Skip to main content

tv   Politics Public Policy Today  CSPAN  November 18, 2013 9:00am-11:01am EST

9:00 am
criminal activity is a great source of money from john dillinger up to jihadist and that's going to continue. >> i think we need to bundle up corruption and organized crime. we cannot just look at one and overlook the other one. and i think we need to also look at the enablers a little more carefully. we need to look at brokers, bankers, lawyers, going after the money that organized crime has alone is not going to fix the problem. if they are flourishing, it's because there is corruption. and i think it is really important that we bundle that with corruption. >> thank you very much.
9:01 am
let's go to a second question and that is given the way in which this nexus crosses two communities, the law enforcement community and the national security community, are we effectively organized to deal with these problems and the special issues of this nexus and how should we be changing our organization nationally or internationally to be dealing with these issues. any thoughts from the panelists? >> we should not go to knee jerk reactions when a major disaster happens and i'll give you an example. back in the days of my partnership of trying to bridge that gap between intel and law enforcement and work together, during that time we had an organization called the organized crime operation. s group.
9:02 am
case officers from the cia, i had about 15, at any given time 15 to 20 fbi agents and analysts assigned there full-time. it was very successful. with regard to human trafficking internationally, we did two renditions in that program for major international human smugglers working together. 9/11 happens. two months after 9/11 ocog no longer exists. it's gone because we have to address counterterrorism. so everybody go over here and do this because this is the top priority of the government. then something happens, wait a minute, what about this? we need to keep at the policymaker level and this requires advocacy at the law enforcement and intel level to maintain a balanced approach to this. and that's exactly true, the focus on organized crime has to be everything from the bank robberies and cigarette smuggling to the public
9:03 am
corruption that requires it to a variety of other criminal activity, but we need to maintain a balance. and this idea that policymakers that we can take all the resources out of one program and stick it over here or all the resources over there, and i can come up with 100 examples of opportunities lost because we thought criminal programs don't matter. routine white collar crime, food stamp fraud, who needs to investigate that? who needs that? many of the things that became too minuscule to get the attention of federal law enforcement proved later to be critical to the fundraising activity of terrorist organizations or the fundamental fundraising for international organized crime groups. so that would be my word of advice to policymakers in the hope that they would listen is really take a look. when you sacrifice one program for the sake of another, really take a look at how important
9:04 am
that program -- why was that program created and what benefit comes from it? >> thank you. >> there's strong practical advantages to integrating with the law enforcement agents themselves. sometimes i think they operate in separate spheres, and for good reason at times. but if you want to get practical and be able to take law enforcement steps and make sure that you're focused on the right people, the integration of those two efforts can be extraordinary powerful. at the police department and over the years particularly accept september 11th, we developed robust intelligence effort and a lot of in-house analysts, very bright, young people who focus on intelligence analysis and the integration with them as detectives is a potent combination.
9:05 am
it sounds like with suggesting is sort of what this operation was prior to september 11th. but it's a strong combination and i think people should look at that. >> i think it's difficult to overemphasize how important it is, what tom has just said. we had an organization that was working pretty well. one of things we did in getting rid of ocog was recreated for terrorism for the national counterterrorism center. it's much bigger, it's more robust than ocog was, but the point of the matter is if you put these resources together they tend to work. we already have direction from every president going back for years now to work together on organized crime. we don't have direction to put ourselves together in the way we did at one point. i think we need to reestablish
9:06 am
that for organized crime. >> thank you. >> i agree with everything that has been said. i mean, i couldn't emphasize more how important it is to look at the resources that the fbi needs. and only just to try to encourage cooperation among so many agencies that could be coming together to try to help and determine what's going on with organized crime. we need to try to use techniques that are going to be preventive. we need to prevent instead of always reacting when it's just too late. >> tom, let me pursue also, if i could, the international part of that. you were associated with interval. could you tell us about how effective the international level of cooperation is and what needs to be done to enhance this.
9:07 am
>> there are a number of multinational organizations and probably it is the largest and most relied upon by other countries. now here in the u.s., the fbi has the largest legal program around the world in 76 different offices overseas, which covers basically everybody but iran and north korea for the most part. the other federal agencies, customs, they do also have a ta jays. but the rest of the world can't afford it. 50 countries have their police here in washington at their u.s. embassies here, but that may cover all of north america, not just the fbi or dea or certain federal agencies. but overseas they rely on it. they have 190 member countries. what it basically is a 24/7 communication network to pass
9:08 am
information among those countries and ensure cooperation and assistance and marshall resources should they need it. it is not contrary to some of the movies. it does not have a team of investigators that run out and investigate crimes. but what they do is through the communication network is get countries one or more in a major situation to send those resources to another country that may be in need. that can be a wide variety of law enforcement or national interests such as the tsunami. get additional countries to send resources to asian countries that were victimized to help identify victims. or in some cases try to create task forces to assist in addressing somali pirates, which is affecting commerce in the indian ocean bordering countries. other issues where they get countries to provide networking capabilities to other countries.
9:09 am
now prior to -- in his last year of secretary, he's in his last year as secretary and at the time deputy secretary of treasury when atf was under him. he established a 24/7 internet communication network. prior to 2000 countries in order to talk to each other by computer had to piggy back on the international air travel reservation system. it cost them money to get on that. just like a travel agency, you'd pay by the minute to be connected to saber. so a country like sudan, for example, they would log into that system for about 15 minutes a week. turn it on. the meter is running. they would download all the answers, turn it off until next week. by creating it, it's a private network. it provides the encryption keys to the 190 countries.
9:10 am
if you have internet access and the encryption key, you can access their system. they do not pass classified information so you're not giving away the keys to the kingdom. but it enables the sudans of the world to basically be on there much longer. they may not have a 24/7 law enforcement. they might be on only 9:00 to 5:00, monday through friday, but it's better than 15 minutes a week. most recent example if you heard about the girl that was rescued. she was begging on the street. she was rescued about three weeks ago. and dna proved that her parents were not biologically her parents. police could not figure it out. they had no clue as to her identity because she was abducted as an infant. huge worldwide organized crime networks engaged in human trafficking and it's from infants to use as black market babies for adoption to infants being used by other organized
9:11 am
crime groups to grow up and beg on the street because they are kids and look cute and can get money from tourists. also sex trafficking organizations, other businesses that use illegal aliens coming into country. in this case they put the messages out. all the details go out over the network. the girl has been identified. the country where she was abducted from has been identified. they do not know the identity specifically of her parents, yes, but the investigation is ongoing with the other countries and it shows that probably her mother sold her when she was pregnant. could not afford her. sold her to an organized crime group who trafficked her to greece. that's an example of how it works. in the u.s. here, it's
9:12 am
administered under the command of the deputy attorney general. their office is here in washington, national central bureau. have about 120 full-time employees from 22 different agencies because we in the u.s. do not have a single national police agency contrary to what some fbi agents think. but the ncb washington is part of networks and deals closely with it. we rely on our relationships around the world. but other countries do not have the ability to have that. interpal is their life blood communication system to every other country in the world that's part of the network. >> thanks, tom. any other thoughts here? >> how many of you have heard of the sook agreement? okay, one person. this agreement covers under
9:13 am
which conditions the united states can access bank data and under which conditions the eu will provide the data to the united states. and that is intended to fight terrorism and organized crime. fortunately in light of the reports about the programs run by nsa, the eu decided to suspend the agreement. so i think that's pretty concerning, especially in light of the fact that organized crime keeps a lot of money in several european banks. >> thank you. yes? >> the nypd is lucky enough to have resources. most local police departments don't. but as we talk about the international nature is just central part of the problem.
9:14 am
and in light of september 11th and the threat of terror to the city, i think it's worth noting that the police department has 11 detectives stationed overseas who work closely with local law enforcement in the 11 countries in order to understand the conditions in those countries because they may well directly impact new york city because of diverse nature of our population. that international part is a key part of our efforts. >> two last questions for the panel before opening it up to the audience. if we look now to substance in the national scene. what might be done to deal with this that is a substantive problem, that would enable us to more effectively deal with this nexus? >> i think the legal tools and the laws that are available should always be looked at.
9:15 am
we talk about the rule of law and the ability to combat these things. the sometimes crisis action that takes place. new york state has a serious problem in the terrorist statute they passed september 13th, 2011. it's kind of a mess. it's way, way too restrictive. it makes it extraordinary difficult to prosecute terrorist cases in new york state and a lot of good statutes available in the federal system. it's a minor point. but larger point is it's important to kind of examine the laws on the books to see what can be improved to combat the problem. >> i can add another point to that. that's an ongoing situation of stupidity on the part of our government. that is sequestration. much was made about the government shutdown and the potential about not paying our
9:16 am
bills and all of that and the crisis has been averted, for 90 days. the crisis isn't completely averted because i can give you an example. since last year the fbi has a hiring freeze. it's had $750 million cut from the budget. through attrition is downsizing by 3,000 positions. you haven't heard a word about that publicly. we don't hear about the other federal agencies that are affected right now by sequestration and by the inability of our policymakers and i'll blame congress and the white house and everybody included to allow sequestration to continue without a thoughtful process, there was a thoughtful process that went into the budgets of these agencies. i have been involved in budgeting for years and the strategic plans and the thousands of pages of justification when you submit your budget, what the problems are, why you need the money, how you will use the money.
9:17 am
all of that is out the window when we just arbitrarily take agencies and just cut them. that's occurring right now. so again, what is the agency sacrifice? is it going to sacrifice food stamps, cigarette smuggling and the other criminal activity, narcotics trafficking? yes. that needs to be brought to an end. >> tom, thank you very much. very fundamental point to be made to us. let me shift to the last question and that is simply the counterpart to the last question, but internationally. what, if anything, needs to be done substantively internationally? and as part of that, has this issue ever been taken to the security council of the united nations? what are the possibilities if we took it to the security council? what is the level of cooperation that might be improved? are there new treaties needed, et cetera? thoughts on that? >> one of the biggest problems you have internationally is the fact that money laundering is not illegal in many countries of the world and there are a lot of
9:18 am
countries that virtually sell their sovereignty to allow money laundering to occur. so that's one issue that i don't know how it can be solved because it's an issue of sovereignty. the united nations is chartered to paragraph four. but there are other things that could be done, global asset forfeiture is something we could work on. we have had some experiments of -- and tom can address it better than i, but for example, in hungary we have had fbi agents working with the hungarian national police to shut down organized crime in hungary, which was remarkably successful. so there are a number of things that we could do on an international scale that we do here in the united states. we could work more closely and we could also institute a better way of international investigations, not just the
9:19 am
communications, but has gone a long way towards international investigations within the european community. >> i could add one more thing to that. relating to sequestration, among the discussions occurring at fbi headquarters and on the hill over the last six months has been the tremendous expense of having the fbi in 76 offices overseas including i had agents assigned at interpal headquarters at the u.n. headquarters in new york and a number of these agencies. among the discussions was to either eliminate or cut by 50% the fbi's international offices. again, another act of absolute stupidity. i would like to go on the hill and argue anybody that raises that issue and tell them how stupid that is and why we need these relationships and
9:20 am
representations and how every day it affects u.s. and helps u.s. national security. and an example of that is that a particular u.s. senator i won't. name landed once in a foreign country and was greeted by the fbi agent there and his remark was i guess the fbi, the sun never sets on the fbi. and the agent was very polite and everything, but he could have easily replied the sun never sets on u.s. interests either, pal. >> any other thoughts on that before i open it up on the floor? >> i can't top that. >> i have to say this. we have a lot of agreements and initiatives, i had to talk the
9:21 am
americas with the americas. i'm very concerned as to how the money is being used to help is being misused. and where the demand is going. a lot of money has been lost. and more concerning to me is to see that a lot of people that we have trained to combat organized crime, they themselves have become the supporters, the promotors of organized crime. and then we end up doing what, extraditing them and trying them here in the united states because they knew the how and they knew who to communicate. i'm very concerned and i think we are wasting a lot of money and we need to pay attention as to how the money is invested. >> thank you very much. the floor is now open for questions.
9:22 am
if you would please state your name and question and. you would like to address it to a particular member, please do that. yes, sir, right here. >> this is for all the panelists. my name is greg golden with the security administration. over the past several years a number of u.s. jurisdictions have established fusion centers, which are intended, in part at least, to put law enforcement and intelligence analysts together. could you comment on the effectiveness of this approach so far and give us some idea of what kind of institutions nationally and internationally could be built on that foundation going forward? >> well, the fbi has two types of fusion centers and dhs has
9:23 am
yet another one. and they have basically different functions. the fbi has the joint terrorism task forces before 9/11 i believe there were 34 in existence. today there are 103. they have been a tremendous success story. building on that, the fbi has built a field intelligence group, which are more analytically oriented, which are more operationally oriented. the best of my understanding, i have been away from the fbi for awhile now, but they have been equally successful. the homeland security fusion centers have basically have a different focus and i'm probably going to do dhs a disservice here, but what they basically do is they work more with the politicians, the mayors and the governors to help them understand what the problems are in their area so they can take
9:24 am
the actions on their own. could that be done on an international scale? the problem that you have is basically the problem of the piece of failure from 1648 which says that everybody is sovereign and it's incorporated in article 2, paragraph 4 of the charter. territorial integrity and political independence of every country is sacrosanct. if you carry an fbi agent were to go to great britain and couldn't take his gun with him because that would be an act of sovereignty there. that's the sort of thing you have to get past. it wasn't until margaret thatcher was the prime minister and president reagan was the president that they allowed the
9:25 am
secret service to be armed when the president went there. so that's what you're looking at. could it be overcome? it can. if a country wants to sacrifice its sovereignty, as basically hungary did at one point, and there are other sort of instances than that. the spanish have the agreements they can search on the high seas without asking permission, so some of this can be done, but it's quite difficult if you want to preserve the idea of sovereignty as incorporated in the united nations charter. >> if i can add, having been in charge of trying to set up fusion centers at the state and local level when i was special agent in charge of indiana, one of the difficulties is for doug
9:26 am
in new york city, there's no trouble convincing new york city police there might be a terrorist threat here, they might try to attack here, really. but if you're in other parts of the country, the police there and the governors and the mayors will say, you know, we're worried about mexican drug trafficking organizations and drugs brought into our junior high schools or high schools. we don't think there's going to be a major terrorist attack in our territory. why should we, in their view, waste police officers on a fusion center to address federal or national security issues and the fusion center in turn isn't going to address what we really care about at the state and local level. so that's part of the difference with local fusion centers. the local jurisdictions out in the rest of the country just may not think it's a wise use of their resources to devote investigators and analysts to the national programs or fusion center program if it's not going to also address their local issues, too. >> next question. over here. >> thank you. i'd like to pursue a question i actually started yesterday and directed to mr. fuentes, your
9:27 am
remark about keeping your eye on the ball and not swinging in the pendulum in response to crises pursuing routine criminal investigations and criminal activity is not only an important task in its own right, but may lead to greater discovery in respect to international crime and terrorism. the question to you, do you think that the fbi's morphing into an intelligence agency focused on c.t. and issues related to it has, in fact, encouraged the -- encouraged taking the eye off the ball? >> to an extent, yes. but since 9/11, 50% of the fbi agents out there are working criminal cases, so the increase in counterterrorism and national security related investigations has increased as a percentage, but not completely. so criminal investigations are
9:28 am
still ongoing, but the thresholds to work many of the, you know, perceived white collar crimes are not. and in terms of initiatives or new programs, when you're on the hill trying to justify something, again, much of the focus is going to be counterterrorism as opposed to other benefits that come. i'll give you a quick anecdote, i opened the fbi office in beijing, china, in 2002. at the time i was lobbying for that opening, we were working organized crime together with the chinese, intellectual property was beginning to be worked, human trafficking was beginning to be worked together. when i lobbied for that office, the questions i would get from the hill was why -- there's no counterterrorism there, there's no jihadi organization, there's no south american drug cartel, there's none of the threats of organized crime in china that we worry about in the middle east.
9:29 am
i said, well, we still need this for a variety of other u.s. interests. two years later after we opened it, in 2004, a human trafficker at the mexican border walks into fbi laredo office and says, i have just trafficked four chinese terrorists across the u.s. border, and this was a couple months before the democratic convention in boston. they are on their way to boston to commit a terrorist act. wow, you know, this gets disseminated, bulletins, be on the lookout, lock down boston because four terrorists en route that we know of. we sent that message to the office in beijing. they go to the ministry of public security who administer police officers to where the four people were from. we did have their identities because the trafficker has their documents. 48 hours later, chinese government comes back to us and says, they are not terrorists, they were just your typical peasants trafficked by the snake heads to the west and these four people coming out of the rice paddies in that providence
9:30 am
wouldn't know confucius from bin laden. so within 48 hours, the threat to massachusetts, boston, and the convention was completely eliminated. the thousands or millions of man hours that would have been wasted had it not been them giving us that investigation, they maybe still be standing on the bridges. maybe they would have prevented the marathon bombings by being there looking for the terrorists, but that was a tremendous savings. in my view, putting other analysts in beijing paid for itself in savings to u.s. taxpayers because of being able to resolve an issue of terrorism when there was no intent or knowledge that that office would be a key player in the war on terror. >> next question. yes, sir, here. >> john duncan, florida a&m university college of law.
9:31 am
we talk about the chinese and japanese russian mafia here in the u.s. how about our u.s. gangs possibly overseas, and i'm thinking not only cooperation with other gangs, but also the national security impacts back on us. and because i say, you know, a lot of the new millionaires will be in china and russia and that's where the money is going. >> anybody like to take on that one? liz? >> yes. we have -- organized crime today is transnational. it's not just one-way street. it goes both ways. and, yes, we do have our own gangs, the biker gangs, and also i may add that ms-13 and churchill are also gangs. so, yes, we have that threat also to other countries.
9:32 am
and it is a vicious circle, because it comes and it goes, it comes and it goes. as you well know, ms-13, they just go to central america, come through mexico, human trafficking, trafficking and weapons, trafficking and drugs, and the circle goes back and forth, back and forth. to the point that some of them say that they sometimes get caught because they know they are going to be deported and that allows them to have a free trip back home and just come back again. so, yes, we have that problem. >> okay. other thoughts on that? if not, let's open it up to another question here. yes, lady right over here. >> i'm dennis lair with hogans law firm. my remark is addressed to commissioner maynard.
9:33 am
i'd like your personal opinion, not that of the department, whether stop and frisk will be sustained, and if it is, what action the mayor will take. >> well, i'm not sure it's appropriate to give my personal opinion. i'm not also sure i understand the question, to be candid. there was a major ruling yesterday, i don't know if that's what you're referring to. i can't predict what mayor de blasio will do if he wins. personally, to give you my personal opinion, have hope that opinion if he wins the election upon realizing that he is responsible for the management of the city, that he will realize that it's in everybody's interest, including his own, to be able to manage the police department on his own without
9:34 am
the interference of a federal judge. i don't know if that addresses your question. stop and frisk is a pregnant topic. people use it with very different understandings of what they are referring to. i think we all know it is a standard, traditional law enforcement practice. it's done that way in new york city, like every other police department in the country. we believe it's done constitutionally and properly, and i don't think that will change. >> another question? i think there was a lady here. yes. >> hello. katherine from the treasury department. first of all, i want to say thank you for your courage and dedication. it's much appreciated.
9:35 am
quick comment then a question. the agreement only covers terrorism, not organized crime, but luckily, not for treasury, but for other people, on the same day the european parliament voted to suspend the recommendation, voted to recommend suspension of the agreement, they also passed a piece of legislation recognizing asset freezing and expansion of resources into organized crime networks. so that's very good for organized crime, not so good for treasury, in the area of terrorism. good in the area of organized crime. i did actually have a question about corruption. i think corruption is a very big issue. as mentioned, treasury has a robust transnational organized crime asset blocking program, but, you know, you can only do so much just solely from the united states. you want to have transnational partners, you want to have
9:36 am
people in country you can partner with and work with, but the problem is, of course, who do you work with? who is your natural partner? you can offer technical assistance, but who do you offer that to, and is that really the appropriate assistance? i would appreciate any of your thoughts on how to tackle corruption in sort of practical cases or lessons learned that you guys have had. thank you. >> tom? >> i can comment. what a great question, or couple questions. i think first before i get into the answer, it would be to recognize the difference between the united states and almost every country in the world, and that is, in our country, you are not immune from prosecution if you're a public official holding office. in the rest of the world, that's not the case. you look at some of the wealthiest countries in the world, including developing countries with oil and gas and other mineral resources in the ground, if you're a public official, you have immunity from investigation and prosecution while you're in office. so what they do is they take the money that they get through corruption, send it overseas to a safe haven, and as soon as they leave office, they join their money and spend it in the safe haven or somewhere else in
9:37 am
the world. the country is victimized while they are in office by bad governance, and while they are out of office, the fact the money is gone from their country. at least la cosa nostra spent the money in the u.s. that they made. in terms of your question about dealing with the officials in that country, the problem is that they may be the only officials. so now you're trying to deal with an administration in some of these small countries or developing countries, even larger countries, where you have no choice. and as long as that country allows the people in office to have that immunity, you really are going to have a difficult time ever getting rid of corruption, and if you don't get rid of corruption or at least neutralize it or reduce it, you're not going to get rid of organized crime and the other threats. now you'll notice, and the reason this is so important, is
9:38 am
if you look at the united states, you look at the corruption cases, and again, the fbi has primary jurisdiction for corrupt public officials, if you look at it here, if the republicans are in power, the republicans are in a position of power to hand out contra, to do other things, and some people within the republican party will take advantage and steal and the fbi will investigate and put them in prison. when the democrats are in power, they have the ability to have a lot of influence to control committees, to do other things, that help steer contracts to their pals. so really, this happens both ways. what i'm saying is, corruption is an equal thing and also, by the way, public corruption and greed is not, oh, those chinese are greedy, or those guys over here in nigeria. no, it's a human nature phenomenon.
9:39 am
we have as much corruption in this country as any country in the world or culture in the world, it's just this country does more to take it on than anybody else in the world, so it's an important factor, but you almost have to deal with who you have to deal with overseas. that's the problem. >> okay. another question? yes, sir, gentleman back there. >> if drugs were legalized and taxed, would it -- >> could you state your name, please? >> sorry, michael jabra, i'm from los angeles. and if drugs were legalized and taxed, would it damage organized crime by taking away some of their revenue and allowing law enforcement to go after other crimes such as human smuggling and international property theft? >> well, certainly, it would change the pecuniary status situation there. there's been a mixed message sent for places where drugs have been legalized. in canada, there is medical marijuana that's permitted and the canadians say that organized crime is taking advantage of the fact that there is medical marijuana permitted and they are setting up grow facilities and things like that. in the netherlands, there's been a substantial loosening of drug issues there, but the interesting thing is, it has brought in a lot more illegal drugs in the netherlands since
9:40 am
they've had certain legalized marijuana to the point that starting this year, the netherlands prohibits any foreigner from going into their pot shops. the czechs have legalized a significant amount of drugs recently. what it has done is allowed the police and the official resources of the czech republic to sort of focus their efforts elsewhere, but it hasn't done much for the drugs at all. and in poland, i believe it is, they actually have a fairly success story of legalizing drugs and things getting better there. so i think it's really going to depend on the society that you're looking at. you know, if you have a society as large as the united states and you legalize drugs, you know, you're probably going to change the way the money flows, but it's not going to get rid of organized crime. it will just be operating in a different way. >> other thoughts? luz? >> yeah, i think that will do zero. yes, because of what spike said, but also just look at how diversified the portfolio of organized crime is today.
9:41 am
i mean, they don't need to rely on drugs, illegal drugs, alone. yes, if they were going to be legalized, look at the pharmaceutical industry. a lot of the drugs are legal, but they've been pirated, counterfeit, organized crime is making a lot of money out of it. so i think that legalization, per se, is not the solution to organized crime.
9:42 am
i think corruption, we need to tackle corruption. >> and one more comment, i think that, you know, the problem is already been created that organized crime, particularly in latin american countries, has been able to make billions of dollars trafficking marijuana and other contraband, other drugs and other contraband materials. i don't know really how successful we would be, and i would agree with luz about the success that might or might not happen from legalizing marijuana. the example i would use is that when alcohol was legal in the united states, you did not have la cosa nostra involved in any great way. they did gambling, prostitution,
9:43 am
their normal knuckle-dragging racketeering things, but they were not large-scale threats that they became. when prohibition goes into effect, it's a bonanza. they make billions. it creates the al capones and the rest of la cosa nostra in the united states getting involved in the importation or production of illegal alcohol and the speakeasies and network to consume it. when prohibition is eliminated, too late to eliminate la cosa nostra. they have now become a powerful national organization. they have now dominated the four largest labor unions in the u.s. and the industries affected by those unions. they have now corrupted public officials at police and regulators and all the way to washington. so the elimination of prohibition didn't eliminate the mafia growth that had been allowed and created and able to flourish was then entrenched. now they could move to other things, other aspects, to make
9:44 am
money. and it was too late to take them out then, and it's taken, you know, 75 years of coordinated effort and sustained attack to reduce them now. and we have been successful in reducing them. and the example i would give is, if you watch "godfather i," it is an accurate depiction of cosa nostra's power and control in the u.s. in the '40s, '50s, and '60s. it went from "godfather i" to the sopranos arguing over vacant lots in newark, new jersey. that reduction from 26 national families down to a handful was significant, but it took 75 years to do it. and really the elimination of prohibition didn't weaken them. it was the continuing attack later that did. >> robert f. turner?
9:45 am
>> i'm bob turner from the university of virginia. i want to follow up on your comments on la cosa nostra. hollywood often portrays them as great patriots who will rally to help the country. recently i heard a story about how helpful they were right after the 9/11 attacks, and i wondered if one of you might want to address that. >> i don't know the particulars, but i do know they were involved in the rubbish hauling and corruption and taking the remains of people to places where they couldn't be found or sorted, so really grotesque criminality and corruption of the grossest level. >> i can speak to that. i was running the organization of the fbi at the time. in our organized crime task forces, which go back decades, preceding 9/11, so many task
9:46 am
forces, organized crime terrorism, were in place for many, many years. the day after 9/11, we have our very patriotic la cosa nostra members in new york saying, you know -- i'll leave out the expletives. those feds, they took us out of waste hauling, construction, the laborers union, which was involved at major construction sites. they does all of this damage to us over the last 20 years, but now the reconstruction and the knee-jerk reaction after 9/11, we're back in business. we're going to send people to washington, we're going to try to go after the no-bit contracts. we're going to go after, as doug mentioned, the carting, the waste hauling of the debris. one of the things that happened after the media responds to ground zero was then to be just putting the material, the raw material, into dump trucks,
9:47 am
taking it across the river to new jersey to landfills, where teems of police and fbi agents like prospectors were sifting through the debris, and i won't tell you the type of materials that came out of that, human and other, but immediately these guys were talking on the wiretaps, we're going to send that to our landfills, we're going to get our hands on money and jewelry, they didn't want the body parts, but the other material that would benefit them financially. and there was a huge argument after 9/11, who owned the debris, the insurance companies, you know, who was really the financial victim at ground zero? so that caused us to put gps's on the trucks and monitor every single truck to make sure it didn't deviate by ten feet from the route to the designated landfills where it's supposed to go. that's your american la cosa nostra thinking all these years we got put out of business, but now this is fantastic, we're going to make money again. >> okay. i'm going to ask the last
9:48 am
question, kind of double-barrel question as to two possibilities for substantiative intervention, and that is, first, we saw in putting the ku klux klan out of business, or largely out of business, that civil litigation played a very major role. should we in some ways, or have we already done it effectively, unleash civil litigation against organized crime? and the second question is, one sees in looking at the sources of criminality and money raising that kidnapping and the paying of ransoms is a very significant part of it. should we be more effective in seeking to criminalize the payment of ransom to these groups, and what is the comparison there in relation to what we've done on terrorism? anybody like to address any part of that double-barrel question? >> i'll take a shot at the civil litigation. i think if you can create a significant financial incentive,
9:49 am
you'll get plenty of civil litigants. that's always the way. and i suspect the challenges whether anyone thinks they can collect for a claim. i'm sure there are a lot of claims out there and often people do sue terrorist organizations. the federal government can be effective, too, but the challenge is always finding and getting your hands on the assets. >> i could add to that. professor blakey at notre dame would be very proud. he wasn't proud because nobody used the statute until he went around and said, hey, look at this tool. but an example of civil provisions are powerful and actually enable the success of many of the other prosecutions. so, for example, i mentioned that la cosa nostra controlled the four largest labor unions in the u.s., teamsters, laborers, longshoreman and hotel workers.
9:50 am
when those gangsters were convicted, civil suits were filed by the department of justice, removing them from ever being allowed to be a member of a labor organization again, so they couldn't on paper have no-show jobs, or in reality become union stewards or some of become union stewards or some of these other union organizers that they used as fronts to maintain the control of the gangsters. so the civil part was enormous when it was used throughout this period, the '80s, '90s, and since, to remove them permanently from ever participating in a labor organization. they couldn't go back to what they knew best, labor racketeering. >> anybody want to talk about the ransom issue? it's the last issue. >> i'm a little bit concerned with criminalizing the individuals who pay ransom, because you may find a lot of people desperate, a lot of families desperate, trying to just recuperate the loved ones. and, you know, i have problems
9:51 am
with that. i think it's just we will be criminalizing the wrong individuals. >> thank you very much. i'd like to thank this panel for just a superb presentation. [ applause ] >> thank you, john, as always, for a wonderful, wonderful panel. i want to take this opportunity to officially thank the cosponsors of our annual review. we have from the center of national security and the law, georgetown law, in particular, the dean, dean trainer, laura donohue and ray la rosa, who will be running the next panel and chairing it on cybersecurity and its future. i particularly want to thank the center on law, ethics, duke university of law. and charlie, who was on the panel yesterday, who did a wonderful job on the authorization for the use of
9:52 am
military force. and lastly, the center for national security law, which is not only john norton-moore, but a very special person, who is right now has his eye behind the camera, and that's bob turner. these three schools have been extraordinary in their support and development of the area of national security law. so we're going to take a 15-minute -- i want to thank them officially for what they do. i want to thank the panelists for being quite fascinating and i think all the room would love to remain as hostage for you, but we have to move on. we'll reconvene in 15 minutes and have our panel on cybersecurity and the future. thank you very much.
9:53 am
this afternoon, health insurance professionals will look at health care costs and price caps on some plans offered by employers. the discussion is hosted by the alliance for health reform. you can watch our live coverage at 12:15 p.m. eastern on c-span2. mrs. johnson as first lady loved to show off the country and her home. the guests to the ranch would often informally gather here in the den and various heads of state came to visit. we do have a few things that speak to her connection to the room here. one of the things that she wanted to highlight was the native american heritage here in the hill country, and we do have a small collection of arrowheads over there.
9:54 am
she had an eye for copper and collected various items through the years and had gifts from various friends. mrs. johnson gave a tour of the house in 1968 that was filmed, where she featured the china that you see her purchased in mexico. first lady johnson spent a lot of time at the ranch and it was important because it provided such a respite from all the turmoil of washington, particularly later in the presidency, when the johnsons could come home, recharge their batteries, and make that connection back to the land and this place that they valued so much. >> first lady, ladybird johnson tonight live at 9:00 eastern on c-span and c-span3, also on c-span radio and c-span.org. more from the american bar association's annual national security conference. this second panel focused on cybersecurity and the u.s. government strategy to protect americans. it's an an hour and 45 minutes.
9:55 am
good morning again. thank you very much. for those of you, the first panel was a little bit too early in your rhythms, i just wanted to bring your attention to two outstanding breakfast programs the committee has on the horizon. the first one is on friday, november 15th. the keynote address will be by ambassador mark grossman, vice chair of the cohen group, former undersecretary of state for political affairs at the department of state, who will be talking about the diplomatic campaign in afghanistan and pakistan. the second one will be a couple of weeks later, december 4th, wednesday. senior adviser transnational
9:56 am
threats project in homeland security counterterrorism program. he will be speaking on treasury's war, the unleashing of a new era of financial warfare. and one final reminder, when this panel concludes, we have to clear the room, just like we did yesterday, so that the hotel can set up for lunch, about 15 minutes, then we'll come back in and start our lunch program. it gives me great pleasure to introduce our moderator this morning, mary derosa, distinguished instructor, georgetown law. >> thank you, everybody. i'm very excited to be here. i think we have a really terrific panel. we're here to talk about cybersecurity and how we address the significant and growing threat from criminals, hackers, terrorists, anarchists, and other nations who are spying on
9:57 am
us, stealing from us, intruding, disrupting, and potentially attacking our private sector and government infrastructure. i don't feel like i have to say very much about the threat, give a lot of background, particularly in this crowd. not too many years ago, if you started talking about cybersecurity, most of the eyes in the room would have glazed over. and, you know, not that people didn't care about it, but it was technology, sort of unfamiliar, didn't, you know, feel like the kind of national security issues we're used to dealing with, but now i suspect everyone here is paying a lot of attention to cyber and the issues because the threats that we're facing have only increased and increased quickly.
9:58 am
and the efforts to address them are progressing, i think it's fair to say, a little more slowly. so today we're very lucky to have a panel of people whose eyes have never glazed over on the topic of cyber or probably anything else. and these people have been thinking about cyber intensity. in many cases for many years, way before it was cool. so really the collective experience here and expertise is really impressive. we're going to focus this panel on the relationship between the u.s. government and the private sector in cybersecurity, what are the challenges, where we made progress, where we're on the right track, and where we might need to do some rethinking in those relationships.
9:59 am
so let's get to it. i'm going to introduce the panelists, and then we'll run this as a conversation. the panelists' bios, i'm going to give you some information on them, but there's a lot more impressive stuff in them, so please, read them in the materials. i'll start with leonard bailey. leonard is a special counsel for national security in the department of justice's computer crime and intellectual property section. he was also recently an associate deputy attorney general and responsible in that capacity for managing criminal and national security cyber policy for the department of justice. he's had a long career in the -- in the justice department working on crime and cyber issues. leonard received a j.d. from yale law school and a b.a. from yale law school. steve chabinsky is senior vice president of legal affairs
10:00 am
general counsel and chief risk officer of the international technology firm crowd strike. he's also an adjunct faculty member at george washington university and the cyber columnist for "security" magazine. prior to joining crowd strike, steve was at the fbi for 17 years, culminating in his service as deputy assistant director in the fbi's cyber division. prior to that, he organized and led the fbi's cyber intelligence program. he's also served in the office of director of national intelligence. he's a graduate of duke university and duke law school. laura donohue is a professor of law at georgetown law and director of georgetown center on national security and the law. she writes on national security and counterterrorism law in the
10:01 am
united states and the united kingdom, including on emerging technologies. professor donohue has held fellowships at stanford law school center for constitutional law, stanford university center for international security and cooperation and harvard university's john f. kennedy school of government, where she was a fellow in the international security program, as well as the executive session for domestic preparedness. she received her a.b. in philosophy from dartmouth, her m.a. in peace studies from the university of alster, her j.d. from stanford law school, and a ph.d in history from the university of cambridge in england. wow. jim lewis is a senior fellow and director of technology and public policy at csis, where he was nice enough to hire me a while back. at csis, he writes on technology and security and the
10:02 am
international economy. jim has authored more than 90 publications since coming to csis. he's an internationally recognized expert on cybersecurity, whose work includes the bestselling "securing cybersecurity for the 44th presidency." before joining csis, he worked at the departments of state and commerce as a foreign service officer and as a member of the senior executive service. he received his ph.d from the university of chicago. and last but not least, we have daniel sutherland, who is the associate general counsel for the national protection and programs directorate of the department of homeland security. in this capacity, he is the primary legal adviser to the undersecretary for nppd. he leads a team that provides legal services to the office of cybersecurity and communications. the office of infrastructure
10:03 am
protection, the office of biometric and identity management, and the federal protective service. he previously served in the senior national intelligence service at the nctc, and prior to that, he was at homeland security, providing legal and policy advice to three secretaries of homeland security as the first officer for civil rights and civil liberties at the department. he started his federal career as a civil rights attorney at the u.s. department of justice, is a graduate of the university of louisville and the university of virginia school of law, and he's also an adjunct professor at pepperdine and george washington university. so, let's get started. i'm going to start, dan, with you. our topic today is the relationship between government
10:04 am
and the private sector on cyber, a key element of that relationship is the effort to share information between -- to promote sharing between the private sector and government about vulnerabilities, threats, and intrusions. can you talk about what from the dhs perspective, those efforts are trying to achieve and how they are working? >> thank you, i'll try. i'm going to describe some of the information sharing programs that our client administers and that will hopefully set up the other panelists to talk about some specific approaches to those issues. i think information sharing is one of those terms that can make anybody's eyes glaze over. so i'm going to try to put it in plain english to the extent that i can what these programs are
10:05 am
about. dhs has very broad responsibilities in cyber, from the coast guards rolling cyber com to cvp and ice with electronic border searches, to investigating cyber crime. it's central the work that my client, the national protections and programs directorate does. it focuses on increasing the security and resilience of critical infrastructure, federal and nonfederal critical infrastructure, from both physical and cyber threats, making a connection really there. let me just briefly talk about what we do in the federal critical infrastructure, because i think it will help in the discussion some there. our role there can be hands on, direct. we provide technical capabilities to allow other federal agencies to protect and secure their networks. for example, we have a service called cdm or continuous diagnostics and mitigation, which is a scanning program that allows them to diagnose vulnerabilities in their system, how their networks look and where vulnerabilities might lie. we also have a capability
10:06 am
referred to as einstein, which uses signatures or indicators of known malicious activity and when a signature is recognized, it allows the networks to filter that so that malicious activity doesn't enter networks. information from both einstein and cdm then are gathered and fed back into the system so that everyone is learning as we go through. and that gets -- there's a parallel there, i think, to what we're going to be talking about in terms of information sharing. so in terms of the private sector, how we partner with the private sector, we're working with people in the private sector to help them withstand a tax and recover from incidents. let me break that down just a little bit. the first thing is, we help companies understand their risks and manage their risks.
10:07 am
for example, we provide bulletins with information about threats and vulnerabilities that we have fused from a variety of sources and put these bulletins out publicly. you can find them on our website. they are broadly distributed. we also have assessment teams. we help companies assess their networks and make recommendations how they can improve their security. that's pre-incident, left of boon. second, when a company is a victim of an incident, dhs provides help in assessing the scope of that incident and advice and recommendation on mitigating the incident. and then finally, we take information about incidents, we dissect it, understand it, analyze it, then push that information back out to others in the system. again, there's this continuous learning cycle and information sharing really has to be that kind of continuous learning cycle and, i think, provokes some of these issues i think we're talking about. i think it's helpful to think about -- to understand that information sharing is not a monolithic concept, and that produces, i think, some of the difficulties we have in coming to grips with this.
10:08 am
it may seem obvious, but i need to point out, there are different types of information we may want to share and for different purposes. there are different degrees of sensitivity in the information that we have. some classified, some unclassified, and that, therefore, promotes a variety of restrictions, and there are different rules for sharing, depending on who is doing the sharing and who is doing the receiving. and i think we'll discuss that as we go along. so let me just finish by giving you kind of a spectrum of some of the information sharing programs that we're doing. there's a wide spectrum. first, we do work in the area of vulnerability alerts. i just mentioned this. we send bulletins to a broad range -- broad range of people who get this information. as i said, there's even on our public website. the information could be already publicly available but not
10:09 am
generally known, and the goal is to allow a broad range of entities to use that information in developing network security. on the next part of the spectrum is more focused or more targeted information and more targeted relationship. in this context, we often have actual written agreements between us and the entity that we're sharing with. in this context, we share threat information, but we also have taken a step further where we can do what they refer to as operational collaboration. so you're not only just sharing the information, but also sitting and working through issues. we have the national cybersecurity and communications integration center, the n-kick, which is an operations floor, where people who have these agreements are able to sit and liaison and have that kind of operational collaboration. that's bilateral sharing, the term they use which is both back and forth, us government and private sector, back and forth. and having multilateral effects. as it goes to private sector, it's spreading out. so the last part, i'll finish
10:10 am
here, in terms of the spectrum, broad public audience, more tailored narrow audience is a specific audience, program called enhanced cybersecurity services, and this includes classified data. we've negotiated agreements with a select set of certified providers, who have demonstrated the ability that they can handle and protect classified information. the information shared there is more sensitive, obviously. and under this program, those companies are then able to package that information and use it for a broader range of helping others in the private sector to protect their networks and security. so there's a range of information sharing programs, again, for a variety of purposes, with restrictions in data and with different purposes that we're trying to accomplish at the end. i hope that's kind of a good overview of some of these information sharing programs. >> perfect. thank you. i'm going to turn to leonard and see if you can, from doj's perspective and your experience,
10:11 am
can add to that. >> sure. so let me start by saying i submit the information sharing in the arena of cyber is both difficult and necessary. when i say that it is necessary, i say that it's necessary in a way that it may not be quite as necessary in other areas. what i mean by that is, when you're dealing with a cyber incident, determining first whether you have a cyber incident takes information. in other areas, for example, terrorism, you would open a window and you would see a bomb crater. you would see some sort of carnage. there would be some indicia of the problem you then need to address and respond to. cyber is different. the best indicia of some sort of activity we have in cyber is communications. communications that are doing something or affecting a network
10:12 am
in various ways. it would so happen in our legal regime, communications are regulated or access are regulated. necessarily. they touch on first amendment, fourth amendment issues, privacy concerns. you are necessarily dealing with an environment in which you're trying to, as someone dealing with cyber security, gain access to protected data. so we need to get this information to determine whether something is happening. it is in some ways by the force of law made more complex. the complexity is then, to amplify something dan was talking about there for a moment. this information-sharing cuts across different entities.
10:13 am
so you have sharing that has to happen among private entities. by and large the constraints people speak of in that area are largely anti-trust concerns. although i must say we had difficulty talking to industry in identifying exactly what those anti-trust concerns may be when they're actually sharing cyber threat information which is what we are really talking about. then you have sharing from the u.s. government to the private sector. that's something dan was speaking to. a lot of product that is going out to the private sector in an effort to help better protect their own networks. then there is the effort to get information from the private sector so that the government is in a better posture to respond to and mitigate any incident that occurs. of course, that is the area where we find perhaps the greatest difficulty. that's where you have your fourth amendment concerns and again, the web of regulatory statutes that approach that historic communications act,
10:14 am
wire trap act. there are statutes we have set out there to regulate how the government gets information. in the cyber security space where we attempted to figure out how to do legislation, this is a challenge. putting all of this together and figuring how and when those statutes that normally operate give way in the interest of cyber security while at the same time protecting civil liberty. that will be a push and pull for a while still to get just right. i'm something of an optimist. so i'm hoping we made some headway in those discussions in at least identifying certain issues. there are some issues that come out and have been teased out
10:15 am
that relate to things like minimum age and purpose based application made. the difficulty in information sharing is the ability to reach into the soup of data that is content, noncontent, meta data. reaching into that soup and, one, extracting a good image of what it is that might be a hazard you need to deal with. and at the same time identifying what you need to do about that hazard. again, complex, but very necessary. >> great. laura, leonard has raised some of the legal and privacy issues he sees with information sharing. i'm wondering if you could give your perspective on that and any concerns or additional thoughts you have on that. >> thanks very much. so i'd like to broaden this just a little bit to address this
10:16 am
question which is looking at cyber security generally. there are more than 50 statutes already in place that deal with cyber security. the problem is that since 2002, there hasn't been kind of a comprehensive cyber security bill that's successfully gone through congress. the reason this matters is because there are many different aspects of cyber security that need to be addressed. we talked about information sharing and along with that goes protection of the critical infrastructure which dan addressed. dhs' role in that regard. federal information security management act introduced in 2002. it's under pressure and being criticized because it focuses on procedure and compliance. it's expensive. there's a data deluge in terms of federal agencies. they are expecting a 47% increase in data by 2015. there are concerns about the
10:17 am
criminal realm. we've seen proposals to deal with breaches, exposure of data as well as cyber crime. international efforts. emphasis on research and development. there's cyber security work force bills before congress. the point to be made about all this legislation is, even for those of us who follow it fairly regularly, there have been more than 100 bills in three years. in terms of us starting to reach a consensus or agreement on some of the issues, that number annually introduced is decreasing. in the 111th congress there are more than 60 bills introduced. in the 112th congress there were more than 40. in the 113th congress there were over a dozen. we see the actual volume, thank goodness, it's starting to taper a little bit. the reason why it hasn't been addressed yet, and there hasn't been broad agreement, in part, turns on this information sharing and protection of critical infrastructure question. there are four concerns here.
10:18 am
first is the legal barriers. there are myriad statutes in place now that protect privacy and would have to create barriers that would have to be overcome for information sharing. they range from communications privacy, children's privacy, privacy of financial information, privacy of government collections, medical records, confidentiality and so on. many of these could actually be changed or amended, but then you're still left with the constitutional concerns that present. there are first amendment concerns about protection of speech. associational privileges, political privileges related to that. anonymity in public space. there are serious fourth amendment issues. perhaps we'll talk later in the panel about how the fourth amendment concerns come down in light of emerging technologies and what appears to be on the supreme court growing tension between trespass and those who
10:19 am
come down using application of the reasonable expectation of privacy. fourth amendment concerns, fifth amendment, due process concerns. ninth amendment issues. there are a number of constitutional issues that come up. there are in addition to the legal barriers the second major is concerns of liability and misuse of this information. there are various proposals. the third is trade secrets and propriety information. finally, institutional and cultural factors that relate to secrecy and confidentiality in terms of doing business. there are a number of solutions considered. so far we haven't had a comprehensive bill that has managed to make it through both houses. it doesn't look like we are going to have one this year or
10:20 am
the near future either. >> great. i want to turn to steve. you obviously in your current capacity have a window into the way the private sector views a lot of these issues. maybe you can comment on information sharing programs that we've been hearing about from the private sector perspective. what are the concerns? >> i think the predominant concern is a question of why we're sharing information. what is the strategic value of information sharing? there might be some tactical advantages here and there to the information sharing you heard today. it's on the margins. so what we hear a lot, i would
10:21 am
kind of equate it to selling vitamins, exercise programs and band-aids. nothing is wrong with any of those it. like them all. i take my vitamins. don't exercise as much as i should and use a band-aid when i get a cut. but we are not in that environment. we are being hit by nation states and their intelligence services and militaries, and extremely organized crime groups. this is not a resolution for vitamins, exercise programs and band-aids. in fact, what you'll find is that it's really not a resolution for victims to constantly be playing defense and shoring up their systems. it's just not possible. it's never going to be possible for an agency or a corporation to become impenetrable to the vast number of threats we see today in our interoperable dynamic environments.
10:22 am
it might be possible if we bunker down and didn't connect to other systems and we retained static environments. that's not the situation we are confronting here. so what we are seeing is a failed strategy where our security gets worse every year because we've been predominantly focused on vulnerability mitigation. we've been predominantly focused on information sharing, in which the government warns the private sector to kind of hide under the table, to lock the doors. when that doesn't work, there are more warnings. the private sector is looking at the government saying, i don't mind being warned, i like being warned there's incoming, but i had hoped that while you were warning me, you were actually going after the bad guys and taking them off the playing field. whether you're in school and you have these drills, that's a bomb drill in the old days, right? that's okay. i could hide under my desk for five minutes, five hours, maybe five days, but it's been 15 years. so come on. this is not going to get better. the problem is we haven't put our resources into threat
10:23 am
deterrents. in the real world, we would never operate like we are operating in cyber where we constantly victimize and revictimize the victims and tell them they haven't done enough to protect themselves, constantly having information for protection we see has very limited return on investment. at the end of the day, if we don't change the playing field for threat deterrence, to make it so the bad guys can't keep trying and trying with no negative consequences, this is the way it's going to end every time. so we do need environments where information sharing is fostering a new strategic paradigm that focuses on better detection, early detection of the bad guys, better attribution, figure out who they are and real penalties. so that when the government actually knows who the bad guys are, they can do something about it. we can't be in a situation where the government has all the information it needs to say exactly what foreign country or countries are robbing our
10:24 am
industry blind, and then ten years, 15 years later it's the same or worse situation. you cannot allow that environment to continue. so we need a complete shift over threat deterrence. atry -- attribution does matter. penalties do matter. when you think about the real world, we don't go around trying to become impenetrable. our places of business, we have locks on doors, locks on windows, but after a while, if there are break-ins, we shift to threat deterrents. we have alarms and cameras. they shift the burden away from the information and make information sharing about going after the bad guys. the alarm is early detection. video is for attribution. the monitoring company calls the police, not the locksmith. the idea is we know you can get in, now it's about you. it's not going to be constant costs and constant warnings.
10:25 am
you don't want the police to say somebody is going to break into your house in five minutes, get a better barricade. that's not how it works. i am quite puzzled at why we haven't made this realization that we have to differentiate what we are going to protect. how to protect it, have threat deterrent models as predominant. keep doing what we are doing on the vulnerability mitigation side the same extent locks on doors, vitamins, band-aids and the like. we are hemorrhaging right now. it can to the be the case when you come and see your place of business completely raided, maybe your integrity of your products are changed, you might not have availability, that the first question is how do i clean this up, what is my patch management strategy? the question has to be why is someone coming after me and what are we going to do about that? i think to myself of the "godfather" movie. you come home one day and find a
10:26 am
horse's head in your bed. your immediate reaction is not how am i going to clean this up? so that's what's happening here, right? it's quite preposterous. why is this happening and how are we going to change this? what i hope changes over the next few years is that we really need to stop victimizing, further victimizing victims, increasing their costs to really no metrics of success and short shifting towards threat deterrent models and the governance and penalties that will require. >> okay. i had some more questions about band-aids, but i think maybe we should, since steve raised this very interesting and important topic now, i'd like to get, leonard, your response and hear from jim and anyone else in response to what steve just raised. >> much wisdom in what steve
10:27 am
said. the one thing i would say is that, i mentioned earlier cyber security is hard. it's a multidisciplinary problem. it cuts across private sector, government, it's international. i think the challenge we've understood in the last few years is we have to be able to walk and chew gum at the same time. so while we are doing all the vulnerability mitigation activities, we obviously should be dealing with the threat actors, removing those threats. we should be on the prevention side building safer, more secure software and hardware that doesn't invite intrusions, right? we should be able to on the back end mitigate and recover from incidents quicker because we are not going to prevent every incident that happens. being from an enforcement agency, department of justice, i would -- is anyone from congress
10:28 am
here? the notion there would be more, resources towards actually going after threat actors would be something we would be very much in favor of. i would also say we do, in fact, go after actors. we enjoy greater success in the international realm. we are getting large-scale data breach actors in eastern european countries. we are gaining cooperation with countries in doing the prosecutions and also obtaining them for prosecution. the only thing i would take issue with is there isn't threat mitigation activity happening on the other side. there is much to be done there. again because of the complexity of the networks and what it they work and availability to get information in international environment. that work is, in fact, occurring. again, i would be very much in favor of going after it in a more concerted way. the one thing i would toss out is we also do know, as steve said this does work.
10:29 am
there was a prosecution of alberto gonzales who was reputed to be one of the most successful data breachers on the planet and still may hold that record. he was ultimately convicted and sentenced to 20 years. when he and his ring were taken offline, according to the verizon data report, there was a international drop, notionable, in data breach activity. we do know going after actors matters. i'd say we are doing that. i would love to do that more. >> i agree with you. >> i told mary not to put me first and i regret that now. i don't do cyber security conferences because for me it's like "groundhog day." there are regular opponents like albert gonzales. they are defeatable. there are measures you can do to defeat them.
10:30 am
think of the high-level opponents, ssb. there are 20 or 30 criminal groups largely in russia that have fsb equivalent capabilities. fsb, russian domestic intelligence service. they're unstoppable. there is nothing you can do. if they want to get in, they'll get in. sharing information, they'll be on your tail in 30 minutes. can you beat that? we have hard set of opponents. you need different strategies for dealing with them. the u.s. has a strategy. it's very touching. i feel glad. it has three parts. it has a diplomatic strategy. it's been published by the white house. we are doing pretty well on the diplomatic side. some of what steve was talking about and the budapest convention on cyber crime. we made good progress on the diplomatic side. there's this snowden turbulent right now, but we'll get over that. the u.s. will be dinged for the
10:31 am
foreseeable future, but we are making -- and we'll talk more about the international stuff later. on the military side we are doing quite well. we are probably one of the three best in the world. that's touching, too. you can read our strategy. it's top secret but you can get it on the guardian website called bbd-20. they get really upset. i don't work for the government any more. we are doing well on the military side. what we've discovered is, surprisingly there is a shortage of resources. we don't have enough bodies that know how to do this. there is an effort to crank out the bodies. the place we are failing is the domestic side. there's a whole set of reasons for that. the main reason is political gridlock. i think you've heard that from all the panelists. this is like our third constitutional crisis in the last century. when we are in these little periods of unhappiness, nothing is going to get done. this congress isn't going to pass legislation. next congress probably won't
10:32 am
pass any legislation unless there is political change. what do we do in the interim? we offer magical solutions. information sharing qualifies as a magical solution. say the formula and maybe it will be better. you don't want to say cyber security, it's a problem, i'm not going to do anything. you say we'll share information. i just told you 30 minutes, you're going to beat that with information sharing? i don't know you're going to implement it either. when you talk to people what's changed? this is starting to get board attention. that's been a goal for many years. it's getting attention. talk about eyes glazing over. it's still difficult. i talked about one investment firm in new york. the ceo said i don't want to know and i don't care. if i make my mark and make the money i'm expecting to make, i don't care if somebody else makes money. when i told them they were listening to a cell phone, what's this guy doing on his cell phone?
10:33 am
you have that sea level attention. board level attention that. will change things. information sharing. some of the obstacles developing a private response. i'm not holding up government as an exam particular of anything at the moment. there is a real reluctance to share information among companies. there was an s.e.c. ruling last year promoted by senator rockefeller that basically said people when something bad happens, people have to tell. the response from the companies was define bad. it turns out nothing bad has ever happened. i am relieved to hear that. the issues that come up are legitimate issues for companies. the ones you're familiar with. liability and risk. there is a risk to shareholder value if you report a significant loss of intellectual property, a significant loss of financial data. i know these have occurred.
10:34 am
how i do know these occurred hold on. because nsa spies on other people. we see what other people collected from american countries. the law prevents us from saying here is a big bank, they lost this amount of money, we saw it, but we can't say anything. the public debate is misinformed in some ways. the scale of loss has not established that precisely. there are legal obstacles to information sharing. you heard about that. don't know about the anti-trust. all the companies say anti-trust. don't know how true it is. the privacy obstacles are more important. there are a few sectors that have made some progress. i look at financial services and telecom. they made progress because it's in their business interest to do better at cyber security. other places, very little progress. so easy an energetic 12-year-old could be a good cyber attacker. i had some unusual experiences this year. the one most unusual for me, was a big international conference.
10:35 am
when did we have the shutdown? october 17th. in asia and there were 90 countries there. the first time i saw people expressing pity for the united states. we weren't the feared super power any more. they were feeling sorry for us. hopefully, we can change that. while in this political situation, it's not going to change. until the political change occurs, we aren't going to see progress on cyber security or progress on information sharing. outside of the things that the executive branch can do without additional authority. the only caveat to that would be if there is some sort of unavoidably disastrous event, not a cyber pearl harbor, please, but some big event, maybe involving wall street, maybe involving something like the 2003 blackout, then you'll see congress react. until that time, the classic example is the bill cyber security information protect
10:36 am
act put forward. contrary to what you might read in the press, it's a good bill there is a matching bill in the senate being developed by senator feinstein and i think senator chambliss. the odds of that bill passing, even though it would remove object tackles, the odds of it passing -- it's a good bill, we need it, it has no chance. that might be a good way to end on an overview of cyber security. >> i'm depressed right now. laura, do you want to respond? >> i agree. i don't think it's going to go anywhere. i also agree that information sharing is being seen as a magic bullet in many senses. this, as steve noted, victimizing the victims. where i disagree is the deep cynicism about congress. it's just we are in an unhappy period and they are not able to get their act together. the reason i disagree, there are very serious legal and constitutional concerns here.
10:37 am
take steve's suggestion that jim mentioned. we have difficult legal questions about covert activity underneath the 1947 national security act, and under what conditions the exceptions dealing with intelligence collection or traditional military activities, planned or operational. the extent to which this falls within that. if it does not fall within covert action, what happens about notification to congress, to which committees? how high does authorization have to go? there are difficult questions there. with regard to the fourth amendment issues and privacy concerns, there are some very difficult questions that have to do with once you have ordered an entity to collect information and deferred it to the government on behalf of the government, under skinner that becomes an agent of the government. you're subject to fourth amendment concerns. fourth amendment issues actually are significant. then there is an elephant in the room which was yesterday's
10:38 am
morning headlines. the nsa is collecting information on industry as well, private information. i think there is a healthy level of mistrust between industry and the government, and the idea information sharing could somehow take place in a siloed universe where nothing wrong would ever be done with that information. exposing the companies to liability or exposing them in some way would occur. i think this ignores the considerable concern that certainly yahoo, google and others are expressing right now about information sharing with the government. >> the one thing i'd add to that is i don't think we have a problem in offensive operations. we carried out offensive operations. what is wrong with these snowden people? why haven't they published it yet? we have carried out offensive operations. some you may have heard of. i was talking to one of the people responsible for these. i said what's the legal thing you do under it? we try to do it under title x, if it's a problem we do it under title l.
10:39 am
we don't have a problem carrying out offensive operations. that said, there is no such thing as cyber deterrence. there are issues congress needs to work on. most are domestic. in terms of our military capabilities, i'm not cynical about congress, i'm cynical about this congress. in terms of our military capabilities, the military is not waiting for happy words from capitol hill. >> leonard, i think you wanted to respond. dan, i'll see if there is anything you would like to add to this discussion. >> i have a brief point to make, which is kind of meta and apology level rather than legal one. i think when i say cyber is hard, having done this for a while, i think one of the reasons why it's particularly hard, i'm sitting in a room of highly educated people.
10:40 am
used to abstract and difficult thoughts, but i would wager that for most of you, everything happens beyond your keyboard is magic. right? where is your information going exactly? what are the underlying communications that happen between you and your provider? having a conversation on privacy and information sharing in this context that is fact-based and rational is very, very difficult. trying to tease out fact from fiction when there are different parties with different interests and have that discussion is very, very difficult. but the fact you have a baseline community, consumers, all of us, who don't exactly understand what we are working with, makes it, again, extremely difficult. much of this discussion about privacy and information is being had in an environment is people
10:41 am
need to tell us whether the information we're leaking is important or not, whether it's private or not. some of it is easy. no one wants your e-mail read if it's not done legally. >> even if it is. >> probably right. there are other aspects of this that make this so hard. just want to toss that, particularly in the information-sharing bucket where we are trying to figure out what information can or should be shared. getting a baseline of what that information is, just what it is is very difficult in a techno-phobic world. >> dan, i have trouble seeing you down there. do you have anything to add on the privacy issues and some of the legal concerns that have been raised? or anything else? >> i think it started was do i have something to contribute to this debate or discussion. i hope there is a point this audience would appreciate my title is associate general counsel, not director of
10:42 am
strategy and policy for nppd. people in think tanks and business where you debate the subjects, our role is to help the client figure out the legal ways to move forward here. i think in terms of privacy protection, in information sharing, the information sharing a cornerstone of it has got to be trust and confidence in one another. so privacy protection is absolutely critical. it's got to be built into the whole project. i can talk about that a little bit more. underlying this whole conversation has got to be a level of trust and confidence and belief in one another. a lot of that does come back to privacy protection we think is a key element that dhs can bring to the table. >> two things. i want to move back to steve's
10:43 am
point about deterrence and look more at what role can the private sector play and can the private sector play a more active role? just before i do that, i do want to because there's just this week the nst released the, the national institute of standards and technology released its preliminary cybersecurity framework and is seeking public comment. this is another element of the domestic strategy, the strategy of the government working, working with the private sector on cybersecurity, and i wanted to get maybe, jim from you to start, the framework is in part a response to a failure of legislation last year. do you think it's a useful effort?
10:44 am
where do you see it going? >> it's interesting because i think at the end of the debate last year, when you speak to individual senators or members, they understand a problem. they like to do the right thing. a few of them are very ideological, we know that from the budget debates. most want to do something. i think they felt a lot of regret they failed to pass a comprehensive bill. the bill had a lot of problems. i know that as well as anyone for a whole set of reasons. behind the scenes after the two votes failed, there was a big effort with senator mccain and others to try and resuscitate something. they were unable to do that. as part of the reaction, the white house in early august decided it would put out an executive order that would use the existing authorities of the president over the regulatory agencies he has control over,
10:45 am
and hopefully influence other regulatory agencies like fcc to set standards for what adequate cybersecurity would look like. that's a good plan. the paragraph you want to look at in the february executive order is paragraph 10. that says once nist develops its framework, regulatory agencies should compare it to existing regulations and see if they are adequate for cybersecurity. please do this by 2015. we are not exactly on what we call a quick cycle here, but it's probably the best we can do. we have to hope that the iranian revolutionary guard is patient. what does it mean? the nist framework. you know nist. i was talking to people working on it at the beginning of the process. you guys, how much have you actually written? they said only 12,000 pages.
10:46 am
what do you do? when there's a crisis, open it, whatever page you open it to. the framework attempts to rectify that. the framework is a concise document for nist, only 44 pages long. it's best to think of it as how nist does things as an annotated bibliography. there have been two major changes they year that will reshape the legal landscape for cyber security. the first is international. the u.n. group of government experts, which i'll come back to. the second is this nist framework. the nist framework inadvertently and much to the shock and horror of some people, creates the possibility of defining due
10:47 am
diligence. if you aren't exercising due diligence you should be liable. that's the path we are on. this has been kind of a goal for more than a decade for many in the field. how do you get companies to say this is what you must do? we are at a point where we can say to people, do these things and you reduce risk by 80% or more. if you aren't doing them, why aren't you doing them? due diligence, liability, that's the implication i think of the nist framework. right now, nist is pretty much done. there is a hand over to dhs. dhs will get to implement this in some fashion. >> laura and then dan. >> kind of a question for you. executive order 13-636 is where this was introduced. rockefeller introduced legislation in july which would make this a statutory requirement for nist. i'm assuming from your remarks you're opposed to that? >> i got a note from rockefeller's staff saying please don't trash us in the
10:48 am
press because we took out all the hard parts out of the bill. hard bills aren't going to pass this congress. it doesn't actually -- they took out the part that may put the executive order into law. i admire senator rockefeller. he has been pushing this since he was the chairman of the select committee on intelligence. he is doing a great job. he knows what to do. he's trying to do it, but i think judging from remarks i've gotten from his staff, he doesn't believe there is a chance. to get any bill passed, they had to strip out the parts that would have made the executive order put into law. >> dan, where do things stand with the nist framework? how do you think it will help? >> i think jim described it very well just in terms of timing. the framework is out for public comment. people are supposed to comment by december. there's been a number of workshops building this over time. it's not a surprise to anybody in private industry. then it will be issued finally
10:49 am
in february. if i could expand on it just a little bit, another angle to it is that in this environment where congress is not able to pass legislation, the president's decision as jim mentioned was to try to encourage federal agencies to do what we could under current authorities. nist developing this framework is one way that we could make a contribution essentially trying to establish a set of industrywide best practices that would allow people to see where they need to be shooting to. at the same time, another part of the executive order asked several agencies including dhs to try to think through a set of incentives that could be developed to encourage adoption of that framework or framework like it. in an absence of regulation, how can we incentivize that type of behavior? that was issued by, developed by
10:50 am
the different agencies and issued by the white house and report on incentives, which i think is a very thought-provoking area. some of the areas of incentive that were suggested. federal agencies to do and much would still require congressional action. there were areas such as building cyber security insurance framework or industry so that underwriting practices would drive this. maybe leveraging current grant programs. there is a phrase, process preference. if there's technical assistance that certain companies would benefit from that by adopting the cyber security framework that they would have at some level some level of preference for that, liability limitations, streamlining regulations, other incentives. it's an interesting complement to framework of development, how to incentivize people getting there.
10:51 am
>> i'm a huge champion of nist. i think they are incredible at what they do. not a day goes by that we are not taking advantage of something that came out of nist. the task given here doesn't end well for the security role for the reasons we already described. you look at the executive order and what the mandate is. it talks about regulate, regulation, regulatory. it doesn't talk about going after the bad guys. it talks about the government again warning the good guys about the bad guys are coming. you have to tell the good guys the bad guys are coming. okay. then it talks about best practices. this is not best practices for soldering metal. this is best practices in a dynamic environment where your best practice today is to defeated tomorrow by the enemy who pivots and shifts.
10:52 am
what we've seen in the area of security, if you're focused, it's not that good cyber hygiene isn't good. it's in the name, it's good. it's that it's ultimately ineffective or effective only at the margins. no more effective than saying i'm going to have some good best practices for immorality. maybe i'll get a couple of years but it doesn't ultimately end well. the first problem is every dollar being spent on security is not getting the same value it used to. at the beginning you have base layers. you're getting more than your dollar's worth. eventually you spend a dollar, you get a dollar. what we are seeing is actually that's diminishing returns. it's negative returns. as we start building the best practice, the enemies overtake that, which means our efforts actually increased the problem. we are actually spending dollars and making the problem worse
10:53 am
which is hard for good people to accept. when good people and smart people put a lot of effort into something, they can't believe that it's actually making the problem worse. it would be the same as if, for example, somebody said, hey, we have a good way to keep bad people out of this hotel. let's build a 20-foot brick wall because our understanding is that the bad guys can't jump that high. so we spend about $2 million to build that 20 foot brick wall and it works for maybe a week or two. then the bad guy spends $50 and buys a 30-foot ladder. the government pats itself on the back for warning us that, hey, the threat landscape has changed. the bad guy now has a 30-foot ladder that can overtake your best practice. you know what you need to do now?
10:54 am
40 foot brick wall. you see where this is going. at an expense of $3 million for foundational problems and the cost of inflation, i'm going to be prepared now for the government's warning. about the 50-foot ladder that only cost the bad guy 100 bucks. on this constant focus having the victim spend more on an environment that's dynamic, where you can't keep up with it, and where the dollars we are spending are making the problems worse, you would forgive the private sector wondering how this ends. but nist, and this is why i love nist, nist recognizes this issue. when they sought public comment, they asked for comment about metrics of what success looks like in this environment. this he said there is a dirth of metric of success. that was the problem they were dealing with. for example, if i'm getting scanned, my system is being scanned for intrusion, 1,000 times a minute, and i could block 999 of those a minute, but
10:55 am
one gets through every minute of the day, that completely penetrates my system. exposes everything to confidentiality, integrity and availability harms. is that a successful security system? your answer to that matters. because there's no best practice that's going to get anywhere near that but is going to cost a heck of a lot. i am completely on leonard's side. we've got to go on the threat route. we've got to do it better than ever before. our legislative proposals have to focus on that. we have to start thinking about what the role of government is. this might be where you're heading. we talked a lot about the fourth amendment, privacy certains. a very government-centric view of this problem. the private sector through its own technologies, its own market forces, through its own trans
10:56 am
national organizations, including nongovernmental organizations can help define those rules for their own groups. that on this system, this environment, this is what we consent to. these are the rules of the road. we have to start thinking more then about what the government's role is in helping the private sector both at a professionalized and industry level and for nongovernmental organizations that control a lot of the governance of the internet. how we include security in that model. not to sound like a broken record, but i will keep saying this until we shift our strategies toward threat deterrence. i think we have to explore what the value of government is in figuring out what the powers of the private sector are as part of the elements of national power we have all grown to view as government sector. the private sector actually has some of those capabilities as well. using government institutions, whether it's to better enable
10:57 am
them to do civil lawsuit, whether it's to better enable them to have detection attribution that feeds into a law enforcement system, a name in shame campaign that could impact the economy's of nation states and rival companies that are benefitting from stolen intellectual property. we have to start thinking that way. >> laura, you had something to add? >> there are five approaches taken for this information sharing. new institutions are needed. new procedures are needed to do this. substantively you have to limit disclosure of certain information to other entities, indemnity for the companies, privacy concerns. all these are governmental focus. none of them transfer authority power agency to private industry and empower them to actually defend themselves against such threat. >> we would have a lot of fun talking about private sector capability. i was in a meeting once with the
10:58 am
supreme court justice where the google representative said google had the same capabilities of nsa. i said that's cool. i didn't know you guys had nuclear submarines and bus-size collection of satellites. don't underestimate your opponents, please. don't underestimate your capabilities to deal with those opponents. they are not bound by laws. the thing with metrics points, cios and ceos have different metrics. when you go in with a set of metrics aimed at a cio, you are not going to get a sale. the ceo's metric is, is this going to make my company more money? that's the angle you have to take. what we are beginning to see is ceos do this calculation of risk. the question i usually ask now is, does your board have a risk committee? most people say yeah. does your board's risk committee consider cyber risks?
10:59 am
the answer on that one is mixed. that's one of the metrics we can use to see how this is changing. is the board thinking about risk when it come to cyber space? different metrics, and that's part of why this has been such a hard problem. >> leonard, you have something to add? >> one brief point. i always embrace support of my colleague here, steve. one to toss out. concern about the lens that's used. that is, what we see in cyber is at this point it's just another extension of other activities of crime, of spying, but of activities that are constant, that in reality we are not going to eliminate. spying is not going to disappear from other countries. neither is crime. i'm from an agency dedicated to minimizing that as much as
11:00 am
possible. no one, i think, rationally says it will be eliminated. i think in this environment, we are dealing with threat mitigation. we are going to mitigate that threat. we are also dealing with vulnerabilities. vulnerability mitigation. we are not going to eliminate vulnerabilities, unfortunately. the one thought i have on that, in other areas, we agreed you don't drive cars when they rear end they explode, that is unacceptable. having planes that tumble from the sky is likewise unacceptable. having computer hardware that is immediately subject to or vulnerable to intrusion is unacceptable. actually, it's not. we actually have accepted that as a model. we accept that there are updates that are provided to our computers because they, in fact, are perhaps inherently subject ul

74 Views

info Stream Only

Uploaded by TV Archive on