today than when i first began practicing due to the advent of sophisticated forensic examining and dna evaluation as well. the second exception is that a military judge may admit evidence of specific instances of sexual behavior by the victim with the accused that is offered , as madam chair noted earlier, to prove concept by the alleged victim in the -- consent by the alleged victim in the case. ..

the exception that would allow evidence in the words of the rule the exclusion of which would violate the constitutional rights of the accused. what does that mean? the rule does not define what that means for the practitioner. but in my experience come evidence of the sort usually falls into one of several readily recognized categories. for example, evidence of previous sexual behavior that establishes bias, prejudice or motives that fabricate on the part of the alleged victim in the case. similarly, this exception is used in military practice to admit evidence of don sturdily false allegations of prior sexual behavior by the alleged

victims or sexual behavior of predisposition that's so distinctive and so similar to the sexual offense at issue that explains or provides context for the instant delegations. interestingly, many states codify these commonly encountered circumstances in their own rules of evidence for criminal cases, but in military practice practice these are adjudicated on an ad hoc basis by the military judge upon the request by the defense counsel in the given case. we will return to some issues encountered by practitioners and judges in this exception of little but later in the presentation. before i turn to the procedural requirements, it's helpful to look at what the rule of evidence is intended to do and as the madam chair ken probably cite from memory, this analysis points out the rule in to

safeguard the victim against an invasion of privacy, potential and there is good is that in the sexual stereotype that is with the public disclosure of intimate sexual detail. and the infusion of sexual innuendo into the fact-finding process. the analysis goes goes onto say by affording victim protection in most instances, this rule also encourages the victims of sexual offenses to institute and continue to participate in the proceedings against the alleged offenders and under circumstances without which the victim might be tempted to not go forward with her allegations. >> if i could have the next slide please. the procedural requirements under the military rule of evidence are very similar to those of the federal rule of evidence. i won't read this lady to you but i will point out the two

differences from the military practice. whereas the federal rules of evidence allow a 14 day period in which the typically defense counsel must submit a written motion giving notice of an intent to use one of these exceptions to admit evidence of prior sexual behavior, the military justice system applies a much shorter deadline. they file such a motion five days before the entry as opposed to 14. this is because of the open pace of the military trial work then federal or state and criminal trials. it also requires that the victim be notified by the defense counsel or the government of an intent to use prior sexual behavior or sexual disposition evidence and allows the notification to be provided by the victims representative for counsel.

when a military judge receives a motion like this indicating the intent of the by the party to use evidence of the prior behavior or sexual disposition, that judge must hold a closed hearing that is closed to the public. the federal rule refers to it basically means the same thing although it is typically held in the courtroom but without public presents only the court staff are present. quick staff are present. the jurors are never present for this hearing and the military judge must act to seal the hearing of the review unless ordered by the court itself. usually military judges have an order that allows the exhibit to be in the reviewing court is not necessarily the convening authority or other counsel in the process. in any issue must under this

rule to specify exactly what other evidence is going to be offered permissibly in what areas may be explored on the cross examination. i've summarized the decision-making under the rule of evidence in this graphic and. this chart depicts and i chose the perspective of the defense counsel to admit evidence of prior sexual behavior of predisposition under this rule and there are at least four hurdles that must be jumped by the defense counsel in order to obtain the omission of such evidence. the first is they must demonstrate evidence of the victims of sexual behavior or predisposition and if not the ordinary rules of evidence govern the case. that's not much of a hurdle and we proceed quite frequently to

whether one of the three exceptions apply. one is the evidence relevant to one of the three exceptions that provide admissibility in the circumstance that is other source of it in the previous consent or is the evidence constitutionally required. and if the evidence fits into one of those categories and a military judge must perform a balancing test that may not be familiar to those that practiced in federal jurisdictions that may be familiar to those that practiced in state jurisdictions the first test requires the military judge to examine the evidence and determine whether the value of the evidence outweighs the danger of unfair prejudice to the victims privacy interest. madam chair may recognize this from a civil context and the

federal rule of evidence the president in 2007 added to this protection for victims privacy to the military rule of evidence and military judges to this threshold analysis of the comparison of the value of the evidence to be admitted against the danger of unfair prejudice to the victims privacy interest in the judge can proceed only if she finds the value outweighs the danger of unfair prejudice to the victims. the next step is familiar to any litigator and it is found in the military rule of evidence that is identical to be admissible if must not be substantially outweighed by the danger of any of the factors identified in the rule of evidence 403 confusion of the issues, waste of time

more confusion of the jurors in this case. the circumstances frequently used by judges to exclude evidence of the circumstances the trial over the victim's sexual behavior or predisposition. if and only if the defense needs these hurdles relevant come exception caught probative value and the analysis made a military judge admitted the evidence at the trial. i would like to make a bit of an observation concerning a practical difficulty in the case law and in practice right now for the practitioners that involves this process and i have told the panel's attention to the unique balancing test that was added by the president in 2007 in which they compare the

value of the evidence sought to be introduced with the danger to the victims privacy. the court o appeals has recently any line of cases cast doubts as to the constitutionality of this provision as applied in the criminal setting. the court of appeals house in a rather expansive way he said that notwithstanding the plaintext of the military rule of evidence that requires the judge to do this balancing test that the privacy interest of the victim, the danger of unfair prejudice to the privacy interest will never trump the evidence that is material to the defense and favorable to the defense at trial. that is the constitutional right to prevent the defense will

always trump the members of the victims privacy interest. this case is found invalid and 70 in the military justice reporter beginning i believe on page 248. and the court court also decided in that opinion is in its skepticism towards the applicability of this provision and whether the victims privacy interest is ever relevant to the determination of the admissibility of evidence in a court martial setting. i do not speak to the judge advocate general in my next observation, but i don't believe that this result is either necessary or appropriate under the military rules of evidence. but i do the leave, and this is based on evidence reported by military judges and practitioners that it's created a great deal of uncertainty

about what the state of the wall is concerning the rule of evidence and whether the victims privacy interest. the danger of unfair prejudice to the victims they ever be considered by a military judge if they follow the laws promulgated by the president and the risk and ad hoc evaluation of their decision by the court of appeals. to disregard the military rule of evidence and obey the victim in the court of appeals decision

it may be possible to explore other state and commonwealth jurisdiction of a balancing test has been successfully incorporated in the criminal jurisprudence without the constitutional objection. because i really got a balancing test is important to protecting the victims. that is the only thing that we are looking for in this case. the next slide i would like to consider. you have to panel members asked questions about the military rule of evidence 412 or any of my observations. >> i would like to echo something that he talked about.

the cases case has come up in a relatively small places where the population is relatively small and i think the reason why we have to kind of added civil part of 412 into the military rule of evidence is to account for the fact that in our small environment getting the behavior out on the record into this community does have a danger of affecting the victims privacy. so that's why i think the balancing test is there and we think it's important that we provide provide over practitioners a little more guidance into this area.

>> thank you colonel and i would agree with that. the twin purpose of the military justice system is describing the preamble to the court martial, for example are not only justice but also disciplined and good order and discipline within the armed forces. and i think that the unique nature of the military communities and service may justify the considerations of the victims privacy interest which perhaps in a federal setting or elsewhere might be constitutionally suspect. this is an area -- yes madam chair. >> to ask questions on 412. does any member on the panel have any questions for 412? >> thank you for the testimony.

even if the proposed evidence passes before 12 scrutiny that the vendor is still the 403 examination that takes place. >> the military rule of evidence requires to analyze other admissible evidence under the military rule of evidence 403 at the last sentence i believe the military rule of evidence 412 c. three expressly requires that. it's a military judge and my reference doesn't necessarily result in the exclusion of an entire incident of the prior sexualization or sexual

predisposition on the part of the victim. the narrowing of the scope of the permissible cross-examination perhaps and that is what the military judge did she narrowed the scope of the cross-examination to present the defense going too far afield into the victims previous sexual behavior. to provide additional examples from the case law. i hope that addresses the question. >> before three balancing test applies with some sort of a delay. while the evidence may come over the hurdle of unfair prejudice to the victims privacy rights, it's still going to take a while

to get the evidence in and it is just not worth the fighting of the trial to get that evidence into court. particularly in japan we frequently have witnesses that would have to come out there. >> in fact, in a particularly troubling aspect of the conquering opinion, the former chief judge proposes a methodology where 403 would even be overcome by material evidence favorable to the defense. he would propose that the constitutional prepared if we can prevent the operation of the 403. and there is no logical constraints on the reasoning of the case. but why stop there? i not allow hearsay and do away

with authentication clicks and i think that as a worst case scenario but you can't avoid the slippery slope argument. i don't think the court meant what it said yet it is creating a certain amount of anxiety and uncertainty as to how 403 applies in this new universe. >> let me start by saying that i'm speaking from public record what i read in the newspapers that from what i read in the newspapers involving the cadets i was not under the impression that the military judge in that case bothered with any of the four kernels and i didn't see anything about an in camera hearing. the only exception i understand

was that it was the constitution required it without explaining how the constitution required and when as i understand the prosecution tried to resort to the specific court over the judge they didn't take the case and the petition was filed with the armed forces and they did not take the case so basically you're telling me about before hurdles but it doesn't sound like it's being followed and i would like to know if you have a comment on that work well the other panels to get the record on the case as a very public example of that upsets most of the people.

>> this is one case the army is happy to be sure to the naval service to provide an answer as to how the court-martial process worked, but i would give the kernel the time to prepare by singing the bad cases make bad law. every day throughout the world coming military judges are routinely apply the provisions of the military rule of evidence and in 513 without the media attention and with solicited concern for both the due process rights of the accused and the privacy interest of the victims. with that i will turn over to colonel baker to discuss the particular instances in the naval academy case. >> i have not reviewed the record of the case and my knowledge of that is based upon the other newspapers, so i cannot provide a comment whether the rules were or were not followed in the case.

certainly the rules to require the judges to make a difficult decision to balance with the rights of the accused. in the case is as bill said across the globe this happens a lot. are there cases where it doesn't, yes. but i don't think that it is because of a problem in the rules and i'm not trying to say the judge improperly applied the rules and i don't know enough about the case to comment on whether the judge presided over the case and the judiciary and it's a very well-respected

jurist. that's kind of the best that i can do. they do properly provide the ability to apply it as we discussed in it he added value of unfair budgets. >> let's turn to those rules to process and talking about what i thought of as a proposed rule to allow victims the right to be heard through the council. i guess i don't understand correctly what the point is of having a closed hearing if it is not currently the practice victims can be heard through counsel. the victims are the people with a privacy interest during that hearing into the prosecution may

care about it but they have a broader concern to get the case to trial and they are not going to have to live with the adverse publicity about the sex lives that the victim will. and if it is going to be hearing they certainly don't expect the victim to be representing themselves and so why is it that the military needs to propose the rule why isn't that a matter that is accepted across the board? they have the right to be heard in these proceedings. the purpose of the joint can be proposing that we could verify that that right occurs through the council, there has been some to the court of appeals and we wanted to ensure that there was

no question about whether the victims rights could be reasonably heard of before 12 or the 513 hearing included the right to be heard in the council >> the fact that you have to provide clarity is evidence that there's an awful lot of military not allowing the victims to be heard to the council and they are expecting a young military recruits to speak for themselves on legal issues and not to be heard through the council which the services are providing you to argue on behalf of the privacy but it is an indication that there is something wrong. >> in the current military rule

of evidence in this regard, the victim must be afforded a reasonable opportunity to attend and be heard. so there is as the colonel noted a fundamental right for the victim to be present and to be heard. what is reasoned as the advent of special victim council or victim legal counsel which have been now provided by congress the statute and i believe in 2013 -- now create a specific position to advocate on behalf of the victims the joint service committee change that is being contemplated is in response to this new phenomenon by the council that are now part of the legal landscape and which need to be accounted for in the rule. assuming judges everywhere are

not respecting victim rights in the face of the commander in chief svd do so it's not just by my own experience and i would venture to speak in colonel baker as well. >> my response to that is that the victims rights council have not only been around for decades but they were trying in the federal law to govern every federal court in 2004 in the crime victims rights act. so all you're telling me is recently the congress made a victims counsel freely available to victims, but the council has been available to the victims for ten years and it's long overdue that the military judges doesn't expect the victim who has council to have to get up and make the claim about privacy himself or herself and went through the counseling. >> i was going to say it's true that the federal victims rights

act cost the council that the reality is most victims do not have counsel in the civilian world or any other world because they can't afford them. it is a relatively new phenomenon within the states and so it doesn't surprise me that it's also now a new phenomena and a good one in the military. and actually come in the military if you get council, automatically if you want it and you don't pay for it, so it's gone beyond most of the programs that exist in the civilian world. i was interested in how the article 32 is working now because i think the colonel started to talk about -- did you say something about eliminating the constitutional aspect of the rule click sign interested in math and i recognize that. >> i will start with the second one first because it's easy.

the proposed -- the proposal that's currently out in the joint services committee is to specifically exclude the constitutional exceptions and article 32 on 513 and 514. so, add the article to preliminary hearings and the first two exceptions would apply added the third exception would not. does that answer your question on that issue? that staff can get you a copy of the proposed deal on the web.

>> the practical impact of taking away the third exception would be a the debate in the article 32 hearing about such things bill talked about. >> the prior false allegations, things that are typically raised under the constitutionally required would not be deemed relevant at a preliminary hearing whose only real purpose now to determine probable cause, whether the accused should be court-martialed for a particular offense. >> the first exceptions could provide information to that hearing officer that would did there wouldn't be probable cause if there was a valid evidence and somebody else in the other

exception. >> it also, removing that exception also kind of reflects the fundamental change to the article 32 hearings have narrowed the limit and the scope of the hearing and have made it so it's not a discovery tool. the other question was power 32 hearings and how is it being applied in the hearings now. >> were there always hearing in the article 32 or were there always supposed to be? >> anecdotally i can say they were not always done right. i talked last evening with the kernel into legal organization and they are actively involved in filing, they are not calling the motions at the preliminary hearing that they are actively involved in litigating for 12 issues at the article 32

hearings. we are applying them now frankly better than we have in the past. >> the other change is that the judge advocates are now serving the article 32 officers. the military attorney is now presiding over the preliminary investigation and preliminary hearing as we transitioned the terminology and the purpose. and the presence of an attorney in the room that is sensitive to these issues makes the system better able to protect the rights while reaching the probable cause determination as well be a stack i think that i understand this now because if you eliminate the constitutional analysis, you are eliminating those types of rulings that you may need to make if it goes to trial or would, that would not be relevant to just look at the

facts and the probable cause determination. is that the idea? >> you opened the remarks by saying the rules of evidence when the rules are properly applied workflow to that effect. are there some repeated issues with regards to the proper application of procedural rules perhaps they had been addressed? >> one of them was applied in the article 32 hearing. a lot of it because the wide open nature of the proceeding that has really focused on the discovery and so with the judge advocate presiding over the

hearing into the counsel representing the victim, i think you have a much better chance of an article 32 hearing in the procedures of follow with the military judge those have been done well in the vast majority of the cases the court-martial across the globe do a fantastic job of balancing the interest in the victim against the accused. >> if i could target the 513 privilege i would candidly tell you that this is a challenging area for investigators, for counsel and for military judges, and this is giving the supreme

court decision several years ago and the add event of the military rule of evidence. there is no better -- federal privilege so this is a relatively new rule and proper sensitivity to the logical counseling records of the victims is something that everybody is learning as we move forward from investigators who in the past might have just gone to the hospital and obtain those records from counsel who might redo them to the judge who didn't have guidance in the past but now has eight constructed rule of evidence. all three of the participants of the process are learning and it's getting better. but it places a premium on the ability of the military judges to monitor the progress of the

learning and to intervene with protective orders when appropriate to safeguard the victim privacy concerning the psychological or mental health counseling records. for example, much like judge baker after the rule was enacted i found myself reviewing the health counseling records of the child victim of sexual abuse, and not only was it psychology but it was pediatric psychology. not only with a pediatric psychology, but the person writing the note was a master social work as well. how they got time to do all these degrees i don't know, but i as a layperson in attempting to screen the psychological counseling wreck or it's in my chambers on the road without expert assistance and the like. i could point to an expert to assist me in reviewing the records and making sense in the medical into the sociological

notations that were in the record. the judges may need to enlist the help of mental health health practitioners who screened this as well wait for word in the future. if we are to be properly sensitive to protecting the right of the privacy interest as a victim and an shortening of in shortening the potentially exculpatory information is released to the defense counsel. >> i would like to go back to 412. first of all, you talked about the relevance of the sexual predisposition of the victims. why is that a standard? the >> is a standard that was taken under federal rule of evidence.

>> what you point out where it says predisposition? >> i did have to look at where that language came from briefly. but -- let me suggest it's not in the federal rule. the federal rule was having then the author to eliminate the idea of the predisposition and the logical fallacy that if a woman ever said yes or said yes five times or so yes 50 times, she might say no next time that was the whole point of that statute, so i find myself troubled to say the least at the use of the term predisposition to sexual behavior as a standard for anything under 412 and i would urge you to reconsider your use

of the terminology. >> it is an explicit exception. it is excluded. >> maybe i misunderstood what you were saying that that could be introduced. >> i intended to communicate to you the military rule of evidence excludes as irrelevant evidence offered to prove a victim's sexual predisposition. >> i'm glad to see that we are on safe ground. okay. now i'm at the second point you make is about how well the rule is working and i must say that i found myself quite astonished, i will just use that adjective can add to the decision of the court of appeals for the armed forces in the case of the u.s..

if that is the position of the court of appeals, then i don't know how we can more clearly state that the military rule of evidence was designed to accomplish because i think the court is understood that. going back to the point that i raised before, in this case and i'm sure that you are familiar with it. >> at a different judge writing opinion but the same issue. >> and here we go again as i see it where the court made a very good point both were much more persuasive to me that basically the court said that basically she didn't want her marriage to end and that showed she had a

motive to fabricate a. if you have done fabrication before, then after, that seems to me to be relevant. but just because even assuming that that insect is the case that she didn't want her marriage to end, i don't know that shows she had a motive to lie about rape site very concerned about how the courts are interpreting this and particularly because i think if we go back to the underlining purpose of the 412 and going again to the constitutional point you have raised, the reason it is favorable to the defendant to raise the history of the victim is because it is a huge smear tactic and that is not just prejudice to the

victim, but prejudicial to the fact-finding ability of the jurors or the courts because it is so prejudicial given the stereotypes into the cultural attitudes that we have in the society. so i'm just wondering, you are asking us to look at that specific issue about how the states handle this but how do we get the judges in the military to understand because a woman said yes before doesn't mean that she is going to say yes again. is this a training issue, is that it the statute, is that clear enough? the >> we have a five judge panel of the civilian jurists appointed in the civilian life, specifically excluded until recently from the military ranks in order to provide oversight to

the military justice system. i cannot defend in fact i brought it to your attention they represent a curiosity at best and a perplexity at worst to the practitioner in the field because the plain language of the 412 as the judge says in his concurrence until the rule is changed it remains in effect subject to the obligation to interpret the walls in accordance with the constitution and applicable legislation. in the absence of any meaningful justifications for the court actions, that the practitioners and the judges in a very difficult explanation and i don't think that many of us would jump to the defense of what you just described. it is inexplicable to this practitioner and i don't speak to the judge advocate general in that characterization.

i think it violates the language of the statute and here we are the federal rules of evidence here we are almost 40 years later and the same cultural prejudice are affecting the court decisions. if you take this decision that has to come in as a constitutional matter. that is the concurrence in fact what the judge will follow what is left at 412? >> does that make the country argument, but i would point out that the trial judge that uniforms the judge in that case got it right and by your criteria and most observers, it

was the superior court to the justice system that produces the result that is so difficult to understand today. >> what suggestions do you have for the panel assuming that my colleagues agree but i cannot i'm surprised to find myself in the majority but i'm glad to be in the majority on this case. but what suggestions do you have for the panel to deal with this? >> as i was preparing for testimony today and reviewing the states in the commonwealth territories, i was struck by the variety of ways in which the victim privacy was incorporated into the criminal evidentiary area codes without raising

constitutional issues of this sort of court of appeals to the armed forces impacted that significance to. all it can suggest is to reiterate my earlier suggestion that often times the symphony of the symphony of the voices under the state and commonwealth and in the recommended revision to the rules of evidence that might clarify, for example, the thing that occurs to me and this is not a proposal to the the judge advocate general, but as a former policy official in the professor i think one of the fundamental flaws of the court of appeals decisions is that they view the conclusion that it's required to be admitted as a static decision. but i think that a more coherent way of viewing it is that that is a category into which the

defense counsel is attempting to fit the evidence. until it is examined in the interest and until the danger of the undue delay a substantial confusion to the members, waste of time and all those other things are considered, the question of whether that their sexual behavior and sexual predisposition could ever be relevant is a dynamic decision that isn't finished until we get to the last step of that diagram that i provided to you. you cannot start with a conclusion and that is what the court of appeals to the armed forces appears to be doing in galveston. perhaps a more dynamic description of front in the evidence for 12 as to what the draft may be intending to the evidence was constitutionally

required to be admitted to help clarify the military judges that that is the ongoing determination is being made. >> what it clarified the matter is that the definition of the consent were changed? >> that would have the most effect on the exception of the military rule for 12 and the previous interactions with the accused in a given case. but i cannot foresee how that would directly affect the other types of evidence that are commonly introduced under this exception the constitutionally required exception. i can see the narrowing of the consent for example there is a class of cases which the behavior is so instinctive that

it communicates to the accused either because he saw it or because he knows of it but somehow the victim has given her consent to the same sort of activity by narrowing the definition of the consent i think that we would exclude a large majority of the cases from ever getting past the initial threshold of the military judge because of the consent consent that is at issue is the consent today to this particular military service member and this particular setting up a circumstance not whether the person chose to do six months ago with other individual or individuals. so i can see how it would narrow or ease the judges burden in clarifying the practitioners walked in certain circumstances. >> it also helps in terms of the quote unquote constitutional and ellis is taking analyst is taking place because of the crime. thanks. i think we took all of your time

on 412. do you still have something that you want to stay on 513 clicks >> i said what i intended to say in that it's important that the judge know when the judge doesn't know and seek expert assistance. that's something we can do better in the future. we have the regulatory authority to do so in practice it's not often done but i noticed -- >> on 513 i thought the point of the proposal, which president clinton authorized in 1999 and 513, was that kind of psychological council evidence did not automatically get to the judge in every case to do what he felt like doing, and my understanding is that is exactly what's happening and i think that it undercuts the 513 rule just like you were discussing

how the 412 rule is undercut just as i understand it. the practice has been that military judges told the prosecutor to get the military hospital records of the people in question come and they get them. then the judge decides in camera the rule is intended to make that a very narrow exception in a small number of cases and not a standard operating procedure and at the military hospitals because they are in a chain of command at turning these records over and unlike the hospitals they are not requiring the releases from the patient and inducted into go back to to that, and the naval academy case, the records of counseling on the navy base were ordered and it just showed up. so i would like your comment whether or not i can tell you

that's also been completely undercuts because it is in the business of the military judge to decide every case in his discretion whether the records come in but in a very narrow view kind of cases. >> i certainly would agree that there has been no -- there has been an increase in the number of cases with which it has been litigated. when the cases first began i don't know if there was a black of awareness or that more people are getting council. it may be a combination of the two. in my experience this is a bifurcated process. first, the motion has to be filed. second, the judge holds a closed hearing and not until the closed hearing is done is that council

ordered to go into direct so the rules layout the process. then to make the determinations whether they will. it's not an automatic so i can only speak for the cases with which i know about the judges are properly provided the -- mre 513. >> now the military services have the sexual assault counseling, i think it's become uniform that the sexual account counselors told the victims that

they can get psychological counseling if they feel that they've been raped and where to get it. so now the rule rather than the exception that the defense counsel are going to expect that there are psychological counseling records. the victims were getting more counseling than they have before. there is a requirement and we have an obligation to provide the materials, so part of their due diligence is to find out upon the request from defense a request from the defense to suspend the records and to find out if the records exist and if the defense if there is a motion filed the victims notified of the victims provided a council and at the closed hearing the judge and the parties talk about whether those records should be provided to the judge in camera.

the wreck are not provided before the hearing. that's not the way the rules are written. so if there are cases where that's happening, they are not applying the rules properly, and again the advent of the victim legal counsel, special victims council provide the victim another tool to protect his or her. it's hard for me to talk to the cases where the procedures are not followed because in my experience it is not acceptable. the supreme court said in the decision that brady is not a reason to engage somebody's psychological counseling records which you just articulated. and if the the right curves are routinely being obtained as if the prosecution from the military hospitals on base and you were to change the procedures had the procedures ever demand that people seek psychological counselors

off-base because those records should not be released as you just outlined the reasons like rape. >> there are a series of cases that talk about the requirements for the prosecutors in the material. and i want to make sure that i am clear. i'm not saying that the trial counsel upon the request gets final and starts looking to them. that is not what is happening. but what is happening is the request and there is a motion filed the judge made a determination whether or not the judge at the review of those records. so, they are acquiring them as written at the judge has has to weigh out the balancing of the privacy interest of the victims and their due process rights of the accused. >> they are doing exactly what we heard in the context. they are using, "the

constitutional exception to order the records in every case. that's all. and that, therefore, they have completely undercut the rule as we heard on the 412. >> did you have a point you wanted to make with response? >> no but thank you for the opportunity to. >> one quick question please for you mr. barto. in one of the reading materials that was provided to us, which was 2003 article on the mre 513. it was stated that under the army regulation about time that tribal council agents and commanders could access mental health records if they had an unofficial need for the information. individuals contrasted with the air force rule which did not allow that because of 513. so my question is has changed, has the army changed so it's operating in concert with the spirit of the 513? spinet i don't want to overstate

my knowledge on this area, mr. taylor, but i think it has changed with the advent of hippa and the increased privacy interest. my understanding is that it is no longer army policy. i will verify that and provide information to the panel. >> admiral tracy? >> thank you mr. tracy and mr. barto. thanks for your testimony this morning. to the next panel which is privacy sexual assault cases, sexual conduct. >> looking at campaign 2014,

here are three debates tonight for seats in the house starting at 8 p.m. with the illinois 12th congressional district debate between incumbent democrat who is running for a second term.

the wisconsin governor's contest is one of the races we've been covering and it's available at c-span.org and republican scott walker and democrat challenger mary burke that for debate. here are a few ads in which they address the states drunk driving laws. >> mary burke lied about the jobs plan. it turns out it was plagiarized and now she's at it again at hacking scott walker's records on drugs and the sentinel says it's false. she's twisting the numbers and it's not the first time.

the truth come in the last year wisconsin ranked third in the midwest of job growth and the facts are wisconsin gained 100,000 jobs under scott walker and we can't trust mary burke. >> he made a pledge. >> 250,000 new jobs by the end of the first term in office -- and asks us to hold him to it. is this promise something you want to be held to? absolutely. today wisconsin is dead last in midwest job growth, ten out of ten. >> wisconsin is behind most of the country when it comes to job growth. >> the 250,000 jobs, not even close. broken promises come in dead last in jobs. scott walker isn't working for you. >> it's been called the lie of the year. if you like your healthcare plan you can keep your health care plan. >> and mary burke supports it. >> it doesn't mean the government is going to tell you which doctors to go to or which planned to have.

>> while millions have lost their doctors and their plans, mary burke says she still supports obamacare unequivocally and wants to expand it. wisconsin can't afford liberal mary burke, period, and of story. .. >> not only is it 185 deaths, it's 5,000 crashes that have alcohol represented. so this is costing us, costing

our society a lot of money along with the type of personal injury that it causes. so we have to take a tougher stance on this. i've been endorsed by the wisconsin professional police association, and i will work with law enforcement to make sure that we have in place what we need to cut down on the number of fatalities, to cut down on the number of crashes, also work to make sure that this doesn't overburden our justice system by having alternative methods to be able to address this. we also have to make sure that people who have addiction problems are able to get the treatments in order to do this. but right now we don't have tough enough consequences that are going to make a difference and really addressing this. we haven't moved the needle enough, and it's time for wisconsin to join the rest of the country and realize that this is something that is important to insuring the safety on our roads. >> moderator: governor walker. walker: yeah, this is one of those just tragic issues out there, and one of the biggest

problems i remember years ago when i was first elected official as a state representative, one of the most heart wrenching cases we had to talk about was a family from our area who had lost a son because of someone who had been a multiple repeat offender. the numbers of people out on the road multiple times committing drunk driving. that's something we've got to crack down on. i agree with the other two attorney general candidates that criminalizing that, first-time offenders, isn't the answer. upupi will work this session, i think one of those issues that democrats and republicans can come together and work on. but i'm going to work with law enforcement, i'm pleased to talk about endorsements to have the endorsement of the men and women in the milwaukee police department and the wisconsin troopers' association, the people out on the roads who understand we've got to crack

down who are repeating this criminal activity over and over again. >> ms. burk, you're rebuttal. >> well, governor walker has had four years in order to address this, and the fact is you would avoid a lot of the repeat offenders if you had tougher consequences on that first offense. i think people need to know right off the start before they get into those habits of drinking and driving that there are real consequences that come from that. >> governor? >> again, it's one of those where i was just at our annual governors' conference on traffic safety, and i'm pleased that with the good work of law enforcement, first responders, the department of transportation and others across the state we've actually seen traffic accidents go down and some of the safety factors improve over the last year or so. we want to continue to build off of that. and, again, the way to do that is to crack down n this case, on repeat offenders. show the consequences are serious particularly for those who continue to go back on the road own after they've been pulled over and, ultimately,

brought to justice. >> here are the a few of the comments we've received on our ebola virus coverage. >> caller: why can't we all get behind the president and what he wants to do for the good of the people, and that's this ebola thing which, as i told greta this morning, i think it's overhyped by the media. and i've timed the time they give it, 10-12 minutes every morning, and when it first came out, they're still talking about it. there are other things that are important to talk about too. but they don't do it. >> caller: i would like to see c-span do a question about is this ebola virus the roof that we need a national one-payer health care system. we've just seen what happened in texas with this capitalistic health care system and what now it's going to cost us millions and millions to clean that mess up.

>> caller: regarding ebola and hospitals not being ready, you had a guest on, oh, gosh, it could have been eight, nine years ago, and i forget the author's name, she wrote a book called "pandemic." and she went into how our hospitals weren't prepared. it was worth -- worse under the bush administration. there was readiness for nothing. we had a shortage of doctors and nurses, i wonder how that fares today. her book, "pandemic," said it all. we were not ready then, and we are not ready now. you should have her back on again. >> and continue to let us know what you think about the programs you're watching. call us at 202-626-3400, e-mail us at comments@c-span.org or send us a tweet at c-span hashtag comments. join the c-span conversation. like us on facebook, follow us on twitter.

>> c-span2, providing live coverage of the u.s. senate floor proceedings and key public policy events. and every weekend, booktv. now for 15 years the only television network devoted to nonfiction books and authors. c-span2, created by the cable tv industry and brought to you as a public service by your local cable or satellite provider. watch us in hd, like us on facebook and follow us on twitter. >> well, news agencies including the associated press reporting today that jeffrey fowl, one of three americans held captive in north korea, has been released. that's according to the state department. today state department spokeswoman marie harps said he was home on tuesday after negotiators left pyongyang. he said the u.s. is still trying to free americans matthew miller and kenneth bay. a u.s. government plane was spotted at the international airport today, trying to send a

high level envoy to seek the release of the three men. and here's what josh aeronest had to say -- earnest at today's briefing. >> i am in a position to confirm that jeffrey has been allowed to depart the dprk and is on his way home to join is his family. we certainly welcome the decision to release him. this is a positive decision by the dprk, we remain focused on the continued detention of kenneth bae and matthew miller and calling on the dprk to immediately release them. we're appreciative of the efforts of the government of sweden, for the tireless efforts of their embassy in pyongyang which acts as the protecting power of the united states in the dprk. as a condition of his release, the dprk authorities asked the united states government to transfort mr. foll out of the country upon his release. the department of defense was

anal to provide transportation -- able to provide transportation in the time frame specified by the dprk, and if we're in a position to release additional details about his return, we'll do that. but that's all i have right now. >> can you give us the timing, when was the administration made aware that this was, that this was a possibility? how long have you been aware that this would be occurring today? >> well, as you know, this is, this is -- the release of these three individuals is something that the united states has long advocated both publicly and privately. in terms of the time frame of this announcement, i'd refer you to the state department. they'd have more details on the specific release. >> and there's nothing on the other two, no indication that they would be released? >> well, we continue to believe that they should be released. >> right. >> but i don't have any updates on their status at this point. >> and now a conference on cybersecurity and what's being

done to protect sensitive information of government, consumer and the private sector. michael daniel, a special assistant to the president and white house cybersecurity coordinator and jeff moss who founded the black hat and deaf con hacker -- def con hacker conferences and also cochairs a task force with the homeland security department take part many this conference. it's cohosted by the christian science monitor and the center for national policy. >> is the wire covering my tie? [laughter] well, good morning, everyone. it's great to see you all here today. scott did a good job on acknowledging a number of folks we want to thank. i'm going to do a quick repeat of that. but, again, our thanks to the center for national policy. as scott mentioned, this is our second event that we're doing together and it's, hopefully, the first of many more to come. also a great thanks to northrop grumman, our sponsor, who really makes this event possible and

intelligent conversations move forward. scott mentioned our speakers. we're delighted to have michael daniel, jeff moss, peter singer and frank saluffo, they're going to be part of a panel discussion i think's going to be quite remarkable and informative. a hitting bit of promotion, the monitor has a big announcement today. we are pleased to announce the day but a of -- debut of pass code, but we call it the modern field guide to security and privacy. it relies on a global network of monitor reporters from around the world led by mike farrell, our editor, and our deputy editor, sarah. both of them are here today, and they'd be happy to talk to you more about the monitor's new initiative. we intend to provide deeply-reported, solution-oriented, non-fear mongering coverage that moves your understanding and the

discussion forward. again, you can find us at csmpasscode.com. stay tuned between now and january when we do our formal launch. so we're here today to talk about cybersecurity, an important topic, one that the monitor's, obvious, investing resources in. and why is that? well, primarily it's a big story. it's a big, complex story that touches a lot of lives. more people than ever impacted and concerned about both privacy and digital security. much of the discussion often times, to a degree, focuses on fear, uncertainty and doubt. and so what are the monitor values that we're trying to bring to this coverage and discussion? well, 107 years of journalism that is deeply reported and global, and we'll admit to our biases. we're constructive, progress-minded and solution-oriented.

these days all media companies have to decide where to invest and what to cover most particularly, and one of areas we're investing in the cybersecurity. passcode is how we're doing it, so remember csmpasscode.com. it's now my pleasure to introduce vern voylex one of his colleagues described him as the rare breed that is a deep technologist that can speak english. [laughter] i immediately tried to hire him. [laughter] vern is director of technology for northrop grumman's cyber division, and his team leads an advanced, he leads an advanced cyber technology team responsible for understanding emerging problems and solving those problems in advance for customers worldwide.

vern will introduce a vision for a new paradigm for cybersecurity thinking with the goal of making our systems more resilient. after vern finishes, we'll take some q and a, and with that, verp, the floor is yours -- vern, the floor is yours. >> thank you. good morning, and thank you for having me. i'm here today to start a new conversation, a conversation about looking at cybersecurity a little bit differently with the goal of making our systems more resilient. my hope is that this conversation can move us past the age of the high profile breach. many of the breaches are very well known, they're very personal, like the home depot breach, the target breach, this week the jpmorgan chase breach was in the news front and center. these are very personal to us because they're criminal in nature, and the idea of money coming out of our wallets is a scary thing. but there are also other high

profile breaches that in some ways are even more disturbing but aren't always as well known. so you have the chimoon attack some time ago, an attack on a national critical infrastructure provider. and you have the issue with the french and british navy back in 2009 with the conficker virus. and these attacks were aimed as disabling those organizations' ability to conduct their primary mission. and you can imagine the military unable to perform its mission as a result of a computer virus. this is a very real potential problem. and then you have the insider threat. we're all familiar with the snowden case, and you have the cyber vigilantes like anonymous conducting espionage, disrupting some ises for a -- systems for a wide variety of purposes.

so this is a borderless problem, and it's not going away anytime soon. so the real question is why is it so easy for the attacker and seemingly so hard for the defender? how is it that they seem to march in and out of these systems as if nobody's watching? and you'll get a lot of different opinions on that. people spend their careers trying to figure that out. but when you plow away all the -- blow away all the smoke, i think it comes down really to two root problems. the first is that the cyber systems that we rely on are inherently vulnerable. so the commercial operating systems, the commercial software packages, the commercial hardware platforms, these are all designed primarily to address profit motives, they're easily obtained by the attacker, they can exploit and find the vulnerabilities in those systems, and that's largely what they take advantage of. that's probably not going to change anytime soon.

and then a second problem is that you have machines against people in a high speed battle. now what do i mean by that? well, you have hundreds of thousands of malware samples being generated every month. so that's not people writing that malware, those are machines. and those are machines automatically circumventing all of our defensive systems. that hall ware typically -- malware typically operates inside of an infrastructure that is also automatically controlled by machines. so the command and control nodes, the hot points, the channels that connect these different adversary systems together are typically set up, used one time or for a very limited period of time, and then they're torn down, and they're never seen again can. now, let's contrast that with the way we defend our systems. so we have fixed infrastructures monitored by thousands of people climbing up mountains of data

trying to sort through what's happening. patching software, writing signatures, reacting and chasing and trying to find this machine-driven, fast-moving target. so you have a static, human-controlled system battling with an automated, machine-driven system. and at the end of the day, the machines are going to win that battle every time. it doesn't matter how many people you try to put up against those machines. and so how do we fix that? how do we overcome that? how do we develop a protective strategy that makes the systems inherently resilient? one way that i'd like to introduce into this conversation is by making our cyber systems disposable. and i don't mean disposable in the sense that you throw them away like a paper cup. i'm talking about disposable in the sense that they are single use. because if you think about it, that is exactly what the

adversars doing. their malware, their command and control, their channels, single use. and we can do the very same thing with our own cyber systems. this would make it far more difficult for an adversary to gain access and persist into the system if what they saw on tuesday was no longer there on wednesday, and it was different yet again on thursday. so this would shift the battle from us chasing them to them chasing us. and that would move the advantage in favor of the defender. there's six technologies that make this concept possible. you're going to recognize them, because they're already out there, and they're in varying degrees of maturity. so three of them are sort of the biggies, and then there's three smaller enablers underneath that. so the first is the cloud computing paradigm. so this is a technology that is designed to be flexible, reconfigure bl, you can establish compute and storage

devices anywhere, anytime. it's essentially a dispose able technology. the second big pillar is software-defined networking. think of this as cloud for communications. so, again, rather than a static communication channel, software-defined networking allows you to do ad hoc networking, allows unconventional devices to behave as routers and really provides a lot more of that sort of flexible, reconfigureable, dispose able capability. and the third big pillar are these increasingly mobile endpoints. and while many people think that the the mobile endpoints are more vulnerable when you look at the security architecture, it's actually moving in the direction of being more secure. and again, it enables a very flexible, reconfigureable, dispose able approach. when you bring those three pieces together -- the software-defined networking, the

cloud and the increasingly mobile endpoint -- you have the opportunity to create an entirely dispose able system. so rather than fix static gateways, static routes, static endpoints that never move, we would have virtualized, moving gateways, ad hoc networks and single-use private endpoints. this system would be controlled by our network defenders. so rather than spending their time reacting and chasing and climbing up that mountain of data, they would spend their time proactively reconfiguring these systems so that they are very hard to understand and breach. underneath those three big building blocks, there are three other critical enlabellers. they are route of trust, identity and always-on encryption. part of the disposable concept of operations is to configure, operate, dispose and restore. that restoration piece comes

from the root of trust. identity is a very important thing within this paradigm. being able to understand the identity of the machines and the people and permitting them into the system, permitting them the access to information based on their identity and their role is a key to keeping unauthorized people out of the system. and the always-on encryption is a no-brainer, all right? you don't open the door and let somebody come in and walk all over your network, right? you need to lock down zones and lock down different information based on always-on encryption. so when those six technologies are brought together, again, it creates the opportunity for us to enable a disposable system concept of operations. let me talk about a couple of scenarios of how that might be used to kind of illustrate the application of this system. so the first one i'd like to talk about is an operation center scenario, more of a

strategic network. so imagine operators coming in to perform their job, and rather or than carrying their device with them or finding device on their desk, they walk into the building, and they pull it off of a rack or out of a bin. that device would have been established to a known good state by a team of people, network defenders that know how to do that, from the root of trust. when he turns the machine on, it has an identity, it turns on encrypted channel. that machine authenticates itself into a central system. the operator then uses his fingerprint, his voiceprint, his cat card to authenticate himself into the system, and his personal configuration is loaded onto this device. when he walks into the operations floor, his other analyst friends are there with him, and they form be up a -- form up a private, ad hoc network among the team. fully encrypted, only the people

permitted to participate in that mission are allowed inside. those people can outside the --n be outside the building, they can be around the world, they can be anywhere. so those operators can function throughout day within this private, trusted environment. and at the end of their shift, they turn the machine off, they toss it back in the bin, and they leave. that machine is then wiped clean, it's given a new identity, and the next shift of operators can come in and do the same thing. so that system is, essentially, disposed of. it's never used again. the routes, the nodes,the identities. if somebody were able to see and understand it when they came in the next day, it wouldn't be there anymore. now, let's take that into a more tactical environment, because tablets and laptops are not the only kind of endpoints that we need to be concerned about. we need to think about up manned vehicles, uavs. we need to think about sensors on uavs. we need to think about fire control systems. all of these can function within

the same dispose able concept of operations -- disposable concept of operations. so imagine, if you will, a special forces team has been asked to go perform a rescue mission. they need to have overhead surveillance to help them out, and we're going to use some uavs for that support. so once again, the uavs should not be sitting there with untrusted software on them, with untrusted operating systems. they should be loaded for that specific mission at the time of the mission from a strong root of trust. the people flying the uav and controlling them should have their identity authenticated into that system so that they can move the uav over to the area of interest. and then the ground forces will have some device that is also built from a strong root of trust so that they can receive the realtime video they need to conduct their mission. and in the end, all of those systems will come back, they'll get wiped clean, they'll be give new identities, and once again,

that system is essentially disposed of, never used again. so this is a concept that would be very frustrating to an adversary. imagine them spending their time mapping, trying to find holes. maybe they actually identified some, but the next time they come back to take advantage of that, that system's no longer there. so how do we get there? how do we move from the the react and chase model to this proactive, disposable concept of operations? well, one thing you don't do is take the current security or architecture and implement it onto this flexible, reconfigure able infrastructure. so, for example, you wouldn't want the take today's monitoring applications, virtualize them and put them into the cloud, because all you're really doing is implementing the same paradigm, and you're going to still be reacting and chasing. what we need to do is take those six key building blocks, we need to bring them together, we need

to accelerate the integration of those six technologies, and then we need to build that proactive model for security. this will make it far more lift for the adversary to gain access and persist. if there is an insider threat, it'll make it far more difficult for him to reach out and and grab information he's not permitted to have. so if we want our systems to be more resilient in the future, we these to think about making them disposable. thank you. and i guess we'll take some questions now. >> thank you very much. [applause] >> so i've been given the opportunity to ask the leadoff question, and i'm going to seize that opportunity. [laughter] first of all, vern, i love this image that you present of moving the momentum from the attacker to the defender. and it's very helpful to look at the three core and three

supporting technologies that could create a disposable system. within those three is there an area that your team is thinking most about and/or next steps in this integration that would move us forward in creating these disposable symptoms? ie, where should we focus next? >> well, we're researching each of those technologies, and some of the customers are also researching each of those technologies. i think where we need to go next is in the direction of bringing those six pieces together and really figuring out how to implement that disposable command and control, that disposable security model to wrap around the six key technologies. we're already working on the individual pieces. >> excellent, great. let's have some questions. from the floor. and i think, is there a mic that -- gentleman here on the, on my right. >> hi. thank you so much.

this is very informative and interesting. my name is guy taylor, i'm the national security team leader at the washington times. and i have a question about you were touted as someone who speaks establish or common man language about this. so what, let's say this hypothetical uav mission that you're talking about involves recording some vid deny -- video. where would those be recorded, and would that system on which that video is restored be something that gets recycled constantly? it sounds like an inconceivable amount of data that would have to be wiped and moved, wiped and moved all the time. >> yes. ..

>> in the back. and could you state your name and affiliation employees when you take the mic? >> hi. brian. my question is what about cost and risk analysis? you talked about having multiple sets of laptops, infrastructure, businesses have the huge cost of their so how are you going to get them to buy into this?

>> right. so that's a good question. i've been asked that before, what is the cost of something like this. and i think you want to look at this from a lifecycle cost perspective of a breach. what does it cost when an organization, whether it be a military organization or a financial organization, experiences a breach? what does that cost? the second dimension of cost is a man hours. how much time, how much money are we spending chasing, reacting, searching for things that are no longer there? we want to shift that to a more efficient use of those man-hours. so those are really the two biggest variables in the cost equation. cost of the breach and the cost of the people. i think if you move the needle on those, you're going to wind up coming out ahead. >> we have time for one last question. that was fast. yes, the gentleman in the black

shirt. >> i'm with voice of america. in terms of the rapid response that you mentioned that is going to shift and you're going to have disposable responses, is that country specific? for example, we know iran, china and russia use different tactics. do you also analyze what kind of methods they use so their response that you give would be specific to those countries? >> i think one of the advantages of a proactive security model is that somewhat agnostic to the attacker. so our goal is not to try to analyze, react, and chase what the adversary is doing. our goal is to take control of our own systems and proactively configure them so that they are very hard to gain access to. so independent of who is attempting to gain access, whether it's criminal, a cyber vigilante, a nationstate, we want to take control of our system. that's what a proactive security model is all about.

>> vern, thank you so much. it's fascinating to have a potential more agile response to defending cyberattacks and we appreciate your thoughts and mentally today. thank you. the ground of applause. >> thank you. [applause] >> were not going to move to the next phase of today's discussi discussion. a veteran tech a business correspondent who shared in "the boston globe"'s recent pulitzer prize. we're delighted to bring mike from the globe back to the monitor where he was reporting from our san francisco bureau and was one time our mideast editor. we are thrilled to have him leaving our past cocaine. mike is going to introduce you to our next speaker.

>> [inaudible conversations] >> [inaudible conversations]

>> everyone can hear us? okay, great. i mike farrell, editor at the "christian science monitor," and i'm pleased to introduce michael daniel, probably in this crowd needs little introduction, but he is special adviser to president obama and the cybersecurity coordinator, which i think he himself has described as sort of the job of herding cats is your many different agencies who have many different protocols when it comes to their security implementation and issues, and so i'll turn it over to michael. he's got the smarts to say and then we will do a brief q&a and then turned over to the items. >> thank you, michael. thank you, everyone, for coming out this morning and participating in this event. i would be remiss if i didn't remark it is national cybersecurity awareness month,

and so appreciate all the interest in this particular topic. i think one of the points that i would like to make just a start, you know, i think that cybersecurity, you can click see it emerging as one of the defining policy challenges we face for the 21st century here and i think that is actually driven by several factors. one of them is actually it's not obvious why cybersecurity is, in fact, such a really hard problem for us. if you look at the data on intrusions, it actually is pretty clear that most of the time the bad guys are getting in through holes that we know about and holds that we know how to fix. so at one level cybersecurity wrote should actually be a hard problem. but if you take a step back and you think about the very aspects that cyber has taken on and given the depth of penetration it has had into all of our social lives, our private lives, our public lives in terms of the

interaction with the government and in the private sector, our commerce and economic, you start to realize that cybersecurity is not primarily a technical problem. it is also an economic problem in terms of incentives. it's a human behavioral and psychological problem. it's a physics problem because of the way networks are constructed. it's a political problem because of its international dimension. when you start to roll all of that together suddenly have what the folks in boston might call a wicked problem. >> very good. >> and that's what i think starts to actually make cybersecurity be particularly difficult challenge that it is for us. that's what they think it takes such a wide variety of disciplines to begin to address the problem. from the administration side, one of the things i wanted to highlight for this audience

today is our efforts to actually expand the cybersecurity workforce. so to address that problem purely want a much larger and much broader workforce than we currently have. we need a much bigger workforce to deploy against the problem. and it needs to have an incredibly wide array of skills ranging from a lot more technical focused folks to companies out with, and government agencies out with their immediate technical problems associated with cybersecurity, but also people that understand how cybersecurity interacts with her industry. how it interacts with industrial control systems. how it interacts with our financial sector. so from a policy standpoint, from a legal standpoint, from an international standpoint. so from the administration standpoint we are really trying to drive a connection with the administration's jobs driven training initiative. in fact earlier this month we rolled out a whole slew of

grants for community colleges and other universities, a lot of which will go to cybersecurity related programs to support efforts in expanding that. and, of course, because this is washington we have an acronym for our efforts in this area. the national initiative for cyber education. nice. it's a nice acronym. that is focused on three different efforts. one of which can expand i think map, developed heat map of we cyber steady ride jobs are, to really expand the number of cyber centers of academic excellence that are accredited by dhs and the national security agency and expand a scholarship for service program that funds specific cybersecurity related scholarships. and all of that effort we're trying to just do what we can from a policy perspective to drive an expansion in our cyber workforce so that we have the

personnel that we need to address this wicked problem that i've talked about. i'm sure there are a lot of other topics folks want to get into, the more strategic, some are topical, and -- >> you bring up some great points about how to confront this wicked problem. you also say that really in many ways it's not that difficult a problem. in hindsight when you look at a lot of the breaches that occur, some of them are occurring because of vulnerabilities we already know about. it's not just an issue of throwing bodies at it. it's also a mindset shift. so how do you confront that issue? is it training? is it sort of redirecting the existing workforce to do their job that they should be doing in a better way, or is it a technical fix? how do you see that? >> i see it as a combination of all of those factors. some of it is baking the security up front so that

developers as they think about developing software and apps and other things, that security is just one of the aspects along with usability, along with the interface that you consider when you do development. so that's one aspect of it. another israeli i think some of the ideas that are embedded in these hypersecretive framework of standards and best practices. so it's come as a business, as an organization, how do you think about cybersecurity risk? starting to embed thoughts about risk management and cyber risk management, the same way that companies manage their litigation risk over there product risk. and that is something that you invest in to manage the risk. and other pieces of it are really us understanding how to enable technologies and capabilities that are focused on how people actually have to

interact with their information technology. so one example is killing off the password. frankly, i would really love to kill the password then as a primer security method because it's terrible. but when we think about replacing it, it has to be replaced with something that is actually easy for people to use. >> right. so what would replace the password? >> i think is going to be a variety of technologies that will be able to do that, some of which will be biometric related. you started to see some of that with the emergence of the fingerprint readers, but also you can use the cameras on cell phones which are now ubiquitous so the selfies are actually used for something besides posting on facebook. there are also, you know, all sorts of different related technologies that can make use of multi-factor authentication that is too easy to use because of the way that people use their

devices, card, card readers. all of those factors will be combined. i don't think there will be one solution for everything. there will be multiple, different solutions. the other thing is will do solutions at the levels because there will be things with really care about securing like your bank transactions and things that you're less worried about like a cat videos on youtube. >> those are important. is being cybersecurity awareness month, the monitor did a poll to see exactly what people are doing to improve their security. especially after the string of high profile breaches we have seen. we found that basically half of the people did something to prove the network and have the other people do nothing. of the people who did nothing they said, well, they are not really concerned about it. is that a realistic view of the current landscape given what we are confronting? >> so i mean, i think that

cybersecurity, you're not going to be surprised that a cybersecurity would need to cybersecurity is an issue that affects everybody. i would probably not be doing my job well if i said otherwise. buddy do think that, i do think that it's an issue that if one should be concerned about at some level because almost everyone lives some aspect of their lives online, either in the form of how you interact with a company, what a company -- the data that the company might have on you. even people that are largely not connected, still their data is online in various places. so it's something that everyone should really have some concerns about. but i do think that what that shows though is that we still need to work on, again, i come back to making it available and easy for people to use and to do and to make a sort of security by default rather than something you actually have to work really

hard at. >> so what would that mean, security by default, in terms of the apps people use on the websites they use? >> sure. i think a lot of this comes back to how do we do development work to make sure that we're developing secure code from the beginning. how do you have systems that are much more intelligent themselves about monitoring their own activity and bringing the disciplines of things like biology, and how do you have networks that are sort of have the equivalent of, you know, the t. and b. cells that live in your body that down in triggers so that it sort of just present on the network. and all that happens much more in the background rather than being something that people have to actively engaging. and it also i think is making

the service is available to both businesses and consumers so that they can set them up and have them be functional on their networks. >> should the government be pushing the private sector harder? this framework is nice, it's a framework volunteered. should be mandatory or should to be aspects of it that should be mandatory? >> so from our perspective we firmly believe that it can remain a voluntary standard, a voluntary framework and still be effective. we actually have a long history of voluntary standards being quite effective in the united states. i think that ultimately it's the market forces that will really make that take off and go someplace, and that's the most effective tool that we can harness in that area. >> the whole focus of this talk is developing america's edge in cybersecurity. clearly anybody who looks at the news can see we don't have the edge.

i think probably everyone read the times story yesterday about the white house being concerned about jpmorgan. that shouldn't be a surprise. but the times article really didn't say what the white house is talking about so we're glad you're here to close in on that a little bit more. go ahead. >> so i think that in general, we have watched for several years, you know, the trend of the malicious factors in cyberspace can figure out how to target our critical infrastructure. and the financial sector, as we all painfully learned in the mid-2000s is a critical part of our economy and definitely a critical infrastructure for us. so obviously anytime we see one of our major banks being targeted and successfully targeted, that is going to be a source of concern for the white house. i would put it in its more general context of though, that it is really the broad trend of the targeting of u.s. critical

infrastructure and how is it that we can do better job of protecting that critical infrastructure over the long term that is particularly concerning to us? we are concerned about any incident that exposes that many people as that incident seems to have done. it's also the broader, longer-term trends that we are very concerned about. spin specifically which trends? can you point to a few things you're most concerned about? >> sure. so if you look at sort of three broad trends that you can pick out. one, we are hooking more and more stuff up to the internet all the time. the so-called internet of things that has already somewhat arrived, your thermostat, your coffeemaker, your car, your refrigerator. they are all now threat of actors in cyber terms. that's making we thought doing cybersecurity in a world of wired desktops was hard to now we're going to do it with big

data mobile cloud, just throw in all the buzzwords at the same time. that makes the problem just that much harder. >> right. >> we've also watched the malicious actors be willing to move up the threat spectrum. so now it's not just a matter of doing the digital equivalent of graffiti, but they are actually willing to take constructive steps to resolve it with the saudi arab american country in 2012. we have seen it with a south korean banks in 2013. we've seen that in the attacks our own financial institutions here, and we also know that the tactics and the capabilities that are available to the malicious factors are also growing. they frequently don't have to use them, yet, but we know and we can watch their sophistication growing. if you look at, there's this myth now that a lot of these hackers are still like the

disgruntled teenager in their mother's basement to which there are still some of those, but hacking is a big business. they are run like businesses. many of these organizations actually operate along very structured corporate, corporate lines. and so the sophistication is available in the resources that are at they look to them are far, far more extensive than they were say 10 years ago. >> that's pretty interesting, right, because the hackers are basically many steps ahead of what we are doing now to try to protect our network. given that that's the case, when you think about this world of critical infrastructure, i guess there are 16 sectors, some are critical, so are really critical when you think about the electrical grid or the nuclear power plants, should some of us even be connected to outside networks of? could you just pull the plug

essentially? is about the best way of protecting a nuclear power plant, for instance? >> as tempting as that might be to do as a solution, i also don't think it's possible for us to wind the clock back and not have some of these systems in a bold forward axis. i think you need to think about that and maybe some systems that we actually decide that we may want to set them up so that you may be able to get data from them remotely, but if you actually want to make changes to them you have to be physically present. you could set up the systems to do that. one of the rules that we have around our office is that expedient he will trump cybersecurity every time. so that unless you have specifically put in policies to prevent that, most people will take the expedient route. you find a lot of times when the systems end up being connected to the internet, it's because, well, that was easier for the

engineers, or whatever, to do the job. and that's true but there is a security downside to that. organizations did you think about that convenience versus security trade-offs and actually do that as a more explicit risk calculation but in some cases it may well be the case that the asset is so particularly critical that you don't want to directly connect data. in other cases that may be a risk you are willing to live with with putting into place other compensating control. i think that's something that needs to be given a lot more explicit thought rather than sort of letting this kind of happen. >> are there particular areas you think that we should sort of limit that access? >> it's a little hard for me to say from not being deeply involved in sort of all the technical aspects of all the different industries, but clearly what i would argue is that that's where the combination of the subject matter experts and the security folks in any given organization

need to have some real conversation about what the risk is and what the benefits are, and really explicitly make that trade off. >> one thing that's come up recently i think in debates in washington and industry is this notion of having a professionalize cybersecurity workforce. so in addition to just having more trained people in the field or just more people, the notion of having somebody who is certified in some way being cybersecurity specialist. what's your view on that? >> i think that cybersecurity will evolve as a discipline. it is i think becoming its own discipline, and it's not the same as some of the other technical computer science fields. it involves i think bringing in capacities from other areas. so i think it will evolve into its own discipline. i think having some of those certifications will be a good thing. >> so you yourself have had to

learn a lot about this field, right? you're not a techie. >> i'm not spent you are not an engineer. you took some grief for that and the press. what did you think of that? >> actually, it happened during august like on a friday so that was kind of par for the course in washington. it kind of just comes with the territory i think. i think some of it though was a misunderstanding of what i was trying to say, which is that the -- and that was my point about why i think cybersecurity is such a hard problem is that, in fact, actually it involves a whole bunch of different disciplines. and we need a bunch of different disciplines in order to address the problem effectively. and so we certainly need, and as i was mentioning about our workforce initiative, a huge chunk of that is focused on the hard-core technical workforce that we really need to run the firewalls and develop the software and manage the security systems. but you also need people that

are savvy about cybersecurity from a policy standpoint. and about how to actually get organizations to make those risk management trade-offs. how do you actually get organizations to make changes? how do you get the government to actually do something? and how to get the bureaucrabureaucra cy to actually function? those are all different, those are actually different skill sets. you need all of them in the cybersecurity area. so if you look at, for example, the cybersecurity directorate on the national city council staff, they have an incredibly wide array of people who have very, who are engineers with technical skills but also people who primarily have legal backgrounds, people who have done development work in the international space. people who have spent time in the military. people who spent time in law enforcement, because all of those are different aspects of the problem that we need to bring to bear on the issue.

>> i am a junior experience in government various agencies helps you with hurting the cat issue. in your role as a coordinator you don't have any real power over these organizations, right? you can make suggestions but you can't say you have to do this. you think that rule has changed in the future of? >> actually i don't. i think that, i believe that as with any of the white house jobs, a lot of it is about the soft power and the way that you work within the bureaucracy in the different agencies to get them to a line policy and move roughly in the same direction. i think you can be very effective in that space as long as you understand how that space actually operates. i think that cyber is such a

humongous issue that you're not going to be able to put any one person in charge of it in that sense. i actually think that would be, i actually think that would not work very well. and instead you actually do need somebody who can get to the various aspects of the law enforcement agencies on what we're doing to protect our critical infrastructure, what we are doing in the military and ashes to be space. you're never going to put that under one spot come under one person. i don't think it would be a good idea. you need to have those skills to manage across other different agency minds. >> can you give us a bit of an update on what you are doing in congress to get the savagery legislation moving? >> sure. i think we've been heavily involved with working with committees on, relevant committees of jurisdiction in both the house and the senate to work on the legislation and make improvements to it and get it into a place that could pass both houses and the president

could sign. we remain committed to doing that. but obviously getting anything passed on capitol hill right now is quite a challenge. i think that we try to be realistic, but it's something we remain heavily engaged with. >> we talked a little bit about, mark, before going on stage and another thing in the news is that apple and both google are strengthening their security protections on their phone. something the fbi director and the attorney general don't really like so much. what's your view of that? >> well, i think the issue is not so much strengthening encryption itself but obviously if you look at the newest framework, encryption is the best practice in cybersecurity, and encrypting data interest and emotion are smart things to do. it's not so much encryption

itself but its how is it that the government and our law enforcement agencies can continue to gain access to information in the course of an investigation in a court-approved process, into what it is about something completely beyond the reach of law enforcement. ..