
tv   Key Capitol Hill Hearings  CSPAN  January 6, 2014 8:30pm-10:31pm EST

8:30 pm
the consumer and electronic association. and alex byers is a writer with "politico." thank you, gentlemen. >> thank you. >> on the next washington journal, the president of the american principles project will talk about social conservative priorities and agenda. followed by a look at federal investment in green technology businesses. and a discussion on al qaeda in iraq and the united states agreement to assist without sending troops in. washington journal is live with your calls and the day's headlines every morning at 7 a.m. eastern on c-span. >> our message was this: as
8:31 pm
mothers we are concerned. as first ladies we are committed. as citizens of the world we plan to do whatever we can to stop. >> however different we appear there is far more that unites us than divides us. we are here to find common ground so we can bring dignity and respect to girls all over the world. >> all of you are a part of the conversation because in the coming years all of you will be building the businesses and making the discovery and drafting the laws that will move the country and world forward for decades to come. >> mondays, starting january 13th, first ladies influence and
8:32 pm
change returns. [laughter] next, journalists discuss cybersecurity issues and the impact of cyberwar. we will hear from editors from the wall street time and foreign policy. they will look at how the issue impacts several areas of society, including the military. the correspondents, from guardian, wall street journal, the new york times. it should get underway in just a moment. this is live coverage on c-span.
8:33 pm
>> hello, everybody. we are here at >> hello, everybody, i work for a magazine down the street called foreign policy. i am honored and excited to celebrate the launch of this really interesting book which i have in my hand called
8:34 pm
cybersecurity and cyberwar. we will talk about some of the big issues in cybersecurity. peter, as i am sure you will know, is director for the center for 21st century of technology. alan is a visiting scholar at the cyber policy research center at george washington and was here at brookings for three years. it is interesting to me, you know, just to kick off, that this book is coming out now.
8:35 pm
we have had it seems like a stream of cybersecurity stories and mishaps and events in the last five years. and so i guess i am curious why you decided now was the time to go back to basics and set the table and lay out the primer for folks about what they need to know on the topics. >> i will weigh in. i want to thank you for and all of you for coming out. it is an exciting time. and a book is a journey. it is coming out now but showing the journey of almost two years. the idea behind it and why we think it is relevant right now is that i would argue no issue is becoming more important but less understood than
8:36 pm
cybersecurity. and i say more important in terms of policy implications to legislative questions to the business side to your own role as a netizen or citizen. the future of world politics is as important as your only personal privacy and what the kids are doing on snapchat or the like. there is a gap there, though. we can see it in the former director of the cia described it as he has never dealt with an issue where less people with knowledge were dealing with the
8:37 pm
event. to where 70% of executives made a technology decision. and yet no major mba program is teaching on it as a regular management issue. to again, the way we handle ourselves online. the most popular password is password followed by 1, 2, 3, 4, 5, 6. and also to how he handle a citizen. and the goal behind the book was to get to basics. i would argue it isn't back to basics because we never had the
8:38 pm
basics. so we are doing it emphasizing what everyone needs to know. >> it seems like 2013 was the year of the leak. there was an nsa contractor got his hands on the document. what do you see 2014 heading? what are the big issues and 2014 going to be the year of? >> you can say it will be like the past but more so. looking back, one of the interesting things about 2013, was it was the first year no major person in the policy world gave a speech that amounted to the problem with the internet was it was built without the security in mind and the solution is to build a new
8:39 pm
internet and make it secure. we want to move from the area where cybersecurity is something that is unique and separate and cut new out of whole cloth into an issue that is integrated into everything. one thing i think we can expect to see is boards of directors will demand briefings. they will say listen how are we covered. at the technical levels you will see creative attacks. we will move from taking advantage of the human error and finding new challenges. one of the largest questions are always at the intersection of the technical and economic and political. who bears the responsibility for
8:40 pm
securing our cellphone? maker of the operating system or your cellphone company? i think in 2014 those will come to head and we will see lawsuits. the challenge is to make sure we work toward a coordinated approach. >> i will ask a couple more questions because there are things i am dying to ask and then we will open it up to the audience. you know, both of us have worked around the pentagon-types for a while. it seems like the answer is more offense. and you know, if we are being hacked the answer to hack them back a hundred times more. first of all, do you see that trend continuing that everything
8:41 pm
has to be about offense? and does that trend so far make any sense? >> that is a good question. it is as a question of consequence when you think about what we are spending on or the direction we lose control over. this notion of cyber offense is very appealing. it is appealing in how it sounds. if someone attacked me i will attack them first. or the best way to defend yourself is a good offense. we can see it in the assumption we are baking into the military documents. offense will be dominant for
8:42 pm
the foreseeable future. and there is a series of issues with that. a true cybersecurity would be one. doing something like that is difficult. it is not as we have seen the senior pentagon officials phrasing it as a couple teenagers sipping red bull and wearing flip-flops could pull off a mass destruction style event. no, they don't. it isn't easy to do some of this stuff. the defender has a series of steps they can take to make cyber offense difficult. it isn't an easy offense way. when you start to connect both the technical side to the military side to the policy side
8:43 pm
to the history side you see lessons crossing back and forth. for example, every time in military history where someone has said the military offense will be dominant, actually history had a great way of teaching them history played out the opposite. prior to wwi is a good example of this. the next is where do these assumptions take you? the united states military is spending roughly $2.5 to four times as much on cyber search as they are on cyber defense research. if you go back and connect to security studies, it is a lot like thinking the best way to protect your glass house from a gang of roving teens is to buy a
8:44 pm
stone sharpening kit. we need to come to a balance in how we talk about it and assess the threats but a balance in what we are spending on and how we approach it. >> and just from a political perspective, one thing that i think is novel is when we talk about attacking their systems and we talk about attacking theirs, they are the same system. and we are faced with the decision do we exploit the other guy or work toward defending ourselves. it isn't just versus them. it is us defined different way and a whole lot of them. we need to emphasize the fact we are better off if we all move
8:45 pm
toward the same >> people are outraged they are not just accessing the e-mail of a few terrorists but they are undermining programs that work for all of us. >> there was a headline saying the nsa is trying to break all of their codes. that is kind of their job. their job is foreign intelligence. the challenge is how we will scope it and how well it is playing with other national priorities. we want to make sure other goals are balanced in the governmental process and that is why americans were upset. and people around the world said what does this mean to us? should we be doing this if we have the power to as well?
8:46 pm
it doesn't lead to a stable world. >> i think pre-edward snowden and i was doing policy work here, and frankly it relied on trust in the government i feel like i cannot take anymore after the edward snowden leaks. maybe you can talk about how the leaks are affecting policy across the board. >> i think the challenge of what was disclosed is the massive scale brought together a variety of things. i talk about the leaks in three types of activity. the first was smart, sensible, espionage against enemies.
8:47 pm
and the second category i would put in terms of questionable. legally questionable and politically questionable. they involved united states citizens using a foreign effort but it is the category of questionable. to be blunt and direct the third category we could call unstrategic or stupid which is collecting intelligence on close american allies. we have these categories and when people talk about the issues and how upset they are with what the government is doing and edward snowden. they focus on one category. but it is affecting the way we talk about it. where much of what matters in
8:48 pm
the united states political discourse, doesn't matter to everyone. the real effect isn't in terms of how it changed the political discourse but the long-term effects will be felt in two ways. one, on american business. and including to a report will lose as much as $180 billion because of disclosure of these activities. and the second is going to one of these 2014 questions and that is the on-going debate over the future of internet and its
8:49 pm
governance. the questions the state department is pushing seems like it is dead. in the year ahead, there is going to be big decisions to make. i worry we will lose the slager on internet issue and may have lost certain swing states. the internet that all of us have grown to know and love will not be the ones that our kids inherit. >> and that is why? >> they are talking about how the internet should be governed. and what the states setup should
8:50 pm
be? we are seeing this being pushed by states that put it like if you like the way russia blacklisted 82,000 websites. that could be the future. that is different than the nsa where that is monitoring. but the politics have been wrapped together. >> that is right. they are tied together now. we set up this organization and it works well. if you look at the structure on paper you will say that is not fair and let's move to a
8:51 pm
representative style. and that might sound good, but the consensus is it will empower those that want to throw up barriers around their own networks and countries that want barriers for economic reasons. they want to go back to the local telecom style. this discussion has been pushed in december of 2012 in dubai. i think if the vote was staying the edward snowden leaks, i don't think how many would have voted with american. so i think where each country
8:52 pm
sets up policy on the network level and wants to make sure their technology is used. there is a separate chip for each country. and that will hurt the space of innovation. >> and on the domestic side, like the classic cybersecurity questions and one is what has this done to the pop politics on capitol hill. we have not had major security legislation since five years before the iphone. it will be another year before we get anything around it. the other goes back to your
8:53 pm
original idea of trust. it is trust in the computer labs and in silicon valley. i met with a senior leader at a silicon valley company that felt they were in an arms race with the united states government. and the same when it comes to -- in the book we talked about the importance of finding the i.t. crowd and some of the governmental agencies have a major issue at the same time we need to recruit cyber talent. we are only getting around 10% of the cybersecurity professionals we need. now it is more difficult because of the tenor around the subject. >> i would like to take questions from the audience.
8:54 pm
please form them in the form of a question. so have a question mark at the end or your voice turn up at the end. starting at the front and we have a microphone here. >> i am jim pain. i am going to pull the thread on internet governance. my question is this: where in the administration does the issue about internet governance reside? who sets the issue? as we evolve, where does this issue reside? >> like a lot of cyber issues, the question of internet governance covers how we get new
8:55 pm
domain names and that is a trademark issue. versus how do we secure that domain? or allocate the remaining i.p. addresses? we are running out of them. the head of internet is able to be negotiated and this is talked about further in the book and there is a nice graphic to help you understand it. the past administrations have been successful to work toward this not being an american question. but the organizational questions of who is going to be in charge globally is a question of international diplomacy and that is predominantly in the state
8:56 pm
department. >> part of the challenge when it comes to policy and strategy is two key words: ignorance and balance. the people who can truly make key decisions are not well-equipped to make the decisions. whether it is the senior diplomat about to go negotiate with the chinese who asked what an isp is. i am mocking this but my mom also doesn't know what an isp is and does know what an icbm is. one is more important to her
8:57 pm
because she was a nurse. to the homeland security leader who proudly said she didn't use e-mail because it wasn't useful. so you have that level of ignorance that is just there. but the imbalance side is there. it is there when we talk about the threats. it was noted this may be a big policy issue, but it isn't talked about. when it talks about cyberattacks, i would argue the property threats, maybe as much as a trillion dollars worth of value loss matters far more than the narrative of half a million times talking about cyber 9-11 or the 31,000 news and articles
8:58 pm
that have been written about cyberterrorism. despite the fact no one has been hurt or killed. it is like shark week where you are 15,000 more likely to be hurt by your toilet. squirrels have taken down the power grid more than hackers. so whether it is the spending and budget and the focus on certain agencies to the decision making question. in the white house you have 12 people on the national security staff working cybersecurity questions. and one on the economic side who has responsibility for copyrights as well. we very much need an approach
8:59 pm
that is informed and balanced. >> next question over here. >> thank you. richard downy and thank you for the interesting discussion. you mentioned corporations and how they are protected or how well they are or are not protected. and you would just assume large corporations or banks with lots of resources would do what is required to protect themselves against these threats. ... is a cybersecurity maturation model that measures how prepared organizations and even countries are against these kinds of threats. on an x-y axis, zero is defenseless and
9:00 pm
the curve goes up to resilient. >> there are a number of approaches like that. i think it helps us understand the issue a little bit. probably the leaders in developing defenses and working together how the risks are connected in the financial sector, why? the financial sector faces very real threats from criminals. why do you go after banks? that is where the money is. the financial sector has learned to work together, developed good defenses, and also understand it from a risk perspective. they don't have to stop every single attack. i have some models to understand the relationship between how
9:01 pm
much to invest and what they're given. companies in the broader economy do not have that. they do not have that for a number of reasons. one, we do not have a good way of understanding what our loss is. often when we talk about the theft of competitive data we think about the special sauce. in 2010, coca-cola was hit by an attack that was later attributed to a group associated with the chinese government. did the bad guys go after the secret formula for coca-cola? no. no one really cares about that. what we do know is less than 10 days after the attack happened, the chinese government rejected coca-cola's bid to buy the largest soft drink bottler in china. that everyone in wall street thought would go through. we have to think about what is
9:02 pm
at risk from a very broad perspective. the challenge is actually understanding what is at risk and how to defend ourselves. that is a really big job. it involves having a holistic view of what is at stake in an organization. that has to come from the board, top-down. it also has to come from thinking about the risks we face . the managers will say we have immediate losses we can tie to failure to act. from the markets, it may have to come from a more interventionist government approach. >> one of the main lessons of the book is that as opposed to how this is often framed and talked about, cybersecurity in this problem area whether you're talking about at the national level all the way down to u.s. and individual, it's not about the software. it's not about the hardware. it's about the people. it's about being --
9:03 pm
the incentives, the organizations that they are in, the level of awareness and all about the people at the end of the day, and in turn and your question leads to really important word which is resilience. one of the things we very much pushes the icy -- i give a resilience model rather than this discourse that is sometimes out there about someone who has the secret sauce solution for all your problems or i can hack back and i will solve all the problems or no, all we need to do is build up a maginot line kind of defense. no, it's about resilience and in resilience whether you are pulling from the resilience human body or from psychology. bad things are going to happen. it's how you bounce back from them. your body doesn't have an
9:04 pm
exterior defense. no, your body is set up to do everything from isolate that to triage to figure out what's important and what's not. the different thing about the psychology side, resilience. you can't go through life thinking you know bad things are going to happen. a resilient mentality and a resilient relationship is something that can deal with the bad things and recover and to go back to what we were talking about before part of the problem of how and why we have talked about cybersecurity issues is you know we turn the volume up. get scared and i have got all the solutions for you. and the power grid scenario. i guarantee you someone is going to lose power in the washington d.c. area within the next 48 hours. but if we put the word cyber in front of that we would suddenly have congressional panels going who is to blame? what's wrong?
9:05 pm
that is part of it so resilience is the model that i prefer us to have. resilience again whether you're talking about the nation, how do you protect your cherished memories and files? i to be thinking about that yourself. >> let's go here. >> thanks a lot, gentlemen. i'm an attorney here in town and focused on national security and humanitarian law and cyberinitiatives and defense work. my question is we talk about the problems. the nsa has been the whipping boy. there are problems with corporations not taking their own initiative but in the opportunities for leadership and the opportunities for government policy moving things forward in the absence of legislation president obama signing the executive order on cybersecurity i'm wondering what the three of
9:06 pm
you actually think or hear about its prospects for actually helping enhance the resilience and security posture of the u.s. nation on the global security and starting with u.s. national in u.s. interest. is that executive order move us closer and move us in the direction we need to know in the absence of the legislature? >> so, the core of the executive order is to develop a voluntary framework to implement existing standards for more security so this applies to all the critical infrastructure which is legally defined but we usually think of it as basic essentials like water and things like that. the challenge of this framing, we can think of the government as the good at some things like hitting people with a stick to
9:07 pm
get them to do things and bad at other things like developing technical standards. one way to look at the executive order is to say we sort of flipped out. government is collecting all the technical standards but there's no enforcement tool so that is why a lot of people are skeptical. i think there is some reason to be optimistic for a number of reasons. this has succeeded in getting the right people in the room to start paying attention. representatives from all the major industries have set up and watching what is going on. they're trying to figure out how do we get ahead of this? the notion here is that this is sort of the last opportunity the industry has to fix the problem themselves and so we think of the executive order as they do it now and i have got the stick of regulation behind my back and in fact part of the executive order is to identify areas where this isn't working. another approach is we do need to have a rising tide lifts all boats so we need to find the tools to get various players to work together and it provides a
9:08 pm
platform and an organizational venue for different parts of complex supply chains to get together and talk about how their risks are interdependent. so, that sounds fluffy or even worse it sounds boring but that is really where we want to be. cybersecurity shouldn't be this new thing. cybersecurity should be the boring work of lawyers talking to other lawyers. economists talking to other economists. technologists talking to each other and having everyone talk to each other. lots of conversations so that everyone is on the same page and hopefully we keep turning that page and getting a little better. speeches take quick sales now. i'm not sure you won't cybersecurity is boring. let's go to another one. jim. speech m. hansen.
9:09 pm
i had a question. historically information security is focused on the perimeter. you build bigger walls around the data and you make sure nobody can sneak in and hack. unauthorized or. between snowden obviously didn't take a lot of progress. when the major breaches we have had no an backed a ban up to the data. people are stealing data. have you seen any advances or moves beyond perimeter security to look at what they are actually doing with the data itself and that is the focus? >> i will jump in on this one and then you can do it as well. you hit it exactly right. in this mentality if we are making a military parallel it's maginot line thinking or the walls of jericho. the walls never work. frankly it's the same, to go back to this issue in the past question of infrastructure. sometimes they don't want a wall
9:10 pm
i liken air gaps to those balloons that the nuns would put between the teenagers at catholic school dances. they just don't work in the end. the iranians thought they had a wonderful air gaps defending keeping you know bad malware out of their nuclear research. it didn't work for them. and so instead we have to change this resilient model but also following basic measures in terms of not only trying to keep bad all at but monitoring what's happening on your own networks including by your own people. and you know whether it's the manning episode or snowden. those, as sophisticated and well-funded as they were, u.s. military, nsa, they were not following basic rules and procedures that a cupcake store should have. the same when it comes to, you
9:11 pm
know the power of very basic cyber hygiene. the most important penetration of the u.s. military network by an outsider happened because a soldier found a memory stick in a parking lot and thought it was a good idea to plug it into their computer. that's not just cyber hygiene. that's the five-second rule. [laughter] and it carries across this and we are laughing but it's the same story of a major technology company who said when someone, a guy picked up a cd that he found in the men's room. would you pick up anything you found in the men's room, pizza food or home are plugged in or whatever? he did it with the cd. all of us who work in a policy world go to conferences where you were given these memory sticks out as favors but again very basic hygiene and it goes back to the question of
9:12 pm
standards. the top 20 controls that one study found they stopped 94% of all attacks. 94%. we go wow what about the other 6%? it might come from someone sophisticated. i hate to tell you but all of you are not being targeted by apts. the second is even if you are an advanced persistent threat a sophisticated operation even if you are go talk to your i.t. folks. they would say if i didn't have to spend 94% of my time running down the low-level stuff, i could focus on the big stuff and finally guess what, they have been stuffed also gets into these low-level things. my favorite recent story of this was a diplomat at the g20 conference who got spear phished so to speak. they received e-mails that let them to on a link where they thought they were downloading
9:13 pm
photos of the french first lady and they were downloading spyware. we could go on and on with the stories. all these very basic levels, where we could do a lot better and get to some of the more sophisticated technological responses. >> anybody else have a question about picking things up in the bathroom? [laughter] >> using this in part also we have to stop talking just in kind of cold war frameworks which is the main way this is talked about in this town or it's just like a wmd which has been said by everything from national security advisors to senators alike. if we are going to use metaphors and comparisons, the period of the cold war is not the only one to draw from. in fact if we are trying from the cold war, to me, we are in the period of the early stages of the cold war where we didn't understand the technology but we also took dr. strangelove year's seriously.
9:14 pm
>> not exactly about hygiene. i'm a student at sais across the street. if you zoom back a little bit and think of the world, i mean people talk a lot about the u.s.-russia china but very few people talk about countries like israel and the e.u. and that is another tier down which is i guess latin america or central asia. i come from turkey where they recent government report said that very sensitive information was protected by passwords like 123 and very, very weak systems. what do you think is the place of those countries, sort of the lowest tier in cybersecurity in the future? >> so there are a number of different issues there.
9:15 pm
for example the number one generator of malicious traffic on the internet right now is indonesia. so how did indonesia get to be this is a separate discussion which is also interesting but we have seen this real issue for every country. now there are some benefits to being small. you actually have to have a trusted group of people, so i know we have chatted here at brookings with some governments that have been the victims of cyberattacks and they have set up a voluntary -- a volunteer army to react in case of a crisis and that works in a small country. that would never work in a country the size of u.s. or china. there is also a real danger but i called cybersecurity ghettos where as more and more countries develop a sick defense is you're
9:16 pm
going to have those who are seeking to exploit insecure infrastructures move to a smaller set of countries that have a much higher bar to make themselves more secure. and so the downside of i don't have to outrun the dash i just have to outrun you is you have a number of people who are just slower and i worry we will be some source of attacks. this has been identified as an issue. in fact the republic of korea has had said listen cybercapacity building should be a priority for the world bank and they are trying to figure out how they can go about telling that kind of international cooperation to really raise everyone up at least above the level. >> one of the other things he touched on is that this is a space where you have so many different types of players and in this question response. we fell into that old political science flaw just talking about states and yet this is a domain where everything from
9:17 pm
states large and small to nonstate actors that range from targeting google to anonymous to you and i all matter. we all played. we all have power. different levels of power but we all matter and so if we are talking about problems and solutions we have to move out of that classic framework. and that leads to, you know, one, back to the policy side we can draw lessons from other actors out there so as an example there is an active debate within the u.s. military right now about what is the role of the national guard and reserve when it comes to cyber? we are approaching it in a very classic national guard and reserve model versus i think a a -- model. it offers a lot of interesting things to draw from that might be far more effective. similarly we are talking about the makeup of the internet itself is fundamentally shifting
9:18 pm
to the anecdote that we still illustrate how do you know it's changing is that if you look at google tracking, cute cat videos are now starting to lose out to cute and the ink you go to videos. it's a fun way of showing that the power of chinese users of the internet and african users of the internet are growing but also their cybersecurity threats and concerns are growing with a number of videos that are out there. >> right here in front. >> arthur silber unaffiliated but i do have an atm card. how hard or easy is it to obscure or indeed to forge the origin of a cyberattack?
9:19 pm
>> from whom? it depends on who you are trying to fool. if you are trying to fool your basic person fairly easy. if you're trying to fool a national intelligence organization you not only have to use technical but you also have to have perfect operational security. so you have to remember that among the defenses that countries have it's not just let me look at this packet and try to use technical forensics. it's let me see as they been in eavesdropping on satellite invoke calls what if they talking about? you also have to narrow it down further to who wants to attack you without you knowing it was them which is also a smaller set of people. so, it depends on what kind of attack you are worried about and what kind of resources. if you're trying to fool your local police department about who is sending all the money in a bank account to kazakhstan,
9:20 pm
pretty straightforward. if you're trying to fool the federal government into a false operation needs the do it a lot more carefully and it's much much harder. >> you made a joke at the start about your atm card but it's a great illustration of some of the earlier points. the first is your atm card is a multifactor approach to security. it's something you have but then they also ask you for something that you know, your password. that points to two things. first it points to why does the bank have that structure as opposed to, you know, the way we approach security may be in other sectors and goes back to what allan was saying the differences in incentives in the different kinds of industries where banks because they understand and oh by the way there's a legal framework that drives that kind of price for them, they put in those kind of security requirements that you think are quite simple and easy versus a power company that
9:21 pm
doesn't have these kinds of approaches and still does use the 1234 password approach and the 80% of small power companies that aren't under any cybersecurity regulation right now. so to me it points this value of the incentives but also how personally we should all be thinking about our own security so you have that multifactor for your atm. do you have it for your gmail? if you don't, you should. >> we have about 10 minutes left on this panel and we are going to roll right into our next panel with some of the top reporters in d.c. and new york. let's do two more quick questions and then we will bring in our next panel. >> hi. i'm with the dutch embassy and i like her in much that we have a conversation about the human year with the internet because the space and the mpac space domain is extended not only as
9:22 pm
an additional agent but a human agent. also the last 6% where the role for government could exist. so i want to give you three examples and ask your opinion about it. the first ones are the -- of the internet. actually one of the main drivers are one of the main successes of the stuxnet was the use of exploits. there's a local government here and another example is the industry's leading processes in manufacturing. the underlying assumption is that the cryptography does not lie only in software but also in hardware and breaking these on a hardware level can have an origin in our industry and hence our government has a role in that.
9:23 pm
the last example is about isp. i have seen a professor doing a huge research on the role of isp in combating botnets and these are responsible for spam and for spyware version that arrives on our library is at the ge 20 conference. what do you think about these three examples with respect to the government's role? >> i will try and jump on them real rapidly given the time. first on the black market, it's a very good illustration of the lessons to be learned from both contemporary security policy as well as history, not just sort of within the cyberdomain. so if we are thinking about current counterterrorism policy playing whack-a-mole is a loser's game versus going after the underlying structures. the same thing and in the book and noaa has written about this,
9:24 pm
understanding the parallels to piracy and privateers at sea. back in the 1600's to 1800's and the great pirates individual criminal actors versus privateers like the example between classic cybercrime versus some of these more stately efforts in patriotic hackers but in neither case both on the naval side by going after the markets, going after the structure, that's how you deal with it rather than trying to chase each and every individual one. to the isp question, it's a perfect illustration also of how going after the structures that everybody agrees. it may give you space for international cooperation when you don't think it's possible. as an example of the u.s. navy and the british navy throughout the 1800's trained to fight each
9:25 pm
other because they cooperated in antipiracy campaigns. much like the u.s. and china in the space where there's a lot of issue for conflict. they are real bad things happening that they are also areas that we could work together against what the chinese called double crimes. part of this is facing the fact that we americans, we have got some issues so isps one study showed that 20 out of the top 50 cybercrime spewing isps are american ones. the chip question, absolutely. this is a hardware vulnerability that could be baked into our systems and i would just point to give the military example, it was revealed that the f-35 program allowed certain chips made in china to be dropped with waivers around them. some very deep concerns about what we might call a hardware attack. so very quickly it really
9:26 pm
captures how you need to understand. you cannot address this issue without understanding the technical the economic and the political side. for example on the isp side different countries have really looked into the options, should the isp tell me whether my computer is part of the international botnet that might be attacking estonia and the challenge there is on the technical side. we actually don't know very much about the likelihood of detection is and what is the reinfection? if i tell you you could be reinfected immediately then it's a waste of money and effort. on the black market side it's a great example and we are starting from some work on that at gw where the focus really is understanding what technical questions shaped the effect of the market. for example, if i discover a vulnerability in a piece of software and what is the
9:27 pm
likelihood that you as an adversary will rediscover that vulnerability? if we are both going to find it we are going to have different equilibrium and market. we will have different policy solutions than if the chances of rediscovery are zero. so we need to understand the technical details. how a code is secured over as well as the market side and that will lead us to understanding the government side. >> we got time for one last question before next panel. >> hi three of breast cancer and i'm an attorney in town also. so my question is about resources and i'm thinking of the post-9/11 era when we talk about major attacks and there's a lot of talk about hardening soft targets and what we do but people going into shopping malls and shooting people. they wind up saying there's not much we can execute a harden those targets. fortunately we haven't seen as
9:28 pm
many attacks as there could be. here if this is a good analogy the problem is there's a lot of of -- to those soft targets. someone who wants my credit card can get it from target and they can get it from the cupcake store or amazon.com. i'm wondering do we have the resources in the soft targets that we need to and if we don't what does that mean? >> i will jump in on the example of the military implication of this and please weigh in. to me what is fascinating about this is how we have approached security within dod, which is try to delink it from these threats which as we talked about before have improved possible both because of threats coming in and massive amounts coming out to trying to incentivize what part of the defense economy the major contractors could get
9:29 pm
much better at their security and they have. they have seen these kind of threats happening but then not facing the fact that there is this wider set of targets out there that are quite soft. the incentives are not right. the awareness is not there. they have just as much implication so to give an illustration. the first book i did was on private military contractors and how our entire logistics system is dependent on these companies. you have a perfectly, let's imagine you have perfectly safe security military network. what happens when someone enters into the logistics company and changes the bar code numbers for the shipment of gasoline to toilet paper. you have that unit out there that gets the delivery from the supply train and it is toilet paper and not gasoline or ammunition or if we are thinking about the industry the big prime
9:30 pm
that pays a lot of attention to getting themselves secure, but supply chain of the mid-and the small companies aren't well protected and that is where we are going in. so, it circles back to what we were talking about before, understanding that we were all in the space and we need to raise the level of resilience and awareness in it. very quickly on the private sector side and the economics information security for a decade now and it comes down to two things that we are still trying to understand that working towards. one is how we think about return on investment. how can we create incentives by saying if you make yourself more secure it will be in your interest. we need a way to communicate that as well and the second thing is the scale. ultimately defense comes down to making it cheaper to defend than to attack. and that means we need to raise the cost of the attacker and lower the cost of the defender and that's a technical question
9:31 pm
is also an organizational side question and fundamentally as peter said it's a question of politics and governments. >> so we have got time for this panel. i want you to join me in a round of applause for our panel. [applause] they will be signing books at the end of our next panel also available at cybersea 30.com. now i would like to ask the second group of panelists to come up to the podium. we will just sit tight and roll into our next panel. >> thank you. >> thank you. >> so, peter asked me to put
9:32 pm
together this second panel of reporters and so i just went ahead and picked four who are not only great on this issue that are great you know, just great in general. and fabulous people, great cooks. so starting right here to my immediate left, siobhan gorman and david with the new york times. tom gjelten of "national public radio" and an awesome shoes we have from the u.k. as you can tell by the shoes, james ball from the guardian. let's just start with the nsa stuff since it is a big issue right now.
9:33 pm
can we talk a little bit about how the introduction of these snowden leaks has kind of changed the way we are doing business and how much harder or easier it is to report on the nsa and the intelligence community as a result of them? siobhan you have been covering the nsa. >> i think it kind of cuts both ways. you know, i haven't been writing so much on the documents themselves but i have been writing on sort of related nsa issues in the midst of all this revelation. i've actually found that as many people might feel a little bit less inclined to want to hear information about it there are probably at least as many at this point that now feel, i don't know if it's emboldened or
9:34 pm
they just feel this is an issue that's going to get more attention now so it's worth their while to share what they know with reporters whether it's by way of context for additional information and details. i think probably on balance it has led to a greater amount of information that reporters are learning even beyond those documents. in addition to that obviously the government is behaving somewhat differently from the way that it did. the nsa setting up a whole task force to deal with the snowden leaks. that's a fairly unprecedented thing for them to do and one could argue that they haven't been as forthcoming as they should assert me if you are looking at what their baseline is it's a lot more than what was. i have also found it pretty fascinating that the government itself, the director of national intelligence has released this huge document dump in waves and especially some of the recent
9:35 pm
ones, we have seen a lot of highly revelatory court opinions on the surveillance court that in a lot of ways are more condemning of the practices than anything they put out. i don't think it's all one way or the other. >> i would agree with that. i would add that i think there are three different elements of this to think about. the first is that even before the snowden leaks happened, i think all of us would say reporting on these topics has not been easy in washington. i can recite for you all the statistics in the investigations underway by this administration including against many people on this panel. for based on the stories that they wrote but even beyond that, these topics have all been topics on which the obama administration i have found has
9:36 pm
been less willing to discuss than the bush administration and as we all recall the bush administration didn't win a reputation as a -- so that's the first thing. the second is the immediate response to the snowden revelation i think was for many of the intelligence agencies to sort of hunker down and not answer any questions and then they discovered, the fall but that was getting improbably into more difficulty than if they actually came out and explained some of these protests. and what has struck me about the documents that siobhan has mentioned have come out, it's reasonable to ask the question did all of these programs need to be classified to begin with? for example, and i don't know the answer to this but had the nsa revealed the full collection of metadata programs would it have truly helped any terror
9:37 pm
group that was trying to evade it? or could they have won some democratic buy into this concept particularly in the years immediately after 9/11? i think the third element that what we have learned from the documents themselves, many of them have been very revelatory. you have to avoid the temptation of looking at the top unit and assuming just because you are looking at it now it represents what events are like today. we are at a point where two things have gone on. first for general reading public we have become something of a blurb. there have been so many documents out there that can't quite sort out what's new and what's not. and secondly we are at the point where you really have to supplement them with some form of other reporting to be able to explain them.
9:38 pm
>> i have found this to be a really difficult story to cover in many ways. first of all the complexity of it and this of course applies to a radio reporter who needs to kind of tell people stories and not just sort of write it out and give you the opportunity to read the story three or four times before you get it. you have to get it the first time. these are some really complicated issues that we are learning about. so just from that point of view it's extremely difficult. i think that there actually has been as many errors in reporting the story as i have seen in a while. i think that is partly because of the difficulty of understanding what it is we are learning and communicating. and then added to that i don't recall in i've been covering national security for a number
9:39 pm
of years and i'm curious how the rest of you feel about this, i don't feel there is as much polarization as there is in the story. peter baker did, a colleague at the time smack at a piece over the weekend where he quoted peter swire which is what the president's review group. he had a friend in silicon valley say 90% of the people in his tech company were convinced that edward snowden was a whistleblower and every single person he talked to in the national security establishment felt that edward snowden was a traitor -- and we have seen this deep polarization throughout the way we have reacted to these disclosures. it's not that we as journalists should shy away from stories where there is a polarization of opinion but in this case you know because we as news organizations and the guardian and the post as well have been
9:40 pm
players actually in the story. you know there has been a lot of of -- it's been a situation where you have to almost decide what kind of posture you were going to take in approaching these disclosures. for all those reasons, i mean none of these are issues that we should be afraid of dealing with. this is a really complicated story to report. >> i think it's quite easy to -- with access to the documents. obviously the guardian has substantial number of them and we have been doing that primary report. i think initially there was the impression that edward snowden was coming over to her three at a time and explaining. it's actually much more great his approach was to trust reporters and to trust outlets as opposed to the guardian and
9:41 pm
subsequently to find out for themselves what is interesting in how to structure it. that is the extraordinary challenge and very few of them and they were the ones that went out. now it seems like an extraordinarily simple story compared to say some of the ones that touched on cybersecurity that we talked about. while you are trying to build up this pressure, you start to see clear signs that not to increase security but to keep the week in the nsa having enough confidence that they could take vulnerabilities back to the people and it would keep those vulnerabilities there. that starts with you seeing a
9:42 pm
few documents. there are dozens more and dozens more and you have diplomatic correspondents who are good on international relations asked that. you have reporters with a technical background who are trying to sort of separate which acronyms are program names and which are technical acronyms which some who are looking at the stuff can do. you were not looking at a guide. it's not a tutorial. everyone else knows all the lingo so you the of the sentence which means absolutely nothing to any sane human being that is perfectly comfortable to anyone who knows about national security. and so you have to challenge that a sort of what it has done this challenge especially on cybersecurity on all sorts of intelligence issues. there has been this decade or more where there's just been that sense of we need more
9:43 pm
spending and we need more powers and what the snowden files did was give a chance to get this public debate. i think america sees it quite well. britain, not so much. as you may have noticed we have a few issues over there. and that's very -- fairly commendable. whatever your stance on the second debate can be like construct event i think quite alarming even if you were not someone who believes snowden is a whistleblower, as i do, is there was a very strange moment in the u.k. intelligence committee where a member of the mi-5 was supposed to assess the dash and he'd likely in one sentence said not a risk as if it couldn't happen. of course at heart he has. there are lots of documents amongst the material. the fact that he seemed to have
9:44 pm
considered this a black swan should terrify you. he just evidently didn't understand the question. i think whatever your stance, whatever you think should be done in these areas it's clear there are a lot of questions still to us. be it seems like a hallmark of cybersecurity reporting over the years has been the desire of government agencies, by outside contractors to always heighten the risk. the sky is always about to fall. it's amazing how every minute of every day the sky is about to fall. do these documents change that at all talked about all of a sudden a high-ranking
9:45 pm
intelligence official kind of lowballing risks. so have we finally seen the end of -- where's how does the stuff change? >> do you mean in terms of heightening the cyberthreat itself? >> yeah and also the risks associated, the risks with these leaks. >> it seems the insider threat is higher and the outsider threat might be lower as i understand it. it's not the wisest thing one can do. i mean the concern, and this is really affected by the snowden documents the concern that i would hear from government types and security types is not so much that it was high-risk but so many of the cyberattacks could be high consequence.
9:46 pm
their cyberbreach was pretty high consequence, so in a way the snowden revelation sort of show how one individual, this is asymmetric, and asymmetric conflict or challenge so in a way they could actually prove that point, that you don't need a lot of examples to show that it's a big deal. you kind of only need one. the security experts who i would talk to the point to the more traditional threats that this is kind of like a second pearl harbor and this and that and the other thing is not so much saying you know the countries or their positions with the greatest capability like china or russia are going to do it the more that if there is such a burgeoning black market out there that it's only a matter of time until those kinds of things get into the wrong hands and therefore you have a reasonable risk that they'd just getting into the hands of someone who wants to do something bad. i think it remains fairly
9:47 pm
amorphous although like i said it's a higher risk. >> anyone else want to tackle that? >> the only point i would make is we now know one of the reasons the u.s. government is so concerned about the united states is that these documents underscore what we knew even before these documents came out which is that the u.s. finds is not all that difficult to do these things elsewhere so that underscores their understanding of the risk to the u.s.. >> for me, a big revelation had nothing to do with the snowden disclosure. it was the story last week of the merger of -- and reading the bottom-line analysis of mandiant and the revenue projections and the stock price projections for this company i think that was something, it was important for me to take into account because mandiant among other
9:48 pm
cybersecurity firms has been an important source of information to other cybersecurity reporters about the threat up there and when you read about how much money mandiant and now mandiant and fireeye are making, convincing companies and organizations that they are under threat and proposing ways for them to mitigate that threat, you want to think twice about this issue that came up before about hyping the threat. there are some really big financial stakes involved in this debate. >> i think that touches on the absolute issue of reporters missed particular sphere appeared almost all of the incentives are with people to heighten the threat. to say this is very low risk for this is very safe. you are trying to defend quite
9:49 pm
large budgets and budgets don't often have the same degree as other areas. there's a huge sort of private industry that is struggling with defense budgets, security budgets that are going up like they used to. cyber is the sisal area which is still in growth area. if you read the annual reports of the defense companies, just cyber companies everywhere this is why they're hoping to keep growth or at least all shrinking. so if you look at the lobbying money spent in this town on cyber in the last five years it has gone a step accurately. you are talking for fivefold and this is still an annual growth of -- rate of growth that is huge. there is not much money and saying actually let's come down for a bit and maybe we should do something about it.
9:50 pm
there are not many people going hang on, you know, we are looking to try to fix the deficit. should we really be spending this much money on cyber? how do we judge what a win is like? how much responsibility should the federal government be taking for it or should we leave it to banks? there is not really a sort of boring common sense lobby in the middle of this going hang on, maybe it ain't that bad. so maybe, my position is maybe we have to be more skeptical in the cyberfield than the rest of it. that's always difficult for journalists because if you go to the desk i have this great story about threat unless it go let's just tell people to chill out but it doesn't get on the front as often. >> i guess i'm on the inversion
9:51 pm
of the fud, the fear, uncertainty and doubt. you have these other operations saying no, the core cryptographic algorithms are actually totally secure. we didn't really undermine them, don't worry these documents they don't really say what they mean in a way that usually these are the guys that are saying the sky is about to fall and now they are saying actually it's totally fine. to me i found that interesting. i'm going to ask one more question then i want to open up to the audience. i guess it's this. are these documents, are they the shiny object that we are chasing and we are being distracted from real bigger issues in this space or is the big issue itself the nsa? you know, how fast the spy network is? >> i guess to me i feel like there has been sort of a sub story that has gotten less attention and i reference it earlier when i talked about the documents that have been
9:52 pm
released by the director of national intelligence the fisa court documents. i actually think that there is quite a lot of questions not to be asked about nsa's overall competency. they seem to have mismanaged all of these large programs so you know it's kind of this weird double story that we are hearing that is sort of you know omnipotent but it's also kind of incompetent. so i don't know which makes the civil libertarian feel better but it's not, i think it's a little bit more of a nuanced story than they are just taking everything. they are not exactly doing that and what we have seen is when they were attempting to do the phonecall records they claimed they had all these protections and they didn't understand their own program well enough to actually enforce the rules they had promised the court that they would. we saw that with the internet metadata collection. we saw that even in the internet all of a sudden we have tens of thousands of domestic
9:53 pm
communications. they swore to the court they wouldn't take. to me that raises broader questions of considering that so many of these programs have perpetuated themselves for a decade as these technologies change, how much sort of more coloring outside the lines does the nsa find itself doing just by accident and the act but it doesn't necessarily understand the implications and changes in technology and what sort of airing this that have on all the other programs we don't know about? >> i'm struck by two elements of this to go to the question of how effective these programs are. if you look at one of the programs they abandoned in 2011 which was the e-mail metadata program, they were looking at roughly 1% of all the e-mails sent in the united states which is a lot of e-mails. think about it. and ultimately drop the program in part because of critiques of
9:54 pm
it internally and in part because they weren't getting very much out of it. then you go to the presidential advisories committee report that came out the week before christmas and they were a lot less convinced about what the metadata program actually yielded in the way of preventing terrorist attacks than you would get if you were just listening to the congressional testimony of general clapper and general alexander. so even if you consider them to be highly competent and good at what they do and i think for some of these programs they probably are. the reasonable question is, is the amount of time, effort money and in this case diplomatic and business cost of this worth what you were getting out of that? >> i can say that the amount of time that i have spent chasing
9:55 pm
nsa surveillance stories and edward snowden stories over the last six months has been vastly over -- does that mean it's a bright shiny object that doesn't warrant attention? i'm not sure. i think what the review group said about the effectiveness of these programs is extremely important given that for example michael morell former deputy acting director of the cia was on that review group. i think there is a real reason to question some of the more extreme claims made by general alexander and general clapper in this regard. however i do think that, i think that these disclosures have raised a couple of issues that are hugely, hugely important and really warrant all the attention that they have gotten. it's not just the trade-off between national security and civil liberties which is the debate we have been having in this country for many years.
9:56 pm
but particularly for purposes of this discussion today it's the trade-off between the advantages of protecting the good guys versus going after the bad guys. and i think we have seen the trade-offs in that regard, not really clearly in these documents. the way that the nsa has undermined cybersecurity and haa lot about the vulnerability market in the last few months and the way that the nsa has actually held onto vulnerabilities for work purposes for cyberwork purposes versus you know sort of the helplessness of organizations like the department of homeland security. you get the feeling that they have been completely in the dark all this time about what kind of offensive capabilities the country has. it really does seem to get to what peter and allan said, it does
9:57 pm
seem that all the priority in this government has been cybercapabilities really to the expense of cyberdefense capabilities. that is a huge and important issue and i think that's something that really has been revealed as a result of some of these disclosures. >> i think maybe the most extraordinary sort of confidence issue and the whole thing was this brilliant tale from an anonymous cia official of internally promoting the metadata program and bringing this vast printed out network diagram talking about how you could use it to find the key nodes and the people who are keeping different sort of suspects in contact in the wanted out a couple of things where hundreds of people have been contacting this one number in saying see, look what we're doing lets you identify these. the cia i must say, we decided
9:58 pm
to take a look at that number. it was a pizza parlor. which a lot of people call. this is you know regarded as one of the more tech-savvy nerdish advocates because he knows what he's talking about relatively speaking for military intelligence officials. his just- >> case just -- internally and it's one of those concerning fragments that you get. makes you wonder the extent to which these kinds of large-scale trawls that we have struggled to see much evidence in terms of results to justify to distract from other missions and this vast ambition has undermined other goals. the obvious threat to cybersecurity is this undermining of security.
9:59 pm
there's a more subtle law which is maybe worse which is to do this combination of intelligence and security coming together and being run by the same agency in the same people. sometimes that can lead to good things. if you are sitting in bits of about one of the internet, you can see floods of traffic sometimes when they're coming in and it can help you get an early warning of denial-of-service attacks and that kind of stuff. but if you are trying to persuade companies to let you into their systems to help you defend them, if you are trying to encourage foreign governments to cooperate with you on security and so on while also using the cybersecurity as a front for intelligence operations, you are absolutely undermining trust in your companies, in your agenciee defensive steps you can take. that kind of overreach is not easily fixed because that is all about your relationship with the
10:00 pm
tech sector, with your allies and with everyone. and so when will the u.k. government in the german government and other people who should be working at incorporating, foreign banks, you know the u.n. and the e.u. when will they actually take advice from the u.s. security agency for intelligence agency on cybersecurity? it's not going to happen soon and that leaves us all in a bit of a mess. it's actually the issues that aren't even just the technical side. it's the political mess that has been made of combining intelligence, security. .. ay to japan or what have you. it is just a series of trust arrangements. if you undermined those, you
10:01 pm
undermine the core of the internet itself. >> which is why this may be the first scandal in modern history that has a bigger business effect than diplomatic effect. >> right. i will open questions up to the audience. since this is peter and allen's book coming out party, i want to give them the privilege of asking the first question. >> thanks. hi. i am co-author of a new book, which you can find more about. what i love about the structure of it is the first panel, we tried to wrestle with what everyone needs to know. you have been exploring how we report and talk about it. first, thank all of you for coming. i deeply appreciate it. i want to pull the thread further. how do you see news organizations? you are from different types, newspaper and radio and etc.. how do you see them organizing
10:02 pm
reporting on the topic of cybersecurity questions in the future? do you see that evolving? second, the training for journalists themselves. the technical side of reporting on these stories. one of the interesting things to me is that news outlets have been among the most notable targets of cyber security threats, from state organizations, certain large power that shall not be named, to recently syrian electronic army, not an army, but has been having a lot of fun with different news outlets from noteworthy ones to the onion. how do you see the training for journalism evolving on this as well as the organization? >> i tend to find especially with british journalists,
10:03 pm
journalists do not like computers and math. to involve both. it is a bit of a team effort. journalists have to start taking it seriously. we have talked about source protection since the dawn of everything. tedious amongst the profession that you would go to prison rather than reveal a source and so on. now, you could very easily reveal a source just because you are rubbish at computers or your e-mail password is 123456. we have to get better at that and take it seriously. is a consensus. part of what else we have to do, start making encryption technology, secure technology, and source protection technology usable by regular humans. a lot of these systems are very complicated, even if you think, personally, that they are important.
10:04 pm
fine, however brilliant someone is at computer security, if you look at what its wrong, with most things, is not often that someone did not have the right system. at three o'clock in the morning, when you have been hours, the servers are met to hold are not working, you give up and send it e-mail, or you cannot face the barrier, every time you have to get in touch with someone doing what you have to do, the technology has to get easier and has to start to be made with regular, normal, fallible human beings in mind. we also have to learn to prioritize. if you get on my twitter account, you will embarrass me. but you will not do much more. if you get my e-mail account, you might find a couple of low
10:05 pm
level gossip. you will not completely screw me if you get in either. i have got all of the things you should do. but i do not lose sleep about the idea of people getting in there. we learn what to protect and what not to. it is all about team approaches. if you have a cybersecurity reporter, i can see why in the last few years, to get people to understand broader things and get them to work together. to understand politics. journalists are much better when we work in teams. today we willrned factor in our own system, which i would say is a direct result of the lessons we learned over the last two months. recently, almost all of my
10:06 pm
collaboration as a reporter was with the foreign and washington desk. since i have been covering the story with the technology reporters, i have become dependent on them to help me figure stuff out, and we are working on a series now about the arms race, the digital arms race between the nsa and the tech companies. i am completely dependent when it comes time to talking about encryption security measures. i really take -- depend on technology people at npr to help me with this. just in our own case, it has really opened up a whole new area of collaboration. really not there before. right, the times has been the target of at least two different big groups.
10:07 pm
a chinese group came in and lived in our computer systems for several months back in 2012. we think searching for the sources of stories about how the prime minister of china's family got so wealthy while he was prime minister. they did a remarkable job finding their way around a computer system that has stymied me for decades. [laughter] and then we have the electronic army, less sophisticated, come in and attack. one day last summer, they actually managed to close down the site for a good part of the day. the paper came up with an innovative response to take all the stories we wrote that day and printed them on paper and then drove around different parts of the country and drop them. remarkable technological approach. that was gutenberg's best day.
10:08 pm
in the paper itself, we are pretty accustomed to having collaboration that move between the technology and foreign policy. and domestic policy side. i worked for years with no in our science department and we proliferationr stories together and worked for years with john, one of our best silicon valley reporters, and we did much of the early games reporting that way. but it is always a challenge internally because you have to cross bureaucratic barriers within a news organization. more and more news organizations have discovered the necessity of that. it is no longer really a choice. if you tried to do an analogy to a previous era, it would not
10:09 pm
have made sense in the 1940's and 1950's to just have a summary and reporter or just have a reporter covering nuclear weapons when they were coming out. ultimately, while you wrote a lot about those, that had to get integrated into a broader national strategy. the argument all of us have been making, i suspect, is that this reporting more than anything needs to be put into a broader national strategy. snowden has helped with that. you made the point in britain, it has helped -- been hard to get in much of the debate. i thought after many of the revelations about the u.s. the beldingn in stood cyber weapons, there would be a kind of debate in the u.s. about cyber weapons that there was about drones. but that has taken longer to generate. these things are hard to predict.
10:10 pm
the journalof how handles cybersecurity, i becaused that evolution i came to the journal in 2007 and had been covering nsa quite a bit when i was at the baltimore sun. i had just done a larger story on this effort we later learned was the comprehensive national cyber security initiative. i spent a year trying to get our editors to care at all saying, who is being hurt and does it involve people? find me the company. this is 2008. in 2009, we were able to shake loose a few stories that got our editors' attention. they were won over. we did too good of a job. all of the sudden, and i cover intelligence. it is not the whole thing.
10:11 pm
i have an internal lobbying campaign thinking this is a cool set of stories to do. it is kind of interesting. in 2009, i was supposed to do every hacking thing ever. over time, i think it started the banking and financial reporters, that they realized this was a story companies really cared about. little by little over the last few years, different reporters responsible for different sectors, energy and what have you, have taken their own interest in it and will work together when it is relevant or not. but the journal was a little late to the party in that it was only last year that we actually started a dedicated reporter, which is not necessarily just to make sure this person's prom, but almost to make sure they could
10:12 pm
traffic copy issues and this is someone who is in d.c. and is now based out in san francisco. corporate from the side, recognizing this is at least as much a corporate story as a national security story. the way we break it down at this point, i handle some but not all the national security stuff. we all work with our colleagues. cybersecurity, the journal was also hacked. reporting that story was quite an interesting phenomenon, probably different from what david probably experienced. i heard from my editor, it is 10:00 at night, you do not need to do anything with it yet and this may be our own problem to report. i was waiting for someone to call me and explain it. nothing. the next morning, i showed up in the office and said, ok, what
10:13 pm
are we doing. and they said you could report the story like any other hack. the journal was not quite so forthcoming. it took until 4:00 in the afternoon the next day to get the intangible statement from our own company that admitted we had been hacked. they claim they need to wait until all of the new security procedures were put in place before they spoke about it. where the kind of thing even after that, we have to call communications people and give us the assurance nobody is moving around systems. what i learned from my experience reporting that particular story, my company was not necessarily going to tell me who had been hacked. bureaurs in our beijing only heard on the down low that they had been hacked. obviously, it can happen to us. we take precautions but operate
10:14 pm
under the assumption it could certainly happen to you. >> that is an amazing story. from an editor's point of view, as other technical issues have become more important to general reporting, there has been a training of reporters and reporters that maybe came up in clinical, that were ok with the he said she said, and there were no real right answers, it is actually, there are right and wrong answers when it comes to technology. there are things that technology cannot do. i think of one reporter in particular it took a year and a half for me to beat that out of him. it was a process. now he knows. we are all better for it. >> spoken like a true editor. >> management well. [laughter] >> all of his successes are of
10:15 pm
course attributable to me. let's start in the back there. >> retired ceo of publishing and physics. bit about thetle controversy, the trade-off between intelligence and civil liberties. there is also another one that has not been mentioned as much. that is trade-off for intelligence and democracy. there is such a thing as a black budget. not many of us know how big it is. decisions, and what is democracy if a large fraction of our national budget is made without public debate and public knowledge? doesn't that issue come to the fore with all of the funding for the nsa and what they are doing, and congress has decided? who has decided whether to fund this? what happened to the
10:16 pm
appropriations process? >> that is a good question. >> i will take a first shot. even before snowden happened, there was the beginning of some revelations about the size of the intelligence budget. the snowden revelations themselves included a lot more numbers. it turned out a lot of the budget numbers were wrong. that actually tells you something about why you have got to be careful about some of these documents. there was one budget document we looked at that i think the post extensively.bout it indicated 231 offensive cyber attacks in 2011, was that it? appropriation it came from. >> right. it turned out later on the document had been put together by a budget here who did not
10:17 pm
know much about what a cyber attack is like. most of those were not what people on this stage would call offensive cyber attacks. have got two layers of problem. one is the secrecy around the budgets themselves. the second is a definitional one that would enable us to understand how much is being spent in a lot of areas where even in the u.s. government, there is argument about how you would define it. >> it epitomizes a broad problem. i worked on the state department cables, wiki leaks released those. public interest rates. in those,hat you read these are pretty good public servants. one or two of them could write one that -- more like -- more nicely than i can. a lot of privacy policy gulls
10:18 pm
were more or less in public. you think, about two thirds of the president's job is probably foreign policy and military policy. the vast majority is kept secret. the thing that struck me when was what is going on with the reflexive secrecy. this is the bulk of what the administration is doing and a lot of it is fairly innocuous. the same is with these intelligence budgets. , whichd the black budget was a budget appropriation and a fairly significant chunk of it was released. if you read that, it is very top line. quite broad. of stuff in that that could be made public. it is not particularly useful
10:19 pm
information. it might also make you think, should we be spending $500 million on this ticket listing? if nothing else, the democratic issue, are we not also possibly wasting a lot of money that we could do something better with? when you have that degree of secrecy, you do get massive democratic issues that touch into a lot. you are right. >> let's go here in the second row. >> thank you. can any of you envision a scenario in which the united states government gets custody of snowden on american soil? that could be an embassy in another country. >> anything is possible. not -- i do not know a lot about snowden since i do not know we know a lot of the
10:20 pm
administration's calculations except for the fact they have not been amenable to the notion. one interesting thing we will see in the coming years, is whether or not that issue gains political momentum and becomes a subject of public discourse, or whether that has played itself out. i think that is where he ends up. of -- as a legal decision as a political one. >> the president decides it is no longer in his interest to have snowden as a guest of the state, you could imagine him being placed on their plane someplace and landing somewhere he does not want to land there it >> he has only got permission to be there for one year. it is not necessarily an issue that will be up to snowden and his lawyers. wonder whether the likelihood of people fleeing the country when they make these kinds of things rather than doing -- dan ellsberg and all
10:21 pm
that. you wonder if perhaps the pretrial treatment of manning has made it more difficult to convince people to stay in the country and trust that the justice system will give them a hearing to decide if they are a whistleblower or a traitor. that a really quite long sentence, given that everyone acknowledges there are no proven harm coming to anyone as a result. whether it makes it likely in the future whether the justice system will be able to make these decisions and maybe that was a mistake. >> over here. >> thank you. you have talked a lot about the nsa. getting to your point about the
10:22 pm
intelligencetween i heard only about 10 minutes. i was driving. but richard clarke described the fact that what they are doing with the nsa review panel was, number one, we had been asked to take a look at what intelligence we actually need. second, we had been asked to look at how transparent we can be in getting the intelligence in a way that matches our democratic values in a democratic society. i did not hear much more. i really wonder given all we have talked about here, with the nsa review panel, are we on the right track? or will this deviate? i would have found out if i heard the rest of the show. i look forward to hearing your views. panel, it that review
10:23 pm
is fascinating. one of the things we talk about. somebody called in and said the report was very good. , youersed -- i responded appreciate one written in clear language. and easy to understand. that was a really important report. clark and mike and the others, i think they really made an effort to be nuanced about this and to be sympathetic to all of the concerns raised, but also to a national security establishment from which they themselves come. it was a very interesting report that really set the stage quite properly for precisely the kind of legislative and executive branch action that is probably forthcoming now. of the most interesting things about the report is that the group was and so much in the
10:24 pm
beginning as being a hand-picked panel by the administration and everyone looked at the membership and said these are allies of the administration. i remember hearing rumblings in october or so that these guys were taking a broad look at nsa structure and i am thinking, is that really their mandate? the start to hear a little rumbling along the way suggesting they might actually make recommendations that would get noticed. i do not know whether or not that played a role, but it seems like they took it quite seriously. the understanding was individual members of the panel were spending multiple days of the week of their own time on the panel during that time. it seems to produce something that will really drive a debate and a policy discussion. >> one of the things said this morning is that we are in a time of peace right now.
10:25 pm
really an important opportunity for us to think about what we do not want to happen in this future, the same kind of fiasco we have seen with the nsa. it is the time to come up with roadblocks to make sure we do not have these kinds of abuses in the future. i think the word, abuses, is a central one here. the group was not really asked to come up with the answer to the question of what is legal. in the past couple of weeks, we have seen court decisions on all sides of this. eventually, you suspect somebody will end up in the hands of the supreme court. instead, the question that president asked them to answer was, do we have programs here we are doing just because we can, instead of because we really need them, because we should do them. that is a very different question. then you get into a cost-benefit if the amounth is
10:26 pm
of intelligence you are gleaning from this useful and worth it given the diplomatic cost to confidence in american companies, whether it is apple or google or server manufacturers. thirdly, is it useful to us diplomatically? it has done this kind of damage to our relationships with germany and mexico and brazil, and who knows who else is on the list, with things that may be disclosed in the future, you have to then ask yourself a question, is what you are learning about the internal workings of the mexican government or the brazilian government, or the german government, actually worth it for the cost of revelation. the most remarkable thing i learned in the course of this is that while the cia asked that question very often about covert programs, if it got revealed,
10:27 pm
would the damage done be worth it, in the case of the nsa, because they did not believe their programs would be revealed, i do not think they asked the question very often. >> we have time for one last question. >> speaking about wiki leaks, the counterpoint was zuckerberg, facebook, social media. is there a counterpoint? is there a technological trend that might say, the internet and cybersecurity has a positive future, and we do not have to vulnerabilities, state all the way down to the individual, is there a counterpoint to this discussion? a positive future for technology and the internet? >> twitter's ipo? [laughter] align a response.
10:28 pm
the governance issue is a big one for the next year. almost any development on it would be negative for internet freedom in areas where it is really important. important -- unfortunate thing is the u.s. government has very good programs, but there is no trust for them now, and it will not be taken seriously outside. speaking american, as well, there is a perception that it is a serious international institution and it leads americans. the actual architecture of the and the attitude that the government and the intelligence agencies have taken to that, it is now no longer given, u.s.
10:29 pm
dominance of the internet. something is going to have to give there. it may still be true, or if they can work out how to go for multilateral, something that actually works and protects what is good about the internet. it could go quite a bad direction. it would be a shame if the resulting exposure of the u.s. abusing its -- allowing other states to start abusing newfound powers of the internet. i think that is the opposite direction we want, but it isn't a given yet. a large degree of what happens next depends on the u.s. response. >> i think we are out of time. let's give a hand to our panelists. [applause]
10:30 pm
they will be signing books in the next room over here, and thanks, everybody, for coming. [inaudible conversations]

Uploaded by TV Archive on