
CSPAN George Washington University National Security And Cybersecurity Conference May 7, 2016

Are adversaries, nation-states or other entities, to steal our secrets, but also to hide theirs, and to deceive us into thinking or doing the things that are going to be in their interest. There are influence operations as well as collection activities that fall within the realm of counterintelligence worries in dealing with foreign intelligence threats, threats at home and abroad. So counterintelligence therefore becomes the full range of things that are done, information acquired and activities conducted, in order to identify and assess these foreign intelligence activities, in order to neutralize them, denying them access to the things that they are seeking, by deceiving them, or, let me also add, by exploiting what we learn and understand about these foreign intelligence activities. So, Frank, within the range of things that are done to protect our secrets, we certainly have a full range of security activities in order to protect secret information, to protect against access to things that are important to our national security, so the full range of security operations, physical security, personnel security, which we will get into. These are things that are going to protect our secrets, to be sure. But beyond protection, counterintelligence looks to understand how the adversary is going after these things, what their intentions and objectives are, how they are resourced, how they are recruited, what the liaisons may be, the full range of things that the entity does, in order to say, now we can identify what their vulnerabilities are, so we can look to those vulnerabilities as ways of stopping them. Or, above all, getting the foreign intelligence adversary service to think they have succeeded in what they are doing against us when, in fact, our insight into their operations is sufficiently refined that we can misdirect their operations to protect what we are doing.
So, you might see, in that short explanation, the potential for a tension, and I will call it a healthy tension, between gauging the adversary and what security operators may do in trying to shut things down and deny access. Sometimes, operationally, you need the ability to let things play along to better understand how that works.

You have put together insider threat programs for a number of companies, small and large. Talk us through what that looks like. At the end of the day, if you want to glean information, you can glean it through cyber means, but you can also just recruit an insider, which obviously can have the same impacts, and I think we are starting to see a convergence of intelligence disciplines in this space. What used to be technical and human is coming together. The same thing is coming together in the corporate world.

Geoff: It is the technology you use, but it is also the method. From a broader perspective, it is very much a defensive position, whereas counterintelligence is more of the offensive view. It is more knowing what your risk is, protecting that information and going through the program plan with the organization, developing the technical means inside or outside. It is a ones and zeros problem. There is very little to determine. There are key foundational components when developing a program like this for any organization, and it is really helping the organization understand its risk appetite.

Geoff hit on a point, I think, we were talking about earlier, behavioral analytics. Where did the two converge? And shed a little light on where we see the various actors, from disgruntled employees to nation-state type threats.

Think about these actors. I think of the four Gs: grandmothers, governments, gorillas, guerillas. It is easy to think of that as siloed groups. They are increasingly disparate organizations. Why hack when you can recruit?
Once you have someone who has access, you can operate with much more ease and greater stealth and probably extricate more information or commit more sabotage, if that is your end goal. In the insider group I see three general areas. There is someone who just made a mistake. They just left a door open or did something by accident. We see the malicious insider, malicious when they were hired or became malicious over time. Maybe they were recruited. Then we see the masquerading insider, not actually employees or partners or trusted individuals at all. It is someone who hacked into one of the individual accounts, privileged accounts, like a data administrator, a network administrator, etc. They are pretending to be that individual and using that individual's rights and privileges. The information required to capture these individuals is actually out there. We have this information. We get this from network data. We get this from data from applications and databases and different security tools, but we do not have a good way of securing analytics. HR databases, performance reviews, and looking for predictive signs that someone is going through a personal or professional crisis. Things do not always evolve into a malicious insider, but they can. It is something that would warrant further research, especially with a large government agency, where we have to go through the hay to get to the needle. So, getting past the notion of just preventing attacks, you are getting in front of it to predict behavior. That really gives the good guys an advantage and allows us to operate more efficiently and effectively to mitigate threats, regardless.

Frank: To pull a thread on that a little bit, I would be curious on the privacy questions when you think about some of these issues inside a corporate or government environment. Then I want to go a little further in terms of threat actors. Who is it? Who should it be?
It is obvious, Russia, Korea, but it is also fair to say that every country that has a modern military has a cyber capability too. I would be curious what some of you are thinking.

Brian: Start with the hard one, the privacy question. To understand something is not normal, you have to understand the norm. You have to collect data. It is different from agency to agency. Are we going to be able to collect all of the data that we would like to, so we can leverage it to protect insiders, or no? We will have limitations, we will not have access to everything, but we will have to make do. We are at the point where artificial intelligence and identity correlation, new types of techniques, where we can weaponize that. What I mean is, the more data you had, the harder it was to analyze it. The more people it took. It hurt you when you tried to do analytics. Today, we have actually come across that chasm. The more data, the more context we have, and with the more context, we can actually respond. Privacy issues have to be addressed, but in most organizations, government agencies, we find that we have enough data to be able to address it. To the other point about the threat actors, I will say something quickly. Samuel Colt said God created men, but Samuel Colt made them equal. We are seeing cyber as a great equalizer. So you do not need to be a nuclear country in order to facilitate war. In fact, you do not need to be a nation-state to be able to mount a campaign. So we are looking at another great equalizer and, depending on the statistics you believe, roughly about 100 countries today have the capability of mounting what we would define as cyber capabilities. Part of that is recruitment and the other part is planting. Why hack when you can recruit? Stealing intellectual property is far easier when you have this access.

To build on yours, why hack when you can recruit?
Why invest in building R&D when you can steal R&D? The theft of intellectual property, it is expensive. A lot of money is put into that, and you have countries that are literally spending their savings on market share and gaining market share instead of dealing. It really is a combined market approach.

Michelle: It is human access that presents golden opportunities. To the extent that foreign actors have strategic objectives and purpose and employ the resources that they have at hand to achieve those purposes, we will see that the linchpin of a successful cyber exploitation might be, for example, those who are recruited on the inside who can provide that access. You look at the news reports that came out of the net activity, when the news reports said that planners involved in that attack identified as the holy grail the individual engineer or other individual who may be working at that plant who was very careless with a thumb drive. That is what, according to news reports, allowed that attack to go forward. When you stand back and you say, what does that say to the United States as far as the threat environment, we do have this broad extrapolation of capability now among a variety of actors, where there were smaller numbers we might have dealt with in times past. But we also have a prioritization of our resources, and the prioritization of those resources needs to be based on, what are the overall objectives of these entities with respect to harm to the U.S. and friends and allies? We still have a prioritization that says there is a different order of magnitude when the Chinese, for example, have a policy for espionage that they are carrying out with great effect across the U.S., versus the onesies and twosies that other actors may engage in.

Frank: And you would put China at the top of the list? On economic espionage?

Michelle: Yes.
But on overall capability, I think the Russians give them a run for their money.

Frank: The line between exploitation and computer network attack is all around intent. If you can exploit, you can attack. I would argue, you can understand the theft of intellectual property; it is unacceptable, but I can understand it. The next question you would have to ask is, when you see the best of our critical infrastructure and the mapping of some of that from a sophisticated standpoint, that has no economic value; that is truly for potential crises, to be able to put together a plan. So that is where, when you hear about our bridge being penetrated, that may not have the same economic impact as the property theft behind it. So, where would you rack that? Michelle, that is where I am, but I am curious on your thinking. Where do you see the DPRK, where do you see other actors who may be less constrained from engaging in computer network attack?

We look at the reports that come out every year from vendors. The first five of them say they have an insider threat; they are concerned, but they are not sure about them. It is always a great area, how insider threats are leveraged in an organization. As a bad guy, I am familiar with the method of operation; as a bad guy it is easier for me to sneak into a network and steal somebody's access rights and look like an insider, all day long, and hide in the network. The average length of time is 200 days. 200 days is a considerable amount of time. As a red team guy, we can map it out and take off with your data. The point is, there is espionage going on, gathering intelligence. And from the bad guy's perspective, looking across the infrastructure and the corporations to pick selective pieces of information from an espionage perspective, who would they want to blackmail people over, there are a variety of things that any enterprise must consider to some degree, but not be overwhelmed by the issues they need to deal with.
From a nation-state perspective, I fully agree with the nation-state representing the biggest challenge. We are also aware of major nation-states going out and hiring smaller organizations, individuals in different countries of the world, giving them the tools they need and having them conduct that hack or the investigation of espionage, so that nation-states can fund the work. So a nation-state can conduct an attack, while all the while I have asked somebody to go in the side door and map the network, map things out for a potential attack. You see nation-states like China really wanting to take whatever they can, and copy and create whatever they can with it.

Frank: You mentioned the DDoS; there have been a lot of attacks behind that. Diversionary attacks. Can you say that with confidence?

Years ago it was harassment. It was, I cannot connect to my email. Now it is a distraction. There are so many other things going on within a network; it is a distraction.

Frank: Brian, I want to pull a thread I asked earlier: how many companies went into business thinking that they had to defend against foreign attacks? They are paying for this, that and the other thing. I am curious, our government, all governments, do not have a great track record of defending against espionage. There have been many recruits in place, many individuals who leaked a lot of information. So if governments cannot do it, what can we logically expect companies to do, and what is the outcome? You do this every day. I know that nobody can wave a magic wand and provide 100% security. No such thing, unless we live under a rock. But what can you expect out of that?

Brian: From Silicon Valley, if you go someplace and say our business model is to be the most secure, you will not get funding.

Geoff: A lot of people ask, should we enable organizations to respond, should they be able to respond in force, not kinetically, but with a cyber attack?
I think that one, the collateral damage that could be caused could be significant. We have seen that from other attacks and it is severe. I do not think that organizations are in a position to do that. Now, I think that our government is learning. We are learning more quickly than we give ourselves credit for. We think of the space race: the Wright Brothers were in 1903, we broke the sound barrier in the 1940s, then we had somebody on the moon. This is increasing at a faster rate. We are keeping up well. Convergence, maybe it is the wrong word, but the information sharing and being able to act more effectively is what is needed. We are in the paradigm of trying to prevent everything we can. There was a great quote: when we think about cyber, we need a more adaptive approach. The cooperation between the public and private sector, I know this is like motherhood and apple pie, but the cooperation needs to be enhanced. I have seen pockets of it. I have seen stuff for the financial services industry. Automated manufacturing, I do not think we have enough of it. People are still holding cards too close to the chest and they do not want to reveal what they know, the tactics and techniques that new hackers are using. Until we get to that spot where we are sharing information, the bad guys will have the advantage. They know it and they have a window where they can execute.

Frank: You are forcing me to ask a follow-up. There is a lot of space between hack back and do nothing. And a bigger moat and higher walls. External and internal, I do not know what the perimeter is, because attacks are growing exponentially and it is all shared and cloud and other things, but where do you stand on forensics collection, which can be proactive, but you are not engaging in computer network attack or hacking back? So, you turn that information over to the authorities, the FBI, or whoever it may be. Do you feel companies ought to be doing more in that space?
Not all companies have the wherewithal to do it, but I would argue that the financial services sector is as sophisticated as government, or more than that.

Geoff: The devil is in the details. If I hand over a lot of information, that could easily contain sensitive, lots of financial-specific information, etc. Health care is the exact same thing.

I mean, your data, what you already own.

Geoff: It contains sensitive information about partners, and being able to do that might make it unusable. It is a difficult problem to solve. I think in most cases, most organizations do not feel comfortable sharing that level of data. In the future there might be something better we can do to adopt information sharing where things are shared. That would be a utopia.

Frank: If your data is exfiltrated, do you have the ability to do data collection on the invader? It is your data. I am not addressing your point, but there are a lot of technologically possible techniques that are not being fully exploited. Track things that you can.

Absolutely. I am a fan of that. I think it is a great tool. But the problem is, you go to different countries like Iran, there are legal issues now; it is like sending technology to those countries. From that perspective, legislation needs to catch up. With a number of countries, they would love to see fake data with these tokens that beacon back so they can track it on the black market and the deep web and darknet. It sounds like science fiction and some of it is, but the reality is, we can do a lot of it today. But we are legally prohibited from doing it.

Frank: Any thoughts on the cyber side? And this is unfair, because he is working on a project with us.

Geoff: Legal issues aside, when you look at the ability to do that, looking at what is done today, there is value in getting that data. It is counterintuitive in the gathering of the data on bad guy behavior.
Which is instantly valuable in a variety of formats. However, there are legal challenges that we need to address at some point. But it is plausible and not too difficult to be able to put beacons on data, to track it and delete it outside of the network. There are many ways to do that. I think again, when you talk about the first priority question, you are getting into an issue of insider threats and counterintelligence. Whose role is that? A corporate role? Is there a convergence? Protecting your network and your data, it is not an easy question, but there is a framework for this thing.

Frank: You have linebackers in football; they are defenders, trying to keep others from scoring, but they can have an offensive mission if somebody fumbles. But with Michell
