether it's credible because I think you have to obviously investigate, you have to determine what's the basis of knowledge is. If the person, were they in a position to know certain things or not know certain things. There are probably other people that will have to be talked to. What I would say is this though, obviously it's a matter of significant concern. Any investigation ought to be dispassionate, fair, thorough and expeditious. What should not happen is people announcing the results they think they're going to get before the investigation is done, because that impairs the credibility of the whole process.

If I could add just one other point just to be clear, the law stipulates a period of 14 days, I believe, where the Inspector General can investigate the allegations contained in the complaint, and that was done in this case where there was, within the time limit of 14 days, a corroboration, at least in the IG's mind, before he forwarded it.

And, Jim, let me ask you, because you were in the position acting DNI that Maguire was in. He made the decision when he received this from the Inspector General to go to the White House and the Justice Department, the Office of Legal Counsel, both institutions part of the whistleblower's complaint. Do you think that was appropriate?

Well, he is in a tough place. Here he had been acting Director of National Intelligence for about six weeks and this, you know, arrives on his doorstep.
So I think the way I've answered this, I've been asked this, beginning to be an FAQ, frequently asked question, and the way I've responded in the past, I think that institutionally Joe did the right thing. The problem of course, by consulting with the DOJ and the White House, and he had a genuine concern about violating executive privilege or he doesn't have the authority to waive executive privilege. Now, you can argue that the cows come home, but was that the right thing to do where he's consulting with an element of the government that's implicated in the complaint? And you know, that's a judgment call that he made, and if it were me, I honestly don't know what I would have done. I trust what I would have had is a very extensive and deep counsel with my general counsel about the pros and cons of doing that, and I'm sure Joe did the same thing.

Mike, I want to ask you about a question that is becoming more and more central now, and that is, how can Congress compel testimony either through subpoenaed witnesses or depositions, other documents in an investigation that it deems essential, but where administration officials are withholding that information? What happens next?

Typically what's happened in the past, particularly when you get a subpoena, but even if Congress wants you to testify, is they usually hold the power of the purse through appropriations, and generally government officials go along with it because the sanctions they face, the money gets cut off. I guess if you're going to be technical about it, what would happen, a subpoena would issue. If someone failed to appear, they would then go to court, that Congress would go to court and they would get a court order mandating the person to appear, and if the person still failed to appear, they would be held in contempt of court. The other possibility is someone could appear and decline to answer certain questions on the ground that they are privileged.
That gets you into some tricky legal issues about whether Congress has the direct ability to impose contempt or whether Congress has to go to court. As with most things in the American legal system, you usually wind up with a potentially extended litigation because you're dealing with unprecedented issues, and that means everybody is going to wind up being careful about how they deal with them.

And would you guess, based on your experience, that this issue is going to end up in the Supreme Court before it's done?

It's quite possible. Obviously, everybody remembers back in the early 70s with the Nixon case, but the court, given its schedule, only has a certain amount of bandwidth, and in some ways by the time it gets up to the Supreme Court you're talking about months having gone by, so there may be a tension between the tempo of these investigations and the tempo of the court system, but again, it's hard to speculate because we don't, we haven't yet seen a concrete dispute that emerges that's ripe for court.

So I want to turn now to our main subject of political interference going forward in the 2020 elections. And I want to invite our audience here and also watching this on live TV, if you have questions you can send them to me, right at this little iPad PostLive and I in theory will see them here and ask them. Let me ask Jim first and then Mike to give us a sense as we head toward 2020 of how well-prepared you think we are to protect our elections from the kind of interference that we've seen now powerfully in 2016 and in 2018, too.

Well, having happily left the government, I don't know. It's my impression that a lot has been done certainly among the key agencies, FBI, Homeland Security, all of those that are stakeholders, and I think a lot has been done over the situation where we were in 2016. But you've got to remember, you know, our voting apparatus is very decentralized. It's done at the state and local level, not at the federal level.
I was really taken aback during the 2016 and what we were seeing the Russians doing when Jeh Johnson, then Secretary of Homeland Security, reached out to voting, election commissions at the state level and got a lot of pushback. We don't want the feds messing with this sort of thing. So, I think, but having said all that, I am confident that a lot has been done to make it better. If I may, David, just make a point here, which I, whenever this topic comes up. Securing the voting apparatus, voting machines, computation votes, the transmission of votes and all of that, that's hugely important. But that, to me, is one bin of the problem. The other bin is what I might call, for lack of a better term, intellectual security. Meaning how do you get people to question what they see, read and hear on the internet, and this is where the Russians exploited us, exploited our divisiveness by using social media. So, that part of the problem I'm not sure about.

Mike, let me ask you the same thing of how vulnerable you think we are headed into 2020, whether the resistance that Jim describes to federal help, to the state and local governments, whether that's changing. And then also, maybe you can comment on the broader question that Jim raises about the way in which our information space as a whole, now, has been, it looks like, contaminated.

So, first of all, I agree with Jim. I think that the federal government has been much more active and I think the states have been much more willing to accept help. I figure we'll hear more in the later panels about that. I also agree that actually the machines themselves in some ways are the least vulnerable because, a, they're decentralized and, b, not normally hooked up into the internet, just briefly. You'd have to have physical access. Where the greater challenges are the registration databases, the tabulation databases and the infrastructure around voting, which includes, you know, is your power working? Is transportation working?
Can people get to the polls? And these issues require not just preparing to raise your level of cyber security against hacking, but it also means resilience. If there is something that makes it difficult on election day, either the database goes down or if we can verify who is entitled to vote or the trains stop running because of a cyber attack, is there a plan for what do you do next? And that's the essence of resiliency. You have to have that in advance. You have to make sure you know what the plan is, that you have the authorities and that you have the capabilities, and I think that's an area we ought to look at. And on what Jim called the second bin, which is disinformation, I think that's a challenge broader than the election itself. Obviously, one of the approaches that the Russians and frankly Chinese also take to geopolitical conflict is the information space, what they used to call active measures. And the idea here is if you can disrupt the unity of effort of the United States or Europe or other democratic countries, then basically you win without firing a shot because people don't trust each other and they don't trust institutions. That's what we've seen over the last ten years. In fact, it goes back decades. What has changed recently is social media and the ability to manipulate that to drive carefully tailored messages to particular individuals, and that's an area where I think we're still trying to implement standards and approaches that would mitigate the effect of that, and job number one is to get people to be critical in their thinking when they see a story and not to be accepting it as true because it's, quote, on the internet.

So just going to this point that Jim and you both now have discussed, the more we talk about the insecurity of our election systems, in a sense, the more people have it in their mind that there's something wrong here.
A friend who runs the cyber security for one of the big social media companies said to me recently, what the Russians really are doing is weaponizing uncertainty. That the very fact that you're uncertain whether these systems may be attacked leads to less faith in the outcome. I just want to ask you, I think it's one of the hardest questions there is. Is there any way to reduce that weaponized uncertainty that you can think of that's appropriate for a democratic government, Jim, Mike?

I would say this. I mean, one of the points that's been made repeatedly is you need to have a verifiable, auditable systems for actually getting voting, and whether it's a paper ballot or various types of tools that would encrypt a copy of a ballot. They need to assure people if there were a dispute it might take time, but you could go back and actually manually count. I think that's an important confidence building measure.

So any thoughts?

You know, I don't have any silver bullet suggestion here other than imploring people to think critically, try to corroborate the information they're absorbing, pick and choose your sources, that sort of thing. I'll often fantasize about some sort of a national fact checker, unassociated with the government, perhaps. I don't know quite how you'd constitute this, but the fact checker would be seen as uniformly and universally credible, but somebody like that that could verify or refute what is being said out there on the, particularly on social media.

It's tricky, we don't want a single authority telling us what's true or that sounds like Big Brother. I want to get to something that you're both involved in. It's a creative effort to deal with this problem and draw the public in. It's called Cyber Dome. And maybe I could ask each of you just to explain the basic idea of this, what sorts of services they will offer to candidates around the country in 2020 and hopefully for many years to come. Jim, why don't you start that off?
I was approached by a group, a group of citizens, public spirited and like minded citizens who aligned themselves with cyber security experts and put together waist designed on a bipartisan basis that support and assist campaigns and particularly the two committees to secure themselves. It's not a government thing. They're seeking funding outside of the government, and Mike and I have both approached about it and are serving on their board of advisors, Mike.

Yeah, I mean, the idea here is, nonprofit organization that will offer free of charge to campaigns cyber security advice. Now we've had campaigns hacked for years. Remember back in 2008 campaigns were hacked. Well, different in 2016 was not only were the campaigns hacked by foreigners to see what the campaign was thinking about from a policy standpoint, but some of the content was disseminated by the Russians and put out there in the 2016 election again to try to, in order to demoralize, and that took it to a new level. What we're trying to do is get the campaigns to raise their game when it comes to protecting against these intrusions, which as I've said have been weaponized against.

So I urge people to take a look at what this Cyber Dome is proposing. It's a creative idea, it's not the government doing it, but private citizens in the way that should make it easier for people to draw on help, and as we think about how we're going to protect our democracy, which turns out to be more fragile than we realized. This is a pretty good idea and I'm pleased to have these two people who are associated with it here with us. I want to ask another question. Works under the surface of our national debate now and it's a hard one, but there are a lot of people out there, it's clear, who think that there's something that they call the deep state. And they think of probably people like the two of you, experienced national security.
[laughter] Not, no criticism intended, but they think of experienced individuals, Jim Clapper, who served as I remember over 50 years as an intelligence officer, and I think of Mike Chertoff, in security, seen every part of our government, and they worry that you've got a kind of hidden hand on the nation's steering wheel that surfaced in the whistleblower complaint. What the heck is this CIA guy doing with the NSC staff investigating the president? It can be interesting for people, if each of you would just respond from this long experience that you had to this argument that's out there in America, and what is it, Jim, that you'd want to say?

Well, I never heard of the term deep state, maybe I was in, you know, ignorant bliss or something, but I never heard of that sl the campaign and afterwards. Allegedly this is a conspiracy of career government public servants who somehow organize themselves into a conspiracy to undermine or overthrow the president, which on its face is ridiculous. You know, the Intelligence Community, it's almost truth to power and under whatever difficult circumstances that may be. The power of the truth, they have to keep telling it. My experience has been, everybody has their political views, but they, again, my observation has been consistently they parked those political preferences at the door before they walk into the office. So now, unfortunately, this recent whistleblower complaint coming from a member of the Intelligence Community just fuels that conspiratorial fire that there is such a thing as a deep state.

A deep state that comes out of an entirely different context, it has to do with countries where the military is so powerful that they also control a lot of industrial base. If you look, for example, at the Revolutionary Guard in Iran. They, in addition to military capability, they control industry. We don't have any of that, as Jim knows. Our military is under civilian control and they stay in their lane.
Likewise the Intelligence Community is hedged with a lot of rules and we have courts that supervise almost everything. If you look at the history of surveillance programs and the controversy about those. Those have you wills an occurred because somebody was uncomfortable with the decision being made and it got to court or Congress changed the rule. We're the opposite of the deep state. I understand that Americans have had a suspicion of government, that's not civil servant, but having the government not overstep its role with the private sector, and our solution in our Constitution is we break the government into three parts and we also have federalism. What people miss sometimes is, much of the real powers at the state level in terms of the police and enforcement mechanisms, and that's one of the things that guarantees that our government cannot overstep or really commit misconduct.

Final question, again, one I think every member of this audience probably would want me to ask you. What's the damage to our national security agencies, to the people of the CIA, other intelligence agencies, the FBI that you worked with closely, Mike, this period in which you have the president calling the whistleblower, a CIA officer, a spy and accusing him of treason? What damage does that do for the people who work for these agencies and also to the partners we have around the world who are our central liaison?

August is not good. It's not a good thing and I think it affects a lot of people, but I have to say it's a dangerous thing to try to characterize, another FAQ, what's the morality of the Intelligence Community. Intelligence Community is a largely dispersed enterprise and there are thousands of people and tell the community that aren't affected by this stuff at all. If you're at Mission Ground someplace, Denver, Pine Gap, in embassy X someplace as an intelligence officer, you're just there doing your job and you're just not affected by this.
So the specific elements that are really directly affected within the Intelligence Community are of course my old office, Office of Director of National Intelligence. The agencies, the CIA and FBI, it does have an effect on them, but there are vast parts of Intelligence Community that aren't affected. Just because they're a part of the Intelligence Community and they're getting regular badmouthing, that's not good for morale and it's not good for our intelligence partners who share with us in good faith, you know, information that they believe is germane to our national security. Things.

I'd like to say two things. My observation is by and large the agencies, when there are ups and downs and controversies, people still go about their business professionally and the vast majority are dedicated to their work, and whether things are comfortable or not, that's not going to change the mission. And the other thing I would say, generally Jim and I attest to this, our relations with our good partners overseas at an operational level have been generally able to evade the vicissitudes of politics even when they're at their throats. In the security space they know how to trust each other and this will pass, but I would leave you with this thought, I happen to be the chairman of the board of Freedom House, we set up over 15 years ago to promote freedom around the world. People look to the U.S. as a beacon for the values of democracy and freedom and the rule of law, and when we stand for that not only do we have friends, but I remember in an office in Central Eastern Europe, who had been high school students during the Cold War and under the boot of the Soviet Union. They said to me when I met them several years later, the fact that Americans like Ronald Reagan spoke up for freedom, tear down this wall, inspired us to keep strong and to keep struggling for freedom. And that is one of the most powerful weapons we have and it would be a shame to lose it.
So we've had two of the very best people in national security to kick off our discussion this morning on cyber security. Please join me in thanking them. [applause]

Our cyber attack was not unique. Digital extortion has been affecting many organizations in the public and private sectors, and cyber threats are becoming much more hostile and frequent, and we must continue to understand how to protect ourselves against these attacks when they occur. Time and time again we've seen that those attacks can be debilitating for people to access medical, buy a home or even call 911. This is not a state or local problem, it's a national one, and we should invest accordingly at the federal level.

Hello, everyone, my name is Joe Marks, I'm from the Washington Post and I'm here with Jeanette from Homeland Security. We're here to talk about ransomware, when hackers not only steal your computer files, but they also lock them up and won't release them until you pay a ransom in bitcoins, and this has been a huge problem hitting cities like Baltimore and Atlanta and major industrial players and police stations across the United States. What's the DHS and the government doing about it?

Sure, for those of you who don't know, from the Cyber Security and the Infrastructure Security Agency, established by Congress close to a year ago, to be the federal government's central point for leading cyber security and physical infrastructure security, in working with our partners in the private sector and state and locals. And so first, also, if I may, today is the second day of National Cyber Security Awareness Month, for those of you who are not aware, you are now aware. [laughter] And so, and the recent sort of state of ransomware attacks highlights the theme that we've decided to focus on, which is about accountability, and both as an individual, we're all consumers. We're all employees of an organization. Some of us run organizations and so, how do we any about how we own IT.
And how to secure and how do we protect it. Importantly, we're very much focused on those organizations who don't have the hundreds of millions of dollars of resources to do all of these things. Oftentimes in the cyber security circles we talk about advanced, sophisticated, sexy concept, and the reality is, as the ransomware attacks have shown, is the willingness to attack the most vulnerable organizations. People who are willing to stop schools from functioning, hospitals from functioning, municipalities. It takes a certain sort of low kind of criminal to do that and we're trying to step that up.

And it's also, in addition to being pretty malicious, are these people relying on the brightest and best new hacking technology?

No, not at all. Much of the technology that they're using is, you know, sort of commodity malware that anybody can find and run. There is some more sophisticated stuff and there's definitely some money in this, and in many cases the incentives are a bit misaligned and ments and with the payout, I always say you shouldn't pay out. That being said, I'm not the person in the midst of making that tough decision about what's going on and I don't fully understand what their risk calculus is. And when you have insurers and others that are going to cover that, that furthers our problem of misalignment of incentives. We're trying to focus on building resilience and tools. We're releasing very soon a set of cyber essentials in just a place a lot of small, medium businesses they spent a lot of time on focuses to the electric center. A lot of people say, where do I start? If I have 5 where am I putting that for? And this month, along with essentials, we'll focus on that community.

Is that a new thing to focus on small and medium businesses, the 5 problems rather than the 500 million?

I would say we've worked with state and local and medium sized businesses. Oftentimes the 5 problem can turn into a 500 million.
Many of these might be public safety or might be connected somehow in the supply chain of a larger sort of traditional critical infrastructure. So we don't think we can separate those two communities as much.

One ransomware problem that your office talked a lot about is the concern about a ransomware attack from Russia or anyone in advance of the 2020 election. What are you doing to protect that?

First of all, I want to be clear there's not a specific threat we're aware of. We're sort of logical extension as we're seeing this. That's a potential scenario, and there are very basic things to prevent yourself from becoming a victim of ransomware. Back up your systems and updating. And nor do I believe it's our role to do that. What we're doing is publishing more documents. In August we published ransomware, partnering with associations, state and local leaders and getting the message out, thinking where they're taking the IT money and spending on preventive measures and being able to understand how the federal government can help them in the response scenario.

Big picture, after two years working on this since the election. How confident should Americans be that 2020 election will not be compromised by Russia or another actor?

I'm confident that the tally of the votes, what they actually put in the machine, and Secretary Chertoff talked a little about the broader sort of architecture. Some things that we've focused on that increases our confidence, and I'm talking just about election infrastructure and not the disinformation, which is separate but related. In 2016 I saw three sort of main gaps, the first was around visibility. How do federal and state and locals have a common visibility and how it's manifesting in their system, you know, recognizing that it's not the voting machines that are necessarily connected, but there are systems that are potentially accessible remotely. So we focused a lot on visibility.
We spent a lot of time and effort to a point now where we have sensors covering all 50 states, so that's a huge improvement and allows us to take intelligence information from the federal government or threatened companies and quickly pinging those sensors. The other thing is ensuring that we have an understanding of the communications protocol, so in 2016 if we have somebody with potential victim, or a target, our practice is to go to the owner of that system, and we need to work out to make sure that the senior official in charge of elections in the state also had visibility. That's something that we worked out and exercising that. The last thing was how to speak to the public and make sure the public is getting the facts, and this gets into the disinformation side. So we did some really unique things, having an exercise with media, so that they would understand how the election day would unfold. Making sure that we had quick abilities to run down. If somebody is posting on Twitter that a voting machine was behaving erratically, making sure that to get the facts to the media and the public. So those three areas we continue to focus on, and in 2018 I think we're really able to demonstrate a level of a cross party, cross sector coordination that we weren't able to do in 2016 and continue to expand that, and including now the private sector, those who do make the voting machines and e-poll books and all of that, in the coordination leading up to the election from the time the first ballot is mailed and the final vote is tallied.

Despite all the work, hackers at the security conference in Las Vegas looked at a bunch of voting machines in 2020 and found vulnerabilities in some sort in all of them. There have been other reports about voting machines are connected to the internet when they shouldn't be and possible supply chain issues. Should the American public be concerned about that? How should they think about those vulnerabilities?
I think it's important to think of these in context. Need to still work through the report from the DEF CON Voting Village. And we want to make sure that real life happened, that's important. People who work in cyber security. You're not dependent on one machine being fully secure all the time and not ever be able to be hacked. You put things in place, physical and personnel, and that's what happened with state and locals, frankly they've gone tore years. If you think about the transparency of the voting process. Every time they're tallied, you have voters from both parties looking at the tally of the votes. There's a lot of indicators if something wasn't adding up, if it seemed like misalignment of votes. We remain sort of focused about any actor who seeks to spread disinformation or dissuade people from voting, and that's always a concern and that starts way before election day, and so we are going to continue to work to make sure that people understand where their authoritative source is, that they can get a provisional ballot even if something on the registration is not showing they're eligible to that.
You spent a lot of the last two years trying to get from people you don't trust and nations you don't trust, and intelligence and Huawei off government systems. Is there a process figuring out a way to get things more secure upfront so you don't have such a long process for the next person and the next Huawei?
Well, there's a few things there and that could easily take multiple hours to talk about it. On the kind of the secure by design sort of concept in thinking how do we have more security code and there's a lot in the community. How could you build more secure coding practices. And transparency, so you know a lot of products are compilation of different code that comes from different places or different programmers, that may come from different countries. How do you have transparency in that? That's something we'll try to continue to evolve.
From our perspective with they thought us is that you can't have a very sort of blunt approach and say, well, everything from x country is bad and we can't use that. Our economy just doesn't support that. We've chosen to outsource a lot of things over decades and we can't just flip that switch. We do want to get to a point where we have more trusted capabilities, but what we really learned the threat is important, but you can't just sort of hope that you will get to a point where you have this perfect case of a company is a witty agency of a foreign agency and get rid of that. What we kind of came to is three components of thinking about, and we would encourage others in procuring your IT services, is that the country's law where the data comes from or is stored is important, and there are certain laws regardless whether a company would be wants to cooperate with their government or not, there are laws in Russia and China that would compel them to provide that data. Which was the case. We're not comfortable with that. There's access to your data that IT has. There are things in IT that don't have a tremendous access to data. An antiviral tool has a lot of access and that's the second, and the last thing thinking about market prevention. If it needs those things, maybe something made in the U.S. en it's not something we need to overly focus. When Congress passed the SECURE Technology Act last December, which didn't get a ton of press, it happened to be passed the day of the shutdown, other things happening. But there was a really important piece of legislation because it set up the framework by which the government could do what we did in Kaspersky. And we set up the acquisition and the supply chain council and that will allow us to have a more systematic and straightforward. And the other thing, doing in a classified or even a public way.
The reason we did it publicly, we wanted to ensure that anybody who potentially would be negatively impacted would have a voice know our decision. And what that resulted is, people not under your direct authority are following our guidance. So we're that doesn't necessarily have to follow our orders.
Looks like we're out of time. Thank you for coming. [applause]
When bad actors try to use our site, we will block them. When content violates our policies, we will take it down, and when our opponents use new techniques, we will share them so we can strengthen our collective efforts. We strongly believe that privacy and security are for everyone, not just a few.
Hello again. My name is Joe Marks, as you probably remember, the Cyber Security newsletter. And I am here with a great private sector panel. We have Google's head of counter espionage, Shane Huntley. The director electronic, and from Citizen Lab, John Scott-Railton. It occurred to me as I was thinking about the panel, you guys all look at a vast array of bad people and bad organizations that are targeting the people you work with, from criminals to foreign governments to sometimes people's own governments and intelligence services and stalkers, malicious people in your life, stalkers and sometimes partners and exes. And I thought heading down starting with Shane, who are, rather than what are, the main people that are causing problems for the people you're trying to protect online?
Well, in my case, my team really focuses a lot and solely of governments, and what we're seeing these days every government or most governments are really engaged in this activity for espionage, for speculation and information. And growing every time. We have the big maps where we color in the countries and we see a country which is like activity we've seen it from. And year and year there are more countries white rather than red.
And it's really everyone and it's growing and I think the sophistication is also growing between the, the gap is closing between the high ends and what was kind of the low-end sophistication, that that gap is growing, that this has become more accessible and seeing more players from the Middle East, around the world, and the capability, by this capability. So day in, day out we're seeing this targeted.
Host are you still seeing Russia, China, North Korea the biggest threat? Or democratized, the word there.
And those four are definitely the biggest players in the space, but as I said, it's a lot more broad. If you're somewhere in the Middle East you might be targeted by your own government specifically and we, like, equally warn all of these users that we have a participating we put out, we believe you were targeted of government-backed attack, and to give you an idea of the scale, we warned 36,000 users that we saw phishing or something going to them. That means they were targeted. That's the fear of what we're looking at on my team.
Eva working on digital tsnd civil liberties. What are the groups you're most concerned about?
Well, I started out by work really focused on activists, mostly activists outside of the United States, often in North Africa and the Middle East, and over the last decade or so my work has expanded to get broader and broader and broader. So, first we started seeing international activists being targeted and then in we started seeing journalists being targeted, human rights lawyers, scientists, and then in 2016 we experienced a tremendous spike in domestic activists suddenly very interested in privacy and security.
Could you expand? Who are the domestic activists?
We've actually seen a lot of sort of pro-choice organizations that are really concerned about their safety.
A lot of civil liberties organizations, a lot of immigrant protection organizations are concerned, and just immigrants in general, especially including, you know, legal immigrants in the United States are very concerned about their digital privacy and security, and I have, in some ways, a bigger problem than Shane. Shane only needs to secure people's Google accounts. Only Google. Only Google. And Android devices and yes. Every user in the world. It isn't an easy job ever. This is why you make the big bucks. [laughter] But the problem that I have is that people come to me and they don't just need to secure the Google environment, but also everything else about their lives and all of their other accounts and things which are not owned by Google, which gets somehow even more stressful, and I have fewer resources with which to do it. And finally, my, in the sort of ultimate expanse of my work, I started looking at the victims of domestic abuse. So it turns out that most people who are being spied on in their lives are not being spied on by government or law enforcement. They are being spied on by stalkers or by exes or by people with whom they're currently in an abusive relationship. And the model for that, companies assume when they're locking down devices that if you have the user name and the password and access to somebody's phone that you have legitimate access to the person's account. And abuse often involves access to all of these things at once. Now we need to completely rethink our threat models just in case we didn't have enough to worry about.
Before we go to John, you made a big address about this at a conference, and companies Symantec and presumably there are some situations where apps have legitimate purposes?
To begin with, I wouldn't want Symantec and McAfee to get credit they don't deserve. Neither made a statement. The companies that made statements were Lookout, Malwarebytes and Kaspersky.
And we have three companies on board, and since we're kicking off violence Awareness Month and Halloween, all of these spooky things at once. We are really working on getting the antivirus industry all on the same page to take these threats a lot more seriously.
Are there legitimate uses for this stuff?
It depends on what you mean as legitimate use and whether or not you're talking is it strictly legal? Often the software is violating law, but the real question, where? What jurisdiction are you in? State laws are different, and countries. The place where I decided to draw the line is software which is sold commercially and is designed to fool the user into thinking it's not there. So if, for example, you are a parent and you are concerned about where your children are going and you want to see their text messages, and you want to know where they are and do some parenting, that's fine as long as you don't feel the need to install this software on their device which leads them to believe they're not being watched.
Just to clarify, Symantec and McAfee was in an article, but don't want to give them credit if they've done nothing since then. John, what should we be scared about?
And then your vanilla is like can't necessarily develop in-house but can pay for it.
Can you name names?
For example, citizens of otr and work on the proliferation of what we call nation-state spyware. This is stuff made by companies that allege they sell to governments only for the purposes of like tracking terrorists and child pornographers. In practice it looks more like an international espionage set of technologies and the celtic countries like Saudi Arabia and Mexico who then slosh around and use these things for targeting your own civil society groups. That gets a lot of attention in press because it involves maybe like zero day vulnerability and other sexy exciting stuff.
The third flavor, which is chocolate and by far like the most overrepresented, is the my-cousin-knows-computers approach to cyber espionage. Like it doesn't need to be fancy. It just works. Human behavior is untouchable. The same deception the works0 scoble were to get a different additional guises which is what drives the team nets. It's also because let between the stuff Eva and where concerned with, which is at the simplest level and for like a decade we seem, I'm sorry. This is the R-rated panel. Sorry whoever's doing the moderation on this audio. We've seen nation-state actors using basically the same kind of spyware that abusive partners wind up using, and increasingly like a lot of that problem space in step in the hands of someone like Shane and other device manufacturers and operating system manufacturers whose systems are still constantly locked in battle with those really simple technologies. I don't know, I feel like one of the biggest problems we face is the entry cost is so stupid low that anyone can do it. And it ends up looking a lot like a public health problem with all of the behavioral complexities that come some something where like people love using their devices and they will not fundamental change of that use those devices the platforms are not always designed in the most high risk focused ways but we don't know who the next clutch of activist is going to be. They have no idea who the can d of yet and yet they will be target over these platforms. People who were in a domestic situation will end up in some digital spousal abuse don't necessarily know when they get their Android phone that two years later they will have spook sharing their bedroom, fundamentally. Is the problem.
Take one specific sample, either vanilla or strawberry but Shane, Google worked on exposing a very microtargeted attack with Apple devices that you guys did identify who the actor was.
There's been reporting that says this was Chinese government linked hackers targeting the Muslim Uighur minority. John, you've worked they were targeting Tibet with this. Can you tell me speedy public all the five voices. We just know about the Uighurs and the Tibetans. Tell me how common it something like this and how concerned should be about these really microtargeted attacks?
Well, I think what was really interesting about this attack, was the fact this is one example where I've seen zero day exploits, which speak can you explain zero day exploit is an exploit where most of the exploits out there if you patch your devices, installed or updates then you're protected because all the holes been fixed in what's going on. Really they still work a lot because people don't patch, but when we consider zero day exploit is the exploit there isn't a patch available. That's what this was which is what of can we treated this is the because there's not a lot a user can do many cases against 80 day exploit. We have policy, over the last2 months making has found 546 different zero day exploits against different platforms. Multiple different companies. That policy we tell the company we help work with them to get it fixed but we say there's a 70 deadline. We don't extend this out. We will start telling people how to protect themselves within seven days. The Apple case was one of these and that's why this was such an attack. This is a rarity. It's somewhat, exceptional circumstance where we do see that zero-day exploits being used and that's what we treat it so seriously. We're having a good effect of making it harder use of these exploits. That's really the background of what that was.
We really believe that learning more about these techniques, 14 how to fix them, working how to make sure these bugs don't happen in the future is how we secure the entire ecosystem in the world because this this isy microtargeted threat and this is not how the biggest that you're going to face, like you going to generally be hacked because someone will take you for your password or snd will trick you into installing something. But this really serious threat is one we have to take seriously.
I think part of what's interesting about this case that just happened is come apart of what it's such fun drum is how much trouble companies have with the public communication. Google didn't attribute, got a lot of flack for it, later things that some form of attribution. It's an interesting space because we putting emphasis on companies basically stopping nation-states doing nation-state surveillance stuff. Those companies have lots of different incentives, lots of different public relations incidents, different markets. I feel like there's a bigger problem which is a pipeline the public and policymakers have for giving meaningful timely information about the full scope of the threats that they are of the groups face is fundamentally constricted by the different incentives of the different players. For example, what was a number for nation-state warnings?
36,000.
Which is great. Holy smokes, that's a meaningful number but it's also challenging. For example, if us to ask 36,000, how many from each country, and from each threat actor? Google is limited in what they can say. And completely reasonably, but at the same time researchers and others, we need to know that. We need to know who are the states for the worst actors. Users don't even know when they get those warnings. We are in a weird place in some sense, like the other going dark problem is like information including attribution about threat actors and what they're really doing and where they're doing it.
Go ahead.
I'm going to be mean. I promise not to swear though. Nation-states targeting warnings don't work, and will this is been one of my bitter disappointment from the last few years. Many years going around talking about the threat of nation-state actors and nation-states by, and one of the things I did was I called on companies to give users these warnings so that they know to up their game. And it turned out often these warnings were too vague, that they did not give the users enough information, that they just scared the pants off of the users and he did know what to do next. Or sometimes they would often sometimes, often come on occasion they would go in exactly the opposite direction when he would not believe the warning in believe this is just the thing Google does every once in a while to keep them on their toes. I think now is a good time for platforms to rethink the nation-state warning and think about what kind of information you can give the users that it will actually act on and that will help to protect them in the future instead of just giving the pants off or getting to the point where you can no longer scare the pants off.
This is the big challenge come like how much can we communicate without revealing how would detecting things because that causes come like we give that we can't predict future uses. And how to give changes, cause users to make change. Some users do sechings. We have come a long way in the last eight years, like I've been doing this that when I started this nobody believed nation-state threats. Now you having these conversations wherever it takes it as a given. People become blase to the whole threat but when I talk to election campaigns and activist, people do care and believe about there are nation-state threats out there. We've seen some users use mechanism of I didn't think about it, and I'm going to take some actions. We've measured that. Ideally yes, we do want users to take more action.
There is a more research to o on to how to make this more of a default. I also think that we has platforms and is and what else in the industry, we have put all the use of the planes as well. You can't tell anybody to drive safe. You have to build safer cars. We are trying to work hard to build safer operating systems, come to build more security by default, to make it so users had to do some things themselves but we can also do a lot for the user to help secure the.
You mention campaigns. It's organizations that just users are not able to do anything with the information. DHS is running to the same problem with it and try to get as must information is camp to campaign. Allow time to say what the heck can we do with this letter information? We don't know how to respond to that is a something in particular, start with governments in the corporations but what government should be doing to improve the situation?
I mean, I'll just take a freebie. I feel like it's really great to have big thought leading cyprus tree with government folks. When the target cybersecurity it's their show. They like to think about cybersecurity issues as the great game, super exciting and they play with each other. And users always come second, maybe third. The problem is by volume most of the bad stuff happening on the internet is happening to individuals who don't have anybody who has the back and who have to depend on the large as quality of teens but for the most part, like their government really don't have the back. Like the number of cases where Citizen Lab visconti users and said you've got this problem and like nothing happens. They have no meaningful recourse. It's remarkable and if you like it's like everyone has watched it is unlike people getting arrested in U.S. and basically everybody who gets arrested as a version of it, I know my rights. Right? They have that expense like and know my rights, you can't do this to me.
Nobody ever says that or experiences that when you get a nation-state warning. Nobody ever says that or experiences that when they are the victim of station. I feel like that's a huge problem and it doesn't get change the folks in government continuing to view cybersecurity of the plane with other states.
Eva, is are some discrete thing either government or industry can do to make the people you work with more secure?
I get really suspicious when somebody says is there something the government can do. I spent a lot time protecting people from government. I'm not here to commentary the government and law enforcement of the good guys. In fact, I'm suspicious and giving them power and I'm very suspicious of any remedy that involves asking the government or law enforcement to somehow be better and rescue us from ourselves. I think that what we need to start doing is really to start organizing as a civil society, and there are two ways to go about this. One is that the people who are speaking truth to power, the journalists and human rights lawyers and people who get out and demonstrate in the streets need to have a very solid threat model of who's going after them and how and why. As part of that involves a kind of work that I do and that John does over at Citizen Lab, which is writing reports about the kinds of threats that they face so that people can do the right thing. But the other half of it is work that Shane does, which is just making everyone's communications private and secure by default so you don't have to sit there and worry about what's going to happen when the government comes calling your and then finally, there's sort of the last group of people who really often get pushed to the side, and that is victims of domestic abuse, and they are, they have the hardest threat model to deal with because you are dealing with somebody who has physical access to your stuff.
And I think it is really up to the companies and the platforms to start thinking about ways to deal with that particular threat model that they haven't before. Because it, I get way more calls. I get way more complaints and I get way more work than a single person can possibly do.
Before we go on, we will take audience questions or Twitter if you like to toss one in. We still have time. We can use the hashtag post live and I will try to get to some of our guess. John, did you want to say something?
Eva makes an interesting point about changing threat models and if you like one of the things that we see a lot of in our research is device compromise, as ever is. But I feel like a new form of this or at least what think is more of a smash and grab approached even from sophisticated actors where they get in in a device and the gral logs and they go. One of the challenges is like, man, it ends up putting a bunch of stuff on devices. I was super excited to read yesterday as after some of these folks have, looks like WhatsApp has began to experiment with, there's a report yesterday think they're starting this with group chats. I collect that stuff is important because a number of cases I've looked at her threat actors have gone on and gotten all their jews because its been 20 minutes on a person's phone or laptop and pulled everything is huge and also addresses some issues around intimate partner surveillance because it means if you get a device that time a you don't get a 1, two and three years of personal stuff. That instrumentation is good and important but I also feel like and I worry that there's a national security narrative right now around the importance of access to security encrypted communications, being pulled by frankly a scary narrative around dark players who use bad things for pornography and terrorism.
This has rebounded since 2014 and we had a conference on about Friday with the FBI director and attorney general will speak.
Shane, you wanted to talk about this?
I think the encryption device never seems to die, unfortunately. Like we are against the back doors. I think the argument here is try to balance law enforcement and public thinks this magical solution we can like only get access communications to the so-called good guys, but keep all the bad guys out. We really have two thomas mentioned before, create secure platforms because we really have to weigh the risks here, and the risk of having these open platforms created open or backdoors us forcefully good reasons is way too high to speak.
Why is that? Can you give the 30-second explanation?
Having a backdoor encryption, it means some has to secure that backdoor. Like, even like who holds that magical backdoor key? Who do you think can keep a secret? I've never been a really solid argues about what happens if the secret backdoor key is stolen? What happens if some insider get some telly medications from a manufactured his access to it next creating some other new mechanism where people can have your data store is a massive way.
This is a debate inside the cybersecurity committee. He keeps coming from without. Every couple of years a certain set of folk struggle with legitimate love for the challenges are like let's take another crack at this encryption pinata and maybe look at the case that will do it this time. I think within our world it's fair to say most of us believe for maybe ideology, made its historical experience or suspicion, that this is probably point resulting bad things. If we go down the place. We come at it from different reasons, like my argument is we have no idea what the next couple of years look like in most countries, come if we've learned anything the past few years, and we have no what happens when you push his folks with access to the ability to request that they did decide to do so in ways that their underlings have trouble refusing.
And that itself is a good argument for the importance of encryption.
I want to ask, big picture, is any light on the horizon for things getting better for the average person or for highly targeted people in the next five years?
Yes. I think there's a lot, made an optimist in the room. One, the attackers are having to work hard. The down attackers with were ts another being blocked. The rate of phishing and malware and things being blocked by platforms is increasing. Attackers are having to a card which is good thing. We are seeing these bugs being killed the faster it would also seem there is more things use can do. With things like Advanced Protection or if was wanted a fancy Google account you would sign with security keys all these other mechanisms that believers as someone who does want to get these active protections which to be honest I don't think they were there for five years ago. Not as much you should do but I think I want people to walk away not thinking it's a hopeless, nothing you can do, you'll get hacked so give up. Where what we really do see is if you do take some protections and the platforms worked at it, trust the platforms that are doing a good job, then your risk run a lot your a lot more secure and you have really good odds. Of course you take him supertarget stuff that my future the same way getting hit by lightning does in the real world, but in the real world you would probably be worried about getting sick by a heart attack and not by a lightning strike the uk should be worried about the basic stuff. That overall security level is increasing.
I'm going to take dissenting view. Surprise. Yes. To some extent some of our accounts at some of our platforms or become safer and we have more options and that is great. But our attack surface is also expanding exponentially with every passing year. We are filling our homes and offices with microphones and cameras that are extremely insecure.
And that are often manufactured by companies that don't have security and privacy as a particularly high value, and that certainly don't take about nation-state level aptc in the threat model and the don't think about law enforcement. For example, there is a great deal of argument about the installation Ring doorbells and neighborhoods and sort of their partnership with local law enforcement. And Amazon continues to insist this actually cuts down on crime, whereas the research seems to indicate that filling your neighborhood with cameras that everybody can see just actually cut down on crime very much. It just increases the amount of surveillance that you have.
Real quick before we run out of time, I want to talk about election security. Big picture, how confident should repeat you guys think from a private sector perspective of the 2020 contest?
My observation is every time we have looked at election outside the fewest in the past couple of years, every time we have scratched we thought all kinds the players, domestic and foreign, mucking around in those elections. I cannot think of an election that's happened in the last few years with has been experimentation and mockery. The biggest thing that bugs me, the biggest thing that freaks me out is so many of our analogies, the we were talking are still come by the virtue of the 201630 access is pulled him into relations back towards that the problem looks really different. I'm not at all convinced we got a good handle on it right now.
Real quick.
I wouldn't say with a handle on it. I would say unlike 2016 and he went to the 2016 things, there is a lot of people working this problem, or people taking this more seriously. They come is taking more seriously than industry, people working together and it is like the top priority of everyone.
Watch this space to see how it plays out but if anything does happen is that going to be due to a lack of effort by the platforms or anyone else because people are taking these threats seriously.
That's all the time we have. They to everyone. Please hold on for a final segment. [applause] [inaudible conversations]
My name is Ellen Nakashima, national security reporter for the Washington Post, and we are very fortunate have here today Sujit Raman, Associate Deputy Attorney General of the Department of Justice, and he leads on cyber issues for the department and chairs the attorney general cyber task force. So we are going to I think a very wide ranging interesting conversation, on the challenge of encryption can what the department and FBI sometimes called the going dark. So, Sujit, describe briefly what role digital evidence plays for us today come for you and your national security investigations. How crucial is it and how do you obtain a?
Thank you for having me today. Digital evidence is critical. If you're in the business of trying to enforce civil law system the way that you prove cases in court is through evidence. The reality is the world we live in today everything is digital. The business records are digital, phone records are digital, your communications themselves are digital if you're talking on a phone or by application. For us to build cases we need to have access to electronic evidence and digital evidence. Anything we do is bounded by law so we want to make sure that we and law enforcement when we seek evidence we are doing in a lawful way. Part of the difficulty we are facing now is the way technology is developed, and technology as an incredibly positive benefits. Encryption is something that we are in support of, if you're in the business of protecting sensitive information including government information you want to make sure it's secure.
On the other hand, those very same technologies that protect information also make it increasingly difficult for us to gain access to it even with court authorization. That in a nutshell encapsulates the going dark problem.

Give us a sense, how severe problems, and about roughly what percentage of your cases, pick a category, criminal, drugs, what percentage of those cases does the encrypted evidence pose a challenge for you?

It's difficult to quantify because it depends on the nature of the case, the type of case, type of investigation. What I can tell you is about when it comes to, for example, data in motion, so communications, this is publicly known, so communications, many apps are end-to-end encrypted so we cannot get access even with a court order to those communications. If people are communicating by FaceTime or by message, even if we go to a judge and fulfill all of the very rigorous requirements to seek a wiretap under federal law, when we go try to serve the order, the companies simply cannot execute because they design their systems in a way that doesn't allow the interception, so that creates tremendous obstacles for us when we have satisfied all the legal obligations to access that evidence.

To more than 50 of your drug cases?

It really depends on the nature of the case. What I can say, without, a few years ago whats at the number of diyers so precipitously. I will get into specific numbers but it was a massive drop because DEA investors who are often running to his wiretap investigations and for those of you know we were doing transnational organized narcotics cases you need to be up on wires because thats of the drug dealers typically argument getting, the traffickers. Those numbers fell precipitously once WhatsApp, which is a very popular encrypted app, went end-to-end encrypted. Its that imMaterial Impact in our ability to undertake investigations.

Let's move into another and we might see the impact of this.
This past weekend the New York Times published a major investigation on child abuse and exploitation online. The report was unequivocal. Online child abuse is rampant with no signs of stopping. Technology both supports and protects abusers. Encryption specifically has been a major roadblock for law enforcement and, in fact, Facebook recently, as you announced, is going to put strong encryption, end-to-end encryption, in Messenger. How will that affect your child abuse investigations purpose it will have commenced infector. I'm glad you mentioned that because that's what and when we do have statistics and very clear statistics. Last year around 18 million, more than 18 million tips, cyber tips, were reported to the National Center for Missing and Exploited Children. These are essentially tips that the technology providers send to NCMEC, a nongovernmental organization, showing evidence of child sexual abuse on the platforms NCMEC. Facebook Messenger and Instagram, which the company have publicly said it will do, the estimation is that millions of those tips will go dark. Again to put flesh on the phone, assets at last you about 18 million tips, over 90 of those tips were reported by Facebook. So the company actually under the current status quo is doing pretty good work in trying to identify child explicated by two of the been critical of the platform and its response supposed report to the nongovernment organization so that speakers can refer to law enforcement and take appropriate action. Once they get the tip egg theyt the testing of the law enforcement or the federal law enforcement, we can follow up and try to arrest the individual. The key point here is that of those, as I said, 18 million, over 90 last year were provided by Facebook. If Facebook goes end-to-end encrypted, 7075 of 75 of the 16 million tips will go dark.
That is a very practical application of how not having visibility into what's happening on these platforms will have a material impact on public safety. These are children, child sexual abuse we're talking about, and as the article said, this is widespread. The stuff happening on the internet now is really pretty scary.

These companies, Facebook, Apple, they talked about the encryption that they're putting on their devices and on the platforms as a way to enhance the privacy and security of their users, everyone. So doing it, it affects, it helps criminals, the price we pay for living in a free society. The Justice Department, the FBI in the last three years or so have tried to have a public conversation about this debate. They have asked these companies to voluntarily try to work with them to come up with solutions to the problem. Bill Barr, the attorney general, in July at Fordham University repeated that call and he said that these companies have the capability of the ingenuity to come up with technical solutions. Where do you stand on that? Have we made any headway in that debate, in the ongoing conversation with the tech companies?

It's been difficult. Candidly, we're not looking to demonize the tech companies. These are the same companies that created driverless cars, drones, wearable tech. These are the most innovative companies in the world. The question we have or the call that what we would like to make to tech is work with us, try to find ways to protect security, protect privacy while also factoring in a very important component, public safety. Often in the conversation that's what's forgotten and, as I said, very real impacts on real people when we are not able to visibility in these networks. When it comes to the companies, we've been reaching out. We've made at first. The attorney general spoken, FBI has made multiple overtures. I wish the companies would do more and that's something we're working on, but we're not looking to demonize the companies.
We hope they work with but, on the other hand, we have an obligation to the American public to call a spade a spade. We're not going to go away either because this is a real public safety problem.

Are you considering legislation to require companies to build in lawful access to their platform?

We are at least now, and I think this is an administration my position, actively engaging with the public to raise awareness of the lawful access problem. I think you will see various parts of the government reaching out. You got the Department of Justice. You got the FBI. The Commerce Department will be reaching out to industry shortly to talk about the need to solve and find solutions, find improvements to this problem. Department of Homeland Security, which has a very important cybersecurity mission but also a very significant law-enforcement mission as well. I think you'll see them publicly reaching out and trying to raise awareness of this issue. We are at a point now where we're trying to make sure the public is aware of the costs and benefits of what's going on. A lot of the decisions being made by corporate executives for their own business purposes. That has tremendous impacts on our public safety and our broader public policy. That broader political conversation needs to take place. The only other thing I would say, you mentioned legislation. There are other rule of law nations that have made legislative moves in this area. Last December Australia, obviously rule of law, a partner of ours, enacted legislation in this context. They are still implementing it, still figuring out exactly what it looks like.

Britain also?

Britain passed the IPA, Investigative Powers Act, which has certain provisions related to providing decrypted information. We run the risk of America falling behind because our partners, our democratic rule of law partners, are starting to examine this issue because they understand that it's a very complex set of factors we need to be taking into account.
But do those laws apply to U.S. companies like Facebook and Apple and Google?

I mean, I think her death as the British about that. My sense is that they would have similar jurisdictional principles that we do. In other words, if American companies are doing business in these countries they subject themselves to the laws of those countries. Exactly what the mechanics are, I think it just depends. My understanding of the Australian legislation is it's still in the pretty early stage of implementation.

Let's move on to another separate but related issue that grows out of this time actual legislation Congress passed, what was it, a year ago now, the CLOUD Act. That was to get at an issue of access to data but not necessarily encrypted data. Can you briefly describe what the CLOUD Act is?

It was a major legislative accomplishment last year, bipartisan, industry was very supportive because many companies found themselves in an awkward position. They had received legal process from the United Kingdom but they would be barred from producing data to the British government because American law had essentially blocking function that you couldn't produce data to a foreign government because those are privacy protections. You can't produce data to anyone who asks. The companies found themselves in a very, in a difficult position, a conflict of opposition by the refund of the obligation to produce data to, say, the United Kingdom but they were forbidden to U.S. law to produce that information. The companies came to us and said, look, we're in a tough spot, can you please help us? We were hearing it as the Justice Department from our partners in UK who were saying, look, we're trying to investigate a murder that took place in London. The perpetrator is British. The victim is British. Everything happened in Britain. But the guy is using a Gmail account. The evidence is being held by U.S.-based service provider. We can't do our jobs.
The evidence itself outside the UK and American law forbids Google from producing in response. There were interesting dynamics at play. We had foreign partners asking for help with industry asking for help. We had our own motivations, we do want murderers running around the streets of London, less of a concern but still a significant one. Everyone came together and in March of last year enacted the CLOUD Act, which essentially allows for rule of law partners that we engage in bilateral executive agreements with to serve U.S.-based service providers directly with legal process. Instead of having to go through a mutual legal assistance process, a treaty-based process which can take a while, a couple years, take her with electronic cases, once these come into place, say UK, can serve Google directly, receive data directly.

Is that happening now or is this agreement in place between U.S. and UK?

There's not an agreement in place yet. What I can say is the U.S. and UK been working very hard to move towards finalizing an agreement.

We hear that might be this week.

So I'm not in a position to make any announcements today. Thank you for asking here, but I can say, look, this has been a priority, a priority for us, and I expect there to be movement probably. Perhaps an announcement, it's possible.

Would this sort of collateral agreement apply to countries like Russia and China?

So, I mean, no. The straightforward answer is no, because under the statute, and this was part of the negotiations. When we're trying to get legislation enacted in Congress we had very positive conversations with civil rights community, civil society community, ill visit with congressional staff as well to make it clear that this direct exchange of data should only occur with rule of law countries that protect privacy, that honor civil liberties and have protections in place.
If you look at the law, there's a catalog of factors that the attorney general has to certify that country X meets the standards before he can engage in one of these bilateral executive agreements. The short answer is totalitarian countries have no basis to enter into agreements and we will not engage in negotiations with them.

Great. I misled by so quickly, only a few seconds left. Any other net announcements make maybe the encryption going dark with the department about to do this week, any plans?

So on Friday we're hosting a public summit at Department of Justice headquarters and will also be live streaming at first on lawful access, on the question of warrant-proof encryption and impact on child exploitation cases. To get your question at the outset. We anticipate a very high-profile event, the attorney general will be there, the FBI director will speak at with two foreign guests from around the world. And speeded the British secretary and Australian home affairs minister. Trying to send the message that rule of law countries will stand together on this issue, that when it comes to access information we are united on making sure we protect privacy, that would protect civil liberties but we also keep public safety in mind his own.

Great. Thank you very much for that, and let's move on to our final segment. [applause]

With economic investigations in every, all 50 states that goes back to China.

Hello again, everyone. Ellen Nakashima with the Washington Post, national security reporter, and for the last conversation this morning are so proud and honored to have Bill Evanina, the top U.S. counterintelligence official and director for National Counterintelligence and Security Center of the United States, as well as David Hickton, the first U.S.
attorney to obtain an indictment of China's Chinese spies for economic espionage, or as Bill likes to call them, the OG of Chinese espionage cases, the front of the University of Pittsburgh Institute for Law, Policy, and Security. So our conversation today is going to focus on the top counterintelligence priority for the country, China, and we often hear of the challenge of a rising China. It's an indispensable trading partner and at the same time it's a rival on the global stage. So China has a competent relationship with the United States, especially when it comes to technological advancement and global market dominance. Bill, as that of use, intelligent chip unique vantage point. When it comes to China, what is the U.S. most vulnerable? Is a from IT theft or economic espionage? Advanced technologies? Is this a Chinese spy agency versus your spy agency or Chinese spy agency versus U.S. private sector in academia?

I will choose all of the above. When you look at it from a strategic perspective of the U.S. government and private sector with a look at all of those vectors individually but as a group of one. I think it's important for audience to understand that geopolitically and militarily, economically, China is all of one. In America we've had an opportunity to grow up in a society where clear bifurcation between the government, the private sector, and the criminal element. That's not the case in the People's Republic of China or Russia or Iran. It's an unfair playing field to utilize all the resources as one to combat us. For this conversation the important part was right now we're struggling, it's an intelligence services against our private industry. That's not the way we do business, so we tried to combat that and allow and alleviate the threat by integrating private sector as part of the battle, and that's our biggest challenge right now.
As amended, you lead the case against hackers working for the People's Liberation Army of libya, but that's one of many precedent-setting case against spearhead in cyberspace. In some sense how many of them have actually wound up in prison? Once a while you get lucky and some defendant travels to a country with an extradition treaty, gets picked up and sent over here, but Chinese hackers are unlikely to do that. How do we hold these maligned Chinese actors in cyberspace accountable?

You're correct, but I think the case was brought in 2014, led to the agreement between President Obama and President Xi, which is an even greater result which everybody agrees reduced intellectual property theft down until virtually the election of choice 16. But you're making a very good point that we don't have an extradition treaty and this is one of the challenges of the borderless nature of cybercrime. I argued that unmasking cyber criminals has virtue in and of itself because the principal currency of cyber criminals is their anonymity. If you unmask them and declare that they did it, that's the first step. By the time I left the government I was trying to expand the forums for adjudicating these cases beyond criminal investigations into the World Trade Organization, Commerce and Treasury. My belief is that we need to hold foreign actors to the same stuff we would hold American citizens so that if they steal from our industry, particularly intellectual property, they not participate in our markets.

I want to jump on that because I believe that was a symbol moment in our government ability to combat theft of IT and trade secrets because it turned out to be a marketing endeavor where we were able to educate and reform the American public of those the entire government writ large of an intelligence services, in this case the People's Liberation Army, theft of our business and economic ingenuity and know-how for the military purposes.
That was a watershed moment that we kept always in the government, this is the first time we're able to shed light on that theft.

One of the key achievements in that was your ability to get these private sector companies who traditionally, historically do not like to come forward and admit they had been hacked or compromised and have the names of the publicly for reputation, armed reputation. You got to agree to be public, have their name mentioned. How did you get them to come forward?

That was in unusually nice that strength because I bet surf and the Department of Justice and a representative of these people and that not many of them since childhood. But I spent most of my time trying to make sure we could battle to bring the case but tell the story by putting a picture of the defendants, which we did at the back of the indictment, the iconic picture that came off a wanted poster which showed the public who did it. Also departing from what would've been the norm, which is company A, B, C, D, E, but also putting a picture of who the victims are, and then when we announced the case I described how this affected real people, U.S. Steel, United Steelworkers, Alcoa, Westinghouse, and how this led to factory closings and lost jobs, and why we need to care about this.

Bill, expand on that. That was like 2014, was it, and now five years later, it's not just steel and they're moving into biopharma and genetics. Can you talk about speeders publicly we talk about this band of influence and requirements that I would say security works with ecommerce party to develop, to come and still innovation and the put some biopharma to green energy to leading technology to future markets to gas, oil, shall Come Clean Energy and we saw a few years ago with the month at a case dealing hybrid grains and send because at the feed 1.4 billion people. They would rather not create their own Research Develop an arm when they can come to the west and take it.
They go first to market, their patent program is quicker and more effective than ours and they get a of a local or international market at 30 cents on the dollar.

This idea of them stealing are working, working with genetic mapping companies in the U.S. Tell me, I have not heard about that. What's going on there?

It's complicated. Not only do they use their intelligence arms to steal our intellectual property, trade secrets, in the case recently with utilization of Duke and Yale capability for genome mapping, sometimes we engage with them and do great collaborative work with the research and development of the academic work and they take it anyway. It's a not winning environment. They took that technology on genome and DNA and used it to imprison over 1 million Uighurs. So even great technology that we utilize for great purposes sometimes is used nefariously by intelligence services of rogue nations. This was done by the MSS, which is their major intelligence service.

Took this through legitimate, lawful partnership?

Some illegal, and I think that's the idea that they utilize a whole country approach to the theft of our intellectual property, trade secrets, but they uighurs collapsed collaboration in academia, joint ventures, private equity, venture capital to be able to utilize all tools, whole of society approach to obtaining our secret.

Talk a little bit, both of you I guess, about the academic approach that the Chinese are making, this issue now with the Chinese trying or using, gaining access to universities and university secrets but also maybe trying to influence academics for Chinese students and researchers. How much of a challenge or threat really is it and what should the government, what is the government's role?

In my gut it's a huge threat. The good news is we're still the cradle of information of the best academic country and world.
Everybody wants to send their kids to school there, and lost in the shadow of the PLA case which it did in 2014 was in 2015 I exposed a network of gunmen who were fictitious test takers or fraudulent test takers who existed in this country who are taking the SAT and the GRE for students in China and some of their getting passports, get admission to our colleges and then they would get a student visa and then go home after they were educated here. This was an organized network and at the least deprived American students might've been paying taxes for somebody's state-related colleges, space in the universities. There's an invasion of research. There have been cases that have been done there. I believe this is a real threat. I believe what the government should do about it is the same we do with intellectual property. It seems to me that if oakland at digital space and with the number one economy with a number one research and development location in the world, American citizens should be treated equally with citizens around the world. And nation-state intrusions should be treated as real and present threat. I choose the expansion of this initiative.

I'll double down on the threat. We believe it's critical up there next to 5G winwood before but what we're doing about it, this past year which on the leadership of Senator Burr and Senator Warner, chairman and vice chairman.

Right.

We utilize my office at the idg, we met personally with over 150 university college presidents to talk about the threat and what it's like. We give them one day classified reading so they can understand the intention of these foreign leaders as well as here's the threat and who is help manifest use medical investigations been done by the FBI. Let's work together to find a solution that is not only effective and efficient for you as universities and colleges but also doesn't, I would say, perform the effort of racism.
The argument has been this is a racist issue, in the Chinese intelligence services have been pushing the envelope very effectively here in the U.S. But it's not. When you look at the amount of investigations the FBI has which is overnight elder, 95 from the People's Republic of China. Over 900 espionage or with respect to economic espionage.

But in fact, there and in a few cases where the department has had to drop the case for the case got thrown out for lack of evidence and these are cases of alleged economic espionage against Chinese Americans, often academics or researchers at universities, which is led to criticism that the Justice Department is overreaching and is sort of seeing a Chinese threat amongst the Chinese American community here that doesn't really exist.

I'm in academia now and I think that's a valid concern, and we still in our institutions of higher education aspire to have worldwide student body and the educational opportunity and a diverse population is valid. So I think we have to be real careful to get that right.

I will double that on the importance of understanding the threat versus actual who's committing the threat or resort the FBI and DOJ charge and indicted an American citizen and a university campus for spying for the Chinese intelligence services. So it's not about the Chinese individuals and students who are here. It's about the Communist Party in China and other manifest their efforts here in the U.S. To the security as follows Confucius centers. It's a holistic program but it's not about legitimate students come from China to study here. When my partner talked about the great college university system ever invented.

Bill, China is said to be making great strides in use of artificial intelligence. Where exactly in the field of AI is jen most advanced? And what is the role of U.S. government to enhance U.S. competitiveness?

I will pass on the role of the advancing our competitiveness. I will stay with the threat perspective.
It is a significant threat and their ability, if you map their allocation of government funds to facilitating AI and the building in the billions of dollars aftermath. They do have also, which is an unfair playing advantage, is all of the theft of everyone's PII you stolen not only here in America but around the world. That theft helps speedy personal identifiable information. That's correct, that allows them to use that data set, hundreds of thousands of petabytes of data. And some healthcare, 70 million Americans have their health care, the use that to promulgate advanced analytics. The more data to from us from bfi, they use that to facilitate testing other AI platform.

Like the OPM breach as well?

20 million American record.

Which the Chinese run their AI algorithms.

Right. Some of the current estimates, more than 50 of the American adults have had all of the PII sold by the People's Republic of China.

Half of us here. Dave, did you speed is the current denigration of facts and science is a threat to us. The retreat on investment in scientific research is a threat to us, but we at Pittsburgh have been home to a lot of great advances, whether it's manufacturing, medical and technology, and those of all been sponsored by partnership between the government, the academic community and private industry. And we need to continue that so that we can make it. Or Detroit or Philadelphia the injury at Shanghai instead of the other way around.

The envy China has one advantage and that there command-and-control economy and the government with a much more free market system and we try to keep independence from that market. Is there now, is or more of a need to think for the government to sort of maybe direct areas of research funded, give incentives so that we are not left in the background?

Hops but even when the government sponsors that are directive, it's still driven by the scientist. I'd like to really address the premise of your question.
Some think the initiatives, particularly the work I did, was anti-China, and it was exactly the opposite. I personally believe China is the linchpin of developing norms and laws in the emerging world of digital space because they are the number two economy in the world. At some point they will appreciate that they have as much to lose as number one economy has to lose. There's the old saw in law enforcement: why do you rob banks? That's where the money is. That people look at the threat vectors, they're all come at the United States because we have things to lose. They can barely turn the lights on in North Korea and Russia. China is not like that. Soft like a lot of digital space was the essence of my mission in my former job, and I think if we do that directly it becomes part of the strategy as opposed to a tactic to make China our partner.

That was the strategy for years, this engagement, right, between U.S. and China to open our markets to them so that would maybe become more like us, want to be part of the free market and abide by the rules, and they haven't followed those. They are not following the same norms in cyberspace while respecting free and open internet. So how likely is it we'll be able to get China to become more like the rule of law nation and abide by western norms and traditions?

Well, I can't predict that but I can say any effort like this requires persistence and is going to take time. The one thing I think has been successful is if you just look at China writ large, they largely have become more western. Their young people are more western and I think our engagement strategy has, it just requires continuous effort.

I would differ a little bit. I think under the leadership of Xi Jinping they become the most amazing surveillance state we've seen in decades and the social score the have and the ability to photograph and facial recognition of every second everybody's life over there is really coming to see what's going on Hong Kong right now. Economic loss.
That is 4000 per American family after taxes. We have to stem the tide very fast. If we can't, I don't know how we can get back to the diplomacy of hope.

What will stem that? Sanctions? There was a point where the Obama administration was about to impose sanctions for economic espionage in China.

Multiple levers to include policy and legislation from Congress had a change the mindset for the American people to understand the damage and value subtracted from this effort. That will be a whole country approach to stem the tide.

I disagree with what Bill said. We need sanctions and appreciate current trade war has impacted us negatively. We have divided our assets in the current trade war as opposed to multiply by combining application of rule of law with selling below cost within our markets when we could multiply the conversation.

I want to get to a question from the audience, but first I want to get to the issue of Huawei, the Chinese telecom equipment maker that is a big issue for the US government as we move into 5G superfast telecom networks. The US government has been pressing allies in Europe to bar Huawei from their 5G network with mixed success. The argument is allowing Huawei into the networks will open the door for either Chinese surveillance or cyberattacks and disrupting the network adequate a moment, but Sue Gordon, the recent Deputy Director of National Intelligence, has publicly learned we have to take a pragmatic view. Even if we don't have Huawei here there will be other countries around the world that do and we interconnect with those networks. You have to manage risks. What do you think?

In my space I hate to think about having to presume a dirty network. In counterintelligence that is the beginning of the end.
From a practical standpoint you might be right, but our efforts in the intelligence community and counterintelligence is to not have that network, and we have proved around the globe with various activity of Huawei and what they are capable of doing, never mind the 5G platform, and Huawei to me is not the problem. It is the Communist Party of China. There is another company that will facilitate the effort to be the global supplier of telecommunications and that is a threat we face, not necessarily accompanied by Huawei.

I agree. One of the last pieces I worked on ultimately led to the indictment of Advanced Persistent Threat group three, and the case was presented to me as enforcement of the Obama agreement that developed into a global positioning satellite case. Google Maps bombed drones and the precision agriculture later became the spy arm of Huawei. That conversation sounds like a 5G conversation that just emerged, but the Huawei conversation has been going on for some time and they will go away when someone else will replace them, until we address with China our understanding, and I'm confident we can get there but it will be very hard.

I have a question from the audience about the law enforcement tool of indictments. How indictments against Chinese hackers have done any good. You mentioned this all led to the Obama agreement, the pledge not to conduct economic espionage in cyberspace which worked for a year or so, the PLA started peeling off and attacking the MSS. Now that agreement is meaningful.

It is an expectation issue. No one suggested that the FBI, which started investigating bankruptcy or bank robberies, is useless because we never saw bank robberies. Our expectation is to reduce, not eliminate, crime. It was an important start. I would be first to admit it was controversial and we did not bring them to Pittsburgh. I may be the only one left who believe they will be tried in Pittsburgh. It leads to the Obama agreement that was thought of at the time.
Do we give them three squares and a roof over their head for 10 years or do the president of China and Russia get together and reach an agreement which everybody agrees for a period they also came and did the agreement in part because of the threat of economic sanctions which the Washington Post reported combined with indictments to make the agreement. In the conversation, agreed to stop economic espionage from a cyber perspective but not a human perspective. Made their trenches from the PLA to MSS and human-based efforts. Secondly, the indictments are critical. I spent a lot of time with partners, the recent two Huawei indictments were shattering in terms of getting fact out by DOJ and what they mean for the private-sector industry. New Zealand, Canada and Great Britain, they look at these and see how they manifest, as much as we expose, and the same activity in their country. That is all the time we have. Thank you for a wonderful conversation. [applause]

Coming up next on C-SPAN2, Charlie Cook of the Cook Political Report asked about the 2020 elections. We go live to American University in Washington, D.C. with Justice Department Inspector General Michael Horowitz to talk about government oversight and the role of Inspector General. Donald Trump will hold a news conference with the Finnish president, he expects to talk about the ongoing impeachment inquiry. You can watch live coverage at 2:00 pm Eastern. Sunday on Q&A, the Smithsonian Institution's Peter Liebhold on tariffs. A tomato is a vegetable and not a fruit because of the tariff. An odd story. Any botanist will tell you a tomato is a fruit, but in fact the 1883 tariff, the tariff on vegetable and fruits, and importer of vegetables, the tomatoes from the Caribbean were a fruit and didn't have to pay tariff. The battle went on for quite some time and the Supreme Court ruled tomatoes are vegetables and it is an interesting ruling that had repercussions beyond this. Sunday night at 8:00 Eastern on C-SPAN's Q&A.
Up next, a look at the key House and Senate races a of the 2020 elections. Charlie Cook of the Cook Political Report will join Bill Press at this event held at the Hill Center
