[00:00:00] LT. GEN. ROBERT ELDER: All right. It is great to be with all of you today. I saw a few of you last night had at least one of those shots in one of those rooms. I really am pleased to be here. I'm glad to see a good crowd. It is not my first DEF CON but it is my first time speaking.

[00:00:20] Nikko said the topic, the way it was listed, didn't have enough pizzazz, so she put "From Nuclear to Cyber: Alternative Approaches." I want to make sure I get the nuclear part in so you didn't waste your time or waste your ticket here.

[00:00:37] So when I was in the military my primary business was doing nuclear ops. But interestingly enough, when the Air Force stood up the cyber mission, they gave that mission to my command, not because they thought it was like nuclear but because nuclear was a global mission and they saw cyber as a global mission. But what I want to talk to you about today is that we somehow, or quite often, are constrained in the way we think about cyberspace, except in places like DEF CON.
[00:01:09] What I want to do is, I'm actually looking to get some ideas from you, quite frankly, because the people in this room tend to think outside the box. But a lot of this is about looking at things a different way, challenging assumptions and looking at the way we think about the world. And so the nuclear part of this is, if you think about what we did with nuclear weapons at the beginning (I wasn't born then), those weapons were being used for war fighting. And so when we dropped them in Japan, they were considered war fighting weapons. Very quickly they said this is not a good war fighting weapon and it became what they call now a political weapon. It was used in a completely different way. And then during the Cold War it evolved to something that actually caused the then Soviet Union and the West to not fight, because they got so worried that if they got into a fight, a war would break out.

[00:02:04] What's interesting is the weapons took on a completely different context than they were originally created to do. I think there are some parallels to that in cyberspace and that's what I want to talk to you about today.
[00:02:16] First I want to talk a little bit about some different perspectives on cyberspace, different ways to look at it, I guess I should say. I want to remind you how we tend to look at it typically from a network protection standpoint, and then I want to try to argue for possibly a different model to look at it that would be a proactive view that looks at both defense and then assurance, the ability to use it. There is another model that DHS has put out that they call their cyber ecosystem. And I just want to show you that if you haven't seen it before. Actually, I'm looking for some feedback on it. And then tell you some things about trying to get that to work. And then I want to talk a little bit about cyber workforce development and extend that to cyber leadership.

[00:03:05] One of the big problems we would have in the Air Force is that some of our very best pilots loved flying so much that they never wanted to leave the airplane, and they got very good at it, but they could never get promoted and get into some jobs where they could really influence some of the things going on. They would end up complaining about it but they weren't able to move up.
[00:03:24] Some of this, in terms of leader development, is I think we need to do more of that in the cyber world, because for the most part people making decisions related to cyberspace didn't grow up from the beginnings that you are all familiar with.

[00:03:41] So the first thing, and this is an old slide I used back in the Air Force. It has to do with getting people in the Air Force to think differently about how they approach cyberspace. What I found is there were three different ways people in the Air Force thought about cyberspace. The first one was the communications group. Cyberspace is a different way we were able to communicate, and so cyberspace is what we do because we set up all the networks. We set up the communication lines. We managed those networks. When they break down, we take care of it. That view is actually a proper view. And then you had the intelligence community that said, well, you know, the only way to really defend against attacks we are getting in cyberspace is we have to have this really good intelligence. And so the only way to, therefore, be able to defend the networks is you have to be really good intelligence people.
[00:04:40] So they argued that cyberspace should be controlled by the intelligence community because they're the only ones that would really fully understand the intelligence and what that meant. But the Air Force took a different view of this, at least initially. And they said, you know, everybody uses cyberspace and as it grows, we are using it more and more. We use it for all of our different operations. And at first the things we did with cyberspace, we used it to extend the things we were already doing. If I could use a commercial example, these days nobody uses the Yellow Pages anymore. You go on your computer and look something up and get a lot of information; you can Yelp it or something else and get a review. That's a legacy capability, to say I can use cyberspace to do that a little better. Then you have people that really took cyberspace and did things really differently, like Google or Amazon, where they say because of cyberspace I do things completely differently. Up until now, for the most part, almost everything we do is through cyberspace.
[00:05:48] We do very little actually in cyberspace, where we're operating inside the space and there is some type of transaction occurring inside. People say cyberspace is really a different domain because it's manmade and you can't operate there, you can't live there yourself. If you go into space, you have to have a space capsule. You can't really go into cyberspace. So they had some hard times getting their arms around this. The point of this is what the Air Force did is say we are going to put cyberspace under the control of the operators. What we did is we said, Intel people, keep doing what you were doing. We want you to find out where the attacks are coming from and help us defend. And comm community, we want you to keep building up these physical networks and do the things so we can operate. Just some different ways to look at this.

[00:06:41] When we tried to figure out how to leverage cyberspace, I tell people the reason that we have airlines is not so that you can have a TSA. You have a TSA to do security so the airlines can operate safely. It is the same thing. With cybersecurity, cyberspace does not exist to have cybersecurity.
[00:07:04] Cybersecurity is necessary so you can operate properly in cyberspace. Cyberspace is important because of all the things you can do with it. And so one of the things that it does, it gives you this capability to bring together all these different communities. And as you see listed up here, it can be political, it can be military, it can be economic. It allows you to do a lot of social things. That's one of the areas we see growing up substantially. Of course, it allows us to have these information flows all over the world. So, it allows us to... it is all about networking, right? You have physical networks. You have these informational networks. And then ultimately you have people networks that are using this. And that whole thing put together is what makes cyberspace so tremendous. But it has these interesting attributes. One of the attributes is that for the most part, when people are operating there, you're anonymous when you are operating it. You don't have to be. If you want people to know who you are, you can tell them, but otherwise you don't.
[00:08:07] The other thing, if you are actually inside cyberspace, if you will, it's some kind of an alter ego that's operating there. Why? Because you can't go there. I mean, you have a username or something and it is what actually transfers through cyberspace. So it is a different way to think about it. The other thing that has made it difficult for people to fully accept this is there is no such thing as time and distance. There is a funny anecdote.

[00:08:32] We were doing a global exercise. We had people in the Pacific. We had people in Europe and, of course, people in several different places in the United States. We were doing a planning operation. Of course, everybody was using chatrooms and they had headsets on. And one of the people that came in to watch this saw these two people that were right next to each other and they obviously were exchanging information with one another. And the observer said, that's odd. Why doesn't he just turn to the person next to him and tell him what he wants? And they said we were kind of flabbergasted.
[00:09:09] They didn't fully appreciate the fact that there were another 200 people that were working on this project but they were in all these different places. So this notion of time and distance is really different. The extent to have a virtual presence, it allows you to actually work with someone, and if you can break through the fact that you don't have the actual human contact, you can almost feel like you're doing that.

[00:09:36] There are two other things about it. One is that in cyberspace information becomes a commodity and as a result we get a lot of information. We almost get more information than we can stand. Before, we used to pay to get information. Now we pay people to sort our information for us, right, because you get so much. And then the last one is this idea of a smart agent. Once again, this is because you can't actually function in cyberspace so you have to have an agent do it for you. An idea, if we ever took the smart agent to its full potential: today let's say you wanted to order something off the Internet, a tie to match a suit that you had, for example. Well, you would go on to the Internet. You would run a search engine. Find some places that had it.
[00:10:23] You might look up the reviews. And then you would select that tie. You would work the transaction. It would then connect you with whoever was going to work the credit card. Then you get your tie and it gets mailed to you. Well, if you had a smart agent doing this, you would actually just launch your smart agent and the smart agent would then meet with all these other smart agents for you in cyberspace, go make you the best deal you could find, and then the tie would just show up in your mail, right? You wouldn't be involved with this at all. And eventually, I mean, hopefully, as a matter of fact, that's where cyberspace will go, because you will fully leverage the capability the network brings.

[00:11:02] Again, cyberspace is very powerful and I'm just trying to expose you to a different way to think about it. Now, this group here would understand this chart more than the typical audience that I would talk to. One of the big challenges we have, both in the business community and then in the government sectors, is the way we operate, particularly in the West, is kind of a seniority system. So you start at the bottom and you work your way up.
[00:11:32] And so if you look at the left side there, it's this hierarchical structure. And the notion is that the higher up you are in that structure, the more power you have, the more value you have. And you are also better looking, or at least that's what everybody that's at the lower level tells you, right? Well, in cyberspace, it doesn't work that way. It is a network. It is a meritocracy. There is no top. There is no bottom. Your real power comes from how many connections you have. If you have a lot of information but you have no connections, you also have no power. The more connections you have, the more powerful you are. It is a meritocracy, so you can have a lot of connections, but if you all of a sudden kind of get lazy and you are no longer contributing to the network, then your value to that network goes down dramatically. So that's very different.

[00:12:27] Well, the problem that we have is that the people who, after many years, have risen to some level by the left hand side model are frightened by the right hand model and want to push back on it. The reality is you don't have a choice.
[00:12:43] When you are operating in a global system, it is going to operate like a network. You can't force it into a hierarchy. We kind of learned that with the automobile industry, by the way. We thought because we could control all the automobile sales that went on in the States they didn't need to do all the things from a quality standpoint, price control and everything else. And then the global market came in and the U.S. auto industry almost failed. It was a very hierarchical approach. They adapted the same kind of methods. It became a global kind of a business again and now they are starting to thrive and they are doing very well. So understanding that you can't always force the model to operate the way you want is important. But for this group, understanding that you're fighting the model on the left, but you need to keep doing that and recognize that you're operating this network but there are people that want to connect with you.

[00:13:38] This should look very familiar to you. This is the traditional way people look, I say "they," the Department of Defense, this is how they would look at enterprise network protection.
[00:13:50] In the interest of time, I don't want to walk through it. There was a national strategy for cyberspace ops that came out in 2006. When they were looking to figure out how to implement it, they said what are the different things we need to deal with? They realized the attack vectors that are involved in doing this are tremendous. I mean, there are all these different ways that you can get in. This community knows better than most all the different ways you can get in. One of the funny things, if you want to call it funny, is they kind of ignored the social part of it, which is probably where a good 80% of the attacks come from. When you look at some of the things they have, with the way we try to do law enforcement, the CDNR, that's the Computer Defense Network Response capability. So if you launch an attack, then you would have some kind of a response. But the reality is when people look at this, they say, you know, that's an awful lot of different ways that somebody can get at me, so it must be impossible to protect.
[00:14:50] And realistically, this community would know, if you take this pure approach, it is going to be impossible, because the advantage goes to the offense in something like this and you can't possibly defend against every possible thing that's going to happen. So that's why I'm suggesting we need some alternatives to this. We need to have some different ways to think about this, and I asked if I could talk to this group because if there was anyone able to come up with groups, it would come out of this group. You are phenomenal at solving problems.

[00:15:25] There is one other thing I just kind of wanted to introduce in terms of the problem set here, and that is if you look on the far left side of this, you see the DOD networks. They're controlled and operated a certain way. They are somewhat closed. They have done a lot of work to reduce the gateways to the Internet, but there are still gateways. But there is an awful lot of information that's available from a protect standpoint. They have got a lot of intelligence, and intelligence comes from a lot of different means. And that intelligence is not widely shared.
[00:16:03] Now, they extend some of that to the other government networks and they brought in the Defense Industrial Base, that's what the DIB stands for. Because they said our adversaries are going after the defense contractors, who are not as well defended. Based on that previous model, they are going to have to have more information to protect themselves. As you move a little bit further to the right, now you get into where you are dealing with, still government, you have state and local governments. And they get information, but they don't get as much information as they are getting on the federal side and they don't get the same levels of protection. Of course, you have Einstein and things like that that they've tried to put in place to do that. They have done a lot of work for ISACs for information sharing and made a lot of progress but, again, less information available to you. And then you get to the far right, which is everybody else. What's interesting is that the information that's now becoming available there, it doesn't have some of the sources that, say, the Department of Defense has, but the sources are really good.
[00:17:05] And as a result, in the commercial industry, people are going and being able to obtain products that really do provide a level of protection. But it is still based on this old model, I guess I would say.

[00:17:19] One other thing I wanted to show here, which goes back to the nuclear part: you get all the way to the bottom where it talks about the weapons of mass destruction. You may or may not be happy to know none of those operate on a network, as you would think of it. They all use circuits. And that's done for obvious reasons. They are worried about somebody getting in. The other thing is it is highly redundant. So it's not necessarily the most efficient way, but it is a time proven way to be able to protect a particular piece of information or a capability that you have to have.

[00:17:59] I said I want to give you two different models to look at. And what I would really like to do is hopefully stimulate someone to come back and say: Have you thought about this model, and come up with a third model. This one was actually developed by an Air Force Scientific Advisory Board study back in 2008.
[00:18:16] Their approach to this, if I take a few minutes to explain the chart, is they took the ISO layers. If you look in the middle you will see the ISO layers identified there, but they put them together so you don't see 7. They put devices and linkages together, hardware systems together. But then they added two layers to it. They put a human organization and mission layer. They started with that foundation. They said, what do the attacks look like on those different layers? And so what you see on the left are the things that they did to try to characterize how those attacks would be done. And when you look there, the reason I put this attacker photo: if you are going to deal with those different types of attacks, you have to focus on the attacker and the intelligence on how the attacker operates. The other thing they said is, what is the effect of the attacks on the users? You see those listed on the left hand side. There are high levels, you get confusion, and it disrupts our ability to do command and control. At the bottom, you get performance loss. You lose your communications, it completely malfunctions.
394 00:19:26,584 --> 00:19:28,792 The reason they thought it would be useful: 395 00:19:28,792 --> 00:19:32,999 on the right side, that's almost completely done by the operator. 396 00:19:33,209 --> 00:19:36,999 We refer to it as resiliency or mission assurance. 397 00:19:37,292 --> 00:19:40,999 So what they said is, if you are going to try to deal with this problem, 398 00:19:40,999 --> 00:19:43,959 you would need to look at this thing and break it 399 00:19:43,959 --> 00:19:46,083 into component parts. 400 00:19:46,083 --> 00:19:47,751 I don't know how many in the room are engineers, 401 00:19:47,751 --> 00:19:49,999 but that's how engineers think. 402 00:19:49,999 --> 00:19:52,667 You take a complex problem and break it into parts. 403 00:19:52,667 --> 00:19:54,999 And so they started trying to look at this thing. 404 00:19:54,999 --> 00:19:57,834 So on the left side you have this intelligence and attack response that's 405 00:19:57,834 --> 00:20:00,999 traditional with your network security. 406 00:20:01,125 --> 00:20:03,375 You have this mission assurance, which has been a traditional way that 407 00:20:03,375 --> 00:20:05,792 the military in particular, but businesses do the same thing, 408 00:20:05,792 --> 00:20:07,542 business resiliency. 409 00:20:07,626 --> 00:20:09,417 One of the things the business community, 410 00:20:09,417 --> 00:20:11,999 particularly the financial community, does that we don't 411 00:20:11,999 --> 00:20:13,751 for the most part do with our networks 412 00:20:13,751 --> 00:20:15,792 is transaction control. 413 00:20:16,083 --> 00:20:18,417 So there is this anonymity on the network, 414 00:20:18,417 --> 00:20:22,334 but if you put controls on the network, then typically it's 415 00:20:22,334 --> 00:20:25,459 a ledger/journal type approach. 416 00:20:25,459 --> 00:20:28,501 But it makes it more difficult for a change or 417 00:20:28,501 --> 00:20:32,250 alteration to be made without it being detected.
418 00:20:33,083 --> 00:20:35,999 That's how they and a lot of businesses have those kinds 419 00:20:35,999 --> 00:20:37,584 of controls. 420 00:20:37,584 --> 00:20:39,999 That's how you avoid embezzlement, by the way. 421 00:20:39,999 --> 00:20:42,042 But then we put this other thing over here. 422 00:20:42,042 --> 00:20:44,083 We said it would be a proactive defense. 423 00:20:44,626 --> 00:20:49,042 What the Scientific Advisory Board said is, if you look at these different layers, 424 00:20:49,042 --> 00:20:53,292 if you think of them as targets, if this were a military problem, 425 00:20:53,292 --> 00:20:56,876 you would look at those targets and say: What can I do 426 00:20:56,876 --> 00:21:01,334 to make it difficult for my adversary to be successful? 427 00:21:01,709 --> 00:21:04,125 There are three typical things you can do. 428 00:21:04,125 --> 00:21:05,125 You can harden it. 429 00:21:05,125 --> 00:21:10,250 You can maneuver it, or obfuscate it like stealth, or make it camouflaged so it 430 00:21:10,250 --> 00:21:12,417 is hard to see. 431 00:21:12,959 --> 00:21:18,501 They said perhaps we should identify some of these really critical areas. 432 00:21:18,501 --> 00:21:21,709 And that's how we should be looking to spend our resources. 433 00:21:21,709 --> 00:21:23,999 But part of the problem is that we have not had a lot of good, 434 00:21:23,999 --> 00:21:27,083 proactive ways to deal with this developed. 435 00:21:27,501 --> 00:21:30,542 I wanted to show you some of the things that have been done. 436 00:21:30,542 --> 00:21:33,501 If you look from a purely network security 437 00:21:33,501 --> 00:21:38,334 standpoint and you look at this left hand side there, 438 00:21:38,334 --> 00:21:43,999 what we can do is say, well, in addition to the normal thing, 439 00:21:43,999 --> 00:21:49,250 they've set up these virtual machine sandboxes.
440 00:21:49,250 --> 00:21:51,584 They have done things to monitor user behavior 441 00:21:51,584 --> 00:21:55,292 to try to detect that it's not the right person on there, some kind 442 00:21:55,292 --> 00:21:57,999 of two-factor authentication. 443 00:21:58,292 --> 00:22:00,667 There have been transaction controls, primarily 444 00:22:00,667 --> 00:22:05,167 in the business community because it fits for them easily. 445 00:22:05,709 --> 00:22:09,626 There are products out that will monitor your registry; 446 00:22:09,626 --> 00:22:13,501 for example, in the Department of Defense now, it 447 00:22:13,501 --> 00:22:16,999 is called Host Based Security System. 448 00:22:16,999 --> 00:22:18,834 When you first connect to a network, it actually looks to see 449 00:22:18,834 --> 00:22:22,667 if your registry looks the same as it did before and it alerts. 450 00:22:22,667 --> 00:22:24,709 It doesn't do anything to fix it, but it alerts you that your registry 451 00:22:24,709 --> 00:22:26,167 looks different. 452 00:22:26,834 --> 00:22:30,626 You can do things with the hypervisor that operates how 453 00:22:30,626 --> 00:22:34,375 the monitoring system behaves, to see if someone tried 454 00:22:34,375 --> 00:22:37,167 to put something in there. 455 00:22:37,292 --> 00:22:40,876 And then at these lower levels, they can put in resilient capabilities: 456 00:22:40,876 --> 00:22:45,876 if it takes out a router, there is another pathway, that type of thing. 457 00:22:46,542 --> 00:22:49,999 But these are still the fairly traditional approaches. 458 00:22:49,999 --> 00:22:53,709 If you want to try to take a look at how you deal with these targets, 459 00:22:53,709 --> 00:22:55,999 these are some of the things, and a lot 460 00:22:55,999 --> 00:22:59,375 of them become more process oriented. 461 00:22:59,876 --> 00:23:02,209 If you found some ways to put some technology behind it, 462 00:23:02,209 --> 00:23:04,542 it could be very useful.
463 00:23:04,542 --> 00:23:06,626 So the idea of the two-person controls, that's another nuke part 464 00:23:06,626 --> 00:23:08,667 of this thing, which is one of the ways that 465 00:23:08,667 --> 00:23:12,999 they make sure that some single person can't do something with a nuke. 466 00:23:12,999 --> 00:23:14,999 You can't do anything unless you have two people, and they always put 467 00:23:14,999 --> 00:23:17,999 the controls far enough apart that you can't possibly do both of them 468 00:23:17,999 --> 00:23:19,626 at the same time. 469 00:23:19,626 --> 00:23:22,375 If you are trying to deal with people understanding 470 00:23:22,375 --> 00:23:25,501 the target: so if you're a good hacker and you go 471 00:23:25,501 --> 00:23:28,667 in and start looking at a system and start doing 472 00:23:28,667 --> 00:23:32,834 all of your reconnaissance, if that system changes, they rotated 473 00:23:32,834 --> 00:23:35,999 the process, they changed the system or process, 474 00:23:35,999 --> 00:23:39,083 then you have to start over again. 475 00:23:39,167 --> 00:23:40,999 That's considered one of the proactive ways that you 476 00:23:40,999 --> 00:23:42,501 can defend. 477 00:23:42,501 --> 00:23:44,709 That's a maneuver type or maneuver thing. 478 00:23:45,334 --> 00:23:50,083 The session controls: there are some different products that 479 00:23:50,083 --> 00:23:54,999 work with session controls now that look to see if a session's been hijacked, 480 00:23:54,999 --> 00:23:58,959 and they basically can terminate the sessions and minimize loss 481 00:23:58,959 --> 00:24:02,999 of data or damage to the system when they do that. 482 00:24:03,334 --> 00:24:07,542 There have been some things done with operating system obfuscation. 483 00:24:08,709 --> 00:24:11,417 It actually looks like it has a lot of promise.
484 00:24:11,417 --> 00:24:13,083 The only reason you don't see much of it being done 485 00:24:13,083 --> 00:24:15,751 is that once you do that, the people administering 486 00:24:15,751 --> 00:24:18,375 the network have to know a lot more about the systems 487 00:24:18,375 --> 00:24:21,667 to be able to deal with it because it is going to look different 488 00:24:21,667 --> 00:24:23,626 to them every time. 489 00:24:23,626 --> 00:24:24,918 They have to know kind of what's behind the curtain 490 00:24:24,918 --> 00:24:26,501 to make it work. 491 00:24:26,999 --> 00:24:31,542 And then at the bottom there you see the banks do a lot of this, by the way. 492 00:24:31,999 --> 00:24:33,834 They shift their hardware. 493 00:24:33,834 --> 00:24:36,542 So rotating hardware is the same thing. 494 00:24:36,542 --> 00:24:38,876 If a hacker is trying to come in, one time 495 00:24:38,876 --> 00:24:42,709 they go and it is one piece of hardware, another time it is a different piece 496 00:24:42,709 --> 00:24:45,959 of hardware; that complicates the problem for you. 497 00:24:46,125 --> 00:24:50,334 The other thing they try to work with is device diversity. 498 00:24:50,542 --> 00:24:52,709 It is not what they do in the Department of Defense, 499 00:24:52,709 --> 00:24:55,999 by the way, which is a little bit problematic. 500 00:24:55,999 --> 00:24:57,459 They want to make things standard so they are 501 00:24:57,459 --> 00:25:00,459 all the same, right, but no diversity. 502 00:25:00,459 --> 00:25:04,083 If something goes wrong with one of them, then they're all going to fail. 503 00:25:04,083 --> 00:25:04,999 But in the business community, I think they have been 504 00:25:04,999 --> 00:25:07,209 a little smarter about that, so you see a lot 505 00:25:07,209 --> 00:25:10,792 of diversity with machines, operating systems, routers, all parts 506 00:25:10,792 --> 00:25:12,501 of the network.
507 00:25:12,876 --> 00:25:15,999 That's one way to think about the proactive defense. 508 00:25:17,083 --> 00:25:20,584 I bring this to this community to look at because you might have some ideas 509 00:25:20,584 --> 00:25:23,083 for how technology could aid this. 510 00:25:23,083 --> 00:25:24,999 But when you take a look at how you do things 511 00:25:24,999 --> 00:25:29,209 from a mission assurance standpoint, it typically involves having some type 512 00:25:29,209 --> 00:25:31,083 of redundancy. 513 00:25:31,083 --> 00:25:34,250 So if you are trying to determine if someone has done something 514 00:25:34,250 --> 00:25:37,834 with your sensors, if you have more than one sensor, 515 00:25:37,834 --> 00:25:41,667 you can compare them and at least you know that somebody's 516 00:25:41,667 --> 00:25:44,250 done something with that. 517 00:25:44,250 --> 00:25:46,250 In an airplane, that's pretty typical. 518 00:25:46,250 --> 00:25:47,999 All of the critical flight controls 519 00:25:47,999 --> 00:25:52,751 have a backup, and one thing you do all the time is check to make sure 520 00:25:52,751 --> 00:25:54,999 they are the same. 521 00:25:55,125 --> 00:25:57,999 If they are different, then you try to figure out which one is correct 522 00:25:57,999 --> 00:25:59,999 and which one is wrong. 523 00:26:00,292 --> 00:26:02,292 You assume in most military operations that you are 524 00:26:02,292 --> 00:26:05,125 going to lose communications, so they put in what they call 525 00:26:05,125 --> 00:26:07,751 lost-communication processes. 526 00:26:08,584 --> 00:26:12,209 If you put those kinds of things together, that's another way you can deal 527 00:26:12,209 --> 00:26:15,626 particularly with some type of an attack that actually caused your 528 00:26:15,626 --> 00:26:17,334 comms to go out.
529 00:26:18,834 --> 00:26:23,999 The redundant type apps means instead of using just one particular 530 00:26:23,999 --> 00:26:26,999 application to do whatever your process 531 00:26:26,999 --> 00:26:29,959 is, you had more than one. 532 00:26:29,959 --> 00:26:33,999 By the way, in the Department of Defense, that's anathema to them. 533 00:26:33,999 --> 00:26:36,792 They said we will standardize and have one. 534 00:26:37,334 --> 00:26:39,751 Business community says we will have three or four 535 00:26:39,751 --> 00:26:43,751 because if one breaks or quits working, I want to have a backup. 536 00:26:45,334 --> 00:26:48,501 They started dealing with some of the attacks. 537 00:26:48,876 --> 00:26:51,709 I wanted to go to the talk yesterday that was talking 538 00:26:51,709 --> 00:26:54,999 about some of the ways to beat some of the systems for dealing 539 00:26:54,999 --> 00:26:58,834 with the DDoS attacks and I wasn't able to make it. 540 00:26:59,417 --> 00:27:02,083 But they have some things that they put in place there that 541 00:27:02,083 --> 00:27:05,626 at least would try to mitigate some of those effects. 542 00:27:05,918 --> 00:27:07,334 And then when you get down to the hardware layer, 543 00:27:07,334 --> 00:27:10,626 the only way to do that is to have more than one path. 544 00:27:10,709 --> 00:27:13,584 One of the strange things about people when they talk 545 00:27:13,584 --> 00:27:17,250 about cloud computing and things like that: cloud computing is great, 546 00:27:17,250 --> 00:27:20,125 but if you've only got one circuit leading to the cloud, 547 00:27:20,125 --> 00:27:22,876 then you only have a circuit. 548 00:27:22,999 --> 00:27:24,999 So if you don't figure out a way to leverage 549 00:27:24,999 --> 00:27:28,209 the cloud and you don't have multiple pathways into the cloud or 550 00:27:28,209 --> 00:27:31,751 into that network, then you have a limitation.
551 00:27:31,999 --> 00:27:36,167 So that's this one model that I guess I'm hoping that some 552 00:27:36,167 --> 00:27:40,834 of you would have some good ideas about how to do that better 553 00:27:40,834 --> 00:27:45,417 or some technical ways to take advantage of that. 554 00:27:45,751 --> 00:27:51,250 This next one is one that was actually put out by DHS. 555 00:27:51,250 --> 00:27:56,250 And their idea was they were going to try to teach or treat cyberspace 556 00:27:56,250 --> 00:27:58,584 as an ecosystem. 557 00:27:58,584 --> 00:28:01,834 And the thought there was you were going to have a static defense 558 00:28:01,834 --> 00:28:05,959 but you are also going to have this dynamic defense. 559 00:28:05,999 --> 00:28:07,999 And if you look up there, the things that they have 560 00:28:07,999 --> 00:28:10,999 under "prevent," those are pretty typical. 561 00:28:11,999 --> 00:28:15,334 They insert a couple of other things that they would 562 00:28:15,334 --> 00:28:19,083 like to see, like the moving target idea. 563 00:28:19,083 --> 00:28:20,834 I talked about it in the other one. 564 00:28:20,999 --> 00:28:23,083 A big part of this thing is you want to have a way 565 00:28:23,083 --> 00:28:25,292 to detect something happened. 566 00:28:25,584 --> 00:28:28,459 For the most part, most of the major attacks that occur 567 00:28:28,459 --> 00:28:32,125 whether it's in the commercial sector or it's in government, 568 00:28:32,125 --> 00:28:34,999 it happens because they actually start seeing 569 00:28:34,999 --> 00:28:36,751 the impact. 570 00:28:36,751 --> 00:28:38,584 And by that point, it is so far down the road that it 571 00:28:38,584 --> 00:28:40,999 is very difficult to contain. 572 00:28:41,083 --> 00:28:44,626 So trying to put processes in for detection gets to be important. 573 00:28:44,999 --> 00:28:48,209 That's still considered kind of the static piece of this thing. 
574 00:28:48,209 --> 00:28:51,999 On the dynamic side, they want to have a lot of information sharing. 575 00:28:52,083 --> 00:28:53,083 Why? 576 00:28:53,083 --> 00:28:56,751 Because if you are only looking at small points, it's one thing 577 00:28:56,751 --> 00:28:59,167 to be able to sneak under the radar 578 00:28:59,167 --> 00:29:02,876 because you avoid crossing a level. 579 00:29:02,876 --> 00:29:04,999 But if you are able to bring in from multiple places and you say, 580 00:29:04,999 --> 00:29:07,959 hey, there is this kind of an odd behavior, abnormality here, 581 00:29:07,959 --> 00:29:10,834 same thing here and same thing here, now you say maybe there 582 00:29:10,834 --> 00:29:13,417 is something going on, and by combining the information, 583 00:29:13,417 --> 00:29:15,501 you can leverage that. 584 00:29:15,876 --> 00:29:18,334 When you see that, then they want to have processes in place 585 00:29:18,334 --> 00:29:21,292 to respond, and then as soon as they can kind of put things 586 00:29:21,292 --> 00:29:25,334 under control, then they want to have processes to recover. 587 00:29:25,626 --> 00:29:28,999 Part of it is that recover piece, by the way, and it is kind of interesting. 588 00:29:29,626 --> 00:29:33,999 When talking to some people from 9/11, they said they thought that 9/11 was 589 00:29:33,999 --> 00:29:37,250 the first cyber attack, and the reason was nobody could talk 590 00:29:37,250 --> 00:29:39,999 to anyone after it happened. 591 00:29:39,999 --> 00:29:40,999 It took out, no one could talk on the cell phone 592 00:29:40,999 --> 00:29:44,250 because everyone was trying to talk at the same time. 593 00:29:44,918 --> 00:29:46,792 The towers went down. 594 00:29:46,792 --> 00:29:49,334 They took out some of the PBX systems. 595 00:29:49,709 --> 00:29:52,083 So comms virtually stopped in New York City at a time when 596 00:29:52,083 --> 00:29:54,334 they really needed it.
597 00:29:54,334 --> 00:29:55,501 And even the first responders were having 598 00:29:55,501 --> 00:29:57,999 difficulty with communications. 599 00:29:58,083 --> 00:30:01,709 Something similar with Katrina in Louisiana. 600 00:30:01,999 --> 00:30:05,999 They actually saw where there was a problem occurring with one 601 00:30:05,999 --> 00:30:08,999 of the levee breaches, but they didn't have a way 602 00:30:08,999 --> 00:30:12,959 to communicate because they had lost the power and, 603 00:30:12,959 --> 00:30:16,042 once again, they didn't realize this. 604 00:30:16,083 --> 00:30:18,999 When they lost their PBX system, the cell phones at that time were 605 00:30:18,999 --> 00:30:21,334 all tied into the PBX system. 606 00:30:21,501 --> 00:30:23,584 Once they lost that, they couldn't communicate, so their 607 00:30:23,584 --> 00:30:25,999 ability to respond was lost. 608 00:30:26,876 --> 00:30:31,834 So a lot of this is having courses of action that get you up very quickly 609 00:30:31,834 --> 00:30:36,459 to where at least you have a capacity to do these public safety types 610 00:30:36,459 --> 00:30:38,083 of things. 611 00:30:38,250 --> 00:30:43,375 But you see at the bottom, they want to try to establish a trusted broker. 612 00:30:43,375 --> 00:30:45,417 That's what they try to do with these information sharing and analysis 613 00:30:45,417 --> 00:30:48,626 centers, these ISACs that they have established. 614 00:30:48,626 --> 00:30:55,999 So we did a workshop, the Cyber Innovation Center, for DHS. 615 00:30:55,999 --> 00:30:58,626 And we brought some people in from industry. 616 00:30:58,626 --> 00:31:02,083 We brought people in from academia and government 617 00:31:02,083 --> 00:31:03,959 and DHS. 618 00:31:04,250 --> 00:31:07,918 And we actually tried to look at some different situations that we 619 00:31:07,918 --> 00:31:11,250 would be dealing with. First, of course, DHS is interested 620 00:31:11,250 --> 00:31:13,918 in a hurricane type thing.
621 00:31:13,999 --> 00:31:18,083 So we were doing a couple different scenarios that might 622 00:31:18,083 --> 00:31:21,459 be a DHS type operation where cyberspace 623 00:31:21,459 --> 00:31:23,999 would be affected. 624 00:31:23,999 --> 00:31:25,083 And we started looking to see what would be 625 00:31:25,083 --> 00:31:27,501 the impediments to doing this. 626 00:31:27,501 --> 00:31:30,083 And I got pages and pages of the things that they highlighted, 627 00:31:30,083 --> 00:31:32,999 but a few things just to highlight that I have here, 628 00:31:32,999 --> 00:31:35,999 and my goal is not to read this to you because I want 629 00:31:35,999 --> 00:31:38,918 to leave some time for questions. 630 00:31:38,918 --> 00:31:42,709 But bottom line was that even when we had these experts in the room, 631 00:31:42,709 --> 00:31:48,501 it was very difficult to get them to think beyond the protect piece. 632 00:31:48,834 --> 00:31:51,459 We would tell them, it didn't work. 633 00:31:51,459 --> 00:31:52,999 We've lost cyberspace. 634 00:31:52,999 --> 00:31:55,167 And that was one they would go back and fight. 635 00:31:55,167 --> 00:31:56,292 No, it didn't happen. 636 00:31:56,292 --> 00:31:58,999 It did happen, you have to deal with it now. 637 00:31:59,083 --> 00:32:02,667 And that mind set makes it very difficult to get these other parts resourced 638 00:32:02,667 --> 00:32:05,959 because, you know, the government, businesses for that matter, 639 00:32:05,959 --> 00:32:08,209 they don't want to spend money for things that 640 00:32:08,209 --> 00:32:11,792 they don't think are going to happen, obviously. 641 00:32:11,876 --> 00:32:13,999 So part of the things we have been trying to do, 642 00:32:13,999 --> 00:32:16,834 the DEF CON community does a great job of this, which 643 00:32:16,834 --> 00:32:20,250 is highlighting the fact that if someone really wants to get 644 00:32:20,250 --> 00:32:23,709 into your network, they're going to get in.
645 00:32:23,709 --> 00:32:24,999 And we keep trying to reinforce this with people 646 00:32:24,999 --> 00:32:27,334 in government and in business. 647 00:32:27,667 --> 00:32:32,292 But then to get them to actually commit the resources is really difficult. 648 00:32:33,667 --> 00:32:37,083 The balancing piece that you see there really has to do with the fact that 649 00:32:37,083 --> 00:32:41,542 they always want to put the money into the protection, which is good. 650 00:32:41,542 --> 00:32:44,584 We've argued that if you assume that the protection 651 00:32:44,584 --> 00:32:48,459 is going to fail, there are some smart things that you can 652 00:32:48,459 --> 00:32:51,999 do to set the stage in advance so that your ability 653 00:32:51,999 --> 00:32:56,709 to basically respond, minimize the impact and quickly recover would 654 00:32:56,709 --> 00:32:58,417 be helpful. 655 00:32:58,751 --> 00:33:01,999 We then talked about some things from a detection standpoint: that there's 656 00:33:01,999 --> 00:33:05,667 a lot of noise on most of the enterprise networks. 657 00:33:05,667 --> 00:33:06,959 It makes it difficult. 658 00:33:07,083 --> 00:33:09,876 A lot of the things they have, the automatic detection mechanisms, 659 00:33:09,876 --> 00:33:14,125 throw out so many false alarms that it is very difficult to deal with. 660 00:33:14,542 --> 00:33:15,999 This is actually one of the things to go back 661 00:33:15,999 --> 00:33:18,209 to the operational community. 662 00:33:18,209 --> 00:33:20,792 So whether it is a business or the government, people using 663 00:33:20,792 --> 00:33:24,292 the system say we really need to have you not do these things 664 00:33:24,292 --> 00:33:27,083 because when you do that, it throws so much junk 665 00:33:27,083 --> 00:33:32,292 on the network that we can't really tell when something is going wrong.
666 00:33:32,999 --> 00:33:35,999 There was a lot of interest in trying to set up these automatic systems 667 00:33:35,999 --> 00:33:37,792 to where the machines would automatically 668 00:33:37,792 --> 00:33:40,083 respond to deal with these things. 669 00:33:40,125 --> 00:33:43,542 And there are some problems with doing that, particularly some 670 00:33:43,542 --> 00:33:47,375 of the drastic or draconian responses you would have. 671 00:33:47,375 --> 00:33:50,876 So one of the things we discussed is that you really need 672 00:33:50,876 --> 00:33:53,626 to have a way that you can keep a human 673 00:33:53,626 --> 00:33:58,209 in this decision making loop but be able to basically be operated 674 00:33:58,209 --> 00:34:01,667 in a sensor response system that basically goes 675 00:34:01,667 --> 00:34:04,667 at the speed of information. 676 00:34:05,792 --> 00:34:08,083 And then, finally, I guess I actually talked 677 00:34:08,083 --> 00:34:11,083 about the last one there, about balancing; this is really 678 00:34:11,083 --> 00:34:13,999 for the people that figure out where you should spend 679 00:34:13,999 --> 00:34:15,626 your money. 680 00:34:15,626 --> 00:34:18,334 They need to have a process to figure out how to do that. 681 00:34:18,959 --> 00:34:22,792 So now this is my appeal to this community here. 682 00:34:22,792 --> 00:34:26,959 When you look at this workforce, these are the different elements that are 683 00:34:26,959 --> 00:34:29,999 involved in doing this workforce. 684 00:34:30,083 --> 00:34:32,709 And if I went across this room, you'd see that parts 685 00:34:32,709 --> 00:34:36,959 of you are involved in all these different places here. 686 00:34:36,999 --> 00:34:39,125 And we do a lot of stuff looking at trying to eliminate 687 00:34:39,125 --> 00:34:42,667 the vulnerabilities and we do a lot of things trying to figure out what 688 00:34:42,667 --> 00:34:44,375 the threats are.
689 00:34:44,501 --> 00:34:46,375 But there are some really good opportunities 690 00:34:46,375 --> 00:34:49,584 in the software assurance, in the parts that actually look 691 00:34:49,584 --> 00:34:52,999 at the resiliency of the transaction controls. 692 00:34:52,999 --> 00:34:55,542 And then one of the things we can do is to help make the users 693 00:34:55,542 --> 00:34:59,334 of the network more accountable for their actions and more careful 694 00:34:59,334 --> 00:35:03,667 about their processes. I bring this to you because I think this community 695 00:35:03,667 --> 00:35:07,501 could actually implement this and make this work. 696 00:35:08,167 --> 00:35:10,876 So that's the workforce part of it. 697 00:35:10,876 --> 00:35:13,125 The leader part of this is kind of interesting. 698 00:35:13,125 --> 00:35:18,626 This is a typical model for any kind of a pyramid type organization, right? 699 00:35:18,626 --> 00:35:20,167 But you have all these different functional specialties 700 00:35:20,167 --> 00:35:21,999 at the bottom. 701 00:35:21,999 --> 00:35:24,209 And just like we showed on that little chart before, 702 00:35:24,209 --> 00:35:27,959 the communities come from many different places. 703 00:35:27,959 --> 00:35:30,834 We tend to get good in those individual areas. 704 00:35:30,834 --> 00:35:32,999 But the people at the next level, the operational leaders, they are 705 00:35:32,999 --> 00:35:36,709 the ones that are able to integrate and pull these things together. 706 00:35:36,876 --> 00:35:40,999 In the cyber community we haven't done a good job of figuring that out. 707 00:35:40,999 --> 00:35:42,959 We tend to be very stovepiped.
708 00:35:42,999 --> 00:35:45,542 So a lot of the things we have been trying 709 00:35:45,542 --> 00:35:48,999 to do is encourage people who have expertise in one part 710 00:35:48,999 --> 00:35:52,209 of the cyberspace to cross over and do something else 711 00:35:52,209 --> 00:35:55,999 and learn about that other piece of it so they can help later 712 00:35:55,999 --> 00:35:58,375 with this integration. 713 00:35:58,792 --> 00:36:00,999 The strategic level, that's where we actually are trying 714 00:36:00,999 --> 00:36:03,167 to tie the thing back in. 715 00:36:03,167 --> 00:36:05,626 And you try to make it useful. 716 00:36:05,999 --> 00:36:08,792 And the other part that we're trying to do is we have a lot 717 00:36:08,792 --> 00:36:13,876 of strategic leaders today that know virtually nothing about cyberspace. 718 00:36:14,083 --> 00:36:16,125 They don't want to know in some cases. 719 00:36:16,667 --> 00:36:18,999 But it's incumbent on us to try to get them to understand 720 00:36:18,999 --> 00:36:21,250 the things that you know about cyberspace so that 721 00:36:21,250 --> 00:36:23,167 they can be better strategic leaders and 722 00:36:23,167 --> 00:36:25,999 they can better leverage cyberspace. 723 00:36:26,417 --> 00:36:30,083 So that's what I hope that I was able to talk to you about today. 724 00:36:30,083 --> 00:36:33,083 I think I left a few minutes for questions. 725 00:36:33,083 --> 00:36:34,918 I'm happy to take questions. 726 00:36:34,918 --> 00:36:38,250 I brought my pen with me because I'm happy to take ideas. 727 00:36:38,250 --> 00:36:40,375 Thanks so much for spending time with me. 728 00:36:40,375 --> 00:36:42,209 And I hope you have a great DEF CON. 729 00:36:48,125 --> 00:36:50,417 (applause) Where are you going? 730 00:36:50,417 --> 00:36:51,999 You don't have any questions? 731 00:36:51,999 --> 00:36:53,083 You with the long hair. 732 00:36:53,083 --> 00:36:54,083 Come back here! 733 00:36:54,417 --> 00:36:56,667 Anyone have any questions? 
734 00:37:03,918 --> 00:37:04,999 Come on. 735 00:37:04,999 --> 00:37:07,918 Needless to say they don't give us wireless mics here. 736 00:37:10,334 --> 00:37:11,542 (laughter). 737 00:37:11,542 --> 00:37:12,999 You really tantalized us with conversation 738 00:37:12,999 --> 00:37:15,375 about nuclear weapons and they are not connected 739 00:37:15,375 --> 00:37:18,667 to the Internet but connected via circuits. 740 00:37:19,083 --> 00:37:22,292 I know you probably can't give us details, but at least tell us you have got 741 00:37:22,292 --> 00:37:24,334 the best people on this. 742 00:37:24,334 --> 00:37:25,334 (laughter). 743 00:37:25,334 --> 00:37:26,334 LT. 744 00:37:26,334 --> 00:37:27,334 GEN. 745 00:37:27,334 --> 00:37:29,999 ROBERT ELDER: And it is all two-man control, too. 746 00:37:30,334 --> 00:37:34,167 No, the Department of Defense and the Department 747 00:37:34,167 --> 00:37:37,834 of Energy both put their best people on it. 748 00:37:37,834 --> 00:37:40,876 It is kind of interesting, we talked about this two-person thing, by the way, 749 00:37:40,876 --> 00:37:45,083 it even goes to: the Department of Defense does not own the weapons. 750 00:37:45,083 --> 00:37:46,792 The Department of Energy does. 751 00:37:46,792 --> 00:37:47,959 And it is done that way. 752 00:37:47,999 --> 00:37:51,083 Everything is split, right down to the weapons itself. 753 00:37:51,083 --> 00:37:51,999 So the Department of Energy owns the weapons, not 754 00:37:51,999 --> 00:37:53,918 the Department of Defense. 755 00:37:53,918 --> 00:37:59,959 It is that kind of approach that they really try to lock themselves into. 756 00:37:59,999 --> 00:38:02,999 I tell you, though, it is kind of interesting, if you think 757 00:38:02,999 --> 00:38:07,667 about administrators on systems; see, the banks do this, by the way.
758 00:38:07,959 --> 00:38:09,876 They set up their superadministrator accounts 759 00:38:09,876 --> 00:38:13,542 and it takes two people to be able to get into the log or do anything 760 00:38:13,542 --> 00:38:15,999 to affect it because they don't want anybody 761 00:38:15,999 --> 00:38:18,167 tampering with the logs. 762 00:38:18,709 --> 00:38:20,999 Again, it is a two person approach to things. 763 00:38:21,292 --> 00:38:24,250 The point is, there is a lot of things we can do that wouldn't 764 00:38:24,250 --> 00:38:26,999 necessarily cost a lot of money but we just haven't had 765 00:38:26,999 --> 00:38:30,999 the people think it through enough to figure out how to do it. 766 00:38:30,999 --> 00:38:33,083 We don't have the people with the expertise. 767 00:38:35,083 --> 00:38:39,083 Earlier you drew a comparison between TSA 768 00:38:39,083 --> 00:38:41,876 and cyber security. 769 00:38:41,876 --> 00:38:43,999 I was wondering, so if we don't have a TSA, we know 770 00:38:43,999 --> 00:38:46,167 the things that happen. 771 00:38:46,250 --> 00:38:47,999 People put bombs on planes. 772 00:38:47,999 --> 00:38:49,542 People turn planes into bombs. 773 00:38:49,999 --> 00:38:54,417 Can you imagine a cyber world without a dedicated cybersecurity force 774 00:38:54,417 --> 00:38:57,459 and what it would look like? 775 00:38:58,209 --> 00:39:00,167 Why do we need that in the way we need the TSA 776 00:39:00,167 --> 00:39:01,999 to protect airlines? 777 00:39:01,999 --> 00:39:03,250 LT. 778 00:39:03,999 --> 00:39:05,125 GEN. 779 00:39:05,125 --> 00:39:07,999 ROBERT ELDER: When the Internet was established what's 780 00:39:07,999 --> 00:39:10,751 funny about the Internet, when you go back 781 00:39:10,751 --> 00:39:13,125 to the initial ARPANET. 782 00:39:13,125 --> 00:39:15,542 I will give away some of my age. 783 00:39:15,626 --> 00:39:18,626 I got to use one of the initial ARPANET terminals. 
784 00:39:19,209 --> 00:39:23,083 It was a research thing and trusted people working together, 785 00:39:23,083 --> 00:39:26,709 just like you would go to a bar and you would tell your 786 00:39:26,709 --> 00:39:28,999 buddies a story about something going 787 00:39:28,999 --> 00:39:32,459 on in your life and you trusted them. 788 00:39:32,709 --> 00:39:35,083 That's the whole origin of this thing. 789 00:39:35,083 --> 00:39:37,584 So now what's happened is after the fact, we're having 790 00:39:37,584 --> 00:39:41,167 to figure out a way to make sure that people don't use it 791 00:39:41,167 --> 00:39:43,959 against you, if you will. 792 00:39:43,959 --> 00:39:48,999 And so the cybersecurity is, basically, how people can still use cyberspace 793 00:39:48,999 --> 00:39:53,999 but have a way to feel like they're still protected. 794 00:39:53,999 --> 00:39:58,959 But the reality is, I think you need to have a dedicated cybersecurity force, 795 00:39:58,959 --> 00:40:01,918 but I also think one of the mistakes we make 796 00:40:01,918 --> 00:40:04,751 is we let our users off the hook, particularly 797 00:40:04,751 --> 00:40:08,667 on these enterprise systems, and we don't hold them accountable 798 00:40:08,667 --> 00:40:10,792 for their actions. 799 00:40:10,792 --> 00:40:12,792 Because the best defense at the point of the spear 800 00:40:12,792 --> 00:40:15,959 is for that person, that operator that's on the system 801 00:40:15,959 --> 00:40:18,999 to say, that doesn't look right and then do something 802 00:40:18,999 --> 00:40:22,626 about it rather than wait until it gets so big that you do have 803 00:40:22,626 --> 00:40:27,292 to have the cybersecurity professional come in and deal with it. 804 00:40:27,292 --> 00:40:29,959 No, there's no way we can ever go back. 805 00:40:29,999 --> 00:40:33,292 The cybersecurity field is going to continue to grow.
806 00:40:33,417 --> 00:40:37,918 My argument here is there are some other ways it should 807 00:40:37,918 --> 00:40:42,709 grow beyond a purely security and into more proactive defense 808 00:40:42,709 --> 00:40:47,083 and this mission assurance type of approach. 809 00:40:47,459 --> 00:40:50,292 I'm sure everyone is happy to hear that Elvis Presley 810 00:40:50,292 --> 00:40:53,751 is in the house and has a question about cyber. 811 00:40:53,834 --> 00:40:56,999 (applause) Thank you very much. 812 00:40:56,999 --> 00:40:58,000 Thank you very much. 813 00:41:00,834 --> 00:41:02,334 I'm Elvis. 814 00:41:02,334 --> 00:41:03,584 You may have heard of me. 815 00:41:03,584 --> 00:41:05,501 I'm kind of a big deal in this city. 816 00:41:05,584 --> 00:41:10,751 So one thing that has happened in history is, like, for Pearl Harbor, 817 00:41:10,751 --> 00:41:15,959 Pearl Harbor came out of nowhere and brought us in. 818 00:41:15,999 --> 00:41:18,876 Even 9/11, before 9/11 there were people already 819 00:41:18,876 --> 00:41:22,083 saying the things that needed to happen and no one wants 820 00:41:22,083 --> 00:41:25,250 to spend money until after the crisis. 821 00:41:25,250 --> 00:41:29,459 We even saw it for Y2K and you were probably 822 00:41:29,459 --> 00:41:32,459 like 50 then or so. 823 00:41:32,999 --> 00:41:36,083 Even for Y2K (laughter) there were people saying there's problems 824 00:41:36,083 --> 00:41:39,918 in code and when it rolls over there could be a problem. 825 00:41:39,918 --> 00:41:41,999 There were people that told Congress this. 826 00:41:42,250 --> 00:41:44,209 We always waited until the last minute. 827 00:41:45,501 --> 00:41:47,999 For cyber, we're doing the same thing. 828 00:41:47,999 --> 00:41:49,501 We're saying the same stuff. 829 00:41:49,834 --> 00:41:51,125 And I'm glad that you're here and you are giving a lot 830 00:41:51,125 --> 00:41:54,125 of good information and you are soliciting information. 
831 00:41:54,125 --> 00:41:56,083 I think it's great to partner like that. 832 00:41:56,375 --> 00:41:59,209 But what's being done to actually get the wheels 833 00:41:59,209 --> 00:42:01,417 to actually turn? 834 00:42:01,417 --> 00:42:02,999 Are we going to have to have like a cyber Pearl Harbor 835 00:42:02,999 --> 00:42:06,501 before anybody really wants to put money into this? 836 00:42:06,792 --> 00:42:08,083 Because everything will cost money no matter how smart 837 00:42:08,083 --> 00:42:09,417 we are. 838 00:42:09,417 --> 00:42:10,417 LT. 839 00:42:10,417 --> 00:42:11,417 GEN. 840 00:42:11,417 --> 00:42:13,459 ROBERT ELDER: That's a great question. 841 00:42:13,459 --> 00:42:14,459 (applause). 842 00:42:14,709 --> 00:42:17,918 So, first, Elvis, the bad news is history has a tendency 843 00:42:17,918 --> 00:42:19,834 to repeat itself. 844 00:42:19,834 --> 00:42:22,999 So before we really see them putting the money into this that they need to, 845 00:42:22,999 --> 00:42:27,167 there will probably end up having to be a cyber Pearl Harbor. 846 00:42:27,167 --> 00:42:28,209 That's the bad news. 847 00:42:28,209 --> 00:42:32,999 The good news is that in a lot of the sectors, business people 848 00:42:32,999 --> 00:42:38,501 like to make money but they are also risk averse. 849 00:42:38,584 --> 00:42:41,542 So they actually bring in risk management principles 850 00:42:41,542 --> 00:42:45,083 into the way that they do these things. 851 00:42:45,083 --> 00:42:47,542 So a lot of these companies are now starting 852 00:42:47,542 --> 00:42:54,083 to invest the money that they need to, particularly the larger companies. 853 00:42:54,083 --> 00:42:56,584 I will tell you the defense contractors, they now with what 854 00:42:56,584 --> 00:42:58,709 they now know about what the threats are, 855 00:42:58,709 --> 00:43:01,751 they are definitely putting money into these type of things 856 00:43:01,751 --> 00:43:04,125 because they are fully aware.
857 00:43:04,417 --> 00:43:06,292 The banks understand it. 858 00:43:06,292 --> 00:43:08,709 Some of the other communities have done that. 859 00:43:08,709 --> 00:43:12,125 So the communities that recognize that their ability to continue to operate 860 00:43:12,125 --> 00:43:16,167 the way that allows them to make money or do their business, 861 00:43:16,167 --> 00:43:21,250 they are now starting to put money in those kinds of places. 862 00:43:21,334 --> 00:43:26,167 But we're still, like, maybe 10% of all the sectors in the United States. 863 00:43:26,167 --> 00:43:28,167 And everybody else just assumes that the government is going 864 00:43:28,167 --> 00:43:30,375 to protect them from this. 865 00:43:30,375 --> 00:43:34,834 And this is not something I mean, Cyber Com is not going to protect 866 00:43:34,834 --> 00:43:39,209 the small business owner from a cyber attack. 867 00:43:39,501 --> 00:43:41,999 Once they figure that out I told people it 868 00:43:41,999 --> 00:43:45,083 is like the 12 steps for an alcoholic. 869 00:43:45,083 --> 00:43:47,667 First step is you have to admit you have a problem. 870 00:43:47,751 --> 00:43:49,876 The thing that scared me when we did a workshop, 871 00:43:49,876 --> 00:43:51,999 I had these experts in there. 872 00:43:52,167 --> 00:43:55,209 Even with the experts, they kept trying to go back and say, 873 00:43:55,209 --> 00:44:00,083 well, clearly we'll figure out a way to keep this from happening. 874 00:44:00,083 --> 00:44:03,125 And it's very difficult to get people into that mind set. 875 00:44:03,125 --> 00:44:05,876 It is one of the things that you guys 876 00:44:05,876 --> 00:44:08,999 through these conferences do, is you highlight 877 00:44:08,999 --> 00:44:13,999 to people that there are these vulnerabilities and hopefully, with repetition, 878 00:44:13,999 --> 00:44:16,083 they'll hear it. 879 00:44:16,083 --> 00:44:17,709 I applaud you for doing that.
880 00:44:17,709 --> 00:44:18,876 And I encourage you to do that because that's the only way we 881 00:44:18,876 --> 00:44:20,834 will get the message across. 882 00:44:22,417 --> 00:44:24,667 Three questions. 883 00:44:24,667 --> 00:44:25,959 One question. 884 00:44:25,999 --> 00:44:29,125 There are two other people and we got to get out of here. 885 00:44:29,125 --> 00:44:29,459 I will say all three at once so you get to answer 886 00:44:29,459 --> 00:44:30,999 all of them at once. 887 00:44:30,999 --> 00:44:31,999 I like it. 888 00:44:31,999 --> 00:44:34,209 You are manipulating the system. 889 00:44:34,209 --> 00:44:35,459 That is inappropriate. 890 00:44:36,167 --> 00:44:37,292 (laughter). 891 00:44:37,999 --> 00:44:42,417 One of the things that we've seen DARPA do is they have engaged 892 00:44:42,417 --> 00:44:46,375 the community through the Cyber Fast Track. 893 00:44:46,626 --> 00:44:50,999 Apparently Cyber Fast Track has been turned off. 894 00:44:50,999 --> 00:44:53,501 Will DHS pick this up or will the money go 895 00:44:53,501 --> 00:44:57,626 to the big contractors or slow innovation or will we see 896 00:44:57,626 --> 00:45:01,083 the same kind of initiative engage this community 897 00:45:01,083 --> 00:45:05,999 to develop those unique ideas, those unique defenses? 898 00:45:05,999 --> 00:45:08,584 LT. 899 00:45:08,999 --> 00:45:09,999 GEN. 900 00:45:09,999 --> 00:45:14,125 ROBERT ELDER: I thought DARPA still had money in the Cyber Fast Track. 901 00:45:14,125 --> 00:45:15,375 Defunded. 902 00:45:15,375 --> 00:45:16,667 LT. 903 00:45:16,667 --> 00:45:17,667 GEN. 904 00:45:17,667 --> 00:45:19,792 ROBERT ELDER: That's typical for DARPA. 905 00:45:19,792 --> 00:45:20,709 DARPA is supposed to get things started and have other 906 00:45:20,709 --> 00:45:22,834 people pick it up. 907 00:45:22,834 --> 00:45:28,667 What I can tell you is that DHS does have some programs.
908 00:45:28,999 --> 00:45:32,999 In fact, the stuff that I do at the Cyber Innovation Center which 909 00:45:32,999 --> 00:45:36,709 is pro bono work for me is work that's actually funded 910 00:45:36,709 --> 00:45:40,918 by the National Science Foundation and by DHS. 911 00:45:41,209 --> 00:45:45,334 If you go around the country, there are a number of are they tend 912 00:45:45,334 --> 00:45:49,667 to be nonprofits that have stood up all around the country that are 913 00:45:49,667 --> 00:45:52,584 starting to take this thing on. 914 00:45:52,584 --> 00:45:55,501 So it's becoming somewhat of a grassroots effort. 915 00:45:55,751 --> 00:45:57,751 And I'm actually encouraged by that. 916 00:45:57,751 --> 00:45:59,501 There is a lot of interest to do that. 917 00:46:01,125 --> 00:46:03,542 It is not going to have the kind of funding that DARPA was able 918 00:46:03,542 --> 00:46:06,125 to put into it, though, that's the challenge. 919 00:46:06,125 --> 00:46:08,918 The other thing that's being defunded is the DIB. 920 00:46:08,918 --> 00:46:11,626 You have mentioned the DIB during this whole process. 921 00:46:11,626 --> 00:46:13,834 Who is going to take that initiative? 922 00:46:13,834 --> 00:46:14,834 LT. 923 00:46:14,834 --> 00:46:15,834 GEN. 924 00:46:15,834 --> 00:46:16,999 ROBERT ELDER: So the DIB pilot went 925 00:46:16,999 --> 00:46:21,459 out but the information sharing continues. 926 00:46:23,834 --> 00:46:25,918 They do have the information sharing piece 927 00:46:25,918 --> 00:46:28,918 but they are using the ISAC to do it now. 928 00:46:29,501 --> 00:46:34,999 To what degree do you think from an information assurance 929 00:46:34,999 --> 00:46:41,584 standpoint you can start selecting what the guy that wrote Black Swan would 930 00:46:41,584 --> 00:46:44,667 call anti-fragility. 931 00:46:46,999 --> 00:46:50,501 We are in an environment of a few large targets, 932 00:46:50,501 --> 00:46:54,999 large target sessions, crack exploit everywhere.
933 00:46:55,125 --> 00:46:59,167 Where what we need to do is start going towards a diversity 934 00:46:59,167 --> 00:47:02,751 of smaller, more robust targets. 935 00:47:02,751 --> 00:47:05,459 Are how are we going to get that changed 936 00:47:05,459 --> 00:47:09,667 around since the business imperative seems to be 937 00:47:09,667 --> 00:47:14,167 toward conglomeration and single source support, much 938 00:47:14,167 --> 00:47:19,209 the standardization much the way the DOD does. 939 00:47:19,209 --> 00:47:20,209 LT. 940 00:47:20,209 --> 00:47:21,209 GEN. 941 00:47:21,209 --> 00:47:23,083 ROBERT ELDER: You are exactly right. 942 00:47:23,083 --> 00:47:23,083 It is a huge problem because particularly 943 00:47:23,083 --> 00:47:26,417 in the business community, they're looking for efficiencies. 944 00:47:27,083 --> 00:47:29,250 Sequestration in particular, everybody is looking for efficiency 945 00:47:29,250 --> 00:47:30,999 in government as well. 946 00:47:31,292 --> 00:47:34,667 Where I see some encouragement, by the way, for your question 947 00:47:34,667 --> 00:47:36,959 is actually in the business community and 948 00:47:36,959 --> 00:47:41,083 the process that they're using is a risk management process. 949 00:47:41,083 --> 00:47:42,999 They apply it across their business. 950 00:47:42,999 --> 00:47:45,918 They are now starting to apply to their cyber systems. 951 00:47:46,083 --> 00:47:48,542 What I'm worried about is they're now starting 952 00:47:48,542 --> 00:47:51,083 to do some things like in the industrial sectors 953 00:47:51,083 --> 00:47:54,584 with the industrial controls, things like energy, transportation, 954 00:47:54,584 --> 00:47:57,542 they're now starting to look at this. 955 00:47:57,542 --> 00:47:59,083 But it turns out they are looking at it and they say, you know, 956 00:47:59,083 --> 00:48:02,083 we design it had to be this very efficient system. 
957 00:48:02,083 --> 00:48:05,375 It is difficult to go back in and reengineer it to be the other way. 958 00:48:05,375 --> 00:48:06,999 They are starting to do it now. 959 00:48:07,167 --> 00:48:09,083 The only way to keep this thing going we have 960 00:48:09,083 --> 00:48:12,167 to keep telling the business owners, we have to keep telling 961 00:48:12,167 --> 00:48:15,167 the Congress that it's important to not put all your eggs 962 00:48:15,167 --> 00:48:19,083 in one basket and demonstrate to them what could happen. 963 00:48:19,501 --> 00:48:23,751 Sir, you did a lot of talking about the processes and 964 00:48:23,751 --> 00:48:26,709 the high level strategies. 965 00:48:26,959 --> 00:48:29,167 One of the things I've seen over and over again 966 00:48:29,167 --> 00:48:34,125 in government organizations that I work with is that this is about the people. 967 00:48:35,083 --> 00:48:38,209 The government has gone to a point where it 968 00:48:38,209 --> 00:48:42,501 is about the certifications you have, DoD 8570 and so forth 969 00:48:42,501 --> 00:48:47,209 to where we have lined a lot of pockets of certification companies 970 00:48:47,209 --> 00:48:51,999 in an effort to prove that people know these skills. 971 00:48:52,083 --> 00:48:54,083 But on the outside, in the commercial sector, 972 00:48:54,083 --> 00:48:56,999 that doesn't seem to be the case. 973 00:48:56,999 --> 00:49:00,918 They don't have as much desire to have people with certifications 974 00:49:00,918 --> 00:49:04,542 to be able to prove they can do the job. 975 00:49:04,542 --> 00:49:06,375 If they can't do the job, they move on. 976 00:49:06,751 --> 00:49:09,334 And they have a hierarchy set up to allow people to grow 977 00:49:09,334 --> 00:49:11,959 within their organization.
978 00:49:11,959 --> 00:49:15,709 And most government contracting companies that I have seen and 979 00:49:15,709 --> 00:49:19,667 the government military and civilian markets as well, 980 00:49:19,667 --> 00:49:24,667 they want people to get a large breadth of knowledge. 981 00:49:25,542 --> 00:49:27,999 Is there any thought about maybe changing that paradigm 982 00:49:27,999 --> 00:49:30,167 to where we get specialists? 983 00:49:30,209 --> 00:49:32,751 Where we let people focus in on the technical aspects 984 00:49:32,751 --> 00:49:35,584 on the things they like to do, that they're good at, 985 00:49:35,584 --> 00:49:38,083 and let them stay there without penalizing them 986 00:49:38,083 --> 00:49:41,999 in the system and maybe getting away from making it so hard to get rid 987 00:49:41,999 --> 00:49:45,501 of people and encouraging growth from within. 988 00:49:45,501 --> 00:49:46,501 LT. 989 00:49:46,501 --> 00:49:47,501 GEN. 990 00:49:47,501 --> 00:49:48,667 ROBERT ELDER: Yeah, so to be perfectly honest, 991 00:49:48,667 --> 00:49:51,584 I still have friends in government that work 992 00:49:51,584 --> 00:49:55,709 on the personnel sides of things and they are actually looking 993 00:49:55,709 --> 00:49:59,999 at the exact type of thing you are talking about. 994 00:49:59,999 --> 00:50:03,167 A lot of the standardization piece, it is funny, they were trying 995 00:50:03,167 --> 00:50:05,999 to mimic what they saw on the outside and they said, 996 00:50:05,999 --> 00:50:08,999 we should try to do something like that. 997 00:50:08,999 --> 00:50:11,083 Of course, whenever the government does something, 998 00:50:11,083 --> 00:50:14,501 it turns into its very bureaucratic and you lose sight 999 00:50:14,501 --> 00:50:16,999 of the actual objective and you get locked 1000 00:50:16,999 --> 00:50:20,999 into all the processes bureaucratic processes. 
1001 00:50:21,250 --> 00:50:26,292 But there is a huge effort, number one, to grow a cyber workforce, especially 1002 00:50:26,292 --> 00:50:30,834 in the Department of Defense and the other government agencies 1003 00:50:30,834 --> 00:50:35,501 and they are looking to find ways to make it attractive for people 1004 00:50:35,501 --> 00:50:37,250 to do that. 1005 00:50:37,250 --> 00:50:38,250 So the types of things you are talking about are 1006 00:50:38,250 --> 00:50:40,083 all being considered. 1007 00:50:40,999 --> 00:50:43,000 So one of the things, by the way I'm not 1008 00:50:43,000 --> 00:50:48,250 in that business myself but I have a lot of friends that still work with that. 1009 00:50:48,417 --> 00:50:51,709 And so I will give you my card because I'm looking 1010 00:50:51,709 --> 00:50:56,000 to get those ideas and I will pass it to them. 1011 00:50:56,000 --> 00:50:59,042 So let me make sure I give you a card before you run out of here. 1012 00:51:01,501 --> 00:51:04,250 Thank you very much. 1013 00:51:07,125 --> 00:51:09,667 (applause) All right. 1014 00:51:12,584 --> 00:51:15,999 We need to close the stage for the next speakers but we 1015 00:51:15,999 --> 00:51:19,876 will take the General over to the Chillout Cafe. 1016 00:51:19,876 --> 00:51:22,999 So he will do some Q&A there before he heads out to the airport. 1017 00:51:22,999 --> 00:51:23,999 All right. 1018 00:51:23,999 --> 00:51:24,999 Thank you very much.