tv Cybersecurity Across the Atlantic CSPAN May 5, 2012 7:00pm-8:00pm EDT
is a kind of political power. see what a president can do and a time of great crisis. how he gathers all of them. what does he do to get legislation moving. that is a way of examining power in a time of crisis. i want to do this in full. i said, let's examine this. >> robert car on the passage of power. this sunday on "q &a." look for our second hour sunday may 20. >> this past week the congressional -- the on -- to the human rights abuses in china.
>> i really fear for my other family member's lives. even with the electric fence. those security officers in my house -- it basically said, we want to see what else -- >> watched the entire video online. on wednesday posted a conference on cyber security. speakers include the deputy assistant director of the fbi as well as the assistant director at your poll. this is about 55 minutes.
>> we were off to a good start so i will do the following. i will introduce our three panelists. then we will have time for questions. with that, thomas and duke's is the senior adviser -- he forces on cyber -- focuses on national security and capacity building. before that he was at csis. he is also a lieutenant colonel in the air force reserves. he is known to many of you here already.
he has had a distinguished career. he is the deputy head of the eu delegation to the united states. many times in the past, his career has focused on multilateral affairs. he was the ambassador to geneva, which multilateral affairs. he was the head of the -- a focus of attention here for cyber security in the coming year. finally, bruce mcconnell, who is also known to everyone. i have known bruce for a long time. he was on the transition team.
before that he was in the private sector. before that he was in the omb. we're happy we can have all three panelists here to speak to you. why don't we just go one, two, three to make it a little easier. all-star with bruce and end up with tom. >> thank you. good morning everyone. it is great to be here. i wanted to comment on a couple of things. i think there are some interesting threads we get along collectively over the course of the day and in the future work the commission is going to be doing and the this important area of cooperation.
starting from home, i would note there is a fairly large footprint of dhs people at the conference. i think that is instructive to. it takes me back to an article that the secretary and i wrote an -- in wired it. cyberspace is civilian space. there are many metaphors -- we are searching for them because we cannot see too far into the future. they produce some bizarre conclusion anything, that is the end of that. we all have good examples of that. if you think about some of the things cyberspace can be thought of whether it is a school yard or a classroom or a library, or
a market place, the one thing the we asserted in the article is we do not want it to become a battlefield. to give us the primary responsibility for securing cyberspace and the united states. i think from the government's standpoint and with the caveat that government cannot do this and governments can do this by themselves. to that. , a second interesting aspect of the conversation today and as you heard this morning, the initial focus that many of us
have and many of us collectively internationally have on so-called cyber crime. in cyberspace and we were happy to see in the most recent two days ago announcement, fact street from president obama that the japanese have decided -- it is a major extension of it to outside of the normal atlantic sphere. it is very promising. we hope that his the beginning of more participation.
as you tease out the different kinds of pieces and threats of how we deal with this large problem of safe and secure cyberspace, there are a number of threats. the cyber crime apiece is an interesting one. almost every attack that we encounter every day is a crime. any unauthorized attempt to access the computer system of somebody else without their permission or to deny is a general crime. we do not typically prosecute under that statute. the focus we collectively focus on is the suspect -- subtext of those crimes -- that is the kind of thing where we are off -- we
are all in an agreement that child pornography is not appropriate thing to have in cyberspace. we attack intellectual property crimes that are enabled by the internet. we attack financial crimes that are enabled by the internet. there is a whole rich area of collaboration and cooperation in that area and i think we need to continue as governments to increase the sway and use of law enforcement tools in this area. i know my colleague is going to take up that question in more detail. you can then get to a couple of other things. three other areas that are interesting that we all work on and to think about because they deal with different parts of it. there is the problem of cyber defense -- it possibility that
our colleagues in estonia and georgia -- in those countries that know they have been hacked in this context and are leading the charge in europe to get others to understand the importance of this issue from a national security level. there is no doubt that there is a role and there are adversaries that we all face. inevitably, cyber will become an elephant -- aliment of conflict going forward. that is not something you can deal with particularly well or effectively in the law
enforcement context in my opinion. it is an area that needs to be dealt with and its own right to. the third area is -- what i think of generally which is our core mission at homeland security, from this space that is cyber security. that is securing the internet itself. it is a place that can be supportive of our ability to defend against cyber adversaries from a nation state standpoint. it can be supportive of reducing cyber crime. it is really about the defense of the networks and the defense of the information and the protection of identities. it is and the space that we get into why it is important to have a civilian agency. from the standpoint of cyber security and home and security generally, it is really a
bottom-up thing. in national security and national defense, the actual norm is that you wait until you are a tact or about to be attacked before you do something. -- attacked or about to be attacked before you do something. if the population is afraid in the local jurisdiction, if you are already behind the curve. you have to act proactively to create environments which are resilient which include empowered individuals. i know you're thinking about a similar kind of campaign and we are talking about that. about capable communities. if you translate that piece of resilience into cyberspace, you are talking about all the various networks and communities and making sure they are able to
defend themselves. our federal system that can aid and assist that whether through sharing threat information and remediation alerts to ordination of response when incidents reach it national level. and so in that context there are a bunch of areas where we are cooperating. we talk about emerging collaboration on bought nets. there are several interesting approaches. the germans are well along on an approach. this is in a broader conversation in the european union. we have had a couple of successes here working with the isps to promote the stopping of botnet. on all this we are cooperating on a bilateral basis and increasingly multilaterally on operational matters. we were recently in india where
we had signed a certification to certification cooperation agreement which allows us if we see attacks coming from india we can call them up and ask them to check in with the hosting company and see what is going on and they can do the same with us. that could be quite helpful. this collaboration can work as all cyber security works that is effective on the internet. the fourth. just to capture the overall picture here is the question of internet content. both europeans and the united states and our strategies talk about the importance of keeping the internet open. that means open from a technology and operable stand. but it also means an open place for discourse. this is an area where it my
opinion there is the least amount of international agreement. we will have a long set of conversations about what content is appropriate by governing bodies and various jurisdictions. that is a longer-term conversation. it is not strictly about cyber security. on the other hand it does relate to the nature of cyberspace. for those of us to think about these questions about what is cyberspace and how does the work and how does it become an environment for humans to collectively discuss and take action on global problems, this question of content will become increasingly of important and something we need to deal with. you have those four threads and on top of that you have a question of governance, how do you manage these things collectively. for that, just as the deputy
said we are trying to make sure we can get the machines to help us protect them by having them -- by automating some of the response and alert aspects of it. i think we have to use the internet to help us govern it. because we can not only rely on the ability of standing governments and standing governing institutions, we found already in cyber security, if you can work informally and collectively to get things done -- i think we will need to continue to develop institutions that are internet based for the future to govern some of these problems. that is very much still a work in progress for all of us. i am asking as we increase our dialogue and cooperation we take the big picture and the longer view, since this problem will
be with us for a long time as an exciting area. i just want to echo the points made earlier about how important this particular collaboration is. i look forward to the discussion. >> thank you very much, bruce. i am in a more challenging situation that you. not only do i have to speak after the eloquent -- [unintelligible] with very happy to work her because she knows how to motivate people. it is an example of the way it works. we have to talk about
transatlantic cooperation. it exceeds by very far other regions. we share basically the same of value and this is a unique part of our relationship. we have different laws and infrastructure, but we say the -- we share the same values. that is the debate we have on both sides of the atlantic with cyber security, to protect infrastructure. but also on the other to promote and other countries, to preserve and our country's freedom of internet and also to maintain business friendly
environment as much as we can. on both sides of the atlantic -- it is our common interest. we share so many things. that is why cooperation is so important. my second point about concrete measures. state of play. as the commissioner put it so well, sucker -- cyber security on both sides of the atlantic copper -- operate differently. the first strategy is open and free. since 2008 and 2009, a policy is
focusing mostly on the german market. , they set upear's a new die mention for cyber security. most important, they have engaged in the discussions preparing for new discussions and cyberspace. this shows we know that we have to come after it quickly. it is an issue of emergency. i can tell you that we plan to track that as fast as possible because we know it cannot wait. because of critical dependencies between the u.s. and other countries, there is an open trade market between the you and
and you s. there is a trade investment market in the way. there is direct u.s. investment which are higher than the total u.s. investments in china, india, south africa, and russia altogether. we are such a big community of companies -- a company that is american registered. it usually is partly owned by european stakeholders. because of the critical and to dependencies, policy cooperation exists and that many fields. this strategy has designated to allow us to well, local different approaches. our dependencies will grow also. obviously, part of the landscape
is that some of the member states, we worked to gather to sell the same objectives. and the current policy aspect of cyber security, [unintelligible] but now we have a strategy which has been proposed. they have close working relations with cyber policy coordinator is, and this is a field that is developing quickly. what could be the agenda?
if we have the tools, we have the will, we have a strategy, what could be the agenda? first, the u. n and u.s. have up to have full democratic values and rule of law. but we need norms of behavior in cyberspace. we have existing rules that have to apply and be implemented. this is a very technical challenge. we have international europe -- national lot. we think it could stabilize
cyberspace where international laws apply to have a common vision is essential if you want to shape. secondly on the cyber crime and security, we have very practical operation. this will always remain at the center of our work. this has been described by you -- i will not come back to it. private sector. the contact between our businesses will define a certain dynamic in relations. it is crucial to define how to protect our infrastructure. there are many exercises -- [unintelligible]
cyber protection is probably the most important dimension of that. our environment provides for security a functioning for business is very important and should also be on the agenda. we also want to stimulate the contacts between cyber communities in the u. s and d e u. this of the main elements. i think the application of existing international law is a first challenge. i will mention briefly, to strengthening the global response on cyber security, many cyber threats, it has been -- territories that are week to deal with cyber incidents.
if i may, one day i was in charge of the internet department -- i was opening my computer going out my website, icy the word france had been changed to very little country. and then i said, ok. we should be able to know -- this is for humor. but we should be able to have an idea of who did that. we were able to see this was coming from a tiny islamic
country in africa. a very small country. we have no agreement with this country. that is a long challenge that i hope to see one day sorted out. i think there is a need to really prove to the rest of the world that we can have security in developing countries without sacrificing freedoms. but we have to put some money on that. at a time when money is rarely have to court in a how to do that. that is an important part of the process. there are also some aspects and strengthening cyber security
that we should take into account. it is also of interest to prevent these countries from having cyber crime battles. to establish as secretary clinton put it in a speech more than one year ago, a new world on the internet. it was in her speech when she said, he had the cold war with the berlin wall. we want to avoid some countries establish new wars on internet. when discussing countries like syria for example, to make sure that when we establish our embargo, we extended to cyber, too.
it can be useful in preventing them to establish things. this reflects automatic interaction that we have to think automatically board. finally, i would say -- i would come back to the united nations. we had an important discussion to orient that to favor more government control of free flow of information. this is also an issue in which we have to talk because we see some merit in having -- we would like to be able to focus or refocus to preserve freedom of
information. that is why we really need to act together. i should stop here because i have been far too long. i hope that the commissioner will not cut my head, but i know that is not the way he behaves. thank you. [applause] >> thank you to csis for sponsoring this event and inviting us to participate. i will start out by saying i largely echo all the comments that have been made by the previous speakers, particularly in terms of the very strong working relationship between the united states and the eu on
cyber security matters. if you set aside the privacy issues, i think you find that we are almost in complete lock step on those two key issues. as he teed up for you at the end of his comments, we both look ahead and see a number of very significant coming debates, basically that have already begun but are going to be very active in the year ahead at the un on things like looking at norms for state behavior's and cyberspace, world conference on affirmation, a technology that will take place and do by this december looking at revising its treaty documents and house cyber issues could play in that document. i think it is all very encouraging from a u.s.
government policy perspective to know that we have such a strong partner on these very high-level policy debates and challenges that we face a head. what i would like to do is spend a few minutes talking to you about a couple of fairly concrete areas and which we are currently engaged with the eu and perhaps offer some examples for continued successful engagement and cooperation and collaboration. i will first put on my hat as a senior policy person for the state department, an office created in february of 2011 when secretary clinton appointed my boss to serve as her first coordinator for cyber issues. this was something that was done in conjunction with the
finalization of the u.s. international strategy for cyberspace that can out in may of last year. the basic idea was, working at the state department which is largely built around a functional basis, trying to figure out their way to ensure that within a large organization like that, a way to ensure that policy decisions can be made to take into account and reflect all the different equities we face in our foreign policy engagements. the office has been up and running for 14 months. among the key things that are worth noting for this group are -- we are increasingly engaging with the european union in addition to key member states on
a wide range of security issues. we have a steady flow of eu officials as well as senior officials coming through our offices. it is almost exponential growth and interest in talking about cyber. it is very encouraging. sometimes it is almost overwhelming to try to just hit the key opportunities like this conference where we can talk about these issues. certainly we are seeing a real interest across the board and engaging in cyber security. another thing that has been encouraging is to see other countries have either come up with the same ideas are fallen -- follow the u.s. lead france,
the u.k., germany, japan, russia, the netherlands have all appointed senior officials to make sure their governments have a clear. person who can manage -- clear point person the can manage cyber security issues. we're seeing more countries issue strategies that define how they view the key policy issues, how they have decided to organize governments. how they have decided to engage with the private sector. that is another very encouraging trend. we try to encourage companies to really think seriously about these issues. keeping in mind particularly as we go through the next few years, there will be incredibly important policy debates and
international decisions that are going to be hashed out in places like the u. n or other key regional organizations like the eu and the council europe and a pack and the organization for american states. you can name any multilateral organization and there is a very robust high-level cyber work screen going on. helping countries think ahead and really start forming their positions on a lot of these key policy issues that relate to internet governance and norms, really how we deal with cyber climb -- cyber crime. we can work effectively together to help other countries understand the issues and implications of things like the russian chinese code of conduct
and help them see the high level view is that the u.s. and eu promotes are really the most consistent notices of international law, ensuring we have a safe and secure open and operable internet. a couple of the other key things i will just highlight our that our office is increasingly working with eu institutions or european institutions to find ways that we can better integrate our capacity building efforts. the u.s. conducts a very robust international training program focused particularly on cyber crime and security, also countering terrorist use of the internet that is funded by the state department and our law enforcement bureaus. one thing that has been missing
though is the same level of engagement by institutions like the eu or individual eu member states. we're starting to see much more interested particularly by key countries like france and germany and the u.k. making a much more robust investment in their capacity building efforts in places like africana and asia. we are working on a number of upcoming programs the state department will be a bleeding where we will be doing joint programs to include the you and a number of other key partners including countries like japan and our capacity building efforts. we think that is a great way to go forward. let me shift now to talk about cyber crime. i am currently working on the
state department on a temporary detail. i also share the high-tech crimes subgroup. i have a little experience dealing with cyber crime. if we look at the successes we have had in addressing cyber crime. it really provided a good model for how we can tackle other challenges like helping insure other countries have brazilian networks. we have been duly with cyber crime for almost 25 years now. we have been in a focused way building our capacity and capabilities to combat cyber crime. a couple of key things we use, they were trying to create a world where there are no safe havens to operate and all countries can do is promote -- the budapest convention that has a little over 30 parties to it.
the u.s. helped negotiate the convention. we ratified it and it went into force the next year or two. japan is 99% of the way there. we are seeing good movement in countries like canada, australia that have been working for years to become parties to the convention. the dominican republic and a number of other countries, mexico, the are in the process of becoming parties. i know of at least five or six other countries that in the coming months will be announced as working toward becoming parties. that is really encouraging. the laws that allow you to prosecute acts, you have to have the right investigative powers so law enforcement can get
stored communication and data can get intercepted and does serve as a treaty. one traded a 247 network that has grown to 60 countries. we are adding a new country every few months now that includes a really wide range of countries from all over the world. things like that can serve as a very effective models for how we can work to build capacity by bringing countries along the at different stages and getting them involved in networks that can lead to building institutional resources and capabilities to become better able to really deal with cyber crime on their own and do things like join the budapest convention. we do a lot of our reach and training to help them draft
laws and build the investigative capacity to establish forensic labs. that is the type of work that the eu and u.s., if we really put our minds to it and collaborate and really help build the international community raise the base line so there are no longer these instances where you have countries that are e essentially safe havens for criminal actors or others who want to do bad things on the internet. there will not be that problem. i think we are making great progress toward that. thank you for including us in the presentation. if you have any questions along those lines either here or later on offline, please feel free to reach out and i will be happy to talk about any foreign diplomacy issues. >> thank you.
but i will start by asking all three panelists. where are the operational areas, not the policy or the negotiation but the operational areas where there is a benefit or possibilities for cooperation? would this be more than crime? crime is easy and almost everyone thinks it is bad. are there other areas, particularly when you think yout information's sharing, would face this on information sharing for passenger data when you think about information. how would an operational
approach work. >> i think there are many areas -- let me talk about things on going today. those are the ones i have identified. we looked at two different cyber scenarios. there was an after action report for that which is going to set for a series of incident management conversations between us and particularly involving the european network information security its -- issue. that is working well.
i think it is a big piece of it. i will come back to the information sharing. because that is critical to that cooperation. let me mention a couple of other areas we are working on. we are working on awareness raising. on the context of empower individuals, we are going to be doing some work. we have our stop and connect campaigned i mentioned. that is a conversation with europeans about what is a uniquely european way to attack that question. we will be doing work together on best practices for child protection online schedule to coincide with the national slaver security awareness month this october. that is exciting. as was stipulated earlier,
governments cannot do this. we have some particular work we are doing together in the industrial control systems area. next week we are having conference in savannah. there is also worked together -- i think there are a lot of areas of collaboration. on the information sharing front, something we have found successful in the united states and the bilateral arrangements is to really whenever you share information, state what the agreement is about how they can be handled. you can use red, yellow, green approach that is just for that conversation. it can be shared with a trust the group or more broadly disseminated. i think at this point we are at a place where we have to deal with it on a case by case basis and get some experience before we come up with an overall
framework for that area. i think that can work well as long as you are explicit about how it would be shared. >> thank you. >> about information sharing, it is a difficult area because it involves usually a lot of information sharing on business solutions and practices. let me compare that to another field which we feel it is useful to think about, it is by your protection. when you think about a convention with biological weapons. you will see when you want to share information about by a weapons and practices, you face a bit of the same problem.
in a way you have to have software to know how to protect yourself against. usually this involves sensitive problems. if you forget to 1 seconds about computers than you think about bio, is exactly the same problem. it's usually is a parts of intellectual property highly sensitive information. on this to you can find resistance. in both cases, the situation is a bit similar. what did we do in the bio field? we tried to promote a minimum
level of protection. we still have to work out in the cyber field. we need good practices and regular meetings between experts on good practices. first of all to be prepared in the western framework because -- on the other hand, be expanded to the whole world because as you pointed out it is the weakest point of eight global chain. you have to have global ambitions if you want to get something.
you will discover much more without setting up the proper context. >> great. thank you. very briefly, information sharing is one of the hottest and current issues facing us in terms of dealing with cyber security. you only need to look at the plethora of bills in congress currently which are mostly focused extensively if not often expose away on how to help the government may share information internally and with the private sector. one is going to the criminal law enforcement example. it is amazing that with and law
enforcement channels how effectively we are able to share information with a wide range of countries. often countries we do not necessarily work very well in any other context with. but the law enforcement brought has really developed very formal mechanisms over the last few decades to figure out how to share about seven, investigations. we are seeing -- about cyber investigations. we are seeing take downs and you are increasingly seeing larger and larger groups of countries working together to tackle cyber crime organizations that have members in many different countries.
we are 6 successful in doing that-we are very successful in doing that. the other thing i mentioned. briefly is another area where i think there is great opportunity and fantastic work being done right now by dhs. is an international watch and warning network the up by a smaller group of countries. one of the things i you're constantly is that i travel around to international conferences. there is a real desire to find better and faster ways we can share information about threats for malware.es from now whe that is one thing that will yield huge dividends for us. it is particularly appropriate
for discussions with and the context of the u.s. and eu on cyber security. >> we have one last question over there. that will be the last one. could you introduce yourself? >> i am from an institute. the attacks are impressive. -- the effects impressive. something was mentioned to get the vendors to deliver technology and were safer in networking. is there anything going on between the united states and europe in the sharing the buying power so that you can use the leverage of procurement to essentially make the systems that are dispensable instead of indefensible?
>> you have a right to point out a very important program. the answer is, we are not yet fully there. one of our issues of strategy is intending to answer that. when i go to buy a computer, i ask, is it possible to find something around the market that would allow me to deactivate the wi-fi a sure that no one else can use my computer? it is almost impossible to find that on the market. go to best buy or wherever. i have gotten the answer of no. the computers you have, they can
be misuse when you are not online. things of that kind, this kind of thing-we want to rectify. -- we want to rectify. we need to have a strategy. we have also a new tool which is very your pin. it is trying to make -- new tool which is very european. there are some ideas in our dialogue. did their thinking about how to make procurements. these tensions we do have in mind. >> i guess not.
then highlights from the libertarian party convention in las vegas. it will include vice-president nominees. this week, richard trumka of the president and the jobs and employment numbers. -- the unemployment numbers. "newsmakers" airs on c-span. >>--n sunday this is a kind of political power. say what a president can do in a time of great crisis and how he
gets legislation. that is the way of examining power in a crisis. i said i want to do this in full. i suppose it takes up 300 pages. i said, let's examine this. >> robert caro on "the power of knowledge." look for our second hour with him on may 20. >> the president and the first lady returned to the campaign trail today. it held rallies in ohio and virginia. speaking at his second event today at the virginia commonwealth university. he was introduced by his w