Skip to main content

tv   Cyber Talks Conference  CSPAN  October 18, 2018 1:17pm-2:20pm EDT

1:17 pm
go. give them an opportunity to live. give them something to live on and release them. so the principle of jubilee, that's what i used to say to the segregationists in the 1960s when they were bombing the houses and things and they were trying to say slavery is in the bible. i said, so seven years ago, why didn't you let them go? so jubilee means to restore. you do punish and correct because bad behavior is not good. but the day should come when people are aloud to be restored. it's a biblical principle. >> one last thing. i don't think people understand there's no more parole board. so the parole board used to review people and their progr s progress. and so there's no vehicle. when you're serving life, life means life.
1:18 pm
>> thank you for coming out today. thank you for give. ing me the opportunity to put this together. i hope y'all take some of this information home with you to your communities because it's all about the grass roots movement at home. it all starts at home first. >> thank you, jason. live here on c-span 3, cyber scoop is hosting its day-long conference on cyber security issues and trends. our live coverage counties here in the coming discussions we're hearing from intelligence director dan coates among others. you can watch this and the ea y earlier panels online as well at c span.org or find our live coverage on the free c-span r d radio app. it should be starting shortly.
1:19 pm
>> please put your hands together and give a warm welcome to rob joyce. >> good afternoon, everybody. i want to thank cyber scoop for the chance to be invited and talk. i think if you want to frame the discussions for today, we really need to think about whether doing the same thing over and over and over again is going to get us any different results. there's been enormous amounts of money put into cyber security over the past several years. there's been enormous focus in the technology. yet i think anybody who is looking at the trend lines, looking at the types of threats we're seeing and how the threats are evolving would say it's
1:20 pm
going in the wrong direction. so what do we have to do to change that trend line? i'm becoming increasingly convinced that it's not a technological problem. that the human factors are really the key to getting ahead of the cyber threats. and so what do i mean by the human factors? do i mean that we need to do fishing education? you can point to the stats that say 92% of exploitation today happens because of fisphish. we ought to have smart users and understand the implications of clicking a link from something they don't know, running an executable they didn't
1:21 pm
understand, but reality i us think if you're running an important i.t. system and you can't withstand a user doing a click, you haven't done your homework from the begin ining. why do us say that? because everybody all the some point is going to click something they shouldn't. i'm pretty attentive and also know that given the public persona, what i've got on social media, if you wanted to craft something for me to click a link, i probably would. we need to do that for all our users. if it's not training on phishing, how do i say human factors are the key to cyber security. because i think cyber security starts a the top. it starts with the leadership. it starts with the investment that boards and others put into
1:22 pm
cyber security. it all comes down to starting from the beginning and saying i'm going to have strong cyber security. when you look at the environment we have today, where are we struggling? i'm in government. i know we're struggling. there are pockets of excellence and there are places that my head hurts because of the state of the cyber security infrastructure, maintenance and focus. one company is excellent and another is on the front page for a massive breach that should never have happened. the common factor of all the good and secure companies is that they have taken the time to invest. they invest in the technology, they invest in the people, they
1:23 pm
put the appropriate resources all companies don't need the same level of defense. all government agencies, even all systems inside government agencies don't need the same level of defense. but what they havevaluated the appropriately designed the infrastructure, gotten the expertise, the help at times, it will be the help. and they have gotten the capabilities to defend themselves. as you try to figure out how to be defended, you can look at an industry like the financial sector. they are constantly under attack. they are constant ly seeing people trying to exploit them and take the assets they have. because that's where the money is. for the most part the banks are doing an outstanding job.
1:24 pm
they have looked at the threat environment. they have matched resources to it. their leadership to the ceos to the board and investors have said we are under threat. et we need to invest properly in the cyber security to protect our assets. when you lock at the government agencies, i don't know we have had that same attention to what are we trying to protect and where are we trying to defend. nsa is part of the department of defense. in the department that's a praise that rolls off the lips. everybody talks about equip mission of services. i would ask you is it time we evolve to man, train, et equip and defend. we have to flip the switch to think about the human factor, the leadership, the culture, the that says i'm going to invest in the systems to make sure that in the time of crisis, in the time
1:25 pm
i need to count on them or the peacetime i can't afford the exploitation that they are going to serve me in cyber extremists. they are going to withstand the adversaries that attempt to come at us. and so getting that mind set of man, train, equip and defend would probably put us a little more down the road of looking at where we're putting our informs, how we talk about the resources we're going to put in defense and even how the leadership is talking to their employees, their. troops, their partners about their expectations for making cyber security. you only have to look at technology to understand we are in the middle of growth of the things we trust and connect into the cyber era.
1:26 pm
i look at what's around me whether it's the iphone i carry, whether it's the online services i use, whether it's the companies i entrust with my data or the companies that give me services or manage my finances. i also bring them into my home. i told several folks in d.c. that i am to my wife's chagrin what's known as an early adopter. that means i'm going out and buying the latest gag et and toy and bringing it home and those early cool things are more and more often internet connected. i take care to decide what i'm going to give it access to, where i'm going to connect it to, what ooum going to trust with it. but it's a risk surface in my
1:27 pm
life. whether it's in the sbegs community or any other branch department are generations joining government service who have never known a time now without this in your pocket and their hand. that's a problem for the intel community where et we say, all right, welcome to work. he's the box you put your phone in before you enter the door. they can't work, think and live in the same way they have grown up and even gone through school collaborating, looking up information and connecting to the rest of society. et we literally have put one hand behind their back and taken away the tool that they have expected to use. so as we watch technology invade all parts of our lives even more than the cell phone systems
1:28 pm
we're expecting, but wit move on to internet of things and other technologies. we have to consider how we're going to protect those. and i would assert that you don't do that without the human factors setting the stage to go into those devices and make them secure. thr things like the internet of things. there are technologies like the internet of things that are increasingly woven into the fabric of the environment. small sensors, devices that phone home, things that are smart on the edge of the network that talk to big dataing a gaiters that can be smarter and allow you remote access. i'm thinking about the ability to lock and unlock your house. the ability to go and check your thermometer, but also knowing and being awir of the weather outside and being able to compensation and make smarter
1:29 pm
decisions about how it heats your home. all of those things project risk surfaces on to you. and if we don't have the companies protecting us from the beginning thinking about secure by design principles, having the regular rations that say i want unique passwords for each thing. i want the update to be encrypted so us can trust the software. all of those things are nice to have today. where we won't buy them or the law won't allow them to be sold, i think at that point we'll start to change the curve of this trend line that's been going the wrong way for several years.
1:30 pm
>> the folks coming at us, whether they are coming at our critical infrastructure, coming at our finances. and today that cost benefit questioned is really easy to answer. there's very little consequence to trying something. there's a consideration there that the ability of fbi and other law enforcement to reach out and touch you and put you in jail. if you're in an eastern block country us and able to some, tept to reach out and steal
1:31 pm
money in the u.s., now you have more layers in tweep yobetween actions and the possible consequences. the extradition and the agreements on cyber grcrime mak it harder to put hands on so the risk versus gain determination is skewed. the same thing about the nation state level. today it seems that there are nations who believe that it is in their advantage and there are few detriments to going after things with hold dear like elections. how do we change the international dynamics where they are afraid of the costs. i think we're starting to push on some of those levers to change the cost value equation on that when we use all elements of our national power. we use the capabilities to
1:32 pm
impose financial penalties through sanctions. and we go all the way to using cyber capabilities to contest their ability to go after us on a continual basis. we have to address the issues that are at a threshold short of war and change the cost benefit equation. so i would assert that it's human factors at the bottom of almost all of our cyber problems. we have had the luxury at the big national level to be very safe and secure in our homeland. we have natural ocean, nice neighbors, we have not for generations seen attacks on our homeland soil. that's changed in the internet age. the threat has come to us. so us would awe certificate in closing that we need to change the human factors that make it a reasonable cost benefit decision to come at us in our personal lives and businesses and national security.
1:33 pm
thank you for your time and attention. >> let's give another round of applause. thank you so much, rob, for making time. thrilled to have you join us today. thaf that was awesome. i thought i was so anxious to have him come speak. and he impressed me even further than i us thought i would be impressed. i'm really excited to introduce our next speaker. this is someone who san z an excellent speaker. i told him i think he should consider being a professor because he gives some good lectures. he's going to be talking about flip i flipping the script and changing the game in cyber. he's a senior director of national technology strategy at vm ware. put your hands together and give a warm welcome to robert.
1:34 pm
>> thank you. and thank you all. i us really appreciate the opportunity to speak to you in this venue of all venn use. something that some of you may know about me from my past, but i'll share it for those who don't i was a professional opera singer. this feels very much like home for me. i promise i us won't start singing things, but i really want to talk to you today. the title of this talk is flip ing the script. thinking about security in a different way. ooip going to endeavor in my short time to convince you to think of our fully software defined world as a feature, not a bug, when we consider cyber security. so you have heard a lot of problems through the day. and i'll just be quick on this.
1:35 pm
this is a picture of the castle up in the very north of scotland. this was right near my boarding school where i spent five years up there. and i thought this was a great illustration just o to prove the point visually that our enterprise boundaries are eroded. we cannot rely on these anymore. more over, as i can still see screens, we're all working from everywhere. we're using our own devices, we're connecting to our corporate networks and expecting to be fully functional on any device on any network whether it's apt internet cafe or sitting there, you're interfacing into your corporate network. therefore, the concept of any cou boundary is a falsehood. there's no way us we can rely on that. moreover, i.t. spending is going
1:36 pm
flat. however, cyber spend iing is increasing. you can see it's this green line here. but look at that cost of the cyber breaches. those are going up. so all this money we are spending as an industry to create technologies is failing. and therefore, we want to think about things in this new way. and i think of this as a sorlt sorts of comprehensive top down approach. we want to look at the basics of cyber hygiene and i'll come back to that in a moment. we want to think about a fully integrated ecosystem where there's true collaboration and then to me the sort of powerful aspect that we often overlook is this possibility for a secure infrastructure. and i'm going to start with that. by a show of hands, how many of you know what a hyper visor is. it's a very lightweight but
1:37 pm
powerful piece of code that's essentially the heart of virtualization. this is what allows all the virtual servers we know and the networks and storage and all of that to function on top of it. this, to me, is the life blood of our hope for having a new security paradigm. so if we look at virtual ma seens, we can use trusted extensions to have encrypted machines and can even be encrypted as they move across networks in a dynamic way. we can also enforce authentication. at the storage level, we figured out how to encrypt data at rest. we figured out all of the massive ways to challenge of addressing massive storage and how to have key management across that. and we're much us more secure at the rest side.
1:38 pm
something that many of us don't really know about is we have added this ability to virtual liez the networks and the software defined networking. with that we can have very, very fine grain control of networks, users, their access and we can have much more visibility into what's going on in the network. so this is a very powerful capability to simpthink about sr in a different way. finally, situational awareness. once i stepped off the opera stage as a storage administrator, i remember walking into a cage at the data center and looking at the cables and trying to solve an internet site that was down. i had no context. i had no awareness of the world around me. and i was literally pulling and pushing cables and turning servers on and off. now with this virtualization cape can blt, the software defined infrastructure, we have much richer context and insight
1:39 pm
as we look into our infrastructure. so that to me is a case down here at the very core and that very secure hyper virus space where we can start from the very bottom have deep security and control. the ecosystem, all that money that's been invested in cyber has gone through venture. capital to create literally hundreds of cyber companies. i was vetting lots of the venture back start ups. it's a dizzying space. there's so much noise here. and there's gret capability. and there are great teams. but how do you rationalize this? more over, many of you back in your home office are putting point solutions all around your network to try to solve this problem. the issue is they don't work well together. so one of my key tasks as i was vetting companies was to
1:40 pm
rationalize them and to investigate the team, investigate their capabilities to investigate the technology and how did that technology work and was it suitable for my customers, the people that are going to use it. so what i talk about here is think of it as a filter. and you build down a filtered down rational approach. it doesn't have to be these companies. this is just an example. but what you want to do is is create deep, close apis to empower these technologies and to function as a partner in the ecosystem. there's no single solution to this problem. so let's try to create that framework or that fabric where the best solutions can have the most access into that dynamic infrastructure and provide the security we need. now cyber hygiene. rob was talking a lot about
1:41 pm
this. this was at the user space. how can we prevent the issues, which are mostly human related. but i want to add a little bit to that. so what we're fundamentally talking about here is trying to reduce the attack surface. we're trying to limit our exposure and our risk. now i have argued that with my software infrastructure, we're doing that because we have very fine level control and automation and the ability to address things, but let's think about the five key te innocents and what i would argue is that if of these had been addressed in the breaches that we hear about would not have occurred. what is this? this is using virtualization to make very small segments of your network and to avoid or limit
1:42 pm
what we call east/west traffic. so going from server to server, app to app, whatever it is and continually escalating privilege. the administrator it's scary to think of the lack of security and the passwords. we theed to use our automation. et we theed to use our insight to give people the least privilege to avoid exposure. encryption. encryption throughout, we can now do this. the compute is strong enough to do this. and i described how storage and networking is now embrace iing t encryption fully. this is coming along so much further than it has. if you're not using it personally, it's such a powerful capability to ensure that if somebody compromises your
1:43 pm
password or device, they still can't get into the system. and then finally, patching. now this is one of the things having been a systems administrator that i argue is one greatest capabilities. we can turn things up, down and patching constantly maintaining our consistency and preventing those exposures. so that's one key element. now i have described this concept of a secure infrastructure. now i'm going to talk about something to an even provide better depth to the et ecosystem. this is something in the machine learning space. what i want too talk about is thinking about knowing truly what good is and using that power to use the forces we have
1:44 pm
to address the bad as it arises. so i pause it. this is hard for you all to see, but in the green box, what we're talking about is we now have a much better supply chain. we understand and we can have known code respositories where e have done security scans and uses better processes to deliver software internally. so what we're seeing is you have this phone man fst in history of a piece of technology. and you can start to they can that into your infrastructure and know how it's supposed to behave and watch it evolve. then with the power of virtualization, with the power of machine learning as these environments evolve, as patch os cur, that's known good. but if we see something happen that's interesting or different, we can address it much faster with that automation of vur chulization. we can shut that server down. we can turn its network to a different space so we can watch
1:45 pm
the behavior closely. there's so many capabilities that we can now do. this is what i us wanted to leave you with is this concept we think it's very powerful of knowing truly what good is and using that to be better at going after the bad. so i'm going to leave you with a little analogy. i like to describe what i'm thinking about. in this picture, z a frog. the frog is hiding. that frog for you is the bad. and you can think of these leaves as the good. so i'm not going to make you find the frog. i'd almost bet lunch you wouldn't find it. but if we filter out the good, the frog will. pop out and we can address it with speed, repity and use all the power of our infrastructure to address that. i thank you for your time. i appreciate your attention. and thanks to cyber schooop for
1:46 pm
having me here today. >> thank you so much. i love this guy. i'm thrilled to introduce our next speaker. he's a hard guy to get. he's a very businey individual. he is going to be talking about just remarks from the director of national intelligence. i dent think he needs a lot of introduction, but he is the director of national intelligence. please join me in giving me a warm welcome to daniel coates.
1:47 pm
>> good afternoon. given those lights i can't et see anyone. us hope you can see me. although although you can hear me, i guess it works. i appreciate the opportunity to speak to you. my understanding is closing in on the end of significant conference dealing with a very significant issue. so i'm pleased to have the opportunity to come and share a few thoughts with you. my understanding is that everything has been conduct c canned in 15-minute increments. goldy said i could have an additional five minutes. so i us may get rung off the bell hear. when i left the house of representatives and moved on to the senate, i guess i hadn't given it that much thought, but after two or three speeches on the senate floor, one of my staffers said why are you always rushing at the end of your
1:48 pm
remarks. it's like you have to hurry up and finish. i said, that must be in the house someone is with a gavel and the gentleman from indiana your time has expired. that doesn't happen in the senate. and so i said, i must have been referring back to that. i must be rushing thinking i'm going to be called off the senate floor. and so he's a precocious young man. he thought for a minute and said i don't think we have a problem. us said how is that? i said in a very short period of time you, too, like your fellow colleagues will become so enamored with your own voice we'll have to drag you off the senate floor. i'm going to try to avoid that today. by being somewhat concise if i could. we have obviously spent a great deal of time look iing at the
1:49 pm
issue of cyber and cyber threats. it's one of our. top priorities at the annual threat assessment that i deliver to the congress and the american people. i made a decision to elevate cyber security as one of the top, if not the top threat that we face in this new era of extraordinary change and technology and all the benefits and some of the down sides of cyber. we're living at a time when a growing number of people worldwide are interconnected by devices that provide information and guide their daily activities. despite the positive benefits that come from all that, there's clearly a dark side. we're experiencing that more and more. as we look around the world, countries that dominate our attention from a threat
1:50 pm
perspective, russia, china, iran and north korea to name four, also happen to have advanced or rapidly maturing cyber cyber capabilities. and each of these countries use cyber operations as a low-cost tool of state craft to advance their national interests. so it is easy to see why the cyber domain is so attractive as an operating environment. relatively small investment can be made in financial and human capital, but have a return that dwarfs the initial cost. aside from the geopolitical impact, the economic consequences of cyber attacks are profound. according to an estimate from the council on economic advisers, a malicious cyber activity costs the united states economy between $57 billion and
1:51 pm
$109 billion in 2016. just the fact that they had to look at a range of 57 and 109 tells you that we don't really have a total look at what is happening, and what the cost of what is happening relative to cyber malicious be activity. so it is also to see how the weaponization of cyber tools and the relative lack of global guardrails in the cyber space significantly increases the risk that a discrete act can have enormous strategic consequences. the global community witnessed this firsthand in recent years with the debilitating effects of the wanna cry ransom ware attack, which spread around the world to the point of seriously affecting emergency care in the united kingdom, and then if you look at russia's notpetua mall
1:52 pm
ware, which the administration called the most destructive and costly cyber attack to date, which crippled ukraine, before infecting governments and businesses on a worldwide basis. and aside from ransom ware and malware attack, we often see different kinds of malign activity through the cyber domain. adversaries are conducting persuasive influence efforts that seek to sow division and undermi undermine our values. these efforts manifest themselves in different way, but the goal is the same. let me give you a couple of examples. we continue to see fake online personas created for use on prominent social media platforms to amplify hot button social and political issues. this is often conducted in a coordinated effort, using
1:53 pm
inflammatory rhetoric, or through the seeding of misinformation. the rhetoric might include provocative descriptions of race, religion, sexual orientation, or information crucial to u.s. organizations. but in the intent, but the intent is to provoke, to distract, and to divide those who read the content. we also see foreign adversaries tempting to -- attempting to shape public opinion through the placement of overt or misleading or blatantly false advertising in specific news outlets or locations. the purpose of this approach is to target certain segments of the population in an effort to influence the policy views of specific local, state, and federal officials. this effort can also be combined with a release of information that is tailored to negatively
1:54 pm
impugn a specific elected official, because that official holds policy views that are not in the foreign adversary's interest. the end goal of all of this effort is to increase pressure and build leverage, in order to improve a negotiating position, or influence those voting in an effort to remove that specific official from office. bottom line, the bottom line in all of this, these efforts are real. and they are continuing and we should not, and we should all be opposed to them, because they exploit our constitutional values. the very pillars of democracy. most notably, in an effort to turn us one against the other. so given all that we know, the question now becomes, what are we doing to counter these activities? i'm pleased to be able to start remarks relative to this that
1:55 pm
while the destructive activities persist and are growing, this administration has made significant progress in addressing the threat. the president recently signed the first new national sieb cybersecurity in 15 years, a document that reflects a commitment to the american people, to protect and defend our interests through aggressive offensive and defensive, and defensive, and defensive measures. a critical component of this strategy, is authorizing the department of defense to play an essential role in the execution of this new cyber strategy. in addition, the intelligence and law enforcement communities are working more closely than ever to share information and increase awareness of the threats we face in the cyber domain. and we are pushing more information out to state, local,
1:56 pm
and private entities. we stepped up our efforts to defend and go after adversaries whose actions in the cyber domain are a malignant strain on those who seek to advance the cause of freedom. and as you will continue to see, the law enforcement community is stepping up to the effort, its effort, to attribute responsibility and prosecute cyber criminals. as a national security community, we recognize our responsibility to the american people and see that we are looking forward to limit it to the best extent that we possibly can. but responsibility doesn't stop with the federal government. we also need the private sector and media outlets to step up and take greater responsibility, because this, it is a national interest that demands a response
1:57 pm
from both the federal government and from the private sector. recently, we have seen many prominent technology companies take ownership of the threat posed by foreign adversaries who exploit tech platforms for maligned purposes. just last week, facebook announced it had removed more than 550 pages and 250 accounts that attempted to grab readers' attention, drive web traffic to additional sites, and manipulate consumers. and this week, twitter announced it was shutting down almost 4,000 accounts attributed to the kremlin-linked internet research agency, and almost 800 accounts attributed to iranian actors. all this is a good thing. and we hope these kinds of private sector actions will continue. we must agree, and must not allow foreign adversaries the
1:58 pm
ability to use our indigenous and privately-produced technologies to divide us as a nation. and beyond the positive actions that these companies have recently taken, we would welcome greater partnerships, with the technology sector. we recognize that our intelligence warnings and assessments will be most useful if we can incorporate insights from the private sector about what they are detecting, also. we have distinct advantages in the united states in this field, as many u.s. firms are able to see and analyze huge slices of data, and discern malicious activity. one of my cyber experts likes to describe this with a sports analogy. if this were a ball game, it is a game where we, the united states, invented. we're playing on our own field, with u.s.-produced equipment, and we have thousands of
1:59 pm
spectators, private sector, as well as government, watching the field from the bleachers. so we have the advantages, if we can work together. public and private. and in doing so, we need to explore ways to make the collaboration beneficial, establishing a two-way street, with value for both sides. to be successful in this effort, we need to adhere to three principles. first, it must be scalable. it must not erode business competitiveness or user confidence. and third, it must be operationally secure. so our goal is to fed rate it, as well as federal, situational awareness of malicious cyber activity. nevertheless, there is a critique for some in the technology sector that the u.s. government is too intrusive.
2:00 pm
even when we're seeking cooperation on national security matters, some companies are reluctant to partner with us, because they believe it could hurt their brand, by working too closely with the u.s. government. nevertheless, some of these very same companies turn right around and pursue access and production opportunities in china. so let's be clear about this. if you are a u.s. company that believes you should limit your partnership with the u.s. government on national security matters because it could hurt your brand, then perhaps you should think about the harm to our over-arching national security interests of pursuing greater business opportunities in a country like china, where the private sector and the state often merge into the same. so the basis of the message, the basic message that i would like to leave with you, and i want to impart on you, is that we all
2:01 pm
need to do our part to protect our democratic system, as messy as it may seem at times. so what can u.s. businesses do to strengthen their cyber security? allow me to suggest several measures that we believe can help secure our cyber security. first, be aware of supply chain threats. understand that cyber threats to your supply chain are an insidious problem that can jeopardize the integrity of your products. secondly, designate a chief risk officer to oversee a company-wide security effort, and determine what matters most, so you can protect the crown jewels. third, practice security hygiene, by using the latest i.t. systems that include updated security features. fourth, develop insider threat
2:02 pm
programs, announce an enhanced awareness of threats in former employee, and create a culture of awareness in your organizations. next, and finally, continuously review your security posture. this is what we have to do in the intelligence community. this is what we believe is necessary to secure our product. and we think that these provisions also need to be incorporated in each of your businesses if we're going to be successful in dealing with this problem. the intelligence community preaches, practices what we preach, and these are the steps that we have taken. well, and i may have slipped past my time limit here, so let me just throw my final pitches to you here. to our colleagues in the private sector, to our colleagues in the private sector, know that you're part of our national security.
2:03 pm
know that we cannot successfully deal with this issue unless you can be a partner with us. know that your efforts to fortify your cyber security defenses will strengthen our collective security. and know that you have a willing partner in the federal government and in the intelligence community. back in world war ii, a statement was issued, and i have it framed in my office, and it says uncle sam needs you. that applies today, as it did back then, at a very critical time in our nation's history. and i want to leave here by saying uncle sam needs you you. we cannot do this job successfully if we cannot work together. we realize that there are basic reasons why it is difficult to achieve this, but we can
2:04 pm
overcome these, and it is absolutely essential that we do so, if we're to succeed in dealing with this top threat to our national security. thank you all for your attention. i appreciate the opportunity to speak to you. and god bless you all. thank you. >> let's give him one more round of applause. thank you so much, mr. coats. incredible. we have one more little mini session for you before we break into our fabulous reception. i don't know if you guys know, we celebrated our ten-year anniversary this month. i used to be so young and fabulous when we started the company and i'm like oh, wow, okay, ten years, it has been, in some ways it feels like two years, because we've been having
2:05 pm
fun, and in some ways it feels like 20 years, because we've crammed a lot of work into the ten years. but we're excited to celebrate with you guys at the after-party. but i'm really thrilled to introduce our next session. we have a little fireside chat, and insights from a hacker, a pretty well-known hacker indeed, a former black hat hacker and now he is the chief researcher of rhino security lab. hechter monsegger. and he is going to be chatting with our editor in chief of cyberscoop greg otto. this is our final session. let's give them a warm welcome.
2:06 pm
>> so hecktor, you now work for security, and we have you billed as a former black hat hacker and we could devote one or two pages to your title. as quickly as possible, let's go with your background, the former black hat hacker, there is a little bit more details to that. >> sure. so i was, i would say i was a black hat for a long time. somewhere between 15 to 20 years, started in the late '90s. and for the most part, it was more a gray hat. towards the end of that, i became a hacker, which was a major mistake on my part. but i tell you, for the most parts, what i'm really known for or what i'm infamous for is leading the operations for anonymous or lowsack, did a lot of hacks during that time. i'm not proud of that. i definitely moved on from that lifestyle. but that is the quick gist as to what it is. some of the operations i was involved in was the uprising in
2:07 pm
tunisia. i participated in the tax against the indonesian government -- tunisian government. and same for zimbabwe and i was convicted for those attacks. and eventually federal contractors and ultimately the fbi, which ultimately led to my downfall. >> so let's dive a little bit deeper into what you're doing right now. can you explain what you're doing with rhino security? >> sure. i have been given a beautiful opportunity to kind of start fresh and that mind set started in prison. really finding myself and realizing what it was i was doing wrong. and really realizing i was about to lose not only my life but my family. i had two little girls, and it, the risk and the losses and all that stuff, it wasn't just adding up. so as soon as i came out of prison, i began the process of proving myself. which was doing the bug bounty program, participating in responsible disclosure. i know ibm is here, i released a few bug force them. so i went through the process of
2:08 pm
trying to prove myself for the community. now for rhino, i'm the director there for assessment, meaning i run the teams, i make sure that our engagements are good, we are running soc engineering, red team -- adversary simulations day in and day out and for the last 20 years i've been on the offensive side, and now i would say on the whitehead side. >> so you do a lot also with hiring for your company. >> oh, yes. >> you told me before. >> yes. >> and we know there is a skill set when it comes to cyber security. as a role for hiring manager you know what you're looking for and you know what is in or isn't out there. what is missing when it comes to the work force when it comes to talent. >> many of us in this room, you have seen it yourself, we either have a talent shortage or we have a skills shortage. there are a lot of great universities and colleges out there, that now they're offering cybersecurity programs but even then when those folks come out
2:09 pm
of school, their experience is academic at best. and it becomes difficult for to you try to integrate them into whether there is a defense side, a blue team, or on the other side, as an offender, a researcher, a pen tester and it becomes difficult to really integrate them. and what we're seeing now, what i'm seeing mostly, that a lot of these, i would say the new generation of cybersecurity personnel are really need the -- needed but we need to invest time and energy and resources in training and that is a major issue moving forward. >> let's talk about. that we talked about it before. i know you have some strong opinions when it comes to the current training that is out there right now. >> yes. >> so let's sort of break down what you think about that. whether it is mid career work force training or things like that. how do we further that? and where are the holes in that right now? >> well, i had a great conversation with greg, this guy is awesome, he is really thoughtful, and insightful, and one of the things i really wanted to bring up here, was the
2:10 pm
fact that yes, there are colleges providing cybersecurity programs. now let's say that someone is mid career. they want to switch over to the cybersecurity industry, well, where do they start? i mean you have the sans institute which is a great organization. you have the offensive security program, the oscp, which is another fantastic hands-on experience, experience-heavy organization or training program. but they're costly. and so even moving further than that, what if you want to bring someone to your team that has an associate level skill, you really need a win zoes defender, and -- windows defender, so you bring something in like specter op, one of the top windows specific security companies out there, and i sent one of my guys for training there, and it was a pretty hefty bill. the point is, that we need to figure out a way to open up the resources, give them more training, or have more programs available, and i know of at least one, and i'm sure there are many, but i know of at least
2:11 pm
one nonprofit organization that is taking young teenagers, or young adults, from poorer neighborhoods of new york, and dallas and other places, and putting them through a pretty extensive security training program, funded by like symantec and j.p. morgan. it would be nice to see more of. that and we need to have that conversation more. what else can we do? can we even start a little bit younger? can we start talking about cybersecurity in high school or some other way? >> so talk to me a little bit about what you're seeing when somebody applies for a job at rhino security and you are going through resumes and sort of the difference between what is on a resume and what happens when you get somebody in for an interview, and you actually walk them through their skills. talk to me about your experience there. >> well at the end of the day, i'm very open-minded. i was a new by at one point in my life, so i have no disregard for that. i like, i mean at this point in my life, i'm mentoring a lot, i'm training a lot, but what i'm seeing, if somebody is
2:12 pm
approaching as an social level position, their experience is probably a lot lower than an associate level position. when i have someone applying for a senior level position, they're right above an associate level in terms of experience and in terms of like a real world work history. so it becomes difficult to really hire, i mean there was one example, i gave you on the phone, when we last spoke, which was, and i'm not downplaying their experience, but we had two former agents from the nsa that applied to the company, and these were fantastic gents, and talented in so many way, well-spoken, really nice guy, but their job at the agency was so segmented that a kind of integrating them into our organization would have been extremely difficult. it would have taken us a lot of time and resources just to get them prepared for the kind of job, the kind of work that we do. >> so let's talk about that a
2:13 pm
little bit further. what do you think needs to be done in order to get more talent into government? because government has a work force shortage. and there are rigorous security clearances to go through, and there's lots of other things that go into that, but obviously, the government needs hackers just as much as the private sector does. so what do you think needs to go into government hiring in order to change that? >> well, again, going back to what i said before, i think that it is important, that we emphasize research and training and education. the academia is extremely important. but it also start, every one of you here in this room right now, when you go home and speak to your family members and young cousins and nephews and niece, you start talking to them about the cybersecurity industry and you also point them in the direction of government work. i mean at the end of the day, listen, with the way things are right now, and the kind of shortages that we're seeing in this country, we need to all,
2:14 pm
very similar to what mr. coats said a few minutes ago, we all need to work together to really solve this problem. is a human element problem. and it really touches us all. all facets of life. now, in terms of governments, getting more employees, again, you may even find yourself in a situation, i think this may be impossible, but bear with me here, where you may have to lower requirements a little bit. i think the fbi has already done that, or part of that, where they're lowering requirements for certain fields and that's a great first step. it doesn't mean that you have to bring in someone like me. i understand the government cannot hire someone like me. but there are a lot of talented folks out there that don't have the proper education, the resources and they don't have the networking capables to land themselves at a good job and have a good career before they apply to the government. >> so that is my idea there. >> let's go back to that compartmentalized part that you were talking about. expand that a little bit, when you say that these nsa
2:15 pm
applications came through, and they were working in more compartmentalized fields. it is a good word. >> right. >> what do you mean by that? what can be done to make sure that when they leave the public sector, that they can get hired and they aren't fine-tuned to one thing? >> sure. well, i think that, and i want to bring this to you as well as possible. when it came down to these individuals, one had experience with internal network penetration testing, which is great. but their skills were very specific to using a specific, i would say a specific amount of tools. they knew how to use nmap, for somebody you don't know nmap is a network map, a very simple port scanner and they had an understanding of things like that, that work. and beyond, that that was their experience. with the other example, that person was more on the logistics
2:16 pm
side of thing, which is aggregating the reports, aggregating the raw data, putting together a zdebrief, an that's really important in a reporting environment where you have to report but you have to understand one thing, even the most associate person in my company right now is doing all of that plus more. and -- >> we are going to leave the conference here, but you can find this and earlier panels online, c-span.org. and again, leaving the conference here, but you can find many online c-span.org. c-span where history unfolds daily. in 1979, c-span was created as a public service, by america's cable television companies. and today, we continue to bring you unfiltered coverage of congress, the white house, the supreme court, and be public policy events in washington, d.c. and around the country.
2:17 pm
c-span is brought to you by your cable or satellite provider. while congress is on break for the midterm elections next month, we are showing american history tv in prime time. and tonight, it is a conference on the american west, hosted by the aspen institute, historians talk about westward expansion after the louisiana purchase, in 1803. kit krarson and other mountain men. and the impact wertward expansion had on the civil war and slavery. american history tv and prime time begins at 8:00 p.m. eastern. and on c-span this evening, 19 days before the midterm elections, pennsylvania congressman scott perry debates his democratic rival george scott. live coverage of the 10th congressional district debate gets under way at 7:00 eastern. and on c-span 2 tonight, president trump campaigns in mizzoula montana for republican candidate rosendale who is
2:18 pm
running against john tester. watch tonight at 8:30 eastern on c-span 2, online at c-span.org and with the free c-span radio app. the c-span network. your primary source for campaign 2018. this weekend, on american history tv, on c-span 3, saturday at 10:00 p.m. eastern, on real america, the 1968 broadcast, the nixon answer, southern townle had. >> hall -- town hall. >> i do not believe that nuclear bombs or nuclear weapons should be used in vet nam, i do not think they're necessary to be used in vietnam and i think nuclear weapons should be reserved only for what we hope will never come, and which i think grate diplomacy, and it will have to be great diplomacy can avoid, and there is confrontation with a nuclear power. sunday at 6:00 p.m. on american art facts we will tour the baseball americana exhibit and magna carta, precivil war
2:19 pm
documents that spell out the basic rules and organization of the goal. and at 8:00, on the presidency, former president george w. bush, coky roberts and friends, reflect on the life of former first lady barbara bush. >> she had this motto that you're going to be judged about the success of your life, by your relationships with your family, your friends, your co-workers, and people you meet along the way. >> watch, on american history tv, this weekend, on c-span 3. . the u.s. house is in a break until after the midterm elections next month. before leaving, house speaker paul ryan talked about the current political association and about his future. speaker ryan announced in april that he will be stepping down after this term. from the national press club, this is about 45 minutes. >> so on january 3, the man standing right here next to me, paul ryan, will be

69 Views

info Stream Only

Uploaded by TV Archive on