Transcripts For CSPAN2 Book Discussion On Cyberphobia 201602

CSPAN2 Book Discussion On Cyberphobia February 21, 2016

I'm not saying the Estonian system is the one that wins, because the Singaporeans have... they flew a big delegation into Estonia and said, we want to do this for all of East Asia. So people are often quite unwilling to trust their own government, but if you say this is a service provided by another government, you can use it or not use it, an opt-in... they have issued 10,000 of these. You can pick one up at the Estonian Embassy just down the road for 40 or some small amount. I think this solves one of the fundamental problems on the internet, which is proving who we are, because civilization is based on the trust for interaction between people who don't know each other very well. And we use all five of our senses and all sorts of learned responses and other keys and safeguards, which means we can do this to each other face-to-face and also by letters, but we don't have a way of doing that on the internet. I can't prove who I am on the internet. You can't prove it's me. We can't get together and prove that someone else is who they say they are. This is one of the biggest responsibilities we'd have. The sort of systems I... can solve that. Go to Estonia.

You mentioned at least three different aspects of the cyberphobia. One is criminals draining accounts of all kinds. The second, we'll say perhaps intelligence, getting OPM data for whoever's own purposes, probably not for financial gain unless they sell it. Third, to use an example, Stuxnet, an offensive use of this. Are we looking at different actors, for instance, states in some cases versus criminal individuals, and other... in other words, are these very separate enterprises we can separate? Should they be seen as one?

The easiest way to look at this is to say some things only governments can do. High-end national intelligence services have got amazing capabilities, for example, in using bulk data. You can be for it or against it, but that's only a thing a government can do.
Getting stuff into firmware, into a keyboard, and finding everything typed on the keyboard and getting that back to some command and control server in a secure way. Getting data on screens. Hacks of mobility devices. These are pretty sophisticated capabilities, and you can buy some bits of them on the internet. You can buy very simple malware which you can send in a text message. There's a lot of stuff only governments can do. Expensive... buying expensive vulnerabilities, holes in software, hardware, that nobody else knows about. The good ones are expensive, and it's a matter of budget. You put those capabilities together and you get something like Stuxnet, which really only a government could have done. The American government boasted about it, so it's no longer really secret. Before we get to that, too. But that is the kind of... I think this is the least of our worries for ordinary people. I guess everybody here has seen the Bourne Identity, but they're not documentaries. I'm not Jason Bourne. No one in this room is Jason Bourne. We're being attacked in a simpler way. I think, leaving aside the high-end stuff, so many of the vulnerabilities are over... if I want to get on the network, I want to get on a... I want to find out how you do your invoicing, I want to steal some data, get in and change my grades, all sorts of reasons to get on the network. They'll go to LinkedIn, find someone who has lots of... find out who they worked with in the past, a Gmail address, and say, I found these pics, take a look. And then they click on it, nothing opens, they forget about it, and it is a very basic spear phishing attack. Links and attachments can be used by any one of the threat actors. I think the OPM hack started with someone with a targeted spear phishing attack, and then got on the network, and once you're on the network you may need tools to try to get control, root over the network, but there's this very big lump of simple vulnerability which everybody has. Let's go to the audience.
We have a microphone. If you just raise your hand, wait until the microphone gets to you. Emily, go ahead. Just introduce yourself before you ask the question.

Thank you very much, Mr. Lucas, for doing this. I am Marcus Picker, I work for German national public radio in Washington. What I'm concerned about, even more than the technical aspect of all those things, is the fact that the American government employed someone who didn't even have a college degree, it got him into the most sensitive government systems, and he could manage to get all those things out and get away with it. Until now, at least. So, how do you think governments or societies can protect themselves from those kinds of breaches? The regular things where people actually steal something.

Yeah. Well, it's a great question. You didn't actually mention the name Edward Snowden. Could have been some other hacker as well. There's been... government likes to beat up industry over security. And they're right to do it. It's scandalous we don't share information better between different companies in the same distribution, across industries. We need to do a much better job about protecting the data that is entrusted to us as companies, whether it's the data of our employees or suppliers or customers or anybody else, and I think there should be serious penalties for people who are careless and reckless, and there should be civil and criminal liability, but if you want to see a really badly designed network you're more likely to find it in the public sector than in the private sector. It's absolutely terrifying how badly protected, out of date systems, badly administered by demoralized people. This stuff is happening again and again and again, and at one... I think one can make several points. One is that I think this is a very good reason why we should not support any government mandates or attempts to weaken encryption.
If there's going to be government-mandated back doors in commercially provided encryption, that will be a fantastic target for criminals, and I have zero confidence those... it's as if everybody in the country has to give a front door key to the government to make sure there's no front door key in their front door that the government can't open, and that all these front door keys are neatly labeled, kept at the local police station... don't have to be... that could be interesting for criminals. We should have very modest expectations of governments' abilities to keep our data secret, and we should be much tougher about what we share with governments. Going back to Estonia. There's no single point of vulnerability. They have a federation of databases connected with something called the X-Road, which works on a very simple but robust challenge and response system. So it would be really hard, not impossible, because nothing is impossible... something like the OPM hack would be really difficult to do. You need the cooperation of lots of people, and nobody... simultaneously at different points. And the final point I'd make is, why do we keep all this stuff in electronic databases anyway? If you look at films, John le Carré novels. Now, these days you would probably hack in. There you have to physically get into the registry, have to distract the person who is there to stop you copying files. Have to get access to a file, logged in and logged out. Who looks at it, how long. If you want to steal all the documents in the registry you have to attack with a major military force and then take the stuff away in trucks, and the OPM is like that. Only 20 or 30 years ago, the Chinese would have needed trucks to take the stuff out of the OPM. Now you can do it on a USB stick. So one of the big lessons, ask yourself, why are you keeping stuff? You have convenience. Absolutely. Is that worth the vulnerability?
One of the best stories I've come across this year is the blooming intelligence agencies are buying manual... because you can... there's a saying I've heard from some cyber security guy, you can't hack a steam engine. No electronics, nothing to hack. Steam engines would actually survive the Carrington event in a way no other form of transport would. So we have to be quite prudent about moving away from things that can't be hacked and are very resilient towards things that seem convenient but are actually vulnerable.

Thank you, Mr. Lucas. I study energy and environment here, but before I used to work for the Korean government agency doing cyber security. I think the recent international political environment has kind of come to the state that international norms are important in the cyber space, but hearing from your example in Estonia and other East Asian... I feel it's not only the states that have different perceptions of cyber space, and also the people of each state have different values and different cultural norms that they expect from the cyber space. So I kind of want to hear what you think about, is it even necessary to build international norms? Is it even plausible, or is it more practical, and... does it make more sense when we have more effort that is done domestically, within kind of national boundaries?

It's a great question. I think we are developing... we're beginning to develop norms in the way we use social media. I was looking at some emails I had been sending and receiving about ten, 15 years ago. And I noticed a lot of people used capital letters to show they were angry, and that's become socially unacceptable now. We have laws... there's a sort of way we interact by email. People sent long emails in the old days. Now it's rude to send long emails if you expect people to read them.
So I think that there's a... if you look at shipping, which is the first really sort of global industry, we slowly developed in the maritime world... we have enormous... about emergencies. The duty of seafarers to pick up others in distress. They will pick you up. We developed ways of messaging; in the days before electronic messages we had flags put up saying I'm in quarantine. We dealt with parts. We have the nests and the pirates, and America's first overseas military engagement was going after pirates endangering American shipping. So this stuff builds up on a case-by-case basis. The fundamental problem is that the internet is a means for doing other things, and the norms about those other things vary widely. So you can quite easily get the banks of the world getting together saying, we're going to have very tough rules about preventing people cashing out the proceeds of cyber crime. The classic cyber crime: you get into someone's internet banking, you get them to do something stupid, and then you steal that money. That money doesn't appear in your pocket magically. You transfer it into another bank and another bank, and at each point you're doing the transfer there's a point of vulnerability. Someone had to open that account. Maybe you hijacked another account, going from one hijacked account to another, but at some point a physical person went into a bank and opened the account. So we could quite easily imagine a lot of reputable banks saying we're going to set norms for transfers that make it much easier to trace stolen money as it hops from country to country and account to account, and if you don't play by our rules we may stop transferring money to you. And you have reputable banks around the world saying we want to play. We want to be in on that. I can see that happening.
What is much harder is things like the use of information, because if you look at the... there's been a big push in Russia and China to bring the internet under the control of the UN agency for international telecommunications, the body that sets dialing codes and the rules for the telephones. And that makes sense. Why not have a UN agency in charge? It might well work better than these things we have at the moment, but the problem is one thing that Russia and China want to deal with is what they call information weapons. That's what we call news. We're not going to reach consensus on that, because they think it's part of national sovereignty on the internet, the government should be able to control what information goes in and out. We say, no, that is totally unacceptable. But by the way, can you help us with child pornography? It is totally unacceptable. So countries have radically different ideas of what is acceptable. What one country says is terrorism... if countries... you can have a global ban on terrorism, we won't have terrorism on the internet, and then the Chinese government says you have extremists on your server, take it down. What's going to happen? I think we have to be very, very modest in our expectations. Where there's a clear common interest, as there has been in shipping, we'll make some progress. Where there's no common interest, I think we just have to accept what is going to happen.

I'm a student in finance. I want to follow up on the previous question regarding preventing... cyber security, and I meant to... if you're familiar with the information sharing act... Absolutely. In Congress. So there's a proposal by most financial institutions and also many other businesses in the Americas, and I just want to hear your comments on how likely it's going to be passed and why the technology companies... they kind of oppose the Cyber Security Information Sharing Act.

This we call the category of really boring and really exciting. Most people have no idea about this.
But once you get into this issue it's very important. It's been five years it's been sitting there, bouncing around in the Senate and House in different versions of the bill and amendments and so on, and it's now got some momentum, and it's in this process, which I know works brilliantly well, where people put aside their party differences and concentrate on something that is actually going to work. So sorting out details. It does help... I was talking to IBM. They really support this. There's a lot of... obviously not everybody is happy with it, but there seems to be pretty broad consensus across industry that people want it. For example, people are worried about the antitrust side. You get every major company in an industry, and the first thing they say is, can we all be here? We don't want to go to jail. And if you're talking about stuff that could be seen, from an antitrust point of view, as problematic, you want to have bulletproof legal protection on that. Probably overstated, and companies love to say we can't do this for antitrust reasons, but it gives some security on that. I think we have already got quite a lot of information sharing, but I want to see mandatory breach reporting. I think if somebody had Legionnaires' disease, they would not say, we won't say anything because it could cause our students to panic and some might sue us. They would say, who do we have to tell? Because the disease is a public health menace. We need to take the same attitude. We need really good ways of identifying malware, which we don't really have, because sometimes the taxonomy is the code or sometimes it's what it actually did, and so I think trying to... there's a kind of action problem there. It's worth trying to make everybody report malware the same way.
I think we'll see it from the kind of... the other problem is that it's always going to be in the interests of individual companies to keep quiet about an attack, because they don't want their shareholders to see, but if everybody is doing it then you can be brave together. So I think pushing that. Again, I'm not sure legislation is absolutely necessary. I think maybe you can do it more on a voluntary basis. So I'm kind of agnostic, but glad to see it get some legislative attention. This comes after five years of basically nothing.

Hi. I've been in the security industry for a while. My question is your thoughts on the role of the private sector, particularly security companies with threat intel teams that expose cyber operations and point fingers. Do attributions. In my experience there's a divide within the community on the appropriateness of that and the effectiveness of that. Often with these campaigns you can share indicators and point fingers, but it really only causes a tactical disruption rather than some sort of strategic change, in my opinion. So, I'd be curious about your thoughts on the ethics of private companies doing attribution and exposing indicators, and if you think in the long term this will do anything or they're glorified marketing fodder.

Glorified marketing fodder. It's in the interest of the companies to show they can do stuff. The challenge... there's an amazing amount of cyber security product and service which is basically useless. And it is bought by people who don't understand the problems. They need to do something and say this has a big company's name on it and I've bought this company's services. Will it actually defend you? Very likely not. I'm not a big sort of booster for the cyber security industry. And they are, like any company, they will sort of talk up what they do. But the real question is how do we raise the cost of doing business in the criminal economy?
And I think many people have a role there, because if you're on the other side of the world and you go by an alias, you're in chat rooms and you buy and sell malware, maybe develop it, you're making quite a bit of money. It comes in bitcoin, and suddenly you are linked and you know, I can never go to a civilized country, the European Union, any G20 country, maybe that makes you kind of think maybe this is not such a smart idea, and we can start building up profiles of people and scaring them. I think the... not making any comment about the Kim Dotcom case, but I think if people like Kim Dotcom thought they were invulnerable and then it turned out they weren't and they were taken away to jail and facing criminal charges. So I think companies have a role in reducing the comfort zone. I think a more c
