And friend, illustrates the commitment that they have made personally which i think all of us want here at the post are very grateful for. I just wanted to share that with you. Today were going to talk about cybersecurity interference in our 2020 president ial elections. The very Innovative New way of trying to do with that. And avoided talked with two of the people who are most familiar with these issues. First former director of Homeland Security, michael, former director of National Intelligence, james, each knows the cyber in these issues in a difficult political and legal background as well as anybody who has served in government. On this gentleman with the question is on everybodys mind. It involves the question of interference in our elections but this is the complaint that has been raised by the so identified whistleblower who is complaint now before the house Intelligence Committee. This subject of an Intense National discussion going all the way to the issue of impeachment. That went out asking you what you think about both of the president should be impeached, do what i ask you each the baseline question both of you as experts find it whistleblower his complaint which we have now read, urgent and credible. Because there are the words that were used. As i get both of you would think that it ought to be investigat investigated, both of its accurate. Maybe i should start since his im sort of familiar with the Intelligence Community is the lower protection act and the complaints that are submitted with it. I would say that the whistleblower complaint that i saw during my six and half years of dni, this one was the best written and best prepared footnoted and calmly added as an appropriately as it should be. The law prescribes that once a complaint is submitted, it goes directly to the intelligence communities and Inspector General. It became statutory during my time as dni. Accordingly, index independently. The attorney general makes the determined if it determination about if it is credible. I dont recall ever to have one declared urgent. So that was done, the whistleblower complied and meticulously with the provisions of the law. And for me, it was one of the most credible compelling such complaints ive ever seen. Should be investigated absolutely. The whole premise of whistleblower protection act. Is that a serious credible complaints of wrongdoing should be accordingly investigated. Your feeling about the same issues. Was it credible urgent and should be investigated . I cant judge both of its credible because i think you have to investigate it and determine the technologies and there is a person within to know certain things are not know certain things. Operably other people who would have to be talk to. When i would say is the self. Obviously it is a matter of significant concern. Any investigation or not be passionate fair, thorough and expeditious. Should what should i have it is people resolving things for before the investigation is done. That is tearing the credibility of the whole process. To be clear, the law stipulates that period of 14 days i believe where the Inspector General can investigate the allegations containing the complaint. That was done in this case where there was within the time limit of 14 days of collaboration. At least in the ig his mind before he forwarded it. Jim let me ask you because you were in the position of the acting dni. He found himself, just after taking office, he mayday decision we need received the complaint from the Inspector General, to go to the white house and the council and then to the Justice Department, and legal his counsel, with institution and says part of the whistleblower his complaint, do you think that was appropriate. Is in a tough place. Acting director of National Intelligence for about six weeks. This arrives on his doorstep. So i think, we have answered this, this is beginning to be a faq. [laughter] the way i responded in the past is that i think institutionally, joe did the right thing. The problem of course by consulting with the doj and the white house, and he had a genuine concern about violating the executive privilege. He doesnt have the authority to waive the executive privilege. I can argue till the cows come home but was at the right thing to do where he is consulting with element of the government. This implicated in the complaint. Thats a judgment call that he made. If it were me, i honestly dont know what i wouldve done. I trust what i wouldve had is the very expensive and deep conversation with my general counsel about the pros and cons of doing that. And im sure joe did the same thing. Mike, i want to ask you about a question becoming more central now and that is how can congress compel testimony either through subpoena witnesses or depositions where the documents in an investigation that it deems essential but where Administration Officials are withholding that information. What happens next . Typically what happened in the past, in particular we do get a subpoena, but even if congress what you did testify is usually holds the power of the purse through appropriations, government officials go alone because of the sanction they face the money gets cut off. I think of you going to be technical about it, what would happen as a subpoena would issue if someone failed to up here, they would then go to court and congress would go to court, it would get a court order mandating the person to up here and that if the person still failed to up here, they would in theory be held in contempt of court. The other possibility is if they declined to answer certain questions, on the ground that they are privileged, they get you into some legal issues about both of congress has a direct ability to impose contempt or both of congress has to go to court. As with most things in the american legal system, usually wind up a potentially extended litigation because you are dealing with unprecedented issues and that means everybody is going to wind up being careful about how they deal with it. And would you guess say based on your experience at this is going to end up in the Supreme Court before it is done. It is quite possible. Obviously ruby remains members back next in case. But the court given a schedule, only as a certain amount of bandwidth. In some ways, by the time he gets up to the Supreme Court, you are talking about months having online. So the may be a tension between the temple of these investigations in the temple of the court system. So again is the little hard to speculate because we dont know her yet seen a concrete dispute that emerges that is right for to report. Return that to political experience Going Forward to the 2020 elections. I want to invite if you have questions, you can send them to me right to this little ipad hashtag the slide. I will in theory see them here and look and ask the questions. Let me has jim first and then mike. To give us a sense as we head towards 2020 of how well prepared you think we are to protect our elections from the kind of interference that we have seen now, powerfully in 2016 and in 2182. Having happily left the government, i dont know is my impression that is what has been done. Certainly among the key federal agencies at the ite deferment of Homeland SecurityNational Security agency, all of this it have had our stakeholders and can help us. I think a lot has been done. Over the situation where we were in 2016, but youve got to remember that our voting apparatus is very decentralized. It said that state and local loophole and not at the federal loophole. I was really taken aback during the 2016 and we are seeing with russians doing when jay johnson then secretary of Homeland Security, reach out to voting officials and election commissions and the sort of thing at the state loophole. And a lot of pushback. We want the feds messing with this sort of thing. So i think having said all of that, i am confident that a lot has been done. To make it better and if i may david make a point here, id this topic comes up, securing the voting apparatus apparatus, the Voting Machines, computation of votes, transmission of votes, and all of that, thats usually important. But that is to me, at least one division of the problem. The other than is what i might call the lack of better terms, intellectual securities. Meaning how do you get people the question that what they receive here and read on the internet. This is where the russians exploited us. They exploited by using social media. So that part of the problem im not sure about. Mike let me ask you the same thing. How vulnerable do you think we are heading into 2020. Both of the resistance that jim describes, to federal help the state and local governments, if thats changing, and then also maybe to comment on the broader question that jim raises about the way in which our Information Space as a whole now has been it looks like contaminated. First of all, i agree with jim, the federal government has been much more active and i think the states have but much more wheeling to accept help. I also agree that actually the machines themselves, in some ways are the least vulnerable because a they are decentralized. And be they are normally not hooked up to except for very briefly. To tamper with him, you have to have physical access. Greater challenges are the registration databases, the tabulation databases and all of the infrastructure around voting which includes his ear power working, transportation working, can people get to the polls. These issues require not just preparing to raise your loophole of cybersecurity against hacking, but it also means rezoning is. If there is something that makes it difficult on election day, either databases down and if we can verify who is entitled to vote. While the trains stop running because of the cyber attack. Is there a plan for what you do next. And that is the essence of resiliency. You need that in advance. Have to make sure you know the plan is and that you have the authorities and you have the capabilities. I think that is the area we have to look at. And what jim called the second man, which is disinformation, i think this is the challenge that is broader than the election itself. Im obviously one of the approaches, that the russians and chinese also, takes your geopolitical conflict and using Information Space. With the used to call active measures. The idea here is if you can disrupt the unity of effort, of the United States or europe or other democratic countries, and basically win that went out firing a shot. Because people dont trust each other and they dont trust institutions. I think thats what weve seen over the last ten years. In fact he goes back decades. What is change most recently in social media. And the ability to manipulate that to drive very carefully tailored messages to particular individuals. That is an area where i think we are still trying to implement standards and approaches that would mitigate the effect of that. And job number one is to get people to be critical in their thinking when they see a story and not something to accept as true. Because its on the internet. Going to the point that jim and you both now have discussed, the more that we talk about the insecurity of our election systems, and sense the more people have it in their mind that there is something wrong here. A friend who runs the cybersecurity for one of the big social Media Company said to me recently, what the russians are really doing, his weapon icing and certainty. That the very fact that you know uncertain that one of these systems may be attacked, leads to less faith in the outcome. So i want to ask you, these were the hardest questions there is, is there any way to reduce that weapon iced uncertainty that you can think of it that its appropriated for the democratic government. Jim . Mike customer. One of the points that has been made repeatedly is that you need to have a verifiable order system for actually getting voting. Both of it is a paper ballot or various kinds of tools now being developed that we encrypt a copy of the ballot, the ability to ensure people that if there were a dispute, you might take those little bit of time. You can go back so that you can actually manually see it. I think thats an important confidence building measure. I dont have any silver bullets suggestion here other than to implore people to think critically and try to collaborate the information there absorbing to pick and choose your sources, that sort of thing. Ive often fantasized about some sort of national exchequer. Unassociated with the government perhaps. I dont know quite how you would constitute this but the fact checker would be seen as uniformly and universally credible. But somebody like that, could verify or refute, what is being said out there on the particularly on social media. Is tricky, we dont want to Single Authority telling us was true and what isnt. That sounds like big brother. But theres gotta be, i want to get to something that is really encouraging that you know both involved in. And its a creative effort to deal with this problem. Its called psycho. Maybe i could ask each of you to explain the basic idea of this and what sorts of Services Cyber dome will offer to candidates. For candidates in 2020 and for years to come. Jim what dont you start that off. Jim i was approached by this group which is the group of citizens public spirited citizens to align themselves with cybersecurity experts. Put together an organization in which is designed on a bipartisan basis, support and assist campaigns in particular the two mass communities to secure themselves. Its not a government thing. They are seeking funding outside of the government. Mike and i have both approached about it. We are surfing on their board of advisors. Mike the idea here is the nonprofit organization, free of charge to campaigns, cybersecurity advice. We have campaigns hacked for years. I remember back in 2008, cafes were hacked. What is different in 2016 is what they called dotson. Not only were the campaigns hacked by foreigners in order to see what the campaign was thinking about from a policy standpoint but actually some of the content was disseminated by the russians and put out there in front of the 20002016 election wait to try to unnerve and demoralize the Democratic Party and supporters. So that i think took the weaponization to a new loophole. Part of it its what we are trying to do is to get the campaigns to raise their game when it comes to protecting against these kinds of intrusions which then can be as been said, weapon iced against us. Sawyers people to take those look at what the cyber zone is proposing, its a creative idea, is that the government doing it the private citizens. In a way that should make it easier for people to call and help. As we think about how we are going to protect our democracy, which are set to be more fragile than we realize, is the pretty good idea. Im really pleased to have these two people who are associated with it here with us. Let me ask another question. On the surface of our National Debate now, its a hard one but there are a lot of people out there, its clear who think that there is something that is a call to deep state. They think of people like the two of you, experience National Security, [laughter], criticism no criticism attended. People like jim who served as i remember over 50 years as an Intelligence Officer one way or another, i think about mike is being the u. S. Attorneys, u. S. Agencies, is seen every part of a government. That they worry that youve got a kind of hidden hand on the nation his steering wheel. That surfaced in the whistleblower complaint. He said what the heck is the cia guy doing to conquer the nfc staff, investigating the president. He can be really interesting for people if each of you with response from your, this long experience youve had to this argument that out there in america and want to suggest that you would want to say. Jim i have never heard of that term. Maybe i was ignorant bliss or something but never heard of that until the campaign and afterwards. Theres alleged a conspiracy of a career government Public Servants who somehow organize themselves into a conspiracy to undermine or overthrow the president. Which on its face, is ridiculous. The Intelligence Committee, almost ripped. Truth to power. On what difficult circumstances that may be, and if the power reit ignores the truth they still have to keep telling it. Mike sperry says ben, people in the Intelligence Community, they have political views but again, my observation is been consistently, they parked those political provinces at the door. Before they walk in to the office. No unfortunately, this recent whistleblower complaint, coming from them member of the Intelligence Committee, just fuels that conspiratorial fire. That there is such a thing as a deep state. Deep state is the very competitive, and entirely different context. For the military is so powerful they also control a lot of the industrial base. The revolution regarding a run, actually in addition to have military capabilities, the actually controlled industry. We dont have any of that year. Our military is completely on civilian control and they say in the lane. Likewise the intelligence communities is very carefully hedged with a lot of rules and reports. The supervisor most everything. If you look at some of the history for example, surveillance programs and the controversy, the safaris occurred because of he was uncomfortable with the decision being made and got to court perhaps for Congress Change the role. We are kind of of the opposite of the deep state. That is not so much the question of the Civil Service is it is more generally the question of not having government overstepping his role with the private sector. Our solution in our constitution as we break the government into three parts, and we also fed federalism. Will be will miss sometimes is much of the real power is at the state loophole. The police, and the Enforcement Mechanisms in this one of the things i guarantees that our government cannot overstep or really commit misconduct. Final question again when i think every member of this audience probably would want me to ask you, what is the damage to our National Security agencies to the people the cia and other intelligent agencies, the fbi that you work closely with mike. Of this period in which you have the president calling the whistleblower ci a officer, a spike in accusing him of treason. What damage does it do for the people who work for these agencies and also the partners we have around the world who are essentially. Obviously not good. Its not a good thing, and i think it affects a lot of peop people. I have to say, is the dangerous thing to try to characterize, another faq, Intelligence Community is the large complex duly expressed in a rise there are people in the Intelligent Committee that are not affected by the staff at all. If your Mission Ground stations ablaze, your endeavor or find gap or an end of the cx some place the Intelligence Officer, you know just there doing your job. And its not affected by this. So the specific elements that are really directly affected within the Intelligence Committee are of course my old office, National Intelligence director and obviously the, the cia and the fbi. It does have an effect on them. Best parts of the Intelligence Committee just arent directly affected. Just because they are a part of the Intelligence Committee, and are getting pretty regular that nothing, thats not good for morale. It is a good as well for our intelligence partners. They share with us in good faith, information that they believe is to our National Security. My observation is by and large the agencies, when their ups and downs and controversies, people still go about their businesses professionally in the vast majority are dedicated to the work. Both of they are accountable or not its not going to change a mission for a debit i will say is, generally and i think jim will attest to this, our relations with our good partners overseas, had an operational loophole have generally been able to resist the politics. Even when the politicians are at each others throats. The professionals particularly the six security space know how to Work Together and know how to trust each other. This will pass but i leave you with this thought. We set up over 50 years ago to promote freedom around the world. People look to the u. S. As a beacon for the values of democracy and freedom and the rule of law. And we stand for that, not only did we arent friends but we actually earn admirers. I remember beating people when i was in office, in central and Eastern Europe who had been High School Students during the cold war and on the boot of the soviet union and they said to me when i met them many years later, the fact that americans like Ronald Reagan spoke up for freedom. Tear down this wall inspired us to keep strong and keep stop struggling for freedom. And that as of one of the most powerful weapons we have. It would be a shame to lose it. So weve had two of the very best people to National Security to kick off our discussions this morning. Please join me in thanking them. [applause] [background sounds] our cyber attack its not unique. Its affecting Many Organizations in the public and private sectors. Cyber threats are becoming much more hostile and frequent. We must continue to understand how to protect ourselves against these attacks. Time and time again we have seen these can be debilitating. Taking out tools and Services People need to Access Health benefits, buy a home, or even call 911. This its not a state or local problem but a national one. Who should invest accordingly at the federal loophole. Hello everyone. My name is joe, i am a reporter of the Washington Post. It is on her and im here with jeanette who is the assistant director of cybersecurity at the department of Homeland Security. We are to talk at least partly about brent somewhere which a lot of people are familiar with. It is when hackers not only steal your computer files, they also lock them up and will release them until you pay a ransom and is going. This is just been a huge problem that is hit cities including baltimore and atlanta in Major Industrial players, small towns and police stations across the United States. What is dhs and the government doing about it. His of those of you i dont know, the cyber q security agency, which was established by Congress Close to a year ago. To be the federal government central. For leading cybersecurity and physical infrastructure security in working with our partners in the private sector and state and local. So first also if i may, is the second day of National CyberSecurity Awareness month, for those of you who are not aware, you know now aware. [laughter] and the recent sort of state of brent somewhere attacks, really highlight the theme that we have decided to focus on. Its about accountability and both as an individual we are all consumers, were all employees of an organization. Some of us run organizations. How do we think about how we own it and how we secure it and how to be protected. And partly we are also very much focused on those organizations who dont have the hundreds of millions of dollars of resources to do will of these things. Often times in cybersecurity circles we talk about very advanced sophisticated sexy concepts and the reality is as they ransom her attacks have shown, is the willingness to attack the most vulnerable organizations. People were wheeling to stop schools from functioning. Hospitals from functioning in municipalities, takes a sort of low tide of criminal to do that. Morrill is trying to set that up. In addition to being pretty malicious are these people relying on the brightest and best new hacking technology. No not at all. Technology that they are using is sort of commodity malware that anybody can find. And run. There is more sophisticated stuff and theres definitely some money in this, and in many cases, the incentives are a pit misaligned we do have we dont want anybody to pay out because that just encourages future problems. You should pay out. That being said, i am not the person in the midst of making that tough decision about what is going on. Hopefully understand what the risk calculus is. We do have insurers and others who are going to cover that, that furthers our problem of misalignment of incentives. Trying to focus more in the resilience and getting the tools we are going to be releasing, very soon a set of cyber essentials. Just a place where a lot of small and medium businesses state local they come to us and we spent a lot of time focusing on height and threats to the electric sector to art collections of these things. A lot of people just come as a work i start. I need to do if i have 5. Where my putting that 5. So this month, and really beyond, with our essentials we are going to continue to focus on that community. Its not new for the dhs, to focus on the 5dollar problems rather than the 5 milliondollar problems . Its not new, weve worked closely with state and locals the small and mediumsize businesses. Whats new is that we are really stepping up and prioritizing our efforts there. Often times the five dollar problem can turn into a 5 milliondollar problem many times just the interconnectedness and everything, many of these organizations might be Public Safety. They might be connected somehow in the supply chain they larger sort of traditional sort of infrastructure. We cant really separate those two communities. The concern about the ransom attack from russia from anyone who targets databases in advance of the 2020 election. What are you doing to prevent that. Pursuant to be clear that theres not a threat, they were aware of. Which is more sort of logical extension of as we are staying that is a potential scenario. There is a very basic thing to prevent yourself from being a victim. Backup your systems. The federal government cant delete these for the organization nor is it our role. We are publishing more documents in august a specific brent somewhere partnering with associations and state and local leaders mayors and others to get the message out. Thinking about where they are taking that it money and spending it on preventive measures and also being able to understand the federal government can help in a response. The big picture. After two years of working on this is 2016. How confident should americans be of the 2020 election will not be or suffer from a compromise by russia or another hospital actor. Remain very confident that the tally of the votes the actual vote count itself, will be faithful to what the motor actually put into the machine. Former security talked a little bit about the broader sort of architecture. Some of the things we really focused on that increases our confidence and talking just about it election infrastructure. In 2016, as i sort of three main gaps. The first was around visibility. How to federal state and local have visibility and how is manifesting in their system. Recognizing that as of the voting machine, this fairly connected but systems that are potentially accessible remotely. So we focused a lot about visibility, we spent a lot of time and effort to. Now where we have sensors covering all 50 states. Execution for improvement that takes intelligence information and others aided from the federal government and Threat Intelligence companies and quickly sort of pink those. The other thing was ensuring that we had an understanding of communications protocol. In 2016, if we have intelligence that said he a potential victim or target, and our practice is to go to the owner of that system and and we need them to work out to make sure that the senior official in charge of elections and say also have visibility. We worked that out and exercise that. The last thing is really about how to speak to the public. Make sure the public is getting the facts. This gets into the disinformation side. We did some really unique things having an exercise with media. So that they would understand how the election day would unfold. Making sure that we have quick abilities to run down if somebody is posting on twitter that abutting machine is behaving erratically what did happen in 2018. We were able to quickly run down and nothing was going on there but we are able to get the facts. If that to the media and the public. So those three areas continue to focus on and i think in 2018, we are able to really demonstrate a loophole of sort of cross party and cross sector and cross federal and state local coordination that we werent able to do in 2016. We will continue to expand that including the private sector those who do make the Voting Machines and the books in that ordination. Leading up to the elections from the time that first absentee ballot is sort of mellowed out all the way to the final vote is tallied. Despite all of the work from dhs and all amateur other agencies. We looked at a bunch of Voting Machines that are going to be used in 2020 purity. There were other reports about Voting Machines connecting to internet when they shouldnt be. Possible other issues. Should the american couple public be concerned about that. Ashley think about those vulnerabilities. I think that its important to think about these things in context. We still need to root through the report to the voting village. We want to make sure that what was done there is how real live is sort of. Thats an important thing. People work in cybersecurity, we have a term, you are not sort of dependent on one machine being fully secure. All of the time. And not ever be able to be hacked, you put a lot of things in place. Both physical and personnel, as well as technology. Thats really what we are focused on with state and local and frankly something that they have done for years. Every time you have votes tallied, you have people watching that happen. Theres going to be a lot of indicators that something was misaligned, we will be able to see that. We still sort of remain focused about any actor who seeks to spread this information or to dissuade people from voting. Thats always a concern. Thats our sway before election day. So were going to continue to work to make sure that people understand where their authoritative sources that they can get a provisional ballot. Even if something on the registration its not showing that they are eligible to vote. Training in technology from companies you dont trust the nations you dont trust the russian antivirus dispersed and the Chinese Telecom while way off of government systems. Are you working on and hasnt been any ways of figuring out how to get things more secure upfront so that you dont have such a long process for the next while way. Does a few things there that could take multi hours to talk about. On the kind of secure by design sort of concept and thinking about how do you have more secure code. There is a lot of the Software Community that is working on this. Were continuing to work and have you build more secure cutting building practices. Has your transparencies. Do you know, a lot of products are correlation of different sort of codes that comes from different places are different programmers. That may come from Different Countries. How do you have transparency in that. That is something will have to continue to have both hardware and similar transparency and where did it come from. From our perspective, what dispersed ski really taught us, you cant have a blunt approach and say everything from ex country is bad and we cant use that. Our economy just doesnt support that. We chosen to outsource a lot of things over decades we cant just flip that switch. We do want to get to a point where we have more trusted capabilities. What we really learned is that what we have to or what you cant just sort of hope that you cant have this perfect case the company is the witting agency of a foreign intelligence agency. The ego, lets just get rid of that. Instead, were very riskbased or in organization what we came to is sort of three components of thinking about and we would encourage others, when you are procuring your it products and services is the country of the law of where the product comes from or where the data is stored is important. There are certain laws regardless of both of a Company Wants to, cooperate with the government or not, there are laws in russia and china and others that would compel that company to provide that data. That was the case in the last one. We are comfortable with that. The second is loophole of access the di to product has. Theres a lot of things in it they dont have access to data. Thats a really important thing to think about. Then the last thing really thinking about market penetration. Were coming at it from the u. S. Perspective is that for the first two things, not something that is used in the u. S. Something to keep an eye on but its out also not something that we need to sort of overly focus on. When Congress Passed the secure technology act, thus december we happened to be past the day the shutdown. There were other things happening. The really important people at legislation, because it set up the framework, the government could do what we did to mr. Siebert gave us the tool to give it more sustainable fashion. Thats whats happening right now. The federal activation, i represent. That will allow us to have a more systematic and open process for being able to man these things. The other thing we learned is that its important to do an unclassified and frankly even public way. The reason we did it publicly is for due process. Wanted to ensure than anybody who would potentially be negatively impacted would be able to have a voice in our decision. But that resulted in was a lot of people now sort of dont fall on our directive authority, are now following our guidance. So were able to impact the larger ecosystem that doesnt necessarily have to follow our orders in anyway. We are at a time. Thank you so much for coming. [applause] [background sounds] would bad actors try to use our site, we will block them. We will take them down. We are opposed use new techniques, we will share them so that weekend strengthen our collective efforts. We strongly believe in privacy and security for everyone. Not just a few. Background sounds. Hello again, my name is joe you probably remember i did the newsletter. I am here with the great private sector panel. We have google, director cybersecurity, Senior Researcher and citizens labs. It occurred to me as i was thinking about this panel, you guys all look at a vast array of bad people and bad organizations that are targeting the people you work with from criminals to foreign government. And Intelligence Services and even stockers and malicious people in your live. Stockers and partners that access. The good way to start was heading down and starting the chain, who are rather than what are, the main people that are causing problems that you are to protect online. My team really focuses a lot but not solely on government backed threats about users and google. Really what we are seeing these days is that, pretty much every governmental and most governments are really engaged in this activity, the espionage, dissected reasons, ford disinformation periods going overtime. We have this big map will recolor in all of the Different Countries where we actually see a country that we believe is activity we have seen it from. Your after year, theres less and less countries that are white in more than a red. Really you have to be a very small number of countries now. He really is everyone. Is growing. The sophistication is really growing between the gap is closing between the high ends and what was kind of lowend sophistication. That gap is going. Its becoming more sick accessible so we are seeing normal play from the middle east and around the world, google his capability, so day in and day out we have seen as a target. Are you seal staying russia and china as being the biggest threat. Is always hardest to see who the biggest threat is. Really depends on who you know. Those four are the biggest players in the space. But as i said it is a lot more broad. If you know somewhere in the middle east, you might be targeted by your own governments. And we have particularly toward all of this uses, warning that we put out monthly that we believe that is targeted. To scale, we want 36000 users last year that we believe they were a victim of fishing. That just means they were targeted. Premier van dig. Civil liberties and rights. Where the groups you are most concerned about . My work really focused on activists. Outside of the United States. Often in north africa and the middle east. And over the last decade or so my work has expanded to get broader. We have actually seen a lot of prochoice organizations that are really concerned about their safety, a lot of Civil Liberties organizations, a lot of immigrant protection organizations are really concerned and just immigrants in general especially including legal immigrants in the United States are very concerned about their Digital Private insecurity. In some ways i have an even bigger problem than shane and that shane only needs to secure peoples googles accounts. And Android Devices and Everything Else. Its an easy job. Things are getting contentious already. But the problem that i have is that people come to me and they dont just need to secure their google environment that also Everything Else about their lives and all of their other accounts and things which are not run by google which gets somehow even more stressful and i have fewer resources with which to do it and finally in the ultimate expansion of my work i started looking at the victims of Domestic Abuse so it turns out most people who were being spied on in their lives are not being spied on by government or Law Enforcement. They are being spied on by stalkers or by exes or people with whom they are in currently an abusive relationship or one of our biggest problems with building as a model for that is that Companies Often assume when they are locking down devices that if you have usernames and the password and access to somebodys phone that you have legitimate access to the persons account. Abuse often involves access to all of these things at once so now we need to completely rethink our threat model just in case we did not have enough to worry about. Before we get to job you made a big address about this at the conference a couple of months ago. They are going to start are Companies Getting better about this in the because presumably there are some situations where apps like this have legitimate purposes. To begin with i wouldnt want symantec and mcafee to get credit. The companies that did make statements were look out and malware bite so we have three companies on board and right now since we are just now kicking off the Domestic ViolenceAwareness Month in cyberSecurity Awareness month and halloween. All of these things at once. We are really working on getting the antivirus industry elements same page to take the threat a lot more seriously. Are there legitimate uses for this stuff . It depends. Whether or not you are talking about isnt strictly legal . Often the software is violating the law. What jurisdiction are you in . They are all different people that exist in Different Countries. The place where i have intended to draw the line is software which is sold commercially and is designed to fool the user into thinking its not there. If for example you are a parent and you are concerned about where your children are going and you want to see their Text Messages and you want to know where they are thats fine as long as you dont feel the need to install the software on their device which leads them to believe they are not being watched. I dont want to give them credit that they dont deserve. John what should we be scared about . Its an interesting question. Highrisk groups similar to what eva has done and i feel like our conclusion sounds like a lot what she is said and whatever we scratch we find and i think of it as neapolitan ice cream. The strawberry is nationstate actors who got a to solve pipeline and good stem capability and then sinaloa is like cant necessarily develop inhouse but compete with. Can you name names . For example they worked for years on the proliferation of open called nationstates spyware stuff made by companies that allegedly sell to governments only for the purposes of like tracking terrorists and child pornographers. It looks more like an International Espionage instead of technology and they sell to Companies Like saudi arabia and mexico and then slosh around and use the things for targeting Civil Society groups and that gets a lot of attention in the press because maybe it involves zero polar grau these and other and exciting stuff that the third flavor which is chocolate by far the most overrepresented is the my cousin knows computers approach to cyber espionage. Doesnt need to be fancy. Just works. Thats because Human Behavior is unpalatable. The same thing that worked 20 years ago works in different digital guidance guises which is what drives shanes team nuts but its an overlap in the stuff the events we are concerned with which at the simplest level and for a decade, im so sorry. Its an rrated panel. I thought i would limit myself to one but we have seen nationstate actors using basically the same kind of spyware that producer partners end up using an increasingly a lot of the problem space ends up in the hands of someone like shane and other Device Manufacturers whose systems are still constantly locked in battle with the simple technologies. One of the biggest problems we face is enter cost is so stupid low that anyone can do it and it ends up looking a lot like the public system with the behavioral complexities that come as something. People love using their devices and they wont fundamentally change the platforms. They are designed for the most highrisk focus ways that we dont know who the next collective act of this is going to be. People who are in a domestic situation that will end up in a domestic spousal abuse dont know when they i get there and direct loan they will have someone sharing their bedroom fundamentally. The big problem. One example i lost you in the neapolitan but shane google works on exposing and microtargeted attack with apple devices. There have been reporting since the Chinese Government attacking the muslim minority. John yoo worked with this. We just know about the uyghurs. Tell me how, common do Something Like this and how concerned should we be about the microtargeted attacks . Well we really the fact that this is one example where ive seen the data. A zero exploit as an exploit where if you use devices and install it up they then you are protected because all the holes are being fixed in whats going on to really they still work because people dont patch but the exploit where there is a patch available. We take this very seriously because theres not much you can do in many cases that we have a policy and for the last 12 months mateens found five or six different platforms. That policy is we tell the company we help work with them to get it fixed and we say theres a sevenday deadline here. We are going to start telling people how to protect themselves at the end of the day. The apple case is won and thats why its a counterattack. Its actually somewhat an exceptional circumstance where we used the zero data and i think we are having a really good effect in making it harder to use these exploits and thats really the background of what that was. We really believe learning more about the techniques working ahead to make sure these bugs dont happen in the future is how we secure the entire ecosystem in the world because this is a very microtargeted threat. This is not how you are going to generally be hacked because someone will trick you into using your password or trick you into installing something. The zero threat is one we have to take very seriously. I think part of whats interesting about this case that just happen and part of why theres so much drama so much trouble companies have put the public medication and different aspects of these pieces. Google got a lot of flak for it in did some form of attribution and i feel its an interesting space because we are putting a lot of emphasis on companies basically stopping nationstates doing its nationstates surveillance stuff that companies have lots of different incentives that our kids. I feel like theres a bigger problem which is the pipeline the public and policymakers have for getting meaningful timely information about the full scope of the threat that they are at the groups face. Its fundamentally constricted by the different incentives of the different players. For example shayan what was the number for nationstates that you did . 36,000. 36,000 which is great. Holy smokes thats a meaningful number but its also challenging for example if i asked shane 6000 from which country collects google is limited in what they can say and completely reasonably but at the same time we need to know that. We need to know the states that are the worst actors. Users dont even know. We are in kind of a weird place. In some sense the dark problem is information including attribution about threat actors and what they are really doing in the way they are doing it. Im going to be mean. I promise not to swear though. Nationstates targeting warnings dont work and this is actually one of my bitter disappointments for the last few years. Ive spent many years going around talking about the threat of nationstate actors in nationstates buying and one of the things that i did was i called on companies to give users these warnings so that they know to up their game. And then it turns out that often these warnings were too vague. They did not give users enough information, that they just scared the pants off of the user so they didnt know what to do next or sometimes they would often, sometimes, often, on occasion they would go in exactly the opposite direction where they would not believe the warning and believed it was just a thing that google does every once in a while to keep them on their toes. I think now is a good time for platforms to rethink the nationstate warning and think about what kind of innovation you can give to users that they will actually act on and that will help to protect them in the future instead of just scaring their pants off or getting to the point where you can no longer scare the pants off. I would say its like the person who initially rolled out these warnings way back in the day. These need to be challenged. How much can we can make it without revealing what causes and how to give changes to make change. Some users definitely do secure them. I think we have ideas. When i started this nobody believed the nationstate threats and now we are having new conversations. If anything people are becoming blase to the whole thread but when i talked to rushing campaigns and activist people do believe there are nationstate threats out there. I think its a wakeup call for people and we have some who say im going to think about it and now we can take action. Ideally we do want to take more action. I think there is a more research and how to make it more for defaults but i also think we as platforms and as everyone else in the industry we put all the blame on the users as well. We tell everybody to drive safer but you have to build safer cars. Returning to work very hard tube told safer operating systems to make it so we can also do a lot to help. You mention campaigns. Its organizations and not just users that arent doing anything with the information. In 2016 they have been trying to get as much information as they can to the campaigns to local Elections Officials and say what the heck can we do with this information . We dont know how to respond to that. Is there something in particular and we will start with government and corporations, the government should be doing to improve the situation . I mean i will take a free. I feel like its really great to have conversations about cybersecurity with a bunch of government books with the problem is when they talk about cybersecurity its their show and they like to think about cybersecurity issues as the great game, super exciting and they play it with each other and users always come second or maybe third. The problem is my volume most of the bad stuff happening on the internet is happening to individuals who dont have anybody really has their back and have to depend on the larger quality of things like chains. For the most part part their governments dont have their back. A number of cases will where they have gone to users and they have the problem of users and nothing happens. They have no meaningful recourse. Its remarkable and i feel everyone is watching videos on line of people getting arrested in the u. S. And basically everybody who gets arrested is some version, i know my rights. They have that experience like i know my rights and you cant do this to me. Nobody ever says that our experience is that when they get a nationstate warning. Nobody ever says or experiences that when they are a victim of phishing and its a huge problem and it doesnt get changed by folks in government basically continuing to view cybersecurity as other states. Even if there is a discrete thing the government can do to make the people you work with more secure . I get suspicious when somebody says there something the government can do because i spent a lot of time texting people from government. Im not here to tell you government and Law Enforcement good guys but im suspicious of giving them power and im very suspicious of any remedy that involves asking the government or Law Enforcement to somehow be better and rescue us from our flow. I think that what we need to start doing is really start organizing as a Civil Society and there are two ways to go about this. One is the people who are speaking truth to power, the journalists and human rights lawyers and people who get out and demonstrate in the streets need to have a very solid threat model is going after them and how and why. As part of that involving the work i do and that john does as citizens lab which is writing reports about the kinds of threats that they face so people can then do the right thing. The other half of that is the work that shane does which is just speaking everyones Communications Private and secure by default so you dont have to sit there and worry about whats going to happen when the government comes calling. And then finally there is sort of the last group of people who really often get pushed to the side and that is victims of Domestic Abuse. They have the hardest threat model to deal with because they are dealing with somebody who actually has interaction with your stuff. Its really up to the companies and platforms to start thinking about ways to deal with that particular threat model because i get way more calls. I get way more complaints and i get way more work than a Single Person can possibly do. Before you go on we are taking questions over twitter. Tweet the emmys and the post live and i will try to get them to the guests. John did he want to Say Something . Even makes an interesting point about changing threat models. I feel like one of the things that we see a lot of inner research is device compromise. I feel like the new form of this at least what we are seeing is a smash and grab approach from sophisticated actors were they get a device and they grab on and then they go. One of the challenges there is like man they end up putting a bunch of stuff on devices. Im super excited to read yesterday as im sure some of you folks have it looks like one app has begun to experiment the there was a report saying they are starting a group chat. If you like that stuff is really important because a number of cases that i look like at where threat vectors have gone on and they have spent 20 minutes on the persons laptop is huge and addresses some of the issues around intimate partner surveillance. You get a device you dont get a minus one, two and three years of personal stuff but i feel that experimentation is good and important but i also feel like and i worry that theres a National Security right now around the importance of axis securing encrypted information and hold by frankly a scary narrative around dark players and bad things pornography and terrorism. It has rebounded since 2014 and theres a Justice Department conference on it friday with the fbi drug fbi director. Cheney wants to talk about this . The encryption debate never seems to die unfortunately. We are against the back doors. The argument here is everybody thinks its a natural solution where the communications to the socalled good guy or bad guy now. We really have to as you mentioned here before create a secure platform because we really have to weigh the risks here are. The risk of tapping these open platforms to create a open backdoor for a good reason is way too high. Y. Is that . Can you give a 32nd explanation . It having a back door encryption one you dont have encryption and it means somebody is in the back door. Even like to hold that magical backdoor key you need to keep their keys secret and there are solid arguments about what happens if the secret back door gets stolen and what happens if some insider gets access to it. Its just creating some other new mechanism where people can have their data stolen and. Uses the debate inside the National Security system . Every couple of years a certain set of folks who are struggling with legitimate Law Enforcement challenges i sing you know what lets take another crack at this encryption thing and maybe we will have the case that will do it this time. Within our world most of us may be its ideology and maybe its historical experience or suspicion that this is probably going to result in that thinks. Become they come at it from Different Reasons like my argument is i have no idea what the next couple of years will look like in most countries if we have learned anything in the past two years and we have no idea what happens when capricious folks with access to request the status decide to do so in ways and that in itself is a good argument that important to encryption. Before we are out of time is there any light on the horizon for things Getting Better for the average person or for highly targeted people in the next five years . Yes. I think theres a light at the end of the tunnel. The attackers are having to work harder. The rate of phishing and malware by platforms and systems so attackers are having to work harder which is a good thing. We are so seeing what they can do. We have things like detection. If you wanted to sign up with a security key. But leave it there for someone who wants extra protection which to be honest i dont think he was there for five years ago. But i think and i want people to walk away not thinking theres nothing you can do youre going to get hacks to give up. If you do take a platform and work at it and you trust the platforms ability to do the job or risks, you are a lot more secure and you have pretty good odds. Of course theres a super targeted stuff like getting hit by lightning in a row world but in the role of vp worried about having a heart attack or Lightning Strike but you should be worried about the major stuff in the overall security is increasing. Im going to take a dissenting view dissenting view. Surprise. To some extent some of our accounts and some of our platforms are becoming safer and we have more options and that is great but our attack surface is also expanding exponentially with every passing year. We are filling our homes and our offices with microphones and cameras that are extremely insecure and that are often manufactured by companies that dont have security as a particularly high value. They certainly dont think about nationstate level a pt in their threat level went i dont think about Law Enforcement. For example there is a great deal of argument about the installation of ring doorbells and their partnership with local Law Enforcement. Amazon continues to insist that this cuts down on crime whereas the research seems to indicate that filling a neighborhood with cameras that everybody can see does not actually cut down on crime. It just increases the amount of surveillance. Real quick before you run out of time i dont want to end without talking about election security. Big picture of how confident should we be from a private sector perspective of 2020 content . By observation is every time we have looked at the elections outside the u. S. In the past couple of years every time we have scratched we found all kinds of players domestic and foreign mucking around in those elections but i cant think of an election thats happened in the past two years where there havent been experimentation and mockery. Biggest thing that bugs me what is mockery to be clear . The biggest thing that freaks me out is that so many of our analogies when we are talking by the virtue of the 2016 narrative that access is pulling our tuition backwards and the problem space looks really different. Im not at all convinced that we have got a good handle on it right now. I wouldnt say we have got a handle on it. I went through 2016 and there are a lot more people taking this more seriously. The government is taking a more seriously and industry and people working together. Its the top priority of everyone so watch this space to see all plays out but if it does happen is not going to be due to lack of effort by the platform. I think people are taking effort. Thats all the time we have. Thank you everyone and please hold on for our final segment. [applause] the deployment of foreign proof encryption is already imposing huge costs outside. These costs will grow exponentially as deployment of foreign proof encryption accelerates and folks are emboldened by their ability to evade detection. Hi everyone. My name is Ellen Nakashima im in National Security reporter for the Washington Post. We are very fortunate to have here today sujit raman the associate Deputy Attorney general of the department of justice and he leads on cyber issues for the department and chairs the attorney general cyber task force. We are going to have a very wideranging interesting conversation with the key issues facing us today and thats the challenge of encryption and what the fbi sometimes calls going dark. Set the table for us by describing briefly what role digital evidence plays for us for you and your criminal National Security investigation. How crucial is it . Thank you for having me today. Digital evidence is critical. If you are in the business of trying to enforce the rule of law and a system the way that you prove it in court as their evidence and the reality is the world we live in today everything is digital. Your Business Records are digital and your phone records are digital and often your communications are digital so for us to build cases we need to have access digital evidence. Of course everything we do was founded by law so we want to make sure we in Law Enforcement when we seek evidence we are doing it in a lawful way. Part of the difficulties we are facing now is the Way Technology is developed, technology has incredibly positive benefits and encryption is something we are supportive. If youre in the business of detecting Sensitive Information including government information you want to make sure its secure. On the other hand those very same technologies that protect information also make it increasingly difficult to gain access to it even with core authorization and that in a nutshell encapsulates the going dark problem. Give us a sense where roughly what percentage of. A category criminal, what percentage of those cases does the encrypted evidence pose a challenge . And think its difficult to modify because it depends on the nature of the case, the type of case and the type of investigation. What i can tell you is when it comes to for example data in motion so communications this is publicly known. Many apps are encrypted so we cannot gain access even with a court order to those communications. People are communicating lets say by face time or i message. Even if we go to a judge and fulfill all of the rigorous requirements and see a wiretap under federal law when we tried to serve the order the Company Simply cannot execute because they design their systems in a way that doesnt allow interception so that creates tremendous obstacles for us. When we have satisfied all the legal obligations. Is more than 50 in your drug cases . Like i said it depends on the nature of the case. What i can say once whatsapp was encrypted a few years ago the number of dea wires fell precipitously. I wont get into specific members by can tell you was a massive drop because dea investigators who are running these wiretap wiretap and in organized narcotics cases thats how they are communicating. Whatsapp which is a very popular encrypted app went encrypted. You have a Material Impact on our ability to solve our cases. This past week in your times published a Major Investigation on child abuse and exploitation on line. The report is unequivocal. On line child abuse is rampant with no signs of stopping and Technology Support and protect the future. Encryption specifically has been a major roadblock for Law Enforcement and in fact facebook recently announced it was going to look strong encryption on messenger. How will that affect childabuse . Youll you will have a tremendous impact and im glad you mentioned that ellen because thats one area we have clear statistics. Last year around 18 million, more than 18 million tips, cyber tips were reported at the National Center for missing and exploited children but these are essentially tips that Technology Providers send to a Nongovernmental Organization showing evidence of child sexual abuse on the platform. 18 million and think about that number if facebook encrypts all of its platforms including messenger an instagram which the company is publicly said it will do the estimation is that millions of those tips will go dark. To put flesh on the bum last year about 18 million tips, over 90 of those tips were reported by facebook. The company under the current status quo is doing pretty good work in trying to identify Child Exploitation of material. In the supports are reported to this Nongovernmental Organization so that organization can b referred to Law Enforcement or take appropriate action. Busuttil state and local and federal Law Enforcement we follow to try to arrest the individual. The key point is of those as i said 18 million over 90 last year were provided by facebook. If facebook encrypts it its essentially 70 or 75 of the 60 million tips will go dark. That is a very Practical Application of how not having visibility into whats happening on these platforms will have a Material Impact on Public Safety and these are children. This is a child sexual case we are talking about in the news york times article said its widespread. Stuff thats happening on the internet now is really. Scary. These Companies Facebook apple they have talked about the encryption that they are putting on their devices and on their platforms as a way to enhance privacy and security of their users, if everyone. So it helps criminals. Thats a price to pay for living in a free society. The Justice Department fbi in the last three years or so have tried to have a public conversation. They have asked these companies to voluntarily try to work with them to come up with solutions to the problem. Bill barr the attorney general in july sort of repeated that call and he said as the companies have the capability and ingenuity to come up with technical solutions. Where you stand on that . It we made any headway in that debate and that ongoing conversation with Tech Companies . Its been difficult. Candidly we are not looking to demonize the Tech Companies. These are the same companies that have created prior with carson drones and wearable tech previews of the most Innovative Companies in the world. The question we have or the call is work with us. Try to find ways to protect security, protect privacy but also factoring them important upon the Public Safety. Often in a conversation thats whats forgotten and there are as i said very real attacks on real people where we are not able to have visibility into whats going on with these networks. When it comes to companies have been reaching out. The attorney general and the director of the fbi has made overtures. I wish companies would do more and thats something we are working on that as we are not working to demonize the companies we hope they work with us but we have an obligation to the American Public to call a spade a spade. We arent going to go away either because this is a real Public Safety problem. Are you considering legislation to require companies to build and lawful access to their platforms . This is an administration wide position we are actively engaging with the public to raise awareness of the lawful access problem in a warm proof encryption problem. I think you will see various parts of the government reaching out. Youve got the department of justice and youve got the fbi and the Commerce Department will be reaching out to talk about the need to solve and find solutions to this problem. The department of Homeland Security which has a very important Cybersecurity Mission but also significant Law Enforcement division as well. Youll see them probably reaching out and trying to raise awareness of this issue. We are at a point now where we are trying to make sure that the output is aware of the costs and benefits of whats going on here pedal out of decisions are being made by Corporate Executives for their own business purposes but that has tremendous impact on the Public Safety and our broader Public Policies that have broader political conversation needs to take place you mentioned legislation there other rule of law nations that have made legislative moves in this area. Last december australia on the rule of law partner of ours enacted legislation in this context. They are still implementing it and figure out what it looks like and britain also a couple of years cost the investigative powers act which has certain provisions relating to providing decrypted information. We run the risk and america falling behind. Our partners are democrat rule of law partners are starting to examine this issue because they understand its a very complex set of factors that we need to take into account. To those laws apply to Companies Like facebook and apple and google . I think youd have to ask the australians and the british about that. My sense is that they would have similar jurisdictional principles as we do so in other words of American Companies are doing this and countries exactly what the mechanics are and my understanding of the australian legislation and its still in a pretty early stage of implementation. Lets move onto a separate or related issue that grows out of actual legislation that Congress Passed a year ago now. The cloud at and that was to get at the issue of accessing data but not necessarily encrypted data. Can you briefly describe the cloud at this . The cloud act was a major legislative accomplishments last year. A Bipartisan Organization was very supportive because Many Companies found themselves in an awkward position. They received Legal Process from say the United Kingdom but they would be barred from producing data to the British Government because american law had essentially a block function that you couldnt produce data to a foreign government. Those are privacy protections but he cant just produce data to anyone who asks. The Companies Found themselves in a very complicated position where they were under a legal obligation to produce data in the United Kingdom but they were forbidden by u. S. Law to produce that information to the companies came to essence of look where and a really tough spot here. Can you please help us . We were hearing it as the Justice Department from our partners in the uk who were saying look we are trying to investigate a murder that took us in london. The perpetrator is british and the victim is british and everything happened in britain but the guy was using a Gmail Account so the evidence is held at a u. S. Service provider. We can do our jobs. Outside the uk american law forbids google from producing a response. There were an just in time mx and law. If foreign partners asking for help and industry asking for help. We had her own motivations. We dont want murderers running around the streets of london. Everyone came together and in march of last year enacted the cloud act. Essentially what it allows for rule of law partners that we engage in bilateral executive agreements with to serve usbased Service Providers directly with the Legal Process onset of having to go through the mutual assistance treatybased process which can take a couple of years particularly with electronic evidence cases once the agreements come into place the uk can serve google directly and receive data directly. Is that happening now . It this agreement in place . There are not any agreements in place yet. The u. S. And uk have been working hard to move towards finalizing agreements. Im not in a position to make any announcements today thank you ellen for asking but i would say look this has been a priority for us. I expect there to be promptly. Will this Bilateral Agreement apply to countries like russia and china . No. The straightforward answer is no because under the statute imposes part of the negotiations. We were trying to get this legislation enacted in congress. We had very positive conversations with the civil rights community, Civil Society community and obviously with Congressional Staff as well to make it clear that this direct exchange of data should only occur with rule of law countries and protect privacy and honor Civil Liberties and have protections in place. Theres actually a catalog of factors that the attorney general has to certify that country x meets the standards that will he before he can engage one of these bilateral executive of agreements. The short answer to tell a tank countries have no business entering into an agreement and we will not engage in negotiations with them. The time has flown by so quickly. Do you have any other announcements to make about encryption going dark within the department or a plants . On friday we are hosting a public summit of the department headquarters. On the question of war and proof encryption and the impact it has particularly on Child Exploitation cases and to get to the question at the outset. We anticipate a highprofile event to the attorney general be there in the fbi director with two special guests from around the world the british home secretary susan patel will be there in the Australian Affairs peter doug. We are trying to send a message that when it comes to access to information we are united on making sure we protect privacy and we protect Civil Liberties but we also keep Public Safety imperatives and might as well. Thank you very much. Lets thank them and move on to our final segment. [applause] we have economic espionage investigations in all 50 states that traces back to china. Every day americas effort to adversaries are testing or cyber defenses. They tend to gain access to our critical infrastructure, exploit or Great Companies and undermine entire way of life. We cant let that happen. Hello again everyone. Ellen nakashima with the Washington PostNational Security reporting for the last conversation of the morning we are so proud and honored to have bill evanina the top counterintelligence officials and director for counterintelligence and Security CenterUnited States as well as David Hickton the first is to turn to obtain an indictment of Chinese Military spies for economic espionage or is the likes to call them the og of chinese espionage cases and the founder of the university of Pittsburgh Institute for law, policy and security. So our conversation today is going to focus on the counterintelligence priorities for the country against china. We often hear of the challenges of a rising china. Its an indefensible trading partner and at the same time its arrival on the global stage. China has a complicated relationship with the United States especially when it comes to that Technological AdvancementGlobal Market dominance. Bill was the head of u. S. Counterintelligence you have a unique Vantage Point when it comes to china. Wheres the u. S. The most vulnerable . It said economic espionage . Is it dominating technologies . Is this a chinese fight or u. S. Fight or is a chinese spy agencies versus spyware and academia . Are the framework to challenge . I would answer all of the above and when you look at it from a Strategic Perspective by the u. S. Government the private sector we have to look at all of those sectors individually but as a group and its importance for the audience to understand geopolitically militarily economically china is all ones on america we have had the opportunity to grow up in a society where we have clear bifurcations between the government the private sector and the criminal element. Thats not the case in the peoples republic of china or russia or iran. They use all those resources of the one to combat us. This conversation is an important part. Right now its Intelligence Services battle against the private industry and thats not the way we do business. We are trying to combat that and allow and alleviate a threat by integrating the private sector is part of the battle and thats her biggest challenge right now. As i mentioned you let the case against hackers working towards the Peoples Liberation army of china but thats one of the many in the cases he have spearheaded in cyberspace. How many of them have actually wound up in prison . Once in a while you have someone travel to a country with an expedition treaty and it gets picked up and said the pair but chinese hackers are not likely to do that so how do we hold chinese actors in cyberspace accountable . You are correct but the case we brought in 2014 led to the agreement between president obama and president xi which is an even greater result which everybody agrees reduced intellectual property in the election of 2016 but you make a very good point. We dont have an extradition treaty and this is one of the challenges of the borderless nature of cyber crime. They argue unmasking cyber criminals has virtue in and of itself but the principle currency of cyber crime moses their anonymity. If you unmask them and declare that they did if thats first step. By the time i left the government is trying to expand the forums for adjudicating these cases beyond criminal desiccation to the World Trade Organization commerce and treasury. My belief is that we need to hold foreign actors to the same standard we hold american citizens so if they steal from our district particularly intellectual property they ought not participate. I want to jump on that. I believe that was a moment in our governments ability to combat trade secrets because it turned out to be a marketing endeavor where we were able to educate the American Public as well as the entire government writ large of an Intelligence Service in this case the Peoples Liberation army and or economic ingenuity for military purposes. That was a watershed moment. This is the first time we were able to shed light on that test. One of the key achievements in that dave was your ability to get the private Sector Companies who traditionally historically did not like to come forward and admit that theyve been hacked or compromised have the names of their publicly for crimes of reputation. Youve agreed to be public about their names. How did you get them to come forward . I had representative many of these people and known many of them since childhood but i spent most of my time trying to make sure that we could not only bring the case that tell the story by putting a picture of the defendants which we did on the back of the indictment that iconic picture that came off of a wanted poster to show the public who did it and a parting from what would have been the norm which is company a, b, c, d, e and when we announce i described how this affected real people. U. S. Steel, the united steelworkers, alcala westinghouse and how this led to factory closings and lost jobs and why we needed to care about this. Will come expand on that. I was in 2014 and now here we are five years later. Its not just secrets of the chinese are after. They are moving into farm and genetics. Publicly we talked about the span of influence and requirements. I would say the ministry of state security works with the communist party to steal her innovation that goes from farmer to green energy to technology to future markets gas oil shale clean energy and a year a few years ago the monsanto case dealing hybrid greens. They would rather not create their own research and Development Arm when they come to the west. Their Patent Program is quicker and more effective than ours and they immediately had gained at the local or international market. This idea of them working with genetics Mapping Companies in the u. S. I hadnt heard about that. Whats going on there . Not only did they use their intelligence arm to steal our intellectual property and trade secrets but in the case with the utilization of duke and yale cat ability for genome mapping sometimes we engaged them into great collaborative work with their Academic Work and they take it anyway. Its a nonwinning environment that they took that technology on the genome in dna and used it to imprison over 1 million uyghurs. Even Great Technology that we utilized for great purposes sometimes is used nefariously by Intelligence Services of rogue agents. This was done by the msn which is a major Intelligence Service. Is this through legitimate lawful partnerships clamp. Some lawful and some unwitting and some illegal. The idea that they realize the whole country approach to intellectual trade secrets they will use academia joint Ventures Plus private equity and venture capitol to utilize all tools or whole Society Approach to obtain her secrets. Talk about both of you about the academic approach, this issue with the chinese trying gain access to universities for the secrets but also trying to influence academics or chinese researchers there. How much of a challenge or threat is it and what is the governments role here . In my view the good news is we are still the cradle of innovation and best academic country in the world. Everybody loves to send their kids to school here but lost in the shadow of the pla kids which i did in 2014 in 2015 i expose the network of gunman who were fit dishes or fraudulent testtakers who existed in this country who were taking the s. A. T. And the gre for students in china and somehow they were getting passports. They were given admission to our colleges and then they would get a student visa and go home after they were educated here. This was an organized network and at the least deprived American Students who might have been paying taxes for some of the state related colleges and universities. There is invasion of our research and cases that were done there. I believe its a real threat. I believe what the government should do about it is the same we do with intellectual property. Seems to me if we are going to have Digital Space and we are the number one economy in the number one research and Development Location in the world american citizen should be treated equally as citizens around the world and nationstate intrusions should be treated as a present and real threat. I cheer the expansion of this initiative. I will double down on threat. Its critical next at 5 g. Moving forward but what we are doing about it, for the past year working on a bipartisan effort in congress. Chairman and vice chairman of the senate Intelligence Committee. We utilized the dhs i met personally with 150 University College president s doc about the threat of what its like. We gave them pacified reading so they could understand the intentions of these foreign leaders as well as heres the threat manifested in heres the amount of investigation being done by the fbi and they Work Together to find a solution that is not only effective and efficient for universities and colleges but also doesnt perform the effort of because the argument is then this is a racist issue and chinese Intelligence Services have been pushing that envelope very effectively here in the u. S. But its not. We look at the amount of investigation the fbi has which is over 900. 95 are from china. Over 900 espionage investigations . Economic espionage. In fact there have been a few cases where the department has had to drop the case of the case got thrown out for lack of evidence and these were cases of i believe economic espionage against chineseamerican often academics or Research Universities which has led to criticism that the Justice Department is overreaching and to seeing a chinese threat amongst the chineseamerican community here that doesnt really exist. Im in academia now and i think thats a valid concern. We still in our cetaceans of Higher Education aspire to have a worldwide student body with an Educational Opportunity in a diverse population. I think we have to be really careful. I would double down on the importance of understanding threads versus who is committing the threat. Recently the fbi charged and indicted an american citizen at a University Campus for spying for the chinese Intelligence Services so its not about the chinese individual students that are here. About the Congress Party of china and how it manifests in the u. S. Through administrative programs. Its a Holistic Program but its not about the legitimate students coming from china to study here. What is the role of the u. S. Government to have u. S. Competitiveness here. I will pass on the role of the advancing our competitiveness. I think it is a significant threat in their ability if you map their allocation of Government Funds to phyllis eight into billions of dollars as dramatic. We do have also which is none fair blanket bandages all of the best, indiana, they stole only here but american in the world. Subic personally identifiable information. Thats right. This recently the anthem healthcare, 78 million america americans, use that in the ai to accommodate analytics. So the more database to steal from us, from pii with her travel records they used that to facilitate on platforms. Subic it all went into big databases. Algorithms for ai. More than 50 percent of American Adults half of us here have gotten things and faxed to us stolen. To between an investment in Scientific Research is the threat to us. But we and pittsburgh, have been home of a lot of great advances both of its medical or manufacturing, technology, those of all been sponsored by present sponsorships between the government and the Academic Community and private industry. We need to continue that so that weekend make pittsburgh or detroit or philadelphia the envy of shanghai instead of the other way around. China has one advantage in the sense they are much more of a command and control economy. The government can basically Order Companies and universities to do things here. We have a much more free market system. Try to keep independence on the market. Is there now or more of a need for the government to sort of maybe direct areas of Research Funded given senses so that we are not left in the background. Perhaps but even when the government his responses are directed, still driven by the site is. Id like to address the premise of your question. Some think the initiative particular the word that i did. Was anti china, it was exactly the opposite. I personally believe that china is the linchpin of developing norms and laws in the emerging world of Digital Space because they are the number two economy in their world. At some. , theyre going to appreciate that they have as much to lose is the number one economy has to lose. Theres the old Law Enforcement, from willie sutton, we do rob banks, because thats where the money is. If you look at the threat vectors, theyre all coming at the unitas his because we have things to lose. They can barely turn the lights on in north korea and russia, but china is like that. Applying law to Digital Space was the essence of my mission in my former job, i think we do that correctly, it becomes of a strategy as opposed to in a tactic. Doing china our partner. That was the strategy for years, the engagement, between u. S. And china. To open our market to them so that they would need to become more like us and want to be a part of the free market. And abide by the rules. And they havent followed those. They are following the same norms in cyberspace respecting free and open internet. So how likely is it that we will be able to get china to become more like a law of a nation and abide by western norms of tradition. I cant predict the end of that but any efforts like this requires persistence and take time. The one thing that has been successful is if you just look at china at large, they largely have become more western. Their young people are more western. I think that our engagement strategy, has worked. It just requires continuous effort. I would differ with my partner on this one a little bit. On leadership, they become the most amazing surveillance state in decades. The social so they have the ability to have photograph and face recognition of every second of everybodys live over there, is really, you see whats going on in hong kong. Secondly with any change, then we just talked about has to come the agreement of ceasing the property and trade secrets. Were somewhere in the middle of 400 to 600 billion a year. In Economic Loss due to theft. Thats about 4000 per American Family after taxes. So we have to be able to spend that time. With the cant, i dont know how we can get to a place we get back to the policy of hope. Sanctions, there was a. Where the Obama Administration was about to impose economic espionage in china. Multiple levers to include that to include policy in the white house legislation in congress. I think the main a change in the mindset of the american people. To understand the damage. The value added and the value subjective from this if it. This really literally going to be a whole country approach. I dont disagree with what he said but i do believe we need sanctions, and i think we really have to appreciate that current trade war, has impacted us negatively. We have divided our absence in the current trade were as opposed to multiplying them by combining application of the rule of law with selling below cost within our markets when we could multiply that to conversation with have to in my view. Only get to a question. The first i want to get to the issue of way, the Chinese Telecom equipment is the big issue for the u. S. Government you wrote especially as we are moving into five g superfast super quick network five g. Mixed results and success, eat in an argument in there is allowing them into your networks will open the door for either chinese surveillance or cybertek that could disrupt the network at a critical moment. But sue gordon who is the re says Deputy Director of National Intelligence, you know well built, has publicly argued that we have to take those pragmatic view while even if we dont have alright in our five g here, there will be other countries around the world that do have the internet work and we internet connect with these networks. Got to manage risk and presume this dirty network. We think the issue is right. I hate to even think about have to presume a debt during network. The world we live in, that is the beginning of the end of the intelligence part from a practical standpoint, she might be right. But our efforts in the intelligence communities is counterintelligence at large. Not have the dirty network. We been able to prove so long the rope, of what way and what they are capable of doing it right when we have a five g platform. I would also say that they to me, its not the problem. Is the communist party of china. If they go away, another company will facilitate that law or communist party of china, and the efforts to be the Global Supplier of telecommunications. I think that is the threat we face. Not necessarily a company. I agree completely. One of the last cases i worked on, ultimately led to the indictment of the so called group of advanced threat group three. The case was originally presented to me, it was on the obama care agreement. It was later to be a global satellite case. Google satellite, precision agriculture was i didnt know about. It later became written up as the spy arm of huawei. It sounds like something that just emerged but has been going on for some time. I agree that they will go to what until we and someone else will replace them until we address with china what is going to be our understanding. I am confident that weekend get there. Its just going to be very hard. I have a question from the audience about Law Enforcement tools indictments. A person has had to the indictments against chinese hackers done any good. I think youve mentioned that at one point with help this all lead to the sheet agreement. A pledge not to conduct espionage in cyberspace. It worked for about a euro store but then where it started telling off on attacking the m msn, now that agreement is it meaningful. I think is an expectation issue. No one would suggest remote that the fbi started investigating bankruptcies of Bank Robberies is useful or useless because weve never solved a bank robbery. Our expectation and Law Enforcement is to reduce not eliminate crime. I think was a very important start. Id be the first to admit it was extremely versatile and we did not bring up pittsburgh. Maybe the only one who may be that they are ultimately trying pittsburgh. No one thought of it is the time. Imagine we give them three scares and roof over the head for ten years or does the president try and rush to get together and reach an agreement which everybody agrees for. Time reduces property theft down to zero. She came over to the agreement in part because i think the threat of economic sanctions where washington part house reported that it happened. That combined with the indictments will be a push them to an agreement. Two things. I think the agreement, she said in the forefront the conversation. I agree that he is president and agreed to stop the economic espionage with the cyber perspective. But not from the human perspective. That date increased prospectively. The more human based effort. Secondly, i think the indictments are critical, ive spent a little time with her partners to finalize. The recent two indictments have been earth chatting i think when it comes to getting the facts out by doj and with the indictment are. What are the mean for the private sector. When i go to estonia, they looked at these very carefully is that manifests in their countries. So as much as we are exposing particularly china for various activities, and there was positive impact of their around the globe about the same activity in our country. Im afraid thats all of the time we have right now. Lets think bill and david for a wonderful conversation today. [applause] [background sounds] one thing i thank we can all agree on is negative polarization. What it means is that i have less affection for my own side and i have hatred for the eyes of the site. So for example, even in the obama era, we cant say negative polarization began to talk, he didnt. But in close. This marking up was really long time. If you hold the average republican, their opinion was democrat 82 percent would say they strongly or somewhat dislike a democrat. In 2 percent. He pulled the average democrat they strongly somewhat dislike republicans, they were far more tolerant, 78 percent. [laughter] they hated the average republican. Some have an incredibly divided country. We have an enormous amount of animosity. You can watch this entire debate from the university of notre dame tonight at nine eastern on cspan. You watch our Program Online at cspan. Org arneson with a free cspan radio app. Friday, at 6 00 p. M. Eastern, live coverage of Hillary Clinton and her daughter josie, talking about the new book, the book of gutsy women. Stories about women who inspired them. What are live coverage from the politics store in washington dc, friday at 6 00 p. M. Eastern. Im booked to be on cspan. Next forum of National Security adviser john, talks about u. S. North korea relations any chance by the Trump Administration to reach a nuclear arms deal. The center for strategic and international studies, is the host of this if it. [applause] thank you very much. I appreciate the kind words of introduction and i want tonk