Briefing on the Attribution of the WannaCry Malware Attack to North Korea
Morning, all sorry for being tardy. This morning. I'd. Like to talk to you today about a cyber, issue of significance, in May of this year a dangerous, cyber attack known as one a cry spread. Rapidly and indiscriminately, across the world the. Malware encrypted, and rendered useless hundreds, of thousands of computers and hospitals schools businesses. And homes in over 150, countries, while. Victims receive ransom demands paying those demands, did not unlock their computers, now, this was a careless and reckless attack. It. Affected, individuals. Industry governments, and, the consequences, were beyond economic. The. Computers, affected, badly. In the U in the UK and their health care system put. Lives at risk not just money. After. Careful investigation in, the United States is publicly, attributing, the massive one a cry cyber attacks in North Korea. We. Do not make this allegation, lightly we. Do so with evidence and we do so with partners. Other. Governments and private companies agree, the United Kingdom Australia. Canada. New Zealand and, Japan have, seen our analysis and they join us in denouncing North Korea for one a cry. Commercial. Partners have also acted, Microsoft. Traced the attack the cyber affiliates, of North Korean government and others, in the security community have contributed their analysis. The. Stability of the internet and the security of our computers, is vital to free and fair trade and the fundamental, principles of our Liberty and. Accountability. And cooperation, are the cornerstone, principles, of our cyber security strategy. North. Korea has acted especially especially badly, largely unchecked for more than a decade many, of you have reported on that. It's. Malicious behavior is growing more egregious and stopping that malicious behavior starts, with this. Step of accountability. The. Attribution, is the steps we're talking them accountable but. It's not the last step, addressing. Cyber security threats also requires governments, and businesses to cooperate, to mitigate cyber risk and increase. The cost to hackers by defending America. The. US will lead this effort. President. Trump has rallied allies and responsible, tech companies around the free world to increase the security and resilience of the Internet, cooperation. Between industry and good governments will bring improve security and, we. Can no longer afford to wait. We.
Applaud Our corporate partners Microsoft, and Facebook especially, for. Acting on their own initiative last week without, any direction by the US government or coordination to. Disrupt the activities of North Korean hackers. Microsoft. Acted before the. Attack in ways that spared many US targets. Last. Week Microsoft, and Facebook and, other major tech companies acted. To disable, a number of North Korean cyber exploits, and disrupt their operations as, the. North Koreans, were still infecting, computers across the globe. They. Shut down accounts, the, North Korean regime hackers, used to launch attacks and patched systems. I'm. Extremely proud of, the hard and dedicated, work of the intelligence services and cybersecurity professionals I'm. Very happy today to have one of the finest with me. I'd. Like to introduce Jeanette, Mann for assistant, secretary, for cybersecurity and communications at, DHS. We. Call today I call. Today and the president calls today. On. The private sector to increase its accountability in. The cyber realm by, taking actions that deny North Korea and the. Bad actors the ability to launch reckless, and destructive, cyber acts. As. Responsible, US companies join us in this cooperation, it will fall to Jeanette and her leadership team Chris Krebs secretary, Nielsen they're. In charge literally, of coordinating, the operations. That will protect us. As. We make the internet safer we will continue to hold accountable those who harm us or. Attempt to threaten us whether. They act alone or on behalf of criminal organizations or, hostile nations. With. That turnover Jeanette thank you. Thank. You sir, at. DHS, cybersecurity, is, a core mission of ours and just like preventing, terrorism or responding, to hurricanes, and wildfires it. Is a shared responsibility between. Government. Industry and the American people wanna. Cry is a great example of how this partnership works it began, on May 12th the Friday before Mother's Day we. First learned that something unusual was happening from our partners in the asia-pacific region as, the, Malheur traversed, the globe we received information from, our partners in Europe as the. Day went on and the National Health Service in the UK was impacted, we knew we were dealing with a serious, issue and began to activate our domestic industry, partnership, by. Mid-afternoon I had all of the major Internet, service providers, either on the phone or on our watch floor sharing information with us about what they were seeing globally and in the United States we. Partnered, with the Department of Health and Human Services to reach out to hospitals, across the country to offer assistance we. Engaged with federal CIOs, across our government to ensure that our systems were not vulnerable I, asked. For assistance from our partners in the IT and cybersecurity industry, and by 9:00 p.m. that night I had over 30 companies represented. On calls many. Of whom offered us analytical, assistance, throughout the weekend by. Working closely with these companies in the FBI throughout, that night we were able to issue a technical, alert publicly, that would assist offenders, with defeating this malware we.
Stayed On alert all weekend, but were largely able to escape the impacts here in this country that other countries, experienced, in many. Ways want, a cry was a defining moment and, an inspiring, one it, demonstrated, the tireless commitment of our industry, partners a moment. That showed how the government, and private sector got, it right that our preparation, our investments, in cyber security keeping. Our systems up to date and sharing information paid, off, although. The wanna cry attack demonstrated, our national capability, to effectively, operate and respond we cannot be complacent we. Are seeing increased activity, and sophistication. From both nation states and non-state actors in many, instances, these are the same adversaries, we have faced in the past they're just now operating, in a different space most. Devices, are connecting, to the Internet which broadens, the threat landscape and compounds, the for security practitioners. And, there's no sign of these trans abating in the years to come this, is why cybersecurity, continues. To be one of the most significant, and strategic, risks to the United States in. Addition, to broadening the threat landscape we, see some gaps between, what an entity might consider, adequate, security for themselves or, their sector, and what, is in the public's interest the. American, people depend, upon critical services, and functions such, as electricity, a stable, financial system and dependable, communications. All things, that enable our modern way of life, many, of these are run by the private sector therefore. In order to ensure the security of these services and functions we, rely heavily on public/private collaboration, this. Collaboration, is entirely voluntary and provides, companies, with strong liability. And privacy, protections, should they participate, to. Ensure adequate security, in the private sector DHS, plans to move beyond only offering voluntary, assistance, to more proactively, becoming the world leader in cyber, risk analysis, and intervening, directly with companies when this when necessary, specific. To North Korea we have issued technical, alerts to, assist network, defenders, in understanding. The types of malware that, they are using and urge them to remove them from their systems so that they cannot continue, to have access to our infrastructure, as we, learned during the wanna cry attack these incidents, can have life-threatening, consequences. So. How did we get here the, internet was engineered for interoperability, trust and openness innovation. And automation equals, efficiency, and cost savings but, often times the cost of security which is too commonly, an afterthought, are bolted on aftermarket. Attackers. Only have to be right once but, defenders, have to be right all the time some. Say that defending, cyberspace, is impossible, and that attacks are inevitable, I disagree. With this assumption, we can take small tangible. Actions, to, make the cyber ecosystem. Safer, our, goal is a cyber environment, where a given threat, such as a malicious, email can only be used once before it is blocked by all other potential, victims we. Need to get to the advantage, to the defender, we, make it way too easy for attackers by operating, independently, our, adversaries, are not distinguishing, between public, and private so, neither should we government. And industry must work together. Now more than ever if we are serious about improving our collective, defense we. Cannot secure our homeland alone, a company. Can't single-handedly, defend itself against a nation-state attacker. Cybersecurity. Is a shared responsibility we.
All Play a part in keeping the internet safe to. Prevent another attack like, want to cry we are calling on all companies, to commit to the collective defence of our nation and. This commitment does not end on our borders as identified. In the wanna cry incident cyber security defense is a global challenge as many, as 150, countries had systems infected, by this ransomware, and it is only through international, partnerships, that the United States had time to prepare, therefore. We are working to strengthen our international partnerships, with cyber security sentence, centers across, the world we. Are taking a greater leadership, role in cyber security at DHS, we seek to drive the market toward more secure scalable, and interoperable, solutions, ahead, of us like great challenges, but even greater opportunities. Which, I know we can accomplish by working the catch together thank, you very much. Okay. Question. Sir the. Two, questions, the. United States was. Apparently. A bit slow to. Publicly, identify North. Korea as the culprit and all of this, was. There some new evidence that came to the fore that. Led. To making. This public conclusion. Second. Question is about Marcus, Hutchins, has been identified as, an individual, who helped out, to. Stop. The wanna cry. What's. Gonna happen to him given the fact that he's been locked, up when unrelated, charges will the u.s. interview so. Two questions there one did we do it too slowly no. I'm my answer is no I think the most important thing is to do it right and not to do it fast we. Took a lot of time to look through classified, sensitive. Information, what, we did was rely, on and, some of it I can't share unfortunately. Technical. Links to previously. Identified North Korean cyber tools tradecraft. Operational. Infrastructure, we. Had to examine a lot and, we had to put it together in a way that allowed us to make a confident, attribution, as, we move forward an attribution, becomes, part of our accountability pillar, we, can't do it wrong, we, can't get it wrong we can't try to rush it I think, ultimately at this point if, we had gotten it wrong it would have been more of a damage to our reputation. And national security that would have been a boon for us to do it quicker the. Second question I can't comment on the ongoing criminal. Prosecution. Or. Judicial. Proceedings, there but, I will note that to. Some degree we, got lucky a lot, of ways in the United States we were well-prepared so it wasn't luck it was preparation, it was partnership, with private companies and so forth. But. We also had a programmer, that was sophisticated, that, noticed a, glitch. In the malware a, kill, switch and then acted to kill it he took a risk but. It worked it, caused a lot of a. Lot, of benefit so, we'll give him that next time we're not going to get so lucky so what we're calling on here today is an, increased, partnership, and increased, rapidity, and routine speed, of sharing information so that we can prevent, patient, zero from being patient 150. You. Said, that, cyber, affiliates, within the North Korean government were, responsible, for this North Korea is a fairly. Inclusive. Inclusive. Country, how do you believe generally. That their cyber. Operation. Than they're hacking operations. Would work. How. Does that all piece together in your mind from whatever what. You've been able to entail and secondly, you, talked about one in the private sector to do more, what.
Do You mean exactly what you, want to see how the private sector yes so the, difficulty, in attribution, is often to figure out who was operating the keyboard and on whose behalf and, so those are the two gifts the two biggest challenges people, operating keyboards all over the world on behalf of a North Korean actor can be launching from places that are not in North Korea so that's one of the challenges behind cyber, attribution, we're. Comfortable in this case though that it was directed by the government of North Korea we're, also comfortable, in saying that there were actors on their behalf intermediaries. Carrying out this attack and that they had carried out those types of attacks on behalf of the North Korean government in the past and that was one of the tradecraft. Routines. That allowed us to reach that conclusion that. Said how. They operate is often a little mysterious, if, we knew better with perfect knowledge we would be able to address North Korean problem, with. More clarity and part, of the larger. Strategy. Of increased pressure on North Koreans is to, get. Them to change that behavior I mean my. Observation, they've, got some smart programmers, it's a real shame that their governments leading them down the use of that in the wrong wrong direction if, they have smart people there and a free government they'd be positive. Contributors, to the world I wish that their. Leadership and despots would get out of the way, source. The, majority. Of these, operations, or do you think this comes from actual. I. Don't think there's an outsourcing, distinction, here with the North Korean regime I think that everything that happens in North Korea happens with and by the direction of their leadership. Private. Sector what we're doing here is, improving. Our own ability to work with them so there's two halves to this remember. That what they do is they report to us all the time targeted, attack, vectors that they're seeing we put it together and share it back out with everybody so if you're receiving a. Phishing. Attack and you report it to us we can notify the whole country, to be, on the lookout for that so we want them to increase their sharing, of information with us and then, as we move forward and become more sophisticated in, this administration we're, gonna ask them to look into sharing. More technical. Information on, how they're architected, and where their exposure points are so if we can get a better strategic view with defending ourselves. The. Purpose, of ransomware is to raise money so do you have a sense now of exactly, how much money the North Koreans raised as a result of this and you have any idea what the, money that, it could have fund the nuclear program did it go just to the regime for its own benefit or where, did that money go yeah, it's interesting right there's two conundrums, here at first we don't really know how much money they raised but they didn't seem to architect, it in the way that a smart, ransomware, architect.
Would Do so they, didn't want to get a lot of money out of this if they did they would have opened computers, if you paid once, word got out that paying didn't unlock your computer the payment stopped and so, I, think, that in this case now, this was a reckless attack and, it was meant to cause havoc and destruction the. Money was an ancillary, side. Benefit I don't think they got a lot of it. Two. Things first was the consequence. For this what is I understand that we have to have a collective defence of our nation's now what is the consequence, for the North Korea for doing this well. At this point North, Korea has done everything, wrong as a actor. On the global stage that the country can do and, president Trump has used just about every lever you can use short of starving the people of North Korea to death to, change their behavior so, we don't have a lot of room, left here to imply, pressure to change their behavior it's, nevertheless important, to call them out to let them know that it's them and we know it's them and and. I think at this point some of the benefit that comes from this attribution, is. Letting them know that we're going to move to stop their behavior it, also allows us to galvanize, back to the question previously the private sector in. This case the private sector also acted. Facebook, took down accounts, that stopped, the. Operational, execution. Of ongoing cyber attacks and, Microsoft acted to patch existing. Attacks not just the one to cry attack initially so now this is allowing us to call on, all like-minded. And good responsible, companies to, stop supporting, North. Korean hackers whether they're operating North Korea or elsewhere and it's secondarily, an opportunity, for us to call in the other countries in the region that were affected to mobilize them to stop that same behavior often, North Koreans can travel outside of North Korea to hack where, they can rely on people outside of the country with better access to the Internet to carry out this malicious, activity, and we need other countries, not just other companies, to work with us follow, up on this it seems there's a different, handling, of different intelligence, assessments, first on North Korea there's an elaborate rollout appear, today where you're calling out North Korea by, name for its cyber activities, but take, Russia, for example for interfering, in the u.s. election. Why hasn't there been a similar rollout, like this to, call Russia out for his activities. I'm. Not sure this is all that elaborate but I'll tell you that there was I think President, Obama called him out and, I think for what it's worth and underreported. President Trump not only continued, the national emergency, for cyber security but, he did so himself. And sanctioned, the Russians involved in the hacks of last year and so you. Know I think that that was the appropriate act I think he's continued, that for another year and will probably continue it for the year after that. This. Was this, was, yeah. This was the continuation of, the, national emergency with respect to significant, malicious cyber enabled activities, mm-hmm. President, Trump continued. That national, emergency, pursuant, to the international, emergency. Economic Powers Act, to, deal with the unusual and extraordinary threat, to the National Security foreign. Policy and economy of the United States now. Look in addition if, that's not making people comfortable this, year we acted to remove kaspersky from, all of our federal networks we. Did so because having, a company that can report back information to the Russian government constituted. A risk unacceptable, to our federal networks, in. A spirit of cooperation which, is the second pillar of our strategy accountability. Being one cooperation. Being the second we've, had providers. Sellers. Retail, stores follow suit we've had other private companies and other foreign governments also follow suit with that action I think, we're leading to take bad actors whether they be Russia North, Korea at, times China and Iran off, the internet knocking them off their game and I think today is about North Korea but, I welcome the question on Russia I think we stand with a good record. Sir. Thanks, Don I have a follow-up on that and a separate question, president.
Has Said sort, of casting doubt on the on the, findings, about Russian, interference he said unless you cavity hackers in the act it's very hard to know exactly who. Is, behind it major did the US catches, the North Koreans in the act on this yeah that's that's the key here right so today, took us a little a little while but we did in a thoughtful manner because, we believe now we have the evidence to support this. Assertion it's. Very difficult to do when you're looking for individual hackers or different groups in this case we found a concerted effort secondly. You mentioned. Earlier that, North Korea has, I did especially badly, and he said largely unchecked, for the last decade, now there's been reporting, that the US has actually, acted to combat, North Korean parents. We've taken a cadiz reportedly. Against, their nuclear facilities. Using. Our own capabilities. Obviously. None of that it's being confirmed on the record but when you say largely unchecked on something that sort of undermine the idea that the u.s. is actually taking, action to combat what North Koreans don't know I think President terms made it very clear that his view is that previous, administration's, of both parties could. Have done more and should have done more in his opinion to apply more pressure under North Korea when the opportunity, to do so would have resulted in a better world. And I think at this point the, cyber issue has, come on the heels of his other decisive, actions so it leaves us with little room left to apply. Additional pressure but, we will continue to apply that pressure campaign, without any wavering. David. Thanks. Very much for doing this you take us a little more into, your, attribution. Process here we, said the leadership, of North, Korea. Ordered. This, that's. Not something that would necessarily be, visible from the code itself. Can. You tell us a little bit about that within the limits. Of what, what you can and whether, you believe Kim jong-un was. Directly involved in that decision, you also tell us a little bit about what you think the motive was as you pointed out ransom. Seemed to be sort of a cover story. Chaos. You. Can see that but that's, not the usual North. Korean mo. They usually have something that's a little more, concentrated. In your map shows this, is all over the place in Geneva Japan, places. Right so, tell. Us a little bit about about that and how, how. Attribution. Got you to 1/10 so. Let me go backwards on those of you don't mind address them in reverse order and one of the difficulties, here of. This. Assertion is that it is wanton and reckless and it's also one of the most troubling attributes, of what we've seen in water cry why it's so important for us to treat this one differently the, idea here David is that what. Discriminates, on the map is not the intent of the attacker but, the quality of the defenses and security of the people that they saw to, attack so. The targets in the United States were harder thanks, to people like Jeanette so.
They They were suffering less people, in Russia people in, China took, this one badly some. Sectors in Great Britain took, this one very badly and so their computers weren't defended, properly, in this case or. At least in time I shouldn't say properly we're, all struggling to keep up with this increasingly. Reckless, behavior so, I disagree, that they're looking to be more targeted and more sober, in their calculus I think, at this point North Korea has demonstrated that, they want to hold the entire world at risk whether it be through a nuclear missile program, or through one cyberattacks. Secondly. It's a little tradecraft to get to your second question it's. Hard to find that smoking gun but what we've done here is combined a series of behaviors. We've, got analysts, all over the world but also deep, and experienced, analysts within our intelligence community that, looked at not only the operational infrastructure, but also the tradecraft and, the routine and the behaviors, that we've seen demonstrated, in past attacks and, so you have to apply some gumshoe, work here not just some code analysis. Able. To take advantage of. The vulnerabilities. That got, published, and the shadow. Produce website, do you think that would have made a significant. Difference, in their ability to carry out the attack yeah. So I think, what Dave is alluding to here is that, vulnerabilities. Exist in software they're not almost. Never designed, on purpose software, producers, are making a product and they're selling it for a purpose when, we find vulnerabilities United, States government, we, generally. Identify, them and tell the companies and, so they can patch them in, this particular case I'm fairly proud of that process so I'd like to elaborate under. This president's, leadership and. Under the leadership of Rob Joyce who's serving as my deputy now and the cybersecurity coordinator we've. Led the most transparent. Vulnerabilities. Equity's process, in, the world and what that means is the United States government finds vulnerabilities, in software routinely. And then, at, a rate of almost 90% reveals. Those they. Could be useful, tools for us to then exploit for our own national security benefit, but, instead what we choose to do is share those back with the company so they can patch and increase, the collective, defense of the country it's. Not fair for us to keep those exploits, while, people sit vulnerable to those. Totalitarian. Regimes that are going to bring harm to them so, in this particular case, I'm, proud of the vet program and I'd go one step deeper for, you those. Vulnerabilities. That we do keep we. Keep for very specific purposes, so that we can increase our national security and. We use them for very specific purposes only tailored, to our perceived, threats I think. That they're used very carefully they, need to be protected in such a way that we don't leak. Them out and so bad people can get them that that has happened unfortunately, in the past but.
One Level even deeper when, we do use those vulnerabilities, to develop exploits for the purpose of national security for the classified work that we do we. Sometimes find, evidence, of bad behavior, sometimes. It allows us to attribute bad actions other, times it allows us to privately call, and we're doing this on a regular basis, and we're doing it better and in a more routine fashion as this administration advances. We're. Able to call targets, that aren't subject, to big rollouts, we're, able to call companies and we're able to say to them we believe that you've been hacked, you, need to take immediate action it, works well we need to get better at doing that. And I think that allows us to save a lot of time and money so that, process is, an, equities balancing process I think we've got it right and I know the United States is by far head and shoulders above any other country in the world. Two, things one on a matter of policy, is. This administration's. Policy, that an attack on the US company constitutes. An attack on the US government, how, did you get to that conclusion that it's, clearly. Holding the state of, North Korea responsible. Here so, can you explain that, policy, and then on, digital. Currency I believe, I know you said not much money was raised off this you don't think but, that seems to be sort, of an open spaces that does, appear to me how the hackers, were seeking. Any compensation. Right. What are you doing on that yeah so so any crypto currency might be difficult to track so it's both are good and a positive innovation but also a concern, is we hope it doesn't end, up being used for illicit. Behavior. In. This particular case our assumption, on, then that raising a lot of money comes from our belief that the hackers, hit. Targets, that then reported, to us what they did about it the targets seems, to have reported, to us by and large that that mostly, didn't pay some. Seemed to have tried to pay and then quickly reported to others online and through, other media, that, they weren't getting their computers unlocked and so the others stopped paying does that make sense so now, we're able to track the behavior of the targets in that case. You. Would not have necessarily, had, visibility, into how, those, crypto currency was. Yeah. I'm gonna reserve judgment on that it is a difficulty, that as, a general matter I'm, not sure how we would have tracked cryptocurrency, into, this particular, country so I'll, have to get back on that but, I will say that your.
Last Question is, open it's. Not about holding. A country accountable, it's, about simple culpability, we've. Determined it was behind the attack and we're saying it's. Pretty straightforward it's all I've learned about. Cybersecurity, I learned, in kindergarten we're, gonna hold them accountable and we're gonna say it and. We're going to shame them for it and when we need to increase our collective defenses we're going to cooperate and we're going to try to trust each other more and. I think companies are demonstrating, that trust I think this president's inspiring that kind of trust I think, he's bringing them together in a way that's got. Them feeling like we're on their side and I think it's going to improve our security. You're. Saying an attacking us company, yes constitutes, an attack on US government I'm not saying that that's, not the policy and you're not moving in that direction to make that house that's, not the policy right now. Yes. How, do you expect the core, I spawned after this announcement I. Hope. That they decide to stop behaving badly online, I'm. Not naive and I. Think they'll probably continue, to deny and, to, continue to believe that they're beyond. Repercussions. And beyond consequences. But, I think at some point they're gonna realize that this president in this country and, the Allies that he's rallied unanimously, around this cause will, bring them to change their behavior and, if they don't this presidents gonna act on behalf of the United States and its national security interests, and not the national, security interests of another country I think, he's been, clear on that and I'm glad he's our president that regard. Initially. Interpreted, these, findings how many times he was briefed was he receptive. Or. Did he have any doubts and then secondly. Senator. Lindsey Graham says there was a 30%, chance that the president will have to strike, North Korea and. If they test another nuclear weapon that just to seventy, percent do you dispute, Graham. Sighs yeah, I have. No ability to put a percentage on those, outcomes. I, hate that I hate to do so it. Doesn't seem productive for me to do so, that. Said the president's briefed regularly by, the heads of his intelligence communities and that's how he received this information. Sir.
Sweetie Talked about that percent. Of times when you guys share information, back with companies, rather than exploit. Those vulnerabilities, was, this one of the 10% that you guys had held on to. So. I think there's a there's, a case to be made for the. Tool that was used here being cobbled together from a number of different sources but the vulnerability, that was exploited. The, exploit developed, by the culpable party here is the tool the bad tool but. The underlying vulnerability in, the software that they that. They exploited. Predated. And pre-existed, I. Believe, our administration, taking, power. And. So I don't. Know what they get and where they got it but they certainly had a number of things cobbled together and, a pretty complicated intentional. Tool meant to cause harm that. They didn't entirely create themselves and, part of that allowed us to attribute their. Behavior and their culpability here because we, were able to look at where they got different. Parts and tied them together and how they did so and when they tied them together they use their trade craft and reveal their hand. One. Of the criticisms that came out in late man was. That the, NSA, chose, to afford security holes in operating, systems and, criticized, by, Microsoft's. Brad Smith even Vladimir, Putin. Read. That great this attack provides yet another example. Of why the stockpiling. And vulnerabilities. By government, is such a problem you're. Talking about private, industry, meaning, to stuff in information. Sharing but how much is. The US government, and specifically NSA, to blame for this no not at all and I think that while, the US government needs to better protect its tools and things that leak are very unfortunate, and we need to imply security, measures that prevent that from happening I think. Brad also now appreciates, more and better what, we hold onto and why we hold onto it and in part he appreciates, that more and better because we've made it a transparent, process it's. Something that we addressed and changed under, president, Trump's tenure it's. Something we rolled out and, while. You're quoting people have criticized, this I'll. Tell you back at even the ACLU could complimented. Us for how well that process. You. Taught yourself today Brad Smith is standing with me on this he'll, stand with me on television if you need him to Brad's. A good partner for this country and. Brad has come out in this particular case and joined, us in this attribution, so, I think Microsoft is a strong partner I've absolutely no fear that there's any wedge between us. Give. You short shrift the. Reason I thought I answered it already is in part because mr., singer's question earlier touched, on the Vette process. So, I'll go back what. Brad was talking about at that time during that at the time that quote was made contemporaneous, to that remark. Was his belief that we were not adequately, weighing the different, equities.
In The process, when, we held on to tools that were vulnerabilities. That we discovered, inside the government now. He understands, how that process works, because we've made it transparent we've opened it at the time you made those comments it was not an open and transparent process. As. I said we hold on to about 10% give, or take of the, vulnerabilities, that we find for the purpose of national, security exploitation. Happen. Again you're still doing that and not providing. 100%, we. Don't, we don't use them to attack anyone, indiscriminately. We certainly didn't attack. 150. Countries, and hundreds, of thousands of computers the North Koreans took, a vulnerability, modified. It into a weapon and deployed, it recklessly not, the United States, I'm. Gonna rap that was that can I go the last questions that's. A what, Margaret asked you about crypto currency which we have you here I'm you said it's difficult to track Sarah, had told us a couple weeks ago that you, were monitoring, it what exactly is being monitored, why are you monitoring, it what, is the administration's. Position. On, this seemingly. Booming. Industry. Right here you know yeah we don't have a formal position on blockchain, currencies. And crypto currencies at this point blockchain technologies, operate, in, a way that there's, I guess great hope, and promise they. Also have some. They. Also presents some security, risk and concern for us and so I think, what Sarah meant to tell you is that I track, and monitor this very closely from a security perspective because, among other things I'm not only advising. On cyber policy but also on, counterterrorism. Policy, and so what we want to make sure is. That blockchain. Crypto currencies aren't being used to, support the illicit behaviors in a way that we can't discover but. We have other people in the administration equally. Following it for the promise it provides, economically. And. From a trade perspective, so we, don't have any negative or positive view on it right now but we have to monitor it closely as this new technology, is becoming. Quite. Quite, quite I guess expensive. Lucrative. Regulation. Not. Prepared to say that now thank you. I'll. Tell you what I'll give you a full briefing on Puerto Rico I try, to track it regularly, the administration, is tracking it regularly and as for current trips the Secretary of Homeland Security is there today. Wilson. With the Secretary of Housing and Urban Development housings. A major challenge for us in Puerto Rico the. Governor is doing a great job but, he's got a large problem, here as we move forward with 55%. Of us its, housing population, in informal. Housing our two powers. Making strong recovery we're up over I think 65%, in terms of power restoration which is 65%, of the load capacity, which is a significant. Milestone. We. Were hoping to get to 70 here by, the end of the year so we'll see how that tracks pretty, close to what we set for ourselves a. Target. But, Puerto Rico was on my mind on a regular basis and the president's as well yeah, and he sent Kirsten, and Ben Carson down to, see what's happening thank, you thank you Thanks.