Gen Michael Hayden - Cybersecurity and Intelligence

Captions
This is gonna be a briefing about a briefing, all right? I'm gonna show you what it is I normally show our countrymen, and that's gonna allow me, because you're a different kind of group, to kind of speed through elements of it much more quickly than I do when I'm out there at a trade association in San Francisco or something. But it always gets organized, it all builds to one point, and I'm going to tell you the one point now. All right, the one point is the primacy of the private sector when it comes to cybersecurity. I'm gonna build to it, I'm gonna explain why I think that, and then I'm gonna suggest some of the implications.

All right, so, with speed. I start with this: why is this still so hard? All right, I just use this and say that's what my grandkids say, and then I elevate the conversation with this quote from Richard Danzig, who I think quite masterfully gets the words "nourish" and "poison" in the same sentence about the same substance, which is not how we normally think about nourishment and poison. I dwell on this a little bit, and I'm gonna sort of do that for a second with you. I did something like this out at Black Hat about five years ago. I actually kind of leaned into the darkness (I can see you, by the way; I couldn't see them, 3,000 people, Caesars Palace ballroom, bright lights, dark) and I leaned in and said, by the way, the former director of NSA talking at Black Hat is an away game for the director. And I just kind of leaned into the darkness to say, "Look, I've been thinking. I think this cyber thing is getting traction." And I kind of got that polite chuckle from the audience too, but the point I was trying to make was: even you guys don't appreciate how disruptive a thing this is. And then I play my own Ed McMahon to my own Johnny Carson, a metaphor, by the way, that does not work on college campuses anymore, okay, and said, "How big a deal is it, Johnny?" And my answer, since I'm by education a historian, is it's as big a deal as the European discovery of the Western Hemisphere. And if you think back 500 years ago to the great age of sail and what that meant in terms of disruption, that's kind of where we are now. By the way, I won't do this to you, but I can spin this metaphor three or four more turns, all right, comparing this age of globalization to our age of globalization. That age of globalization was really impactful at 12 knots an hour with a favoring wind; now imagine ours at 186,000 miles a second. I can go on, but it's actually a really powerful historical metaphor, so powerful that your armed forces now think of cyber as a domain.

I got parachuted into this in the mid-90s. I was coming out of the Balkans, where my problems were literally medieval, all right, and then I got parachuted into Texas to command the Air Force cyber unit, the Air Intelligence Agency at the time. They didn't quite say this to me, but in sum they said, "General, we're glad you're here. Sit down, take out a clean sheet of paper and a number-two pencil and write this down: land, sea, air, space, cyber. It's a domain." And when you tell an American GI it's a domain, my response was, "Why, just say so. That's straightforward. I know what that means." And so it is, for the American armed forces now, publicly a theater of operations, privately a theater of combat, and we intend to dominate this domain the way we think we want to dominate air and land and sea, period, with no shame or embarrassment. But the point I want to make is: so disruptive, it's a domain.

Okay, you know this story very well, I won't draw on it. That's Vint Cerf in the lower right, and Vint on the lower left back in the day. I actually learned an awful lot about ARPANET and how it started, because Vint is actually a neighbor. He lives up the road in Great Falls. He comes to my class at George Mason. "Hey Vint, why don't you make it a little more secure?" is one of the questions he gets asked, and he said, "Well, we had no idea it was gonna take off the way it did," is one of his answers. But you know the drill. It starts out as ARPANET, it goes to there, and now here we are there, and this unfortunately is still based on the same technological principles as this: a limited number of nodes, all of them I know, all of whom I trust, and the whole point is massive amounts of data quickly and easily. And now we got this, where it's a limitless number of nodes, most of them I don't know, and a whole bunch of whom don't deserve my trust. You all know the security problem. We all have on-ramps into that domain. I just throw this up, a heat map as to cyber connectivity. The only point I want to make is, as bad as it is today in terms of it being an ungoverned space, most on-ramps to the Internet are coming from the parts of the world that currently are most ruled by the rule of law. So just think, when it starts to darken in some of these other spaces, what it might be.

I do spend a lot of time on this, about what could go wrong. You're familiar with this, but this is kind of my taxonomy: there's stealing your stuff, corrupting your stuff, corrupting your network, and then using domination up here, in my thumb, to create effects down here, using a weapon comprised of ones and zeroes to create physical effects. The only point I want to make to you is, if I'm doing this three or four years ago to most audiences, I'm just dwelling on number one. I'm going on about, it's about they're stealing your stuff. But the longer this goes, the stealing-your-stuff thing doesn't get reduced, but I see activity, I see malevolence bleeding down into two and into the other, what I categorize as cyber sins. All right, so we see more frequently not just stealing stuff but corrupting stuff, damaging networks, and then some examples of physical destruction. I just asked out of curiosity, how many have seen the film? This is the Alex Gibney documentary on Stuxnet. I'm in it a fair amount along with several other folks from government, talking about what happened when someone attacked the Iranian nuclear facility at Natanz. Okay, a magnificently complex and technologically elegant attack, I might add, whoever did it.

And then, those are cyber sins, these are cyber sinners. A little commentary here might be in order, just to give you a sense of my perspective. So who steals other nations' stuff? Everybody. All right, it is an honorable interstate activity, it is an accepted international practice, and so I've got up there among the actors the United States of America. And let me just brag a little bit: I kind of think we're number one in terms of our ability to work our will in the cyber domain. Now, we do self-limit. We steal stuff to keep you free and to keep you safe; we do not steal stuff to make you rich. And unfortunately most other countries on earth can't make that last claim. In fact, the number of countries I'm comfortable telling you confine their espionage to safety and liberty, security kind of questions, I think the total number is five. Okay, they all speak English and they all go back to Bletchley Park: ourselves, the Canadians, the Kiwis, the Aussies and the Brits. Okay, criminal gangs, you know this better than I, traditionally in the post-Soviet space, all right, Belarus, Moldova, [unclear] working out of, and so on. And then this last group I actually have trouble identifying, that last group: activists, hacktivists. When I do say, in a large audience, you know, 20-year-olds living in their mom's basement who have not talked to the opposite gender in months, then I have great difficulty logging on to the network. By the way, Jim Clapper and John Brennan's emails were compromised by two twenty-year-olds in North Carolina living in their mom's basement. All right, in fact they're just down the street here now, in the lockup in Old Town.

All right, a couple of other thoughts here. Nation-states: I think we're the best. If you're looking at skill, I think the next best are the Russians. If you're looking at scale, clearly the next best are the Chinese. But the nation-states I fear the most are a couple of the other ones that are up there; that's the Iranian and North Korean flag. I am now more fearful of that isolated, renegade, sanctioned, nothing-to-lose, "ah, what the hell, let's just roll the dice and see what happens" nation-state, which is kind of a permanent definition of North Korea, and could be a description of Iran if the nuclear deal heads south. Put another way, I am NOT one who addresses audiences about cyber Armageddon or digital Pearl Harbors. I've actually said if the Chinese are turning out the lights on the eastern seaboard, that's probably not the first thing in the president's brief, and I seriously mean that: that is a subset of something else going on. So I'm not really that panicked about the near-peer going catastrophic on us. When I draw them, if you just look up here, you know, kind of draw a graph of how bad could it be and how likely is it, the lines kind of cross at what I just described, you know, an isolated, desperate Iran, an isolated, desperate North Korea trying to give us what a football player would call a real strong forearm shiver. I have to be careful here, I've got tools to kind of approach. I won't rehearse this, you've seen these kinds of victimization. Well, one thing I have noticed: the early history of cyber theft was stealing product, I mean the PIN number, the credit card number. The recent history of cyber theft has been stealing raw material, I mean it's the theft of big data that they then have to productize in order to turn a profit. Israel's quite good. They don't have scale and they're very focused. All right, how to say this and remain unindicted: we have a lot of time for the Israeli SIGINT service. I spend a lot of time in Tel Aviv. They're quite good. Now, you realize, I mean, we have a special relationship with the Anglo-Saxons, okay, we have close relationships with others, and so I would simply say to you, let me dare, here's the way I would put it: the American cyber intelligence relationship with Israel is the most combustible combination of intimacy and caution that we have. So they're quite good, and, sorry, I'm going to do it one more turn, they're monetizing it. They go to the universities, they pick the cream of the crop, they push them through 8200, which is the Israeli cyber unit, they do their six, seven years, and they come out and start a startup, right? And that startup-nation phenomenon is a direct byproduct of that cyber excellence built up in the security domain.

Oh, this one's very nasty. This was all four sins: they stole their data, they destroyed their data, they collapsed their network, and they at least threatened physical harm. You know, I grew up in Pittsburgh. The most threatening thing I ever heard as a teenager was "I know where you live and I know what kind of car you drive." The Sony employees were getting notes: "I know where you live, I know what kind of car you drive, and I know where your daughter goes to high school." I mean, really threatening stuff. A nation-state attacked a North American enterprise to coerce their behavior. Back to the earlier slides, that's really disruptive stuff, that's different. To give you a sense of one of the problems we have with this, you know, we can use more technology, certainly more trained people, but I think that the most powerful limiting factor in our being better at this game is aligning our big ideas. All right, what is the role of the state? How do you define action? So, sorry, President Obama dimes out the North Koreans. We don't normally do that. I'm really happy he did, I wish we did it more. But he dimes out the North Koreans and he goes into the press room in the White House and says, "It's the North Koreans. This is really bad. This was a horrific act of cyber vandalism." And I'm watching, saying good on you, Mr. President, diming out the North Koreans, good on you, Mr. President, calling attention to it. Vandalism? What the hell do you mean, vandalism? Vandalism is what you do with spray paint on a subway car in the Bronx. This is far worse than vandalism. For God's sake, Mr. President, call it what it is. It's, I'm still searching for the word, all right, I really am, and I used to make a living out of this stuff, all right, this is what I did, and I do not have a word that I am comfortable using to categorize this really bad act. I know what I would call it if this were done in the physical domain by North Korean commandos landing at Malibu, but I really don't have a word for it, and that's one of our problems. This is the Iranians.

[Audience] Yeah, just going back to that for a moment. You just compared that scenario to a land domain, right? So why wouldn't they parallel, then?

The fact of the matter is it hasn't yet. I mean, it just doesn't.

[Audience] I would argue that then we're not treating it like a domain.

Well, I think we are. I actually think it makes the counterpoint, all right, because the destructive activity was mounted from up here. All right, for whatever reason or another, we believe this actually has uniqueness, right, that we do not apply our instinctive approaches, our instinctive responses down here to an attack mounted up there. But again, I think we're in powerful agreement: we don't have the big ideas aligned. All right, the Iranians go after Sands Casino because the owner said some insulting things towards the Supreme Leader. OPM: I go out of my way to not blame the Chinese for OPM. I actually say this is honorable international espionage. All right, this was a state target, and that is a legitimate interest of a foreign government. Put another way, if I were still director of NSA and I could steal twenty-two million records of the people in China that the Chinese believe should be entrusted with the secrets of the Chinese state, I'd have been all over that in a minute, and the punchline is, I would not have had to go downtown and ask permission. This is what nation-states do. So no shame on China, shame on us. I think most of you are familiar with this one, another example of a weapon up here, in my thumb, creating effects down here in physical space. And now we got the DNC thing, which, you know, although our government refuses to say the Russians did it because they don't want the follow-on question, which is "and what are you going to do about it?", okay, I think everyone is in agreement the Russians did do it. By the way, the theft of internal emails of a major political party in a global adversary power is also honorable international espionage. I would have done it; in fact, I may have done it. But taking that information and then weaponizing it to create effects is a different matter, and that's what makes it so controversial.

Here's where I get to the pivot about the primacy of the private sector. Government has been late to need in responding to the issues I've put out here, and by the way, the normal presentation spends a lot more time stirring up dust about all the issues. Government has been late to need because big questions remain, like this one. I mean this seriously. I think all governments are going to have trouble in the cyber domain because the speed of government is different than the speed of action you need up here. Our government is going to have peculiar problems here because the speed of our government and the current political gridlock really make it unsuited for the speed of operations in this domain. And finally, our government, our society, is going to have great difficulty up here because of this: we have a powerful national allergy with regard to our personal privacy, far more so than our Australian allies or our French allies or our British allies and so on. They permit more state pressure on privacy; they are more comfortable with it than we are. Put in a kind of a macro sense, we, and I mean the big 330 million, we have not yet decided what it is we want or, more importantly, what it is we will allow our government to do in this domain to keep us safe. Let me give you an example, all right. I live just upriver. Just picture: I can't sleep last night, I get up, I walk to the front door, look out the window, and I see a Fairfax County police car going by my house. He's putting a spotlight on the shrubs. My immediate thought is, I like that. All right, that is my tax dollars at work. Now, you know, you go to any American audience and say, imagine whatever you think the equivalent is up here, and there's no one in this room who'd tell me they're comfortable. Big deal, big issue.

Now, governments try to act. A very modest cybersecurity sharing bill, fine. The president's issued an executive order: we'll sanction people who steal our stuff. Issued 15, 18 months ago, still has never been used. Ash Carter goes out to Stanford, gives a very important speech about DoD cyber strategy. All right, you could go from bullet to bullet. Bullet number one, he says, hey, routine stuff, act like a man, defend yourself, you're on your own. More serious stuff, the Department of Homeland Security should be able to give you significant assistance. Let me translate that for you: act like a man, defend yourself, you're still on your own, right? I don't think anyone in government thinks DHS is the go-to person for an immediate response to a cyber event. Then the last one is really interesting. He actually said there are some attacks so bad that the Department of Defense will view it, back to your question here, as something DoD should respond to. Don't quite have to define it as an act of war, but a response governed by the laws of armed conflict, not by criminal law or other legal structures. All right, so Amy Zegart, who is interviewing Ash Carter, says, "Well, what do you mean?" and that's Carter's answer, all right: significant loss of life, destruction of property, or lasting economic damage. President Obama, Xi Jinping, trying to limit Chinese cyber espionage. Actually, since the agreement, Chinese cyber economic espionage has been reduced. I'm surprised, I'm happy, we'll see.

So here's the big pivot now. Despite those actions, our government will continually be late to need in this domain, and in our society, the good news is, when government is late to need, the private sector steps in. I'm out of government now seven and a half years, and I am overwhelmed at the amount of technological and entrepreneurial energy up here in this domain to provide a level of security that we normally expect the government to provide to us down here in physical space. All right, so we're in Virginia, so I've got a picture of Ulysses Grant and Robert E. Lee. Why do I have this? This is it right here: in the Department of Defense, when an order is issued, there is a paragraph in that order that says, you, sir, you are the supported command, and you people here, you are the supporting commands. In the Civil War, that's why I got Grant and Lee up here, all right, in the Civil War that's translated into, sir, your corps is the main body, and gentlemen, you will conform your movements, the movements of your corps, to the movements of the main body. Get it? All right, the instinct of our government, I think the instinct of a lot of people, certainly my instinct while I was in government, was that in defense up here the main body is the government, and that the private sector needs to conform its movements to the main body; the supported operation is the government and you are supporting. I am now convinced, for all but those attacks down here in the third bullet, I had that wrong. For all except that thin veneer of massively destructive attacks, the main body in American cybersecurity is the private sector, and the corollary then is the government must realize that and assume a supporting role. In other words, the government should be enabling the private sector. Let me play this out in a recent high-stakes drama.

[Audience] Would you extend that to say private enterprises could go on the offense against other private enterprises?

I hear the question. Privately, I am not quite there yet. I was actually doing this in a panel with Mike Rogers, former chairman of the House Intelligence Committee, sponsor of that cyber sharing bill, and Chris Inglis, seven years deputy director of NSA, and that question came up, and I said I'm not prepared to do that yet. I am prepared to say we need a robust discussion as to what it is we want to make legitimate in terms of a private entity conducting defense outside of its own firewall. All right, so the euphemism that creates the gray area that I want to go into and talk about is active defense. How much active defense would you give? I am not quite to the point of issuing letters of marque and reprisal in the private sector, all right, but I'm not being half-assed up here. When our government was late to need in this domain, the maritime domain, it actually did issue letters of marque and reprisal in order to meet national security objectives. I'm not saying we're there yet for this domain, but I just, what's the right word, I want to stir up the conversation here. We cannot confine ourselves to the old forms. So, encryption.

[Audience] So I think I know what letters of marque and reprisal are, but not being a student of government, what you're saying...

Yeah, outfitting privateers to go ahead and make war on behalf of the United States government.

[Audience] ...government having a decrease in cyber attacks after that agreement...

Yeah.

[Audience] ...but the Chinese government essentially using marque and reprisal to sanction other entities to do it on their behalf...

Yeah, until, I didn't want to be too overly excited about the change in Chinese behavior. I was surprised that Xi, I mean if you look at the slide, Xi Jinping accepted the American definition of legitimate state espionage. All right, he did, that's what that was, and so, number one, well, at least there's a standard he signed up to we can try to hold them to. But I've talked to Kevin Mandia, and Kevin tells me, yeah, we've seen changes here. Now, part of that is Xi getting his arms around these so-called cyber militias that were out there pretty much privateering, saying, oh, let's, and that might also be a part of it too. And so at some point there's a growing asymmetry. Let me just use China again as the example, right? So there's a reduction in Chinese activity. All right, it may be partially due to the deal, it may be partially due to Xi trying to get his arms around what was pretty much unrestricted submarine warfare being conducted. All right, it may also be a reflection on the Chinese that as they try to up their game in their own economic model, a world in which absolute piracy is uncontrolled, unregulated and unlimited is not the world they want to be living in. In other words, they've got some skin in the intellectual property game now, or they expect to have some skin in the intellectual property game, and a world in which that is just standard behavior might not be as comfortable a world for them as it was five years ago. So there are changes.

Let me deal with this one, all right? Sorry, you're all familiar with this. This is Apple, San Bernardino, the iPhone you can't get in, and so on. Most of you probably know that I sided with Apple on this one, all right, which kind of surprised a lot of people. Actually, let me make it more surprising: Keith Alexander sided with Apple, okay, Mike Chertoff sided with Apple, Richard Clarke sided with Apple. I mean, there are a lot of people with genuine security credentials who said, I think I'm with Apple here, and that really seemed to back-foot some observers. It's "Wow, what's going on with these guys?" Here's the rationale. If you even half believe my little thing here about the cyber domain, and the private sector is gonna, it just is your first line of defense, you want to think two or three times about making it harder for the private sector to do that, even for legitimate, and these are legitimate, law enforcement needs. So my macro argument is this is not about the authority of the government. I actually think the government does have the authority, through a court order, to tell Apple to do that. This is not about protection of privacy; he's dead and it wasn't his phone, he doesn't have any right to privacy. I view this in purely security terms, and we had a trade-off to make in security: the security we could improve by getting into that phone after an attack to gain the last final inch of forensic evidence, versus the security we might put at risk by making an otherwise pretty tough encryption system less tough. And I think there's no technological dispute: no matter how you do it, you're gonna make it less tough if you put a hole in it one way or another. And so if you go back to my primary point I'm trying to make about who's the main effort and who should be the supporting effort, this answer is obvious. This is a point at which the government should conform its movements to the movements of the main body, which in this case was Apple.

By the way, this shouldn't overly shock us. We have historical examples of technology pushing forward so powerfully that the forms within which it exists, that's policy and law, change to accommodate the technology. So I got Sergey Brin up here and Zuckerberg. I mean, let's start right, all right: Mark Zuckerberg is gonna have more to do with the accepted definition of privacy in the 21st century than the Congress of the United States, period. That's a fact. Good, bad, I don't know, but that's a fact. Lower left, I just show Uber. I mean, most of us use Uber. I got the app, I use it all the time. Wherever, first thing I do when I get off an airplane in a city, see if Uber's in the city, right? There are a lot of people pushing against Uber, trying to use the existing regulatory and governmental structures in a city or a state to make sure Uber doesn't get there, but the technology ultimately wins and people get Uber. We change the forms, we change the framework to accommodate the new technology. One final example, lower right. All right, what time is it? It is 9:01 Eastern Daylight Time. Eastern Daylight Time, not Central, not Mountain, not Pacific. Where did those come from? Who created time zones? The American private sector. Okay, our time is governed by four zones created by the American railroad system, because they could no longer stand it being noon at different points in time for every village along the way. In other words, the technology drove a change in the forms within which the technology has to work, and I just think that's happening in this domain as well.

[Audience] So I've been noodling over your observation that the private sector ought to go first, which I really find compelling, but breaking it down a little bit more: we as engineers, many of the people here are either engineers or responsible for the engineering of systems, whether they're the pipes or the applications or whatever. That implies a special role for the engineers who are responsible for designing and building those systems. Give us some ideas around that, because it's not just the CEOs, right?

So number one, I mean, facts matter. It's a little bit like my life as an intelligence officer, right? I mean, I rarely went in to the president with the facts lined up so tightly that they looked like a syllogism, whereas the president, "Well, Mike, okay, therefore..." I mean, probably the same with you. What I did think my appropriate role was, however, was to create the left- and the right-hand boundary of rational discussion. All right, so over here I could say, Mr. President, don't even go there, you're dividing by zero, and Mr. President, don't go over here, that only works if water runs uphill. Okay, I'm being cartoonish. So I do think in that sense we share a burden going to the policymakers. You know, we're kind of the world-as-it-is people. There are certain things that are, and, you know, you can shade within that window, but there are certain things that create the limits. And another powerful thing too is, people, particularly you, are masters in this domain, having the ability to speak to people who've spent their entire lives in this domain. But I make the point that I am a digital immigrant, all right? I will always speak with an accent in this new world. Okay, I will never be totally comfortable with it; it's not the old country. My grandkids will, all right, there will be native speakers. But how then do you folks communicate to those digital immigrants who are in very powerful policy positions and get them to reshape the forms to meet the realities that you created? One other thing I'll add to it, it's probably not narrowly defined as engineer, but I'll just use the phrase "the Valley," okay. The Valley has spent most of its life thinking it enjoyed the privileges of extraterritoriality, and I think, frankly, it's a business model for the Chertoff Group, where I work now: the Valley now recognizes they can no longer go to where they want to without a more deep involvement in the other processes here creating those frameworks, in other words, the American political process.

Very quickly on this one. I put this up, I'm gonna be really speedy for you, but I spend a lot of time on this with other groups. So how does the private sector go about doing this? Traditional risk equation: risk is threat times vulnerability times consequence of a successful attack. First thing you know, it's multiplication; get any factor near zero, we're home free. The history of cybersecurity is in the middle factor, vulnerability reduction, the McAfee-Symantec universe. The current entrepreneurial and technological energy is in consequence management: presumption of breach, you're gonna be penetrated, get over it, continue the fight. The future of reducing R, I think, is over here in the T factor. Back to your question: do you ever get to shoot back? Right now that's an unanswered question. So what we see in the threat factor now is not threat response or threat reduction, but cyber threat intelligence, and again, this audience knows more than most: there are really good private sector cyber threat intelligence companies out there, web crawling, port scanning, foreign national employees assuming personas in Belarus in chatrooms, and so on, really aggressive intelligence collection, all private sector. Okay, and one other, I think really useful effort for improving national cybersecurity is cyber insurance. Now, this is not quite embryonic anymore. The numbers are starting to get pretty impressive. I get it, I can't quite pin down what collision, comprehensive and personal injury look like in the cyber domain, okay, but there is a fascinating dynamic here. This is the alternative to government regulation, which I think we all agree is just bad in principle and really bad in this domain, because the government won't ever keep up, the standards will never be as relevant as they should be, and it will infect us with a compliance mindset. On the other hand, when you go to buy insurance in physical space, you change your behaviors to get the better rates. How many in this room, you know, don't smoke anymore, drink less, or have reduced their weight because it's better for the insurance? I love all my kids, but I like the 20% discount USAA gave me for driver's ed. All right, it shapes behavior. And so, if this cyber insurance takes off and it develops, and it needs some help with regard to actuarial tables and so on, it will, I think, be the best engine for causing people who want to buy insurance, like everybody, to shape their behaviors to meet the standards that the insurance company says they need to meet in order to get the A rate instead of the B rate or the C rate. I really do think this is making a business case rather than a regulatory case for cybersecurity, and I think that's a wonderful deal. Again, private sector. Now, the government can help. You know, the government can pass statutes that make this easier to do. The government also might have to be, for a while, second insurer, as the government is for terrorism insurance, because, you know, no one will begin to do this in earnest if they think they have to underwrite catastrophic attack. Yes, turn up front. That's my last slide.

[Audience] First of all, thank you for your membership and your service. I'm USA. I've been noodling on some of these concepts you've raised, and I'm thinking, what concerns do you have about non-state actors, let's say terrorists, gaining the capability to launch maybe credible asymmetrical...

Yeah, so, question about, in essence, cyber terrorism. You know, I'm worried about that in government, I worried about that post-government. Let me give you a thought. I don't have an example of a terrorist group using a cyber weapon to create physical damage. I don't know why. I mean, they wish us ill. These would be weapons of mass disruption, if not destruction. They're not cyber stupid; they use the web for practically everything else: recruit, proselytize, raise money, command, control. But I don't have an example of ISIS or Al Qaeda or Al Shabaab or anyone using a cyber weapon to create the kind of destruction that you're describing, and I'm at a loss to explain. Now, I'll throw out a couple of thoughts. All right, it's not religiously rewarding disruption. I'm not being irreverent or silly here. I mean, they hammer us, they hammer me personally, all right, for killing from unmanned aerial vehicles, as being unworthy, unmanly and unholy, because it's not battle, it's remote, and so on. Maybe some of that bleeds over into this, and then they just haven't chosen to do it. But, you know, I wouldn't bank on that forever. So far it's just not happened. Again, I can't explain it.

[Audience] The government's done a lot to facilitate the private sector: ISAOs, information sharing analysis organizations, the ISACs, as you well know, for intelligence sharing. There's more perhaps they could do. We've tried to do some things with respect to DHS for indemnification, to facilitate perhaps some of the privateering kind of activities or facilities. Investment standards clearly is something that we can do more. Other things that you see are missing that either the private sector could facilitate or the government should act on?

So, yeah, I mean, even though there's goodwill, all right, the government treats information as if it's theirs and then makes the judgment as to how much of it to share with you. Here I'm talking about the classification system, all right, and I'd say everyone's trying to do the right thing, but the model they're using is: this is the government as the main effort, it needs to be the body of knowledge on this, and it will meter out this information to the supporting effort to meet the needs of the main effort. I mean, I think that's the lens, and if you flip it, I think you get a different model for how much, how quickly it's shared, how many people get security clearances, frankly how much of this is even classified. All right, so that's one example where I think if you really invert the model, you're not trying to make the old, less relevant system work better, you're going to a different kind of system. All right, I think that's one. I do think there's, and I know that I talked to Mike Rogers, former chairman of the HPSCI, on the CISA, the sharing
bill and he fully admits that's just a halting first step that there's far more that can be done not just in terms of sharing but in liability protection for actions that you would take freer from regulatory bodies from antitrust bodies and and so on that they can move forward just as a practical level a national standard about breach notification rather than you're being responsive to 50 states and five territories laws I mean those kinds of things the discussion as to what constitutes legal active defense and how much more should be allowed in terms of what it is you can do would would be I think another one the underwriting the second second insure for cyber insurance I think would be a powerful signal but this is a good thing on the far right then broke I'm also thinking a little bit about your primacy of the private sector comment and what I've observed and I think others have observed as well is that here in the US we tend to trust our government less in the private sector more but if you talk to our friends and colleagues in the EU it's just the other way around they tend to trust their government more in the private sector less and so I'm wondering have you taken this story to some place in the ueuv7 gwf8v a little with to talk to them okay there are serious structural issues within the Union on these questions right in the European Union questions of privacy and commerce are at the Union level they're argued in Strasbourg and in Brussels questions of security remain at the national capital level okay so when the EU goes out and this is a slightly different issue I'm talking about surveillance here but cyber security is really wrapped up into it when the EU talks about surveillance all right it's every no one in the room has any responsibility for security all right what is discussed in Brussels and Ann in Strasbourg there their Charter is privacy and commerce the security folks remain back here in the national capitals so you get the EU in my view current 
creating structures all right and in which privacy is overweighted and and security is is undervalued here in America as flawed as our governmental system is the people responsible for privacy Commerce and security are on the same structure they're all in the same room and we have these really ugly discussions but at least security gets a hearing and we come out with an answer that I think balances virtues I mean these are not good and evil they're all virtues after Paris and after Brussels despite the EU and all the hand pointing and finger waving they've done it me and us after Brussels the parliaments of the United Kingdom France and Germany past surveillance laws that would never have gotten to committee in the United States back to thee and the breakdown in structure so when I take the homework assignment my first task is who do I talk to I do this at the union level or do I begin to work this at the at the national level I just don't know okay we have two questions in the queue and that's we'll have to draw close Peter then Bob as far as I can estimate the forces of good are about a thousand times more powerful than the forces of bad but the force the dark side operate need to share rather than need to know they operate a market where anything that they produce is either out there for free or you can buy it and you can get a copy of Stuxnet for about thirty five bucks all right now and then I look at my own governments and I look at your government and I look at industry and everybody is doing this and I can't see how ultimately we're gonna win this war unless we change the paradigm and start sharing and one of the big things it seems to me about the classification of secrecy and privacy is the half-life of information is getting incredibly short and we seem to be operating with nonsensical rules that would been applied to paper as opposed to cyber information now the only glimmer I've seen is your president making a statement that he's going to push it need 
to share again boy oh boy I don't see much movement in government and not looking industry I know totally great and it's back to the point we made earlier over here you're working within structures designed to deal with other domains other speeds other problems and and therefore to do what you said within a framework of classification created for a different era for a framework of liability created for a different air for a framework of regulatory activity created for a different air for a framework of antitrust activity created for a different air you just can't make it work and so the the frameworks have to change and again I'm back to the to my approach here's a speed my - who's that who's the primary and who's the supporting force we need to back the the the the the encryption event I mean it's just classic by all rights in the world in which we used to live Jim Comey should have been able to get into that phone but in the world in which we now exist that habit that cultural tendency that assumption no longer applies but but that's that's the one that still has so as weight within the system so yeah all things need to okay Bob just raise your hands to me yes even yeah my question was someone along the same lines taking your view of supported will versus supporting and in your mind how does that change the equation between privacy security and the needs of the individual versus the government and what we should or shouldn't be sharing collectively yeah so back to the point made here about an hour our cultural framework our great distrust is of government all right not of the private sector differently in other parts of the world wouldn't true democracies but different political cultural instincts it it might actually make it modestly easier to share and discover if it's being done by the private sector I'm gonna give one example he just comes to mind I think it's appropriate all right so DHS wants to score people as to whether or not they're in or not into 
pre-check and trusted traveler and so on right and that requires a rather extensive background investigation one approach that this has been suggested is the government not do that that the government give that to the private sector so you're a private sector company all right the government says we're looking to identify these characteristics these qualities in an individual so that we have certain confidence in can there can't they cut through the line rather than the government going through your personal life history to discover that a private sector organization could do that using publicly available information by the way which would still be offensive if the government were doing it you know I mean truly one indicator one indicator is how many places if you lived in the last ten years how much have you moved that actually is a big high correlation to how much trust you there are others all right so you give those factors to a private sector the private sector does all the math the private sector does all the investigation and the private sector simply comes back to the government says he's a 38 all right the government says well he's got to be a 50 before we let him do it so he obviously is not acceptable for the program but that's all the government knows and and so there there is an example where the private sector actually has more Running Room to actually do something that could be shared with the government and not cut across to the grain of the American distrust distrust of government so I actually think it's their opportunities or not look I'm offended by you know Google sending me the email about flowers after I make arrangements to go to a funeral on my account you know what amazing coincidence to report so that there are some troubling aspects to it as well but I do think it's there's the word I think it's more digestible by our political culture that way then then for the government to do it I'll get it off before you go so you get to a new city 
and the uber driver comes to pick you up what is what does an uber driver think when they're picking up the former director of this here's a happy circumstance I get recognizing more so lately than earlier because of TV and so on and so forth I have I have one dark incident in seven and a half years all right and it wasn't even that dark every every other incident I think I know you are let me just tell you I want to thank you guys for what you do that's that's what I get which is very quite very quite heartening terrific was wonderful thank you
Info
Channel: TTI/Vanguard
Views: 2,348
Rating: 4.5 out of 5
Keywords: Cybersecurity, National Security, security, political science, international relations
Id: am-0nKhkBuA
Length: 53min 1sec (3181 seconds)
Published: Tue Oct 18 2016