tv Intelligence National Security Forum CSPAN September 5, 2019 12:37pm-1:48pm EDT
recovery and you are working the program and are doing the 12 steps and you're doing commitments and your participating actively, then that can be the means to the end. that can be the means to the recovery. every person is an individual. we have to look at each person individually, and we have to consider each persons situation individually. but if you look at the general population, if you look at everybody with addictive disease, you guys know as well as i do. hobby of them are as committed as all of you are? there's a good portion of them, if not the majority, who are not as committed, or not participating every day, who come into my office and when i say to them, are you going to the program, working the program, doing the steps? tell me, all that does is make me want to use. you know, all i do, or they tell me i'm going to meetings when really what they mean is they
are across the street. >> we believe this program to go to our live coverage of the intelligence and national security conference taking place at the national harbor today. coming up a discussion on defending cyberspace. live coverage here on c-span2. >> it is crucial to collaborate to address cyber threats for our national and economic security. to moderate this discussion it is my privilege to introduce david sanger. david is a national security correspondent and a senior writer at the "new york times." in his 36 year reporting career for the times, very impressive, david, he has been on three teams that have won pulitzer prizes most recently in 2017 for international reporting. his latest book, and it's a good one, the perfect weapon, war,
sabotage, and fear in cyber age examine the emergence of cyber conflict, and how it is changing the nature of global power. please join me in welcoming david sanger. [applause] >> well, thank you, william. thank you all for coming here. we are acutely aware where the first session after you come back from lunch, so we will try to keep you awake and widely as well as we can. we have a terrific group for this discussion today. to my immediate left, you're right, general stephen fogarty, commanding general of the united states army cyber command. rick howard, old friend, chief security officer at palo alto networks. jeanette, assistant director for cybersecurity at the department
of homeland security, and, of course, still relatively new agency, cisa. and sonia, assistant deputy director for cy brad fbi. this should be a great discussion. tonya, let me start with you and ask you to just described, uganda, the fbi's role in cyberspace and the threat environment, particularly-think it has changed over the past year. >> sure, thank you, david a thank you to insa for hosting us today. so as we have the fbi at the threat environment from a macro level, it's not necessarily the best news story in the world but it is certainly complex. we are looking at an environment where there's no shortage of vulnerabilities and opportunities for malicious actors to exploit those
vulnerabilities. and we see that landscape only growing in complexity as we consider the number of devices that are going to become connected in the billions over the next few years, many of which don't have security built in. we live in a world where we see nation state actors conduct wholesale theft of personally identifiable information. so targeting not just our government networks but our citizens as well as healthcare information and intellectual property and then we have growing university of actors who are growing in their capabilities -- universe -- tools that are available to them to use and at the fbi would look at both the national security and the criminal space. so we increasingly see kind of crime and cyber crime as an economy, crying is a service. the growth of organizations and individuals who are marketing
different elements that are necessary to conduct cybercrime at scale, that only kind of embolden and enable more actors. and apart from this you have the complexity that apart from federal federal networks, much of what we care about in the u.s. is in private hands, whether that's critical infrastructure also as we see, for example, with ransomware, targeting of other potential victims such as municipalities, et cetera. and then the wildcard in all of this is adversary intentions, which is where we rely on intelligence community to help us prioritize and make sense of this complex space. who is it that we really need to worry about? who is most intent and most capable of causing the most harm to us? so that's the big picture for us so as i mentioned, that's a
complex picture. and we feel that often, especially in government but throughout our society, we reflexively look for a simple answer, even to address as complex a system and problem as i just described. but how we see at the fbi is that it's only through a woven fabric of the authorities and capabilities of all the entities i just mentioned, whether it's u.s. government, foreign partners, the private sector who have to come together with their authorities and capabilities in an agile way to be able to counter that environment. so that's a long-winded windup to where do i see the fbi in that we see it squarely in the middle. i won't speak for other agencies, i will just say generally we look to partners like fisma who are in the lead in assessing risks to our
networks and helping to support through medication and defense. we look to our right and we see our partners in the intelligence community and dod who are taking the fight to our adversaries overseas in ways both seen and unseen. and then we really see the fbi squarely in the middle, enabling the activities of that whole range of partners, plus the private sector with our unique authorities and presence. and briefly, , that comes from a long history 100 plus years now we now we're building on in cyber of having presence in argument is throughout the countries, and globally, where we are engaging in our communities before something happens so that we are ready after something happens to engage victims with the response that they need to conduct investigations and operations focused on two things,
attribution come find out who was responsible, and accountability, whether that's through our own tools in the criminal justice system or providing those nuggets of attribution two other partners who can use their tools to hold our adversaries accountable. >> tonya, will come back a little bit later on to the ransomware issue which you just alluded to, but just one question coming out of your scene setting there. the four big state actors would often talk about, china, russia, iran and north korea. are you seeing a significant difference in the level of activity among roles over the past year or so? obviously geopolitically a very changing environment with all four of them. >> i always hesitate to write because i think it's a pretty fluid situation, and different adversaries are focused on --
>> different things. >> and have different capabilities as well. for example, i think we continue to see china quite active in terms of economic espionage, which our director has been very forthright speaking about alongside other agencies. russia certainly continues its malicious cyber activity, and it's no surprise that there's been a fair amount of attention to the potential for geopolitical tensions in the middle east, particularly with iran, to perhaps manifest themselves in the cyber arena. >> are you seeing any evidence of the iranians are doing that right now? >> i do want to speak to particulars here. >> very good. you've heard from tonya where the fbi in the spirit my guess is that cisa which is just about a year old now, right, is probably a little less well-known in the role just
because it is a newly created agency. so tell us a little bit about that, and also tell us how your responsibilities differ from the fbi's. >> sure. i think tonya set things up very nicely. in where we sit is there's a lot of people in the government and in the private sector increasingly that are very focused on how to understand the threat. and for us we believe that threat is just one component of what we need to understand, and you talk a bit about geopolitical dynamics. and oftentimes i think we have cyber conversations in a bit of a silo and not thinking about the broader geopolitical dynamics, which is been that over the last few decades, we've created technologies and ecosystems that allowed the united states to be at least the
potential to be held at risk in the homeland. and oftentimes that manifests itself through cyber means, not completely. and so my organization, well, cisa, the cybersecurity infrastructure to get agency, created last year by legislation, last november, is nearly a year old. we do have a legacy actually going all the way back to the founding of the department with many authorities that were given to actually do with the characters an issue. and in thinking about what happen with 9/11, and that there wasn't anybody -- this picks up on the point about coordination, is we didn't have somebody who was focus on engagement with the private sector exclusively, not in the law enforcement, not in intelligence, not from a defense perspective but somebody who could think about risk, bring government partners together, not be the one to execute
because anybody come as tonya minchin, everybody has a lot of different tools would be the one bringing people together, letting the intelligence community sort of understand what would be useful for the private sector to take action and being in a in a position te able to alert and worn when we do learn things. so there's a lot of lessons learned from counterterrorism, and, about two years ago now we started to think about well, how has cyber, and, frankly, even if the terrorism, physical security responses as well, how has that dynamic and the threats to the homeland really changed? and what we realize is that we ourselves were missing the bigger picture a little bit by focusing on what i'm waiting for the financial sector, what is i.t. doing? and really adversaries what they want to do is, is hold functions of our society at risk.
and we learned this through elections. we have learned this through energy engagement. it's not in the interconnectedness makes it even sometimes easier. so if they want to have a situation where we have a loss public confidence in our financial markets, there's ways you can effect the outcome potentially if they want to take out our ability to generate electricity, there's ways you could contemplate going about that. but he can't just be a conversation with the utility owners or the global capital market bank. >> you have to have the service providers in the conversation. you have to have the broader internet ecosystem, on an average in the conversation. we have switched to a functional approach, and we released our national critical functions, the
first time we've ever done this in april i believe it was. and what we are looking there is, , that's really the foundatn of what we believe are, is understanding what is the risk to the country, help inform the threat with information were able to gather, help drive questions of those who click on the threat to better understand the risk. but also to understand vulnerabilities and was important to understand the consequence. if you have a capable actor who has an intent and there's a full ability of the consequence is in a big deal, well then we have a way to mitigate this. if you have a very significant consequence but nobody is looking to see if there's any actor who can effect the consequence they we should probably be pivoting resources to be looking at is that a potential. it's forcing not just us but all of government to thank very, very differently whether in intelligence immunity for those of us here on the stage about the role of the government and the private sector and the federal government and state and
locals, the u.s. and a partners in having much more open conversations about what do we know, what do you know and how do we share that information and not just here's some ioc these, good luck. it's really getting into much more contextual conversations, is i think we think russia might be doing this action i don't know if it's rush but we think somebody is trying to do this to your system. you and private sector willing to share what could be happening there back with us, back with nsa, fbi, dod come all the different components coming together. so that's where we see we are setting is we are not the ones that are going to have every single tool to solve all these problems, but we are position to be that kind of risk advisor to understand how is the homeland at risk and what can we do about it, what are the levers we can poll, who has of those levers
and how do we take action? so that's where we would focus at these national critical functions are the core of what's going to drive us and prioritize and without a great partnership across all of government, frankly in thinking a little bit differently about the u.s. as a target, how do we orient ourselves to drive down that risk. >> i'm glad you mentioned that. when you said before that it's different than just having people v iscs, the indications of compromise and say good luck, there was a bit of going on for a number of years and usually companies would say to me when i got those warnings that came out of dhs rfpa, this is great, we saw this four four mitsuko andt with it. which takes me to rick. because one of the big changes it strikes me has been the creation of the cyber threat alliance.
so that this sharing is much more of a two-way thing. you're going to see things that jeanette or tonya may not see first, or you'll see them from a different angle. tell us all a bit about how that works and a little bit about how it's got to speed up. it's still a pretty manual process it strikes me. >> definitely from the government side, but before answer that let me plug your book for a second. before i read david's will come if you ask you what is the single book i would want to read if you're starting from scratch or need to have under your belt, i would've said cuckoos egg book. the rest of you have homework to do. you should still read that book. after i read david's book it's david's book, perfect weapon. we know most of things he talked about the we don't really understand and to you read his book. the dictate what i have from it is we've been in a continuous low-level, low-level cyber conflict since 2010, and we are
just the starting to get her hands around it. >> i did not pay rick for any of this. >> i didn't know we're supposed to suck up to the moderator. >> i also want to plug the book. >> i'll give you a cat from a commercial perspective, david is right. the thing the commercial world relies is the adversaries have automated their attacks. what most of us have done in the commercial space and in the government space we're still kind of deal with that manually. if you have an information sharing program they are sending that around in spreadsheets and an e-mail. if your organization has the time to even consume those things, you may get around to it in weeks to months to never. what we decided to do in the cybersecurity vendor community is to automate the threat information sharing, right? between security minister cures the reason, right, every security vendor out there worth its salt is a giant intelligence collection engine.
palo alto said 70,000 customers all with ten-200 devices deployed in a networks. we can deliver controls automatically to those devices because they are our customers. the threat intelligence to hold out the networks works for unit 42. marketing sucks for us. totally free intelligence if you want it. but when you discover something new we can convert that into multiple prevention controls for our public set down the intrusion kewell chain and deliver to the 70,000 customers in the about five minutes. five minutes. that is amazing capability. all the memos of the cyber satellites and others were six of us, they'll have similar capability, ours is better, but that's the best you can have. you guys are not laughing now. this will be an long panel. they all have similar capabilities. when we share some new thing with the cyber satellites we putting controls around the planet in minutes to hours.
what is happening for the government side is trusting that system. if with information from lots of government around the world that say hey, we solve this thing and it is very damaging, if you just got it into the cyber threat of lines, i'm looking your way, we could get the prevention controls the protect almost anyone on the planet very quickly. we have to fix that going forward. >> we will let you guys defend yourselves. >> i understand the reasons why we can't. >> we'll get to that in a second. general, of course before you in your current role when you succeeded the general who we would be hearing from later this afternoon, you were at cyber command as well. you come at this from a bit of a different perspective. and the phrase we have heard since the concept of operations changed, just as admiral rodgers was leaving office with
persistent engagement, which is perceived by most people as being largely overseas, and the networks of adversaries so that you can see a threat gathering before it's delivered, before rick sees it show up in the cyber threat alliances networks. presumably before jeanette and tonya see them as well. tell us how this works day today. what's this look like? and in a world where people are concerned about sovereignty, how to explain to the rest of the world why we can be in their networks and yet we get so upset as, as jeanette points out, we've got four operators city and our electric power grid. >> so first of all, persistent engagement, i think the big idea there is we're going to start
using the entire operational depth of the cyber domain as we would frame what information environment. and so you're not going to see threat space or threat actors or planning or preparing, testing, rehearsing. they're trying to defend themselves if we are not going to see gray space so that i'm allowing it to maneuver out of their sanctuary, get into an attack position and just start to pummel us. even think about where we were just a couple of years ago, that's what it was. it was shields up. we were principally focused in blue space, , and he were trying to shoot the arrows or block the arrows from penetrating us. and i think tonya said it well, the volume, the velocity, the variety of threat, it just continues to improve. as rick said they have automated this. if you're going to be in a defensive crouch, you are just going to bleed out. you're going to get nicked by a
thousand arrows or a million arrows. so the big idea is that we will operate in all those environments. now, we don't do it by ourselves, so that's part of engagement. engage and asked if we engage with foreign partners. we engage with commercial partners. we engage with our interagency partners. .. and the beauty is the states have different authorities, different responsibilities and it's really bringing all
that together so that was the big idea is that we are operating, we're not seating space to the adversary. i'm not necessarily crawling through a partner's network. the partner is actually sharing. i'm sharing with them to actually defend better, to detect, to identify, to share back with me. >> i wasn'tsuggesting you were in a partner network . >> as we should be. >> coming out of one question on this, coming out of the 2016 experience, what i was struck during the reporting on the boat was the number of people in cyber command, and essay, certainly at dhs and fbi were saying that the reason we were taking by surprise was that we didn't get our radars off, it wasn't a pearl harbor type situation, it was we hadn't built the radar to be able to see it. so as you now have been through the experience of
midterm elections where i think both john bolton the white house and director nakasone and talked about this, are you persuaded now that we've at least built the radar network that we would see that kind of activity again both on the cyber side and on the information warfare side? >> i think the most important part of my response is we had the radar, it just wasn't tuned optimally so if you're focused on the cyber ma which is the subset of the information environment, you're going to miss a lot of things. they're just goingto fly right through your radar screen because you haven't tuned it to detect that . >> can you give us an example operationally from 2016 ? >> i think frankly we were camped out on social media, we certainly weren't looking domestically.
we probably weren'tpartnered as well as we should of and so the lesson learned there is first of all you better open your aperture . you'd better look at your partners, understand what their capabilities and limitations are and you'd better build sustainable mechanisms that allow you to partner effectively and as rick said, i think what we're finding is you got to automate as much as possible because we still put a lot of sweat equity against problems that i think, i go back to when we were really sucking in tremendous amount of sand in iraq and afghanistan, now we go to them and general alexander and say i need more lane list, he said you need to ask better questions and were going to give you tools that will allow you to do that and so information not falling on the floor, is being collected. you can access it, but you'd better know the question you have to ask.
that will allow you to access it. >> the other thing is an issue of recognizing the adversaries or conducting operations, we don't get that now but the question is do we have to wait to counter them ? i don't see that, are we working on it? >> once again i think that's a partnership so it's a combination of law enforcement, accommodation of working with our foreign partners but the other thing is i think we got to be careful about this idea that cyber, the person cyber, you look at the entire range of options that a nation date has at its disposal so you can impose sanctions. you can hurt them in the pocketbook. you can prevent actors from traveling internationally. so i think two things, sometimes we can narrowly defined roles and that will limit our ability to see the problem and then it will limit the amount of tools we have to apply against the problem.
but i don't see this as just a cyber problem. or a cyber response to the problem. we have to be much more sophisticated than that. >> will come back in a moment but in the general's answer about2016 and of course , you're both intently focused on 20/20, and tonya, i think you and i were at an event early in the summer where everybody agreed that whatever it is the russians and other actors are going to do in 2020, the one thing for sure if they're not going to follow the same playbook they followed in 2016. so tell us a little bit about what you are doing to begin to think out ahead to what kind of executives of the tax you might see and how you would get ahead of the period of the election focused on the social media information, what their side is on the election relation side.
>> i don't know which of you wants to take that first. >> this issue is one of the great areas of growth for probably the government and how government works with the private sector in the time i've been working cyber. as you would hope we learned and we get better in response to everything we experience and we have very much seen that since 2016. i don't know if the issue then was so much that our radar wasn't on. but the nature of these problems requires a coming together of what has traditionally been quite separate areas of responsibility so i'll speak just specifically for the fbi. the issues of foreign influence, traditionally were handled as a counterintelligence issue looking at how foreign intelligence services are trying to conduct their influence activities where the cyber related intrusion activity is looked at as a cyber investigated and an
intelligence matter and that was not only the case for the fbi multiply that really in different ways across the government including focus on functional issues like cyber and then regional adversaries like russia . so the key gap is where does allof that knowledge come together ? what i'm looking at, what my counterintelligence colleagues are looking at, what the russia experts are looking at and mary that with what insight the private sector has so i think the great growth since 2016 has been in building those structures and communication networks and capabilities where we are now having that conversation all the time. and lest you think we're just responding to the last thing that happened, i won't go into detail but it is more expensive and just looking at the nature of activity of what happened in 2016.
so there's also a level of imagination injected there too and analysis of how we think might be different in 2020. >> i want to give you a specific example of that. we've all over the summer for this has been the summer of rent somewhere or a number of cities and towns and school districts and all that. a lot of your colleagues have been looking at the question of what if you had a rent somewhere issue around election machines and the future. or where getting election machines just the registration system which reports are outward facing an online and therefore are a little bit easier or somebody to go and get into. and that's just one of a half-dozen scenarios . i heard clay out. tell us a little bit how you are all thinking i had of these. >> so similar to what tonya
said, i think not just for our agencies butfor a lot of government elections , with very much a forcing function not just to think about how we protect our electoral process but how are we thinking about this overall activity where you have adversaries who are thinking across multiple different ways to achieve an impact and one of the first thing that we did on elections was to work with election officials to actually understand what the election systems, soup to not looks like and to make sure that everybody understands that. we published something called the risk characterization and it's a simple info graphic that says okay, this is what happens for election day, this is what the types of systems are different organizations will use and what people through that. and the reason that's important and we're taking
this model and applying it to all of these different critical functions is what is that end-to-end process look like, not the technical system yet, you need to get to the technical system but what does that end-to-end process look like? what does that business look like to deliver this final outcome of voting results in the case of election and then assess the risk. and what that started is really an iterative process and say okay, registration databases are something we were concerned about in 2016 because we had some evidence that that was happening. why was it happening? and so there's a lot of questions now that start to come and you have people in the intelligence community to look for those answers. and then based on the answers they say okay, now that informs we've been didn't quite understand what the intent and you go through this iterative process no
different than anyother intelligence problem wetry to work on . it's just this one happens to be on cnn every day . and so we, we think that we are we learned our biggest lesson is really getting everybody on the same page and understanding and being public about it too. everybody should understand how your country's electoral process looks like and then we want to also be public and say here's how an actor could maybe cause some problems and sometimes it's not even an actual problem which for cyber people start to get us uncomfortable because there's no actual cyber thing happening. it's a perception a cyber everything has happened or something like that but we felt we had taken that full realm of possibilities and then and really focus on okay, voting machines, it turns out it actually would be really impossible probably to have any sort of widescale
impact that was undetected but you could cause chaos by injecting something here. or somewhere in this process. and knowing that was probably their intent, that allowed us to focus and if you take that model and we're still taking that model for elections and it will continue torefine, you can start to understand , here's the company that provides the system and those companies have since allowed us to take a wider system so we understand more technical. >> your talking about the companies that make the registration systems. >> collection management systems as well as the machines themselves so what that allows is we can say we start putting together technical indicators and warnings. i could go to nsa and fbi and say i need you to look and see if anybody is maybe looking at this company or this machine because we know that they're being used in a lot of different places and now they know this is a high priority alerts and i also know these are the people i need to get that information to with the right context so
that they can do something so that's a sort of title instead of just a generic list of hey, there's an advance atv out there who's messing with windows. >> that's a very different place because i remember going to dhs at the end of last year, the obama administration the last summer what's going on and the secretary of state who would return their phonecalls because they were afraid of federal governmentwas taking over . >> it was the one thing there were unified . >> they were very unified on that. >> if you ask people about dhs about dds, one of the biggest makers of election machines they had never engaged very much with them. let me take you to the next step on this. you can't say very much about what the us government did or didn't do during the midterms last year but if i believe what we read in the new york times and elsewhere, that rack. >> the failing new york
times. >> that makes up for the book plug. >>. >> evening out. >> we understand that there were text messages placed on the cell phones of individual actors in russia. we understand the internet research agency which of course was indicted by the us and so forth found their systems shut down for a while. while you can't discuss the civics, can you tell us if you're seeing this kind of outward engagement, is there any evidence you can cite that this kind of action which is intended as deterrence is actually working, recognizing the fact that even in the cold war, measuring the effectivenessof deterrence is difficult . >> i argue even in the cold war deterrence , it was an overwhelming success. we can annihilate eachother
with nuclear weapons. this is a different environment . and do i think the russians and other actors are going to compete in this space in 20? absolutely. the big idea of again, persistent engagement is not getting actuary. make them compete. throughout the entire domain, throughout the entire environment. i don't know a single thing we could do that would prevent them from competing in that, but i want to emphasize as much cost on them as possible goes back to if we restrict this to a cyber versus cyber operation or activity, that becomes pretty challenging but if i use everything that's available to me as a government, a whole government approach to this, and i think you have a lot of options so that, so again,
it's much largerand cyber command . what i would say is that if the midterms, we get exactly what we said we were going to do which was persistent engagement area we enabledour partners . we acted. and we acted in an able for out the entire operational depth so in race-based and gray space and in blue space and weimposed costs . most of our adversaries, we note there pretty adaptive. they learn and i think your point about are they going to pull the same play from the 2016 election, where it was effective for them, maybe they will but i think it's going to be you know, they will have taken lessons learned like we have. and they're going to work very hard to evade our defenses. they're going to try to limit costs that we're going to attempt to impose upon them
so i think it's going to be pretty sporty. actually. >> when you talk to lessons about this whole space , they don't differentiate between cyber and information warfare. and when you just read the factor and when you read all the rest of their materials, they don't and yet we do. and it's a very different approach. you've been pushing pretty hard to get the united states into the information warfare side which is a difficult thing for a democracy to do. tell us about what the concept of that is. >> if you look at our mission for army cyber, i have responsibility for full spectrum cyberspace operations so that operate, defend and attack when directed. my responsibility for information operations, i have response ability for electronic warfare and when i look at that, if i look at
them as stovepipes, i can certainly create effects. i can impose costs, i can engage persistently in all three of those areas. we think the big idea though is to integrate those capabilities and really erase those seems and when i look at cyber, i/o, ew, enabled by great until from the intel community, that allows me to start what i would call information warfare and so we are pushing very hard, spending a lot of time right now developing the concepts for that, but what i find is i support my commanders around the globe, army commanders is that it's very rare someone comes to me and says i need this cyber capability. they describe the problem they're trying to solve and maybe they're trying to get information to an audience and i have a way to deliver that, but i would argue that
cyber delivery is probably an information operation that they're not conducting. >> can you imagine theunited states openly saying it conducts information operations ? >> i think we should, absolutely. if you look at the idea of persistent engagement where i'm contesting, that creates first of all an operation. i think that creates an idea that we are not going to just get pummeled without imposing costs on the adversary and it could be your traditional range of adversaries all the way down to the criminals and again, i think what we found whether it's criminals or its nationstates or partnerships with fbi, with industry is what has allowed us to get after this in a very different way than we did in 2016 so i think that's an
important part of this because sometimes it's look, the adversaries are 10 foot tall. they're having their way with us and what i would tell you is a learned and adopted, they've developed capabilities, we've done the same thing but it is a very competitive space. >> rick, you've made the point that if you use the word attack framework, you've got maybe the groups, maybe 250. >> techniques. >> techniques, that doesn't sound like a huge unit for general fogarty or with dhs and fbi to be dealing with. >> it's like what you said, it sounds big because the bad guys have completed their attacks but there are 26 security vendors they believe that there are no more than 100 active cyber operations
going on at any given day, only 100. half of us think it's less than 50. if you go by the minor attack standards, these folks captured every technique and tactic and procedure baghdad has used and most people think it's brazilian, they've only collected 250 so if there's 50 adversary groups operatingevery day and they can only do 250 things, that's a math problem that even i could solve . and the trick to all this is to automate it but here's the problem and it goes to what you are talking about information operations, we forget the spectrum of information operations, there's a defensive component and the reason we are talking about the election infrastructure is because the cities and counties and the state run it and they have no resources todefend themselves. most of those folks have two guys and a dog in the back room that they run the printer, they run the firewall and they get coffee in the morning . they have no capability to do anything so it's the reason ran somewhere has been so successful against them. i think it's been over 250
successful ran somewhere attacks against cities, counties and states in the last five years. most of those leaders have elected to pay the ransom because they don't have the resources to prevent it from happening in the first place or to install backup systems so they won't be affected by it so they pay the ransom so the bad guys have said that's going to be work , i just have to keep hitting the cities because they're going to pay it . we have to find a way as a nation to provide those cities, counties and states resources to prevent those kind of things from happening . >> i'd like to take this moment to remind everybody to send in your questions . because we will be taking questions from all of you. so it will be magically appearing i hope on my little ipad here. jeanette, come back at rick! before that some of what's seen in the private sector isn't immediately trusted and acted upon by the us government ? tonya, you as well. how two ways the sharing
operation? >> i would say there's not full trust both ways. and i would also try not to love up every information under a broad information sharing umbrellaand say it's the same witticism applies to all of those . i think that you talked about the radars, those have been in a bit of a soapbox is that it's not just the radar of our intelligence community that we need to develop, it's the radar for how we hold the public andthe private sector to take action . and frankly they also have a radar for alerting us and how do we coordinate that? when we were first developing our automated indicator sharing system, everybody sort of went into it with this well, it's cyber so we have to do, they use
different terms. machine speed, cyber speed, superfast and real-time and if we find a way to automate indicators, we will get rid of all of this noise that everybody has todeal with and we can focus on the hard problems . but if you think about it, if i delivering a feed which we are now, we deliver these automated indicators to hundreds of organizations, the amount of trust that that organization has to have in my feed to automate not just the blocking action of my feed, that's a lot of trust . and so when we're talking about automation, i think there's a lot of improvement that has been made when we're talking about some of these contextual conversations, will you open up your systems to dhs and fbi so we can understand and better understand what's going on ?
we open up and having conversations with the intelligence community and the private sector, those have significantly a advanced and i feel like we have learned a lot as a result but the automation one is really going to be, it's going to take more work to build trust in the system. are going to make some changes in our, because we've got good feedback on here's some specific tactical things that would be useful so we can know how confident are you about this, what os are you concerned about, those sorts of things so we can make some changes in it but really when we start talking about automation , you really have to get into the weeds with your partner and you have to really have honest conversations about what would it take because i don't just need you to automate the ingress, i need you to automate the actions and i needed to start to spread to as many people as possible so that we're all blocking
whatever it is one person put in there so it's actuallymuch more complicated than i think anyone in vision . i think the cyber threat alliance , we worked really closely with and we are trying to push the bounds on the things that the government shares. i think the government still once we, there's still a lot of lawyers that get involved in conversations and so there's still a lot of things that the government has to push beyond in order to be fully open in this kind of public-private partnership we are trying to get to . >> we want to limit the set of things we share so it gets easier to do. we're talking about 50 adversary groups, 250 techniques. we don't care who you think it is, who the victim was, none of that matters. what matters is that subset of intelligence so that the security vendors who we have in our networks can deploy prevention controls automatically. if we could get that done --
>> the attack framework is really though, we're using it internally and where starting to align much of our products and capabilities against it because it really allows you to start to narrow down, if this thing is happening and it's prevalent, could i deploy a technical solution? should i deploy a policy? what are the things i can do against that and the more people orienting around this framework in the cyber security community, i think it provides us with a common lexicon for how it's happening and that will help the automation. >> the take away, please use the environmental attack framework but for cities, states and counties, they have no resources to automate the injustice and put it in their control, they we need to provide a better system. >> this gets to a question i was going to ask tonya. what struck me is summer as we were going across texas and elsewhere with all the cities and states that have had these ran somewhere attacks which so far do not
look to us to be state attacks but rather individuals, maybe foreigners who are in this for the money is whenhe went to the states , we went to the municipalities and the school districts or whoever it was and you say let me talk to your chief cyber security officer so that we could discuss how you might havethe automated response here , they would say we don't even have an it person or we've got a part-time it person or in the texas case, it actually looked like it was spread through a law enforcement network that seemed to be a custom network so while we're up here discussing automating it, you got as rick points out a set of targets out here who don't even have the basic infrastructure. >> the targets by the way, not just a set of targets, there's the target, the election . >> what was your question?
>> how do we match up this wonderful vision we have of automation with what you're seeing out there when something called the fbi and says and you come in and help us as one of our crowd here says, what can cities and counties do to prevent being frozen out of their networks by hackers seeking ransom? >> what might actually surprise you is if you look at the statistics from the fbi's internet crimecomplaint center, ic three , the sheer number of ran somewhere attacks has gone down year-over-year in the past few years, as an incomplete specific cause we're relying on what victims actually report into us, but the trendline we're seeing is that they're becoming more sophisticated, more targeted and less opportunistic which is to say whereas profit motivated criminal may have just targeted any opportunity , any opportunity, anyone with weak network security, now they are being much more targeted and looking at from
what we can tell the victims are most likely to pay, will have the highest incentive to pay, who can't afford downtime because their files and networks have been encrypted and that is municipalities, hospitals, targets like that . which of course raises the impact of those threats. so the way that we're approaching it, we have a history of looking at not just individual criminals but criminal enterprises. how do you target those key nodes that are enabling criminal activity at scale rather than focus on the low hanging fruit that might get you an immediate satisfying impact doesn't actually have a larger impact you want on the overall threat? that's how we're approaching the most prevalent ran somewhere strange and this is where we had to adapt our traditional model where we have 56 is a fbi field offices gathered throughout the country that
traditionally focus on our range of crimes in their geographical areas with cyber threats and something like ran somewhere that doesn't scale. you can't have 200 investigations open across the country on one string of ran somewhere at infecting that many victims. so what we do is we designate a single field office that is the subject matter expert and lead in investigating and finding those responsible for those most very balance prevalent strains and then individual offices are responding to victims and their geographic ar as all of the intelligence and information feeds up into that main office and with support fromheadquarters , liaison and with other partners in the intelligence community, and how we identify what's responsible and then sequence actions among us which could be with our partners here, it could be with foreign law enforcement.
it could be with the private sector owners of the infrastructure or perhaps even the bitcoins wallets that the adversaries are using and we look at what sequence of actions is most likely to disrupt and take down this activity? >> do this by example if you can, i understand it's ongoing you'd be limited but the texas case that you're seeing, there seemed to be a single strain that you saw there although it was a strain that we've only seen since april tell us how you dealt with that? >> i'll tell you about an example i can talk about in more detail which is resolved which is the ran somewhere which from 2015 to 2018 infected hundreds ofvictims worldwide and it's exactly that type of victim that i mentioned . the city of atlanta was one perhaps the most press because the amount it cost them to remediate far outstripped the ransom that was being charged and let me just, can i take an aside here?
i keep seeing in the press that there is confusion over what the fbi's position isand we're paying ransom to let me be unequivocal . we do not recommend paying ransom area you don't know the money is going to, you don't know what type of mental activity it might fund . there's no guarantee you will get your file decrypted and encourages this activity. >> you saw a flat account in florida announced publicly they were paying the ran somewhere and you saw the in baltimore they didn't pay it and there up at $18 million and climbing, far in excess of as you say what the ransom was. >> yes. >> while i hear the fbi warning i would say that economic signal be running the other direction. >> it is but hopefully that's a signal, it's highly regrettable for those municipalities and other victims have faith that very difficult decision but that is also a signal with regards to defenses as part of your
original question in terms of making sure you're maintaining off-line backups so that your backups that you're creating of your networks are not connected to your system and those can't be encrypted as well and for municipalities, corporations, other organizations, educating your workforce on the common ways in which ran somewhere is enabled through spearfishing andother means . to educate them out prevent those types of infections. and then coming back to your question about how we organize around it, in that case that had such a global impact, we had the individual offices responding to particular victims were collecting evidence, we're trying to gain those nuggets to help us identify how the ran somewhere isworking and who is responsible . there were foreign victims as well so we're also using our overseas cyber legal attaches to through foreign governments engaged with
those victims. long story short, all of that information comes together and then we turn to our partners to help us with the puzzle and in this case, we worked with sector, virtual currency experts who were able to help us trace the bitcoins wallets that were being used by the adversaries and we identified two individuals who looked to be responsible.they happened to be located in iran and so it's right around the time when the us government was deciding whether to stay in the jcp oa. but you can imagine there was a high level of interest in knowing whether the two iranian individuals who had impacted us cities, a port and other targets were acting as individual criminals or on behalf of the iranian government so this is where we turn to our it partners and say this is who the evidence ispointing to. what do we collectively know about these individuals ? and there was a
back-and-forth as we collect differentpieces of information , but based on the analysis of that collective of agencies, we were able todetermine a few key things . much of the activity was being conducted in the off hours so likely not part of somebody's day job. and the individuals involved did have potentially some ties that were concerning. and as well, but they also had extravagant travel and expenses that seem like they had just come into a lot of moneypersonally . and one had recently been fired from a government affiliated job so that along with other information led us to the conclusion thatthey were acting as individuals which was quitesignificant . they were indicted . treasury also through opec issued sanctions against the individuals as well as some
of the enabling entities that were enabling the virtual currency and use of bitcoins wallets and in the end, once thatindictment was publicly announced, all of the malicious activities ceased . so that's just a snapshot of not only how we deal with ran somewhere but it's really about how that woven fabric, i mentioned at the outset each of the different pieces of private sector and government rating their capabilities and authority and expertise to blend together to disrupt the press . >> thank you, to questions from the audience here that are related and directed to you, the first one is will cyber warfare eventually lead to the demise of kinetic war which is why we do the rest to destroy an adversary when you could usecyber tools to paralyze themand then a
related question , that came in , as whether or not cyber conflict is so often portrayed as a short of war operation, if the us was to engage in ashooting war with a near here adversary , what kind of cyber attacks that we anticipate as a complement to battlefield operations and how with the fbi be prepared to protectcritical infrastructure coming out of that ? let's start with you beforewe move that on ? >> i think cyber wear gives options, additional options to a commander and as we look at some of these cyber space operations we conducted, in some cases you could have conducted a kinetic strike. in some cases cyberspace operation was conducted in conjunction with a kinetic strike but my responsibility is to provide my commanders that i support the full range
of options and then make recommendations on how to best integrate the capabilities that i provide so in case of unique capabilities that complement what they're trying to accomplish so i don't again, i think this idea, that it's a binary capability, you have cyberand you can bring your adversary to your knees , >> i remind people in the early days of the airplane people bought air war was going to be separated from every other kind and we learned otherwise . >> but we might against some targets that cyber gives very good capabilities, creates very important effects for a commander. and in competition short of war, short of conflict, and i think cyber as part of that whole range of capabilities that a nationstate can use.
so a diplomatic, informational, etc. right on down the line that i want to be able to provide leadership options and sometimes they may choose a cyber option, sometimes they may not or a variety of reasons. >> connect, dhs has primary responsibility for cyber protection so until we hit some magic point where an attack is so big, you get to call general fogarty and say it's your problem now. we don't know exactly where it is that that unfortunately we have not had a moment to go see that but the question seemed to ask, seemed to suggest where does this step in in protection of infrastructure when you're actually moving from the day-to-day low-level conflict to something much more heightened. >> i would say this is not yet clearly defined. and there's i think
preparedness, a bucket of prevention and sort of response and all of those need a lot more work both in nocturnal he how does that work within the government? we had issues in doctrine with all of us together putting that out but on the preparedness side is understanding from an adversary perspective, what do we know if we're in escalation of tensions with them, how would they cease to target, what functions,what entities ? how are we with that knowledge focused on building more resilient and pardoning those systems and then gets into more of getting what i would call on the prevention is how are we tooting our collective learning and warning capabilities so that we know that when things happen differently on the geopolitical side and tensions start to escalate we know how to shift, i'm pointing to rick as our
private-sector representative collectively everybody who's involved in having some visibility or ownership over these critical functions, would sort of escalate in their level of alertness and how are we getting that information so that if, whether it's cyber, or other intelligence entities or partners are able to say okay, you in whatever country are starting to get towards the war. here's a source of alerts and warnings we need to start putting out. we've seen them try to do something, let's go act. we're still doing that. this is still the lead and if something does happen and you're talking about everything up to an actual declared war , and something does happen and an adversary has done something within the united states, we are still the leador leading the response within the united states . we have a national response
plan but have now done double exercises and there are a lot of gaps in thinking about emergency management doctrine from a cyber perspective and i'm just being veryblunt, this is something we have to work on . now, when we're in a state of war and our soldiers are out fighting overseas, where still in the homeland working with nor, to protect the unitedstates so there's really no sort of it's not my problem,it's now your problem . >> it's everybody's problem . and rick, we're going to give you the last word here because some but he asked what are the cyber functions most right for automation and it seems this situation we're discussing would be one of the most right. >> it's very practical and from my view it's just coming up with the standard of how you put thatinformation
together . they've come up with something called adversary playbook which is basically the minor attack techniques andprocedures plus indicators of compromised plus a little bit of context . six helps you automate steps but we share that with each other and if we could get the entire world on that standard it becomes easier to automate these kinds of things. >> we are not out of questions but we are out of time. i want to thank all four of you for what's been a really rich conversation and i really appreciate it, thank all of you for your great questions. [applause] if i could ask the panel tostay in place, thanks to david and all the panelists .we're going to take a 30 minute break so i'd ask to take a break but keep the exhibitors on their toes with questions.
before our final panel we will have three breakout panels, they will begin at two: 10 pm, the first is combating disinformation the next on technology futures and the third on continuous evaluation balancing ready and privacy so will reconvene in this room at 3:30 where we will have another great panel discussion with our top intelligence leaders . go forth and do well, thank you panel .
>> and taking a break in the conference here at the discussion on intelligence and national security continues outside washington dc. national harbor maryland. continuing on friend 21 live in about an hour and a half or so, 3:35 easter. they'll be picking up with the conversation about national strategic threats again, live on cspan2 when our coverage picks back up in about an hour and a half orso . also today, vice president mike pence with british prime minister boris johnson at after the uk politician lost two key votes in the house of commons. they talk about exit and the possible trade agreement between the us and