you to help us push out our collective valuable information that's available through your resources and also available through the stop bullying now campaign. pushing that information out to your colleagues and also to your organizations and be thinking of other ways that you think we can share our information even more widely. at the health research of services administration, we are working hard to get the message to and through many health care providers, for example. ..

as i mentioned at the outset the stop olean now campaign is a public health strategy. the campaign identifies the problems that afflict many of our young people and provides resources, information and outreach designed to prevent bullying. its message and the gravity of the problem that it is designed to address has resonated strongly with the public and its representatives. when her side and our partners began working on the stop olean now campaign, nine states have legislation designed to address bullying. today 43 states have laws. mississippi has just passed its own legislation. seen in this light as a public health issue the stop bullying now campaign certainly sets with

the multiple disease prevention and public health messages that have been launched by the obama administration and codifies in the affordable care act. let me close by reflecting back on that very special group of youth who made up the youth expert panel that advice to the team of adults that developed the stop bullying now campaign almost nine years ago. the young people on that panel make sure that the campaign reflected the real-life impact of bullying in middle school and beyond. those panel members, those youths came from several states from big cities, suburbs and small towns. some had bullied. some had been bullied and all had determined that the best way to stop bullying you is to take a stand against it. they shared personal stories of how bullying affected their lives in the lives of their friends and they help us to understand how to discuss bullying in a way that would make sense in their world.

they recommended ways for adults to engage this issue, to engage this issue without making matters worse. those were outstanding young people who helped us years ago and we hope more kids like them in like those in this room today are taking on leadership rosen pulling prevention and we are certainly here to help them. i would encourage all of you come everyone to visit the campaign web site at stop bullying now.hrsa.gov to the latest prevention tips and bullying research. that is a wealth of information and its impact started with a small group of individuals joined across the age demographics to move on an agenda item that was so incredibly important to them and remains very important to all of us here today. we also need to continue going forward to do whatever we can to reach children where they live so the stop rolling now campaign is on facebook and kids and adults can download a ring tone

for their cell phone. or they can follow us on twitter at stop bullying now. we started tweeting in april of 2009 and we currently have 1200 followers including boys and girls club's, pta, teachers, parenting reporters, libraries and community organizations. so with all of that, thanks to all of you and your collaborative effort, because of all of this bullying and strategies to address that are now on the national agenda. at her so we are committed to continue to push back against this public health problem. we look forward to hearing about your ideas generated here in this meeting and ideas generated in the days to come so that together we can do even more to combat bullying for the next generation of young americans. thank you very much for the opportunity to be with you. [applause]

thanks mcginn dr. wakefield. building on the wonderful comments from dr. wakefield and the expansive work they have done to create on line resources for the stop bullying now campaign, i am very pleased to say that out of the work of the federal steering committee on bullying prevention and the interagency working group on youth programs which includes more federal agencies and a broader range of issues, we have been thinking very hard about how to make sure resources across the federal government that address bullying are readily available to you. we are all familiar even within

the federal government is going in stopping other web sites to figure out what they have, so we are looking here to bring resources around bullying that will be of common interest and the youth serving organizations. and we know we have some very helpful input and leaders -- leadership in the stop bullying now campaign at the continuing interest so as we focus on what the federal government already has, we often find we haven't done a particularly good job of doing youth focused resources so i am sure that you will be giving us input as we go on what kinds of additional resources could be beneficial and our focus now is on what we can offer for youth serving organizations. so, we now have available, we have launched with the arrival of this conference, the bullying info pages on bullying prevention and response, which you can see over here to my

left. so we want you to focus on checking this out when you go back to your home organizations and you will see that there are a variety of ways in which you can give us input on what you find there and what you are seeking and we see this, anything as resources needs to stay alive and keep growing and changing, so we look forward to your feedback as we continue to solve these resources. so, this is the new feature page on bullying prevention and response on our new web resources. you will see that we have on the right a set of questions that we have gone through what federal agencies have to offer and what has been raised in the field. we think it captures a number of the critical questions that are of interest across audiences, and through these questions and the answers to these questions you can link into the resources from the stop bullying now

campaign as well as other federal resources now available and wants to come so we are committed to this, to having an integrated strategy to find the key resources across federal government around bullying. so what is the effective strategies to prevent bullying? you can see this as a typical page where we focus on answering these leave questions. for this question we have assembled what is currently known about preventing and responding to bullying. you heard earlier there has been a recent systematic review of the research and evidence on school-based programs. catherine bradshaw talk about these results and you'll find a summary of those here with a report. the research on bullying a still developing as we have been hearing throughout the day. there are some essential school-based programs that have shown modest effect. more is known about how to

prevent and address bullying we will build it into this web site. we also provide feature articles and videos on special topics related to bullying. these resources will be growing as we continue to develop the web site. if you scroll down on the landing page for bullying and so you can get a set of feature articles on bullying including one on cyberbullying, one on a program called you have the power, one on the efforts of the federal partners in bullying who brought you this conference today and one on ways you can get involved to prevent and address bullying in your community. you can also view a video of dr. james garbarino who spoke at a recent conference sponsored by our partners at the department of agriculture. it exports a number of topics that impact bullying in schools and communities. we also provide feature articles on special -- i think i covered that are ready, excuse me and

finally if you scroll down for the landing page you will find a tool to map federally funded programs that address youth violence and victimization in your community. you can use this tool to find potential partners as well as identify gaps in services. all you have to do is enter your zip code to learn more so this provides you with access to federally funded programs which you have been hearing part of the federal efforts to make sure you were accessible as possible about what kinds of federal resources are in communities. here we have looked for programs addressing youth violence and victimization in lincoln, nebraska. as you go into the map you can see that there are a safe drug and free schools program here. you would enter your zip code or city name to find out what is going on in your community. this information can be downloaded into spreadsheets, excel spreadsheets, things that you can print and venues at

meetings and in conversations about what you happen what you might want to develop in your community and you can copy and paste the pictures of the map as well. bullying info as part of find youth info.gov. this is a federal web site that the interagency working group on youth programs has developed and includes the federal partners that have been part of the bullying prevention steering committee and more for 12 federal departments and agencies. you can find additional information on crosscutting topics on youth like positive youth development and the latest federal news on issues. this is a slide of the homepage. as i noted, as you can see on the right-hand side, one of our other activities is more generally gathering strategic input or a plan for youth programs and policies and you can enter input on that site as well as find out about some of the sessions we are convening to get input. you can also give us feedback about the development of the web

site more generally, including what else you would like to see around the bullying resources. we look forward to getting your input on the side. thank you very much. [applause] >> the ftc reports with the growing popularity of wireless devices, demand for wireless spectrum will be over 30 times higher just a few years from now. assistant commerce secretary lawrence strickling talks about his departments plan to free up wireless spectrum and what happens if they fail. "the communicators" tonight on c-span2. >> the a new 112 congress begins in january with 16 new senators. 13 republicans and three democrats. west virginia's joe manchin is one of the new democrats. he takes the seat once held by robert hurd and serve the remainder of his term about two years. ?

>> this year studentcam video documentary competition is in full swing. make a 58 minute video on washington d.c. through my lens. upload your video to c-span before the deadline of january 20 for your chance to win the grand prize of $5000.

for all the rules and how to upload your video go on line to studentcam.org. >> now the interior department's role in the obama administration's energy policy. topics include legislation following midterm elections. tax incentives for businesses, bipartisanship and nuclear coal and renewable energy. hosted by the atlantic, this portion is about 40 minutes.

[inaudible conversations] >> good morning. we are just about to get started. may i ask you to take your seats, please? that was quick silence to the room. my name is elizabeth baker kaffir and i want to welcome all of you to our third annual green intelligence forum. on behalf of the atlantic and our underwriters. applied materials, the boeing company, the dow chemical corp., general motors, the itt corporation, morgan stanley, shell and be not. a program like this takes a lot of work and effort so we are appreciative to those companies for supporting us this year.

it has been my habit at these gatherings to try to tie back what we will be talking about today to the atlantic history which is now 153 years old. in the energy and environment space, we claim to be one of the first green magazines. we had very early writings from the likes of henry david thoreau, walt wittman and john monroe. in 1887 john muir wrote a piece in atlanta called the american forest which was one of the president teddy roosevelt to start the national park service. across the 20th century, our riding went into the direction of scientific and dance energy and alternative energies in the environmental movement with writers such as bill mckibben, amory levin, amy dillard and gregg easterbrook among those who rode for the atlantic. and observing her long history and all those dozens of writings to the magazine into the web site, i'm happy to claim us as the first grading magazine and hope these two days of content

at the green intelligence forum will help to support that as well. we will be covering topics ranging from environmental competitiveness to the future of fresh water, clean transportation to a coherent energy policy, so welcome to day one. in today's program we have an excellent lineup of speakers for you including opening headline remarks from david hayes deputy secretary of the department of interior in a keynote address by bill ritter the governor of colorado a little bit later this morning. we will kick off today by delving into the future of energy and environmental policy in the wake of stalled climate legislation. instead of looking backwards we will looking forward on solutions and opportunities for government and industry to shape the future of clean energy, technology and manufacturing. tomorrow we will start here again at 9:00 a.m. and their program take an in-depth look at water use in the u.s. and the possibilities for changing the way to use water in our everyday life. tomorrow's program will focus on transportation, both urban and

global and how cutting-edge technologies are changing the way we travel. we will have time at the end of each session for q&a so there will be standing mics here and we and we ask you to lineup for those and our moderators will cigna you. we also invite you your comments throughout the program today and tomorrow. has tagged gif 2010. hashtag gif 2010. we would love to hear your comments on today's program. you'll find comments that tier places so please leave it at the registration desk as you ghana ask that you silence cell phones and pdas if you don't mind. it gives me great pleasure to begin today's program with an introduction to a keynote talk and interview with david hayes. before his current role of deputy secretary of the interior, secretary hayes served as global chairman of the environment landed resources department at the firm of latham and -- he is also served as senior fellow at the policy institute and the world wildlife

fund and prior to those postings he was counselor to interior secretary bruce babbitt during the 1997 and 2001 clinton administration. secretary hayes has also been active in the past and the nonprofit sector. he served as vice chairman of the national conservation group and is a board member of resolve and nonprofit that focuses on problem-solving in the energy and environmental field. he is also former chairman of the board of the environmental institute. during the 2007/2008 academic year secretary hayes was a consulting professor for stanford university's woods institute for the environment for his report on regulating carbon offsets was published by the center for american progress. he is also the author of dozens of articles on issues related to energy and the environment. secretary hayes is a graduate of the university of notre dame and stanford law school so thank you very much for secretary hayes for being with us today. [applause]

>> in case you were wondering who the other guy getting on stage as i'm alex met a girl and i'm technology editor at the atlantic, and i actually have a book coming out next year about the history of green technology, so that is bad and we will take it away and we will have the q&a afterwards. >> thank you alexis. i just want to make a few opening remarks and then we are going to have a conversation. the topic of this program for the next couple of days couldn't be more relevant obviously sustainable energy development and some people may wonder, that is fine but what is the national park service have to do with all of this. isn't that what you do at the department of interior? we need a new branding, a

consultant of some kind because we are really more than the department of energy than the department of energy. traditionally, that has been in conventional oil and gas, and we have all been reminded about that with the bp oil spill, and surprise, surprise the department of the interior regulates oil and gas offshore. we also develop oil and gas onshore, and the department of interior manages 20% of the landmass of the united states and with the other major federal landowners ,-com,-com ma we developed the subsurface rights they are, so fully a third of the united states domestic energy supply comes from a third of the man -- landmass which we manage, the oil and gas coal from etc.. and that 50% of the coal mined in the united states comes from the department of the interior land. now the traditional approach has been very traditional. it is all about oil and gas and that certainly was the case with

the prior administration, where the unrelenting efforts was in opening up more areas for oil and gas drilling. an approach that the broad new balance to which i would love to talk about a little bit later. but, most importantly when secretary ken salazar and president obama came into office, we wanted to change the inflection point at the department of interior and expand it from yes, some continued oil and gas development board for the first time really meaningful renewable energy development on the public land, and literally in the last few weeks you are seeing that coming to fruition. it started right in the beginning with the first secretarial order by ken salazar saying we are going to put an emphasis on renewable energy and climate change in this department. we are going to create a swat team and see if we can for the first time develop our amazing resource base for solar, geothermal and wind and make

renewable energy a reality. with the help of the recovery act and driven largely by state renewable energy standards, we are moving out and by the end of this year, we will have permitted 4000 megawatts of new solar power in the southwest. just yesterday secretary salazar announced the world's largest solar facility in california that will produce a thousand megawatts of concentrated solar power. that 4000 megawatts that has been permitted that will be permitted a year and represents the equivalent of five nuclear power plants, eight to 12 coal-fired power plants, all renewable resources on our public lands. in the wind sector, we prove approved the wind project off of nantucket. apologies to all of you who had summer places and kate todd, but

it is an amazing project that will produce at peak 450 megawatts of power. we are looking at developing the atlantic wind resource more generally and we are doing it in a balanced way. we have a responsibility in our department for fish and wildlife resources for conservation resources writ large and we are working very closely with the conservation community to make sure we do this right. and the final point because i want to get to the q&a, in that regard for example, for future solar projects we have working with the western governors in the state of california which has been a real groundbreaker in this area, we have identified 24 areas in the west that look like they are well-suited for solar development and rather than just go willy-nilly and accept applications on our 30 million acres of solar

resource public lands, we are doing an environmental analysis that focuses on those 24 areas that 770,000 acres and that is where we want to do future development, because we think it makes sense. we are going to do a thorough environmental analysis for those areas. we are going to help investors target areas that make sense because of access to transmission line. because of relatively less environmental sensitivities etc. and we are thinking of taking and will be taking the same approach on the atlantic by dent of fine certain areas of states and investors that are interested in and focusing our environmental reviews on those areas, getting investor interest up and then moving out and developing those projects. is an exciting time for the department of the interior and a lot more fun to work on these projects in the bp oil and i will attest to that tersely. thank you. >> thank you secretary hayes and

thank you for joining us this morning. i want to make my pitch for the department of the interior has an interesting part of our energy policy apparatus. if you think about it, being a company it would be as great as takeover target i think because it controls so much land within the united states that is increasing in value largely because of the renewable resources that are there. the mojave desert is a great example of this. the solar sites that you have identified are actually posted on the interior web site and they have these incredible panorama where to go on line, you can click in on this large map of the mojave desert and spin around 360 degrees and check out how big the mojave actually is and i think if you are from the bay area for that and the planet corridor it is hard to understand the scale of those spaces and how much out in the west interior really does.

the other thing i really like about interior, unlike the department of agriculture the interior is this crosscutting kind of agency and as such they have to balance various competing interests, water, rick ration, energy production and i think particularly right now we are in the midst of possibly major political change in congress, major stresses to our biophysical systems, and the sword of needing to develop new technologies and energy. it requires balancing in a way that interior has been for years. so with those things in mind, i guess i want to talk a little bit more about the specific solar technology we are talking about deploying in the mojave because it is different than what you see on your houses or at least on the houses in california and germany. so, can we just talk a little bit about what one of these

power plants looks like? well, there are several types. as you know, alexis, one or two of the projects that we are permitting this bowler the traditional photovoltaic array, albeit at a very large scale, but most of them are concentrated solar plants and they either use the parabolic trough technology, where the mirrors concentrate the sun into a point that essentially is a mineral oil fed heats and then steam generates electricity through turbines. there also is the sun catcher technology, which are these large 38-foot diameter dishes basically the concentrate power individually into a unit and then tracks the sun as the parabolic mirrors do as well. and finally the power tower,

which are the mirrors the concentrate to a tower and bring the sunlight into the tower to keep this dim -- steam generating unit. the reason i wanted to make sure people knew this is that, when you have steam, you need water. and, when you are out in them a hobby there are not a lot of water, so we kind of get to our first balance issue which is, when you are permitting one of these plants how do you ensure that when you put in a thousand megawatts of solar in the mojave there is enough water to actually run the plant without impacting the surrounding community for ecosystem? >> well it is a very appropriate question and i attach myself to your remarks about the interior department how great we are. that is how i translate your comment anyway. but, your point is right, that we are a conservation agency and we have in our midst the u.s.

fish and wildlife service for example which has responsibility for endangered species. we have the national park service with you shed's etc.. we are used to these complex and are working through them. all of the projects that we are proving this fall use dried cool technology because of the water issue. it is a serious issue, and we have come up with very unique ways to make sure that these projects use the minimum amount of water and the water that they access is a renewable resource. the water needs actually, most limited to cleaning the mirror literally, although with the large footprint projects we are talking about three to 6000 acres of mirrors. that is a lot of mirrors. what are we doing? one of the projects in nevada is

taking the path led from a small town nearby, treating it and re-injecting it to essentially compensate for the groundwater that it pulls up. the imperial valley project is building an extension to from the town's water treatment plants, and so it will use treated effluent as its water supply. these are the kinds of approaches we have taken dairy creative approaches and the amount of water used in these projects as a result both in terms of size and impact, is very modest. the blithe project which would be the world's largest solar project i am told uses the water equivalent of 220 acres of alfalfa. alfalfa drinks a lot of water, but still, that is obviously from a percentage basis in a relative basis a very modest.

>> another balance issue, there is one particular plant that was one of the first that secretary salazar approved by a company called right source and a big hangup there was that there were 25 desert tortoises wandering around these thousands of acres and literally they did a survey. there are 25 of these kind of remarkable animals. how do we balance development of solar resources versus like a relatively small number of an endangered species? how do you follow the letter of the above while still accelerating clean technology? >> well, it is interesting we were having a conversation beforehand. there is a false sense that a lot of folks have that they desert is a desert when it comes to biodiversity and in

resources. it is not, and desert tortoises may be the subject of ridicule by some but they should not be. they are a magnificent animal and we worry about everyone of them because they are an endangered species. how do you deal with them? you deal with them by trying to ensure that after this project is done, the desert tortoise is going to be better off as a species. that can involve things like investing in a good habitat that will be protected. i think it is the blithe project that involves a very substantial investment in management habitat for the species. typically, where there is a disturbance for the desert tortoise we relocate them. we require the applicant to frankly spend an enormous amount of money to make sure it is done well and right and track part the science effort.

and we have had a lot of experience with this. i recall in the late '90s at ford irwin was looking to expand in the desert and the army had to have a very sophisticated effort to relocate the desert tortoises, and it was a little jarring to see the generals etc. tracking the desert tortoise. but appropriately so. >> i think against this backdrop of stalled policy and kind of the large climate picture, i want to talk a little bit about the policy around the solar areas that you have developed, and i think it is a legitimately good idea to be able to backtrack certain departments but how did you develop it and is it something, lesson we can learn from that, solar energy

development project that we can apply other places like the offshore wind? >> a good question, alexis. i think the answer is yes. we have sort of a duality here of approaches. when we came into office, the bush administration had not approved a single solar project on our public lands. they had opened up the opportunity for applications to be filed, and there were literally 200 plus applications randomly put on public lands asking for leases to develop solar projects. that is not a smart way of being what we call smart from the start of the sighting areas, citing these large facilities in areas that make the most sense because they may be near transmission and they may be environmentally degraded in the

property may be near a water source that we have a duality here. on the one hand we wanted to move forward and we needed to move forward in the recovery act provided material financial incentives to move forward, so we identified 20 to 30 of the projects were the furthest along, working with the state authorities, california in particular, that looked like they have had the best combination of citing resources to go forward. and we fast-tracked of those. weiss put special emphasis on those, working with the state governments, working with the conservation community and that is what you are seeing the results appear this fall in anticipation of the december deadline for recovery act funding. we are finalizing environmental impact statements and improving -- approving permits but that is not an ideal way to do it. a better way to do it is what i described before, which we have underway in a parallel effort,

take a broader look at that landscape, identify working with the governors, working with conservation groups. the areas that look the most promising, do a deep dive on environmental review, provide a pathway for investors to look to develop these areas, protect those areas for development, and move forward and that is what we are looking to do in the atlantic wind as well, the same approach. >> what happens, you mentioned mentioned -- what happens? do any of these projects get built? >> well, we will find out. we will find out. i think the answer is yes, and it is primarily because of the renewable energy standards that the states have. california of course just raised there are 233% of their electricity has to come from renewable power by 2020. nevada is i think 25% by 2025. on the east coast, new jersey, new york and massachusetts all

have strong renewable energy standards. they are clearly driving this market. certainly, in the solar projects in the west and in the great interest in atlantic wind in the east, it is the state driven pull a few renewable energy that is a huge driver, and it is worthy of noting here as we consider what to do on the federal level. spivak to the federal level, back in 2009, he wrote an article environmental law reporter where you argue that the obama administration's climate energy policy would have to be measured as something more than just getting a cap-and-trade bill passed. that seems like a good prediction. and you are good for deploying the federal government's full arsenal of tools i think is what you said. another year backing government, what do you see as maybe this two or three most effective tools for the obama administration?

>> well, the first is i think what we are talking about, which is incredibly important, which is showing on the ground success in terms of developing utility scale renewable energy projects. essentially, making the talk a reality. and we are very proud of what we are doing at the department of the interior in that regard. it is solar and wind oriented and also transmission oriented. we have had a big push to develop transmission where needed. we have a huge amount of stranded renewable energy that we are unlocking with transmission and it requires an interminable amount of number of interagency meetings as we get all the players around the table, but the administration is one mind on this and it is concentrated on results. that is one important thing. i will say one other thing in terms of our own backyard at the

department of the interior when it comes to climate change. it is obviously disappointing that we have not moved more fulsomely towards a comprehensive climate change legislation. but, we are the primary stewards of our national resources. the department of the interior has the world's largest water wholesaler and that bureau reclamation. we are the primary wildlife agency. we have more habitat than anyone else, so we worry about fire risks. climate changes impacting all of these resources in a discernible way and we have the responsibility to manage these resources. the water resources of the southwest and the colorado river which serves drinking water to 30 million americans. we are proud of the fact that we are confronting that issue head on.

we are getting data about what is required. we are developing adaptation plans and i think you will see a conversation occurring in communities around the united states about the impact that climate change is happening and how we have to adjust to it. and hunters and anglers, you see it already, water companies see it already. that is going to head to the debate in add to a recognition that oh i see, we really do need to tackle this problem. >> you served under secretary babbitt in the interior before. what are the differences between the agency or inside the agency under the two leaders? >> well, it is a different time. secretary babbitt had a fabulous run as secretary and like him, ken salazar was very well-suited

for the job, having been governor of arizona. secretary salazar is a former senator from colorado. just for the record, i am not from a west. i am from upstate new york, and i am proud of it actually. so the interior department is not just the west, and i've been talking to ken about that. he gets it, particularly with atlantic wind on our doorstep. it is a different time. the fact that renewable energy has become such an imperative is a very different thing. climate change in the late '90s was really just sort of on the upswing in terms of appreciation of it, and ken salazar came in after his senate experience committed to the clean energy economy and dealing with climate change. so that makes it very exciting. it is also very exciting to be part of this administration and this president who is very

committed to these issues. >> you have a lot of good things going on with the interior and we have the bp oil spill or the blowout. lots of attention has been focused on the management of our oil and gas resources and secretary salazar disbanded the materials -- do you think enough has been done to reform the management of offshore oil and gas? >> no. we are in a constant reform cycle, big time. and i have been personally very involved in this. i was the first administration official down in the gulf the morning after the accident. from april 20 until september 17, every day we were focused on this issue, and we continue to be focused on the need for reform. we are in the midst of reorganizing the bureau of ocean

energy regulation and enforcement formerly the minerals management service. we have split off the organization and moved it to essentially the budget part of interior, and the leasing an environmental review function is now will be split into by the end of the year. we are working with mckinsey consultants to help us figure out how to do this right. and we just listed the moratorium on deepwater drilling because of the progress we have made in putting new safety rules in place with a new final rule that came out on september 30. and we are going to have more rules coming out if i am confident that we are and a much better place today than we were before april 20. there was a shared lack of appreciation for the risks that could have happened. that lack of appreciation had evaporated. we are totally aware of the great risk now, and we are sort of righting the ship and make

sure that going forward, oil and gas drilling in particular, deepwater drilling will be safe but it is going to be an ongoing effort. there is no finish line here. >> kind of a structural issue too, right? people go in and out of the oil and gas industry back into the interior. it happens all of the government but in this particular case you have had pretty negative consequences. how do we stop that from happening? >> well,. >> safeguard might be a better word. >> i would say the bigger problem frankly has, was the fact that industry expertise outpaced government expertise. it is a related problem, but it is a serious issue when you get into very very high-tech, very high risk and high capital intensive activities like the nuclear industry are like deepwater drilling. we need to learn from the nuclear industry. i think we need to create

potentially an institute that will provide a place for its government to pull its resources with industry and ngo's and provide a training ground, so that the government is right there and able to be good cop on the beat that is clearly necessary. >> let me throw it out to you guys for a question or two before we wrap up appear, if anyone is -- there are mike's right now if anyone has a burning question. you can just talk really love. i will repeat your question. [inaudible] anyway, you were talking about resources and i can understand you have a lot of views but the question i had is these are

really public resources and while you are developing the policy right now before everyone gets an i have a frightening sense that it will be controlled by a few large companies. i mean i can understand it is big investments and you want to have companies and corporations that are reliable, but if other public resource areas, there have always been, or we have tried to have public entities, way for the public to share in the revenues and so forth. and i haven't heard anything in your discussion about how the public, who really owns these resources, and secondly what you are antitrust policy is with regard to developing these. and the final one is, what happens when these projects in their economic life?

sorry, frances frances. we are a law firm in town and we deal with resources and we do with public resources and i guess what i'm concerned is how will ordinary people who will end up paying for these resources and a cleanup of these resources, how will they be protected under your plan? >> those are really excellent questions, and these are absolutely public resources, so they have to be managed for the benefit of the public. they are managed under federal laws that mandate that we do this in a balanced way. you asked several questions. let me take a few of them quickly. one is, what are the financial benefits the american taxpayer who owns these properties? and, there are financial benefits and we are insisting on getting fair returns for private

use of these public resources. we have a bit of a kaleidoscope of approaches for dealing with this, and we are looking to better rationalize this. but, for example on our dlm landsglancelands, lefties essentially get a right-of-way to put the solar projects and, and we get a rant from them. we don't get a percentage of the power revenue like private landowners do and we actually think it make sense to change the laws so that u.s. the taxpayer can get the same financial return as a private landowner could. but there are substantial revenues that come from this. and that the department of interior after the internal revenue service, so largest revenue producer in the federal government, primarily because of oil and gas offshore. in terms of the antitrust laws etc., it is open field, and we

have not seen certainly in the renewable area and actually in the offshore area as well, an issue of only a few come for knees and no for independents etc.. in terms of your final question, we require permittee is to demonstrate the financial ability at the end of the lease to return the land to the way it was. so we are not going to have another century of the legacy of mining that occurred in the 19th century and those abandoned mines. we require a demonstration that the company will have the wherewithal to redress the impact on the land at the end of their tenure. >> you spoke about, large-scale utility power generation, i wonder if you could talk a little bit about the other end of the spectrum, the trade-off between the large central plan and transmission lines versus the individual homeowner community, distributed power

generation? >> well i see now and i'm sure it will be a subject of discussion here over the next couple of days, distributed power has enormous importance in the pantheon of renewable energy and we are all for it. and in fact, our personal department investments in renewable energy fall in those lines. we can go to a national park in alaska or a remote blm land without finding solar panels, wind turbines etc., many of which, many of these folks are off the grid so we have personal experience with how important and useful distributive power can be. we are we are all for it and please -- please do not interpret our position on the utility scale power is suggesting that is the only answer, far be it but it is certainly part of the puzzle. >> thank you.

i just wanted to know if you could address the idea that, i mean given that developing renewable energy was such a priority for the obama administration coming in, why it is just now and within the past month that we are getting the first project on federal lands? >> sure. it is very simple. the bush administration was nowhere on this program. it takes -- this is a major federal action to approve the lease for utility scale power. you have to do a full environmental impact statement of the national environmental policy act. that takes at least 18 months. there is your answer. here we are, 18 months later. and we pushed very hard to get these environmental impact statements reviewed, to work with stakeholders, to get a record of decision. these projects which involve anywhere from 6000 acres are

incredibly complex, major projects. the paper trail -- we are killing a lot of trees in doing this, and we are very proud of how quick we we have done it but how will we have done it to matt. the reality is though that it is a major league thing. >> interfacing with the state agencies. i spoke the other day with james in his tiny plane over west virginia and we looked at a lot of the removal coal-mining in that area and the scale of it is just amazing if you are up there. just 360 degrees in every direction there are these completely crushed lance. i mean that is kind of the scale of the challenge, right? what do you see as the future role of kohl, sort of an antihero and energy discussion? and how do we minimize the environmental impacts of that

type of coal-mining? >> well, i think we are all hoping the carbon sequestration, geological carbon sequestration will provide a route to truly clean coal and the 2005 energy act, our scientists at the united states geological survey were asked to work with d.o.e. to help develop the metrics that will be used in demonstration projects for geological carbon sequestration. and this is another area where the public lands can provide a laboratory to test big-time storage of carbon's that are removed from coal, the big liability issues and we have the potential to provide a real service they are. i think we move in that direction, we recognize though that coal is here to stay and we deal with it as best we can.

i think the best thing we can do right now is to provide an alternative and until recently, with a big-time solar and wind, we haven't had much of an alternative even to talk about it. so, the debate will continue. >> thank you. [applause] >> thank you. >> congresses out this week forced thanksgiving holiday break. when members return the house votes on censoring ways and maybe -- ÷???ñ?

>> at panel of cybersecurity experts now discuss cyberthreats facing the u.s.. the heritage foundation in washington host this event. it is about two hours. >> good morning and welcome today for of homeland security 2020, the future of defending the homeland. i am a policy analyst for homeland security here at the heritage foundation. today we have mr. paul rosen -- he is a visiting fellow at the heritage foundation in the center for legal and judicial studies as well as with homeland security. he is the founder of line consultant -- consulting and mr. rosen's wake served as

secretary for policy and the department of homeland security and he served twice as acting assistant secretary for international affairs. please join me in welcoming paul rosenzweig. >> thank you very much of the heritage foundation for hosting these two panels today. our topic today is cybersecurity cyberis hot. it it is the only time i've been able to work in a hot field and that makes me cool. i have always kind of wondered, but cyberis hot. we have got her on presidential cyberspace presidential review, run czar and if you read the news reports in the last couple of days, you have seen that even as august a number of people as the deputy secretary of defense are publishing articles in

renowned journals like foreign affairs, detailing america's new cybersecurity. why is that? well, cyberis hot because the threats are real, and the benefits from using it are real. as to the threats, we now know for sure, because it has been declassified that some foreign state actor in treated into the computers of our central commant extruded a whole bunch of data from those files. we have seen research and other nations states about how to use the internet to cause cascading failures. ..

>> how we should realize all the games that we can from the enhanced information, sharing abilities that come with the cyber domain while avoiding the worst problems. we will have two panels talking about ideas that should be on the able for discussion.

i don't think we get answers, but we'll talk about them. the first panel is on the civilian side on the beer actions -- interactions between private citizens and the governmental authorities. the second panel looks more at the official side and the nature of governmental responses, particularly military responses and law enforcement responses. that's the outline of where we go today. let me introduce the other two members of the first panel. immediately to the left speaking first is dr. jeffrey kohn. he works for a company helping lawyers in technology cases. he is a ph.d. science and his area of focuses include program design and java programming.

he's worked for ibm and basically everybody who is anybody in the computer field. i first met him when he participated with me at the national academy of sciences study panel on american policy towards cyberdeterrence, and i'm glad he can join us today. to his left is jay stanley, the technology director of the american civil liberties union. i note with happiness that a member of the aclu walked into the building and the walls have not fallen down. [laughter] which is remarkable. we had to reconstruct it after the last visit. jay writes and edits a large number of aclu reports on technology and privacy issues, and if you've read anything by the aclu you have seen his work whether credited or not.

he was the cochair in 2009 of the biggest computer freedom annual conference here in washington. he worked for a technology research firm. he's a graduate of williams college and holds a master degree as well from the university of virginia. our plan will be for each of the presenters to give us 12-15 minutes of skews -- discussion followed by a question and answers. with that, the floor is yours, jeff. >> thank you. i'm glad i got to participate. paul, introduced me, so i don't have to say much. it is an outgrowth of the work i did for that national academy study on cyberdeturn, and i think there's a publication forthcoming from that with excellent work in it.

just -- i don't know how technical the audience is, and i was warned that everybody might not be technical. we know the interpret is a series of tubes. for the people at home, there's a series of tubes. now, the thing -- actually i should say a little bit in the introduction that most of the pictures from my slides are from the library of congress' photo collection. you can see the notch code that tells the developer what kind of film it is. i'm told it's a chrome b from the early 40s or something. this is a picture from world war ii. i think the series of tubes specifically, you know, everyone uses metaphors to talk about the internet. it's inevitable. you have to use metaphors because the only thing like the internet is the intercht. the internet is no less a series

of tubes than it is cyberspace or matrix or anything educational. they let us reason about things, but they are also misleading. we shouldn't use a metaphor trapping us in a certain way of thinking, and i see a lot of that in the policies. it's cyberspace therefore it's like space or it's like some physical space we can dominate. that's dangerous thinking. i'll warn people off certain metaphors with certain kinds of things. the internet, really, is a series of wires, and what's interesting to remember about that is it's all physical objects, and those objects are all owned by somebody within the control of foundation state. every inch of the internet, every component of it is a physical object somewhere that someone has control over, at

least notional control over. the idea that it's a new domain independent from nation states is really false because some country has control over every router or cable. there's nothing in the internet that's not part of a nation state, and that has huge implications to be able to control and regular late it. if i had to use a metaphor to talk about conflict within the interpret, it's more like urban warfare than space or naval combat. every block is owned by somebody and there's countless civilians issue -- and there's no way you can know the state of it minute by minute. you have no idea where shootings are coming from. it's a different military conflict than for example, fighter up at 40,000 feet where

you can see around the curve of the earth. this is another test for how geeky the audience is. this is a cartoon by randall monroe. for the people at home, if there's children, and when she traced the killer's ip address, it was in the 192.168/16 block. i'm guessing you can figure out what the joke is supposed to be. the 192 refers to the loop back from the local machine, a reference of course to the classical movie silent night deadly night. the point to this is that many of the threats we're seeing -- it's in an article yesterday where they identified a new russian hacker who, you know, is

flying from france or something. it's very attractive to talk about the bad actors overseas, and they are certainly there. there's no question there's russian hackers extracting huge amounts of value from the united states, but everything that happens to u.s. people comes through u.s. facilities, through an isp based in the u.s., probably went through a domain registrar or an u.s. authority or allied countries and went across wires owned by companies. you know, on the computer, that's probably running microsoft. the problems that are going on are in many ways deeply rooted in the u.s. infrastructure and decisions made by u.s. companies, by regulatory authorities at every level of government. this is not to say this is not a threat. this is a great photo from

1904-1910. they don't have an exact date. i think it's amazing they had cameras that small in 1905. there is espionage, and i don't mean to say that that's not a threat, that that's not real, but i want to focus a little bit more on different kinds of threat. this is one threat which is espionage. before i leave that, understanding cyberconflict within the view of espionage and intelligence is one that makes a lot of sense, and i think we can see what's going on in government right now is this idea of is cyberspace like intelligence work or a john lacrae novel or a tom clancy book. it's going to predetermine our judgments in what we make and what's appropriate and how we should think about it. these are two cute puppies with

little valentine day hearts. that day is coming soon. don't forget to get a nice present for your sweet heart and make sure you grab the valentine day and get started. probably everyone in this room got this e-mail hopefully filtered out by your filter, but maybe you saw it in your inbox, and hopefully nobody down lowed that because if you did, it was a virus worm generated over 1.5 billion spam messages a day. 1.5 billion messages a day. those are not computers owned by hackers in russia. they are people at the pentagon, people at home, people's computers sending out spam which accidently the money went back

to russia if they managed to grab your credit card or something. that was a real threat, and that was a threat that honestly is not that hard to detect. finding an infection on the computer is not hard. they know what ip addresses are sending out the scanning pacts. it is not difficult or technologically challenging to know that your network has been compromised. the problem is the isp's don't want to know with the information. they don't want to be accused by spying on their customer or get hurt by laws that regular lay what you can look at. i think in a lot of ways, the isp is begging for guidance on what to do to solve the problem. i think paul mentioned this already, a picture of the s35, the joint advanced strike technology fighter, america's most advance the fighter.

this is close to my heart. this was my first job coming out college was this program back in the the very down of it, so it was the files for this that were down loaded according to open sources, i should say, i've seen estimates of tear bites of data downloaded by someone in china. probably someone in china has data about this. the first big lesson i want to say, and then, you know, hopefully the walls won't collapse when i say this. it is a classic market failure. you can put it in the economic textbooks. it is extraalty that people who make things like operating systems and computers don't get the direct cost of the security failures, and in fact ring they

make money because they sell insufficient secured operating systems and such, and the knowledge on dealing with it is distributed, and the fact is the market deals with cybersecurity terribly. the market is not an appropriate mechanism. there may be some parts, but relying on the market has failed and will continue to fail. the news is not necessarily all bad. this is a law professor at harvard. he clerks for both richard posner and judge scalia. he has a matter on law, norms, the market, and code, so all of those things can constrain action, and you can use those as leverage. if we are going to solve this problem, we're going to have use all four of those things. there's some market things where

hopefully the market can reward cybersecurity, but also need new laws, you know, also going to need new normses of behavior, and that's what's going on with isp's right now developing what is called best practices. no one is required to do that, but it's as publicly issued standards of best practices, what do you do if you know that a customer has been infected with a vie virus. so, this says, i am told, access denied. this is a screen shot from green dam, the chinese government's software that they mandated would be installed on all personal computers in china. you know, what do you do? the question is what do you do to solve it? this is one approach as you say. here's a piece of software that everyone has to install making sure everybody is safe. the problem it itself was

insecure and thankfully they didn't use it, but that's one option is that you can impose a regulation on users. the ultimate problem is the end users. can you control their behavior? this is another lovely photograph. this is one of my favorites from the library of congress collection. the point here is that a little plea for details matter. it's all well and good to have a 12 minute discussion on cybersecurity. the details matter. you can't really have an informed discussion without understanding a lot of what's going on which means you need to know what it is about the border of gateway protocol that's insecure. the chinese telecom use that intention thally or not to shut

down the third of the internet by accident because they issued routing tables that routed most of the internet through them. they were not able to do that and anyone who accepted that routing table cut off their usage of the internet. that may have been a mistake, but the fact is everyone knows you can do it and that most people accept that table. you have to understand that bug, and that's one slice of the security problem. you have to really understand why this happens. it's a little plea, and i don't think the people in the add yen, but in general, i don't think scientists engaged in cybersecurity enough. there's not enough academic research i think of it being strategic defense that credited the field of software engineering and did analysis in the mid 80s of how do you solve software problems and we need something like that for cybersecurity. we can do more police

regulation, computer fraud and abuse act, the tsma, a lot of instruments that exist now to regulate computer activities around the idea of copy right, and we don't have stuff that good for regulating security problem. you can't send a take down notice hosting malware or avatar. we need better security vac nations, antivirus software, and more protection of the end points. the idea is not by cleaning up the united states solves the problem, but creates a perimeter, an early line of the standoff day, and i think that's the best case pushing off the perimeter to actually see what's coming in rather than coming from ideas the house. thank you. >> thanks. perfectly timed, excellent, thank you very much. >> i hope i wasn't talking too fast. >> no, no, no, not at all.

>> jake? >> our primary concerns are around free speech and privacy issues when it comes to cybersecurity of course, and the internet, of course, is the primary place for americans to exercise their right to free speech. it's a media, research library, a soap box, it's a debating forum, it's the closest we've had to a true free market of ideas, and a lot of this success in this vie bran sigh and this bloc ming in the internet is because of the open architecture. everybody can contribute. the architecture is neutral, but that same open architecture makes it vulnerable to security problems, and the internet is a refletion of the human psyche with the creativity and then the dark side. the question is how do we

address the security problems that we are experiencing on the internet without killing the goose that has laid many golden eggs and made our country more wealth and powerful than it otherwise would be? cybersecurity is a vast and complicated area with a lot of very technical areas, and a lot of the areas in discussion about the cube security, you know, don't really have any implications for our rights, but some do, and there are many legitimate roles for the government in cybersecurity, regulations, governing, security standards for power plants and other infrastructures, public education, research, perhaps encouraging a greater academic in that area as geoff mentioned, procurement standards to try to address the market failures that geoff talked about, a greater

openness of threat information because net is the decentralized medium, and largely the managing problem of the government getting its own act together and its own security practices up to snuff to the basic level of corporate america, but there are are some areas and proposals that do cause or raise a lot of questions about our liberties and raise questions about whether we might be flirting with killing the goose that laid the golden eggs. there's the einstein program, the driver's license for the interpret, and emergency authority over the internet. einstein three we don't know a lot about, but the einstein program is an effort to protect government computer networks in a centralized way more or less.

einstein two which is currently under employment uses tax signatures to detect malicious code intrg on exiting government networks. einstein three adds to that and is conducting realtime pact inspection to try to make quote on quote "threat-based decision making based on signatures and scenarios" which might include personal information on traffic to and from government networks. it would be unlike einstein two and placed on the servers of telecom companies, of private internet providers so in talking about the balance between the government side and the private sector, this crosses a line over into the private sector which raises a lot of issues, and for the aclu talking about the nsa and at&t getting together to

scan network traffic raises a lot of red flags given the history in the last ten years of warrant list wiretapping and anyone caring about the rule of law should care that the law was broken by those two organizations, so that's the concern. the concern that the government will be placing its own filters into the private sector crosses a line. in the short term, one of the concerns is whether it will sweep up private traffic, president obama and his cybersecurity speeches said we will not monitor the civilian networks and private traffic. i have no doubt that he meant that, but security dynamics and imperatives have a life of their own, and security institutions are bigger than individuals with their own bureaucratic imperatives, and so we don't

trust that that will remain true. that idea of threat cig signatures and scenarios is being used in a proactive way raising questions about, you know, how that's implemented and whether we're going to see sweeping algorithms that catch far too broad a variety of threats. what we don't want is watch lists for the internet. we have seen watch lists in the airline context which have been too broad and swept up too many innocent people and let true suspects threw and based on sloppy lists and people are unable to remove themselves. we don't want a computer internet version of that, and the question is what does einstein three exactly look like and what it means if extend the to the private sector?

moving from einstein three to the broader vision, there's talk about how does the government's, you know, cybersecurity efforts, how do they interagent with the private sector where the internet takes place? there's broader talk that raises concerns among americans about the government's role of the internet. keith alexander said we need realtime awareness in our networks. mike mcconnell director of intelligence says we need an early warning system to monitor cyberspace. they could be referring to perfectly rational basic good security practices or referring to grandiose visions for imposing a government role on the internet of the likes which we have not seen. it raises questions. what is the role for a centralized top-down command and control approach to cybersecurity when the internet itself is a distributed thing?

internet problems are distributed and software is distributed among millions and millions of computers, and in what ways does it make sense to have centralized command and control response, and in what ways is it a distributing problem where openness and distributing information about how to combat threats is the best way? in particular, what should the role of the nsa be? the aclu is the nsa should not get near cybersecurity. it's a military organization, publicly unaccountable, has a record of illegal interference in private communications, and conflicting missions of spying and missions of defending networks, and we cannot have confidence that if, for example, discovers a as a rule necialt it spreads the word to millions of people to fix that vulnerability

when it's temped to keep it secret to exploit it for its spying mission. so, i mean, the defenders of the nsa say they bring two things to the table. they have a tremendous center of expertise in cybersecurity in the u.s. government. i say if that's the case, then that expertise needs to be spun off into another institution that is not part of the military or conflicting roles or have a tremendous history and institutional culture of reflexive secrecy, and number two, defenders say, well, the nsa has access to a lot of secret threat signatures. well, that may be true, we don't know because of the nsa secrecy to the extent to which that's true to judge the benefits of that, but if you take all the threat signatures and knowledge about different cybersecurity threats, there's a subset of those cricketed by the nsa and

some subset of the nsa ones which they must keep secret other than the ones they could share without harm, and the question is that subset of the subset, just how big of an advantage do we get from this secret intelligence about cyberthreats, and that must be kept secret. if the nsa is protecting us all based on secret information because if it must keep the information secret and protect everybody using the informing, then it must be done centrally because it can't be decentralized because then they would be giving away their secrecy, so we're skeptical about the size of the benefit of the contribution and all the secrecy that is involved. secrecy is out of control in the u.s. government as everybody from left to right and every commission has studied and

acknowledged, but it's inappropriate in the cybersecurity area in many ways because the internet is decentralized, and because the, you know, the best way to combat security problems is to get information out, push information out. we have this vulnerability, here's how to fix it and much of the problems result from people not doing simple patching and so forth, so the idea of the government and the military spreading its ten rules into the private network is one of the many concerns that we have, and it seems as though there is a push to do that. there has been talk of doing it. ..

as a practical matter takes place. and you can't do that on to the constitution. the other proposals are so crude, but they basically would lead to the end of the possibility of anonymous action online. what cybersecurity authors called attribution retribution

of ability, which means being able to figure out who did what on the internet. anonymous speech is one of her oldest american traditions. a lot of the founding fathers and people of the american revolution wrote another pamphlets and federalist papers. we now know why john jay and james madison and hamilton. a lot of these proposals would raise grave concerns. and we have to ask what the trade-off is. mike o'connell said we need to reengineer the internet to make attribution, geolocation and telogen's analysis more manageable. that raises red flags for people who care about the internet as a vibrant forum for free speech. people go on the internet to go and get advice for very personal problems. people speak more freely to power when they can speak anonymously. and we do not want to ruin all that because the intelligence agencies can't figure out how to stop foreign spies to getting

their deep secret. the white house has issued a trusted strategy for national -- i'm running out of time so we will talk about that, but we can talk and q&a if people are interested. the third thing i want to talk about is the idea of emergency of government authority over the network, which is an idea contained in current legislation being proposed to congress. and when the government shuts down internet, it's interfering with people's speech in people's right in association. and we haven't seen convincing scenarios under which this would be necessary -- yet their are many scenarios in which over time this kind of a power, sweeping power could conceivably be abused. at the very least -- i mean, theoretically there could be, you know, for extreme emergence needs that could be conceivable that we would want this kind of power to take place.

but at the very least, we need to have very well-defined parameters and checks and balances over any kind of a power like that. and so, you know, that is something our lobbyist is working with members of congress and so forth. so let me just finish with two quick points. number one, there is a -- there's a real problem in discussions of cybersecurity and the conflation of terms. there's a lot of different problems which are separate problems that are all cybersecurity. this criminal and malicious activity, fraud, phishing, i.d. theft and so forth. there is spy versus spy, espionage. espionage is always taken place offline and not taking place online. there's our tax and critical infrastructure, you know, the scenario of failure of the electric grid. and then there's more fighting, foreign attacks to create our military and dvd. and these are separate problems

that i've separate aleutians. and should not be lumped together. because someone happens is is you get the existential threat to our nation of a collapse of society that is your race, coming from attacks and wiping out all of our critical infrastructure which is according to many authors a highly dubious scenario, but one that is talked about a lot. and you get that in the urgency of that conflated with all kinds of everyday very real threats that do take place. and that leads to justifying cybersecurity knocking the secrecy and gives added weight to sort of justifying radical interventions and reengineering the internet, which really would kill the goose with the goldeneye. and cybersecurity has been -- has been a trend if none of hype and we can talk about that. a lot of scenarios such as the f-14 fighter -- a lot of that

was publicly available information i understand. nothing secret was taken. and yet these means sort of circular rounds are on different threads. so just to wrap up, let me just stop there. >> great, thanks. >> i gave him a cut nine. love having him. the virtue in being the monitor of your own panels is to get to talk last annika to decide which you talk about while the other two are talking. i will however be shorter than they -- mostly because i want to be sure we have a good 15 minutes for discussions in the panel. i will make one overarching point, my overarching point is it's a problem, right? i mean, i know that sounds trivial, but listen to what you just heard. you heard jeff described why and how we have a market failure in cybersecurity today. and the normal answer to market

failures is some kind of federal regulation or liability regime or canalization of the problem. typically those are things like the environment, right? the market does the empowerment failure. everybody's problem, but nobody is concerned, right? so we federalize the response i have been a large set of federal regulations. very intrusive federal regime to have because of some of the threads. you can imagine a regime like that in the cyberspace domain. but they need ragman into jay's problem, which is the internet has become something more than the common good of fresh air, but is actually at the core of our current perceptions of freedom and liberty and democracy. free speech have been there. it was a great list. yet even the psychiatrist is there. so that's actually a problem and

it's a wicked problem. it's a social problem that actually doesn't have a neat set of solutions. the answer to wicked problems, though, is not to give out. which is in my did essentially what we've done so far. everybody is battling ahead without any coordination, with their own set of solutions as best they can. and the answer that will eventually wind up if we don't change the trajectory of howard talking about cybersecurity is the cybersecurity solution that arises from whoever gets the first and fastest and best, right? and the first guy to actually come up with solution, that will be the dominant result. and it may not be the best result. what i perceive right now, for example, is that the nsa and u.s. cybercommand are by far and away the most significant powerful federal act twos in combating cyberintrusions.

they do have more expertise and for example the department of homeland security. and they certainly have a much more centralized set of authorities then save the disbursed cyberprotection systems that operate in the private network. so we are rushing ahead with a system that is likely to result in the default of some form of military or semi-military control of protection of vital critical resources, without deciding whether or not it right answer. now it may actually be the right answer, unlike jay, i'm probably willing to entertain the possibility that if we put in place enough oversight activity, enough protective auditing capability, enough regulatory capability, and that independence, we could empower federal action at that level. but we're rushing ahead without doing any of that. right now, i mean, it took from 1998, when president clinton first proposed it until 2009

when president obama did it, it took 11 years to develop decentralized coordinated function, not directly, but a centralized coordination the white house. even today the white house coordinator is not primus inter pares, not the first amongst equals suitable match, and force the different agencies to work together, but rather he is the least amongst equal. if you must know, who exists right now i'm sufferance within the context of the other agencies. we principally should be thinking about, at least at the federal level is enhancing the coordinated with doherty and structures of the white house to ensure that matter decisions about where we want to reciter cybersecurity in the military, who were in dhs or in some other institution are made by somebody who can actually direct

responses to that. right now budgets are disassociated. there's no unifying cyberbudget. is it then each of -- is within each of the agencies. there's no person who is tasked with actually direct team conformance with cyberpolicy. imagine the most powerless person in the world, the guy who just articulate policy, but essentially no mechanism for ensuring policy is carried out. that right now is more or less be a little unfair to howard schmidt two is a very able man, but in terms of its actual authority right now. that more or less is where he is. he has no dotted line authority over anybody who exists within any of the agencies. so that's my first point. my second point, that is the one i will close on his we have talked and talked and talked about the need for a public-private partnership, one that will solve some of these problems by allowing the

interchange of information between private sector entities that are operating at 85% to 95% of the back of that we use. and the federal government, which may or may not have enhanced ability to protect networks. and what we've built so far simply doesn't work. on the information -- the information sharing advisory councils are good in theory. they work someone in practice, particularly between and amongst you factor out her spirit but they haven't yet become in effect a tool for actually bringing private public sector people together. no one possibility that i think i'll just lay on the table and we can talk about either in q&a or perhaps in a paper that all right for heritage or something like that, is to actually consider whether we need to formalize the concept of public private partnership. we have public-private corporations in america.

some are in bad owner now like fannie mae and freddie mac are but others like lenny and challenge account and the american red cross has been very fact do for a number of years. it may very well be time to think about formalizing the structure good you can call the cyberspace assurance corp., which is what i've titled it. cyberspace assurance corp., which will be a locus for the coordination of public and private activities in a way that is beyond what the isaf do now. so with that brief summary, i will turn it over to questions. we are on tv, so if you have a question, you must wait for the microphone. if you don't, no one will hear you. the floor is open for the next 15 minutes. the lady right here, right behind you. these identify yourself as well for the people on tv know who you are.

>> joanne were from the university of wisconsin whitewater. i teach i.t. there. i have a question about google and microsoft in terms of the search engine that they control. search engine data are especially if interest. i'm wondering what the appropriate relationship between the government and these private organizations would be. again, with none of squabble at the detention between google and the chinese in terms of their relationship. i'm just wondering if you can project the future in which these private organizations would be able to run their parasites and still provide information when needed to the government for cybersecurity reasons. >> jay, i think that one is in your house. >> and inktomi search engine data if you think about it is one of the most personal source of information about you. if you use the internet regularly that exists. i mean, you're every interest

and thought, books you want to read, things you want to buy, every passing fancy and interesting research they had diseases you where you might have, people you might suspect our gay. it's incredibly personal. and that information should not leave the walls of the search engine companies and hopefully the search engine company should not retain it any longer than absolutely necessary, which unfortunately do. and it shouldn't be given to the government accepted the government has specific evidence that it's evidence of a crime and comes with private company with a warrant. there should not be any sort of routine relationship or prophylactic preventative use of that information out. >> well, i think i would just say that, you know, we have a mechanism in this country for

law enforcement getting access to information from governments. it's called a warrant and there is no reason that can't work more or less the same for computer information. and this happens all the time, where somebody sets up a threatening e-mail from a yahoo! account and the secret service, fbi, whatever he thinks is worth investigating you sent a warrant and say who does this calphalon two. sometimes that reveals factual information and sometimes it doesn't. i don't in priority ceos should be more protected than not are less protected. i don't think the government should have a magic backdoor, but i also don't think necessarily that we would say it's completely off-limits. now, i think that she is right, there probably needs to be better standards, possibly in the government for how these companies retained and use personal information. and right now it's a bit of a free for all and maybe were still letting the market work

that out or not. so i think there's interesting discussion there. but there's already a lot of mechanisms like kool-aid of the computer systems, whatever that says that technical or legal frameworks to go when it do wiretaps when actually they have a warrant to do so. so you don't want to get up and ask mother don't think you want to make it as easily patented. >> i'll take a different tact operably in disagreement with my two colleagues. two points. the first is in my judgment the increasing computing power that is attending that analysis and the decreasing cost of data storage. we're going to inevitably cross. we're running towards a world in which whether we like it or not -- and they don't like it and i understand why. but whether we like it or not, the half-life of secrets is a plummeting dramatically. and your ability or desire for very legitimate personal reasons

to keep profiles that view secret is eroding to have the governments actions. you know, i don't mean to be too apocalyptic, but i think in the end it's a lost cause to assume that there will be any way in the world that we can prevent the development of profiles, whether it's based on search data or travel data or whatever. and i would add parenthetically of course that even if we in america decide not to do it against americans, that doesn't mean the chinese will do it against americans or the indians or whoever. so unless there's a worldwide disarmament of the analytical capacity, the game's over. the other point i would make is that one of the things that we found in the last nine years is that this metadata is immensely powerful an effect give as a counterterrorism tool. it has allowed us to engage in

better targeting of scarce investigative and screening resources on people who are of greater risk. like most such algorithmic assessments of risk, it is not a perfect system. and it's also a system that can be dialed up or down depending on her threat of the fence today. you know, if we have a sense there's a greater threat in the next two weeks because we've had higher chatter over here, we can change the screening mechanisms in our air force. when i was at dhs, we very successfully used travel data, which is not google search data, but is the same sort of metadata to target inspection resources that have resulted in a number of successes are turning away potential terrorist activity. that's not to say that wholesale government access is without

threat. indeed, it isn't about that. no one would say otherwise. i actually think that one of the very biggest missing pieces in the whole puzzle right now as congress has provided for the existence of independent oversight that supposed to figure out -- and help us figure out how some of the rules are to be applied to allow us to get the benefits of that data analysis without the threats that arise to chase these. but that board was legislated into existence in august 2007 and there's now a bipartisan agreement apparently not to staff it because neither president bush or president obama have yet seen fit to audit. so i would cite that is one answer. next question. this lady down here and that gentleman will be next. do not errico from japan.

i want to ask you about cybersecurity bills for the iraq terror and obama -- [inaudible] what do you think about that? and what are the basic -- what do you think about it on the internet and also mention security -- [inaudible] >> jay, you had spoken about the bill, so why don't you -- this is basically come to see what you didn't get to say? >> well, basically we don't have an objection to the very concept of some kind of emergency power and actually some of these emergency powers they are to exist and exist in the in the

white house will say what it thinks its existing authorities are, which complicated the current debate. but any kind of an emergency authority like that needs to be very carefully bounded the checks and balances, very narrowly tailored in sort of the classic sense to be narrowly tailored in the way it's executed and be very compelling interest. and so i think we're working on members of congress on our lobbyists on that issue. in terms of the balance between freedom and security, my organization represents those americans who put freedom as their highest priority. a lot of the larger threats as opposed to the day-to-day attacks and fraud, although larger threats are quite the radical of the cybersecurity realm. and we don't want to interfere

with the freedom unless we are very, very sure that there is a very, very real threats and cybersecurity. >> i think it's really instructive to look at what happened to the virus. microsoft went into closed session, introduce an expert take to reverse training order motion in front of the federal judge in the first circuit -- sorry, northern virginia. laying out in enormous detail the technical problems the wall type virus basically said here's 234 domain names that are hosting the command-and-control servers for the virus. and tell them, you know, here's how to upload the new version of glaucoma glaucoma blog. all the supports are now public. you can onto the court sites and can read them. basically microsoft almost single-handedly forced this new legal doctrine that says that, you can't let the other side respond to this. if you let them know they'll do this the update the routing

table only won't be able to know what they are anymore. what you need to do is tell better sign to shut down the root name server entry for all these names and i will decapitate the network. they agreed and they did it. that's a pretty good parallel for the emergency powers i would envision is readable, which is to say we've identified the specific threat, this is why we have to take action to shut down, as narrowly construed as possible. there's a huge body of american mom on injunctions and narrowly crafted in a and doing it to minimize the impact on the public. i think that's a great template for urgency powers to figures that threat, here's where we have to act right now. here's the proof that is the most narrow possible remedy. and then you do it and maybe the other side gets to sue you and say that was done completely improperly. in fact come i think microsoft had put a reasonable amount of money to ask her to account for

damages, should they lose once it became public. so that's a fascinating legal case, a technical background to that. all the reports are really interesting and i really urge people to go and search for microsoft versus -- i forget who they were suing, but microsoft with the fires. i think that's a template. you have to narrowly so it's not too easy. >> i think that's right. justice goldberg, no conservative piece of the constitution is not a suicide pact. they can't get our protections of first amendment liberties are so strong that we can't allow a virus to take down the entire american elect her greed and fear of restraining free speech. on the other hand, as geoff has outlined, the mechanisms for which we would need that to be carefully thought through, we're going to run the risk of shutting down people just as

easy. we've got one more question. this gentleman here in the front. and then we'll move on. >> thank you. my name is rubin. i am an exchange student and cybersecurity and management at the university of maryland. we know that most of the projects that we have actually are related to lack of mostly security implementation, not always going. and not focus, should that shift to the security of particularly the software that is targeting the critical infrastructure? thank you. >> now, that's exactly right. the vast amount of the problem

is insecure software and badly designed software. software written a people who didn't take security into account, for a bunch of reasons, including training, adequate research, but probably most importantly for market reasons on which it does not pay to spend the extra time building security into your system. it's about economic decision for any company to make these days. partly what we need to do is figure out how to trigger the market so it becomes a good economic decision, saying if we have insecure software will make less money. so we need to figure out how that happens in addition to other mechanisms. but on the flipside, i would say there's also these vulnerabilities. o'reilly has a new book out called inside hacking or something. the current generation of threats is unbelievable. you read about these vulnerabilities. it's so subtle, so clever. as long as people are running

computers that have 50 pieces of software on it and are a canoe simulator firefox plug-ins on top of this release of windows there'll be vulnerability and somebody has a huge incentive to figure out the whole nobility and to identify it and use it. so we should definitely do more research. there's a lot we can do to make software more secure, to teachers so that people write better software, but that won't solve the problem if they moved around. but there's always going to be vulnerability. >> i think you i think you hit on a very important point, which is the fact that software bugs are such a huge part of the problem. we just don't know how to write complicated billing of my programs without bugs. and we probably never will. and one of the best solutions to that is openness. you open up the code so that coders all over the world can see it. people can exchange information about different vulnerabilities they see an open software some

of the most secure software that there is. and the idea that we need to put the military in control of domestic cybersecurity, or that we need to create a national identity system for the internet, those are attacking the wrong problems in many ways. and in fact, they're going just the wrong direction if you're putting in more secrecy into the system. >> with that, i want to ask you to join me in thanking the first panel for a very enlightening presentation. [applause] and we're going to do a quick change. don't move out of your seats because by the time they get off and make it on, i need the guy to come up and help me with herb's -- herb come you get to sit next to me. herb is that the end. yes, we've got to give them to

jessica. [inaudible conversations] ..

as a research fellow dr. galanos has helped positions at singapore institute of defense and strategic studies and also at the center for strategic and international studies at washington. she has both a masters and ph.d. from the fletcher school of war and diplomacy and given the recent reorganization at the college of international security affairs she is now also my boss when i teach there as an adjunct professor, so i am very glad i invited her before that happened. immediately next to hers dr. dr. steven bucci. steve is the emphasis leader with a strategic -- initiative. he basically serves as part of

ibm and eternal cybersecurity think-tank. early in his 28 year career he was part of of the u.s. army serving in leadership positions amongst other things the second arab force division and special forces. he was on september 11 system to the secretary of defense donald rumsfeld and thereafter also served as deputy assistant secretary of homeland defense support for civil authorities and that administration. he is a graduate of west point and has both a masters in a ph.d. from the university of south carolina and i am really stunned to note that he is also a graduate of the hellenic army war college in the salonika, greece which is kind of really cool. something cool about everybody here. our last panelist is dr. herbert lin, chief scientist at the computer science and telecommunications board of the national research council of the national academies of science where he is a study director on a bunch of major products

including public policy and technology. most recently he was on the study on offensive information warfare. that his offense capabilities of the united states in cyberspace and he has also participating in the cyber deterrence study that oath dr. colin and i have been participating in. prior to the service here, he was on the house armed services committee and he has a doctorate in physics from m.i.t.. i am fascinated to learn that he is a longtime foe can swing dancer and styles himself as a very poor magician so if we don't like his talk we will ask them to do some tricks for us. with those very brief introductions, allow me to please permit dr. bolanos to begin. >> the ideas i'm about to express our my own, not the international security of affairs or the department of. in addition i also have a bit of a warning.

there are a few public speaking engagements i have come to the tragic conclusion that i actually speak too much and that ascendancy of my symptoms interfere with my co-panilist. notably in this case we are talking about the time a former deputy assistant secretary and chief scientist so i should know better. therefore i will ask for your patience in what will be a bit of a rather scripted presentation that i hope will contribute to a much livelier discussion later on in our questions and answer session. i want to begin by thanking the heritage foundation and a particular dr. -- for the kind invitation and i also want to underscore the overarching theme of the homeland security 2020th and an today's panel in particular are exactly in line with my most urgent recommendation on the issue related to cyber domain. as mentioned by dr. rosenzweig

the average person will note that this topic is widely covered in the media and it is increasingly becoming part of more than one of washington d.c. agenda. however, the time is right for the discussion to be shaped or included in the informed, rigorous, responsible, open and in partial efforts undertaken by scholars, experts, decision-makers with goals in mind. to educate and to contribute to the adoption of measures that will ensure the viability of our wired nation-states. a somewhat abstract introduction on the challenges of crafting adequate cyber strategy, in particular cyberwar strategy that touches upon the role of the state but also nonstate actors and i think it is a nice link between the previous panel and i think we will introduce things at the other speakers

will talk about. i also want to explain before that how i got interested in this topic. for several years i spent actually quite a few hours a week listening to the actual conversations and observing the interactions between al qaeda and affiliated members. however, i did not have to leave my office to join al qaeda's new generation of trainees. a camp in kabul near jalalabad. winstead all of this interaction took place under cybersubstitutes through virtual portals like www.al qaeda .co .uk. there, i became familiar with explicit documents that among quite a few other things, demanded responsibilities for what they called al qaeda cyberbrigades are on line

brigades. monday's documents one could find a description of what these individuals referred to as electronic jihad. the most prevalent focus of electronic jihad remains today the use of information technology as a resource and support of other activities mostly happening in the physical world. clear intent on the use of cybermeans as tools for disruption and disruption constantly appeared in their dialogue as far as their long-term strategic goals. forcing myself to engage on the empirical and silver dialogue that i actually advocate for i must emphasize that relevant offense of cybercapabilities from al qaeda are yet to materialize. however, one specific trend that i observed at that time also told me it would be responsible for me not to continue paying attention to the engage meant that are nonstate actors in cyberspace. and that trend i actually noticed how al qaeda was researching and developing specific sets of weapons and two

things worried me from this trend. first, i noticed that their learning curve was relatively steep and second, i learned that they actually learn important lessons by tapping onto and fostering networks of sophisticated technical experts that knowingly, that actually unknowingly granted them capability developments and know-how. and tenth, research and development and fostering of networks linked to capabilities are not the immediate cursor of a cyberarmageddon. they are however, clear and loud efforts that shooting for the mission and decision of those in charge of devising cyberstrategies against 21st century adversaries. amongst those in charge is a recently formed u.s. cybercommand. the mission of cybercom is for the amusement of some, actually

codified in a 128 cryptographic hash that actually means a series of numbers that appear in the seal of the organization that actually stands for the 58 ward mission statement of cybercom. a mission that includes a defensive but also an offensive component to cyberspace operations. now, to seriously think of offensive and defensive cyberstrategies pursued by u.s. department of defense by the u.s. department of defense is really to think about legal and other dilemmas ahead. the effort to do this is certainly underway for both of the adequacy and an adequacy of legal regimes by various specialists. among the legal frameworks discussed, one proposal is the use of armed conflict as a possible platform from which to draw further insights on the legality of cyberwarfare by

states. serious advocates of this agree that even if we take into account the principles of armed conflict to guide us in the cyberdomain, these analogy efforts do not solve all and in case as it underscores many of our future policy and strategic challenges. now i will not represent each of the postulates of the conflict and its links to cyberwarfare thomas something that has been done in eloquent writing by men including some of my fellow panelists. winstead, for the next few minutes i will focus on one or two examples supporting the following argument which by the way represents a little bit of a metaphor that doctor cohen was telling us a sometimes is good and sometimes as bad on previous panel. be argument i want to get out his first in in the post-11 -- 9/11 environment we had the challenges of waging warfare with mark's difference from the

great 20th century wars. second, that this challenge characterizes 21st century warfare and i mark bring to its most general, it's physical expression, is not perfect but interesting parallels in the cyberworld. according to the law of armed conflict there ought to be a number of preconditions and conditions just to find the use of force. one of these actually relates to the need to clearly identify combatants are those accountable for belligerent action as a condition for counteraction. for the last 10 years, the u.s. has been engaged in warfare theaters where the adversary is increasingly an unidentified combatants that purposely seeks to disguise its activities and shield action by operating from within the population. one can think of ammunition and stores, individual strength, attack plans plants in places of

sacred locations that in other circumstances would have been considered a neutral and sometimes either protected some. in the cyberdomain, this can be linked to something that was referred to previously that is known to the problem of attribution. as a common practice, cyberattackers seek to exploit and hide behind wide and complex set of networks commonly used by the population at large, turning them into -- so the origin of the attack cannot be attributed to them. many cyberhas been conducted in this way for hijacking servers and unsuspecting countries including again, dr. cohen's servers in the united states. back into the physical world and also into the problem of attribution as the common practice of states to use proxies or proxy organizations to foster their interest. i can think of a few groups

actually globally relevant groups links to iran. in the cyberworld is this increasing, although i mean some of the information can be anecdotal or uncorroborated but there is increasing evidence that states tonight ability by outsourcing their attacks. unexampled, inc. income visit the probable connection between the russian government and the nonstate actor known as the russian business network who played a notable role in the cyberoffensive against georgia alongside the russian campaign in 2008. which brings me to another point and also in the relation to the attribution but more broadly regarding the definition of war. most of the love farms complex strategic thinking concerning the use of force in modern times has adopted a state-centric approach. war was waged between states and for many years we use force against nonstate actors under

very interesting categories such as operations other than war, and yet in the physical world we have an end of the element of surprise that it is armed nonstate actors that are adversary capable of strategic challenges against a nation-state. in fact the most powerful nation-states. in our effort to devise adequate responses to this threat we have also attempted to create another set of neat categories that distinguish from one nonstate adversary to the other. so in theory we speak of terrorists international organized criminals and insurgencies however an actuality late 20th century and 21st century warfare what things will continue to be characterized by the convergence or hybridity of these entities. simple examples would be the colombian farc and it's connection to marxist leninism and narco-traffic or the taliban and the opium networks.

the convergence of adversaries is actually replicated in the cyberworld continuing with the previous example of russia when non-suctioning as in the sense of sector against russia via forum mention network is also known to hold scores of illegal cyberactivities, some of them linked to global credit card fraud that actually on occasion have posted one or two al qaeda bombers. technically, the nation-state has problems waging war against our nonstate actors get as far as i'm concerned, so the most complex offensive campaigns of the last decade have been waged against those adversaries. while agreeing that in today's cyberdomain the greatest threats are two states, the u.s. must also be prepared to find responsible and legal recourse is to engage in complex cyberadvances against adversaries that may fall short or contain as we were discussing

before, full-fledged cyberwar. finally, if nonstate adversaries decide to pursue cyberaction against our networks, thinking of legal regimes will also have to account for a number of implementation problems. for example, from our point of view because of intelligence denials by adversaries for technical issues, cyberwarfare at the beginning of cyberwarfare, simple cyberintrusions or exploitations may look alike. who, when, how and to what extent shall we respond? the assessment, planning and responsive government should all be done with these challenges in mind. some of these decisions entail serious transformations that will affect the public. ultimately and particularly the cyberdomain, it is the public, the private sector as well who will have the right and the obligation to determine if they are willing to assume the risks and costs of inaction or if they

are willing to adopt action and support policies in order to secure the benefits of a wired and actually increasingly wireless cyberworld. >> thank you. >> i just want to point out that fact that i'm a graduate of -- however probably a bigger stretch for army sf guys that i'm a graduate of the state department senior seminar which is the state department war college college which is probably more foreign than going to greece going to school for some unlike me. i have to use my own disclaimer. these remarks are not ibm's policy position. they are my own so you know, please do not attribute them to ibm. also i will tell you that some of the things i'm about to say or disagreed with by many people dick clark, jim lewis of csis,

allen teller at the sans institute, people for whom i have enormous respect as experts, but i don't think they think like terrorists and i guess maybe i do. so there are some differences there. some of the stuff has been touched on. if you made a graph with a number of incidents on one side and the consequences from those incidents down the other, the beginning part of that graph would be huge. jay mentioned there are lots of stuff that goes on on the image that today in an enormous number of events, incidents, intrusions, and tempted intrusions that frankly are noise. they don't really have any big effect on hardly any of us. there are some down at the other end of that graph however that are pretty darn significant. not as many of them, but if they are successful and the melons and that they are perpetrators are using, there are some bad things that will happen.

it is not as theoretical as some people would think. i'm not a technical guy so i can tell you i don't sit there at the keyboard and plan how to do this stuff but i have lots of people that i know that our people with that kind of technical ability, who will tell you it isn't really as hard as it might seem. it is like rocket science to most of us but to those experts who are fortunately a fairly small group, it is not that difficult to cause great amounts of damage. if you look at cybersecurity threats on a continuing, he would have got individual hackers that are out there doing their thing. unfortunately some people in authority like to think that 22-year-old kid in his mothers basement with the star wars figures going after everything, they are not that big a problem, folks. they are really not. small criminals are out there. they are trying to affect you as an individual. they are tried to get your money, your identity and they are particularly painful if you

happen to be the specific target. on this side of bases not that big of a deal. organized crime is an enormous problem. if you talk to the fbi and people like that, cyberorganized crime is a bigger deal now than drugs. they make more money off of cyberevents than they do off of it listed narcotics. this just blew me away when i first heard that. that is enormous thing and they are all over the map doing all sorts of stuff to all sorts of people. cyberespionage, and this one is really tough because there a lot of different pieces to cyberespionage now. there are organized crime, trying to steal things from american companies because they can sell that influential property to other folks to make lots of money. there are american company stealing from american companied industrial espionage now being much more efficient and safer to do through cyberthan older methods.

there are foreign companies trying to steal from american companies. there are foreign intelligence services trying to steal from american companies to use either by their own governments were or two past to state-supported industries that are in competition with our companies, and there are the old-fashioned national security type espionage of intelligence services trying to steal from our government in secret. basically we have made espionage a lot more efficient, a lot safer for the people who are the perpetrators of it, because you don't have to try and go into a government building and walk out with a briefcase full of documents. you only have to try to recruit somebody to do that for you. you can just do it from a desk and some other part of the world. so that is an enormous problem that is going to be there forever. it is the way we do business down the espionage world. terrorist use of the internet,

if you talk to the experts to look at that, they abari's used it for propaganda. they advise used it for fund-raising and some degree of recruitment. there is some evidence of them using it for some operational planning. there are even some interesting things, funds transfers through things like second life and that sort of stuff that are really kind of elegant ways of doing that sort of thing. you can't money launder without but you can move operational funds that way. the biggest problem of terrorist use on the internet right now is through radicalization. that has been the biggest uptick in the past. that used to be the big point of vulnerability through extremist groups where the law enforcement or security guys could get them because they had to come face to face to really convince bucci to become part of their team. most of you have probably heard of jihad jane, the blonde lady from the southeast to get

recruited, totally bought into the whole jihadi ball of wax all over the internet. that is the problem now because that cover some of that vulnerability that that our law-enforcement used to be able to utilize to catch bad guys. i will get to cyberterrorist attacks in just a minute and then at the other end, which my colleague it has already talked about as the nation-state things we have had two examples of one, a cybernation-state attack and the other a nation-state cyberattack in april thing connecticut had. there is not conclusive for and to there were actually nation-states behind the cyberpeace of it, but that is out there as an example or. the president used the event in georgia as his example of cyberwar of the future. and this is where dick clark and those guys, they look at that stuff and that is the way it is going to go. cyberis now the equivalent of

artillery preparation on the battlefield or air attacks prior to a ground offensive. that is part of the deal. i think we'll continue to be so. now, if you look at all of those threats and i have my nice picture. there are a lot of threats out there. how you plan against those threats? the way you do it in my experience is to narrow that aperture. you have to pick the most dangerous threats and you have to prepare for those. but then you also have to prepare against the most like you threats. in the cold war we did that with thermonuclear war to soviet union was the most dangerous threat. we had to prepare for that. fortunately it wasn't too likely, because of mutually assured destruction and other deterrence. the most likely than where proxy wars, which we did have a couple of those go on. today the most dangerous threat in my mind are clearly those nation-state types scenarios where someone really comes after us either with peer cyber north

cyberplus kinetic, the most dangerous threats. not very likely for all sorts of reasons and i can talk about why that is the case during the q&a. the most likely threat in my mind is a cyberterrorist attack enabled by cybercriminal capabilities. now, why do i say that? before i said i will tell you a lot of people say it is not true. people who disagree with me. they think terrorists are not going to use cyber because it is not spec you are not. a terrorist like leading guts in the streets, burning buildings, that sort of thing. they think terrorists are not going to do it because it requires too big a capability for a terrorist organization to harness and develop. you've got to almost be a nation-state to do this sort of thing. i would disagree with those points were a couple of reasons. one, but be awfully darned spectacular to take over the control system of a chemical plant somewhere in the united

states from another country, hit enter and have all those open up and suddenly you have created an india like event in the united states. that is pretty darn spec tech grant also pretty elegant from an attack standpoint. two, you don't really need that big a capability. it takes more than one guy at a keyboard to to do this on i'm the first to admit that but it does not require an entire cyber army to pull off one of these events. the reason i say that is the terrorist group is not going to try and conquer the entire american electrical grid or take down the entire american financial system. they are going to be more focused on 9/11. they try to take over four airplanes and that -- they didn't have to take over every airplane filing -- flying in the united states. a cyberterrorist attack will be much more focused than a nation-state attack. could just be the water control system in northwest. it could just be electrical grid

and one state. they can do that. the way they develop the capability is by hiring criminal networks. people who are more than willing to work with anybody who has the money. and i will and with this point. when i came up with this idea i did not have a proven case for it which is my analysis. since then, if you recall last year when israel made its incursion into the gaza strip, the most recent one, they announced they were going to go in there. right before they went in, on the deadline because they had announced it so so hopefully innocent people would get out of the way, there was a massive denial of service attack against the israeli civil defense system. when they did the forensics of that event, it pretty much exact weight like the event that had happened in the estonia in 2007. well, i don't have definitive proof that they hired the same

criminal elements who were involved in in the estonia event but it is a pretty big quince events that they looked at similar. so did hamas or hezbollah hire the same criminal networks? i don't have the proof. pretty strong circumstantial evidence and in my mind a potential proven case of my theory. i will and with this. in this business i have a non-technical guys confidence that we are going to figure out the technology to increase our security while still protecting our privacy. i think we can do that. they are not a chilly exclusive. however, the long pole in the tent folks is the law, the policy and the definitions. we have nothing like any sort of agreement on those things today and until we do, we are going to have a devil of a time addressing these issues appropriately regardless of where you stand on these issues.

but we have got to do it soon or the terrorists are going to use the delay that we have to their advantage and i don't want to be prophetic, but i think we will see this kind of event somewhere in the united states. >> thanks, steve. i think you are right. if anybody out there is young and is looking for a job career opportunity, cybersecurity lawyer is probably a growing field in the next 20 years. herb. >> thank you. so i'm here to talk a little bit about the offense it dimensions of cybersecurity. mostly we think about cybersecurity in terms of defending ourselves with firewalls and so on and i will talk a little bit about that but there are a lot of stuff that has to do with how we might use of offensive capabilities to defend ourselves as well. and i will start with a metaphos some benefit which i described.

verifies been good guys and bad guys and technology they evolve from spears to bows and arrows and ak-47s but now there are weapons that include weapons that can go through cyberspace. that brings up a variety of very interesting questions. so, let me start by exploring the metaphor just a little bit. this is the situation where the bad guy has a gun and there we are. the first thing we do is put a bullet proof vest on and this is a good thing to do, because you know when you do that, you are more protected. and so, i have a sheriff's badge here because we sometimes deputize the cops that act on our behalf and if you think about bulletproof vests as an instrument for defense you have to ask a variety of questions. u.s. questions like how effective are they and how strong are they and how like anemic them? how can you ensure that every copy is when how do you make sure they are well-made and so on? of course we don't just give them the bulletproof vest.

to give them the guns as well and now you have to ask if ready by the questions like what types of guns can the cops use and when did they have permission to fire and how do they actually behave in the field when they are using their guns and what about the problems of innocent bystanders? if you take a look at these kinds of questions, the questions about the defense, that is the bullet troop deaths are very different in nature than the questions about the offense and in the defense of case they are very narrow questions about the technology and implementation issues and so on but in the offense they are really policy issues. when you have permission to fire? that is not a technical issue. how do they behave in the field with their guns? that is not a technical issue, and so on. so we have to really understand all of the dimensions of this. so let's take a look first. you have a situation where you have a good guy in a bad guy in the bad guy fires the gun at you. sometimes he misses and

sometimes he hits you, and the bullet ounces salt. those are good scenarios. but sometimes the bullet goes to your head and that resulted in a. what i'm trying to illustrate here is that the shows that you might really want to think about having all of the tools at your disposal to help defend yourself. let's take a look a little bit at the specific technology. you have a bulletproof vest which is a technology. protecting cyberspace is better firewalls and antivirus programs and the like. and so, sometimes the attacker comes up against those in the stymied by them but the attacker learns. he gets a bigger gun, okay? and you know now all you have is a bulletproof vest you are in trouble. if you just rely on the defensive technologies both made

the bad guys will find a way through them. and the other thing we do is we want people to call the cops. only the problem is, in cyberspace the cops take a very, very, very long time to figure out what is going on. and so, why might this be true? one reason is the nature of the attack. here you have a scenario in which the bad guy in red is attacking the good guy in blue. of course this is if the world were like this it would be a simple thing for the law-enforcement guys to investigate but really it is more similar to this. embedded in the network are really like this but the real problem in cyberspace is it is like that. there are no arrows. you can figure out where it is coming from and you are still being attacked or killed you know the approximate note that it is coming into but you don't know where the other things are coming from. and then there there's another question about the law.

there are laws that are applicable to cyberspace, security in cyberspace but if you look very carefully at this sophisticated graphic, you will see that in some cases there are blank spaces there. that means we don't have a lot and in some cases the laws are very unclear. you can't read them for a reason. how you apply certain laws are very unclear, so you are in a gym. so, in fact if you are on the defensive side and focusing on the defensive side you can put a debtor shields up, a better firewall and you can call the cops but they take months instead of minutes. but what you can't do, you can't return fire. so what does that mean? so you have the situation -- make here is the situation. you are outnumbered by the bad guys. they have all kinds of guns deployed against you and you have the cops who are

outnumbered on trying to protect you. this is not entirely satisfactory state of affairs. so i talked about the law but look at the offense. the offense inside of it is something that is not very much talked about. and one of the things that we did in our 2001 report on cybersecurity, and cyberattack is an instrument of national policies to call for national discussion. by the way their handouts that summarize the report which are somewhere out there. pick one up on the way out. it is in a page summary of the reporting you can get the report actually free on the web. will be called for was a national discussion which all the institutions of government actually the private sector would calm to engage in a national discussion about this topic. so what i wanted to do was to take a look to show you how some of the questions we are encountered in the cops versus criminal case applied in this

case. one question is what kind of weapons are the cops going to use? in cyberspace you have a variety of choices. for example you could go in remotely through the internet but there's another kind of attack or khomeini if you bought your computer's mail order so for some period of time it was sitting on a loading dock somewhere. how do you know that somebody didn't go into that, into the box and open up a computer, swap out a chip or put in a different piece of software and seal up the box again? how many of you probably check for that? probably no one. i know i didn't when i got mine. but if i were the wife of the chairman of the joint chiefs of staff, that might be an interesting computer to do that too and that is how -- and then there are other kinds of weapons in cyberspace. you can sometimes target one computer very seriously. you go after after the vice president's laptop. that would be a very interesting laptop to get ahold of and do something with.

and sometimes you can attack many computers at the same time. that would be a good thing to do to match depending on what you are trying to do. then you have a question of when are you allowed to use your guns? well the laws charter to find the stuff and they talk about use of force and arms attack and when those things happen, some are forbidden and so on and all those kinds of questions. here's an interesting question. what happens if somebody uses a cyberattack to steal money from you, trillion dollars and it all goes away. is that a -- an armed attack? what about causing a blackout. is that a cyberattack? what if you hack the electronic voting the chains of another nation and to try to influence the outcome of its elections by throwing the election one way or another? does that count as an armed attack? what if you just change stuff in

the database? hear the left side or the red side are identical apparently, except that i changed xyz to wxyz. they probably would not have got that. what if you are changing data or programs? does that count as an armed attack? what the program runs a nuclear power plant? spying is not against international law. if you are allowed to plant agents into another guy's computer. what if you change, rural we change that and she meant? to that count as a use of force for an armed attack? we have these interesting questions of what to do and they feel. you may have certain rules of engagement that say you know, with the private sector, you may have -- you can't fire and let the bad guy pointed and it you. well here we have somebody pointing a gun at something at you and it is not clear whether he's a good guy or a bad guy is not clear that he might miss.

how do you know who you are about to fire at in cyberspace and what the conditions are for that? how do you know who is was an innocent bystander? that guy is probably on my father's computer. i tried to keep it free of viruses but bad things happen to it anyway so that computer is probably the one that is attack in you. what are you entitled to go against a innocent bystander and how do you get the bad guy to surrender in cyberspace? you say no more, he surrenders. how do we know he stopped firing because in cyberspace everybody else is still firing at you. how do you know that he's he stuffed? how do they know that we stopped firing at them? and of course in the laws of war are a place where they metaphoric -- you are allowed under the laws of war to target airfields and military facilities and ammo factories but you are not allowed to target churches and mosques and synagogues. you are not allowed to target a hospital.

what are the analogues in cyberspace that maybe should be a power plant? there's there is a homemade area for discussion. here's another interesting situation. the bad guy here is a gun. we have something that looks at it again. it turns out this is a taser, nonlethal. under the laws of war is -- i'm sorry under international law is a sad exploitation, spying is legitimate by the tax may not be how does the bad guy know whether you you are conducting n exploitation or an attack? this is only an exploitation. not necessarily a viable policy. in the fact that the private sector and for cyberspace is very much involved in this process, and so this is going to be an area, point eight by a previous panelists at the private sector in the government are really going to have to start working together. so for example if you deal with a cyberattack you want to go over the internet. you will go through a service

provider. they are going to tell u.s. service providers hey, the next cyberattack you see as legitimate. don't shut it down. is that what we are going to do? how are we going to manage that problem? and i don't mean to make it a -- but it is a serious problem. the bottom line is we need a national conversation. get a copy of the summary that is sitting out there and if you do a google search on macarthur foundation technology policy and cyberattacks, you go to a free web site that will download the full report for you. macarthur foundation, who funded this, technology policy and cyberattacks. you will get the free pdf for the entire report and it is fascinating reading. >> thank you, her. i want to commend herb especially. you can see probably on tv or

hear, never before has anybody done 63 lines in 15 minutes. that is impressive hertko so we have about 17 minutes, 16 minutes, 15 minutes left for q&a. as before you are on tv so wait for the microphone. who would like to start the question and answer today in this one? oh, come on. okay, the gentleman right now. >> entrepreneur, new resident. what are the implications for cybersecurity if end-users have the ability to have encryption. ra 56 is encryption on their computers. herb? >> encryption is certainly a good thing to have in some situations. encryption does protect you

against some sort of problem, but it is by no means a cure-all. you can encrypt -- let's say you have the best encryption program in the world and you encrypt all of your files. the one question is how do you get access to it? and then whatever your answer is, what presents a bad guy getting it to? they will steal the password, they will steal your key and so on so encryption sometimes in some situations can help that it is by no means a magic olive. it is one element of solving some problems. you have to be cautious with any sort of security add-on, whether it is encryption or anything else that you don't get lazy with doing all of the other things you need to do. good cyberpersonal hygiene is really one of the keys, whether you are an individual or in entity and you can do the things. you can protect yourself much more than you would if you didn't do those things. we have not yet figured out, no

one has, how to protect ourselves completely, short of not going on the internet in that frankly is no longer an option. if you are going to be connected with the rest of the world. regardless of what you use, don't depend on one particular element. you have to do the whole thing. from a policy standpoint, you always hear the cops and everything don't want encryption because then the bad guys can use it. well, if the bad guys use the technology generally faster than the good guys do. cloud computing. the bad guys have figured out they can use cloud computing to bust passwords faster. gives them an incredible amount of computing power for the period of time they need to bust those passwords rather than take two months to do it. they can do it in a week. the bad guys will adopt probably faster than the good guys on almost any kind of technology. so, the cops aren't going to keep encryption away, but you

know we have just got to keep working at it and help the good guys stay competitive with the bad guys. >> the point steve makes about passwords is a really important one. they can use all of this cloud computing to bust passwords because people choose, a passwords. they are too short. how many of you people have changed your password in the last month or the last 90 days and, if you have a password that is 16 characters are more and have alphanumeric senate? [laughter] >> we are saying the same thing. when i give you the example of the learning curve, that was exactly what i meant. there is no way we are going to be able to have definitive answers to interpret. everybody's going to catch up with that so there has to be a solution. it has to be a bit more strategic. >> next question. this gentleman here in the back

of the room. >> my name is lieutenant colonel dance on amendments to terry fellow with csis. at the big findings in the 9/11 commission was the wall created between fbi and cia in order to protect civil liberties and become one of the reasons the system fail. do we run the risk in cyberspace of creating similar walls between nsa and, nsa and fbi and if so, what policy measures can we take to prevent it? >> again this is my personal opinion. our system require some of those walls. it is going to add in some inefficiencies or some imperfections in our ability to do security. as a citizen i am okay with some of those, but as paul mentioned it is not a suicide pact. so we have got to find ways to do it correctly. one of the things that we did and this is not a cyberexample but when we had the d.c. snipers, we use military

technology to try and find those guys. that required a presidential finding. it required special sections be built so the law enforcement guys could use those technologies and protect the information all with the kind of protections that jay points to that we need. we need need to do that sort of stuff in cyber as well. will it make it harder to secure cyberspace? absolutely. is it worth it? yeah, i think so because i kind of value our privacy and civil liberties. but we have got to find a way to do it smart. privacy and civil liberties and security are not mutually exclusive. people who try to taint it that way are wrong, regardless of which end they come from. we can do both but both have to give a little. how much we give is policy. >> let me move away a little bit from the issue of the dichotomy

privacy versus what we do in order to protect and so on, but you will find that there are a number of redundancies at this point, lack of communication even with those people that are doing the law enforcement etc., etc.. and although i take the point that is how we are built and in some cases it is necessary, call me naïve if you want, but what i see his adversaries is somehow are perfectly able to communicate in functions and that have networks and horizontal safe departments within their organizations that make them much more efficient. it is easy for them because they are smaller, but they are just faster and they can respond in more effective ways. i've had conversations with different law enforcement agencies, secret service and other people are doing similar crimes. you see that one would benefit tremendously from a bit more

cooperation, what cooperation is available. >> the gentleman over there in the corner. >> i just wanted to ask what do you think holds back the definitions, the policies the statements to be put into effect and to be implemented? >> i was the one who made a comment. the things that are holding it back are really good intentions. i have seen very little negative -- nobody is doing it just to screw up a system. they are people that are protecting different issues that are important to them. you look at all the laws we have or that are proposed that are in conflict with one another. they are written by staff who are looking at specific constituencies or jurisdiction so they write the law and what fits in their jurisdiction.

that is going to sometimes with them in conflict with laws written by committees who have different jurisdictions and different priorities. it is not valentin. we have got a very pluralistic system and that thurlow some sort of tilton some conflicts. i agree it would be nice if we could streamline it a little bit but i don't think we are going to junk the whole system to have a streamlined. the most remind systems in the world are called dictatorships. we don't want to one of those here. so pluralism ads and inefficiency. we would like to minimize them if we could. >> there is another reason i absolutely agree. there is another reason too which is we have to figure out what we want our policy to be. so for example we have said as a matter of national policy on one hand that we want, secretary clinton has talked about a global dialogue to promote secure information, information technology and infrastructure on the world. well if we have capabilities which we do, a secure

information technology infrastructure around the world is not going to facilitate that. so do we really want everybody else in the world including ourselves to be seek here? or do we want everybody to be vulnerable including ourselves? enables us to go attack. is that part of why we did this report? we need to have that conversation. are we better off in a world where everybody is secure or where everybody is insecure and i think the nation as a whole has not decided on that. lots of opinions, right. >> down here. >> i am from the university of wisconsin. the u.s. largely imports its computer chips, imports of high technologies. is ramping up our industrial base and ramping up our manufacturing of these components a subsidy in order to secure our cyberdefenses in the

near future in order to make sure what is manufactured and the standards that are needed has the safeguards that will thwart terrorist attacks? >> lots of people think so. people worry for example that if you have chips that are made in plants that are controlled by foreign nations, that it leaves us more vulnerable and one solution to that, one solution to that is to have more indigenous capability. whether or not that will solve the problem is unclear and i can give you lots of scenarios in which that will not solve the problem but certainly some people believe what you just suggested. >> speaking as the one person from from the private sector up here, i think that is a really bad solution. the reason is this. one, it totally destroys the business model of ready much every tech firm in the world

which would drive the prices of everything out of the roof. i mean he would not have the ubiquitous communication stuff that you have today because nobody could afford any of that. there are some niche capability for very special organizations that different tech companies do that has this additional security pieces for for the supply-chain built-in. if you try to expand that out aside from the incredible price increases, it's only going to protect you for a little while. it just makes it more difficult for the bad guys to infiltrate your supply-chain and try and mess with you as opposed do you know giving them opportunities overseas. the answer is really finding ways to secure the supply-chain as it is for us now. that is hard. it cost the company's money but there are a lot of motivation to do that because companies like mine and like all the other tech companies, our reputation is built on that staff.

if we let ourselves get fiddled with so that it then affects a client to whom we sell it, that is a ding on us and we don't want that and other tech companies do. they are working hard to secure that supply-chain but the old build it all here, it sounds good as we say in the military, briefs well. is really hard to implement and is really a red herring. is not going to give you the degree of security you think it might. >> we have time for one more question if there there is one in the room. does anybody want to take up the cudgel? then i will ask the last question. i will ask all three panelist to give me a short response because we have about two minutes. what do you think will be the major surprise in the next five years in terms of cybersecurity, policy or threat? will it be an attack? will it be the collapse of the private sector?

what do you think is the most surprising thing that is going to happen in the next five or 10 -- actually homeland security 2020 so let's make it 10 years. i will start here and work on to the in. >> i think there are tremendous disincentives for the most powerful big threats to actually go ahead and attack. we have been consistently surprised about not cyberattack that cyberexploitation in order for them to gather information. i think that we cannot measure that but it is already surprising to me. and people don't know it so it should come as a surprise and continue to, as a surprise, the amount of information that is gathered by what i call adversaries. the way we are loosing our information, information that probably should restored and carefully manage. >> i will reiterate what my final comment was, that i think sometime in the immediate future, clearly within the next

10 years we will have some major cyber event. i don't think it will be from a nation-state. i think it will come from a terrorist organization. with funding from the criminal networks. the thing that will be interesting about it is will be how the president, whoever the president is at that time in 10 years, response. will they respond with cybermeans, because remember there is no rule that says if somebody attacks you with cyber capabilities you have to respond with cyber capabilities. they can respond with old-fashioned stuff too. how the president at that time was fun to that event and a lot of that will depend on how we can attribute and where we can you trace those people to to give him those options for their response so i think that is going to be the surprise that will not surprise that many people. >> herb? >> there is a definition of surprise, i would really be amazed.

for me it would be if the u.s. government got its act together and decided what policy was. [laughter] that is actually probably right. so, that is a personal comment from me and does not reflect any official view of any organization with which i am affiliated. speier doesn't think the national government is disoriented? >> on that humorous but somewhat sobering and quite accurate note i want to thank the second panel for their excellent contributions. i want to thank again heritage for hosting us and i want to remind those of you who are interested that there is a lunch of sandwiches and chips across the hall and then and though. i want to thank everybody on c-span who might be watching for sticking with us. i want to thank everyone for attending and i want to issue a very fine rest of the day. we are adjourned. [applause]

[inaudible conversations] [inaudible conversations] [inaudible conversations] [inaudible conversations]

>> up next on "the communicators" a discussion on the federal government's plans for the broadband wireless spectrum. in about 30 minutes, a conversation on the upcoming u.s. supreme court case on the 2007 arizona immigration law that penalizes employers for knowingly hiring undyed emended immigrants. then british prime minister david cameron takes questions about his government's domestic and foreign-policy agenda. ..