Transcripts For CSPAN2 Washington Post Hosts Forum On Cybers

CSPAN2 Washington Post Hosts Forum On Cybersecurity October 11, 2016

It is a great tester to maturity of the company you want to do business with is do they submit themselves to open hacking? Do they compensate hackers? If a volume and if you find a vulnerability of their product they will pay the hacker which is amazing. It gets hackers oriented the organization that puts that out there feels comfortable. They want to learn more. They have a culture that wants to identify and protect themselves. Any thoughts on the black holes? What is interesting to know my years of technology he will invent something new every five to 10 years and create a of natural holes. The social media today we couldn't fathom 15 years ago. It continues to be this notion of mixed public private and in trying to coordinate across your organization, most businesses meanwhile. So finding more ways to partner, finding more ways to work together to make sure we are covering this. If you look at my back in a database in your backend database, how come we don't have one bad guy database? There's some interesting places where the federal agencies are now trying to encourage sharing of the information and encourage sharing of tpp that the bad guys are using adversarial expense. A fascinating world unto itself. The panel later will be given into the policy information sharing a bed found the long-term peace is the answer. We have some questions for Twitter here in one of them is very interest him. Can you offer it is to bring along slow adopters who are still interested in protecting their turf? Maybe each of you can take a crack at that if you want to start. Share, the White House issued a few executive orders that are helpful for this. They created the framework a few years ago that provides a laundry list of standards and a framework for assessments. Companies of all sizes can go to the framework and help them assess my level of risk and what should I do in response to that. It is voluntary.
It's also self policing so nobody has to do it but it helps raise awareness of what sanders and processes are available and may be appropriate for the level of assist you have here maybe focus on the problem around you and passwords as a consumer. Use a password management tool like one password. There's lots of them to make it very easy to have unique and complicated passwords. Those three things most of your problems are solved as a consumer. We were talking about the things people at an email spirit but is that have to do with cybersecurity? Should people be careful what they put about themselves on social and emails? One of the rules is don't put something you don't want in the front page of the Washington Post. That is the reality. It happens more than you would think the inadvertent sharing. Then a trip in Hawaii, posting that crazy chemists amongst surveilling your property nospace y a tend to wrap your house. He might be in the social world where you want your friends know how much fun you're having that you also need to think about the persians have that level of information. Is an interesting human condition where we have sharing communities now around social networks they need to make conscious decisions for your family and children on the appropriate level. I also used the privacy policies to restrict civil and my friends could see me. What a fascinating audience a fascinating panel literature scene ideas. [applause] Hi, everyone. Welcome to the Post. Happy to have everyone here this morning. I'm a national enterprise reporter and former cyberreporter off a fan of all things cyber and happen to be a teacher this panel to look at political weeks and hacks. The tc institutions sure cyberadversaries and something a lot of people in town are thinking about. Also hello to our viewers at home. Hope the folks in Silicon Valley are fully caffeinated. Let's introduce the member of the pnc cybersecurity and privacy forward.
Brad dewitt as staff director of the Infrastructure Protection and Security Technology subcommittee for the U.S. House Homeland Security Committee. Thomas Hicks, commissioner of the Election Assistance Commission and finally, Rich Barger, chief Information Officer and cofounder of ThreatConnect in which many people will be familiar with. I want to start with Rich and talk a little bit about the modem of a cyberadversaries online. Russia and China are constantly probing if not gaining access to institutions around D.C. and it's not really an overstatement to say they're interested in intelligence value of the information they find. Could you talk a little bit about that? With regard to the intelligence value, it really depends on what motive, what operation to know what effect they are trying to deliver. He might look at the traditional Chinese espionage we've seen that has gone after a variety of companies, businesses as well as organizations such as OPM and make it to market quicker or perhaps if they wanted to look forward recruitments or operators within their borders. What we've seen recently with the Russian attacks, we are still looking at trying to test out what their motives might be. They are being very and assist in terms of shaping and mary tape around that. Over our system. In the case of the love that hacks the american exceptionalism and the fact of whether or not our medals really going to have it cannot. There could be a variety of different motives and with these types of groups are trying to do in trying to effect for the national object is. Some of the things they've been kicking around the offices for every story that runs in every conversation in and around elections, what is the thing we are not talking about? We're not talking about Syria and Ukraine. For some broader issues than the rest of the world where we are hyper focused on ourselves in the U.K.
Received a lipid that admits everything convenient distraction is an interesting time and polarized event. That would follow up on that by asking do you think they're special attention being paid to the Democratic Party to run for president sand is that possible adversaries first tuned in as they made the to the election that they're interested in one party and the outcome that way. Ultimately what is fact and if they are seeking leverage. I would not see that leverage and one party alone. I'll make sure I cover my bases depending on however this falls. I would be very surprised if this wouldn't affect both parties and perhaps might be the new normal. We see campaigns targeted going back as far as 2008. The president indicated his campaign will be targeted. That we want to consider this in the next election cycle and start to focus that this is maybe a new way of life. Michael, I ask you similar questions. Do you think cyberadversaries are politically as it in that way? Do you think they take special attention because of the potential to see a Clinton presidency? We really don't know what they are doing. I think the middle of the book someone will write a book and we don't know what it is big political theater to figure out. We know that Russian state sponsors and the groups doing it are very sophisticated. In fact, this is their day job. When we were looking at activity resolve the most activity from 9:00 a.m. until 5:00 p.m. Moscow time and when we talk to the big guns of the political parties, we would say unlike the company for a state actor would say let's find the doors are locked really type. For these organizations, it is someone's day job to get into this organization and they will be persistent. They are very sophisticated and what they're doing but it's a guessing game dallas to what they are doing. Do you think we could see were emails? T. Think that's possible? Is a broad campaign to hack.
Party and campaign systems personnel email accounts, people in iraq at all. We don't know what we will see you at the interesting thing is will please the documents we don't know who they are very often. Additionally when the documents were posted with whatever organization is working with comments is the series, is that yours? The document may have been created by one group, circulated to other groups. Some have been found to have nowhere on the period they are really busy trying to elect candidates. It's become a side job to have to do with it. There isn't a lot of effort he put into figuring out who of us come up where it came from, is it offensive. You're trying to move on with the business of the campaign parties. Let's turn to you. Your boss said that the RNC was hot and then wondering whether you are aware of the operatives who have been either provoked or hacked and whether your boss was really telling us the true story at this point. The point that chairman cole is trying to make a point and CNN was the point that both political parties had impact and make it a point that this is bigger that you have to look at what these hacker groups are doing. Looking at the psychological warfare, trying to undermine the integrity and conference Republican or Democrat. Looking at motives that harvested personal identifiable information, voter registries are the motives we've been briefed on and appoint the chairman was trying to make is both parties have been hacked. We cannot allow nation-states to target either political party and we stay strong consequences when actions take place. Whatever the actor is. That is the point. Do you think Republicans are vulnerable? Absolutely. There have been reporting that Republicans have also been hacked with their emails and campaign related issues. Both parties have had and I think looking at the political organizations, we'll need to be vigilant that this is real. This is the way of the future. We need to be vigilant.
It's almost a warning that all political parties and all state, local state and federal need to be aware that this is a new world we have to live in and we need to be prepared for that and looking towards November 8th. There is a lot that we need to do to ensure that we are prepared for that. Everyone should be aware. Thomas, let's go to you. For younger viewers in particular, the question of online voting always pops up this time in the election cycle and many of the people watching the lenders and why that's a bad idea. I'm hoping you could walk us through what you think of that idea. Thank you are having me here today. A lot of folks don't know the small federal agency that is what the administration of elections and respond after 2000. In terms of internet voting, there is a small portion of folks who were allowed to use the internet to vote in the same military and overseas voters gave most of them have to be in harms way but it's a very small segment of the population. In terms of expanding that outcome has to be a discussion we need to get into when we have things about these incidents occurring in the last year or so. We need to look at best practices and see how we can expand that out with their agencies doing now working on a voluntary Voting System guidelines which have it been updated since 2007. 2007 was when it came out. At that point we should be looking at ways to make it more convenient to use their technologies to the also make sure those votes are secure in canada accurately as well. Internet is people talk about this is that trying to voting machines if they have access to the internet can be vulnerable on their own. I wonder if that is something you are thinking about added into next month. We think about all of that in the event thinking about that for years on end. It's not something that will change overnight.
I'm hoping the conversation does demand a November 9th to be continuing January February so we can look towards the 2018th election, 2020 election to make it more secure. Elections right now are the most expensive ever been but we can do better. Again, thinking about the issue, looking towards the elaborate that there's anything in your mind in particular when it comes to threats. With regards to threats, I never cease to be amazed. Never surprised when I start to see these sorts of things. We just continue to think creatively around how might the adversary continue to meet their objective short of a crystal ball it is very hard to say what we might see. There's certainly precedent for the leaks. Leaking of some of the communications that we saw recently might be indicative of some things that closely matches that kennedy. Really we have to look at the precedent. What if we see around the elections and might they be playing an operating from a similar playbook. I can't say for sure but maybe that's a good rupert to look at and think creatively as to what we might expect to see. Michael, when you think about the D.C. institutions in particular everything from party committees to campaigns, think tanks, what would you suggest that people who haven't had ahead of the curve on this begin to do now? How would you introduce them to this problem? They been introduced by reading the papers and seeing what is going on. The big change is the idea that people looking after things and learning about you is one kind of threat. Now people are seeing that their personal emails and communications and papers have been posted to embarrass them and I don't think anybody here would like or be proud of everything in the email inbox posted on the internet. A superb for companies, a threat for people and the education is investing for it. For the political parties and campaigns there are really two time periods.
There is the next month before the election in terms of cyberpreparedness, respond and really important work after the election because all these political organizations want to put all their resources into many races and building their party. Traditionally this hasn't been in a corporate analog for the annual budget has a line item for 4 million for cyber. Just hasn't been the case. So there's thinking about finance team, how we find the money to spend on the summit dedicated basis and thinking about longer-term plans. To continue the metaphor of building. A question I want to ask about the safety is that the elections this time, the voting system on election day is safe from cyberattack because the 8000 or so districts we have are not interconnected. They all bring different systems this summer. Paper. My understanding is very sent a voting by race or a voting now that's going to go out for an attack on the nation's voting system. We are very safe in that way because of that diversification in heterogeneous nature of all the different districts, none of whom are connected to the other. One of the things I would raise our system is decentralized. You would need an army of folks to basically try to get into the systems. 47 out of 50 states used our Certification Program in one way or another. Every system is certified, none of them are connected to the internet. Spirit not be any sort of internet hacking incident to the voting machines themselves. Michael, one of the question when it comes to individuals looking at the rose diaper hygiene and email practices, is there anything you advise people as they say things in email so they might not want hacked. Do you think there is a culture change going on as we approach the technology? Are a couple simple things that everyone should do. Everyone in this room that is turned on your email and social media account. You need to raise to login.
When I use my personal email, I put my email address and password with text message her coat and I'm prompted to put in the code. It makes a huge difference. The bad people years your social media and personal accounts and all sorts of information to create spear phishing attacks. They look authentic to try and get you to click on the link for a pen attachment. Attacks are so sophisticated with a simple piece of human engineering to get you to click on something. Think about your privacy in a social setting and they spoke as a one click solution. There's one thing you can click to make all future posts and everything in the past friends only. When you're going to meet someone you look someone up and see what that person is about. Some people on Facebook of a person in a bathing suit, drinking a and people don't have that awareness. You can take care of that with a click. Lastly, peer-to-peer encrypted apps like FaceTime Audio and Signal and other apps that allow you to have nearly guaranteed private communications. Those are very quick tips. The culture on the hill, is there attentiveness to the idea that you are being all the time. Do your part of your system there? The House of Representatives with any other organization there needs to be training. It's cultural and you need to have everyone in the organization aware of it because it takes clicking on now where and emails to really undermine the system. We are very vigilant with training programs and I think we set an example of what we do internally for that. I would say yes for sure. Thomas, Jeh Johnson recently talked about taking our election system as critical infrastructure. Could you explain what that would mean and whether you agree with the idea? I can't really speak with DHS wants to give but I can talk about the fact that states are looking for resources to make sure systems are secure. If they want to offer those resources, that's a great idea.
We have legislation through the Congress in 2014 and last year basically says he just can provide voluntary upon request assistance to critical infrastructure but also state and local. It is optional and tools that are available to fast upon. It could be those tools but the bottom line is they need to invest in technologies that ensure they are secured. The capability DHS has more than half have now signed up for the voluntary assistance. We have legislation that passed out of our committee back last year that passed the House of Representatives in December that basically been further clarifies the rule of DHS's voluntary assistance to states when they request it. Clarifying the law will make a big difference. Ensuring that absolutely not to have to federalize the election system. It would be unconstitutional. They reserve the right of states to administer elections. We do think that writing tools and capabilities would be a good thing if it makes sense for those localities. Could you give
