tv The Communicators CSPAN November 21, 2015 6:00pm-6:31pm EST
paris as they recover from last week's horrific terrorist attacks. while we mourn this tragedy, let us be reminded those attacks could have happened here. this is not to instill fear, but to remind us to be vigilant. that's why we're calling on the administration to step up, provide global leadership, and put together a coherent and aggressive strategy to defeat isis. i need no reminders about the threats we face. before being elected to congress, i served 26 years in the u.s. air force, retiring as a full colonel. i was the first female fighter pilot to fly in combat and the first to command a fighter squadron in combat in u.s. history. in my career, i flew 2,600 flight hours, including over 325 combat hours in both iraq and afghanistan. i deployed to the middle east and afghanistan six times, serving in leadership positions for the initial air campaigns in iraq and afghanistan and counter-terrorism ops in africa.
after i was elected, i had the privilege to be appointed to a task force on combating terrorist and foreign fighter travel. for six months, our bipartisan task force looked at this very threat. what we discovered is that 30,000 individuals have traveled from over 100 countries to iraq and syria to join isis. we know about 4,500 are from western and visa-waiver countries. and 250 of them are from america. those are the ones that we know. we realize there are probably so many that we don't know. in addition, law enforcement has isis-related investigations in every single state right now, with cases increasing at an alarming rate. and isis is employing a sophisticated and unprecedented propaganda, recruitment, and social-media campaign. they use it to inspire or direct people to travel to isis-controlled areas to join the fight or remain where they are and commit terrorist attacks at home. there's an estimated 200,000 pro-isis social-media posts per day. they are acting at the speed of broadband, while we are acting at the speed of bureaucracy. after our six-month investigation, the task force
laid out 32 key findings and made over 50 recommendations in the report that we released in september. and the number one finding -- the most glaring weakness of all -- is that this administration does not have a strategy to combat this dangerous threat. i have been focused on national security for over 30 years, and i can tell you that isis is the most potent terrorist movement we have faced. they showed this month the apparent capability to take down the first airplane since 9/11 and conduct the deadliest attack on french soil since world war ii. france and russia have shown resolve in response, but the world is waiting for america's resolve and leadership -- and a comprehensive strategy to win. the administration has been leading from behind. in the military, we would call that following. their reluctant approach is only emboldening isis to recruit more fighters as they claim they have been attacked by u.s. airpower for 15 months, yet the momentum is theirs.
our strategy must include utilizing all elements of national power. we must unleash american air power to destroy their leadership, command and control, logistics, and their means of financing their terror. for 17 months, isis has been exporting black-market oil to fund their operations, and we just finally started striking the fuel trucks with the mighty a-10 warthog, the airplane i flew. the aircrews have been doing the best they can under overly restricted rules of engagement. we need to take the gloves off, let them do their jobs now to destroy isis capabilities in iraq and syria. next, we need to show leadership again in the broader middle east. our close ally israel and our sunni arab allies are rightfully confused and dismayed by this administration's myopic focus on a nuclear deal with the shia state sponsor of terror and their biggest security threat, iran. the strategy must ensure actions
against isis don't strengthen iran. a broader strategy includes partnering with the nearly 20 countries that have an isis presence to deny safe haven and counter the extremism ideology. it must step up our efforts working with our allies, especially in europe, to share information and close loopholes that facilitate terrorist travel. and it means countering the radical extremism that we're seeing in our own neighborhoods. we have around two dozen people focused on countering violent extremism in the federal government. but we have roughly 10,000 irs agents making sure you don't take an improper charity deduction. where we are putting our resources simply does not match up with the threats we are facing. this week, we sent the president's desk a national defense bill, for the second time. it requires the president to put together a real strategy to defeat isis. we also give him all the tools he will need to execute that strategy. second, we passed a bill calling for a new standard of verification for those fleeing conflict in syria and iraq to
ensure isis isn't posing as innocent victims, as they said they would. this is the first step to close one gap highlighted by the fbi director and our own security officials, and there are many other vulnerabilities we have identified that must be urgently addressed. in short, we're telling the administration to step up. take this terrorist threat seriously. the fight against isis is a generational conflict, and we must lead now more than ever. thank you.
>> the communicators is next with isight partners ceo john waters, talking about efforts to thwart attacks before they happen.
>> we will introduce you to john waters, who runs a company called isight partners. we work with governments and large enterprises to protect themselves against cyber threats. mr. slen: what kind are we looking for? mr. waters: cyber criminals, hacktivists, and cyber espionage operators trying to gain strategic advantage. do you look at all three of those categories? mr. waters: that's correct. mr. slen: what kind of clients do you have? mr. waters: we started off with government and financial services, the most targeted.
oriented with some government concerns around espionage and other events. years, business has expanded dramatically to , industrial, retail manufacturing, energy, and you can follow the hack. it used to be limited to financial services, then the target breach, health care breaches, sony breach, so it has expanded dramatically across all sectors. mr. slen: do you work with the federal government? mr. waters: yes, they are a client. is this consulting or do you do the actual investigations? if something happens, you try to figure out who is behind it and how they did it. we sell annual subscriptions to our cyber intelligence research. that research is conducted -- so we build an
intelligence collection plan that are relevant to abc company xyz agency. we have people look for threats in their development cycle as building. we analyzed those threats in our threat fusion center in chantilly, virginia. we come in here and put together the puzzles and say this looks like this presents a real issue from a cybercrime perspective against the following sectors. we deliver written and analytical content, but also the artifacts. they are fighting the fight at a data level. and can't understand risks
unless you understand what they're trying to do, so we say here are the data connections. if you see this piece, then it's that puzzle. serve datais help elements that say these are bad pieces of data, but they indicate this threat is being action against you. that's how customers drive prioritization. mr. slen: in a new york times article on your company, it said that companies receive up to 17,000 alerts on a regular basis. how are your alerts different than what they are receiving? mr. waters: great question. the problem is not to increase the problem, but to shrink the problem. how do you shrink the alerts and find the ones that present the biggest risks to your enterprise or agency? a panel with a ceo of a large company and someone asked
a question. they have about 1 billion and a half alerts a day. have a significant amount of resources we can apply and shrink that to about 10,000 alerts a day. we get to about 1000 critical alerts a day. they say you must have a huge security team. we do. we can handle about 10. have less odds of picking the right 10. how do you figure out which are the biggest risks? >> we take the 1000 critical alerts, hit your api, interface into data sets, and then we can look at what threats and say these are the top 10 risks, go work on those. you have to shrink the problem rather than try to increase resources to meet the demands of the alerts.
you have to decide which are the biggest risks to the enterprise. if you can only pick one thing to do today, what would you work on? you would work on the one that created the biggest threat to your business or agency. that's what we do. we help them reconcile the alerts and pick which ones present the biggest risks. mr. slen: when you look at what happened to target, the office of personnel management, were there warned but missed risks? mr. waters: i will say generically that we were public by default on the target series of breaches, related breaches, because there was a warning system in place there. the code base that was developed that was used against the retailers was developed six months before it was started. it was sold in underground forums. if you are active in those forums, you can gain access to that
code base that allowed you to gain access to the credentials from the time they went to the card swipe until they are encrypted. in the clear before encrypted. if you plot the tool or gain access to the tool, you could reverse engineer it and say this is a tool that can target retailers, point-of-sale, here are the artifacts. if you are a retailer and have 100 critical alerts that day and have only time to do with one, if you hit the intelligence database, it pulls up that report. you know what they are trying to do. in cases of nation on nation, traditional nation sponsored activity using proprietary tools, infrastructure, never been seen before -- i'm not saying that was what opm was, but sophisticated attacks, government on government, very difficult for any commercial party to fight that fight. that is truly a national
resource to be in that space. the vast majority of cyber threats conducted against government and the commercial sector develop in the open, using common infrastructure, common tools, reusing tools, reusing strategies, and there is a way to get ahead of the threat if you are forward leaning. mr. slen: how is isight partners different than another company, and in-house security system? mr. waters: the folks who manage attack surface have technology that sits three inches in front of the problem. here come all these packets setting off alerts. they use their anomaly detection routines and say this doesn't look right. or, this is a bad piece of malware. they don't have that context. they start off with things happening in their environment, the final mile of the attack. then they do forensics and say
this came from this command-and-control server, so they're trying to work their way out from things that happened to where it came from, but very rarely can find who is behind it and what they are trying to accomplish. there is the attack surface, that's how security companies live. then there is the attacker surface, so when you click on that spear phish, where are they dropping it from? that's the attacker surface. you move out a layer, and you have the threat source itself. someone behind the keyboard with opposed that has an objective to accomplish. most folks start off here, all the security technology companies. we start in the threat environment itself, though playbooks, strip out the audibles you can connect to data, in this case an audible, to the playbook
at machine speed and ask people to make decisions. mr. slen: you have been quoted -- mr. waters: in the desert after iraq 10 years ago plus, the first issue people faced wasn't snipers or tanks or machine guns or rockets or airplanes, it was ieds. they fought the fight the same way you fight any threat, stop the bleeding, armor everything, figure out how to jam and detect these things in close proximity, then move a layer out and say where are they placing these bombs. finally, somebody says how do we get left of the boom, recover from it. in the cyber conflict, you have the same type of analysis and trajectory. try to block everything and stop the bleeding, responders, armor everything, layer security devices in front of assets and
information, and finally, how do we get left of boom so that we can get ahead of the threat. our entire model is premised on getting our customers left of boom, anticipate what is coming, and build protective layers prior to the attack being executed. 24/7 365. at scale that is hard to do. it is a long lead time to build this company, resources, patience, and persistence. that is where we sit today. mr. slen: we are in suburban virginia in an office park, and people are sitting in front of computers. what are they doing? mr. waters: this is our threat analysis center. we talk about our researchers around the world. the researchers are gathering information, puzzle pieces, saying here are the things that look like they could be bad. those pieces come into this facility, where the analyst team, they look
at those pieces and say using our data analytics platform and put together the puzzle pieces and say, this combination with this from this with this person at these targets, here is what is going on. so they did the human analysis that says this is the playbook. this is this group with this capability with this infrastructure with these tools targeting these banks trying to accomplish the following objectives. they create the written analysis and then we take the data element out of that analysis, and from here we deliver that to our customers. we say here are the technical things you should look for, but all of those technical things we give them all link back to that analysis. we never say, hey, this looks bad. you are seeing is this analytical picture so they can read that threat analysis and know what to do.
is the analysis center that puts it all together. mr. slen: you have people around the world. how do you hire them? do they have security clearances? we hire local people. i'm not sure we have people outside the united states with security clearances. we have people in 20 different countries, former cybercrime professionals in their countries who worked inlks response teams, former law enforcement professionals, people who worked locally in the government to try to protect their government and national interest against cyber espionage operators. they have the skill set and operating capability, and then we bring them in together to secure our customers' interest globally.
they are looking for soft spots, the u.s., korea, australia, or brazil. the adversaries could come from anywhere. folks that we've hired, roughly two thirds of everybody we have hired comes from somebody we know. it's definitely word of mouth. we go to great lengths to find key people to build teams around. i spent time establishing risk centers. we have a team that manages relationships and make sure we work as a unified team. mr. slen: what do you look for? a programmer, creative thinker? mr. waters: we have a variety of skills that work together. a lot of folks say i will hire these guys and build everything around them. if you lose that person, you are toast.
we built this interdependent system and capability from the researchers, technical analysis, tools development, engineering that builds the workbench, to all of the analysts working together to put together the puzzles. support system that allows us to work together as one global team. it's not individual rock stars. it is a rock star system. the individual capabilities are all passionate about what we do. there is so much demand for talent in this space. if they are not passionate and love the company, they will work somewhere else and make more money. the people who work here primarily are passionate about our mission and support of our customers. primarily, they are smart, hard-working, and get along with other people. we have a culture of humble experts here. chemistry orod for teamwork, so we rely on each
other to be successful in our rock star system. the output is all customer centric. all of our employees realize the customers pay the bills. everything we do is for them. every employee is a shareholder. our customers know that when they pick up the phone, they are talking to the owner of a business that has a vested interest. mr. slen: you're not a public company? mr. waters: no, we are not. which is a luxury. we can grow the business and make the right strategic decisions near-term and long-term without making a quarterly number. mr. slen: will you go public at some point? mr. waters: who knows. we are not in a position or desire to do it today. comfortable position of making the right decisions long-term for the business, not necessarily what is the best decision to prepare for an ipo or make a quarter in the short term. you always want to present a business trajectory and business stability and business predictability
that you have any option you want in the future, whether it was going public or strategically acquiring other , but this business is built for the long-term. mr. slen: john waters, how did you come up with the idea of isight partners? mr. waters: i am a finance and economics guy by background. i managed all the money for the founder of first data resources. i was chairman and ceo of a holding company, managing a fund, sat on boards, and as a , financial risk, operational risk, credit risk -- i was always intrigued by the overall challenge of competing and managing risk better. i spun off on my own and looked at cyber as an investment theme. , and my own capital
outside capital is still with me today. we set up a public and private investment vehicle and started investing in cyber security. early investments was in a company that had just come out of bankruptcy, bought the company for $10 out of bankruptcy, and they were the ground floor of this building. very disheartened faces. they had just gone to the ringer, second grade management, so after we continued to invest in the business. , symantec bought several companies. i thought we were in a great place and got more engaged. ceo of idefense. very high level threat related,
so built that business and sold it in 2005, invested in other businesses, then when i took a step back and decided what i wanted to do, i realized threat intelligence was the least common denominator of the industry. the only way that a nation, that we can protect our interests against hackers meant to do harm to our global economic efficiencies, trade, relationships, you name it. have an intelligence apparatus that was not the government to help you manage the risks to enterprise and governments. if you look at what the mission is at the nsa or cia, they have a unique, tight mission funding for and empowerment to do, but they are not levying requirements based on a retailer and say that we will protect this retailer. that is not their mission. they don't get taxpayer money to do that. the same retailers and energy companies and banks,
intelligence leads operations. unless you know what you are up against, you have no way to resource against it. i set out to build this business and brought in a great set of people to build a company that could sustainably, repeatedly, and scalably deliver over the horizon threat intelligence that allows people to make strategic resourcing decisions, how they want to invest their security resources to give them the best chance to efficiently mitigate risks, operationally, how did they detect somewhere that something does not look right, but then comprehensively protect against that attack operationally, then tactically, rather than try to look for things they had seen before, how do i build a systematic way to build indicators that say this is what is coming down the pike, block these things. the whole business rationale was through an economic lens, how efficiently you can manage corporate resources to manage risk and enterprise resources,
and how effectively you can line your current security resources against the greatest risks to your enterprise. it's built through a rational economic lens. we've got a good blend here in terms of the business purpose behind it. that's the technical and intelligence flavor of it. mr. slen: does the u.s. government and big companies think the right way about the right things when it comes to cyber intelligence and cyber security? over the past several years, has that thinking changed, the approach? mr. waters: it's a good question. today, there is a recognition that we are all in the same threat soup. people would say the government has to face these national threats and things that are sophisticated. we could never protect against those. i make motion pictures. why would a nation target me. i'm a casino. why would somebody come at me.
i'm a commercial entity. commercial entities were focused on regulation, and that was the definition of success. to comply with all the regulatory frameworks, how successful, and the board held them accountable to that, are you compliant, yes. the government on the other hand always facing severe risk to their enterprise and operational ability to work. in the dod spectrum, they spend 10% of their i.t. security budget on intelligence that leads them to manage the other 90%. it's their navigational chip on how they will navigate the threat environment, so intelligence leads operations in the commercial sector less than 1%. the same threat intensity, national interests are targeted commercial interests. you have to learn from the expense of the government. now the commercial sector is getting into an intelligence led
approach to bring intelligence to the core of how they are thinking about and resourcing against threats. most important, building an they are looking at the money to deploy resources next year and then revisit next year. that does not work when the threat is changing every day, so you have to have an adaptive constantly shift. they have taken a lot of talent from the commercial sector. it's hard as a security vendor former intel officers, former military intel officers, government practitioners, coming out of the military, into the commercial sector. you have almost seen a complete shift of military capability, a lot of this stuff, into the commercial sector