tv Public Affairs Events CSPAN November 2, 2016 4:45pm-6:46pm EDT
one thing and everything will be perfect, that's clearly not right. we've got to do multiple things to close that graduation rate gap and to ensure that when kids graduate they graduate ready for what's next. >> charter schools. you have said what i worry most about is we have some states that have done a really great job with charter authorizing and so have generally high quality charters and have been willing to close ones underperforming. on the other hand you have that have not done as good a job, like michigan. what's your view on where charters should be by the time you leave office and how do you plan to get there? someone who cites your own education in new york for saving your life and trajectory.
and better resources in public education. there's a second to this. a few days ago the naacp national board called for a moratorium until laws are revised to make charters as accountable and transparent as public schools. do you agree charter schools should meet the same accountabilities as public schools and if so will you stop funding charter schools? >> so let me start with this. we are i think as a country to have high performing charters that are doing great jobs, providing great stunts to students. that's good. we should have more schools like that. and i think any arbitrary cap on the growth of high performance
charters is a mistake in terms of our goal of trying to improve opportunity for all kids. that said, where states are doing a bad job authorizing, that has to change. i i've talked built example of michigan. we have states that set a low bar for getting a charter. when charters perform poorly, they fail to take action, which is the essence of the charter school compact. charter schools were supposed to be a compact more autonomy in exchange for greater accountability. yet some have not followed through. that is a problem. those decisions are made at the state level. what we've done in the administration the last eight years is two things. one is we provided resources to work with states to the strengthen their practices around reviewing the quality of charters, reviewing charter
applications. two, we have invested in increasing the supply of great high performing charters. to the extent what folks are doing, a better job charter this authorizes? i agree. we have charters that are doing a great job of kids that want to the grow, they should be able to. and i think this is an issue where we've got to put kids first. we've got to ask what's best for the students and parents. parents aren't concerned about that model than they are, is my child getting a quality education. we have to focus on that. one of the reasons it doesn't make sense. we shouldn't limit access to great opportunities. >> a lot of teachers have been writing. what do you propose to do about the equality of pay between
teachers and administrators, for example, like yourself? one teacher says i worked 12 hours yesterday, didn't have time for lunch. did you have time for lunch? i make $47,000 a year. how much do you make? of course it's public record. i can't go to the bathroom when i need to. can you go to the bathroom when you need to? please don't talk about how great teachers are. we need resources. we need policies that actually help us chief, not help profiteers. pretty upset teacher there. >> yeah. look, i think we see it across the country. we see states that have not made the education they could. we had a report earlier this year looking at the difference of state investment, prisons versus k through 12 education. what we found is we see the last 30 years a rate of increase in
investment spending on prisons that is three times as the rate of increase on k-12 education. that suggests maines a society are there states that should be spending significantly more on teacher's salary, absolutely. should we be paying more to teachers especially teachers willing to serve in the highest needs communities and the highest needs fields where we have real demand absolutely and the president proposed $1 billion for an initiative called best job in the world that would support professional development, incentives, career ladders for teachers who teach in the highest needs communities. so we agree about the need for more resources and focusing those resources on teachers. one of the places i learned more about is early learning, we did a study on pre-k pay and in many communities around the country
pre-k teachers are making half what they would be making if they were working in an elementary school, which again suggests that our priorities are not right. so this is a place where i agree with the questioner, we need to invest more resources in educators. we should pay our teachers very well, because we know that teachers are essential to the future of our country and we need to make sure the working conditions are good. it's not just a question of teacher pay. i think of a place like detroit, if the water is leaking from the ceiling and there are rodents running across the floor, those working conditions are not ones that are going to make teaching a profession that people want or a profession people want to stay in over the long-term. and so we've got to make sure that working conditions are strong, and the final point i'd make is this is one of the reasons supplement not supplant is so important because if you consistently underresource the highest need schools the result will be poor working conditions
in those schools and the inability to retain the great teachers that our highest need students need. >> running quickly out of time. had an issue with one of your senior staff, who had to resign over waste, fraud and financial abuse. have you been able to clean up the issues in the inspector general's office? >> so this is about an employee in our i.t. department who made mistakes and was accountable for the mistakes, chose to resign, not with the department. we have a strong team around our i.t. and we're very focused as folks are across the administration on continuously strengthening cyber security. this is cyber security awareness month.
just came from a meeting at the department this morning. we're making sure our i.t. systems are as strong as possible that we protect the security of data and that we ensure we are providing good services. so for example, collegeoscorecart.ed.gov is a tool we built and through investment in the strength of our i.t. systems and work across the administration to leverage technology on behalf of taxpayers and students, collegescore.ed.gov allows students to find out information about graduation rates, about how much people make who have graduated from that school. how folks are able to repay their loans. it's a great school that we've made available, and it is continuously evolving to try to provide services so i.t. is really a strength now of the department, but you know, as is true across, for any employer,
there are sometimes employees who make mistakes and we have systems in place to ensure that's still there. >> almost in the home stretch here. before i hit the last question, a couple of announcements. tonight's debate night watch here at the national press club at 8:30 in the reliable source. we have an upcoming luncheon on november 21st with epa administrator gina mccarthy and the head of metro general manager paul wilyafeld we'll need an update on him on various issues that happened in the subway system in washington, especially after the nats game. final question. before i do that i have to present you with the traditional national press club mug. >> thank you. [ applause ] very quickly what advice would
you give to a 12-year-old kid would was raised on public assistance who wants to be you? >> two things. one is to have faith in what's possible, you know, i'm only standing here only alive today because of what new york city public school teachers did for me. one of the reasons the president, first lady care so much about education is they know the difference education made in their lives and the opportunities they've been able to have, so one thing i always try to say to young people is to have faith. i think sometimes as a young person it, could feel like had is the only way it could ever be. sometimes you talk to young people and they don't have a vision what it would be like to be an adult and they become hopeless. one is to have faith in what is
possible. and to hopefully see my example or the president's example, the first lady's example, what education can make possible. two, work hard. work hard in school. education is the best path. look, you know, there is this debate about american life. is it poverty that matters, or schools that matter. both matter. schools are embedded in communities. schools can save lives, but schools also face the challenges that exist in the community. i try to say to young people, school can be the difference. it can be the path that gives you the skills and opportunities to have a different life and have life be different for you and your family. can't solve everything, but it can be a path. and so those would be the two things, to have faith and to work hard. >> thank you, mr. secretary, for future information on national press club programs, you can go on to www.press.org. we are adjourned.
join us later today for libertarians should vote and for whom. the kato institute discusses it later this afternoon and you can see it on our campaign i don't know network, c-span 2. we're playing close attention to state races as well. joan us tonight for a debate among candidates for louisiana's next u.s. senator. a number of challengers will take place, including john fleming and charles bustani. also, democratic candidate, foster campbell and republican david duke. watch it live at 8:00 p.m. on c-span. about an hour later, we'll show you the latest u.s. debate with incumbent kelly ayotte and maggie hassan, at 9:00 p.m.,
also on c-span. on election day, november 8th, the nation decides our next president and which party controls the house and senate. stay with c-span for coverage of the presidential race. including campaign stops with hillary clinton, donald trump, and their surrogates. follow key house and senate races, with our coverage of their candidate debates and speeches. c-span, where history unfolds daily. this weekend on american history tv on c-span 3. saturday night at 8:00 eastern. history professor on native american history from the co era. >> clearly our enemies, occupying with troops, which is
the one thing we were fighting against. by cutting off withholding gifts, refusing to give gifts, limiting trade with us. that's essentially a declaration of hostile intent. later, at 10:00, on "real america" we look back to the 1966 campaign for california governor between democratic edmund g pat brown and ronald reagan. >> my experience has turned me inevitably toward the people for the answers to problems, just instinctively i find i put my faith not private sector of the economy, and the belief in the people's right and ability to run their own affairs. >> and every single solitary category of business that tells whether or not california's economy is good is proven that we have done a good job. then sunday morning at 10:00 eastern, "road to the white house rewind."
>> next tuesday, you'll go to the polls and make a decision. i think when you make that decision, it might be well if you would ask yourself -- are you better off than you were four years ago? >> our proposals are sound and carefully considered to stimulate jobs, to improve the industrial complex of this country, to create tools for american workers, and at the same time, would be anti-inflation nary in nature. >> 1980 debate between jimmy carter and former california governor, ronald reagan. at 8:00 -- >> a realist would not have devoted his life to fighting slavery and a real list would not have said this, which is that a dissolution of the union for the cause of slavery would be followed by a war between the two severed portions the union. it seems to me its result might be slavery from this whole continent and desolating as this
course of events and progress must be, so glor yoglor yous, i dare not say that it is to be desired. at the new york historical society, james trabb, "militant spirit" and robert kagan, debate the question, was john quincy adam a adams a realist. they talk about the foreign policy views, and the legacy of the sixth president. for a complete schedule, go to c-span.org. now a panel of public and private talk about intelligence sharing. national security alliance. it is just over an hour. for the panel discussion of the domestic threaten virement public sectors can take to protect the homeland pleased to
have moderate a very distinguished panel. who he will introduce here momentarily. as deputy assistant to the president, deputy national security advisor for combating terrorism from 2005-09, juan was responsible for implementing all aspects of the u.s. government counterterrorism strategy, including violent extreme im. previously, the first of terrorist finance crimes, leading efforts with public and private sectors. juan is a senior advisor for the center of strategic international studies and frequent contributor to a variety of news shows where he is consistently a reasoned voice. i believe he is ready to moderate this esteem panel. juan, over to you. chuck, thank you very much. it is an honor to be here, thank
you for the kind introduction. fair and balanced, i don't know what that means any more these days. general schwartz, thank you so much for invite meeg to be here. karen, always a pleasure to see you again. it has been a while. frankly, a great honor to be with all of you today. especially this panel. frankly, as i was reviewing the bios for the event yesterday, i couldn't think of a better group of individuals to talk about the public/private challenges that we have moving forward, given the complexity of the threats that we heard about from director clapper and obviously many of us have experienced. in addition, these are four gentlemen that i would love to be in a fox hole with, and would love to go to battle with and i've been able to learn quite a bit from everyone on the stage. i'm excited for this panel and discussion. let me say first, something.
two organizations that have in their own ways tried to push the envelope and drive the debate around what the role of the private sector should be in national security. it is the core mission of benz itself, as you've been driving, it is what insa has been talking about. we're now at a stage in our national security with the diversity of the threats, the morphine of terrorism, ubiquity, and the debate has shifted and arced toward where they've always been the private sector isn't just an ancillary player how we think about national or homeland security, but has to be thought of as a central player. i think we understand that more and more everyday, in the report that bensa has put out, a
challenge to now we not only recognize that, but also deal with the structures and the coordination that has to come from that recognition. the private sector is at the center of the storm in terms of attacks. the private sector civil society state and local authorities are sources of great information, and awareness. and frankly, in tems of consequence and management, first responders and resilience as a nation, the private sector plays a critical role. and so with that, as a backdrop with the great comments from director clapper, i would like to open the discussion up. we're going to have a discussion for 40 minutes and then 15 minutes for some questions from the audience. think through some questions you may have. the bios are with you, so i'm not going to belabor this, but this is an esteemed panel. frank taylor, he is a general,
ambassador. he is a gentleman as well. i know that secretary johnson has relied on frank not just for the intelligence role, but at one point, i think frank had three different roles for dhs at a critical time. frank, great to see you. brad brekke, many of you know from the bureau community, director of office of private sector, fbi, critical role. especially as they've thought with their national exposure, when you look at cve and consequence management. for those of you who don't know, brad comes from the private sector. he was with target, and target has had to deal with numerous challenges in this space. next to brad is steve mcgraw. a long time veteran of the fbi, again known to many of you in the space. after retiring from the fbi, steve joined the state and local
community. is now director of the it texas department of public safety and is incredibly knowledgeable not only with respect to the fbi, but what happens on the ground and certainly between state and local authorities. finally, bob griffin, who is not a stranger to any of you in the tech domain. bob has made a career of leading organizations, selling companies, and being on the cutting edge of technologies that relate to national security. he is now the general manager of the ibm safer planet project and division, which has an enormous responsibility, thinking about safe cities and communities. so with that, let's turn to the experts. frank, let me start with you first. i think there is some critical dimensions to what we need to talk about. the first is how you and the department of homeland security and the government think about the threat and think about the threat as it impacts the private sector. and what that means for your mission and how the department does its work.
>> certainly we look at the threat not only against the private sector, but against the government sector, all sectors of our society. the response needs to be comprehensive across all of the sectors that we can't treat the public sector different than we treat the private sector, because those threats and risks manifest themselves in all of those environments. so our approach has been to work with the fusion centers to ensure intelligence is shared, to consistently with the fusion centers, and to the 18,000 law enforcement agencies across this country. to work with what we call our private sector security seminars across the country, where we bring together private sector security and our intelligence professionals to have discussions about the threat and sharing of information. and to get feedback from those organizations. and third, to invite private
sector analysts and others into the inter sanctum so they can incorporate that into their day-to-day activities. >> brad, what, from your vantage point, how has the relationship with the private sector changed? we have been talking about for years the importance of public/private partnerships, much of that has been centered around the idea of information sharing, you know, we talk about the vertical horizon, horizon l horizontal. how has it shifted from your vantage point and where are we headed with respect to those partnerships? >> thank you. let me provide a context related to the fbi and in a prior -- target corporation, just to be clear, i did leave before the
breach. you know, i think director comey came on board and one of the things he saw with me in the private sector engagement. he created this about two years ago. >> can you hear? >> is this better? >> let's see if we can get you a hand mike. director comey set up this office two years ago, specifically to look at the private sector and the bureau
engagement with them, and partly because of the evolving threaten virement. i think bob is best, it is actually in the ben's paper -- the private sector is becoming part of the battlefield now across many lines, both cyber, ci, ct. director comey's vision for the fbi right now is to be ahead of the threat. through leadership, a. >> -- agility and to adopt the same mind set that happened post 9/11, when the public side began to change the way they work together. so federal, connected better with state and local. now the push is how do we do it better with the private sector. so our role has been to assess current efforts and then look at what the future may hold.
if i could, i have four points we can discuss more. we have taken a number of initiatives to understand what is. we have done voice of the customer exercises, work with the presidential invasion studies to do studies, and four points have emerged that we're looking at as we change our engagement strategy and iterate it with the private sector. first, it goes back in time. it actually probably started back with the book, "the art of war", where one of the principles is know your enemy and know yourself. one of the things that came out is we know our enemy well. we know the threaten virement. we know ourself, if it pertains to the federal and stateside. but what became apparent, we did not understand the private sector well. in fact, we surveyed many of the corporations we worked with, including former federal, and
the number one issue raised was you do not know me. you don't know how i operate. specifically, you don't know my risk profile. or my resources or capabilities that deal with. for us to deal with transaction n le events, we need to know each other better. how can we increase that engagement, and that was finding mutual benefit. as the presidential invasion fellows put it, measure value, not investigations. so we had to find from their perspective the corporate side, what is the mutual benefit. the benz paper speaks well of this. what is the business case, what is the value proposition for engagement and they outlined a number of things. we're trying to probe what that
might look like overtime. how we could develop that, how to understand that better. which then, now that you have identified how you can work together, how do you solve that problem. you move from information sharing to collaboration. by collaboration, it means third principle, you have to co-create, co-construct the solution. which is a shift culturally. we like to control. we like to dictate what happens, but we're looking at how do we do that with the private sector. how do we co-create their solution. quite frankly, it works better, the iterations we've tried, because they have better data, better technology, and they can do things much faster. the challenge then for us is how do we stay connected. and this, i mean, we're still usg, we're still fbi, and this is leading us to explore the fourth principle. how do we create a franchise
framework for the fbi that allows us to develop certain standards of engagement, certain consistent ways of doing business, but does not prescribe how that business is conducted, just post scribes to keep us legal. again, the benz paper speaks to all these principles, that's why we are so pleased to be engaged with them that those are the things we are iterating and trying. we still have the legacy programs. they will continue, perhaps become 2.0. but we are actually based on this evolving threat, and how do we get ahead, looking at how to approach the private sector, perhaps in a way we've never done before, and see where that takes us. so appreciate the chance to be here today. >> brad, that's a helpful framing. that's four priorities or frame works. i want to return to two in
particular. this idea of co-creation. we heard director clapper talk about the distinction between cooperation and joint action. in the post 9/11 environment thought of that in the federal context app then the state and local context. i think what we're talking about here is, what does it mean in the contention of the private sector as well, with co-creation and cooperation. but steve, let me turn to you. i love your boots, by the way. >> thank you. >> how do you think about this, not just in the context of your interaction now, sitting on the stateside, but also, with texas companies, texas entrepreneurs, the tech industry in austin, for example. how are you viewing this landscape from your vantage point both up and horizontally? >> first, i want to reflect back. what general -- what he talked about -- >> brad, pass the mike.
thank you. >> how's that? there we go. probably better off. it's not working. >> joe mentioned something very important. when i retired from the fbi in 2004, i didn't know hurricanes had two rs. but when katrina, rita and ike was a real eye-opener, and we talk about continuous improvement, and where we were then and where we are now. embracing the private sector made a difference in how we're able to protect texans when a catastrophic event. if you don't have them integrated fully, into your emergency management center, you're wrong. there is information that they have, but more importantly than information, experts in terms of storage and delivery of commodities, water, food, ice, fuel, private sector. that expertise doesn't exist, okay, in the government necessarily. and they bring tremendous capability and expertise
immediately. we didn't know anything about in terms of stimulating fuel demand, importance of doing that. the concepts they can bring into it. we bring them right in and establish them as apart of the command within the state operation center. it has worked out very well in that regard. for them, the payoff is this. they want in terms of serve the public as well. their customers, their customers and locations are impacted. it gives them information and they're able to get back and operating sooner. any type of cat strastrophic ev. that's our biggest crosswalk. we think of suspicious activity, liaison, in terms of how we can do it with all the sectors. today, those crown jewels, those major things, but today, you know, soft targets are such with the desegregation of terrorism,
we have to worry about those things. but how do we actually, you know, move from cooperation, general did a good job of talking about that cooperation and coordination, to actual integration of effort. everyone get as long right now. coordinate and cooperation with each other. but depen ding on what the organization is, whatever it is, how can we integrate our efforts to maximize the impact. >> important insights. bob, from your perspective, you know, how is both the private sector viewing this landscape first of all, and what is your sense of innovation with respect to what's happening, for example, with what you're doing at ibm with the federal government from both national security perspective as well as just a national economic perspective? what is your sense of what's happening neenvironment, and where is the opportunity from your vantage point? >> i think there are several points here.
you know, with the movement from what is traditional market state, nation state terrorism to market state terrorism, the landscape, the battle landscape has shifted. and it is pulling more and more, what you want to call soft targets, but pulling more and more commercial oriented kind of targets into that battle space. and you know, clearly, once a week or certainly if not once a month, i'll get phone calls from somebody that is leaving the public sector in a role in the ic for example and say hey, bob, i'm going such-and-such client, or such-and-such organization. i need to build an ic. i need to have an intelligence center i can understand what is happening in my world. you know, the critical issues we deal with at the governmental level about high value awareness and understanding. how quickly can we build something to ensure we are
protecting not only ourselves, but also our -- the folks that visit my locations, and those constituents. and i think technology will play a, you know, a key part in that. you know, we've been talking up here about information sharing. and you know, information sharing is something that we have been talking about and promoting for years. it is not a technological problem. it is a problem with will in many cases. who is willing to share what information, what, when where and how. while i will say information sharing is the basis for these types of events and for preventing these things, it is access and distribution to that information that is critical. you know, i like to say that, you know, information is king, right. it is the most important thing. but sharing access and distribution of that information
is king connikong. it is important that we do that as close to the edge as possible. it is about real time situational awareness, and it is about making sure we can react as quickly as possible. and one of the things that i think is really important from a technological perspective is technology can move faster than the speed of threat. the challenge is how quickly can people assimilate what technology is telling them. and you know, we're focused a lot in my division around, we solve the speed problem. we can take pedi bites in real time information. the question is can we get and provide that information as quickly as possible to those in need so they can make on ground situational decisions, depending on whether they're in theater or not. >> the need for intelligence and capabilities within the private sector, from my own experience
consulting, you see a lot of the major global banks creating financial intelligence units internally to understand better where their risk and vulnerabilities lie. whether it is energy, oil, gas, you know, banking, that need and thirst for information and understanding of vulnerabilities is there. and then the connectivity out war. frank, i want to go back to the point about information sharing. it is critical, because it has been the centerpiece about how we thought about the success of public/private partnership. but it is also different, given the nationure of the threat. it is coming from a radicalized individual from a bedroom somewhere in the united states. manifesting in a laptop, if someone is infested with malware at a starbucks using the open wi-fi system. it is happening with the electrical grid, potentially being systemically affected by a sophisticated actor.
these are manifestations that aren't necessarily clear. they're not big build-ups from some well organized set of attackers. these are more individualized. how should we be thinking about information sharing in that changed landscape in that's a little different than what we thought about in the past? >> information sharing after 9/11 was i know something, i think know what you need to know, so i'll tell you what i think you need to know, but i'll a he keep all the other stuff close. the environment that we live in today, information sharing has to be about information being available 24/7, to answer the question when the question is needed, not when i think you need it. so it is the idea that all the information available and having access to that information is
general clapper mentioned, so you can make decisions on the fly. and that's not i'll describe and tell you, that's we're going to give you access to what you need to make those decisions. we look at 800,000 police officers in this country. one of those police officers is probably going to be the first touch of a terrorism investigation. so empowering them to understand what is happening dynamically, and if they see things during the course of their investigations and patrols, they can report that information. so bob and i were talking before the event. i think we're entering into a world, and just make one other point, when i left the government in 2005, and i went to g.e., i had every security clearance in the world working with the head of diplomat tech
security on march 3rd, march 5th, i became a -- i had no need to get clearance. general electric, small, 300,000 person company, operating in 120 countries across the world. didn't have the same level of need to know as my colleagues and diplomatic security. that began my thinking about how the government needs to see the private sector as customers, just as they see military forces, diplomatic forces, because they are as arrayed as those forces are, and what they do for the economic security of our nation is too important not to allow them to have that same. >> especially when dhs has responsibility with dealing with the infra structure? >> 85% of the infrastructure is
in private hands. if you're thinking about the economic security in the united states of america, and intelligence is critical to assuring the economic security in the united states of america, our private sector partners have to be seen as clients, not as an afterthought. >> i want to get back to brad's point about kind of the structures. steve, given your experience both at the federal level now in texas, do we have the structures where right? we've built -- we've got jttfs, and a variety of other structures that we've tried to build, sometimes at more formalized. do we have the right structures to do what frank is talking about from your perspective? have you recreated structures? >> i think less about structures and more to that horizontal approach in the benz report talked about. the challenge is, and frankly, look, there is a pointing up to 15 years, we still don't have
information. the general nailed it in terms of everybody is a collector these days. special agent, texas rangers, they're no longer just enforces. they're protecters. they have to be in tune to what the trade craft is, and what the requirements of the federal government or their partners and what they should be collect anything that regard. then us getting in the system so we can have access. if you look at texas, we've got 1,754 law enforcement agencies, and 69% have 20 officers or less. depending on them collecting and putting into a system, a record management system, a jail management system, which is really the 800,000 collector, that's where that information is. you don't know a speeding ticket, an arrest for a dwi, isn't the key piece in some of the intel needs to link this person to somebody else. it is vital. the challenge we have is fixing
that piece right there. now, there is some programs and the federal government has those figured out, but it is expensive to convert all of these lag gas see systems, into a platform that can be pushed and shared at any given time. i'll say this. for example, if you you're look at where air at at any given time, you should be able to look at the particular dots, about you that means you have to move to what director comey has talked about, national based reporting. we are an index state, legislature and governor has pushed us, we're going tube a nyber state. if you want timely data across jurisdictions, and quite frankly, there is nothing important that doesn't cross jurisdictions these days vertically and horizontally and geographically, then you have to be able to see those dots. >> very interesting. the benz paper talks about this horizontal network model, and i
couldn't agree more with the concept and the fact that we've -- we have to shift the paradigm to how we think about coordination and cooperation. brad and bob, i want to ask you both the same question, but from your different vantage points. what does that mean in practice to you? if we start to move toward a more horizontal network model of homeland, national security, information sharing and public/private partnership, what does that mean from your vantage point? >> so i would describe it as changing our perspective inside, at least the fbi. i think we have to look at the fact that the private sector is really about risk mitigation at its core. historically, law enforcement agency is about cases, investigations. so there a cultural shift that's going to have to take place internally, so that's with us. there is also a shift in i'll
use the word design or creating our approach and get around perspective. we have to invite the private sector to the table early. this goes with the creation of actually have to see what capabilities, what their risks, their erm is. and how that might tie to my threats. so if you lineup companies, just simplistic come out of target in minneapolis, but erm profile of target is different than the erm profile of 3m across the river. 3m aligns much closer to the fbi as far as our threats regarding cyber ci, other types of things. when we have no mechanism in place, and that's what we're working on, how to get 3m and target at the table with us, to talk through, and trying to
network this out, what is the solution set? what do we co-create to deal with their different sets of problems. the challenge i see is we like uniformity. a network means you have lots of little nodes solving their own problems. you have to actually function more like a connector or convener, and you may not know everything, and see and touch everything. but you have to have a level of working relationship or trust. i'm speaking kind of hypothetical, but we've actually seen some examples come into play, and i'll speak specifically. the bureau faced some challenges around ransomware specific to the health care industry. and we did the bureau thing. we notified the corporations in that industry. probably in a very classic sense of pins and flashes, e-mail type
things. someone actually in that industry, who is associated with us through one of our legacy programs said i have a solution. i am the ceo of a software company. i can create software that will network amongst these health care companies, and you don't have to be involved on the front end. we can set it up ourselves. if you ever need to get information to us again, you can go through this software solution. person did it in four months. owns the company. he is willing to connect it to us as needed. and to me, that's an example of the direction we have to head. figure out over time how to capture more and more of those situations, because now it is the private sector trying to mitigate their risk to their business, with their solution set. connect it to us. because we still have the intelligence as frank has talked about, the information that can
help them. and that's just, it is a different mine set. different model, different perspective. i think in particular, director comey see it, having worked on both sides and the challenge from my office is how do we institutionalize it, build it out over time. it also just, maybe pause and say i think it also, the goal for the fbi is to connected not just to fbi private sector, but with other usg and public sector. if we can move in this direction, and succeed. >> bob, how do you see it from your vantage point? where are the opportunities here? >> first of all, the shift is already happening. i think not only organizations like benz started that info guard, but organizations like the ncfta, national forensic training alliance, they've got a room inside that room sits fbi analysts and commercial sector analyst, right, banking
analysts, retail analysts and so forth. that shift is -- it is driving that information paradigm, but it is driving it for in many ways for different motivations. that's what people have to pay attention to. the motivation at the governmental level is really about security and protection and service, and so at the commercial level, while those are all important things, a lot of this is about brand protection. it is the importance of how that brand is perceived. you know, you talked about the breach at target. we all understand, that breach what, that did to the target brand for a while. you know, so you know, it is different motivations. all working toward the same thing. i think the -- i think several things have brought it to light. i was incredibly heart ended when secretary carter came in and talked.
at the highest levels, that's an important priority. that opened up a lot of doors to have conversations that we were never having before. to the point earlier about critical infrastructure protection, you know. you know, if the grid is attacked and it is heco that responds to that, first responder. yep, they're going to call in support and get help over time, but that grid supports pay com and all of pearl harbor. pearl harbor goes dark, that's a problem. the shifts are happening. i think we're starting to see more of those people come together. i think the advent of the fusion centers was another great move toward combining public/private information sharing initiatives at all levels, not just close source, but open source, and both private and public source materials. >> bob, let me stick with you for a second. what is your sense of the greatest impediment? at least from your ibm
perspective, but also, given your long interaction with the government, different government agencies? what's the impediment here toward more efficient cooperation an partnership with the type we're talking about? >> well, i said a little earlier, too, some of this is will. do we have the will to do this. to make this happen. you know, i -- it is not a technology issue. we can -- the technology problems for the most part have been solved, you know. it is interpretation of things like statutes, you know. we've got to -- we put some very important protective mechanisms out there around the use of information. 28 cfr part 23, if you have nothing to do at night, read that. that will put you to sleep. it talks about you cannot co mingle criminal history. so we've put processes and rules
in place. we're adhering to those. but sometimes we are so over focused on what might happen, we weren't paying in you have attention to what is happening. and i think if we can get down some of those barriers, you know, we mentioned earlier on stage, you know, the endex, national document exchange at the fbi program. i can remember when they first launched the endex program, there was a lot of concern at the state and local level, what's the im ddemnification, local issues are dealt with by city attorneys and managers, and they worry about what's the liability for my city. i think we've done a great job in dealing with that, but it took time. it was because we had the will to do that. as long as we continue to stay
forward with this will and this desire to make these things happen, there is nothing that i think we can't do. >> i agree wholeheartedly. >> you've got a great voice any way. it doesn't matter. >> i don't know about that. but the -- i think it is about will. it is about innovation. i just think we're in a space now that demands innovation and innovative thinking congressional level, executive branch, state and local governments in terms of power information sharing. now, we also have, you know, under our constitution certain rights, bill of rights that are important to our citizens and privacy and civil rights an civil liberties must be apart of the solution. but the american people in our
view at the department of homeland security expect that we will use all available public information to make judgments about security of our nation. we just announced, or it is going through the omb process that we want to collect social media handles as we look at people applying for estes, electronic systems for travel authorization to the u.s. there is a great cry within the privacy community that this may be a bit too far, but our expectations from the american people is someone is applying to travel here for benefit, we should check all available information to determine whether that individual represents a threat to our country. and increasingly, some of that data resides in social media. so we think it is a legitimate way of looking at broader data
sets that help us make decisions, but the question of will and understanding of the how we will do that and still protect the constitutional rights of our citizens is part of i they a very important discussion that's going on right now. >> that's really important. let me comment. i'll turn it back to you. you know, this obviously came up in the san bernardino context, whether there was enough vetting. but director clapper talked about certain degree of limitation in terms of both american will and perceptions. especially in the post snowden environment, intelligence and information gathering. how do you gauge that? you're responsible for intelligence analysis for the department of homeland security. what does that balance look like? we can't be blind to what's happening in the homeland, given the nature of the threat. at the same time, we do need to protect privacy and civil
liberties. >> we've been doing this for 30 years, 40 years, i'm losing a decade there. it started after the church commission in 1974, focused first on the military. dod, but it has permeated the way in which our intelligence agencies think about protecting privacy and civil liberties of u.s. citizens. i think we have a framework and it stems from the church commission in terms of how we should do that. we can integrate privacy, civil rights, civil liberties, intelligence oversight into the process of collecting intelligence in a domestic environment and do so safely without jeopardizing the rights of american citizens. it is doable. we're doing it today. we're doing it with great oversight. appropriate oversight.
i don't think there is an impediment to it. there is the will to take on more information sets that help us paint a better picture of what's going on domestically. >> bob, i also want -- say whatever you want to say, but i want you to answer this question too, if you can. does technology actually help us with that balance? right, does it help us both with the protection of personal date it and identities, but also, allowing us to connect the dots and understand the network threats that we face? >> yeah, no, i will answer that question directly, because i also want to play back what frank said about innovation. right now, we're on -- in a new era, certainly in computing. it is the cognitive era. it is being able to take machine learning, artificial intelligence, cognition kinds of capabilities and apply it to science problems. i mean, imagine us creating an
active repos toretory of information, and each time, let me look for any information that's like that. let me get close to that information. you know what, you're working on this problem, let me let you know i've had added new information and that may change your thinking as you create this intelligence product. geez, we've got identities here, and they may be the same three people. but i've added new information and it disputes that they are indeed and it may change your approach to that. this capability is going to change the game. it's going to allow us to do everything that we were up here talking about. and even more. given the abilities to not only take our mission and accelerate it, but to provide all of the protections, all of the rules and regulations and requirements, and ensure we are a, not violating them. that those that need have.
that that don't need, have a need to know, don't. and that everyone is alerted at the right time, at the right place. and it is what i refer to as an li -- analytics. it is hard to be on your game 365. technology can solve that problem now. >> steve, brad, we have a minute about of we open it up to the audience. get ready. i want to ask this question. we've talked about information sharing, structure models, technology. let's talk very quickly about people. because i think you two represent sort of the best in this class. which is to say you served at the highest levels in law enforcement, you've served in different capacities in private sector. and there is a fraternity and a sorority of, you know, ex-government ago agents, fbi,
dea, that serve in the private sector, and so what is the role of personalities and relationships and trust in the kinds of structures and networks we're talking about? >> you mean the federal mafia? after they retire? >> i think the trust is there. i think any, you know, there is some help to that, the fact that they've been there, done that, and there is a familiarization in terms of understanding that. there is some advantages, in terms of expertise and connect with it. there is an advantage. i did want to, because you did reflect on fusion centers earlier. i want to say something that i think before the general gets out of here. the great job he has done with fusion centers, recognizing that not all are created equal. but the idea that you can elaborate best when you co-locate vertically and horizontally is a tremendous vision. it works.
worth doing by yourself is worth doing together. so that's been a great program. in terms of support. i'm confident we've got the government support. it has been helpful from our standpoint. >> brad, very quickly, final thought? >> people, talent. i think it is actually -- he spoke. the federal connection is good, but it is a two-edged coin. because businesses more and more are bringing in people with different backgrounds. especially the tech emerging e economy. you don't find high level feds as you used to. that's the future. i mean that's where the economy is going. the challenge for us is how do we build the same level of trust you talked about with people that don't have a background. so now we're back to working with them, getting to know them, mutual benefit.
that's challenging, because depending on where you're at, there is maybe the natural reaction against the federal government. related to it too, i would say part of our our focus is to mov beyond just the security side, the cso. not that they're of value, but at the end of the day decisions at the company are made at higher levels, and we need to actually explore how to engage better with them. because those are the people who make decisions around a cyber investment or a non-investment in a nation state program or other things, and we have to look at how do we build that again if we want to be ahead of that threat and not just investigate it. we have to have those kind of conversations. if i could make one closing comment, as we talked about in the back room there, i think --
and everybody's echoed the same thing. i think it's imperative that we figure this out now. we, as a country, are very, very good at fixing problems after catastrophic events. we mentioned fema earlier. katrina and fema totally changed the way they did business with the private sector. 9/11 a tragedy. we totally changed the way we do business on the federal and public side. i don't think we want to be in a place where we have the same sort of catastrophic event that forces us to figure out how to be better problems with the private sector. by force of will, by tone at the top, by moving forward on this it's imperative that we work through what does the future look like, what is the way
forward thin this arena. >> there are different cultures in this community. the firefighting community is a different culture. and even public health. you can't afford a cultural arrogance. it has to be a team across, and you have to understand what the firefighters and incident command bring to the law enforcement profession. it comes with the great respect and immediate respect of someone that's served their country. there are advantages to have. we understand people grow up in a culture, which is fine as long as there's an understanding this is a cross discipline approach if you try to maximize the impact and protect the public. >> great points. let's now open it to the audien audience. i think we have a few minutes. we can probably get three solid questions in.
does anybody have any questions? let's go with this young lady in the back. we might have all the mikes. [ inaudible ] zero in on the idea of incentives. you talked about the drivers of the private sector, risk mitigation, challenges from the federal perspective in terms of information sharing around willingness, but having worked both sides i'm proud to say i've done that. what i don't hear often enough is a conversation around how do we incentivize the private sector to do a better job in collaborating with the government in information sharing before and outside a catastrophic event. back to a point that was raised earlier, there's so many people
who have served in both the private sector defense and in the federal government. we talk about this in a technology sense. you have power users around a particular platform. again around this notion of incentiv incentives, how do we create a cadre of people to remain power users who will come back and share and collaborate outside of a catastrophic event. >> i think the incentive is there. certainly, we've seen it in cyber. i think we've seen it in emergency response after katrina and sandy and those sorts of things. our business community understands what's available within our federal, state, and local law enforcement and security agencies that is of value to them and enterprise
risk management. the challenge has been in the past the fear of prosecution or the government wielding other powers against them for their efforts to try to help the government. i think we've solved that on the cyber side with the cyber legislation that was recently passed. i think increasingly we're seeing our private sector partners have greater confidence in the professionalism of the folks they're working with in that this is a team, not an adversarial sort of relationship. that's hard for them in certain cases to accept given the past behavior of our government agencies but i think -- we talked earlier and i was going to comment on this notion of trust building. you build trust by doing trustworthy things day after day
after day. it just doesn't happen just because you say i'm from dhs, trust me. it happens because you do trustworthy things, and i think the thing that we have done on the federal side is reached out to our partners across industry, across state and local law enforcement security, and say look. don't just trust us. make sure we deliver what you expect of us. just one final point. after the most recent terrorist event in our country, we and the fbi had a telephone call same day of the event. 1800 people on the telephone call. we went through what we knew about the terrorist event, who we thought were the perpetrators, what their tact s tactics, techniques, and procedures were.
that call happened in the evening, and to date no information from that call was leaked. unprecedented. trust within the fbi and within our state and local and private sector partners. so doing trustworthy things i think build the confidence that you can do more with people, and that's really kind of what we've been working on at dhs. i know the bureau has been working on it and the state and local partners demanding we act in a trustful way with them in the information they need. >> another question? >> yes. >> my question is how can the intelligence community better communicate how the church committee's findings impact and
provide guidance to the protection of privacy? within the cyber world and technology becoming a bigger, bigger part of our culture and society, that discussion seems to be kind of where there's a breaking point between the public and the government. >> frank, do you want to take that one again? >> i'm just the oldest guy here since general clapper left. >> you've got the biggest title. >> only four and a half decades. he's got five. look, i think -- i had the honor of serving on president bush's privacy and civil liberties oversight board. part of our duties was to look at the terrorist screening program at nsa. politically controversial, lots of discussion about whether nsa should or shouldn't be involved in that activity, and i'm not political so i won't make political comments, but what we
did find is in the application of the authorities that were given to nsa in that program that appropriate privacy civil rights and civil liberties protections were the first consideration in how that program was applied. i think it really surprised some of my colleagues on the civil liberties board how strongly that culture existed in nsa. so any intelligence professional that has grown up since the church commission has had this beaten into their brain. it is a part of the intelligence culture of our country. it's how we think about doing things. it's the first thing in the forefront of our minds. in fact, may limit us by not doing things we're authorized to do for fear of violating that trust. i think it's there. i don't think it's widely
recognized as being there, but i think it is there. it's how we think about operating. it's what we do every day. and it is part of our culture as intelligence professionals. >> if i could just complement that for a second based on my experience. [ inaudible ] an intelligence program that leveraged large amounts of data in the final context. this was swift data, the backbone of the global banking system, but had built in it the design with the subject itself, swift, the protections of privacy and civil electricilibem the get-go. it's the only intelligence program that i'm aware of that ever had the involvement of the subject in not just the design, what information was to be accessed, but how that was then
controlled and analyzed thereafter. in fact, the private sector had representatives in the intelligence community that could literally shut off the analysis at any point in realtime if there was a sense that it was moving beyond the boundaries and the agreements made in terms of the use, the legitimate use, of that data. and the data, by the way, was constricted more and more over time because due to the collaboration the government realized we don't need a lot of this information. we just need certain bits and bites of it, and that became constrained. i think there's ways of using technology if you coordinate with the private sector that actually make us much more productive and protect private and civil liberties. >> maybe one quick question more. yes, if you make it quick. [ inaudible ] but i'm one of
only two arab language specialists on that program currently. how do you think the federal government can continue to attract recent graduates with language skills and maybe from the s.t.e.m. field when oftentimes they're looking at the same jobs or similar job descriptions in the private sector? >> you have to deal with this too from the bureau perspective. >> it's a very good question. i think it's an ongoing struggle in what i see on the federal side coming out of the private tech sector side. we don't have the same set of incentives that you have on the private sector side. it's not just money, by the way.
it's also flexibility. we as a federal workforce have to really explore if you really want young, talented individuals how does that paradigm shift also. we're talking about paradigm shift with public/private partnerships, but internally i see a tremendous shift coming out of a corporate environment 20 years into this environment. and i actually applaud how many young, talented people work for us. i think it shows a great patriotism that they're willing to step up and help, but i also understand what the draw is from the private sector. i don't have an answer for you. it's a discussion inside up to the director is how do we change this to attract more talent for the future. >> thank you. well, join me in thanks the panelists for a great discussion. [ applause ]
>> so i'm going to ask our panelists to stay in place for just a second here. i want to thank the partnership in putting this on. to close our session today, i'm going to introduce karen wagner to give us some concluding thoughts. karen is a former undersecretary of homeland security for intelligence and analysis, kind of preceded frank into the job. she's also a former budget director. she's a former cfo of the intelligence community and lots and lots of other things. she's currently teaching at niu. she's doing consulting work with a lot of companies. amazingly to me like other folks in the audience she finds time to volunteer and give back to some of these discussions on our most challenging national
security issues. karen is chair of the homeland intelligence council. she's about to give that up and let don have the opportunity to excel. i ask you to welcome karen to give us some concluding thoughts here. [ applause ] >> i see i get to add former chair of the homeland security council on my long list of formers. thank you, chuck. really all i'm here to do is to thank the panel very much for your remarks, your perspectives on the nature of the challenges that we currently face, and the responses from federal, state, and local governments and the role of the private sector. very interesting thoughts and insights and we appreciate your willingness to be here today. i also want to echo the thanks to director clapper for sharing his thoughts on the intelligence community's effort to address the evolving threats to our
security, his commitment to improving integration in information sharing and interdepartmental collaboration throughout his tenure. it's greatly enhanced our ability to mitigate threats to the homeland. he is a great american. again, another thanks to our partners. you guys have been great to work with. nsa has similar visions. a close partnership between business and government can greatly enhance our national security through the application of private sector innovation and expertise. to continue the national conversation, both organizations are releasing reports today on the need to improve information sharing and community involvement in the homeland security enterprise. the two reports take kind of a
different approach so they'll be great companion preaches. one is taking a more bottoms up approach providing incentives for private sector businesses. there are printed copies of these available to you, for you to take with you on your way out. we hope you to find them to be valuable. we are interested in your feedback, if you would like to provide it after you have read them. thanks to everyone for participating and attending this event. thank you. [ applause ]
along with the presidential election, we're closely watching state races. tonight, we'll have a debate among candidates to be louisiana's next u.s. senator. a number of challenges will take part, including john flemming and charles boustany. see that live at 8:00 p.m. eastern on c-span. and an hour later, we'll show you the latest new hampshire u.s. senate debate with kelly ayotte and maggie hassen. that's at 9:00 eastern also on c-span. on election day, november 8th, the nation decides our next president and which party controls the house and senate. stay with c-span for coverage of the presidential race, including campaign stops with hillary clinton, donald trump, and their
surrogates. and follow key house and senate races with our coverage of their debates. c-span, where history unfolds daily. after i came up with this idea, first of all i did research information because -- this is definitely the case with a lot of pieces that will be done for this competition, but mental illness especially. it's a complicated issue. it's not black and white, and it is so multifaceted that i had to research to get a base knowledge of what i wanted to talk about in this piece. obviously there was a lot -- it's so complicated i can't talk about it all in five to seven minutes. >> pharmaceuticals is a really broad topic. i thought it would be nice to have a focal point i wanted to focus on. before i started interviewing my parents, before i went and got clips from the internet, before i started shooting, i researched
this topic extensively. visited my dad's pharmacy and talked to the pharmacists there. i did a lot of internet research. i actually went to the library. >> a lot of internet research to find more like facts and data and statistics about employment of those with developmental disabilities to see really what was going on. most of the information i got off the internet came from government-founded websites. that's how i knew most of the information that i was getting was legitimate. >> this year's theme "your message to washington, d.c." tell us what's the most urgent issue for the new president and congress to address in 2017. our competition is open to all middle school or high school students grades 6 through 12 with $100,000 awarded in cash prizes. students can work alone or in a group of up to three to produce a five to seven-minute documentary on the issues
collected. include some c-span programming and also explore opposing opinions. the $100,000 will be awarded and shared between 150 students and three teachers. this year's deadline is january 20th, 2017. so mark your calendars and help us spread the word to student filmmakers. for more information, go to our website, studentcam.org. the institute for critical infrastructure technology hosted a series of discussions recently on cybersecurity threats. these next panels heard from experts who highlighted vulnerabilities of the u.s. election system. this is about 50 minutes. >> good afternoon, everyone. thank you for joining us for today's briefing. my name is parham eftekhari.
i'm a senior fellow at the institute for critical information technology. i welcome you to today's briefing on a recent series of publications entitled "hacking elections is easy." now, i see i.t. as a nonpartisan think tank with no political leanings. we're holding today's briefing because of the factual conversations on the cybersecurity of our election systems have been replaced these days with two extremes. on one hand, we have conspiracy theories filled with doom and bloom scenarios and baseless banter that inflicts widespread distrust of the democratic process. on the other hand, we have statements from ill-informed commentators who believe hacking an election is impossible and could never happen because of the decentralized nature of our election system and because of the belief that state officials are adequately prepared to defend against the adversary. the relate is that neither of these schools of thought is accurate. i see i.t. felt it was necessary
to introduce tech logic and a hacker mind-set to this situation to discuss the realities of the vulnerabilities that exist at the local, state, and national level. we'll hear from experts on how hackers engine their way into our system. during the second panel, we'll talk more about cyber hygiene best practices, which should be implemented by every public and private sector organization as a whole. our motivations today are very simple. we're here to educate the public and educate our election officials on what is possible so that they can then shore up the vulnerabilities that plague our election systems. with that, i'm very excited to kick off our first panel which is an analysis of the publication series "hacking elections is easy." i'm going to introduce our panelists.
very esteemed panel today. to my immediate right is james scott, a senior fellow at icit and the primary author of the paper. to his right is jim walter, a contributor and senior researcher from a silent spear team. and to his right is tony cole, an icit fellow and the vice president of global government at fire eye. thank you, gentlemen, for being here today. to start with, i'll be identifying three major problems in the current voting system and asking you the panelists to keep these in mind as we go through the next several minutes. problem one is the black box proprietary systems. the greatest threat to every election is the dependence on black box proprietary systems because voters and officials do not actually know what code is running. the reliance on vendors or outside contractors to manage these systems is extremely worrying because it is an enormous security risk. problem two is the antiquated
defenses. state election boards believe state elections are secure because the vulnerable systems are isolated from hacking via an air gap. this limited perspective demonstrates how little state election boards understand about cybersecurity. finally, decentralization is not a defense. to point to this common belief, i'm going to go to a quote from director comey who said, the beauty of the american voting system is it is dispersed among the 50 states. it is as clunky as heck. a lot of people have found that challenging over the years, but the beauty of this is it's not exactly a swift part of the internet of things, so it is hard for an actor to breach our voting process. with that in mind, we're going to quickly breeze through a couple of questions before we get to the meat of the conversation. all of this stems from the digitization of our voting system, stems from the 2000 election process where gore and bush had a disputed election. it came down to 400 votes in
florida. as a result of this, congress passed the help america vote act, which allocated money for 48 states to move to electronic voting machines. fast-forward to today. there's about a dozen e-voting manufacturers out there, and there's two primarily types of machines that are used. panelists, my first question for you is since moving to e-voting systems, have we, as a nation, done enough to ensure the integrity of the machines and systems that we're using across our country? >> i would say absolutely not. throughout the history of their use, there's been numerous vulnerabilities in these systems uncovered across all the manufacturers. they're not at all designed with security in mind from the ground up, and they seem to sort of exist in a bubble outside of the normal sort of hardware/software security life cycle in that when vulnerabilities or issues are
publicized or disclosed in these systems, nothing seems to occur. you never see any cbes assigned to the issues. there's no follow up from the vendors, so there's definitely not -- little if nothing being done to address the issues in these systems. it's kind of been that way since these things were implemented. >> and nist put out 360, which takes the security aspect and starts it at the manufacturing level and takes it through the entire life cycle of the technology. it would be great to see something like that. >> great. can we really briefly touch on what security requirements and mandates have been put in place for the states and if they've been effective and is there adequate funding for states to actually deliver on these? >> yeah, i think the funding is adequate, but the people that are in charge, the election officials, are no longer qualified to fulfill these tasks in the digital age.
so we need to start bringing in people that are familiar with the cyber kinetic threat landscape that is plaguing our election systems. >> i would add that i think there needs to be a minimum set of standards that are equivalent across all 50 states and all the territories as well. i mean, this is what our democracy is based on is trust in this system that you vote and your vote is counted for the candidate that you want. if we can't trust those systems if we don't know they've been compromised, we actually chip away at the foundations of democracy. >> and those standards have to be mandatory. right now, most of the certified systems are certified against a standard that was drafted in 2005, the voluntary voting systems guidelines, voluntary being the active word there. there have been sort of revisions since, but it's still
proceeded sort of with the voluntary word, so there's no requirement for these things to follow the standards that do exist today. >> talking about machines for a moment, do you think that manufacturers have done an adequate job of building security into the life cycle in the developments or maintenance of these machines? >> yeah, dre and optical scanner just dilapidated bare bones pcs with minimal, if any, pinpoint security. when you have black box technology with minimal transparency, it's pretty difficult to get in there and forensically analyze a malicious payload or hidden features that may be in that black box. >> this is a 16 megabyte compact flash card. this was taken out of a voting machine which is still in use today in i believe 13 states across 170 some-odd different precincts, cities, counties,
however you divide it up. these are the kind of systems that these things are based on. this is a very ancient version of dos running the thing. it is very easy to open up the box and yank this thing out. but the point is in terms of designing things with security in mind from the manufacturing process onward, when you're talking about operating systems that, a, run on something like this and are running code between 1999 and 2001 and they're in use today, i would argue that there's no security being paid mind there. >> i would add to that we need to take a completely different path on that where security is baked into these solutions because the people who are running these systems out there generally have no training as part of the paper that was done. some of these folks are getting paid $15 an hour, so they're not
highly trained individuals that can monitor, maintain, and ensure that these machines are doing what they're supposed to do and have not been modified. >> i'm going to summarize some of the things that were just said. we have easy to breach networks. we have employees that are not adequately trained or volunteers. and we have an election system that are run off black box proprietary code. james, what do you think is the most likely adversary that we're facing given the environment that we just described? >> could pretty much be anybody. you can look at the sophistication of state actors, sand worm projects. from a mercenary perspective, you can look at poseidon patchwork. hackers for hire now can bring the cyber caliphate in in a big way, but what we're going to go over right now are tools that are tools that are readily available on dark web forums
that can make -- things that used to be sophisticated just point and click at this point. >> so we'll start. >> well, that's the big thing right there. we hear about illinois and arizona, but the reality is for a while now voter registration databases have been able with recently infiltrated data on dark web forums. if you look at the minimal sophistication of the state governments, i think nasa, center for disease control, united states postal service, these are pretty sophisticated cyber defenses. they defend in layers. ftp access is readily available for a fee. i would estimate by the next election cycle they'll be selling access as a service to state tabulators.
this is just a downloadable guide for information, internet information servers. another example of data access as a service -- little difficult to see. this one was interesting because they offer a refund. you pretty much just give the url. they achieve access. you check it out. then your bitcoin comes out of escrow. this is interesting because this is a hacker-for-hire service, but this is an ad by a handler. you described the project, what database you want access to, what type of malware you want customized, and this individual will have maybe 10, 15 hackers that he can pull from. this is a vulnerable port sniffer. we'll talk more about that at
the state level, injecting malicious code. same type of thing. just a different -- it's more of purchasing the software as opposed to a service. sql injection tools so easy anybody can do it in about ten minutes. brute force, we're going to talk about that as well. you can brute force your way into pretty much anything, especially with the web exploits. another brutal force. i'm going really fast here. sorry. trying to catch up. this is interesting because it is an all-inclusive encyclopedia like software to do script layered attacks with minimal technical capability. 0-day for microsoft office is a
steal at just under 50 bitcoin. excel will be important because state tabulators will oftentimes use excel as their spreadsheets. finding an exploit that will work with excel, bare bones dilapidated voting machine or scanner, black box technology which nobody can get into. there's a lot of things that can go bad there. another 0-day. this you can build your own exploits with this -- this is just another nifty tool for people to figure out you can start doing your own exploits. >> perfect. thank you. that gives you a good example and a good visual of some of what's out there. many of these and other images can be found in our hacking elections which can be
downloaded from the icit website. we're going to get into a part of a conversation that is going to be quite fascinating, and that is how a local election system can be compromised. so we're going to walk through this process. i wanted to start off by making a statement that there is no consistency across particular states or precincts in how machines are tallied or what they're using, but at that very high level the process is quite simple. votes are tallied at a local level and the state level using memory card, e-mail or transfer. this is constantly a changing process. there may be processes that are introduced for the upcoming election that we are not aware of. keeping that in mind, our first question, gentlemen, is what characteristic would malware have to impact an election? >> depending on where your starting point is, you mentioned right off the bat the transfer base of voting data or ballot
data. if we're talking about a system with ftp data outward, anything that can monitor that traffic or anything that can monitor the initiation of that traffic, there's any number of off the shelf tools that has been shown or -- it doesn't take much to write stuff that sniffs or scents or redirects elsewhere. you can get deeper into stuff it can run or be injected into code on the voting machines themselves. those that run windows, it's simple to craft a piece of malware for the machines or use something that already exists. they are typically not running protection. anything you dump on there in regards to how old or ancient the malware is will run and do the job. we have seen scenarios where people test out these machines and drop things like poison ivy or dark comet which are very well known, very easy to detect
in the security world. they'll definitely run on these machines and will absolutely infiltrate the data as needed. >> i would add the other thing we ought to think about too is many times this data may be taken back to the state level or to be tabulated or the regional level to be tabulated, the county level out of localities. if you have people sitting in the room who are working on their own systems and maybe more modern systems, if you have those other systems for the election that are air gapped, all it takes is one piece of removable media moved over to one of those and you can do a compromise. a lot of people think if you are air gapped you are safe. there are a number of reports that have shown how air gap
systems get compromised quite frequently today. >> air gaps, i would say you would have to know how to leverage exploits, specifically microsoft operating system, excel, access. but with bypassing the air gap, since 2005, it's pretty common. we had usb sealer in 2005. air hopper, project this year. all easily achieved bypassing the air gap. the air gap is no longer a defense. it's interesting to hear state officials say that it is. kind of shows how unqualified they are for their positions in the digital age. >> so, gentlemen, there's three viable injection scenarios as part of this conversation -- >> oh, i had one other thing. the payload should always target the tabulator. that's where we are headed. we'll talk more about that. then it should also activate on election day and self-delete after tabulation. >> so, there's three viable injection scenarios at the manufacturer level, at the local
level, and the state level. james, i want to start with you by talking about attacks at the local manufacturing level. how are you able to compromise machines at the manufacturer level? >> so, at the manufacturer >> so, at the manufacturer level that's actually the easiest place to inject a malicious payload that will carry through to the tabulator at the state level. so you could use a port sniffer, certain type of credential stealer, gain access, you could sniff for vulnerable ports with something like we showed in there. the easiest way to exploit an overall campaign is to inject -- to poison the update at the manufacturer level. what will happen then is because it's a black box technology, because the code is considered proprietary, because there's no transparency, you can poison that update.
that poisoned update will carry through to the contractors and manufacture reps in the field. also the election consultants and the local and state level officials that are updating and certifying. >> any additions? >> there's typically no real strong checks between the update process for these machines and the code that it is updating on the machines. so, there's been a lot of academic and published research on poisoning firmware updates for example for sequoia and premier where you can simply take a poisoned firmware update and that will -- because there's no signing in place or no check summing or weak krip toe that's
doing the check summing, that update will run on the box and generate, cause the box to be running malicious payload from that point forward. and most of these manufacturers have open ftp sites that are easy to find that they receive data or distribute updates. if you can pop the server and stick up your malicious update, then that takes care of it. >> we are going to move on now to the local level. we have an info graphic here that can kind of help facilitate the conversation. let's talk about what you would -- what an attacker would do at the local level. >> sure. i mean, we can look here or i can just walk you through it.
so what jim had showed, one of the first things is to exploit open ports, injectable media, memory cards. if anyone is familiar with the hursty hack. this is one of the places where they took a memory card that could manipulate the actual tabulation process of an election and then self-delete. >> yeah. i was going to say there's so many ways to go about it with all these varying machines. i'm sure everyone in this room probably has voted in the past, so you know a good percentage of the time when you vote, especially towards the end of the day, those people that are making $15 an hour, $16 an hour are really not paying attention. not only that, do they even really know what you're doing when you're back there on the machine. it's not difficult to go in -- one of them actually had a switch on the back you could
flip. sequoia pop the panel off and reset it. another one had a panel you could pop off and stuff the ballot box directly. there are a number of things you can do. i want people to think about this, the fact that it was 400 votes in 2000. 400 votes is all. for people to say you can't hack an election, that's crazy. it was 400 votes. you know, a large effort, you could certainly have a much larger impact than 400 votes, very easily, especially in a swing state or swing county. >> the focus is swing regions of swing states for a local attack. poisoning the update, you could add a targeting feature to the code so you are only focusing on particular proximities in swing states. >> back at the local level, you have the technical side of it and the human side of it. going back to the sequoia machine, it takes maybe eight to ten seconds to tilt the machine sideways and yank this thing out to either replace it or just
leave it out causing a denial service effectively and then the machine is rendered useless for the rest of the day. you can obviously replace it with your own compact flash card. there's also two media ports in the back next to that activate button that allows you to vote multiple times, but you can remove the results card, the pc card that stores the results from the back of the machine. you just pop up a little latch and yank it out and then off you walk with all the results from that machine. so, there's that sort of technical side and the human side. you touched on the employee side of it. it wouldn't be uncommon for malicious actors to insert themselves as employees/volunteers or pay off others. it works in the way that mirrors the carding universe. you have paid individuals to look the other way while you tamper with other things and they make sure no attention is called to it. there's all different kinds of ways to go about it.
>> most of these election volunteers have no social engineering training at all. they couldn't identify a physical attack on a machine if they saw one anyway. you know? >> so we're now going to move on to the state level. there's obviously at the state level several layers of technology that can be looked -- compromised. the report examines seven primary attack factors. exploiting, reaching state server, insider threats, infecting state pcs, poisoned updates at the manufacturing level, spreading malware and compromising state tabulators. we are going through each one by one. we have another graphic to help facilitate the conversation. first, we start with exploiting website vulnerabilities. >> dominion systems who also owns sequoia and they also own
premier, i believe, which used to be dibolt. they have a portal for all their customers. something easy to guess. something like dominion voting/portal, you know, syndication that can be popped and in you go as a customer to view or manipulate data. you know, all the different site that is can be popped as well. this is different from the web side of it. it's, you know, it doesn't take an act or sophistication to run simple tools to manipulate the sites or try to force their way into the site to maintain access. >> i think that's a really important point you just made as well. it doesn't take a nation state to be successful doing this. think about the resources in the nation state that wanted to manipulate our election to bring to bear and manipulate these. it is not a high level of sophistication to compromise
these systems. >> it goes down to getting into website, brute force, sql injection, getting into the network, stealing credentials, mapping the network, gaining intelligence. yeah, i think this is arizona -- so, this is already happened. some learn from what's already worked, so they will mimic this breach. >> next we move on to breaching state servers. >> yeah, same way. steal credentials, elevate privileges, move laterally throughout the network, try to find treasure-troves of data, voter registration databases that you can infiltrate and infiltrate sizes that don't go
detected or go undetected. again, these websites, these servers don't have properly layered security, so, you know, if you get admin credentials, they don't have user behavior analytics to detect the abnormality of what's happening with that user's behaviobehavio. >> they are going to get the credentials the same way they have for years now. the number one method of achieving that first stage of access has been spearfishing attacks and it's been that way for years. they're going to use what works. identify key individuals in the state that are associated with the running of elections within that state, which is very easy to do through osint and phishing e-mails to them and see what you get in return. generally, you will be able to,
you know -- you get at least one hit out of however many you try. at that point, you can start to collect credentials and laterally move from there. >> job offers always work in that one. grafted pdfa, great jobs. >> for a better job. >> take a look at this and we would love to talk to you about this. take a look at the job announcement. they always open that announcement. >> linked in is a starting point. >> linked in always -- >> moving on to insider threat. we know there's malicious insiders, unintentional insider. talk a little bit about this vulnerability. >> it's a huge vulnerability. the unintentional is one that we could fix. most security people today will state that users are the problem. users are why we have a job. it's important for us to remember that. what we need is a large campaign for anybody that is part of an enterprise to be involved in and understand the dos and don'ts of cyber security. there's a lot of challenges in that space force today because people don't know when that weaponized attach comes in. it looks like a normal e-mail
that they weren't expecting. they don't check on it. they don't know what they should and shouldn't do. instead, they open it. it leads to compromise. now you have a set of credentials to go out and utilize them to compromise an election database. those are a huge problem and one that is fixable for some reason that we don't seem to focus on, on bringing those users in and getting them trained on a continuous basis, understanding what they should and shouldn't do. all the way down to our kids who grow up to be enterprises. we just simply don't do it and we should. the insider threat, the malicious insider the very difficult to identify at this level because it's so inexpensive to hire somebody. in my county, $145 a day for loudoun county, virginia. 145 bucks a day you get paid for the election. most counties have very little background checks. they do very little on that side at all. most of the requirements were a high school diploma or ged to
actually be an election official. think about that. no background checks. that's it. they just want to know you can take simple steps in the i.t. realm and simple interpersonal communication skills to interact with others there. so very, very easy, probably for some nation state to come in and actually implant somebody inside that environment, getting a lot more than $145 a day, i'm sure, to go in and try to compromise these systems and impact our elections. >> james, you and i were talking about infected state pcs. you want to kick off that? >> yeah. so, state pcs can be infected any number of ways. it can be the contractor who comes in at night for janitorial services. most of these state level pcs have totally exposed tower backs
so you can inject any type of malicious payload using an usb drive. social engineering always works with spear phishing attacks at the state level. they lack cyber hygiene training. they will click on dancing kittens playing with baby puppies and toddlers. it's cute. you have to click. they will click, download a malicious payload. from there, it's funny because we were asked to put a sample exploit. i think a sample exploit, if we were targeting a pc at the state level, you would want pretty solid functionality across the board. the malicious payload would have a rat, additional droppers, key logger, screen grabber, camera and microphone capture tool, network mapper, lateral movement procedures, code injection
mechanisms, social media spread and activation tool, and usb infection capability also with self-deleting capability as well. >> and all that stuff already exists. if you're the malicious actor, you don't have to write that or code it. you can grab your own cracked version of zeus or poison ivy, infiniti rat, you name it. all those tools are just out there for you to slightly customize it, create a fake file and do all the things you just described. >> it's an easy step. you know, today, in the dark web, it's a very robust economy like if you run a large enterprise, you buy product and get maintenance and support. go to the underground, buy tools, and you can get maintenance tools for