CSPAN2 George Washington University National Security And Cybersecurity Conference May 9, 2016

p.m. Eastern on C-SPAN. Now, a discussion on cybersecurity and how the Department of Homeland Security is changing to meet new threats. Panelists include leading experts from both government and corporations, followed by remarks from former National Intelligence Director Dennis Blair. This is an hour and a half. [inaudible conversations] All right. We're going to kick-start this. I know some are on break, but just given our time crunch, I want to make sure we're able to cover enough time for the panel to actually share some of their insights and thoughts. This is a bit of a, it covers a wide range of issues from insider threats to foreign counterintelligence to cybersecurity, but I think one of the things we hope to be able to do is show how they come together, where they do come together and where they don't. And, quite honestly, they're treated as very separate disciplines, but I thought we have a great group to shed some light on some of these issues. First, let me introduce Michelle Van Cleave. Michelle is one of the titans in the counterintelligence world. She was the first director, I believe, of NCIX when it was the National Counterintelligence Directorate, when it became part of the Director of National Intelligence function. So under President Bush she was running NCIX. Following Michelle we, and she's worked on the Hill, she's worked on numerous committees focusing on cyber issues and counterintelligence and national security issues long before they were cool. She's young, but before they were cool. Stop when you're ahead, Frank. Jeff Hancock is one of our senior fellows here. He's been instrumental in our active defense work and our task force looking at active defense issues. He comes from a background in the private sector and in the public sector. He's a former Special Forces officer. He worked cyber at the pointiest end of the spear, which I think adds a lot of flavor to the issue.
And he's also worked at small companies like Microsoft. [laughter] And last but not least, we have Brian Cantos, who I want to thank for supporting us in the conference today. And he, too, has come to his current role with an extensive background in a number of cybersecurity companies ranging from Riptide to, remind me. You've been at Bell Labs, so all the companies. So he actually brings a very good perspective from cutting-edge companies in terms of some of these issues. So what I thought we'd do is start with Michelle to sort of paint a picture a little bit, to provide a primer. I think when people think foreign counterintelligence, when they think counterintelligence, they immediately think security. Obviously, there are some similarities, but there are also some differences. You've got to understand yourself, you've got to understand your enemy. But, Michelle, I'd be curious what some of your thoughts are in terms of how we should frame this, in terms of thinking about some of these issues from an insider threat all the way through to foreign counterintelligence? Well, let's start by considering what we mean by foreign intelligence activities to begin with. They're all the range of things that foreign adversaries, whether they be nation-states or other entities, do to try to steal our secrets, but also to hide theirs and to deceive us into thinking or doing the things that are going to be in their interests. So there are influence operations as well as collection activities that fall within the range of things that counterintelligence worries about in dealing with foreign intelligence threats to the United States, to our interests at home and abroad.
So counterintelligence, therefore, becomes the full range, or is the full range, of things that are done, information acquired and activities conducted in order to identify and assess these foreign intelligence activities, in order to neutralize them, either through denying them access to the things that they are seeking, by deceiving them or, let me also add, by exploiting what we learn and understand about these foreign intelligence activities. So then, Frank, within the range of things that are done to protect our secrets, we certainly have a full range of security activities that are performed in order to protect secret information, to protect against access to things that are important to our national security. So the full range of security activities, operations security, physical security, information security, personnel security, which we will get into, these are things that are done to protect our secrets, to be sure. But beyond the protection, counterintelligence looks to understand how the adversary is going after these things, what their intentions and objectives are, how they are resourced, how they are targeted, how they are recruited, what the nexus of their relationships and liaison relationships may be. In fact, the full range of things that the foreign intelligence service or entity does, in order to be able to say, aha, now we can identify what their vulnerabilities are, such that we can look to those vulnerabilities as ways of stopping them. And best of all, best of all, is for the foreign intelligence adversary service to think that it is succeeding in what it is doing against us when, in fact, our insight into their operations is sufficiently refined that we can misdirect their collection and their operations in order to protect what we are doing.
So you might see in that short explanation the potential sometimes for a tension, and I'll call it a healthy tension, between what counterintelligence tries to do, engaging, as you will, with the adversary, and what security and security operators and personnel may do in trying to shut things down and deny access. Sometimes, operationally, you need to have the ability to let things play along in order to better understand what's up. Thank you, Michelle. Does that help? That works great. Jeff, you've put together insider threat programs for a number of companies, small and large. I mean, talk us through what that looks like. I mean, at the end of the day, if you want to glean information, you can glean it, as we're talking about, through cyber means which are vulnerable and susceptible, or intellectual property theft, but you can also just recruit an insider, which, obviously, can have the same impact. And I think we're starting to see a confluence and convergence of intelligence disciplines in this space; what used to be technical and human is coming together to a large extent. But I think the same things are playing out in the corporate world. Very much so. Help us think through that. Very much so. A program is really in part two things for this broad conversation. It's both the technology used, which is actually a smaller part, but it's the method and the process that the organization can use to identify its most important information, protect it, understand how it's protected, understand how it's used within the organization and identify those vulnerabilities. From a broader perspective, it's very much a defensive position for an organization to be in. Whereas counterintelligence, as we were talking about earlier, counterintelligence is more the offensive view of securing an organization, insider threat is understanding where your issues are, where your risks are, and having the method of protecting that information.
And then going through that process, developing a whole program plan with the organization, developing the technical means by which you can detect inside or outside. Because at the end of the day, in cybersecurity it's a 1s and 0s problem, right? So there's very little to determine if there's an insider threat or an outsider threat. Looking for those things digitally, you're not going to tell a difference. Behaviorally is what you are looking for. Behaviorally. There are some key foundational components when developing a program like this for any size organization, and it's really helping the organization understand its risk appetite, where that information sits and how they want to secure it. And, Brian, I mean, and I think Jeff hit on a point we were chatting about earlier, and that's looking at behavioral analytics. But where do the two converge? Where do they come together, and then shed some light a little bit on where we see the various threat actors, ranging from disgruntled employees to, sure, obvious nation-state sorts of threats. I'll answer the second part first. I tend to think of the four Gs: grandmothers, gangsters, government and guerrillas. Minor actors such as hacktivists and nation-state actors. It's simple for us to think of these as siloed groups but, in fact, there's a lot of overlap between these disparate, or seemingly disparate, individuals or organizations. Then it comes down to a simple statement, why hack when you can recruit? If you have somebody that already is trusted, that has access, you can operate with much more ease, greater stealth, and exfiltrate more information or commit sabotage if that is your goal. Within the insider group, I see the careless insider, somebody that just made a mistake. They don't know they're being malicious, they just left the back door open or did something by accident. We see the malicious insider that was either malicious when you hired them or perhaps became malicious over time. Maybe they were recruited.
Then we see the masquerading insider. Now, these aren't actually employees or partners or trusted individuals at all. It's somebody that has simply hacked into or accessed one of the individual accounts, like a privileged user account, system administrator, a database administrator, network administrator, etc., and they're pretending to be that individual, and they're using that individual's rights and privileges to dive deep into the environment. Now, the interesting thing about insider threat is the information that's required in order to interpret this information, in order to capture these individuals potentially, is actually out there. We have this information. We get this from network data, we get this from data from applications and databases and different security tools. But we don't have a good way of using security analytics or tools that can analyze this flood of information, oftentimes pulling in physical security devices, HR databases, performance reviews, and looking for predictive signs such as somebody that's expressing antisocial behavior, somebody that's going through a personal or professional crisis. This doesn't necessarily mean that these things evolve into a malicious insider, but they can. It's definitely something that would warrant further research, especially if you're dealing with a large organization or a large government agency and you have to remove some of the hay so you can actually get to some of the needles. So by leveraging security analytics and getting past this notion of just prevent, detect and respond, and getting in front of it to predict potentially nefarious behavior, really gives the good guys an added advantage in this new war and allows us to operate more efficiently and more effectively to mitigate these threats regardless of how they're being sourced.
To pull a thread on that a little bit, I'd be curious on some of the privacy questions when you're thinking about some of these issues inside a corporate governance or a government environment, and then I want to pull, go a little further in terms of threat actors. And I'm going to open that up to all three. Who is it we should be, I mean, the obvious, Russia, China, Iran, North Korea, this is not rocket science. Yeah. But I think it's also fair to say that every country that has a modern military has a cyber capability too. So I'd be curious what some of our thinking is here. Start with the privacy, the hard one, because that's, yeah. To understand when something's abnormal, you have to understand the normal. Exactly. And to understand the normal, you have to be able to collect the data so you can, therefore, analyze it. And it's different country by country, organization by organization, agency by agency. Are we going to be able to collect all the data that we'd like to so we can leverage it to detect these insiders? The answer is no. We're going to have limitations. We're not going to get access to everything, but we have to be able to make do. In fact, we're to the point now with artificial intelligence and identity correlation, these new types of machine-learning techniques, where we can weaponize data. And what I mean is it used to be a hindrance. The more data you had, the harder it was to analyze, the more people it took, the more processing power. It just hurt you when you tried to do analytics. Today we've actually come across that chasm, and we're actually seeing the more data you give us, the more context we have. And with the more context we have, we can actually respond to this. Now, the privacy issues have to be addressed, of course. But in most organizations today, Fortune 500 and government agencies, we find we have enough data to be able to address it. Now, to your other point about the threat actors, I'll say something quickly about those.
Samuel Colt had a famous quote that said God created man, but Samuel Colt made them equal. Truth in advertising, his PR agency said that, he never said that. But we'll go ahead and say he said it. [laughter] We're seeing cyber as a great equalizer. You needn't be a great country in order to facilitate war from a cyber war perspective. You don't even need to be a nation-state to mount a pretty aggressive campaign. And depending on whose statistics you believe or are accurate at that time, roughly about 100 countries today have the capability of mounting what we might define as a sufficient cyber warfare capability. Again, back to my earlier statement, why hack when you can recruit? It's much easier to go in through the back door, steal intellectual property, commit sabotage; these things are far easier when somebody has trust and access. Just to build on that, I want to get Jeff and Michelle in, but to build on your why hack when you can recruit, you may want to say why invest billions in R&D when you can steal. And that's precisely what countries are doing. It's the theft of intellectual property, which is very expensive. A lot of money poured into that. And you've got countries that are literally putting, they're spending their savings on market share and gaining market share because they're stealing. But it really is a combined arms approach, if you will. It is the use of integration of cyber attack and human access that presents the golden opportunity. So to the extent that foreign actors have a strategic objective and a strategic purpose and employ the resources that they have at hand to achieve those purposes, we will see that the linchpin of a successful cyber exploitation, for example, might be the human actor that is recruited on the inside that can provide that access. So you look at the, you know, news reports, for example, that came out of the Stuxnet activity.
When the news reports said that planners involved in carrying out that attack identified as the holy grail the individual engineer or other individual who may be working at that plant who was very careless with a thumb drive, and that is the, you know, that is the linchpin that enabled, potentially, according to news reports, proper caveats, that allowed that attack to go forward. So when you stand back from that and say, therefore, what does that say to the United States as far as the threat environment that we face, we do have this broad extrapolation of capability now among a variety of actors where there were a smaller number we might have dealt with in times past. But we also have a prioritization of our resources. And the prioritization of those resources needs to be based on, you know, what are the overall objectives of these entities with respect to harming the U.S. or our interests, friends and allies. So we still have a prioritization that says, look, it's a different order of magnitude, a different order of magnitude, when the Chinese, for example, have a national policy of economic espionage that they are carrying out with great effect across the United States versus the onesies and twosies, as harmful as they may be in individual cases, that other actors may engage in. So you would put China at the top of the list? Engaged in economic espionage? On economic, yes. On overall capability, I think that the Russians give them a run for their money. That's where I come down. Now, one thing that's important to tease out of this is the line between computer network exploit, or espionage, and attack is all hinging around intent. If you can exploit, you can attack. Yes. And I would argue I can understand the theft of intellectual property. It's unacceptable, but I can understand it.
The next question you would have to ask is when you see the theft of our critical infrastructure, in mapping some of that from a very sophisticated standpoint, that has no economic value, that's purely for potential future crises, to be able to put together part of their warfighting plan. So, I mean, that's where when you hear about our grids being penetrated, that may not have the same economic impact as the theft of the intellectual property behind it, but it actually has real national security, agreed. Jeff, where would you rack and stack? I mean, Michelle kind of lined it up with where I am, but I'd be curious where some of your thinking is. Where do you see the government of Iran? Where do you see other actors that may be less constrained from engaging in computer network attack? So I think a couple of things. I'm taking a step back. So if your organization is breached, an