Skip to main content

tv   U.S. Senate  CSPAN  May 2, 2012 9:00am-12:00pm EDT

9:00 am
right kind of price stability we need, and i think that's the best way to keep unemployment on a good track. >> another question for you, president lacker. to constrain the impact of excess reserves when the time comes, will the fed deploy higher reserve requirements? .. >> we feel pretty confident that that would result in a monetary
9:01 am
tightening up a substantial negative and that would be our primary tool for exiting from the situation we are in. >> one more question whether audience and then i will wrap it up. you agree with managing huge risk positions using derivatives? do you see them as weapons of mass destruction as suggested by warren buffett? >> i'm not going to comment on private sector financial management practices except they be sounding institution we have a supervisor responsible for. [laughter] >> how about this? should public institutions, should state and local governments, which got into a lot of trouble with derivatives, be allowed to use these instruments, because after all the taxpayers, we're not talk about shareholders. >> is hard to see a rationale for blanket prohibition because simple things like plain vanilla interest rate swaps ought to be
9:02 am
available,. >> which would put jefferson county into bankruptcy. >> there's a lot of ways to go bankrupt. there's a lot more than plain vanilla interest rate swaps out there involved in a bankruptcy. >> who is looking out for the taxpayer on that one? there's all sorts of smart people selling derivatives to hayseeds in state and local government, and they unfortunately are taking advantage of. so should we just let it continue? >> we've got to place a system that has protection in terms of faithfully represented what product you're selling to people. it's really, the sec's bailiwick, and you know, i see, you know, it's obvious that sort of attitude engage in and clean and communicate should, the lack of fraud, i think in the long run more healthy than just blanket prohibitions on particular financial aspects. >> i know we could go on, but
9:03 am
thank you very much. >> my pleasure. [applause] >> we have live pictures from the center for strategic and international studies here in washington this morning. they are hosting a conference on u.s. european relations cybersecurity for most of the day. shortly we are expecting to keynote speeches from the european union's commissioner for home affairs, and the deputy u.s. secretary of homeland you could. later display will hear from officials with the state department, nato, the e.u. and a number of other groups. we will have it live when it gets underway here on c-span2. >> while we wait for the event at the center for street international studies to get underway, newt gingrich is going to bring us presidential bid for the presidency to an end today.
9:04 am
he is making the announcement at three eastern and we'll carry that live on our companion network c-span. that is at 3 p.m. eastern. every day this week you on c-span2 at 7 p.m. eastern, q&a on education in america. >> with the u.s. senate in recess, booktv is on c-span2 each night this week are tonight, american serviceman reflecting on their experiences in iraq and afghanistan. starting at 8 p.m. eastern, benjamin bush, a marine reservist who was deployed to iraq. then at 10 p.m., chris kyl, the
9:05 am
author of american sniper, the autobiography of the most lethal sniper in u.s. military history. that's booktv each night this week here on c-span2. >> life again at the center for strategic and international studies for a conference on u.s.-european relations. and cybersecurity. we expect to start in just a moment. [inaudible conversations]
9:06 am
>> [inaudible conversations] >> [inaudible conversations]
9:07 am
>> [inaudible conversations] >> [inaudible conversations]
9:08 am
>> [inaudible conversations] >> we are still apparently a moment or two away from the start of this conference on u.s.-european relations with cybersecurity. we will get to it when it gets underway here on c-span2. while we wait, yesterday the joint chiefs of staff chair general martin dempsey spoke at the carnegie endowment for international peace on u.s.a. to challenge is an international partnerships.
9:09 am
>> i would like just to know you are finishing the word victory in afghanistan, what are the parameters of this victory and why the war has been protracted? why the most power on earth is taking that long to defeat the taliban, and what are the reasons for this and how can we deal with the? >> thanks for asking. i am a student, i am a student of tabular, and just the our citizens out there, victory, wind, success, defeat. so let me zero in on the one question you asked them about why is it taking so long. that's a fair question. i would just do you it's taking so long because we are trying to get it right. and i really mean that. look, could we have started at one end of afghanistan and fundamentally overrun it, destroyed it, created a
9:10 am
situation where we would make a near certainty that the taliban could come back because there would mean to come back to? of course we could. but that's not who we are, and i sorely don't think that's what afghanistan would expect of us, and i happen to believe it's not what any afghanistan's neighbors would expect of us. so because we're trying to do it right, we had some starts and stops come in some cases we made more progress than others. but i'll tell you, when i say do it right, it's about building a nation that has institutions to support it over time, and that can provide more its own security. if you're asking me for my definition of victory in afghanistan, that's the definition. and i think that in terms of my responsibility to do that, it's about building the afghan nation's. it's too thing, it's creating some space -- >> just a portion of remarks
9:11 am
from the joint chiefs chair general martin dempsey, see it in its entirety at our website, c-span.org. we are live now at the center for strategic and international studies for a conference on u.s.-european relations in cybersecurity. it's just getting started. >> i would now like to welcome our cohost. >> thank you, jim, so much. i would also like to welcome everybody on behalf of the european security roundtable. thank you, jim, thank you, heather, for having picked up this opportunity to organize this day with us. i'm very glad that sony people responded to our common call to have a transatlantic cybersecurity community meeting, and i would like to thank you, therefore, it's impossible to do without you. i would like to thank also sra,
9:12 am
through transatlantic private sector stakeholders also made this opportunity possible. thank you very much for the great support. i would like to thank the commission in particular that took the time to come here, because as we all know, going over the atlantic it does take a lot of time. we're all very busy but it's very much appreciated to have this opportunity today. i would like to thank in particular also the estonian and the german embassy who were also extremely helpful and supportive in getting this event together, and i would also like to mention the european parliament's liaison office was also tremendously helpful. and last but not least, i wanted to thank kristin for linking of jealousy the true side of the atlantic which as we all know always not been easy endeavor.
9:13 am
but not only i look very much forward to what you have. >> dr. kissinger said it is to i do not give an introduction but i like a really good introduction. someone to get a really good introduction to commissioner and deputy secretary luke.
9:14 am
we love transatlantic conversations, and we could not be delighted to have to very important powerful voices with us this one. we are delighted to welcome you, commission, for home affairs, cecilia malmstrom, one in 2010. she has the incredible responsibility looking after e.u. border patrol, asylum and police cooperation. prior to this important position, commissioner malmstrom was us finish minister from 2006-2010 with a strong focus on preparations for implementation of the lisbon treaty and the swedish e.u. rotating presidency at that time. but she knows brussels extremely well, having served as a member of the european parliament from 1999-2006, where she served on the foreign affairs committee of the constitutional affairs committee. but there's one title that i actually hold very dear, that we did not know until yesterday.
9:15 am
commissioner malmstrom was a csis in turn, 10 weeks, women's leadership program and i cannot point late better advertisement for our young interns and our women leaders. this is terrific. so we are so delighted. after the commission to provide her remarks, we are going to welcome deputy secretary jane holl lute to offer her remarks. secretary lute has responsibility for overseeing the third largest federal agency, with a staff of over 240,000 people. that's an awesome management responsibility, and she has been so well prepared for this responsibility, with such a distinguished career both at a public sector as well as international civil service serving as a basis of secretary-general for u.n. peacekeeping operations, the assistant secretary-general for peace building operations. we claim her as a think tanker as well. and a non-ngo.
9:16 am
she served as a chief operating officer for the united nations foundation, and has served on the national security council under two presidents. so we could not be more grateful for making time to visit with us today. and after we have the remarks, our very own jim lewis will moderate a q&a session where we bring you into the conversation, and i think i already warn deputy secretary lived that jim may have some stories of zone during his q&a session, so i forewarned you, the conversation will be interesting. so again, welcome, thank you, and my colleague, jim lewis has been such a stalwart for this project. and take it away, commissioner malmstrom on that note. thank you. >> thank you very much for that
9:17 am
introduction. it was a good introduction. and a good, i could agree on this, ladies and gentlemen, a very good morning. i'm extremely honored to be here today. of course, i didn't hesitate a moment when i was asked to come to washington, and when i saw that csis was one of the organizers, that brought very fond memories when i was here 18 years ago. industry and i think. so i want to thank the european security round table and others are organizing this. it's an excellent opportunity come together to talk about very, very important subject, both to europe and u.s., and hopefully some good ideas and new ways for cooperation can be born out of this. we have to win the battle of everybody was trying to interrupt our lives, and this is a true challenge, that which we will overcome together.
9:18 am
i will just by telling you about the joint operation conducted by fbi and interpol about child sexual expletive osha that the name of this operation was atlantic him and the case was completed only two months ago. thanks to the services cooperation between fbi, euro poll and several individual member states, an international network of child sex offenders was disrupted. several arrests were made on both sides of the atlantic and eight children, snow children -- small children was brought back preventing further horrific offenses of these children. some of course are extreme grateful for the dedication that i've seen from law enforcement to fight this horrible crime, and many others as well. yesterday the opportunity to be briefed more in detail about cybercrime and how you work at fbi, and we saw a lot of ground for cooperation them a lot of
9:19 am
things we can learn from our u.s. friends, maybe some things we can contribute as well, and i was impressed about the commitment, engagement and the professionalism that i saw here today. this has reinforced my view that we will need to deepen even further our cooperation over the atlantic. the u.s. and the european union our target, primary targets for different kinds of cyber threats. our governments, our businesses, our citizens are under siege from increasingly sophisticated attacks. they can come from many sources, from other states to organize crimes and hackers. and to overcome this growing global threat, our cooperation is not a choice, it's an obligation, it's a necessity. establishment of the e.u. and u.s. cybersecurity working group in november 2 years ago was the first step to identify strategic goals and complete actions.
9:20 am
the attorney general eric holder played an important role as does deputy secretary james lute him and we discussed this on a few days ago in luxembourg how we could further enhance our cooperation its went very good partners on the american side. so this working but so far has been a success. we had the first cyber atlantic exercise 2011. that kicked off a groundbreaking program of joint cyber attack exercises and that will culminate in a further full-fledged exercise in 2014. the working group has also been instrumental in raising international awareness of the problem associated with the misuse of domain names. fortunate as you know it is still possible to register a domain name under the name of mickey mouse disneyland. of the data given to the top five domains,.com or.net back and that is, contains evidence
9:21 am
of fake, fraud or incomplete identity information. that makes it of course very difficult if not impossible for law enforcement to trace offenders abusing those industries. after considerable pressure from e.u. and u.s. can we are finally seeing a commitment from the internet corporation for assigned names and numbers and the private sector to implement specific law enforcement recommendations in their policy. we must join the continue to press to deliver at its upcoming meeting in prague this june so the actions of your government in the coming weeks will of course be decisive if we are to succeed. this year we also are planning a summit on the child protection. with particular concern about child sexual expletive osha and online. in the past decade, we've seen an unprecedented expansion of the market for child abuse. this is of course a horrible
9:22 am
crime, and although we have successfully disrupted numerous child abuse networks we must do much more to protect our children from harm. alongside his cooperation with the u.s. the e.u. also have to do some homework to make cyberspace safer. as more and more in every case lies a business transaction happen online, so does criminal activity. online organized crime ranges from selling stolen credit card to advance identity theft. we must make sure that people feel countable of having their ordinary life digitalized with trust because of course it's much of trust that is also a matter of the economy if people do not dare to use all the benefits of online that would have disastrous consequences for the economy as well. we must ensure that our legislation keeps up to this of course.
9:23 am
the new technological development is growing so fast, so legislation is running after all the time. in the e.u. we hope to agree very soon on a proposed, on a legislation to update, to update our current legislation, including matters to address the rising threat from -- so legislation is important but it's not enough. we must also equipped law enforcement agencies, and intelligence to respond to threats. a month ago i presented a plan to set up a european cybercrime center. the center will be established within the euro poll in the netherlands. and this center will be a european focal point in the fight against cyber crime. it will help to prevent illegal online activities of organized crime groups such as online fraud involving credit cards, bank retention but it will also work very closely with social networks to protect users from online identity threats.
9:24 am
us practice and gathering intelligence from a wide range of sources. the intelligence will be used to warn member states have major cybercrime threats and alert them to witnesses on the online defenses. despite the member states the center will work closely with the private sector. but the center will not only be an inward facing, it would also become a natural partner for international initiatives and law enforcement agencies in the field of cybercrime such as fbi, secret service and interpol, you'll hear more about this in the second panel, we have a very distinguished guests here from europe. as you have heard, we have a strong package of measures to prevent cybercrime but to be effective, we have to align
9:25 am
these measures with initiatives that we're taking in a wider field of cybersecurity. some member states in the european union as we know we are 27, have already quite advanced cybersecurity strategies in place. and i'm well aware of the u.s. strategy as well of the effort you put into the document. other member states are not as advance and if we, of course, will be very important for us to help to raise the level so that everybody is at the same level. it is also time for the european union to set up a joint mission on how we can't enhance security in cyberspace. so we need everyone, government, business, individuals to work together and to share that responsibility. our strategy, and i said ours because it will be a joint product of several colleagues within the commission, for instance, they the action as you is responsible for foreign affairs. vice president cruise was commissioner responsible for
9:26 am
agenda. we are stepping up now our efforts to ensure cybersecurity. we are working together to establish a joint cyber strategy, and it is still work in progress. we look forward to good discussions here today, but let me just give you a few elements of what we intend to cover. first we intend to communicate the ever important message that freedom and security in cyberspace is not mutually exclusive. we can do both. we must do both. the verge of an open cyberspace has to be maintained while of course providing the right levels of security. secondly, we need to enhance cybersecurity resilience and response capacity. we must become better at sharing critical information in secure and confidential matter within and between public and private sectors in the e.u. member states. this is on a also a major issue here in the u.s. there are areas we can work together to enhance the sharing
9:27 am
of information through transatlantic partnerships. we must furthermore and -- on a critical infrastructure including a cyber confident to management procedures at all e.u. levels. third, we know that the private sector owns and runs most of the infrastructure, so they must have the incentive to improve their own security and to coordinate much more effectively both within the national authorities and with each other. for example, the private sector can and should be much better at managing risks and exchanging information when security breaches do occur. we know from experience that a top down approach in this field with a government trained to mandate a security, cybersecurity boundary. we have to seek out new intelligent ways of working with the private sector to create trust, to improve coronation and increased increased the joint handling. we also need better software, more resilient technology in the future. this is of course primary
9:28 am
responsibility for the private sector but the e.u. will continue to invest in security, technology and innovation. finally, since the cyberthreat is a global threat, we need global cooperation. the cyber strategy would therefore identify how do you can reach out to a strategic partners and make a response. the e.u. work in this regard is a good example. instead of focusing on institutional and set up new conventions, we have built upon the budapest convention and identified the immediate and complete actions to make citizens and businesses safer. we also have the beginning of a strong operational partnership between the e.u. and the u.s. i'm convinced that in the coming months and years we will be able to report back to u.s. citizens on many successful joint operations between fbi and euro poll. we have outlines of good work, and we, i think it's impressive we should be proud of ourselves, and we have the establishment of
9:29 am
the cybercrime center and the different work we're doing in the european union, the work that you're doing in the u.s. but, of course, we also have to be honest. for the time being the bad guys have the upper hand. so the only way to change the game in our favor is for us to act quickly and to act together. there are many friends here today and colleagues in this room. i'm hopeful that we can win the debate, and i'm hopeful we can win the battle. i am looking forward to good suggestion, good discussions, and the beginning of in even deeper partnership between us. thank you very much for attending today. [applause] >> well, good morning. during the introduction and the very kind introduction when you mentioned that homeland security was the third largest department
9:30 am
with 210,000 employees, we have quite a number of additional contractors and so she leaned over to me and said my, god, that's luxembourg. [laughter] spent i was just in luxembourg. it's not luxembourg. but it is a large. and it is at its heart and operations department. i have to say at the outset, thanks to csis, to its partners for hosting this event and for giving us the opportunity speak with our european colleagues, which is something we're doing with increasing frequency these days, weeks and months. indeed, my colleagues and i have just concluded a negotiation with cecilia and her colleagues on a major data exchange regarding passenger name record difficulty, and it was an extractive experience for us in many ways. not least in giving us a deep, and abiding insight into new
9:31 am
europe. i was at one meeting and mentioned that i was curious about the views of new europe, and i spoke to a polish colleague, and she was puzzled. and one of her colleagues said, oh, she means the former soviet, the former east bloc. and this young woman looked at me and she said, that's not new europe. new europe is all of us, post lisbon. that's the new europe. and that's the new europe that we need to learn and understand. and it has been an extraordinary experience for us, to get to know the commission, the council, the parliament in great detail. and capital as they are adjusting to life, post lisbon, with highly integrated and responsible lives to institution. not least in the area of cyber. and cybersecurity. that's what we are here all talk about.
9:32 am
adult our transatlantic partnership with the problems in cybersecurity more generally. homeland security has a key role in cybersecurity for the united states, and i find that when i talk about the role of homeland security, it's almost as important to talk first about not just its cyber robot of homeland security more generally. because while many people have heard of us, we have a great brand name recognition, we have something less than great brand name understanding of what it means we do when we talk about homeland security. what are we trying to do in this department, in this endeavor that we call homeland security? i'll talk a little bit about that, focus on cyber, touch on our strategy that we're promoting implement security, and didn't embrace obviously the theme of international partnership and what we are trying to do with the europeans and more broadly around the world in the area of cybersecurity. homeland security has at its heart the core mission of
9:33 am
helping to create a safe secure resilient place where the american way of life can thrive. that's our sins. that's our motivation. that's out of touch to a safe secure resilient place where the american way of life can thrive. we can or to do that we need to do five things well. prevent terrorism, certainly this is job one for us. secure our borders. this is important, not only do we need to keep out people or goods that might be dangerous, but we need to expedite legitimate trade and travel. we need to do both things if we're going to secure our border. we need to manage immigration. of course, our immigration laws -- we need to safeguard cyberspace, ensure that it is also safe, secure and resilient as a place where our way of life can thrive and we need to build national resilience. what's this about? is about creating empowered individuals, capable of committees and a responsive federal system so that we can address all hazards when and as
9:34 am
they come. i have spent most of my career, almost all of it, in national security. and it's come to think of homeland security as just a lesser included piece of national security. it is, of course but what i've also discovered over the past three and a half years is that is really qualitatively different. homeland security is different than national security in important ways and in ways which matter for cybersecurity, very meaningfully. what do i mean? national security is something we understand that strategic. it's centralized and it is top driven. homeland security is operational, transactional, decentralized and bottom-up driven. driven by the states, the communities, the cities, the municipalities of this country. so much of what we do in homeland security is animated in the first instance by the needs of the cities, municipalities and states. and all the american people. if national security is not all of us, homeland security is in a very real way about each of us.
9:35 am
we take this approach because it's fundamentally informs us that no single department can do all that needs doing when it comes to any aspect of homeland security. indeed, in the case of cybersecurity globally as cecilia has mentioned, no single government can do all it needs doing as well. it is an important difference to understand. it's an important, it animates in a very real way how we approach all of our tasks. we called out cybersecurity and the importance of a safe, safe and secure cyberspace as a core mission of homeland security because we believed that cyberspace is the endoskeleton of modern life. it's the endoskeleton of modern society, certainly of this society. it's impossible to imagine a safe, secure, resilient space and cyberspace for the united states, for americans and, indeed, for our global partners around the world is somehow
9:36 am
imperiled. what do i mean by that? what does it take to ensure cybersecurity? two things. ensuring fidelity, the security and reliability of our information, and for security, stability and reliability of our identities in exchanging information. the rest as we say in my religious tradition is commentary. that is the core problem but how do we secure those two things? we have a strategy for cybersecurity. we called it our cyber blueprint. we think we needed to fundamentally to basic things. protect the critical cyber infrastructure of this country and building healthy, resilient and dynamic cyber ecosystem. how do we protect the critical infrastructure? first of all, again, 90% of the in this country, of the critical infrastructure, not just cyber infrastructure, but of the critical infrastructure in this country rests in private sector hands. we operate in homeland security with the principle of nothing about you without you.
9:37 am
so we work very closely with the private sector, across the board in addressing the needs of cybersecurity for these infrastructure committee's critical infrastructures as well. we need just average and maintain situational awareness. what is happening, what is the relative health of our cyber infrastructure? how do we do, how do we reduce the risks and exposures to the infrastructure? how do we respond in a dynamic and real and effectively when interests of her? and other mischief and problems. and how do we building resilience to these infrastructures? so that they can withstand the challenges that they face. when it comes to building a cyber ecosystem, we focus here again on empowering individuals. we need smart individuals and smart machines. we need to build out organizations that are themselves intelligent and responsive. we need to promote a trustworthy protocol, services, products, configurations and
9:38 am
architectures. and we need to build very fundamentally elaborate it communities, and understand how these communities can operate together. now, i think it's fair to say that when it comes to cybersecurity there is a significant misperception out there. is a significant problem and, of course, there is a significant opportunity whenever there is a significant problem. what's the misperception? the misperception i think is, when it comes to cybersecurity, the role of government is clear. that's a misperception. it's not yet clear. too many people. what's the problem? the problem is the view of the role of government is polarized. and there's a great debate going on among those are paying attention, anyway. they would call it a great debate. and the views might be characterized perhaps unfairly, perhaps simplistically as follows. there are those who believe that
9:39 am
government has no meaningful role to play in cybersecurity, that the internet itself, while originally found with government engagement, certainly has grown and expanded and generate new wealth that is as representing a dynamic force that it is in all of our lives in a way that was largely a result of market mechanisms, market-driven forces, the private sector. government has no role and should have no role in interdependence based in the name of cybersecurity. on the other hand, are those who think that frankly, it is a war zone other. and that it is so dangerous and so, so urgent that governments must come in forcefully to establish regimes of cybersecurity that everyone must adhere to. we believe very fundamentally though that the truth lies somewhere in the middle, not surprisingly. in our view the status quo with respect to cybersecurity is not acceptable. that governments do have a role to play, must play a role here, and we will play a role.
9:40 am
cecilia mentioned in the case of the european union the dialogue that is going on with respect to going to the member states, but to the e.u. institutions as well, as to how to think through the appropriate role to play when it comes to balancing freedom and openness and access to the internet, with security. how do we build that openness and access in a way that also ensures resilience? how do we understand the role of the private sector when they are so critical for the very functioning of the internet? and how do we ensure and instill, and even global corporation for building cybersecurity. the united states international policy and strategy on cybersecurity identifies a number of priorities for this country in approaching international standards, innovation, and the role of the internet. certainly we want to protect our economy and our economic livelihood. we think standards and
9:41 am
innovative open markets ensure this. we want to protect our networks. we want to strengthen the hand of law enforcement, and extend collaboration, law enforcement collaboration and the rule of law to enhance confidence in cyberspace. we also know that when it comes to internet governance, that an open multi-stakeholder system and model is the right approach in our view, and we believe in this strongly. we believe in the power of the internet for international development, and all of this must be achieved while maintaining internet freedom of access, resilience, interoperability, and fidelity. what does this mean at the end of the day for cybersecurity, and for the department of homeland security? we will continue to pursue our responsibilities, working with the private sector in this country, to safeguard and secure the critical infrastructure, but also to build out this ecosystem that we believe is essential.
9:42 am
it, too, is a multi-stakeholder model where responsibility is distributed, where networks are supported by an intelligent protocols in architectures, and while the federal system engagement is responsive and appropriately positioned to ensure that critical cybersecurity of this country. none of this can be done alone. we are active in our partnerships, not only across the federal government in the case of dhs, but also across the globe. and there is perhaps no more important partner and our partner in the european union. i mentioned that my colleague and i just included a negotiation on this major data exchange. at the heart of that negotiation which took 18 months, cecilia reminds it actually took nine years. i need a chair. i am pleased to say that we successfully conclude this agreement, and we hope we don't need another one for at least the next seven years.
9:43 am
at the heart of this negotiation was the issue of privacy. how do we ensure cybersecurity, how do ensure the privacy and protection of civil rights and civil liberties and exchange information? this is a part in at the heart of the cybersecurity debate as well. we have different views and privacy here in the united states as against those in europe. i know european legal expert -- i am no european legal expert. i am no american legal expert either as i think about it. but there is a way to characterize the differences of views and their important from an american point of view, privacy is about limiting the ability of government to intrude into our lives. from the european point of view, if i can be permitted, it's about controlling one's information once you put it out there. these are two very different views. and they are equally legitimate. at the heart of our agreement in recognizing the legitimacy of each other's point of views on terms that each other finds
9:44 am
important. we will succeed in the agenda of cybersecurity. i mentioned it was a misperception about the role of government. i mentioned that there was a problem, because in the debates, in some quarters it is dominated by extreme views but there is an opportunity. and opportunity exists, dialogue and a partnership such as we have with the european union to solve these problems in an inclusive way that helps create a safe, secure, resilient cyberspace for us all. thanks very much. [applause] >> i would like to thank both our speakers, as you might suspect they have a somewhat packed schedule so we have a few minutes for questions. and if i could ask you, if you have a question, raise your hand, identify yourself, and then get the microphone. john, are you kidding? you do have a question. [laughter]
9:45 am
it's okay with me. i can't identify you. >> i'm from at&t. nice to see you both. secretary lute articulated the u.s. view about the multi-stakeholder model and internet governance. i would be interested in the european prospective on that. cecilia can you mention in your remarks, icann has a u.s. plot to maintain control over the internet. so what are their views on the internet governance from the european perspective? >> that is a short question to a very, very long answer. i know that you debate here as well, and well, the truth is we have appointed a joint commission on this. so this is part of the work i was alluding to that into together with my colleagues in the commission to formulate a joint cyber work. these issues will be dealt upon as well.
9:46 am
we have to make sure that all the 27 countries are onboard. somehow their own strategies, very advanced in working with this for a long time. some member states are not as advanced and not as online as others so we must make sure that everybody is on board. so it's better to take a little more time to have this ownership, joint ownership. we are working with this, having discussions and negotiations, and the plan is that this joint strategy would be ready by the end of year. so i can't tell you much about this yet because we are in the process of developing and identifying our use of this. icann is important with our american friends who share very much a commitment to the budapest convention, which is the governance in many ways, and we've been working jointly with jane and with attorney general to promote where ever we go countries to sign, ratify and implement it. so that is very much at the heart of where we are parting from come and building upon that we hope that we can be much
9:47 am
clearer when a comeback your maybe next year. >> a question over in the corner. >> thank you. my name is marina -- >> it is working. >> i am ambassador with emphasis on the. i would like to thank the both speakers for excellent presentations and commission i know. personal dedication to your very strong ally of my country when dealing with cyber in e.u. my question is to both of you. when we talk about cooperation with third countries, with those countries who are not paying enough attention today to cybersecurity, and who may be in short term do not see the advantage of cooperation in cybersecurity. what does it mean, leverage the to involve those countries more and more into cybersecurity cooperation? thank you.
9:48 am
>> so maybe, perhaps i will start, and i love they eat and estonia. i have opposed that meeting -- [inaudible] >> i am. of meeting with your colleagues when i was recently in luxembourg with cecilia, discussing with the council questions related to cyber as well as other things. i was also just recently in -- were the government is quite seized with the imports and challenges of cybersecurity. my colleague, bruce mcconnell, who is here and who will appear on a panel shortly, reports a wonderful saying. and i think by the third or fourth hand you know longer required to properly attributed it, so i believe that to him to do. there are two types of organizations one might say two types of states in order to those who have been hacked and those who do not yet know they have been hacked. and this is the case but, unfortunately, some have to
9:49 am
confront the reality of a cyber attack, intrusion and even disaster before they realize the importance of this. surely we cannot wait for that to be the case. and so through the process we believe of creating a responsible cyber ecosystem where everyone is aware of their responsibilities, users. again, we think machines are users, can work to create machines that are shipped with the cybersecurity capabilities already enabled so that they don't have to be activated your that can provide part of the defense. users at all levels, beginning with young children, certainly all kinds of users in cyberspace, understanding their vulnerability. it is outrageous today that we live in a time 25 years or more after the creation and widespread, you know, growing of the internet that there's not a single activity one can undertake in cyberspace, confident that your information identity will not be compromised in some way. for sunday can either plug in your computer.
9:50 am
that's simply unacceptable. we have to do better. and it begins with a frank dialogue at every level between governments, with our industry partners, with our publics on the vulnerabilities comment responsibilities in issue -- in a secure cyberspace. >> thank you. the guardian by congressional the work that the stone is doing on this. i know you're commitments under professionalism and high level of online reaching out, even to the remotest villages, and also the work you're president of estonia -- i had the privilege of meeting a few weeks ago. we discussed the cyber strategy. where i can understand that a country like estonia gets frustrated some countries are not at the same level, and this is what i was talking about. this very important challenge for us in the e.u. to make sure that some countries who do not have this resilience, do not have this progression thereby are much more vulnerable in many ways of cyber attacks because they don't have the
9:51 am
infrastructure to deal with this. that we get them onboard and that that we get them into the cooperation very much. so i think, hope very much that the cyber center and others who speak more about this i think about this afternoon, but this can be sort of focal point to encourage and to help to support member states. also working with other country. i mentioned the u.s. as an obvious partner but also in aaa setting up a cyber center in singapore, and is not in place yet. a few years to go. but this could be a partner as well force, as well as industry and other sectors. and again, the budapest convention is so far the best tool we have in counsel of your convention and we're encouraging as many countries as possible to ratify, defined and to join the community who haven't signed up to this. so it's a struggle. it's difficult, but we need to start and we need to be very focused because as i said, and
9:52 am
by jane also, the cyber criminals are far, far further than we are come and we must make sure that we can make internet a safe place, as well of course as authorities are also going back to the individuals. >> we have to appear. -- we have to up here. >> commissioner graham you mentioned your plans to do a new e.u. legislative proposal. i was one if you could tell us a bit more about what kind of proposal you have in mind. and just on the budapest convention, has the u.s. signed up? are you planning to sign up? >> just on your first question, maybe, it is directed. that is already on the table.
9:53 am
so it's updating our current legislation on cyber, which is a bit outdated. also it contains new elements on harmonizing of definitions of cyber crimes and penalties and also criminalizing the use of malware and botnets. we will hear more about that maybe, and also in the council. so this is not been decided to more but we're making good progress. [inaudible] >> henry, george washington university. for the commissioner, the deputy secretary mentioned the intersection between
9:54 am
cybersecurity, a more traditional kinds of national security questions. of course, the european union doesn't have very many competences when it comes to traditional forms of military security. so does that leave a vacuum there? at how are people trying to fill that vacuum? and for the deputy secretary, you mentioned the successful culmination of the pnr agreement. there have been discussions over the last two years about a possible blanket agreement covering all this bride of issues where homeland security and privacy intersect with each other. what you think the prospects of our after the recent successful conclusion? >> know, you're absolutely right that when it comes to more military security where cyber plays a very important role, the european union as such doesn't have any confidence. this is of course issues with the cooperate bilaterally pick
9:55 am
we also have made aware know this is very high on the agenda, cybersecurity your but the mere fact of cabinet of a strain, building up the cyber center, having it on the agenda also creates platforms will we predict views, where they get best practices, that practice as well. don't do this, we tried it. and this hopefully will create a dynamism that also can be useful in the field. so we do not count on building of any european union confidence in the field because we have enough to do as it is, but i think it can also be useful in that regard because of -- there's a limited amount of people to work with us who are experts and they need, and that will feed into the other. >> so, i'm very bullish on the u.s.-european cooperation right now. i think it's on an upswing. i won't comment on the ongoing negotiations on the so-called umbrella agreement, and i think it's important, our dialogue on every aspect of this is essential.
9:56 am
i can't imagine the united states proceeding in any area of cybersecurity without being in close dialogue with our european partners, both bilaterally and institutionally through the e.u. cecilia mentioned when we were in luxembourg with about five or six ideas of additional things that we ought to put on our discussion agenda, and we will. so to your specific question, there is that ongoing conversation. i'm very optimistic that this dialogue will not only remain but will develop. if that's possible to imagine. of course, i believe that anyone who has lived through the events of 1989 have lost the ability to say anything is impossible. so everything is, therefore, possible. and in this regard i would like to say that some of the most innovative thinking between governments and between multilateral institutions, multi-governmental institutions like the e.u., certainly in our own dialogue on pnr reflects some of, at least in my
9:57 am
experience, 30 pleasures experience in largely the public sector, some of the most interesting and innovative thinking and willingness to confront novel issues that i've ever seen. and some of these problems are as hard as they get. and these problems occur with very interested to focus to the rest of the world is not standing still. i in greece and we talked to my post about the world's 5 billion. there are five things that claimed acted affiliation of a billion or more people. five things. team indian, being chinese, being catholic, being muslim, and being on facebook. now, that is real interesting. and government are attuned to this reality, certainly in our dialogue. we are attuned to these realities, and the emergence importance of the internet, and have access to the internet and the promise that holds for the world's population. we conduct and conclude our conversations across a range of issues in this space. >> i think we have time for one
9:58 am
more question, if anyone has got one. if not, what am going to do is say it's great seeing these two together. i think there are two places that should have shared values that are like-minded and a good set of global presidents. i think it's the cooperation between the u.s. and the e.u. so with that, join me in thanking our speakers. [applause] >> and if i could ask members of the first panel to come up. [inaudible conversations]
9:59 am
.. [inaudible conversations]
10:00 am
[inaudible conversations] [inaudible conversations] [inaudible conversations]
10:01 am
[inaudible conversations] [inaudible conversations]
10:02 am
[inaudible conversations] >> if i could ask people to take their seats, we can get the first panel started.
10:03 am
great. [inaudible conversations] >> we're missing one. ah, here we go. well, we're off to a good start. so let me do the following, i'm going to introduce our three panelists. we'll each let them speak for, oh, about ten minutes, and then we'll have time for questions. so, um, with that, thomas dukes is the senior adviser to the state department's coordinator for cyber issues. he focuses on cyber crime, cybersecurity, national security and capacity building. before that he was at the
10:04 am
computer crimes and intellectual property section of the department of justice which is, of course, one of our premier institutions in cybersecurity, and he's also a lieutenant colonel in the air force reserves. francois rivasseau is, of course, known to many of you here already. he was the dcm at the french embassy at the u.s. he's had a distinguished career. he's currently the deputy head of the e.u. delegation to the united states. been here about a year, almost on the nose n that position. but many, many times in the past his career has focused on disarmament, security, multilateral affairs. he was the ambassador to geneva which is a perfect place for security, multilateral affairs. the spokesperson for the french ministry of foreign affairs and the head of the mission, the ministry's u.n. directorate
10:05 am
which is a focus of attention here for cybersecurity in the coming year. finally, bruce mcconnell who also is probably known to everyone, as all our panelists are. the senior counselor of the national protection and programs director at dhs. i've, of course, known bruce for a long time. he was on the transition team, before that he was in the private sector, before that he was in omb which is the true center of power as many of you know here in the u.s. government. and we're very happy that we can have all three panelists here to speak to you. why don't we do the following, why don't we just go one, two, three, to make it a little easier. we'll start with bruce and end up with tom. >> good morning, everyone. it's great to be here, although i must say deputy secretary lute is a hard act to follow, so that's a good thing. but we're really happy to be here, and i wanted to comment on a couple things and draw out a
10:06 am
couple of conversations that jane and cecilia started because i think there's some interesting threads here that we can pull on collectively over the course of the day and in the future work that the commission is going to be doing in this important area of trans-atlantic cybersecurity cooperation. so starting kind of from home, i would note that there's actually a fairly large footprint of dhs people here at the conference, and i think that's instructive because it takes me back to an article that deputy secretary lute and i wrote in "wired," i guess it was about a year and a half ago which the main thrust of which is that cyberspace is civilian space. so there are many metaphors. we, all of us who work in this field, are always searching for them because we can't see very far into the future, so we're always trying to reason by
10:07 am
analogy, and with all analogies they take us partway, and then they produce some bizarre conclusion, and you think, well, that's the end of that analogy. so we all have good examples of that. but if you think about some of the things that cyberspace can be thought of whether it's a schoolyard or a classroom or a library or a marketplace, the one thing that we asserted in the article that we do not want it to become at least by its very nature is a battlefield. and so, um, it is, i think, instructive that the administration, um, and that this event today has such strong representation from a civilian agency, homeland security and the administration's legislative proposal asks the congress to give us the primary responsibility for securing cyberspace in the united states. and i think that from a
10:08 am
government standpoint, anyway, and, of course, with the caveat that government can't do this and governments can't do this by themselves. so to that point, i think a second interesting aspect of the conversation today and as you heard this morning already is the initial focus that many of us have and many of us collectively, internationally have on so-called cyber crime. and so we have the budapest convention which is the probably principle government-to-government instrument at the moment that covers, covers cooperation in cyberspace, and it is, um, we were happy to see in the most recent, i guess, two days ago announcement, fact sheet from president obama and prime minister of japan noda that the
10:09 am
japanese are, have decided to exceed to budapest convention. so that's a major, i think, extension of it to outside of the normal kind of, you know, atlantic sphere, and so very promising. and we hope that's just the beginning of more, broader international participation in that point. but i think as you tease out the different kinds of pieces and threads of how we deal with this large problem of cyber, of safe and secure and resilient cyberspace, there are a number of threats. and so the cyber crime piece is an interesting one because, in fact, of course almost every attack that we encounter every day is a crime. in the united states, anyway, any unauthorized attempt to access a computer system of someone else without their permission or to deny service to it is a federal crime.
10:10 am
but we don't generally prosecute under that statute. it's very difficult to prosecute under. and, in fact, the focus that we all collectively work on as governments is what i -- a subset of those crimes which i would call cyber-enabled crimes, and so that is the kind of thing where we all are in agreement that child pornography is not, you know, an appropriate thing to have in cyberspace, and so we attack that as a cyber-enabled crime among other, among that, using that among other tools. we attack intellectual property crimes that are enabled by cyber, you know, by the internet. we attack financial crimes that are enabled by, um, by the internet. and so there's a whole area, rich area of collaboration and cooperation in that area, and i think we need to continue as governments to increase the sway and use of law enforcement tools in this area. and i know the second panel, my
10:11 am
colleague steve is going to take up that question in more detail. so you can then get to a couple of other things, three other areas, i think, that are interesting to, that we all work on and to think about because they deal with different parts to it. so there is the problem of cyber defense, of the possibility which our colleagues in estonia and georgia are those countries which know they've been hacked in this context and so are leading the charge in europe to, um, to get others to understand the importance of this issue. from a national security level. and in that area as the deputy said there's another one of the areas of great debate about roles and responsibilities of the state in this area and of the defense establishment, but there's no doubt that there is a role and that there are adversaries that we all face
10:12 am
that are, um, you know, national governments and that inevitably cyber will become an element of conflict going forward. and so that's not, that's not something that you can deal with, you know, particularly well or effectively in the law enforcement context, in my opinion, and it is an area that needs to be dealt with in its own right. so the third area is, well, we all -- what i think of generally which is our core mission at homeland security which is from in this space, and that's cybersecurity. and this is securing the internet itself. it's a place that can be supportive of our ability to defend against cyber adversaries from a nation-state standpoint. it can also be supportive of reducing cyber crime, but it's really about the defense of the networks and the defense of the
10:13 am
information and the protection of identities. and it's in this space that we get into, um, why, why it's important to have a civilian agency doing this. and as the deputy secretary said, you know, from the standpoint of cybersecurity at homeland security, generally, it's kind of a bottom-up thing. it's not a top-down thing. and so in national security and in national defense the actual, you know, the norm is that you wait until you are attacked or are about to be attacked before you do something. in policing in homeland security you can't wait for that. if population is afraid in the local jurisdiction, if you are already behind the curve. you have to act proactively to defend and create environments which are resilient when include empowered individuals. so in cyber that connects with
10:14 am
the our stop-think-connect campaign and awareness campaign, and i know europeans are thinking about a similar type of campaign, and we're talking to them about that, about capable communities. and if you translate that piece of resilience into cyberspace, you're talking about all the various networked communities and making sure they're able to defend themselves, right? and then a responsive federal system that can aid and assist that whether it's through sharing of threat information and remediation alerts to coordination of response when incidents reach a national level. and so in that context there's a bunch of areas where we collectively are cooperating, right? so we talked about the emerging collaboration and cooperation on bot nets. there are several interesting approaches. the australians have an interesting approach, the germans are well along on an approach, and this is under broader conversation in the european union, and we now, as you know, have had a couple of
10:15 am
successes here working with the isps on a voluntary basis to promote the stopping of bot nets. there was discussion earlier about the importance of managing the domain name system and, of course, on all this we are cooperating on a bilateral basis and increasingly multilaterally on operational matters. we were recently in india where we have signed a cert-to-cert cooperation agreement, and that allows us to if we see attacks that appear to be coming from india, we can call them up and ask them to, you know, check in with the hosting company and see what is going on, and they can do the same with us. and so that can be quite helpful in this operational cooperation and collaboration, can work as all cybersecurity actually works that's effective on the internet in a very informal basis among communities of trust. so the fourth area just to capture the overall piece,
10:16 am
picture here is the question of internet content. we all, both the europeans and the united states in our international strategies, talk about the importance of keeping the internet open. and that means open from a technology and interoperable standpoint, but it also means it is an open place for discourse. and this is an area where, in my opinion, there is the least amount of international agreement, and we will have a long set of conversations about how to deal with the problem of what content is viewed as appropriate by governing bodies in various jurisdictions. and so that's a longer-term conversation. but -- and it's not strictly about cybersecurity, but on the other hand, it is, um, it does relate to the nature of cyberspace. and i think for those of us who think about these questions about what is cyberspace and how does it work and how does it become an environment for humans to collectively discuss and take
10:17 am
action on global problems, this question of content, um, will become increasingly important and something we'll need to deal with. so you have those four threads, and then on top of that you have the question of governance, how do you, how do you manage these things collectively. and for that just as the deputy said, we're trying to make sure that we can get the machines to help us protect them by having them, by automating some of the response and alert aspects of it. so, too, i think we have to have the, use the internet to help us govern it, because we cannot only rely on the agility of standing governments and standing government institutions. we've found already in cybersecurity that it's certainly true if you can work informally and collectively to get things done, and i think we will need to continue to develop
10:18 am
institutions that are internet-based for the future to govern some of these, govern some of these problems. and that is very much still a work in progress, i think, for all of us. so i'm asking only that as we, as we increase our dialogue and cooperation that we take the big picture and the long view, i guess, since this problem will be with us for a long time, and it's an exciting area, and i just want to, um, echo the points made earlier about how important this particular collaboration is. so i look forward to the discussion and -- [speaking french] [laughter] >> thank you very much, bruce. i am in an even more challenging situation than you because not only do i have to speak after the eloquent and speech of my commissioner, but she's here. [laughter] and let me tell you, we are very
10:19 am
motivated to work with commissioner malmstrom particularly because she knows how to motivate people and, you know, she didn't ask her collaborators to review what i was going to tell you, so it's an example of the way she works. really, she knows how to create a stimulating environment. we are to talk about trans-atlantic cooperation. let me just start with one fact. -- [inaudible] over communication infrastructure should exceed by far, by very far any data flows between other region or with other regions. and another fact is that we share, basically, the same value, and this is also a unique element of our relationship. and although we don't have necessarily the same privacy conceptions, we have different laws and different federal structure, but we share the same values, and that's why the debate we have on both sides of
10:20 am
the atlantic on how to -- [inaudible] need to regulate against cyber crime, for sign or security -- cybersecurity, to fight against terrorism on one happened, but also on the other to promote in other countries, to preserve in other countries freedom of internet and also to maintain business-friendly environment as much as we can because on both sides of the atlantic we need the jobs and growth. and we know that the big internet firms are, for the time being, still in europe and in the u.s., so it's in our common interest. so we share so many things. that's why our cooperation is so important. let me just start my -- [inaudible] my third point about concrete measures. state of play. as commissioner malmstrom put it so well, cybersecurity on both sides of the atlantic have evolved rather differently, and in the u.s. we show
10:21 am
cybersecurity has become part of national security policy for a long time and is, therefore, a more mature field maybe compared to the e.u.. the first u.s. cyber strategy was 2003. [inaudible] something more recent. since 2008-2009 we, for the first time, policies focusing mostly on internal market, but in the last years on one hand there is one treaty set up a new dimension to cybersecurity in cfsb field and, most important, under the initiative of commissioner malmstrom mostly -- the information society have engaged in the discussions in preparing a new strategy for cyberspace. and this really shows that we know that we have to come after that quickly. and as she put it and for the reasons she put it, particularly related to cyber crime, but for many other issues.
10:22 am
it's an issue of emergency. and i can tell you that we plan to try to achieve that as fast as possible because we know it cannot wait. because of critical dependencies between the u.s. and the e.u. companies, you know that if we are still not -- [inaudible] between the u.n. and the u.s., there is a trade investment market in a way. there is direct u.s. investment in the netherlands which are higher than the total u.s. investment in china, india, brazil, south africa and russia altogether. so we have such a big community of companies, a company which is american-registered usually is partly owned by european stakeholders and vice versa. because of these critical dependencies between our u.s. and e.u. companies --
10:23 am
[inaudible] and the current e.u./u.s. working groups cover only a fraction. so, therefore, the strategy -- [inaudible] so designated to allow us to work on more comprehensive approaches. our dependencies will grow also. and, obviously, part of the landscape is that some member states, e.u. member states have -- [inaudible] very important dimension of our land scape. we work together, member states and the event u. commission, to service the objectives. in the foreign policy aspect of cybersecurity, the department of state was initially -- [inaudible] to include strategic and diplomatic cybersecurities into u.s./e.u. working group's agenda, and initially direct contact with member states on global and foreign policy issues. and not to deal specifically
10:24 am
with cyber. but now we have a strategy dialogue on cybersecurity which has been proposed, and the e.u./u.s. security policy have close working relation with department of state policy coordinator's offices, and this is also a field which is developing quickly. so what could be the agenda? if we have the tools now, if we have the will, if we should have, on the e.u. side soon, the agenda, what could happen? first, rule of law which could preserve open and free cyberspace. but we need for that norms of behavior inside cyberspace, norms of behavior. we have as another domain existing laws and rules which have to apply and implement, and this is a very technical challenge. as commissioner malmstrom explained to you for budapest convention, before conflict in
10:25 am
cyberspace we have dimension of cyber convention but also some results of some -- [inaudible] we also had in new york. we have international humanitarian -- [inaudible] in the cyberspace. and confidence measures are important, and we think should be, could be developed to stabilize cyberspace. the principles of human right laws apply. and to have the common vision on -- [inaudible] essentially f we want to shape the agenda. secondly, on cyber crime and cybersecurity we have, obviously, very practical cooperation. i think this will always remain at the center of our or work, and this has been described by you, bruce, so i will not come back to you. come back to it. private sector. the contact between our businesses will also define certain dynamics in
10:26 am
trans-atlantic cyber relation, and it is crucial to define how to protect the most critical parts of our interdependent infrastructure. there are many exercise when i was -- [inaudible] i remember in 2005 we -- [inaudible] critical infrastructure, and insure that the cyber protection that is most important dimension of all that. harmonize the environment for provide security of functioning for business is also very important. and should be, also, on the agenda. and we have, also, to stimulate the contacts between cybersecurity communities working every day in the u.s. and e.u.. so this is, basically, the main element of the agenda, and what could be maybe the main priority, concrete priorities if i have to go a bit more in-depth, i think the application of existing international law and developing norm in cyberspace is a first challenge. but i would mention briefly two
10:27 am
ore others. strengthening the global response on cybersecurity capacities. many cyber threats, it has been recorded by commissioner malmstrom, emanate from territories where there is weak state capacity to deal with cyber incidents and investigations. there is no legal system present that would allow criminal misusers of computers and weak capacity. if i may, reminds me of personal experience at a time when i was spokesman. one day i was in charge of internet of a department of, the french department of state, and one day while opening my computer, going on my web site i see that the word france had been replaced by very little country. [laughter] it was in 2004 maybe to tell you something. well, and then i said, okay, we should be able to know at least -- not only to congratulate him for his sense
10:28 am
of humor, but we should be able to have an idea. then we went, i can tell you, to all security service -- [inaudible] and we, we are able through legal means to see that this was coming from a tiny country, a tiny island country in africa. i will not name it, but a very, very small country, completely undeveloped. no rule at all. and then we are told we have no agreement with this country. we cannot try -- [inaudible] it's absolutely impossible. so that's a long-standing challenge that i hope to see one day sort out. and i think there is a need for u.s. to really prove to the rest of the world that we can develop security in developing countries, in cyberspace without sacrificing freedom. but we have to put some money on that. we shall have to put some money
10:29 am
on that, and at the time when money is rare, we have to coordinate how we do that because we have the same objectives here. and that's an important part of so-called london process, as you know we are very interested by and have very important stakes at it since november last year. but there are also some aspects in strengthening cybersecurity capacities that we should take into account, but it is also of interest of the u.s. to prevent country becoming hubs of cyber crime, but also developing country to completely established as secretary clinton put it in a very famous speech a bit more than one year ago, a new walls on internet. what was exact formula? >> [inaudible] >> no. it was in her speech when she said, you know, you are at cold war with the berlin wall, and what we want to avoid is some countries establish new walls on internet. and, for example, the e.u. has
10:30 am
begun when discussing sanctions for country like syria, for example, to make sure that when we establish arms embargo, we extend the conception of the arms embargo to cyber tools that can be useful repressing the population and preventing it from establishing links. i see it kind of reflects automatic reaction that we have to develop and to think automatically, more automatically to that. finally, i would say, i would come back to united nation. we have a discussion, an important discussion in the united nation, and the major initiative like china and russia to increase proposal to frame the discussion in classical arms control mechanism to favor more government control of free flow of information. this is not, this is also an
10:31 am
issue on which we have to talk because we, we see some merits in having a u.n.-based image. we see some merits. we need the u.n. to be sure to be level global capacity. at the same time, we would like to be able to focus or refocus the main purpose of that to realize cybersecurity in preserving freedom of information. that's why we really need to act together to get, also, capacity of -- [inaudible] i should stop here because i've been far too long, and i thank you your indulgence with me because i hope that commissioner malmstrom will not cut my head, but i know that's not the way she behaves. she's absolutely not like that. [laughter] thank you for your attention. [applause] >> and thank you to csis for
10:32 am
sponsoring this, for sponsoring this event and inviting us to participate. i will start out by saying i largely echo all the comments that have been made by the previous speakers, particularly in terms of the very strong working relationship between the u.s. and the e.u. on cybersecurity matters. if you set aside the data privacy issues, then i think you find that we're almost in complete lockstep on most of the key issues. and also as francois, i think, very well teed up if for you at the end of his comments that we both look ahead and see a number of very significant coming debates, debates that have already begun but that are going to be very active in the year ahead at the u.n. on things such as the group of governmental
10:33 am
experts looking at norms for state behavior in cyberspace at the u.n.'s international telecommunication union world conference on information technology that's going to take place in dubai this december looking at revising its treaty document and how cyber issues can or should play in that document. and i think it's very encouraging certainly from a u.s. government policy perspective to know that we have in the e.u. such a strong partner on these very high-level policy debates and challenges that we face ahead. what i'd like to do is just spend a few minutes talking to you about, um, a couple of, i think, fairly concrete or maybe narrowly-focused areas in which we are currently engaged with the e.u. and that, perhaps, offer some examples for continued, successful engagement in cooperation and collaboration. and so i'll first put on my hat
10:34 am
as a senior policy person for the office of the coordinator for cyber issues at the state department which is an office that was created in february of 2011 when secretary clinton appointed my boss, chris painter, to serve as her first coordinator for cyber issues. and this was something that was done in conjunction with the finalization of the u.s. international strategy for cyberspace that came out in may of last year. and the basic idea was, you know, looking at the state department which is largely organized along both regional bases and then functional bases, trying to figure out a way to insure that within a large organization like that in the same way that for the united states government we've created a cyber coordinator position on the national security staff, a way to insure that policy decisions can be made that take into account and reflect all the different equities that we face in our foreign policy
10:35 am
engagements. and so the office, um, has been up and running now for about 14 months, and among the key things that are going on now that i think are worth noting for this group are, as francois mentioned, we are increasingly engaging with the european union in addition to key e.u. member states on a wide range of cybersecurity issues. we have a steady flow of e.u. and e.c. officials as well as senior officials from a wide range of countries but particularly european countries coming through the state department, coming through our offices. and it's almost an exponential growth in the in talking about cyber. it's, it's very encouraging, um, sometimes it's almost overwhelming to try to just hit the sort of the key opportunities like this csis conference where we can talk about these issues.
10:36 am
but certainly we're seeing a real interest across the board in engaging on cybersecurity. another thing that's been, um, very encouraging is to see that increasingly other countries have, um, have either come up with the same idea or followed the u.s. lead and are appointing senior officials to manage their cyber policy work, particularly in their foreign ministries. so france, the u.k., germany, japan, russia, the netherlands have all within the last year appointed very senior officials to make sure that their governments have a clear point person who can manage and develop their cyber policy, lead their international engagement in cyber policy issues. we're also seeing more and more countries issue national strategies that define how they view the key policy issues, how they have decided to organize their governments, how they've decided to engage with the private sector.
10:37 am
and that's another very encouraging trend that we try to, to encourage countries to really think seriously about these issues. and, again, keeping in mind that, um, as particularly as we move through the next few years there are going to be some incredibly important policy debates and international decisions that are going to be hashed out in places like the u.n. or the osce or other key regional organizations like the e.u. and the council of europe and apec and the organization for american states. i mean, you can name any multilateral organization right now, and there is a very robust, high-level cyber work stream that's going on. but helping countries think ahead and start really forming their positions on a lot of these key policy issues that relate to internet governance,
10:38 am
that relate to norms, relate to how we deal with cyber crime, and that's where, you know, again, the u.s. and the e.u. can really wok very effectively -- work very effectively together to help other countries understand the issues, the implications particularly like the russian/chinese code of conduct and help them see that the kind of the high-level views that the u.s. and the e.u. promote are really the most consistent with notions of international law, human rights, um, insuring that we have a safe and secure, open, interoperable internet. so some of the other, a couple of the other key things that i'll just highlight are that our office is increasingly working with e.u. institutions or european commission institutions like the external action service to find be ways that we can better integrate our capacity-building efforts. the u.s. conducts, um, a very
10:39 am
robust international training program focused particularly on cyber crime and cybersecurity also countering terrorist use of the internet that's funded by the state department out of both our counterterrorism and our narcotics, international narcotics and law enforcement bureaus. and one thing that's been missing, though, is the same level of engagement by institutions like the e.u., by individual e.u. member states. but we're starting to see much more interest, um, particularly by key countries like, key partners like france and germany and the u.k. and, um, making a much more robust investment in their capacity-building efforts in places like africa and asia. and we're working on a number of upcoming programs that the state department will be leading where we're going to be doing joint programs that will include e.u.
10:40 am
and e.c. and a number of other key partners including other g8 countries such as japan in our capacity-building efforts, and we think that's a great way to go forward. let me shift now to talk a minute about cyber crime. most of my background is as a prosecutor for the department of justice. i'm currently working at the state d. on a temporary detail -- state department on a temporary detail, and i also chair the g8's high-tech crimes subgroups, so i have a little bit of experience dealing with cyber crime. and i think if we look at the successes we've had in addressing cyber crime, they're really instructive and provide a really good model for how we can tackle other challenges like helping insure countries have secure and resilient networks. we've been dealing with cyber crime -- we, collectively, the u.s., europe -- for almost 25 years now that we've been in a focused way building our capacity and our capabilities to combat cyber crime.
10:41 am
and a couple of the key things that we used as the pillars were trying to create a world where there are no safe havens for cyber criminals to operate, and all countries can effectively deal with cyber crime challenges are the promotion of the budapest convention which, you know, currently has a little over 30 parties to it. the u.s. was one of the countries that helped negotiate the convention. we signed it when it first was open for signature in november of 2001, we ratified it, um, and it went into force in january of 2007. and what's been really good about sort of the last year and i think the next year or two in terms of the convention is we've seen a number of countries that were involved with drafting the convention, signed it early on such as the u.k. and japan that are now u.k. last spring completed its ratification, japan is 99% of the way there. we're also seeing, you know, good movement in other countries
10:42 am
like canada, australia that have been working for years to become parties to the convention. but also there is a very steady flow of countries that are asking to become parties to the convention. so if you look, for instance, at the council of europe's web site, you see that in november senegal asked to be a member of the convention, south africa's working towards becoming a party to the convention and has signed it. in central south america you have chile, argentina, the dominican republic, and a number of other countries, mexico, that are in the process of becoming parties. the philippines is in the process of becoming parties. and i know of at least five or six other countries that will in the coming months be announced as becoming, as working towards becoming parties to the convention on cyber crime. so that's really encouraging because what the budapest convention does at its heart is it provides sort of a three-legged stool approach towards dealing with cyber crime.
10:43 am
it says you have to have the right substantive laws that allow you to prosecute certain acts, you have to have the right investigative power so that law enforcement can get stored communications and data, can get intercept in realtime communications and data, and then also and probably most importantly for this group that there can be robust, international cooperation, information sharing and assistance. and one of the great things that the budapest convention does is it actually serves as a treaty. so if two countries are parties to the convention but they don't have an existing treaty to deal with sharing of information, the budapest convention itself serves as the treaty and allows that to operate. one of the other things that the convention encourages or says countries should do is, um, be part of a, basically, a 24/7 network that allows immediate assistance, it allows you to immediately request and receive assistance from foreign law enforcement, trusted foreign law
10:44 am
enforcement counterparts. so one of the great things that exists to make that happen, in fact, probably the best success that i can point to in terms of international cooperation on cyber crime is the g8 high-tech crimes subgroup a number of years ago created a 24/7 network which has now grown to 60 countries, and we're adding, you know, a new country every few months now and includes a really wide range of countries from all over the world. and things like that can serve, i think, as very effective models for how we can, you know, work to build capacity by bringing countries along at different stages. getting them involved, for instance, in informal networks that can lead to helping them build the resources and capabilities to then become better able to really deal with cyber crime on their own, to do things like join the budapest convention. we do a lot of international outreach and training to help
10:45 am
countries draft laws, to help them set up certs, to help them build the investigative capacity to establish forensics labs, and that's the type of work that particularly in the cyber crime area that the e.u. and the u.s., i think f we really put our minds to it can find some great opportunities to collaborate and really help build the international community, raise the baseline so that there are no longer these instances like francois mentioned where you have countries that are, essentially, you know, safe havens for criminal actors or others who want to do bad things on the internet, that there won't be that problem. and i think we're making a lot of great progress towards that. so, again, jim, thanks for including us in the presentation, and if you have any questions along those lines either here or, um, later on offline, please, feel free to reach out. i'd be happy to talk to you about any cyber crime or foreign diplomacy issues.
10:46 am
if -- >> great, thank you. very full presentations. and we have a few minutes for questions if people have any. i've got a couple. maybe i'll start by asking all three possiblists -- panelists, um, if you were going to think of where the strengths of trans-atlantic cooperation might be, where are the operational areas? not the policy, not the negotiation, but the operational areas where a benefit or a possibility for cooperation? and would this be more than crime? crime is sort of easy. everyone thinks it's bad -- almost everyone thinks it's bad. but are there other areas in and particularly when you think about information sharing, how much do you create the same, how much do you face the same kind of risks or problems you would face on information sharing for passenger data when you think of information sharing for cybersecurity? so i don't know if you want
10:47 am
to -- but where, how would information -- how would an operational approach work? >> so great question. i think there's probably many areas of fruitful operational collaboration. let me talk about some of the ones that are ongoing today because i think those are the ones we've identified are already working for us well. so, um, late last year we held a u.s./e.u. cyber atlantic tabletop exercise which took place a year earlier than it was originally scheduled, so we were agile there. and be looked at -- looked at two different cyber attack scenarios and how the roles and responsibilities would work. there was an after-action report for that which is going to set for a series of annual, you know, incident management conversations between us and particularly involving the european network and information security agency, enisa. so that is working well. it, obviously, connects also
10:48 am
with the bilateral connection that we have, you know, with individual countries, and on a testing and incident management approach, i think that's a big piece of it, and i'll come back to the information-sharing point because that, of course, is critical to that cooperation. but let me just mention a couple of other areas that we're working together on. we're working together on awareness raising, so in the concept -- context of empowered individuals we're going to be doing some work. we have our stop-think-connect campaign which i mentioned, and that's a conversation with the europeans about what the, you know, uniquely european way to attack that question, and we're also going to be doing some work together on best practices for child protection online scheduled to coincide with the u.s.' national cybersecurity awareness month this october. so that's exciting. and then in the third area is just working the public/private
10:49 am
partnership. so as was stipulated earlier, governments can't do this. we need everybody's help. so there's some particular work that we're doing together in a industrial controls systems area, and next week we're having a conference in savannah. there'll be an international partners day as part of that, and there's also work together on botnets, so i think there's a lot of operational collaboration. i think on the information-sharing front an approach that we've found successful in the united states and we've also found success. in bilateral arrangements is to really just whenever you share information, you know, state what the agreement is about how it can be handled. so you can use the red, yellow, green approach that is just for that conversation, that it can be shared with a trusted group, or it can be more broadly disseminated. and i think at this point we're at a place where we kind of have
10:50 am
to deal with it on a case-by-case basis and get some experience before we come up with an overall framework for that area, but i think that can work quite well as long as you're explicit up front about how it would be shared. >> thank you. >> about information sharing, it is a difficult area because it involves usually a lot of information sharing on business solutions and practices. let me compare that to another field which as a member of -- [inaudible] ban ki-moon we feel is useful to think about which is of bioprotection. when you think about the convention of bioweapons, biological weapons, you will see when you want to share information about bioweapons and
10:51 am
good practices, you face a bit the same problem because in a way you have to have a software, aggressive software to know how to defend yourself against, and usually this involves international -- very highly-sensitive intellectual property problems. and if you think -- if you forget one second about computers and you think about bio, it's exactly the same problem. you have to have a bacterial agent which is usually refined and worked out with increased performance and which usually are part of intellectual property, highly-sensitive information. and on this basis you can find the difference. so in both cases the situation is a bit similar. what did we do in the bio field?
10:52 am
we tried to promote a minimum level of protection. first, we need a universal norm that we have in the bio field that we still have to work out in the cyber field. we need good practices and regular meetings between experts on good practices. first of all, to be prepared with some framework because we are the most advanced internet in boy owe. but after that, as you rightly pointed out, the soldty of a defense is worth the solidity of a weakest point of a defensive chain. so you have to have a global ambition if you really want to get something. and then on this, in this context one you have established the proper context, then you have experts who can -- then you
10:53 am
identify the most we can share. and usually you will see that in the proper context you discover that you can share much more than you would have thought initially without having set up -- [inaudible] so that would be my answer on information sharing. >> great. >> just very briefly, um, obviously, information sharing is one of the hottest, you know, current issues facing us dealing with cybersecurity. you only have to look at the plethora of bills in congress, most of which are focused extensively if not often exclusively on how to help the government better share information internally and with the private sector. but in terms of kind of existing, i think, successful operational information sharing we can look to, one is going back to the criminal law enforcement example. it's amazing within law
10:54 am
enforcement channels how effectively we're able to share information. um, the u.s. with a wide range of countries, um, often countries that we don't necessarily work very well in really any other context with. but, um, the law enforcement world has really developed some very good formal and informal mechanisms over the last few decades to figure out how to share information about cyber crime investigations. and one sort of direct, positive result from that that you see are increasing joint international criminal investigations and takedowns. whether it's groups like anonymous or reaching back, you know, even five or six years, huge carding organizations like operation firewall that the secret service carried out. you're increasingly seeing, you know, larger and larger groups of countries working together to tackle cyber crime -- transnational cyber crime
10:55 am
organizations that have members in many different countries and very successfully being able to keep those investigation bees secret until the appropriate time, arrest people, execute search warrants and do that effectively. and i think that provides some very good lessons. and just the other thing i would mention very briefly is another area where i think there's great opportunity and fantastic work being done right now by dhs is in expanding cert-to-cert cooperation. there's an international watch and warning network set up of smaller countries, but one of the things i hear constantly as i travel around to different countries and international conferences is a real desire from international partners to find, um, better, faster, more comprehensive ways that we can share information about threats, about signatures for malware, and i think as an area of focus on an operational area, that's one thing that will yield huge dividends for us and that,
10:56 am
again, is particularly, i think, appropriate for discussions within the context of the u.s. and the e.u.'s relations on cybersecurity. >> okay. we have one question over there, and that might have to be the last one. yeah. and could you introduce yourself? >> i'm alan from the fans institute. the law enforcement sharing is pretty amazing, and the effects are impressive, but i think the largest lever we have where there could be cooperation where i think there is none is in the buying power of the governments. deputy secretary lute mentioned that one of the really big needs was to get the vendors to deliver technology with security baked in to get the isps to deliver safer, safer networking. is there anything going on between the united states and europe in sharing the buying power so that you can use the leverage of procurement to, essentially, make systems that we're buying defensible instead
10:57 am
of indefensible? >> you have rightly pointed out a very important problem, and the answer is we are not fully yet there. we are precisely that's one of the issues the strategy is intending to answer. personally, if i could make a wish at the end of this conference, you know, when i go to buy a computer, i ask, i have asked is it possible to find a computer on the market which would allow me to physically disconnect the wi-fi so that i could be 100% sure that nobody can misuse my computer? and strangely, it should not be impossible to find that on the market, but go to best buy, go to wherever, i've been answered, no. there's no computer with a physical disconnect of a wi-fi. so all the computers you have,
10:58 am
they could be misused while you are not online. so, you know, things of that kind, this kind of reflection is precisely an angle we want to reflect upon. because it is, it is a key, but for that we need a strategy. let me just add that we have, also, in the context of -- [inaudible] a tool which is trying to make the relationship with nato, between nato member states to assure that we are all talking about the same things. and they are also beginning to develop some kind of ideas we could be reflected in our dialogue on how, because, you know, program you are yen si, they are thinking about how to make procurement tools. so these dimensions, yes, we have it in mind, but we are not yet there.
10:59 am
>> no, i guess not. with that, could you join me in thanking our panel? [applause] we now have a coffee break, and then we'll reassemble for the second panel on law enforcement. thank you. [inaudible conversations] >> this conference on u.s. and european cooperation on cybersecurity taking a short break for coffee. they'll be back in about 15 minutes and take up a discussion on cyber crime. in the meantime, some of the remarks from earlier in the day. we'll hear from the deputy homeland security secretary on her agency's role in cybersecurity. >> well, good morning.
11:00 am
during the introduction -- and very kind introduction -- when you mentioned that homeland security was the third largest department with 210,000 employees, we have quite a number of additional contractors, cecilia leaned over to me and said, my god, that's luxembourg. [laughter] i was just in the luxembourg, it's not luxembourg. [laughter] but it is large. and it is, at its heart, an operational department. i have to say at the outset to thanks to csis and to its partners for hosting this event and for giving us the opportunity to speak with our european colleagues which is something we're doing with increasing frequency these days, weeks and months. indeed, my colleagues and i have just concluded a negotiation with cecilia and her colleagues on a major data exchange regarding passenger name record, so-called pnr, and it was an
11:01 am
instructive experience for us in many ways. .. with highly invigorated and
11:02 am
responsiblized institutions. not least in the area of cyber and cybersecurity and that's what we're here all to talk about. not only our transatlantic partnership but the problems in cybersecurity more generally. homeland security has a key role in cybersecurity for the united states and i find that when i talk about the role of homeland security it's almost as important to talk first about not just its cyber role but of homeland security more generally because while many people have heard about it and we have a great brand name recognition we have something less than great brand name understanding of what it means. we do when we talk about homeland security. what are we trying to do in this department, in this endeavor that we call homeland security? i will talk a little bit about that. focus on cyber. touch on our strategy that we're promoting in homeland security and embrace obviously the theme of international partnership and what we're trying to do
11:03 am
with the europeans and more broadly around the world in the area of cybersecurity. homeland security has at its heart the core mission of helping to create a safe, secure, resilient place where the american way of life can thrive. that's our sentence. that is our motivation. that's our touchstone. a safe, secure resilient place where the american way of life can thrive. we think in order to do that we need to do five things well. prevent terrorism, certainly. this is job one for us. secure our borders. this is important, not only do we need to keep out people or goods that might be dangerous but we need to expedite legitimate trade and travel. we need to do both things if we're going to secure our border. we need to manage immigration and enforce our immigration laws. we need to safeguard cyberspace. insure that it is also safe, secure and resilient as a place where our way of life can thrive. and we need to build national resilience?
11:04 am
what is this about? this is about creating empowered individuals and capable communities and a responsible federal system so we can address all hazards when and as they come. now i spent most of my career, indeed almost all of it in national security and it's common to think of homeland security as just a lesser included piece of national security. it is of course but what i've also discovered over the past 3 1/2 years is that its really qualitativelily different. homeland security is different than national security in important ways and in ways that matter for cybersecurity very meaningfully. what do i mean? national security is something we understand that's strategic. it's centralized and it's top-driven. homeland security is operational, transactional, decentralized and bottom-driven. driven by the states, communities, city, municipalities of this country. so much of what we do in homeland security is animated in the first instance by the needs of the city, municipalities and
11:05 am
states and of all the american people. if national security is about all of us, homeland security is in a very real way about each of us. we take this approach because it fundamentally informs us that no single department can do all that needs doing when it comes to any aspect of homeland security. indeed, in the case of cybersecurity globally assess celia has mentioned. no single government can do all that needs doing as well. it is an important difference to understand. it is an important, it an any mates in a very real way how we approach all of our tasks. we called outside per security and the importance of a safe and secure cyberspace as a core mission of homeland security because we believe that cyberspace is the endoskeleton of modern life. it is the endoschedule ton of modern society, certainly of this society. it's impossible to imagine a safe, secure, resilient
11:06 am
space if cyberspace for the united states, for americans, and indeed for our global partners around the world is somehow imperiled. what do i mean by that? what does it take to insure cybersecurity? two things. insuring the fidelity, the security and reliability of our information and the security, fidelity and reliability of our identities in exchanging information. the rest as we say in my religious tradition is commentary. that is the core problem, how do we secure those two things? we have a strategy for cybersecurity. we call it our cyber blueprint. we think we need to do fundamentally two basic things. protect the critical cyber infrastructure of this country and build a healthy, resilient and dynamic cyber ecosystem. how do we protect critical infrastructure? first of all again, 90% of this country of the critical structure, not just cyber infrastructure but of the
11:07 am
critical infrastructure in this country rests in private sector hand and we operate in homeland security with the principle of nothing about you without you. so we work very closely with the private sector across the board in addressing the needs of cybersecurity for these infrastructures, these critical infrastructures as well. we need to establish and maintain situational awareness. what is happening? what is the relative health of our cyber infrastructure? how do we do, how do we reduce the risks and exposures to that infrastructure? how do we respond in a dynamic and real and effective way when intrusions occur? when other mischief and problems. and how do we build in resilience to these infrastructures so they can with stand the challenges that they face? when it comes to building a cyber ecosystem we focus here again on empowering individuals. we need smart individuals and smart machines. we need to build out organizations that are
11:08 am
themselves intelligent and responsive. we need to promote trustworthy protocols, services products, configurations and architectures. and we need to build very fundamentally collaborative communities and understand how these communities can operate together. now i think, it's fair to say that when it comes to cyber security there is a significant misperception out there. there's a significant problem and of course there is a significant opportunity whenever there is a significant problem. what's the misperception? the misperception i think when it comes to cyber security the role of government is clear. that's a misperception. it's not yet clear to many people. what's the problem? the problem is the view of the role of government is polarized and there's a great debate going on among those who are paying attention anyway. they would call it a great debate. we always do when you're
11:09 am
inside the debate and the views might be characterized perhaps unfairly but perhaps sim policicly as follows. there are those who believe that government has no meaningful role to play in cybersecurity. that the internet itself while originally founded with government engagement certainly has grown and expanded a and generated the new wealth it has representing the dynamic force it is in all of our lives in a way that was largely a result of market mechanisms, market-driven forces, the private sector. government has no role and have no role in intruding in this space in the name of cybersecurity. on the other hand are those who think that frankly it's a war zone out there and that it is so dangerous and so, and so urgent that governments must come in forcefully to establish regimes of cybersecurity that everyone must adhere to. we believe very fundamentally though that the truth lies somewhere in the middle not surprisingly. in our view the status quo
11:10 am
with respect to cyber security is not acceptable. that governments do have a role to play, must play a role here and we will play a role. cecelia mentioned in the case of the european union the dialogue going on with respect to not only member-states but e.u. institutions how to think through the appropriate role to play when it comes to balance freedom and access and openness to the internet with security. how do we build the openness and access in a way that also assures resilience? how do we understand the role of the private sector when they are so critical to the very functioning of the internet? and how do we insure and instill and even substantiate global cooperation for building cybersecurity. the united states international policy and strategy on cybersecurity identifies a number of priorities for this country in approaching, international standards, innovation and the role of
11:11 am
the internet. certainly we want to protect our economy and our economic livelihood. we think standards and innovative open markets insure this. we want to protect our networks. we want to strengthen the hand of law enforcement, and extend collaboration, law enforcement collaboration in the rule of law to enhance confidence in cyberspace. we also know that when it comes to internet governance that an open, multistakeholder system and model is the right approach in our view and we believe in this strongly. we believe in the power of the internet for international development and all of this must be achieved while maintaining internet freedom of access, resilience, inner operability and fidelity. what does this mean at the end of the day for cybersecurity and for the department of homeland security? we'll continue to pursue our responsibility of working with the private sector in
11:12 am
this country to safeguard and secure the critical infrastructure but also to build out this ecosystem that we believe is essential. it too is a multistakeholder model where responsibility is distributed. where networks are supported by intelligent protocols and architectures and while the federal system engaugement is responsive and appropriately positioned to ensure the critical cybersecurity of this country. none of this can be done alone. we are active in our partnerships not only across the federal government in the case of dhs but also across the globe and there is perhaps no more important partner than our partner in the european union. i mentioned that my colleagues and i have just concluded a negotiation on this major data exchange. at the heart of that negotiation which took 18 months, and cecelia reminds me it actually took nine years. i need a chair.
11:13 am
i am pleased to say that we successfully concluded this agreement and we hope we don't need another one for at least the next seven years. at the heart of this negotiation was the issue of privacy. how do we insure cybersecurity? how do we insure the privacy and protection and civil rights and civil liberties and exchange of information? this is a part and at the heart of the cybersecurity debate as well. we have different views of privacy here in the united states as against those in europe. i'm no european legal expert and i'm perhaps no american legal expert either as i think about it. but there is a way to characterize the differences of views and they're important. from an american point of view privacy is about limiting the ability of government to intrude into our lives, from the european point of view if i can be permit ad characterization it is about controlling one's information once you put it out there. these are two very different views and they equally legitimate.
11:14 am
and the heart of our agreement was in recognizing the legitimacy of each other's point of view on terms that each other finds important. we will succeed in the agenda of cybersecurity. i mentioned there was a misperception about the role of governments. i mentioned that there was a problem because in the debate in some quarters is dominated by extreme views but there is an opportunity. and the opportunity exists in dialogue and in partnerships such as we have with the european union to solve these problems in an inclusive way that helps create a safe, secure and resilient cyberspace for us all. thanks very much. [applause] >> i'd like to thank both our speakers. as you might suspect they have somewhat packed schedules. so we have a few minutes for questions and, if i could ask you to, if you have a question, raise your hand,
11:15 am
identify yourself and then get the microphone. john, are you kidding? you do have a question. [laughter] it's okay with me. i can identify you. you want me to do it? >> from at&t and nice to see you both. secretary lute articulated u.s. view by multistakeholder model in internet governance. i would be interested in the european perspective on that. cecelia you mentioned in your marks i can, in some view i can as a u.s. plot to maintain control over the internet. so what are the views on internet governance from the european perspective? >> that is a short question to a very, very long answer. i know that you have debates on internet governance here as well and they're very vivid. the truth is we haven't formulated a joint vision on this and this is part of the work i was alluding to i'm
11:16 am
doing together with my colleagues in the commission to formulate joint cyber strategy work. these issues will be dealt upon as well and we, we have to make sure that all the 27 countries are on board with this. some have their own strategies, very advanced. working with this for a long time. some member-states, some not as advanced and not as online as others. we must make sure everybody is on board. better to take a little more time to have this ownership, joint ownership and we're working with this, we're having discussions and negotiation and the plan is that this joint strategy would be ready by the end of the year. i can't tell you much about this yet because we are in the process of developing and identifying our views on this. it is important and with our american friends. we share very much the commitment to the budapest convention which is the governance in many ways and we have been working jointly with jane and with the attorney general to promote wherever we go countries
11:17 am
sign, ratify and implement it. that is very much at the heart of the where we are parting from and a building upon that we hope that we can be much clearer when i come back here maybe next year. >> thank you. question over in the corner. >> thank you. my name is marina. is this working? no? >> yes it's working. >> i'm a student, ambassador with emphasis on e!. i would like to thank both speakers for your excellent presentations and commissioner, i know your personal dedication and very strong ally with my country when dealing with cyber in the e you. my question -- e.u.. my question is to both of you cooperation with those country who is are not paying enough attention to cyber security and maybe in short do not see the advantage of cooperation inside the security what does it means leverage,
11:18 am
carrots to involve those countries more and more into international cybersecurity cooperation? thank you. >> so maybe, perhaps i'll start. and, i would love the e in estonia. i had the privilege of meeting, i am. of meeting with your colleagues when i was recently in luxembourg with cecelia discussing with the council big questions related to cyber as well as other things. i was also just recently in tablisi where the government is quite seized with the importance and challenges of cybersecurity. my colleague, bruce mcconnell who is here and who will appear on a panel shortly reports a wonderful saying and i think by the third or fourth-hand you are no longer required to properly attribute it i will leave them for him to do. there are two types of
11:19 am
organizations one might say two types of states in the world. those who have been hacked and those who do not know they have been hacked. this is the case. unfortunately some have to confront the reality of a cyberattack, intrusion, even disaster before they realize the importance of this surely we can not wait for that to be the case. and so you there the process we believe of creating a responsible cyber ecosystem where everyone is aware of their responsibilities, users, again we think, machines are users. can we, can we work to create machines that are shipped with cybersecurity capabilities already enabled so they don't have to being activated? that can provide part of a defense. users at all levels beginning with young children, certainly all kinds of users in cyberspace understanding their vulnerabilities. it is outrage just today we live in a time 25 years or more after the creation and widespread growing of the internet that there's not a single act test one can
11:20 am
undertake in cyberspace confident that your information or identity will not be compromised in some way. indeed for some you can't even plug in your computer. that is simply unacceptable. we have to do better and it begins with a frank dialogue at every level between governments, with our industry partners. with our publics on the vulnerabilities and responsibilities in a secure cyberspace. >> thank you. started by congratulating the work that estonia is doing on this i know your commitment and professionalism and high level of online reaching out even to the remotest villages and also the work of the your president of estonia of course very inspiring to many of us. i had the possibility to meet him a few weeks ago and we discussed exactly the need of this cyber strategy and where i can understand that a country like estonia is frustrated that some countries are not at the same level. this is what i was talking about. this is very -- >> remarks from earlier this
11:21 am
morning at the center for strategic and international studies here in the conference on u.s.-european relations in cybersecurity. we rejoin it live now for discussion on cybercrime. this is just getting underway. >> i'm very pleased that we can start our next session on cybercrimes, cyber criminalty. already heard quite a bit of this morning. my pleasure to introduce the moderator of this session. this is monika hohlmeier, member of european parliament since 2009. pleasure you came over here. made the trip and monica hole meyer is member. european parliament since 2009. a member of the committee on budgets. she's a member of the special committee on financial, economic, and social crises. the special committee on organized crime, corruption and money laundering. and of the delegation for relations with peoples republic of china and as she
11:22 am
was previously a member of the varying government in germany for education and cultural affairs and she is and that was already mentioned most importantly, calling the europe the legislator passing the bill, responsible for the bill on the european cybercrime center to be situated at euro pol in the netherlands. this is very important and highly responsible function. my congratulations on that. we're all very interested in that and following what you do and very pleased to hear. with that i would like to give you the floor for the moderation. thank you very much, miss hohlmeier. >> thank you very much. welcome. you are the second panel in the fight against cybercrime, a very interesting issue. and, to answer brian, because he had the question
11:23 am
about the new law and regulation in the up, we're in the trial log with this new regulation. called the directive concerning attacks against information systems. the european parliament and the commission together, we would like to have a more common european approach in the fieldings of tackling cybercrime because as you know cybercrime is international from the -- it is international and so we would like to have a common european approach in different fields, in the field of illegal excess, definition of illegal system interference, illegal data interference. illegal interceptions in the common definition of tools used for committing offenses. instigation and aiding and abetting and in the attempt. field that definition of penalties that offenses
11:24 am
should be punished, punishable of a maximum term of imprisonment of at least two years. and, aggravating circumstances of five years. so then we discussed with the member-states at this moment the corporation in between european union and member-states, the transatlantic dimension, the cooperation to other states in the world. then, the cooperation to private companies. we discussed something like minimum standards. we discussed now that, member-states should introduce some things, implement something like minimum standard like certification system for minimum standards in the cybersecurity because the criminal law regulation we think it's the last step in a long chain of.
11:25 am
that's why we now try to get through our new regulation. and i think we will have three or four trial logs and i hope we will have passed it with success in the next two months. one of the subjects will be the training. we will have here one specialist, ron plesko of the ncfta. he is the specialist for training subject but, to introduce the subject, to introduce the issue of the fight against cybercrime i think that most of the population is not aware that cybercrime is a really high profit, and low risk crime. . .
11:26 am
>> but because it's not easy to have an evaluation of the damage of cyber crime, but one thing should be clear, that cyber crime at this moment is more profitable than the global trade than marijuana, cocaine and heroin combined, so we should think about the cybersecurity, and we should think about how tackling cyber crime. the european parliament has the same goal as the u.s.
11:27 am
we want to maintain confidence and secure online communication and trade, so we have to tackle cyber crime. and cyber crime from the very first beginning was and still is a cross-border issue. i'm convinced and the e.u. have to cooperate, that we have to strengthen the cooperation. i'm glad that i can introduce to you the panelists we have, steven chabinsky, assistant director of the fbi, thank you very much. else to oerting, assistant director of operations at interpol and ronless coe. so i would like to have, perhaps, stephen chabinsky, would you like to -- >> thank you. i appreciate the opportunity to be here today.
11:28 am
there's no doubt that the international dimensions of cyber crime require an international coordinated response. and at the fbi and the u.s. government as a larger group we've decided to consider that to be relationships both with governments and with nonprofit organizations as part of the international solution. i don't really think that in this space we could afford to think that the u.s. government agencies really can do this within the united states without the assistance of the private sector both internationally and domestically or without the assistance of our international partners. but what's more than that, i think, is that we've changed our view together with our partners over the years of what that type of cooperation really needs to look like, and the ncfta is a primary example of our relationships with both private sector and its members in that we've moved past considering
11:29 am
information sharing to be the key and moved really towards collaboration being the key. we found most of the original discussions in the area of cybersecurity were placed on what data do you have, what information and products do you have, and how are you going to disseminate those as broadly as possible. the problem, actually, is far too big, i think, for that to be the appropriate solution. we ended up throwing a lot of noise into the system and receiving a lot of noise. noise meaning it was information that actually either was not relevant to our missions and our efforts to either protect our systems or try to find attribution, um, against the threat actors, or it actually could be relevant information, but the find we already know. and so what we found is from the perspective of really making a difference, and i would actually, um, think through today's panels and how you're looking at this problem in the future. we started recognizing a trend that where we were most successful, it wasn't because we were sharing information well, it was because we were working together side by side
11:30 am
collaborating and figuring out common strategies and how a relationship with the national cyber forensic training alliance, um, is one of those relationships. but we're also, um, on the ground, and many of our, with our international partners, the fbi has over 70 offices abroad, um, by invitation of host countries representing relationships with well over 200 nations where we're actively engaging in cybersecurity efforts not by just throwing information over the fence, if you will, but really sitting side by side and coming up with common approaches, prioritizing, um, what the biggest problems are, figuring out joint solutions, recognizing everybody's authorities be they within the private sector or within government and then creating out of that a strategy against the problem. so that, i think, is the biggest lesson we've learned. so now when i hear people talking about information sharing, um, i'm really listening for are your, is your information sharing side by
11:31 am
side, or are you really still on this notion that you're just going to send things out? and collaboration works, it's necessary, and it's working well. >> [inaudible] [laughter] >> i'm sure there'll be opportunities after, so i don't know that i could leave right now, but i certainly, from opening remarks i just want to encourage that point of view, thank you. >> [inaudible] [laughter] >> just a short approach to our new panel. so i would say, um, troels oerting, the next one, because you have a lot of -- cooperation to fbi authorities. >> thank you very much, monika, for this introduction and allow me even though that we should focus first of the trans-atlantic corporation that i take some kind of steps towards explain what's going on in the european union in cyber
11:32 am
crime, actually, right now. and i will try to focus on four areas, the given challenges the european cyber crimes center and the e.u./u.s. cooperation in this. and what is a given? and everybody knows this, the cyberspace driver cannot be growth and prosperity and intersection, a given. and we in the e.u. we, actually, are even more interconnected. we're connected by 72% of the population in, actually, the global average of 32. but because we are so, we are dependent, we also bring new risks, and cyber crime -- and it's already being -- exploited and continues to be exploited by terrorist attacks. and because all the network systems are vulnerable, it's difficult to detect where, there can be no thing such as absolute security, and i think we also have to recognize this. i think we recognize this in the
11:33 am
e.u., and i hope you also recognize this in the u.s. i think we have a difference sometimes in opinion about security. you can also see this, how you protect your borders and how the e.u. protects our borders. it's with a lower context that you have. cyberspace is commercially driven, and that's also why we need to cooperate with the private sector. i don't think that we are very good at that in europe compared to the u.s., but we will learn. and the law enforcement community, unfortunately -- and i have to admit this -- in various areas work very slowly in the offline world, but in on line world we actually need to react even faster, and we need, therefore, to step up some of the things that we are doing, and that's also why i'm happy to be here together with you and also with the european parliament. i agree completely with steven, we should prioritize what we are doing.
11:34 am
you will also find there is bicycle thefts on the internet, basically, there is all sorts of crime, and some more important than other, so we have to prioritize. we also have to focus on what not to do. we cannot do everything, and especially in europe we cannot, but we have to focus on this. we will hope that the e.u. and the u.s. cooperation will facilitate that we create norms for actually working and handling the internet. but we also have to facilitate some kind of understanding in this wild west internet that what is not permitted in the offline world should not be permitted in the online world. there are no free lunches, and you cannot just give up and say this should regulate itself. i have the pleasure to coordinate efforts in if an area of 500 million people, 27 individual states and 23 different languages. and this is a challenge, i can assure you, because i'm sure that both ron and steven will say they have their challenges, and you have one state, one
11:35 am
language and one legal framework. but this is actually what i have to deal with. and then i think we should focus on cyber crime laws and combating illegal activities and not try to restrict the access to the internet. it might be easier said than done, but it's actually our starting point. so what is the european cyber crime center, what is the aim and what should it do? it's been set up by a communication from the commissioner malmstrom who's our minister of interior in the european union. now it has to be endorsed by the 27 member states which will hopefully happen on the 8th of june under the danish presidency, and after that it will go to the parliament, and the parliament will discuss because they pay, so they also have to give some kind of funding to it. and they will deal with it. we should be up and running by the first of january, 2013, that gives me about seven months. and at the first of january,
11:36 am
2014. and what we have taken in our approach is a very inclusive approach. this is not a europol entity. this is not just the police thing. it has a much more inclusive outreach. what should we do? we should be an information hub, fusion center for all information in the area from law enforcement to private sectors. we should help create a help desk of 24/7. basically, everybody can report a crime. i can do this through the german police, and i can do from denmark the exact same web page to the danish police. will they work, all of them, on the same web page, or do we need some kind of coordination, what to do? of course we do. how will we do it? let's wait and see. we also have to create a public awareness. and i think that half of the trick is to give some kind of education or insight to the public about what to do and what not to do. i don't think that the cyber center will do this, but we will
11:37 am
facilitate it. then we have to create operational support in four areas; intrusion, fraud, intellectual property rights and child sexual abuse at a high level. because we have such a big area, we will also be relying on the member states, but some of the cases needs to have, let's say, a higher level of expertise, or they are so high profile that we need to assist the member states. forensic support. it costs a forchub to have these -- fortune to have these tools. it's so expensive. why should 27 member states try to develop even and every -- each and every step by themself, why not use some the research and development money we have in the european union and to collect, actually, the requirements created and give it back to the member states. capacity building, the e.u. is very different. we have states who are very, very high at the cyber crime agenda. they are very robust, they're very strong, u.k., germany and
11:38 am
other ones, but we also have member states who are actually not as good as the other ones, and we are only as secure as the weakest link. so we have so much some kind of capacity building, also, to educate law enforcement staff, but not just law enforcement, also prosecution and be judges. they need to have some kind of insight. then we have a specific role in the cyber crime center to protect the critical infrastructure in the e.u.. this is a huge task. this is already done to a certain extent by enisa who is, actually, the e. u. agency protecting the infrastructure, but enisa is not a realtime agency, and in order to create realtime responses, we need to also be realtime. but instead of the ec3 building up this capacity which already exists, we would like to have lay yeason officers so that they can continue to do their very valuable and high quality work, but we will actually benefit all of us. then the most interesting thing
11:39 am
for the europeans is the outreach to the public and the private sector. i think yesterday i visited ron in pittsburgh and the ncfta where we already have one agent working, and there will be another one coming, and i hope that we can, actually, have a permanent presence. and i'm really impressed by the way that the u.s. is dealing with the private sector in this, and you can create these nonclass areas that you can exchange, and you can work, as steven said, side by side. it's not just receiving, it's actually working, identifying it. and i think that we will try to do the same in europe if we can. because i'm not trying to reinvent the wheel. other ones have experienced longer than i have, but we will take advantage of this, and we will also try to be -- and this is the most important thing for the center -- it should be the european collective voice in this area. if you're a collective voice you speak not just for law enforcement, but also for the private partners, for the public partners, for the industry and for the population. and what we were trying to do is
11:40 am
by having all this insight, to be able to on a qualified basis say to the legislators, this is the problems. now you deal with it out of the balance between privacy and efficiency. but in this way we will try to do our best. so we need to develop a trusted relation to owners of the critical infrastructure, and i use here the ncfta model. as steven said, it's not just receiving. we have to reach out to deutsche bank, to british telecom, to other ones and work with them on this spot. but without hampering privacy. and here we have a balance. just like if you have a house and it has been tried somebody to break in several times, you report this to the police, and if somebody is trying to break in to your infrastructure, you will also report this to the police. we will include e.u. agencies already in the business, and as you can see, the cyber crimes center have this very broad task from, let's say, education capacity building to forensic research and development to investigation and also prosecution.
11:41 am
we will have to include eurojust which is our european prosecution services. enisa is already set, the commission and the e. ow. certs, and they will all be members of our board so they can advise us on what to do and what not to do. but we also need to go outside and include key partners. interpol, singapore will be one of them. so i already in talks with interpol -- and we meet frequently, every second month we meet in order to see what can they do, what can we do. there is no need for duplication here. there is a need for complimentarity, there is no need to have a competition about this. there is enough for everybody anyway. so what we will do is try to focus on what is worst, and then we will try to do our best. we already work with a virtual global task force on fighting sexual abuse of children. the european financial coalition
11:42 am
and the icspa which is an ngo in the e.u., but we need, also, to take a step further. so let me go to the e.u./u.s. cooperation. we already have in europol a high-tech crime center, so we're already working in cyber crime. we are now just scaling up this work in the ec3. why was europol actually chosen as being the host of the ec3? i think of a number of reasons. first of all, we already acted. secondly, which is very important to the e.u., is our very robust state of protection regime. we are the only agency in e.u. who are allowed to receive, process and store data on people who are not convicted but only suspected of crime in order to pinpoint the worst of the worst and make the connections between all the investigations in the member states. but we are also heavily scrutinized.
11:43 am
we have a jsb, and we have a data protection office which, actually, assessing these cases case by case, and i'm happy about this because this gives us the ability, and we will not just, you know, store information which is not used. we should scale up with very good cooperation we have with the fbi. i hope that the fbi will also post a liaison officer when they see it worthwhile in the center and vice versa. and we work with the fbi on child sexual abuse, and also we're increasingly working with them on intrusion. but i also have to say that fbi is very much on a bilateral approach. i think that the fbi would like to work with the nations, with the member states. but this center will now coordinate what is happening in 27 countries and very soon 28 because croatia will also join the european union very soon. and i think that we need to have maybe a change and adjustment in the way that we work. with i'm sorry -- i.c.e. we work
11:44 am
predominantly on sexual abuse cases and secret service especially on fraud, especially on credit card fraud. but we hope that the u.s. will also implement the chip over here on our banking cards to change the magnetic stripe, and that will help us a lot. we've just been full member of the ipr center in crystal city under the leadership, also, of i.c.e. but to a certain extent, also, with a heavy representation of fbi. i think that we also need to create a mechanism that we can exchange the information that we get from our private citizens, from our private companies with the ones that you get from your private companies. because, unfortunately, in this global crime when it was completely right, the protection risk is rather low, i would say. if you try to enter a bank with a gun and you're physically there and you get away with 100,000 euros, you have half the police over you. but if you do the same by
11:45 am
actually flying to make some fraud which we have seen a number of fraud cases in the e.u., for instance, carbon credit emission system, we have lost eight billion in six months, and nobody knows where the money are. they were last seen in dubai on the way to pakistan. but this is all done on a computer and, basically, with limited risks. i also think that the u.s. have an understanding which is a mistake that if they exchange information with europol, they automatically exchange with all the 27, now 28 member states. this is, actually, not true. we have handling codes that allows us to protect the owner of the information. we will just connect the dots. but if nobody wants to exchange information with some member states, we won't do it. but coordination is key. so the final remarks with that the european cyber crime center will deliver, of course. we will be very inclusive, but we will not be naive.
11:46 am
we also know that there are countries and partners out there that we might not like to work with for various reasons. we will try to do the right things, and we'll try to do them good. we will start modest, underpromise and hopefully overperform, not the other way around, and we will strive to inform policymakers based on facts. i would like to thank ms. malmstrom for showing strong leadership in this field and also ms. hole meyer who spent immense time on trying to get this right. ec3 will not come for free, but the question is not if we can afford it, the question is can we afford not to make the investment? and based on this, i will end by being an optimist. if we work together, and i'm quite confident we can beat the criminals, and we will also beat the criminals. thank you very much for your time. [applause]
11:47 am
>> thank you very much for the very good overview. and then the third panelist, the specialist for private/public corporation. >> there you go. you got that. well, i'd hike to start by thanking monika and my other panelists, troels who is suffering through some back problems drove up to pittsburgh yesterday, and i did not try to deceive you, i didn't find out i was speaking here until 4:00 yesterday afternoon. and also to other panelists, i guess i should say acting assistant director steve chabinsky, fbi cyber division. so with that, i have a few comments. not as detailed as troels' are, but like to introduce you to sort of who we are and what we are. and invite you all to come up to the ncfta. yes, it's in pittsburgh,
11:48 am
pennsylvania. i guess the question is, why? first and foremost, it's not within sight of the beltway, within sight of washington, d.c. and i'll get into that in a couple minutes, but i think information sharing takes place at the speed of networking, and it can take place anywhere in the world, let alone pittsburgh, pennsylvania. we like to say it's there because we've won six super bowls, three stanley cups and others, but we'll leave that one away. [laughter] especially since the capitals are doing so well and the penguins find themselves on the sidelines. move away from the hockey, but into some stats. it's always good to quote a longtime friend at the white house, and i was at georgetown's forum recently where howard smith spoke. and howard always has one quote that i like. and if you think about what's taking place from an e-commerce standpoint, over $8 trillion were moved in e-commerce last
11:49 am
year. we focus on that in a variety of ways, but we consider that inside the united states ach or account clearinghouse fraud. others consider it probably not the correct acronym, but you can get a giggle out of it, wtf or wire transfer fraud. so when we look at whether it's wtf or ach has a fraud problem, there definitely is in everything we do an international dynamic. what do we focus on? and i'll get more into who we are and what we are in a minute, but really what are we focused on? cyber threats and cyber crimes. i'm honored to represent the national cyber forensics and training alliance, help today co-found the place way back in 1997 before anyone knew what a fusion center was, before anyone knew what a private/public alliance was, that's how we term ourselves, or a public/private alliance, and came in the as the ceo about four years ago into the organization. specifically, we do focus on cyber crime, the worst of the worst and how it's happening.
11:50 am
methodologies behind it. intellectual property crime. sure, nation-state gets in there, but i'd rather stay away from that especially since i have a colleague on the panel who represents china because i think it's not just china. but at the end of the day, the attribution is a very tricky thing. the networks that are being utilized by organized criminals, botnet networks, bad guy organized criminal clouds, hosting networks, etc., are the same networks that are doing all the other things. the tough part is to try to decipher what's going on and the attribution related to it. that's a challenge not so much for us as it is our law enforcement partners, intelligence community partners both here, internationally, europol as well. so with that it's all about return on investment. so why would a private sector corporation, u.s. or non-u.s., want to partner with us as an organization? they'd need to see immediate roi
11:51 am
back, that their money or their partnership with us is paying dividends to them, preventing things. same with our law enforcement partners. fbi, steve, thank you for your kind words about the ncfta. fbi was really a co-founder of the organization back in the late '90s and has been there ever since. steve's, um, cyber division has a unit co-located with us, and they've been so since the inception of the ncfta. we also have homeland security. ispr center. formerly i.c.e -- i love the acronym change, a merry go round these days, but i think it's hsi, homeland security investigation. dia, dea as well as a handful of other agencies that we share more in a tdy capacity with inside the u.s. big gov, if you will. the history of pulling an entity like this together is on our web site, so i would defer to the web site, but i hearken back to
11:52 am
a long time ago when i first met steve chabinsky. i was a board member, and he was an attorney then, still, with the fbi, and sat down with us to figure out how to you set up a collaborative center in which you can share information related to cyber threats, we now call cyber. back then we called them computer threats back in the late '90s. how do you do it legally? and steve was instrumental on behalf of the fbi as well as on behalf of the department of justice and our outside counsel in putting together a formula, if you will, a game plan on how to do it in a legal framework. and the legal framework that we stand by today is one in which we enter into legal agreements for sharing of information, non-pii for sharing of that information towards threats for three goals; identification of cyber threat or cyber crime, share towards mitigation and, third, share towards neutralization. some would refer to those goals
11:53 am
as disruption, dismantlement and destruction. i like that, d3 is a new term of art we started to use as of late. but the idea is to get out ahead of the threat actor, and i thank the center for hosting this today and inviting me, though last minute, invited me to come speak because i think the issues are more important than a lot of americans, a lot of citizens, worldwide citizens really understand. the threat, the threat, the threat actors are sharing realtime at the speed of networks. we get together in concerns, we get together daily in what i do and manage and try to share realtime as well. but we have to do so within the confines of the law as well as treaties, etc., regulations as well we should. the threat actors don't. they don't have to care about that. and therein lies the major challenge. so with that, um, a little bit about us. wewe are a 501c3.
11:54 am
we're a nonprofit, we're organized like in the united states a church, temple or mosque would be organized or a red cross, the red cross would be organized internationally. we're lucky to have 1200 partners worldwide. 34 countries, we share information with 34 countries. and as i speak to you now, seven countries represented in this room -- i got a look at the list a little earlier -- actually have law enforcement agents detailed to our location for 90 days the only way we're able to do that is not only with the cooperation of steve and the fbi, but also with the cooperation of, um, private sector. private sector is helping us in underwriting the deployment of those agents to pittsburgh, pennsylvania. and believe it or not, they're very excited to be in pittsburgh, pennsylvania. so with that, i'm remiss if i don't say as troels mentioned, we also are hosting a europol agent at the location right now. this was born out of necessity.
11:55 am
last year at the conference where law enforcement, private industry gathered, we all -- as all good thought usually happens, over wine or libation -- decided wouldn't it be great to get everyone in a room to start sharing, to start sharing not only the national and international dimensions of the problem, but to start sharing what law enforcement companies are seeing inside of your member states, in your member nations. we would see each other an yulely at conferences or in different parts of the world in our travels or successfully as the fbi has worked multijurisdictional cases with a lot of you in this room. but we got to know the individuals and said what if we would co-locate, what if we would offer you the opportunity to intern in pennsylvania? last year we hosted six, this year we're honored to host eight, and our private sector partners are happy to underwrite that, and i'd be remiss if i didn't thank she man tech for
11:56 am
underwriting a big part of that. so with that we also are looking forward to partnering with europol and to working that out. simultaneously, i like the note of noncompetition or complimentary competition, if you will. we also are working with trying to figure out a relationship with interpol and they're emerging crimes center. we've hosted them in the fall and recently hosted them as well to look at the worldwide aspect of this problem. countries, other countries have spent a lot of time with us that are not in this room. why, i guess, is the question. whey come to a nonprofit in -- why come to a nonprofit in pittsburgh, pennsylvania? i think the answer lies in the information that is being shared. that information's being shared by private sector. cannot speak to the e.u., the european union states that are represented here or the members, but in the united states i know for a fact close to 90% of that private sector owns 90% of the critical infrastructure in which
11:57 am
the threat actors do their deeds, if you will. so with that, that's important. and for us it's important to get back to the private sector that information that will allow them to mitigate or prevent some type of cyber crime from happening to them. so to do that, we organized ourselves around trends or threats, what's happening today. ach fraud, sure. so financial-heavy, we're partnered with a lot of u.s., non-u.s. financial partners. looking at threats that are hitting them as well as trade organizations that represent them or fsi. tomorrow morning i speak on a panel with financial service information sharing and analysis center up in baltimore. so that's one aspect. financial-heavy, sure. why? that's where the money is. threat actors, organized crime and all the pieces of malware that we track are written to steal credentials, to steal money and to move money somewhere. but that doesn't mean they're not after other things such as intellectual property rights, so
11:58 am
ipr. that's why we're happy to partner with the ipr center and the last couple of weeks and going into july also deals with intellectual property rights issues. nation state, we do trip over that, but it's more the criminal state actors whether it's counterfeit pharmaceuticals, luxury goods and the public safety impact of those pharmaceuticals or goods. so we do share a lot of information related to that. telco and mobile, mobile is ubiquitous. there's more cell phones coming online than people are buying computers worldwide, and in the back of my head i know the stat, but i just can't pull it out and give you the quote. i'll leave that there, but mobile's a huge problem. over 132 last check so far this year unique pieces of mobile malware cross-platforms, android, blackberry, and let's just say, sure, windows is in
11:59 am
there, but it's not as ubiquitous in the environment as iphone or android is. we focus on the confluence, the infrastructure that supports threat actors, that infrastructure that supports the promulgation of the direct threats, vis-a-vis spear fishing or anything like that. so with that i just want to give you a sort of high level who we are, and then i wanted to thank you for allowing me to come here for a few moments and share some thoughts and, hopefully, we'll get into some good q&a here in a moment. and i'd be remiss if i didn't thank monika for being our panelist, and hope fly she'll be -- hopefully she'll be kind to me and thank you for your attention over the last seven minutes. thank you. [applause] >> thank you very much, ron. i think we have 15 minutes until

37 Views

info Stream Only

Uploaded by TV Archive on