And let us defend the second amendment. It is simple to me. [applause] i believe that was the last question because i want to have a chance to shake as many hands as possible. Thank you so much for your warm welcome. When i started this campaign there were a lot of people who said it could not be done. And i knew it could be. Because i have a lot of faith in people. I have a lot of faith in people. And i know that all of you agree with me. And so many people across generational lines, gender lines, party lines, so many people have been watching and paying attention, and saying we can do better than this. We need to do better than this. Every wound we have can be healed. Every problem can be solved. What it is going to take now is leadership and citizenship. But truly, we have everything we need. We have the potential of the people of the greatest nation on the face of the planet. Help me, support me, talk to your friends, talk to your neighbors. Go to carlyforpresident. Com we can make sure this will be the greatest century for the greatest nation on the face of the planet. Thank you so much. God bless you all. [applause] [indiscernible] [captions Copyright National cable satellite corp. 2015] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. Visit ncicap. Org] announcer now, a discussion on u. S. Phone her ability to cyber attacks. This is 35 minutes. Good morning, thank you for being with us. Lets talk about the office of Personnel Management and this cyber hat, headlines say that china is the leading suspect. Lets go through the numbers. 19. 7 Million People applied for a background check 1. 8 nonapplicants impacted, so total of about 21. 5 million current and former employees. And after and people that applied to opm for any sort of clearance that included topsecret clearance. Including fingerprints including 1. 1 million fingerprints. It is an indicator that, in many ways, is the Gold Standard for authentication. That is a tremendous breach. I have been talking to different people about what that means. And who might have been behind it, different people in the administration and around this town will tell you Different Things about attribution members of the senate and congress are going to be more vocal in saying we understand that it was probably china. The nsa dont assume attribution to be china. At the same time, that has not been something that the administration has formally declared, which i think is interesting. The next question becomes, what is the person or entity that took that information going to do . There is a theory that it would be compiling an enormous database of different people who have applied for positions within the government or have positions in the government and different ways to reach them. It can be used for different sorts of online scams. Katherine archuleta is the former director of personal management. She had been in the job he claimed that they were making great steps in trying to make sure that this could be prevented. Is she a scapegoat . In many ways, because she is a person where the buck stops, you have to say, why didnt you take steps to encrypt data on the database and sooner . Wise why wasnt there a Better Program in place to analyze mall where malware. The country spent close to 1 billion on a detention intruding system that was unable to detect this particular malware. At the same time, it is a legacy system. Different people respond to Different Levels of urgency around them. This was not a priority. How did this happen . How easy was it to hack to the database . At this point, they are thinking they had to have nation state to nation state support. Einstein three, the system they were using to diagnose and detect intrusions in real time, it failed. It is not an on complex system. Uncomplex system. The malware mimicked traffic. It was incredibly sophisticated. Why would china want this information . There are Different Things you can do with it. I spoke to a former cia operative, who brought up that personal information, and some of the form c would fill out for topsecret classified clearance that could be used in different ways to reach out to intelligence professionals and in many ways, look more familiar to them. The real value of this is for what might be called social engineering. Getting more passwords later learning about different people that operate within the levels of government and convincing them that you might be a trusted entity when you reach out to them through email or in real life perhaps you are familiar with where somebody went to school you might no pet names are Different Things about them that you can use to create a sense of familiarity. That was one of the things that the operative i spoke to said he was concerned about was that it makes intelligence assets at the point this becomes part of broader fronts teams, broader fraud schemes. The most logically commercial thing to do with this actually becomes easier. If it is merely stealing a database, we are not sure how or when this will be used. Patrick tucker will be with us and told the hour. We have a phone set aside if you are a current or past federal employee. That number is 202 7458002. Otherwise, we are divided by lines regionally. This past week the testified before the committee. Here is what james coney had to say about the hack. James coney it is a huge breach. A huge amount of data. Former employees. People who applied for federal employment. We have to assume it was looked at the endor filled. We are talking about millions and millions of people affected by this. The challenge is, i am sure the adversary has my ex86 now. It lists everywhere i have lived since i was 18yearsold. All of my family. Their addresses. Not just my identity is affected. My siblings. My kids. The numbers quickly grow far beyond federal employees millions over the last 20 years. It is a big number. It is a huge deal. Patrick tucker one of the things that has been very interesting about director coney and his adventures this week. He appeared before the Senate Intelligence committee and he was pulled to a question about the scandal by mark warner. His original intent in being at that Committee Hearing was to argue against and to end user and corruption and different steps commercial companies have taken to safeguard information in transit from companies and their devices. Apple, google, facebook, they now offered these services. What he was there to argue against was the allowance of that. Because, he says that endtoand encryption equipment gets in the way of law investigation groups and groups like ices. One of the important things about this opm that had to come out is that user data was not encrypted on the database. It is not the same issue, but it is related. We have not begun to think about all of the different ways we interact with this technology on a consumer level and the highest level of governments. Host could the president have been impacted . Guest if he had filled out one of these forms, yes. It is not inconceivable. Different things that would be used probably exist out there around the president with the exception of very personal information, like Social Security number. The president is not going to be subject to Identity Theft or fraud. People know who barack obama is. He is guarded enough that it will not have any effect on him in terms of national security. What is at stake here, the vulnerable targets, are people that have intelligence assets listed as contacts in foreign countries. Those people that wind up in these forms who have actually it nothing to do with applying for a job in the government. As director coney mentioned, his travel is listed. Laces he is gone. People he has met. Show up on these forms. In terms of national security, that is what we are worried about. Host harold is up next. Caller i am an independent taxpayer. It sure seems to be a problem with this administration in particular. All we get is apologies and this happens again and again. I mean, the Civil Service seems to be more concerned with how to apologize the into getting a clue against taking action. I will take your response off the air. Guest i think that is a feeling filled by a lot of different people who are thinking of the ramifications. It is clear there are a couple of things that could have been done to keep this information more safe. Now they are going to lose out. The thing about personal data as it is entered into any computer system, a matter what part you are part of, there is mauled her ability there. It is a fact of life. If data is collected it is going to be used. If it is used, it becomes vulnerable. Independents, republicans, democrats, it affects everybody. It is the way information moves in the 21st century. Host kathleen says the government should hire my navy son because he makes backups. Of course, that was not the case in new york in Lower Manhattan on wednesday. Guest this was an odd incident. You had this enormous grounding of uniteds entire fleet for not too long, but long enough to cause serious alarm. A few hours after that, the New York Stock Exchange shutting down for more than two hours alarmed and what people. It is not the the u. S. Stock exchange does not have backups. Brazilian see is something we think about. Admittedly, one of the best diagnostic and for an sick diagnostic forensic pieces of evidence is we rushed to put software into these incredibly complex systems. We rush to put new software on top of old. If you are trying to deal with this as an engineer, you are dealing with a lot of legacy software. The source code is a mystery. It is the continual application of different technological bandaids and bandages to systems that are incredibly vital. More complexity in any one person cannot fathom. They run continuously at a incredibly high rates of speed and we keep learning them without any understanding of exactly how much they can stand. We can preach redundancy for backup and resiliency for the event of an outage so that businesses elsewhere might work. At the same time, we demand more from these sorts of systems then we are in many ways able to accommodate. And we have not appreciated that. Host a quick update from monty. Is there a 100 percent secure cyberspace . Hackers and their toll seem to be evolving at a high speed. Guest that is what the commenters are upset about. Is there a 100 secure cyberspace . That links to the internet. We have agencies that are dedicated to cracking it so they can intercept intelligence. Do we want them to do that . That is what the mandate says. Having said that, there are tools that you can use to communicate much more safely and anonymously online. One of them is onion writing. It is called tor. It was developed to allow people to communicate with one another while remaining anonymous. It is used by dissidents. It is also used by child pornographers. It is a tool. Tools like that help keep the broader internet safer because it keeps Information Secure and prevents passwords from getting out and prevents future hacks. But also, as director coney would say, secure communication creates in enormous Law Enforcement challenge in that is when he is trying to tackle. Host were talking about internet and defense vulnerabilities. Patrick tucker is here. Good morning. Caller i hope you can and lightest and lightness on an article that was in the wall street journal. Employees behind the firewall being able to go to their personal gmail or yahoo email accounts to read their personal mail and at attachments there may be a source of insertions. The wall street journal article basically said the government tried to, several years ago, is eliminate this and the federal employees union went to court and the courts ruled in favor of the federal employees union said the people such as me would continue to have access to their personal gmail and email accounts. That is the way i understand the article. I am hoping your guests could clarify or enlighten us as to that area of discussion. Thank you. Guest i have not read that particular article. This is an ongoing concern though. Ensuring information across networks. Certainly for military. You skip between different email accounts. You might have devices you bring with you. You might have the devices given to you. The temptation not to move from one account that you know a specific for that particular device to another one so you can check personal email, that temptation is too great. I think it is completely understandable to the extent that happens with people with dedicated devices, it happens a lot. I know i am surrounded by devices. Im checking all of my accounts all of the time on all of them and not is just the way it works. I have not read this article, i am not sure what conclusion the article writer reached, but this is one of the reason people say that endtoand Encryption Services on devices like the Android Phone or the most apple phone are so important. That is what allows a somebody with a device like a personal account and a federal account to use all of that safely. That would be the argument in favor of that. And, we not exactly sure what the attack vector was on this particular attack. Because, it was discovered long after it began. Long after it was in the system. Almost 80 year. I get, we have not even been honest about attribution yet. Weve not been able to know who will want to entity was behind it. Knowing exactly what federal employee did write to open the flood gates, i think that will be a mystery for a little while longer. Host you can follow the work of tetra tech are at defense one. Com. Richard is next. Good morning. Caller mr. Tucker, mr. Scully asked you a question as to whether she was being used as a scapegoat. On the Steve Kornacki show there was a reporter who was claiming, and hopefully he was right about it that it was businesses that do not have the cyber qualities that to the federal government has and also that on the board of these people were several generals. In, my question would be, i hope that you people look into the real situation and not to use people as scapegoats just to satisfy your ego. Host thank you, richard. We will get a response. Guest this problem will persist. So, in terms of the effect that larger businesses have on nationwide Cyber Security, this is something that remains an ongoing debate between the Obama Administration and different parties. Many people say that what would be best would be to have a mandate that Different Companies report different malware intrusions to the government and then the government can, through dhs, share that information more broadly. Right now that mandate, there is opportunities to do it voluntarily. But the mandate does not really exist. So, there is a lot of discussion between great pink business and government about how to pursue as a nation better Cyber Security. Business would prefer the government provide Cyber Security as a Service Really to almost all businesses, particularly those associated with infrastructure. The government says that is a unrealistic unless we can figure out some of these issues with reporting. At the same time, if you are a company and you report a big region and you do not have liability protection, youve intentionally face a big celloff. It will not be good for the company if they report a big reach. Host you talked about united airline. Exactly what happened and how did that result in them shutting down operations for several hours . Host guest we are hearing it was a router. It is not one that is associated to how you would look online. That was my originally thesis because you can enter that system for affairs if youre someone who is cybersmart. You can learn different search query language. Search engines on Different Airlines and discover funeral surcharges and different routing. That is sort of like a hack. And that is not the case here. We know as a single router connected to the reservation system triggered a series of human responses which was the shutdown. Nothing mechanical was wrong with the planes. Nothing wrong with the navigation system, for instance. The reservation system outage made they could not verify people showing up for not on a nofly list. They could not verify the contents of the manifest. The faa ordered the stoppage. I think a the idea that a single router was the culprit is remarkable. But the fact that this happened on the same day as a major New York Stock Exchange outage is why am talking about it today. Host do you think it was a coincidence . Guest at this point, that is what the evidence suggests. I was thinking perhaps this is the thing though, online reservation systems for airlines is in attack viktor. This one, at this point in time, appears to be a coincidence. But, the online reservation systems is a pretty constant factor of attack. As mentioned, you can use different data about it to gain from fares. That is a continual concern. At some point, if you break it in a particular way you trigger a human response which is, that an entire airline is grounded for the time being. In many ways, that same thing is sort of true about the New York Stock Exchange. You can game the Stock Exchange and all of the high velocity logarithms on it for shortterm gain. This is what high velocity trading is. There are a couple ways you can do it illegally by frontloading by or sell contracts which will then canceled. In many ways, this was blamed on the 2000 12 2012 flash crash. So, both of these things really show that these systems that we all use a lot, they are going to be the subject of continual lowlevel scam and intrusion attempts no matter what we do because there are ways, there are ways to manipulate information going into them for shortterm monetary gain. This is to be expected. Host we welcome our listeners. Our guest is Patrick Tucker of defense one. We are focusing on Cyber Threat