most are the ones that would kill mosquitos eventually with this particular type that causes malaria to go to extinction. >>host: what is behind this technology? >> is the bill and melinda gates foundation in seattle from microsoft founder bill gates. he and his foundation of and running this a little over 10 years they spent about $44 million which is not a lot from their perspective but this is the most developed program out of london with the imperial college it is a big program to develop to have concrete plans to release them. >>host: they do have
concrete plans? what are the risks? >> bid is the contingencies it is still in the lab the gates foundation did put together a business plan to release the technology by 20 or 29 but in terms of the rest what they have never been able to do before change the genetics of the whole species including eradicating them. that has never been done before so people who will criticize this technology and there will be some is the question of the unknown. and then there is another
question of what kills mosquitos and what if it jumps to another species? that is another concern that people have. >>host: we're taking your questions and concerns with the fight against malaria. the lines are divided by region. extinction in invention and the m.i.t. technology review latest edition. if you talk about disrupting ecosystems, who would have for what country would have the moral or legal authority to do something like that that would impact other countries around the world with their ecosystem?
>> looking at what happens with this species is releasing the technology that they will fly across of borders ohio deal even use that technology? in sub-saharan africa and the biggest country in the democratic republic of congo? that is a big issue people are talking about the national academy of science is working on a report due in a couple of weeks but there is a debate we have never had before which is who has the moral authority to eradicate the. >>host: is the united states or companies doing similar work to try a 258
zika zero or malaria or other mosquito borne diseases? >> there is three or four different technologies involving engineering mosquitos to be of the most radical but there are others because it is testing another type of genetically modified mosquito you have to release millions because of the suppresses the mosquito population that is tried out in florida there is some opposition to that although the government put out an opinion. >> you had a recent headline in the technology review.
>> that speaks to the diversity that is out there and how they're treated differently if he is a genetically modified people are worried lot more regulation but there is one of the parasitic bacteria and it has been added it also renders them still because it is sent regulated the same way but that is changing mosquitos also to spread animal diseases so we don't have that intensity of you also king a problem
they do question if it will reach the united states this summer with the zika virus. >> the mosquitos blamed for an outbreak in why that caused health officials to declare a state of emergency in february and as you said the epa is regulating it as the fda moved a step closer to allowing genetically modified for it to be tested of florida is this an effort to move ahead in preparation and if zika does reach the united states? >>guest: the theory is a bigger problem than zika and there has been some cases in the united states. with the company's
motivations for testing the genetically modified but the main opponent so the concern is that they don't want the test happening because it would sound like florida has a disease problem a bit like that idea so it is an interesting mix against these types of tests. >>host: let's get to call. >> caller: why can't we use the technology we use 100 years ago to eliminate malaria in pittsburgh with ddt? >>guest: the wonder chemical very effective to kill mosquitos still used in some parts i think it builds
up in the environment with a long-lasting chemical. there are environmental problems. because of the environmental concerns. >> caller: good morning i am struck that some studies i got through reading the book the brothers. '' companies like united and in africa how can you attract so much attention to
a mosquito play in a company cannot go in why do you deal with mosquitos? think about it. >>guest: as a related anecdote bill gates is developing these mosquitos. with the self annihilating mosquito who is bill gates to do that? but in africa and opposed to genetic engineering. to the point it was signed by 30,000 people of the genetically modified the man in uganda. if there is a huge opposition on the ground in
africa with the different points of view or united true for that matter. >> but you write in your piece that officials and united states worried that it might be too easy with this technology. wondering if they could be misused talk about that a little bit more stick that is scary it is a much easier way to genetically modified the mosquitos so when they target malaria when the 27 year-old kid does the work
to create a mosquitos that could literally wipe out all other mosquitos so it's a little bit scary but the power that the individuals now have to reshape the environment is a problem that could be used for good or bad credit control and individuals decide to use? students getting their ph.d. is but you never know there could be a bad actor somewhere and the risk is the technology could be used for terrorism or criminal purposes. >> what you put in a mosquito? >> you can do is a lot of places people but it cannot
do that it is too small. but you can imagine to create the driver of the bumblebees are the pollinator you could really say plague if he wanted to but united states and most other countries we don't develop biological weapons as the government defense enterprise. >> good morning. years ago i worked in the hematology lab and like any branch of it of george washington university and i
saw a tremendous amount of people who have malaria of what they called differential you can actually see it and we have a number of patients at dunno if they use that term or not people do not realize they you cannot support as a people with sickle cell anemia the likelihood of getting malaria. that is what i just went to say in down here in virginia beach i don't know what they are using but there are no
more fireflies anymore and people have wondered about that. they have killed those as well. and i see very few bees or butterflies. >>host: and on twitter to ask how can you be sure when you kill off the mosquitos you don't kill the bees? >> right. that is the question of the o genetic scope what about the other species? this technology then gene drive is spread by sexual reproduction. so it will not reproduce old will not spread but how close of the species do you need? i don't think it would spread it to the bumble bee but it would to a
closely related species bear right now this technology has to reproduce together in only happen and probably not with a bumblebee but it is a little scary to say will release into nature of mechanism to eradicate life of a mosquito if it affected other forms of life. >> that is what another twitter follower wants to know to upset the ecological balance of species but first, how long, how many mosquitos do you have to introduce that would die off? how long would that take? >> these questions are still
unknown. the projection was to start the chain reaction the only four or 500 that itself would start the chain reaction. >>host: and how long will it take? >> the faster it reproduces the faster it spreads with the case of mosquitos of you were to release that that it would fill in the intervening area so wouldn't take very long. >>host: we're talking about biomedicine for itt technology of new technology
to kill the mosquitos species and the effort to eradicate malaria bill gates has already spent $45 million on this new technology. >> my concern is if they release this in africa how does this affect the drinking water? what is the effect on human of the treated mosquito bites a human how does that affect our own dna? >> it is a dna but managing it is true that they buy either is a change of blood but there is no way to be
taken up into your dna. that will not happen. so there is no risk to humans directly from these mosquitos so the point is to get rid of the risk of malaria. >> it's nice to hear we use ddt?esides politics. the gentleman is said why don't we use ddt? my dad used to spray in the house but almost all of us have liver problems. and i want to say that this needs to be explored so we
have to have faith in some of the intellectuals and the researchers that they do this for the good of humans and if we don't they will do that in secret anyway and we will just not know it. >> to the plight of ddt with the new technologies instead of spraying of that of the houses and in the pond to affect other insects the beauty of the technology is specific to the dna of this species and it is genetic. that is the power of biotechnology. i think the caller has a good point we should encourage the scientist or will be a substitute for
new $45 million so far that is the biggest spend on this technology with health and biomedical research so the u.s. government itself has not been funding the research. as far as the fear factor goes, malaria, of the media to stir the figure of viruses yes you need to bring it to people's attention iran at one to go to latin america as it is spreading but i can tell you one century ago one of the
biggest breakthrough discoveries ever in the history of medicine to understand they really are spread by mosquitoes and the challenge is that new technology those are afflicted by malaria still don't know how it is spread it on notice spread by mosquitoes or standing water so a lack of information that the space sec level is an obstacle so i know he really says it'll spread disease. >>host: denver colorado. >> caller: good morning.
this is spread and it is deadly and data good friend who died of it like within 12 days and you are gone. it is very unique in the midwest area. i cannot think of the name of it but just certain mosquitos obviously they spray for those your but golfers. >>host: had you heard of this? >>guest: i don't know which disease she is referring to but mostly affecting birds and horses it could be west nile but all of those including lyme disease which could also be
addressed by technology it is spread by a tick. i got one disease last year. you can cure it with antibiotics so even in the united states it is spreading genes among the wild organisms and also dealing with problems like lyme disease. >>host: in "the washington post" this morning says poses the question. life fighting for the zika to said the present like to see additional 1.9% billion dollars to fight the zika virus a decision based on new research showing that it destroys the ability to think in the fetal brain. so does this pro-life stance
good morning go ahead. >> caller: i was curious about the genetic tailoring if there is the plan and though labs and in that event so whenever that factor is you can reintroduce a species back into the environment and ecosystem? >> there is. first call is an open question if it would extinguish the species completely but then you can maintain them in the lab and to destroy them in nature then you treat the people that have malaria and once that was cleared up there would be no human reservoir said to put the mosquitos back into nature absolutely.
>> i am curious of the scientific of the tuskegee airmen and that has been viewed very negatively with the experimenting with these initiatives. definitely. that is colonialism it will help you but what will happen? the bill and melinda gates foundation has a ground game already to send scientists around to the governments in
africa to build a consensus for the technology in the future and try to change that into the african labs so they want to trade the african scientists to work with the mosquitos to develop the technology further. >> i have a very simple question for the doctor. wed he prefer the speed doesn't? does he feel it is a good day or a dangerous thing to do? >> i'm actually a journalist so i will refrain from giving you my opinion of i
think it is very interesting. >> there is of little bit of concern what would stop somebody adding a gene to the human genome like a terminator seed with the cubans? with the gates foundation it does work in population control and eugenics so do you see any issues to work that same magic in humans? >>guest: that is a good question because the underlying technology does the magic of mosquitos it also be used to change the dna of a human embryo so for
example, in your family have the inherited disease you to try to change the dna like cystic fibrosis or something like that. so well reengineer humanity may be everybody should have gone terribly why is that the gene drive will not be a big worry because we produce too slowly. >> what about the possibility of the genes changing themselves? >> soviet militiaman this
still happening if even one mosquitos shows up soon enroll replace all the dna then it will come back so the main concern is that will make said gene drive so could you take something we did not intend to have heard that possibility laid out yet. >>host: we have to make it quick. >> caller: is ebola spread by mosquitoes?
>> i don't think so. i believe it is bodily fluids. >>host: lead with warmer temperatures why not vaccines? >> bay has spent lot of money on vaccines but it is hard to do so at that plaint it is happening before that becomes available. >>host: the extinction and invention of bill gates foundation is behind this technology you can find it online thank you for your time this morning
honestly is a separate discipline to shed some light on some of these issues. first, michelle is one of the titans of the counter intelligence world the first director of the national counter intelligence director when it becomes part of the national intelligence function under president bush into cyberissues she is young but before they were cool. and active defense issues to
so we will start with michelle to provide a primer that i think what they think of counterintelligence they immediately think security. but there are also of some differences. i am curious of some of your thoughts how should we frame this in terms of thinking about some of these issues? >> start by what we mean by foreign intelligence there is a whole range of things that adversaries and other entities due to steal our secrets but also to harbor there's to deceive us into thinking or doing.
so there are operations as well as collection activities falling within their range of counterintelligence to deal with foreign intelligence to interest dash whole man that abroad. so counterintelligence is the full range of activities conducted in order to identify these foreign intelligence activities to neutralize rather to deny them access to by deceiving them or by exploiting what we understand of the foreign intelligence activities. so what is done to protect our secrets we have a full
range of activities to protect secret information and access to national security so a full range of security activity the personal security to protect the secrets to be sure but beyond that protection is counter intelligence to hobby intentions and objections how they are targeted and recruited and what is the nexus of their relationship that the foreign intelligence service
does but now we can identify that we can look to those for their abilities and best of all with the for intelligence adversaries. that it is succeeding what it is doing against us with the operations with what we're doing. that the potential sometimes for attention because what counterintelligence tries to do is what security is security officers made to
organizations it does come back. end in the insider group i see somebody that just made a mistake and left the back door open by eight accident nbc the malicious insider when you hire them that maybe they are recruited. and then partners and with that data base administrator. and pretending to impede that individual.
and with insider threats and what is required to interpret in order to capture it is out there we have that information. we get this from data from application so we don't have a good way to use security analytics. with that h.r. database and looking for predictive signs going to a personal and professional but it is definitely something to warrant further research with a large organization or a large government agency.
said get past the notion to respond and get in front of it gives the good guys be added advantage to operate more efficiently for these threats regardless of how they are sourced. >> i am curious on the privacy questions thinking of these issues with a government environment so i want to build a little further in terms of the threat actors. russia the china iran and north korea is not rocket science those of the modern military has a cybercapability so i am curious into understand to
understand the normal. it is different country and of country. in we're collecting all of the data to have limitations but we have to make to. and with artificial intelligence and used to be a hindrance or people it took the more processing power it hurt but today we come across that chasm with the more context that we have. in those privacy issues have
to be addressed for the fortune 500 and now the other point of the threats and that god created man with truth in advertising. [laughter] >> but in order to facilitate but in fact, you don't need to be a nation state end as accurate at that time to advocate that ability as a cyberwarfare capability and part of that is recruitment for comeback to the earlier statement to
commit sabotage and espionage these are far easier. >> but to build on that why back in a lot of money was poured into that. and to put the savings on the market share. the. >> with the combined arms approached the integration of cyberattacked to prevent the golden opportunity. those four actors that have a strategic objective to see
and so what does that say to the united states? lee do have this pride extrapolation of these actors but we also have the up characterization of those resources with those entities harming the u.s. it is a different order of magnitude. >> to carry out with great effect across the united states but those other
actors they engage. >> can put china at the top of the list? >> but i think the russians give them. >> the line between as benign as attack if you can exploit you can attack. and the theft of intellectual property. so the next question you have to ask when you see in the theft of our critical infrastructure that has no economic value that is true.
and without war fighting plans a we hear about that and with that same economic impact. and michelle lima that upper i.m. but we heard you say these other actors that our less constrained? >> select every to support that comes out every year so it did say grey area and as a bad guy so it is easier if
somebody has access rights to look like the insider the average length of time supposedly to a hundred days is a considerable element of time but my point is there is spi is going on from the bad guy perspective with the infrastructure and networks of companies to see if they want to blackmail people but not be overwhelmed the seven
nations states perspective fully agree the biggest challenge and the greatest example of that to higher organizations or individuals to have them conduct that pack -- that have to find the work and then it gets to that point that a nation state to feed off the attack to mappings out with a broader base attacked china or russia you name it into
go create something with it. >> there has been a lot of attention on the attacks to be diversionary. can you say that with confidence? >> it used to be a cannot connect my e-mail that is a distraction there are so many other things it is a distraction of the companies went into business? but the battlefield that has changed to incorporate society but i am curious but
all government to have the defense against espionage. there has been many individuals who leaked quite a lot of information. so what can we logically expect companies? what is the all come? you do this every day. to provide one had to present security with a magic wand. >> what can you expect out of that? >> to see that they're the most compliant in the world. socially enable organizations?
and the damages could be cost should be. and that can be quite severe. but i do think the government is learning. the wright brothers were 1903. we had a man on the moon in the '60s it has been 70 years from the first flight this is increasing at a much faster rate but the convergence the information and sharing is what is what is needed to prevent everything that we can't so
if we think about cyber as a moving target with that approach you have to do that with the cooperation between the private and public sector with the financial services industry i don't think we have had enough people are holding their cards too close to their chest with those new tactics and until we get to that spot of sharing information the bad guys will have the advantage and they know that. that is why they take advantage of it today. >> there is a lot of space to build stronger walls are higher walls i now think
what is the external or internal because the tax service is growing exponentially. . . a companies have the wherewithal to do it. but i would argue the financial services sector is as sophisticated as government, if not more than most governments. >> the devil is in the details. if i hand over a bunch of information, let's say network capture data that could contain lots of sensitive, let's take financial services, lots of financial services information,
pii et cetera. health care same thing which is considered more sensitive than financial services data. >> i am saying your data you already own. >> the data that we own could contain sensitive data about employees and partners and customers. being able to screen it might then make it so it is unusable for forensic analysis. a very, very difficult problem to solve. i think in most cases most organizations don't feel comfortable sharing that level of data. i think that in the future that might be something better that we can use to adopt this information sharing with things are scrubbed and this is a bit of the utopia. >> i'm asking a different question. if your data is exfiltrated, do you have the ability to do forensics collection on the perpetrator? so it's putting beacons on your data. it's lighting up your information. it's your data, suggesting, i think that is a breach of our to clear point.
but there are lots of technologically possible techniques that are being fully exploited. >> things that we can plan and track, absolutely. i'm a big fan of that. i think that's a great tool. but the problem, it echoes a certain countries like iran for example, there becomes legal issues now because of that actually considered sending technology to those countries. from the perspective legislation needs to catch up. a number of countries would love to see take data with these tokens that beacon back so that a truck through all these black markets and over the deep dark net. it sounds a little bit like science fiction. some of it is but the reality of it is we can do a lot of this today. but we are legally prohibited from doing much of it. >> any thoughts on the cyber side? this is an unfair question because he is working on a project with a. >> the legislative issues are aside when you look at the
ability to do that, and it is being done today which i know it is being done today, due to that. there is value in gathering that intelligence. it is counterintelligence to a degree. variety of formats. however, there are those legal challenges that we have to address at some point in time. but it's plausible and not too difficult to be able to put beacons on data to be able to track of the information, destroy data, delete it if it is accessed outside of your network. there's many different ways of being able to do that. i think when you talk to your first part of your question, you are getting into the issue of insider threats and counterintelligence. whose role is that? is it a corporate role of? is a their convergence? between the two. is better how organizations should look at it, offenses
versus defenses, protecting your network and data. there is a framework for these things. >> you have linebackers in football, american football, where yes, they are defenders, trying to keep others and scored on the but they can have the offensive mission if they get a fumble. there's all sorts of analogies to play with. but michelle takes us back to restore. there's a difference between security and the role of a cheap ticket office on someone who understand foreign counterintelligence. >> also it's very important to discuss the vulnerabilities of industry, the things that can be done in order to protect the proprietary information, to defend privately all held an operator networks against potential cyber attacks and there's a full range of things that this conversation has touched on but we would be remiss if we did not also acknowledge the use of cyber attacks for collection against
traditional national security targets. and i was a from the standpoint of u.s. counterintelligence, perhaps a devastating on what really was the breach of opm's records, which is rather in one sense a traditional type of a cyber attack against a set of records and the exfiltration, thereby of some 22 million individuals' records. that includes those sensitive -- i got my notice from opm. we regret to inform you that your data may have been compromised blah, blah, blah. and maybe many of you here did as well. but what is perhaps less appreciated, or what we don't want to think about too hard because it gives us nightmares is the way in which this information will be used may be is being used by the nation that
took it. so it's likely, as has been said, speculated publicly that the chinese were behind this exfiltration. and that the records they now have acquired are essentially all kinds of the most sensitive personal insights on any individual who has ever done any classified work for the united states government, whether on the inside or at the contractor. because virtually all of that with some small exception were held by opm. so your information about where you travel, for example, into in these federal personnel files which means that you also disclose reports of any foreign contacts that you might've had. and so if you are behind this, you are the editor behind this and you're putting together the network that shows him speaking to whom and where and when and
why, you begin to develop an understanding of potential if u.s. intelligence operations, human operations worldwide. you certainly have an opportunity for defining potential recruitment of people who have access to information that you are interested in, in reaching. so the way in which these files are going to be used, this is a nightmare for u.s. counterintelligence going forward for years and years because of the extensive reach. then you saw people talk about this on behalf of the administration, people saying, look, this is traditional, this is terrible, that lets recognize it was traditional espionage. it's the kind of thing that nation-states do against one another all the time. so we shouldn't think, we do, too, so we shouldn't think that this is all that devastating. but i will say from the
standpoint of wearing a counterintelligence hat, every single american should be saying this is unacceptable. it is unacceptable that we are this vulnerable, and it is unacceptable that we don't do anything about it. because on top of this, you have all kinds of attacks come in this case by the same actor, against our health insurance companies, for instance, acquiring more personal information or against extramarital dating services acquiring other kinds of information, and building dossiers. so building dossiers and building dossiers, 22 million people, 7% in one vacuum, 7% of the u.s. population. add to that more people and more people and more people, what's going on? what is going on? why, why are the chinese and potentially others building personal dossiers on so many americans? what is the end game?
i think i understand the end game from an intelligence perspective, the recruitment kinds of things, understanding what our intelligence services are doing in the world. they want that information for specific reasons but why they are doing this kind of personal dossiers on others, why attacks against her health insurance companies, for example, i am sitting you mystified and yet it is going on and it is an invasion of our privacy day to day today, and we should sit up and take notice and demand action. >> countering on a few things, key point. i think participating in some of those resolutions of the opm breaches, it was about as big as you just described is a loss of so many people, it's just a data breach. i protect my personal information, that's great, la dee da. the impact of all of that information together traditional
diet of what's going on in the world. that cannot be understated as an area priority. >> if you do try to do some of them at ss the coming out of that. >> what that means that what looks like for individuals, elements of the government, for our nation. and it is quite, many people talk about the cyber 9/11 and la dee da, battled the concept, i get there. that was about the most, the closest thing that anybody could be considered a cyber 9/11 was that in my opinion because of the date of that was available and axes and what information is doing today. the challenging thing is the process from which that was accessed and exfiltrate again goes back to my previous point. it's ones and zeros. was inside or not an insider? somebody had network access. they had logon credentials to get to that data. so innocent a threat situation you may not ever seen that happen.
however, if you put on a counter intel hat on you know wait a second, bad guys want this information. how am i securing and? how am i confusing the enemy about this? those conversations were not decision had so that the cross over between threat and counterintelligence. >> just imagine the nightmare let us not forget this came just in the wake of the edward snowden damages. >> do they compare contrast. >> the damage done to u.s. intelligence capabilities. i mean, that is just so staggering, it is beyond our ability really to describe how serious that is. we were talking about damage assessment when i was an executive in one of the responsibility of the office was to do damage assessment. and i will tell you it was difficult enough doing the damage assessment on a long serving spy like katrina leung was a plant by the chinese were
17 years, and 70 years as a very long time to have access to such sensitive information. that's a very difficult process. take that and expanded exponentially into what edward snowden was able to abscond with and hand over to the russians. i don't envy the people that they were trying to assess the extent of the damage because it is just extremely difficult. >> i want to say time for at least two quick questions. >> i will add onto that the we're working with a very large oil and gas company. i guess they're all very large. they suffered a phishing attack. and you know campaign is going after these executives in the company and one of the executives was compromised, malware was inserted onto his laptop via the spear phishing campaign but then once he was
compromised he was able to move laterally to all the other executives because they thought they were receiving e-mails or attachments or connections from other executives. for over two years 90% of executives at this company had had their systems compromised. they were capturing every document, every e-mail, every password, every communication. they turned on keyboard monitors so they could track everything that was typed. they turned on the video camera and they turned on the microphones. could you imagine 90% of executives at this company having their camera turned on for over two years? so when you talk about measuring the damage of something like that we don't even know the extent of the damage. a lot of the bids are close like that in terms of we found a new oil deposit of revisionist we like to bid on the. the ramifications could be billions of dollars that could have an impact on national security. just to show that example. >> and i might note the
significant and exploitation of our intellectual property is an attack on our economic security as well, which is inextricably interwoven with our national security. we will have time for two quick questions. right up front. sorry. >> i'm a senior fellow here at the center. to carry on with the opm thing, everybody forgets to say that there may have been 20 some million people that were affected by it but it doesn't have all of the people that they have listed on their forms. none of those people got their data. but to fall upon it was taught by the economic security systems, an issue that is near and dear to my heart. michelle, you probably remember 1995 when a city on the advise record for the then brand-new national counterterrorism center. we came in front of intelligence policy board you were chairing and i got the private sector answer into the national intelligence policy as a legitimate consumer of
intelligence and also probably recall the ice response was there not our customer. 2014 when clapper put out his latest strategy document, the private sector still is not listed as customer of intelligence community but we went from that briefing with you in 1995 of having it countries that we are aware of that were actively and aggressively stealing technology to the latest report of national counterintelligence executive office that says that while in excess of 140 countries are actively and aggressively stealing technology. what is the intelligence community continuing to bury its head in the sand and not acknowledging that they have a responsibility to the economic secret of his country and educating the senior -- >> i will have to ask you, we have two minutes. >> -- about the risk of their facing so they can take actions speak with one of the things congress with washington with a critical national counterintelligence executive was to give that office an
explicit responsibility to reach out and help educate and provide information to the private sector so it is closely in the statute. i think what you buy from intelligence community though is a single, our job is to collect secret information as tasked. so policy tasks the intelligence community. they come forward with information and then there needs to be an appropriate entity that is responsible for the dissemination of that information. and in addition to that we need to have a wiser way of government industry partnerships that really are genuine partnerships. everybody needs to get along and share information. that in and of itself doesn't cut it for me. i think what we need is to have explicit missions, objectives, goals and assignments, government industry working together to a common end. >> very quick question. please.
i'm sorry. >> i think of threat analysis and when we say national security, we think of things directed against the u.s. mainland and its commercial operations here. the threats are around the world. we are in a global society and what i am not hearing in this conference and in the intelligence community more generally is a realization of mistakes that we have, for example, with regard to the south china sea which doesn't have direct attacks on us, with regard to iranian domination of the economy in the gulf area, which is their main thrust there more so than a nuclear threat against the united states. although either one is pretty
terrifying. the point is, there are many issues of security that are not in the united states, even with the government or with private industry. but very much affect in the broader sense of national security. >> does anyone want to comment on that? >> understandable point. >> put another way, yes. and i also think though when we think about insider threats, when we think about cyber, when we think, i mean, technology will continue to change whatever we are thinking about today, i hate to say. we are all wrong. it will change. that's a constant. human nature will remain the same and there are only a handful of different motivators, i don't care through what means and/or vehicle, once we understand the motivators can once we understand the behaviors, and if we can do it
in such a way where we are doing it where we don't undermine our privacy, i think we are on our way for. please join in thanking an amazing panel. [applause] >> we are down to one last -- thanks. great to see. >> all right. we are down to our last keynote speaker, thanks to everyone for joining us. you are not going to be disappointed. our final speaker is admiral dennis blair.
admiral blair is i think everyone here knows a former director of national intelligence. he also served as our, we were calling him -- he was a cink in the pacific region. he served in senior positions at the joint staff, at the nsc. everyone knows admiral blair as a thinker and doer. a soldier and a diplomat. and i'm thrilled to be able to have him co-chair one of our major initiatives on, at the defense. in addition to that is a bio is in everyone's handouts will not go into that integrates specificity, but he is totally chairman of the board and ceo of sasakawa, which is a u.s.-japan
entity. we are thrilled, delighted. thank you, admiral blair, for taking time to join us today. thank you. [applause] >> this is my cyber day. i was down this morning at the naval academy with an advisory panel on their new cyber center, cyber major. it's wonderful to see the next generation coming along. part of my ambition is never to be part of a meeting on cyber in which i'm the youngest person in the room, and i think i can achieve that. thanks to those of you ours shall be endured to show up at this point in a daylong conference. and generally everything has been said. it simply has not been said by everybody. but i will try to avoid that trap and perhaps raise a few new ideas on this very important topic. as i was looking over the agenda that frank put together, i saw so many current officials,
retired officials, all of them veterans of this two decade old struggle to keep americans safe. i know, i've worked with many of them. as i thought of the contributions i was reminded once more of a great injustice of the common american public opinion towards these men and women and towards their colleagues. they are to a person dedicated, patriotic, incredibly hard-working, motivated by a burning desire to protect their fellow citizens, and determined never to let something like 9/11 ever happened to this country again. and yet somehow they've been characterized publicly as a group of civil liberty and privacy trampling rogues who try to pry out of secrets from the lives of their fellow citizens. spend their days poring come and do not support over information about innocent citizen for
nefarious purposes, they're portrayed as running wild on the internet, citing information from information to be stored forever and used against innocent citizens. but most of you who are now working in this visit i think are shrugging off his caricatures. you go about your jobs as diligently as you ever did, but i do think it is up to those of us who do the public voices to use them to oppose this misconception, to tell the truth. that those public servants at the national security area are working incredibly hard to protect americans, that they carefully follow the limitations on the activities set forth by the constitution, the laws of the land, executives, directed at the direction of the bosses in both the executive and legislative branches. but that's another speech for another occasion. but what i do give a speech, adecco by colleges and talk about that, i find that there
really is an understanding of what these dedicated public servants are doing. not ignorant rejection and i think americans can understand the rim of the efforts made to protect them. i think we need to continue to explain that reality, so the correct ideas are widespread. and to those of you who may still be there or work in places like dhs, nctc, the fbi, nsa, cia, state and local enforcement, keep up the great work. it's nice to be appreciated but the mission is more important than that appreciation. but the subject i'd like to talk about this afternoon are the developments in the future of information technology that are cascading on us at moore's law rates and how i believe they will affect homeland security. and the two biggest ones of course are big data and the internet of things. to a first order approximation, to wildly exaggerate, i would say
that big data will overall help us in the homeland security mission but i think in contrast the internet of things will overall hurt us, make our jobs more difficult to protect our fellow citizens. let me talk first and more briefly about big data. after all, the intelligence business, much of our law enforcement crime investigation business has always been about what is now called big data. processing large and complex data sets, including analysis, capture, curation, search, sharing, transfer and query are a few of the words that appear in the wikipedia definition of big data, using mostly analysts' brains. in recent years we've been trying to supplement, to strengthen that with connected databases, sophisticated algorithms. we have tried to attempt to trace the traces of a digital work with the goal
of identifying and stopping them before they can launch their attacks. the more large and unstructured data sets can be edited and manipulated, the more the questions get asked across these databases, the more the algorithms can do this work freeing the human brains to do the higher level and intuitive detective work that only a trained analyst can do, the better we will all be able to do our jobs. but because of this false perception of what intelligence and law enforcement is all about, especially the terrorist area, we will have to gain public support for the authorized use of whatever big data tools may be developed in future. it would be wonderful, ideal if an nctc analyst could sit at his or her keyboard and be alerted to every american who made multiple visits to jihadist websites, who perhaps traveled to pakistan a couple of times in
the last few years or maybe to belgium, who exchanged e-mails with suspected extremists and they did a facebook site that portrayed antipathy towards the united states. i would argue this kind of mission business is different from information that law enforcement authorities receive from other sources, a concerned relative, an interview in the course of another investigation, a tip from a source. in fact information from data sets is probably less objective, less subject to misuse than the information that comes from human beings. however, right now homeland security and law enforcement regulations, law enforcement organizations cannot freely use even data sets for which there is no reasonable expectation of privacy. and yet as we know ironically they are strongly criticized if they do not follow up everything from much more questionable sources that come their way when something happens. so there's a great deal of
public debate on these issues, some proposed legislation to try to set up ground rules for some of it, but it will take a while i think for public policy to be decided in this region, and for the government to be able to know just what it can do. so big data potential, but potential to make the country more suitable when we figure out how to use analytics in a way that is trusted by the public as well as simply being effective. the situation is different for the internet of things. it is true ubiquitous surveillance cameras, many of them controlled and reporting data over the internet have become important for protecting sites, deterring attacks on them. in addition they have become key sources for reconstructing events during investigations of terrorist incidents in trying to pursue those leads are different additional activities by the same group. but a huge number of new sensors
that will be attached to the internet, really that will make up the internet of things, will not provide that much additional sensor data that i think will be helpful in identifying, finding or tracking terrorists. and they can open up huge vulnerabilities, to potential attacks by both terrorist groups and even more to criminal organizations and to promote individuals. as with most for builders of the internet and the device attached to a distribution of additional futures not technically inevitable. however, it will take a great deal of work in order to change that prediction to be pretty safe in making it right now. as with most i.t. developments the positive applications, the whizbang, the features get the most attention, the most funding, the most buzz, under the assumption that security can be added on later like
a coat of paint following final assembly. where have we heard this story before? well, for virtually every major i.t. development that has ever happened, the internet itself, the cloud, the wonderful allure of what advantages will bring us of the debate early on and later on, the dull, boring security people to expect the assumption because of some of your matters the assumption that security will come to you for the internet of things will become slutty more sophisticated than just turned over to the security guys. here's a report from wind river put out last year. given the novelty of iot and the pace of innovation today, there seems to be a general expectation that some entirely new, revolutionary security solution will emerge that is uniquely tailored to the internet of things, that we can somehow compress 25 years of security evolution into the tight timeframe in which next-generation devices
will be delivered to market. but what's the situation now? after all we already have an internet of some things. the current status of your devices on the internet is not encouraging. the self proclaimed search engine of the internet of things searches the web, and you can log on and see many unsecured devices of a gigabyte thousands more. you can look at what webcams are showing in sweden. you can go into video game servers in eastern europe. you can look at what wind turbines are turning up in the united states, all completely open. a recent report by hewlett-packard states as many as 70% of devices could be for sale in the iot are vulnerable to attack. the latest report says dark 6.4 billion things attached to the internet, about a third of a billion dollars every year spent on the internet of things. predicted to go up to almost
12 billion things in two years and then go up to about a half a billion dollars. from a terrorist perspective the most dangerous vulnerabilities of the iot have to do with the potential for physical damage to large systems as more and more web connected sensors are added to the systems. consider the networks of the utility companies offered by the smart grid with millions of customers, houses, apartments, office buildings all hooked up to the central servers of utility companies. what are the chances that the security functions of every single one of those computers will be configured correctly? yet every unsecured home electrical monitoring system is a potential vector into the couple systems controlling for electricity on that grid. the recent attacks on ukraine electrical power system show the potential damage that can be caused once you get inside the loader should be. of course, there is security that
can prevent an actor to access from achieving access to the entire grid control system. but with millions of points of access to the utility networks the attack surface to be defended becomes enormous and the point of which and attacking me is multiplied exponentially. the second great vulnerability opened up by the iot is the proliferation of legitimate computers that can be used for botnets. today most botnets are personal computers without adequate security appropriated by hackers and used in dos attacks on other websites. the computers that connect and control data on devices on the internet of things will provide hundreds of millions of new potential bots that could potentially be turned against legitimate websites in schemes to shut down legitimate traffic or for other purposes. and again yes, there are security features that if implemented can prevent unauthorized access for computers on the iot devices but
it takes money, takes attention, takes checking to do so. right now most of the iot devices being sold, the computers, the programs that govern them, have known vulnerable operating systems and limited provisions for future patching. the third and perhaps most frightening vulnerability is control of individual devices by criminals, potentially by terrorists. without adequate security, internet connected pacemakers could be manipulated, cars can be run off the road, internet connected systems could be disabled. the internet of things is looking like a pretty attractive place for terrorists, as i look out there. brave new world. regular criminals of course will be well ahead and they will conveniently make available to terrorists to use for more nefarious purposes than making money. what do we do? what's to be done? that same report i cited earlier
makes an observation backed up by reports from other major i.t. companies. there is no silver bullet that can effectively mitigate every possible cyberthreat. the good news is that tried-and-true i.t. security controls that have evolved over the last 25 years can be just as effective for the internet of things provided we can adapt them to the unique constraints of the embedded devices that will increasingly comprise the networks of the future. there are certain advantages of the internet of things that can be used for greater security. as one example, the smart energy grid has its own set of protocols, very unique and identifiable that govern how devices talk to each other. that's what industry-specific protocols that filtering deep packet inspection protocols, for the traffic that should be going on that net can be much more effective in identifying malicious payloads hiding in non-i.t. protocols.
but a more complete description of what is needed for a secure internet of things is provided by microsoft. it was in one of their publications advertising their internet of things cloud service. they have great confidence in their ability to protect the iot data that makes it safely into the cloud, not accompanied by other malicious data. however, they do point out that four other organizations involved in every single iot system need to operate perfectly in order for the system to be entirely secure. the hardware manufacturer or integrator has to make the device capital, building upgrade capabilities. the solution developer has to worry about the right choice of platforms, languages and tools for a secure system, not to choose outmoded or inherently vulnerable components. the solution deployer has to deploy them securely, often in a place that does not have any physical security, and has to keep the authentication keys safe.
and finally the solution operator has to keep the system updated, audited, physically safeguard infrastructure and protect the cloud credentials. that's a long list of things that have to go right in order to be secure on the internet of things. as we all know that grateful to the countries of the internet is only as secure as its weakest link. by my reckoning we have about six billion potentially very weak links about to get onto the internet in the next several years. so like everything else associated with the internet, advances in some of our discussions earlier today, achieving a secure internet of things is a public and private enterprise. for the private sector there are conflicting incentives here. if the internet of things is to be profitable, expenses have to be held down. doing things cheap dominates. as one knowledgeable observer wrote, a lot of money is already
pouring into the iot. the pace of investment is simply picking up. the trouble, especially those from the diseases they could focus on shiny things. devices that can be marketed soon with a spectacular roi. these investments don't do much for security or infrastructure which would basically have to trail iot demand. again we've heard this, we've been through this movie before and the ending is not pretty. now, the major incentive operating in the correct direction for the internet of things, and again there's been some discussion of it earlier today, and which motivates against us doing it on the cheap is risk, both financial, direct financial risk and reputation risk. who would be sued if a smart refrigerator was attacked? the manufacturer, the developer, the deployer, the operator? this being the united states,
probably all of them would be sued. and even if no suit, their reputation could potentially suffer. that's probably a good thing for motivating better security. and although the fear of being sued, losing market cap because of the cyber incident is powerful, it would be better i think if government standards and smart regulation were established. that chairman of the u.s. federal trade commission on edith ramirez gave an axle speak kurdish of the consumer electronics show in las vegas can point out all of the security dangers of the iot and much more detail than i thought over butter solution for largely to urge the industry to do a good job and it is. -- security. she did not speculate. earlier today you heard the deputy of homeland security say that the nist framework is about all they can expect of the government as far as standards for the next year, next several years.
that's a pretty general set of guidelines which is easy to give yourself an eight on without breaking much of a sweat. however from the government's point of view, security consideration should be brought to bear their i'm talking security considerations. government standards and great elation may be motivated massively to protect consumers, not so good to protect corporations from the own greedy nature but because an insecure internet of things threatens physical danger to americans and societal danger to the united states. at a minimum the government should develop and endorsed a set of best practices for the many different companies that will have to be involved in building the internet of things systems. we need to go way beyond this framework in specificity and in scope, and yes the technology will change continually, so yes will have to update this continually. stuff that would be less intrusive but more effective would be a certification process
for i.t. systems, like leaves for iot. i understand that the underwriters laboratory is thinking about a project for the devices themselves, and that's a start. at the higher end the government would be government requirements for iot systems. at a minimum this requirement should be for the system the government actually purchases and puts to use. but they could be extended under the same authorities that medicines and food products are certified to depose a major danger to the country if they are done wrong. though they would not last as about the next cybersecurity development, beyond the next scandal, but they could be updated, updated continually. i think we have time to do this because the internet of things, the rhetoric of the internet of things is far exceeding the actual deployment so far. it really is in the early stages and there is time to develop standards and regulations so
that it can fulfill this great promise of greater efficiency, greater effectiveness, greater convenience. however, it will not do so if security as an afterthought, if the government waits until disaster strikes to take action. so thank you for your attention. i look forward to comments and questions. >> thank you, admiral. [applause] >> thank you for painting an important canvas, one that i think isn't getting nearly as much attention as the dodgy. and i think you clearly brought a sense of urgency as the internet of things, need to start good architecture. the design. you at the naval academy. it's how do we start designing at the very roots sorts of issues, a seeker device. question i have is, how are we going to get the political will to get this done? so i mean at the end of the day,
the challenge with the internet of things is a set of devices. there may be a handful of companies, take cisco, a handful that could really drive this. but how are we going to cut to the of all the competing priorities right now, to recognize that this is going to huge potential applications? our attack surface is going to grow exponentially, exponentially. so what is it we can do, what is it those watching c-span, those in the room today can do to try to hear your call and advance the ball? >> i think certainly cyber is hot in government these days. it's running up against, it's trying to take on some of these huge questions of privacy versus, privacy versus security, which is frankly going to be very hard to make progress in.
some of the seamen the kettle, some of the energy to do something about cyber can be diverted to some of things that are controversial and can be done extenders for the internet of things. or more imaginative, imagine things like some sort of back up government insurance program beyond what private insurance companies do, in return for that the government would insist on very strict standards. the inspectors don't always have to be civil servants. there are models in which we have other groups that are doing the check in, but the government is the one that runs the program. i think that's a we can do on the government side. on the private side i don't know. maybe i'm late -- >> equality or to think there's some incented-based approaches we ought to be thinking about?
>> hey, i think that if some companies can actually market a safe internet of things as opposed to an internet of things and assume a certain responsibility be on their own piece of that five company matrix that i laid out can't they just as prime contractors take responsibility for the subcontractors, if some of the big companies that are going to offer internet of things cloud services could be the ones, they have the technical expertise, they have the technique so they could offer a total solution rather than saying i look up whatever cheap devices you by and i will run your cloud, and it's your responsibility if crappy data gets into mike leavitt i will protect a perfectly and it will deliver them our perfectly to the next stage spent almost a safe neighborhood or you would be
wanted to bring all that there is components. that's very interesting. another point picking the committee conversations today, i think the role that you played with jon huntsman in chairing the commission that was on theft of u.s. intellectual property, i think it did have a profound impact, even leading in part at least to the president signed an executive order to look into sanctions. talk us through a little bit about national and economic security, how they are inextricably interwoven. obviously, there are two sides of the same coin, but increasingly i think it becomes a big set of issues when we're talking about cyber related matters. because that of intellectual property, it's killing us. and secondly, what is left undone in terms of your commissions findings? >> well, never underestimate the
power of public shaming. that's what i've learned in government. it from the outside you can show there really is a very dangerous situation that is not addressed company, many of us are in this audience have worked in government. that's all it takes, 30. you have a full in basket. it's the case of what do you put at the top. the set of incentives you have when you're inside the government don't always align with what really ought to be national priorities if you have the time to sit down and look at it. i think this idea of a blue ribbon commission, looking from the outside trying to raise the priority of things that really are potential problems is very important. and i think that was what, i think, that $300 billion figure that we had in our commission, i
think is the most powerful thing. the trick is getting something that graspable, that really motivates action. i don't quite come up with that for the internet of things but that would push it because i think the solutions i prescribed our blood, you all would put up if you put into them and give a couple of months to work on it. it's the motivation and the drive that needs to be put together. >> but don't underestimate not all commissions are created equally. i think that what it had impact. i can count 50 others that are still gathering dust. timing was important but i also think it was framed and captured in such a way that wasn't written to a tech specialist come an economist, or even simply a policy maker. it was all of the above. so i think people could grasp
and see the impact. i think i was very important. we have time for a couple of questions. we've had a long day so i think -- >> is anybody out there? >> please wait for the mic. and if you can identify yourself as well. >> i'm from pragmatic a corporation. i was very intrigued and how you put together internet of things with big data. may i suggest that this could be expanded into things for big data? furthers the general concept that the more the merrier, the bigger the database the better. however, some 10 years ago there was an act for statistical deficiency. and i've heard recitations on the fact that with big data you can use -- to control the data
that comes in and the answer comes out. so we need to be scrutinizing when we put the inputs for big data, why they come from. whether they are from samples, carefully designed, or whether they come from the internet of things or from the internet, or volunteered information. and if we do not, then the efficiency of big data is going to be hindered. and that information could be taken seriously. this is more of a comment than a question. and i thank you for your presentation. >> admiral kime anything he want to -- >> as you were talking so i was preparing remarks, trying to think of big data help us with the security of the internet of things. sort of an intriguing concept. if you have all of this data
coming in, maybe you know what a standard pattern of a system looks like, and something that has happened that's anomalous could be more quickly detected. you could get some help in deciding if this is something that is onto something happening in the physical world that you ought to be worried about are whether someone is screwing with your system and, therefore, to take a different set of actions. that's penetrating idea that sort of put those together, which would argue for not sampling by keeping all of the data and trying to figure out the pattern for it. it. >> and looking backwards, to be able to reverse-engineer which we've seen in the past. >> we might get to the point that we could do some of that. >> the one thing i would urge though is you are always going to false positive. at the end of the day we are learning every step of the way. so don't expect to push a button and get the answer i'm waiting
for that day. a question here. >> thank you for your talk. i'm also a student in the program here at george washington. >> a ringer, watch out. he is one of my students. >> frank is a great guy. [laughter] i thought your talk on the iot roi was interesting. it seems like we have a multidimensional problem. we have decision-makers at private sector companies that want to make a profit. you have a consumer that doesn't want necessarily to pay the additional cost for more security. then you have our concerns around security. so there are competing interests. i just want to get some more thoughts on how they could close the gap their ideas. what are some of the ideas on how we can get on the sure if it
regulation or some type of policy change would allow us to close the gap quicker. just kind of expand on your thoughts on that. >> one of the other things i think we need to do at a minimum that the government should do this is to sort of warning stickers on refrigerator that have computers on the. i mean, you know, we got along without longtime with refrigerators and where to look after it is frosting up, i better turn on the defrost cycle. it's nice if somebody is monitoring that for us and doing that at 2 a.m. without us having to worry about it but is it essential for the risks that it's run? that's a trivial example but as you get more and more devices that are closer and closer to your health and welfare, it doesn't become so trivial. and how many of us have tried to use a complicated digital piece of gear and found that it
just wasn't worth the trouble and went back to something we use before because that was good enough? i think those cost-benefit trade-offs on the personal life are important and i think companies can also make those rather than blindly buying the next cool thing. we are all familiar with computer in the, as the rams and roms of laptops are getting bigger, you know, it wasn't your office site that was important that was what the power of your computer was. we bought those things mindlessly, far more features more power than we would ever use. maybe part of it is sophistication of consumers in addition to some of these systemic things i talked about. >> asked to pull a thread on that in a little different direction? government can also drive so you have the regulatory side, but the purchasing power through acquisition processes.
so you did start to see largely the department of defense to weapons platforms. the last thing you want is when you push that button and those you actually want to work when they're supposed to, and if it doesn't, you're in big trouble. so at the end of the day what more do you see that can be done there, at least government as a purchaser? and then from a private sector standpoint, i mean, at the end of the day third party vendor issue as well. so if i'm a big fan to i'm going to start maybe asking some of these questions from the iot perspective. which it's back to maybe the provider concept that you, whether it's the cloud, amazon, whoever it may be. those might be the drivers going forward. i would be curious what your thoughts are. but does not take advantage of its purchasing power. this could be a when maybe they could. >> right, right. it's not just of the department of defense that buys lots of
stuff, of course, in government, and to our other government departments and agencies that buy huge amounts of digital equipment. and so if you try to their efficiency. i think, yeah, at a minimum they should, they should in the context be able to insist on the highest standards. now, as those of you who work in the contracting world know, this sort of all boils down to some clause in the fake document enforced by some g7 who is not, shall we say, computer trained. i think it requires government -- >> more than just check the box and fill out a form. >> you need smart cios and cisos who are doing this stuff. i think in those areas, it applies certain retooling of
your contracting workforce, working with them is important. the same is true for big companies. when i've talked to people in big companies who are not deeply personally involved in i.t. matters, they are no more smart on this stuff than the average government official is. so i think it cuts across both the means, buying smart in the i.t. area means you need to up the game of the people who are actually doing it. >> we have time for a very good question. the last one here. >> thank you. leapfrog solution. thank you so much for your comments. i would like you to elaborate some of your comments about standard-setting entities such as underwriters and maybe even having some regulation regarding internet of things and security.
i find that fascinating. would you elaborate on what current government entity might be capable of regulating, or what type of consortium you would consider for developing standards? >> well, i can talk with the great wisdom of never having worked on the domestic side of government. >> you have some insurance and reinsurance people are looking at underwriting. >> but you know, somewhere in the commerce department i think has a convening power to get the different agency has an predatory parties together but it would probably have to be a new sort of, a new type of regulation and standard. i mean, if any of you have been involved in the writing of government regulations, it's not a pretty process, but i think we
have, but when it's done well, it's done by bringing in the private companies who actually are going to be the regulators at an early stage. not giving into every single one of their demands because they want cheaper, less interferes but taking into effect around the deputy. i would sort of put together a group from several different agencies basically under the commerce department, called in the loss of the companies to help, and then as i say, i think we put way too much time in trying to make the 1.0 edition really good, instead of just getting it out of there, working with and making 2.0 better and 3.0 better than that. i think if we can learn one thing from the software industry is to get something out of it is pretty good and then really
build it and increase it. >> admiral blair, unfortunately the tyranny of time requires abyei bit of a time when. thank you for a phenomenal q&a as well. i think you made clear that you truly are a soldier, scholar, and a rhodes scholar to beat i might know. so thank you for taking the time. let me also thank all of you for joining us today. let me thank our viewers on c-span, and particularly some of the companies that made this possible for us, securonix, delta risk, and, of course, my phenomenal team, christian, rachel johnson, christina parker, alec come and the list goes on. so thank you. thank you, admiral. and thanks to everyone for joining us all day today. thank you. [applause]