tv Key Capitol Hill Hearings CSPAN February 23, 2015 10:00am-12:01pm EST
10:00 am
10:01 am
to take on these tools and pick them up and use them actively even if you don't particularly feel that you are a member. >> we have time for questions. i'm just going to open up to the floor, and i know that we have a cache -- hashtag where people are potentially joining our conversation and i will point out to those of you listening it is #newamcyber. we have questions? yes, in the back. >> one of the most disenfranchised groups in afghanistan are the women that fight every day for a quality.
10:02 am
we established the trust of the network. we think it is a matter of life and death and not just whether you lose your account. there is a secure means by which you can get on the network through the portal entirely secure and they can discuss issues from everything from small businesses that they are attempting to educational issues. so there are things out there when it comes to the portal technologies that are secure enough for people especially those in a difficult situation like women and children are in afghanistan. to discuss those issues that are sensitive and we look at that as a matter of life and death in some cases just the use of technology and dangers are they so they not only have to offer
10:03 am
operate when they are on but when they are on the portal they are very secure. second and active -- the question i have is has the panel considered secure portals for the online collaboration for the groups that are at risk and i mean that in southern syria where people have sent simple e-mails that have been intercepted by isis and have been taken away and are never heard or seen from again. what is your experience as a solution for the online collaboration? >> i am afraid i don't know the picture that you are describing specifically. i am happy to hear that you are working on a project like that and we do need more people to build up a sort of tools. one of the concerns that i would
10:04 am
have built on the description that you gave in terms of the portals there is probably a large amount of information stored in the system if the communities come under the attack the information is stored to make that particular place a point of vulnerability and this is one of the externalities that has been mentioned where if the administrators of the system don't adequately secure it and i'm not saying they are not securing it because they are. if they lose because someone tried to compromise the system it is decentralized in that way because they become a risk so that is a concern that i would have that relies on the centralized intermediary. a >> i saw another hand go up in that general area.
10:05 am
if you could be sure to ask a question that would be great. >> i remember a couple of years ago they went down for a lunch of stating that seems practical here it is as the commercial credit card system or do we even know lax >> the commercial credit card system in the united states is based on things that you can photograph with your mobile phone. i can't speak to the technical security of the food stamp system, but my understanding is the credit card system is backed by the legal framework not around the technology or the use if so.
10:06 am
>> when you talked about security and confidentiality we didn't mention the availability parts to talk about the confidentiality that comes up a lot and this would be a case of people dependent on the system in order to come and this isn't having the secure attack is where they failed people and again nothing to do with confidentiality that availability we have to think of that as well. >> one of the things in the communities of the development is the system for the poor are poor systems and hopefully we will see that changing in the future. i saw a hand go up. yes, the gentleman in the green.
10:07 am
>> my question is the geography of how the digital world actually appears. think about the weather the status. the weather doesn't follow county lines and the internet obviously doesn't fit necessarily in the national borders. so how should we look at the internet and how we connect to it and how we interact with it perhaps just markers of which we change our behavior when we get online and use our phones and things, what are some things to understand based upon how you would describe what the internet is actually, how it is actually designed and how we should interact with it. >> can you be more specific? >> i guess on the technical side we use the tor servers.
10:08 am
but my digital identity can be copied and i can fake it. so that's what i am more curious about. if this can be done all over the world and i can appear anywhere in the world then how do we if we don't understand it as well go about protecting ourselves or interacting, just things to keep in mind. we can come back to that. >> thanks. great panel. i'm wondering what you make of the trend of providers beginning to charge users for the
10:09 am
privilege not to be tracked. for example, reportedly at&t in rolling out its gigabit service will allow you to opt out of the tracking of all of your online activities and ads for $29 a month over the answer is perhaps fairly obvious what do you think this means for the low income communities in the privacy and security and do you see this to be a growing trend? the >> it isn't just at&t. there are folks unaware of how this stuff works. facebook says to your mobile provider we will cover the connectivity cost as long as we are talking to facebook. what if you can get your mobile phone plan and it is free as long as the only parties you are talking to our face looks within facebook becomes your mobile phone and that's the network
10:10 am
setting up a central point and the answer to your question is a the only way that they will get initial access and the long-term view what we think of as the internet could become the domain and i think that is a tragic outcome. >> we have time for one or two more questions. >> my question has to do with existing infrastructure that's already in place affecting every day cyber security issues for everyday people. in the proliferation of the use of the tor browser like this gentleman mentioned, how do you deal with security issues affecting every day people?
10:11 am
do you think that is a good solution? thank you. >> i would love to see more people using the tor browser. i don't think it's a solution to all of the problems we face. it provides a very specific set of bounded anonymity preservations but it would be great to see more people using it. again it doesn't solve all the problems. i would be happy to see facebook opened a tor service. not because i have a particular stake in facebook. i don't use it but i am happy to see that it's there because it points out that the use of tor is a fundamental activity that many people would want to do simply because they are blocked from the network services they want whether it is by their government or their employer or their home internet
10:12 am
provider. >> i want to end with a question that will hopefully get us thinking through the connection in the conversation and the rest of the conversations that we will have throughout the day. throughout the day we will see this concept of cyber security in all of its permutations. i get the sense that the conversations into some of the ideas that we have been talking about in terms of accessibility, availability, now afford ability the protocols and standards setting what do you hope of these issues that we have been talking about this morning in this session travel and intersect with some of the conversations that are happening later today?
10:13 am
>> maybe i can follow up on two questions. the anonymity question, there are a lot of times where we rely on anonymity and the digital world, the way that it is designed right now makes it very difficult to enact bees in the real world anonymously. crisis lines have been an example and i think it is important that we think is a digital and virtual weekend no longer make that distinction between i'm anonymous online. they are so that we have to make sure that certain basic cultural and societal practices like anonymous speech or acts and services remain available i'm not saying in this new environment and the gentleman that was talking about afghanistan and syria are not
10:14 am
only in the u.s. but making the infrastructure available where enabling parties in those countries to survey on their own populations in the case of syria they bought massive amounts of software from the companies mostly in the west and they've been using them to survey the population which endangers any project for any of the minorities or this disenfranchised people or vulnerable populations in the societies. so while we can always look at the security and privacy of the tools that we develop, they are only as secure and private as the general environment in which they exist and if we go for the government that is based because we think that is a good strategy, then we are endangering the sense of the tools and therefore the anonymity and privacy in this --
10:15 am
the world. >> things in the interacting system. i just want to get a word or two from tara and daniel. >> i like the discussion of the virtual world and the physical world that we feel. we spend so much time we tend to forget that we have these broad communities and social systems that we interact with. so i would like to hear a lot more discussion about software larger social and interpersonal systems in the discussions throughout the day and beyond. >> to add to what they said, i just wanted to reinforce the idea that is the policy proposals are made they often have technological proponents. if you ask for a proposal that allows the kind of deep surveillance that we can sort of worn out about here, that surveillance isn't just going to deal with the cyber parties that
10:16 am
you think will be active. i just want to make sure that proposals like that are understood in the risks they pose to the network. >> thank you. please join me in thanking the panelists. [applause] >> i want to let people in the back know that we have plenty of seats up front so please feel free to move up here especially up to your left and my right. the next speaker is doctor heather roff and i'm pleased to welcome her today after two flight cancellations. she's a visiting professor at the university of denver and she will talk about new and old ethics and what kant, as in immanuel kant the philosopher, can teach about cybersecurity.
10:17 am
please join me in welcoming her. [applause] >> thank you everyone for coming and peter for inviting me into future for america. so i am a weird individual for an academic. i'm trained as a political scientist but i do law and ethics and political philosophy so i like to merge all of these together to think about new technologies. so today my job is to tell you how to look back 200 years to somebody to help us find some information to help us in the future. so this is how political scientists think about the war. this is a bargaining model. what it is doing is two rational actors making rational decisions and this is how political scientists think about the war and this is how they think about the cyber war. but we don't really face-off in
10:18 am
cyberspace with our adversaries. we don't look them square in the face like this. for those of you who don't know we don't square off in the face area and we don't even really do good battles like fun battles in cyberspace. we hit below the belt. we do just enough to be irritating but not enough to trigger what we consider an act of war. and this is really telling. so how do we figure out when all of these below the belt issues are coming out? it would be really nice if we had something like a dark mark from harry potter told us when our networks are insecure and that in all of the data on the screen you are owned. but we don't have any of this stuff and it's hard to try to enforce our rights in
10:19 am
cyberspace. so this is where we come to the rescue. when we think of cyberspace and the rights claims and enforcing our claims of justice and making sure that we can protect the data and different types of things, he tells us a couple of things. one, he says that the state needs to have the monopoly in order to protect our rights. to do this you have jurisdictions and borders and everything is great but in cyberspace we don't have the monopoly and jurisdiction is a problem so then he says while when that is a problem or do you do, you go and actually fight with other states and that's how you prosecute your rights when you don't have the jurisdictional claims that you need. you go to your army and/or navy. and it's completely insecure and it's not a good bet so then you
10:20 am
need to create a free federation state for the defense of community much like nato. so i call this the social contract step if you know any of the people in the back of my photoshop faces, kudos to you and and if you can point out who hobbes is come even more kudos to you. what is happening is we need our friends and our allies. we need to get together and have cooperation. that's what we learned. we need to trust and allies to trust. but when this happens and we have the defense communities and allies and trust we can't do certain things he says. in fact, we can't spy on our allies and he makes a big claim about not involving what he calls dishonorable strategies and it is to be involved in plotting is to be engaging in a
10:21 am
dishonorable stratagem. as we know that all of these reports that come out over and over again about spying and different types of things and breaking down trust we have all of the different leaders of state saying that they are breaking trust and this is huge when we think about cybersecurity because the justice that we want to enforce our rights that we want to protect and require our allies and it requires that we trust our allies. but now we are kind of not doing so hot with that. in fact google's executive chairman said we are going to break the internet if we keep doing what we are doing. you're doing. so we have to really bring it back down to building trust. we can't be an unjust enemy. that is someone who is engaging in these dishonorable stratagems and is threatening the very
10:22 am
fragile bond between allies and peace. so to be an unjust enemy to square off and fight against another unjust enemy is ultimately to go back to a state of war, which he would call the state of the war and this is huge because all of the international agreements or the wall that we have in all of the cooperation we have, we don't involve ourselves. spaced on the very basic rules of trust. but if we keep breaking those bonds of trust, we will undo this great thing that we have created, the internet that has given us communication. he was a big fan of shopping and commerce. he felt that it would create bonds of trust. he said if you visit somebody else, learn about them and their culture. so, we need to continue to engage in the sharing of ideas
10:23 am
and commerce. and we have to stop i think he would say we have to stop thinking about short-term goals of militarizing cyberspace spying on our enemies and breaking down the very basic relationships that we have to enforce the rights claims. so the way that i like to think about this is if you were to quote neo from the matrix, i can't tell you the future but i can tell you how it's begun and we need to stop militarizing cyberspace. we need to think back to the claims of justice how we enforce our rights and how we utilize our rights. how we make laws and stop engaging in what he would call dishonorable stratagems. thank you very much. [applause]
10:24 am
10:25 am
i know he's here. so while we wait for him to come up on stage i want to point out during lunch he might have noticed in the agenda we have pop-up speakers during the lunch break so we invite you to go outside to get your lunch and then bring it back in. that also applies to the coffee outside of the room for those of you that might have joined us later. here is peter bergen. i will hand over to peter. >> i get the honor and the privilege of introducing the next speaker john carlin is the assistant attorney general for national security. he runs the national security division which is about 350 federal employees who basically are responsible for prosecuting cases of terrorism espionage, cyber issues and national security in general. previously he was a chief of staff and security council to
10:26 am
director robert mueller. he's a graduate of harvard law school and i'm going to engage in a conversation and then open up to you. what is the role of the national security division when it comes to cyber? >> the national security division is a litigating division at the department of justice in about 50 years and relatively new we were founded in 2006. it was one of the reforms from post 9/11 and the recommendation was relatively simple. prior to the existence of the department of justice, the cases, caregivers and cases applications for intelligence before the foreign intelligence court and cyber cases are reported through different chains at the department of justice. as of the idea was just set up a one-stop shop at the department of justice that would be it would have the sole responsibility for the national security portfolio and be a
10:27 am
bridge to the intelligence community and law enforcement. and in particular one of the founding reasons for the creation was to tear down the wall that had existed prior to 9/11 both legally and culturally between law enforcement and national security. and based on the fact that we formed such a response to 9/11 and the terrorist events in the beginning we focus on the terrorism portfolio but with time it became clear that the national security cyber threat was growing. it was is a threat that is here in the economic information by the nationstate actors and gathering of intelligence and the growing threat to use the attack for destructive means by a nationstate or a terrorist group. so starting in 2012 we really started to try to apply the lessons we learned in terrorism to the cyberspace and that meant engaging and developing in every u.s. attorney's office across
10:28 am
the country so 93 94 offices, specially trained prosecutors who were trained on the one hand to handle the bits and bytes and particularities of the electronic evidence in the cyber cases and on the other hand, how to handle the classified sources and methods and learn the patterns and practices in the intelligence about the terrorist groups and nationstates area that is called the national security cyber specialist network and we administer it through the national security division and as a part of it we make sure we have our criminal colleagues because at the beginning of the case it will be difficult to determine who the actor is. that's approaching a change in 2012 i think simultaneously the fbi put out a field that said we are going to start sharing what is on the intelligence side with these new specially trained prosecutors just like we do in terrorism cases and we are going to use this new approach to make sure we are bringing all of the
10:29 am
tools against those that are going to harm the nation through the cyber means. it is a direct result of that approach that led to a first-ever indictment of state actors in the case against the five pla officers in the spring of last year. i think last year was a significant change where we saw the results of this new approach and i think it also led to the ability to very quickly have attribution in the case of the sony hack which from the beginning we were able to treat as a national security matter. >> you mentioned the case of the people's liberation army officers that you pursued. do you think that's going to be an effective approach with china and to what extent is it possible that they did get inside of the american courtroom? >> i think that it was a necessary change in the approach. we got good at the community working for the director mueller and the fbi and the rest of the intelligence community. a vastly they vastly improved
10:30 am
their game at being able to watch what the nationstate adversaries were doing to the system and see the amount of information that would be exfiltrate at a dalia in the private systems. but with that increased ability to watch came an increased obligation to act. we can't just go out. we need to do something. part of that approach in the terrorism arena and we use the phrase often in the terrorism cases is the all tools approach meaning we have to look at the threat actor, what are they doing in this case they are stealing from american companies from the economic benefit of their companies, how can we increase the cost using every lever of american power so at the end of the day they say that it's not worth this approach. we will stop stealing day in and day out with american ingenuity is producing and we will compete fairly. so in order to do that that means we effectively decriminalize it cause we were not before looking to make the cases. that means we find the resources to look at the facts and the
10:31 am
evidence that leads to a criminal group in the u.s. into the lead to a criminal group in europe where the actors in china we are going to follow it and bring charges where appropriate and it also means looking as you saw in the sony case can we do the sanctions through the treasury department and designate certain entities based on the conduct of the commerce department, can use use them as diplomatic power through the state department, so looking across the spectrum of the u.s. power and then gradually increase the cost to make it clear there are consequences and when it comes to these cyber events, number one i think people assumed for too long that you can be anonymous and we won't find out who you are we have proven that is not the case we can find out who you are and who did and when we do there will be consequences. >> a quick attribution to you expect and indictments to come?
10:32 am
>> i will just say this. we continue to investigate this as a criminal case and i think that with each one of the national security related intrusions, we will be looking to do as we did in pla and see if one of the tools we bring to the table can be a criminal charge. >> if they left china with the baby arrested by some sort of an other antique wax >> i won't talk specifically about what we do but it is a charged criminal case and he very much hope to bring them to the united states court room where they will be accorded in all due process under the law and tried as we have other individuals. >> are they subject to a red notice or whatever interval entities? >> i'm not going to discuss the specifics of how he might bring them to the courtroom although we've asked the chinese government to provide them.
10:33 am
backing up a little bit on this approach, in the beginning when we were doing the nonproliferation approach one of the tools we've got to prevent the proliferation of weapons of mass destruction was the prosecution of export related cases that have violated the proliferation regime. in the beginning i think that some in china and others thought that this was a proxy for a trade war and that we were not really serious about the proliferation problem that we were using it for economic reasons. over time they realized no we want to stop the weapons of mass destruction from getting into the hands of the rogue states and we realized that's why we are using the criminal tool in that arena and we have had countless cases of individuals arrested overseas extradited and brought to justice in the united states court room for the proliferation cases in the similarly with narcotics kingpins in the beginning.
10:34 am
folks asked why would you bring a criminal charge against someone protected by their home country because they are the head of a cartel, and over time it's taken a long time in some cases but we have brought the heads of the cartels sitting in the u.s. jails. so it's an approach that has been used on others. it will not solve the problem of the criminal justice system. it will not solve the nationstate national security problem, but it needs to be a tool in our arsenal. >> would you consider criminal charges against people who are kind of proliferating isis social media sites were involved in the isis social media production flex >> yes. you need to look at the particular facts and the evidence is. but that brings the use of the material support statute so this should be when when there's a dozen terrorist groups and you are providing your services to that terrorist group either by providing an actual material money technical expertise or your self these are cases that
10:35 am
we have and will charge under the criminal justice system and that approach i think you saw in 2012 about 27 countries were part of the global counterterrorism forum that produced something called the rabat memorandum of best practices. what type of legal code should be on the books should enable you to bring the charges before someone commits a terrorist act and what i think you have seen since then is the adoption by nearly 20 countries of the criminal codes to address the cyber conduct some modeled after the material approach and use all in the fall the unprecedented unanimous approach at the united nations through the security council and the same counterterrorism group to talk specifically about the problem of the foreign terrorist fighters with international and in over 90 countries contributed
10:36 am
the fighters to syria iraq region and that part of the approach to stopping the all tools approach would be making sure that the nations have on their books coming out they are required to have on the books statutes so they can take a criminal action to prevent citizens in their country to joining the fight before they become a bigger risk. >> so isis is using social media to recruit and it's also an advantage for people in the department because they can monitor twitter and facebook and we've had quite a a lot of cases stopped in the airport. what extent is social media a good or bad thing for you? >> so, pulling it even further back social media is huge and it's been an enormous boom to the american economy. it's a change in technology that has many advantages to the world and it can be used for many
10:37 am
positive. it also presents a challenge to those who want to combat the terrorism threat. it is actually a free form of communication that you can use to plot and plan. this is something people would invest billions of dollars to come up with a communication system this fast, sometimes the secure and that would provide essentially for free. it is a new way to propagandize and reach individuals in a very targeted fashion in their home and the ability to produce the slick propaganda is cheap and widely available. so it presents a new threat. there is some intelligence collection opportunity that comes from that threat but i would say that it's one that we saw in the recent events now in meeting with my counterparts and ministers of interior interior from france, germany the uk
10:38 am
australia, canada that as the nationstate was still learning how to confront this new threat, what is the best way to counter the use of the social media in particular for this targeted type of recruiting. >> the private sector is much of the cyber infrastructure. what is the responsibility of the private sector? twitter for instance, which has been quite slow and it comes to taking down content from isis and other groups like this which of course is against that. what role should twitter or facebook have in being careful about the kind of content that's coming up next >> we talked about two issues, the cybersecurity, so much of what we value and we store in cyberspace and so we need to worry about it being stolen or destroyed in that space. social media for the purposes of
10:39 am
the propaganda or communicating. i think in both instances these are areas where we really need the private sector cooperation particularly when we talk about the critical infrastructure. it's pretty much all in the state or private hands and so in order to effectively defend the american people from the threat, we need to work with companies so they improve their defenses but we also need to look at the ways in which they can effectively share information to the government so that we can coordinate and put out the threats to cut across the sectors and also we need to be able to share the information that we have collected as a government to them to best enable them to protect themselves very i think we've made enormous strides in the area but given the scope and the scale as the commission report put it out earlier in some respects we are in a pre- 9/11
10:40 am
moment given the threats we can see coming to the cyber infrastructure so although we have made progress, we still need to do more and faster. >> when you say we are in a pre- 9/11 moment, what do you mean? >> in click >> in some respects, the terrorist groups have the intent to cause the maximum amount of harm that they can against the critical infrastructure and they define it broadly against things able associate with the west or america and try to damage here. so back in 2012, we had also hear -- taking these types of attack and they issued similar calls. we know what they want to do. we have seen a pattern of practice in the past of the terrorist groups announcing what it is they want to do and then doing it. so that means as a country
10:41 am
before that devastating attack occurs, we need to put the attention and resources statutory changes into place so hopefully we never reach the moment where that catastrophic attack has occurred and then we are suddenly putting in a new variety. his back on 9/11 al qaeda had the intent and capability into the question is i'm sure the groups have the attention but cyber terrorism so far is in the area of the cyber nuisance rather than the national security problem. >> so i would characterize it in a couple of different ways. i don't think they have the capability to do the attack they talked about or they would have done it because they have the intent and there is no barrier to entry. you have seen the destructive cyber attacks where they turned
10:42 am
the computers into bricks and resolve the sony attack that wasn't done for economic advantage or intelligence that was done to destroy and the damage the nationstate in particular are doing by stealing economic information for strategic purposes but to use indirect conversation with companies is real. i agree we haven't seen the kind of sophisticated nationstate capability make its way into the hands of the terrorist group that is a matter of time and when you look at the criminal groups there was a case taken down last spring. it was composed of thousands of computers all across. botnet is the term for an internet of compromised computers.
10:43 am
they've gotten into people's computers and they use a thought or ability to take control of your computer and use it for their purposes and that can be used to launch attacks and it can also be used as it was by this criminal group a type of probe called cryptolocker. so they would blackmail you and say if you want to see your data again i'm sure there's so much you value on your computer you need to pay us money. various groups get access to that type of botnet they can block people's access to health information or try to keep people out of the financial sector and they are not going to offer payments to set it loose. they will just cause they massive amount of destruction. so it doesn't take too much imagination. and some of the botnet are for rent. it's even without is that even without having the in-house capability in the terrorist group, you can see how over the
10:44 am
horizon this is a capability they are going to develop. >> what about the states that are the enterprises like north korea or terrorist groups that are proxies to the states like hezbollah? >> we need to look at the particularly sophisticated nation-state like russia and china and see what we can do to deter their activity and pay particular attention to north korea and iran and launch the destructive attacks and part of the purchase to be proving that it's not cost free because we can do attribution and we can determine who you are behind that keyboard which is why that case was important and why the attribution in north korea was important and then we also need to show that after we do that we are not afraid to publicly say what we found. so you won't be hiding in the world stage and third, there will be consequences for that type of activity. but it's a threat but i'm very
10:45 am
concerned about. >> one final before we open up to the audience. what is the framework that exists or should exist that would prevent -- that would be employed for the future sony -- i understand as american law but is there enough international law to prevent this going forward but at least make it harder for the states like iran and others to do this attack? >> we need to continue to work on the norms in this area which is relatively new although some of the activity that takes place i think violates already the international norms. but second, to make sure that we develop partnerships and capability in the same way that we do with the traditional terrorist threats for instance with our partnered nation-states and that means getting prosecutors, getting fbi agents, getting experts from the department of homeland security out to train and familiarize themselves with their
10:46 am
counterparts. it's a fundamental international threat and even when your threat actor is in one place, the tools that they are using to launch the attack they come from another country's infrastructure. so just like here in the united states we need to work with places like the universities that have a lot of bandwidth and server space so that they are attempting to criminal groups or bad actors who want to use that space not necessarily to steal something from the university but to launch attacks against others and we also need that same concern with certain other partner countries to work with them so that we can take action when other people are trying to maliciously break infrastructure and you see this new approach. some of the cases like the botnet case involved coordinated action by the public and private sector partners throughout the world, 30 or 40 different companies taking simultaneous action to disrupt, so that has to be the model moving forward.
10:47 am
>> thank you. if you have a question raise your hand and identify yourself. thank you. >> i'm interested in relation to the terrorist propaganda that we have seen in the social media or on websites the internet service providers in social media companies taking those down and deleting them or are the security enforcement here doing more to remove some of those insightful postings? >> i think there was a call from the attorney general to paris after the attacks and we met with the interior ministers and
10:48 am
any of our partner nations and from that meeting there was a call that was echoed again when the 60 countries were in town last week and we need to find a way where we can work with internet service providers to obtain the information that law enforcement and intelligence services need to prevent terrorist attacks before they occur. and at the same time we need to do that in a way that is protective of the civil rights and civil liberties of the many users that are using the system for innocent purposes. and i think that is a balance that we can obtain and something that there is great interest not just in the united states but with partner countries across the world to make sure that we find that proper balance. the other thing we need to do which isn't my expertise to focus more on finding who did it and holding them accountable but
10:49 am
it's to figure out the best way and that counter method so that when you are competing for those that are getting propaganda by the social mediums in the campaign, how do you reach that audience in a way to explain the ideas we ought to be able to win and why the ideology that is based on their individual's killing children and innocent civilians in the fundamentally nihilistic is one that you should join and that's where we also meet the creativity of those that are experts in space and the private sector married particularly with our countries in the middle east on making sure you have that message and that you figure out a way to reach those at risk of being targeted for the propaganda and recruitment.
10:50 am
can you wait for the microphone. >> i'm with the american bar association. thank you for your service. my question as you know is there's a lot of legislation on the hill and the issue for sharing information to help the government concerns in the end of the issues. so i would like to hear your perspective on what you think may happen and how it can be pushed the private sector and sharing that information with you. >> thanks for that question. legislation in this area is needed. we know that we need the information. the private sector needs to be able to share information effectively with each other and they need to be able to share information effectively with the government when it comes to
10:51 am
cyber security threat information and likewise the government needs to have a method. for instance the finding that the signature, meaning an identification for a piece of malicious code, we need to have mechanisms so we can push that out so that private companies can harden their own infrastructure and protect against those that would use that data signature to attack their systems and that's why the president has called upon the congress to introduce legislation that would provide immunity. the companies know clearly what type of information it is that they can share to the government in the absence of legislation, we tried talking with private partners and we are meeting together in a sector to talk about cyber security issues and it isn't going to be a
10:52 am
violation. we've tried to issue based on the questions from when i was doing outreach in the general counsels that the electronic communication privacy act isn't a bar to the sharing of information in certain instances in this space. and you've seen the president more recently issued the executive order on the information sharing to try to set up these industry specific groups that could share the information. i'd heard again and again from the general counsels during the outreach that to reach the level they feel like they can share in the space we need legislation and so i very much hope and i know that the members of both parties are engaged and active on this issue and i hope that we will see the legislation in the coming year. >> i have a question sent on
10:53 am
twitter for the two of you the question is for casper and it says on february 5 you view the privacy authorities that the united states stop the collection of the european data. will you? [laughter] >> it's twitter. >> peter has the power to press you to answer that question. >> i think the united states alone at this point among the nations throughout the world has had a president that has announced what we will and will not do in terms of our intelligence collection. every major country in the world, western and otherwise has an intelligence service and that intelligence services have been
10:54 am
recognized under the international law and what the president has said is that it's not a question, we need to make sure it's not a question of what we can do what we ought to be doing with those technical expertise and authority. as so we could solve constraints on what the community can do in the space and also in the american system for unique system of oversight as well that dates back to the original passage of the fisa foreign intelligence surveillance act where it's not just the executive branch but the involvement of the court system and these are the same judges that appeared as a prosecutor that are giving in addition to the regular duties they sit on the foreign intelligence surveillance court. and we set up a unique structure in terms of having the intelligence committees in the hill in their response and abuse that was set up and regularly so
10:55 am
where they were needing to be briefed on every single activity and you see the national debate as to whether the involvement of the intelligence committee and foreign intelligence surveillance court and restrictions in the executive branch is sufficient or whether we should change that structure. and you've had a different version of the house and senate and the president endorsed different proposals to change the current structure. but i would make some sense perhaps from someone who oversees the point that there isn't another country in the world that has the robust and transparent approach to the collection of intelligence but i guarantee you that they are collecting intelligence. so although we should continue to hold ourselves to the highest standards to make sure that we reach the right balance that we are comfortable with here and we
10:56 am
look forward to seeing what approaches including the european partners apply to reach that same balance. >> it seems the obama administration realizes the collection of the telephone metadata for several years by the government was sort of an overreach. >> i think where you heard the president say what we are talking about here is the potential for abuse on the one hand but it's a report in a different place than where we stood today after started today after the church report where we found information being used for improper purposes. there is a potential of abuse because of the information that you are collecting and you are balancing that against the potential to prevent terrorist attacks. looking at the balance i think what you find is another way to
10:57 am
achieve the goal for the national security implications. there is another way to get it that doesn't involve the government holding the data so it decreases the potential and that is a change that has been called for in part and the president said because the law enforcement intel agencies work for you and me to the trust ultimately of the american people to do their jobs and so that can increase the trust and confidence then we should do it. >> one more question over here. >> i'm from the social media exchange and we do a lot of research on the digital rights in the region. so thanks for being here and i'm particularly interested in
10:58 am
the partnership of the country in the middle east and i am concerned about these partnerships because i see in the middle east there is so much of a lack of expression and if the partnerships could actually -- i want to ask basically what are you going to do when you are partnering with these countries and there is an initiative announced last week at the violent extremism about working with the uae to message on social media. but what are you going to do to make sure that we are not drawn closer to their idea of what should be free expression online versus asserting our freedom of expression online. >> perfect. we got it. >> so, to discuss with peter earlier, there's so much good that can be done for the social media giving access to this new
10:59 am
form of expression. so, why do we need to make sure that we can approach and meet the national security threats, i think we can do so in a way that is consistent with our values. and speaking from the own division, that's why we have lawyers that are steeped in the protection of civil liberties. also, the use of genuinely independent court systems in the institution of the rights and how to balance that against the national security threats. what we are working to -- and we do not have all of the answers but here is how we were able to draw the balances is the protection that we were able to provide, the limitations in terms of the protection of the first amendment speech. and we are trying to draw best practices with partners that would enshrine those rights and there would be an ongoing conversation.
11:00 am
11:01 am
information assurance. u.s. cyber command has three missions. obviously, defending dod's networks of the department of defense's networks, providing combat support, and strengthening the country's ability to prevent and to respond to cyberattacks. so typically when admiral rogers is asked to speak at events like this one, is asked to talk about how we reform the u.s. intelligence community, how the nsa should work going forward. and that's a very important debate, and new america is active in that debate. the open technology institute has done a lot of work around trying to inform the public about the policy dimensions of that debate. and i have to just say some of the time we are not exactly on the same side with admiral
11:02 am
rogers in our positions on this debate. that's not what we are going to talk about today, although we are always happy to engage. what we want to do now is to talk about the role of the national security establishment in the nation -- mission in both the nsa, the nation's of information assurance and also strengthening our nation's ability to withstand and to respond to cyberattacks. so in this conversation, cnn national security correspondent jim sciutto will be interviewing admiral mike rogers. please join me in welcoming them. [applause] >> [background sounds]
11:03 am
>> thanks so much, everybody. thank you, admiral. appreciate the privilege. in front of so many people. we have the benefit today of some news which i know you love to talk about. a story on the front page of "the new york times" about iran, and iran finding out in advance about are just discovering a u.s. effort to continue to attack its system and respond with its own retaliation begin in august 2012 including attacks on u.s. banks. the first question i would ask, how much of alarm you did iran was able to discover the? >> i iosa have not read what you're talking about. >> it's an nsa document.
11:04 am
let me summarize for you because it's an nsa document. assuming it's true, you can also say you have no knowledge of it but the document saying, written by your predecessor, was saying that iran discovered a program by the u.s. followed the stuxnet virus a couple usually to infiltrate computer networks. and it in part in response to the u.s. effort did iran then carry out its own wave of retaliatory attacks in three ways of attacks beginning in august 2012 including attacks that targeted the u.s. banking system the first question, does that sound accurate to you? >> again, i don't want to, if i haven't seen -- in broad terms though, if want of a broader discussion about so did the actions that nation nation-states taken severely to responses in others question certainly understand that. you know the united states like
11:05 am
many nations around the world, clearly with capabilities and cyber. the key for us is to ensure their employed in very local, very formulated, very resonated many. i think you saw that in the president's direction to us in terms of presidential policy directive 28 in which he laid out about a year ago sort the signal intelligence come here's the framework i want to make sure you choose, the principals i want you to be mindful of. this is the legal kind of basis. speed and let me approach it differently in more general terms because the point that this story raises and will separate ourselves from the story is a danger that a number of major including yourself, the idea of making cyberattacks more costly in order to deter them. the follow-on danger is if you're making those attacks more costly by carrying out your own attacks, are you starting in vicious cycles of attack in
11:06 am
retaliation? do we see that with conference in a country such as iran? that goes back even further. >> my comment with the escalation is not something -- semitism we develop frameworks over time to help us address the issue of escalation, in the market had come for traditional world, i think cyber is the same kind. >> do you believe you have addressed it sufficiently? for instance, this event, or the other security concern that it leads us down a dangerous path but everybody is looking for ways to deter. with servicing the damage and god does not just a rental country such as china he also sees the danger of a follow-on. accountable we have a handle on how to deter america's adversaries from cyberattacks without creating a further problem? >> i think close the concept of deterrence in the cyber domain
11:07 am
are still relatively immature. workload on i think where we need to be. what i think we want to collectively be. this is still the early stages of cyber in many ways. so will have to work our way through this but it's one of the reasons why quite frankly i'm interested in forums like this because i'm interested brought to perspective, many of which will be interested from what i bring to the table. i'm interested how to be collectively as a nation come to grips with some fundamental concepts like the cyber command. if you look at what he sees happening in the world around us at the threats were facing insider, continue to grow. >> no question. let's look at the bigger threat. you have iran with a great history back and forth. you have russia, source of frequent attacks both in the private sector and government sector into china. has been a couple of years in china dealing with us everywhere have enormous costs to the business community in the tens of dozens of dollars, plus we know the target government
11:08 am
institutions and that some success stealing secrets. people talk about the coming cyberwar but when i look at that, just as an observer and as a reporter it looks like we're already at war to some degree a low-level war but with these countries, these are attacks with real consequences, real capabilities. >> clearly i would argue that history shows to date you could name any crisis in almost any competition we've seen over the last several years and there's a cyber dimension to it, whether it's what we saw in georgia, whether what we saw in the ukraine, iraq, challenges associated with isil. this is not something isolated. and i think among our challenges as we move forward is, so if cyber is going to be a fundamental component of the world we're living in and the crisis and the challenges we're trying to deal with the how are going to work her way through the? what we're trying to argue is
11:09 am
overtime if we can get to the idea of norms of behavior, if we can develop concepts of deterrence that latest to collectively to get a sense for how far can you go what's aggressive, what's not aggressive what starts to drip response thresholds, those are all questions i would argue for a spirit it sounds like we haven't even defined the concept. it sounds like you're saying we've got a long way to go. >> i think he used the word we are not mature and that's not what we really need to be. i don't think there's any doubt about that. that. >> i want to ask you, leon panetta used a phrase which i'm sure you heard he fears a cyber pearl harbor. what does a cyber pearl harbor look like? >> the way i phrased it is my concern is an action directed against come in my case, as a member of the united states military, and action directed against infrastructure within the united states that leads to
11:10 am
significant impact, whether that's economic, whether that's in our ability to execute our day-to-day functions as a society, as a nation. that is what concerns me. you've seen some can look at what happened with sony. you look what we've seen nation-states having to do with u.s. financial websites for some number of years now. those are all things that were they, take the financial piece with a successful, ability of private citizens if that were ever really contested, think about the implications for our nation and individuals. >> which states today are capable of carrying out such an attack like that? >> we briefly talked about the big players in cybercom if you will, nations we see active. we've talked about are concerned with china and what they're doing in cyber. clearly russians and others have capability. we are mindful of that. generally you won't see here's
11:11 am
my assessment of every nation around the world. >> i understand that there is to read there, china and russia. because we see them, defined that they are in some of these smaller scale attacks, even one that went to the white house computer system, not the sensitive system but still do you find that they are on the one side kind of showing off their ability a little bit and on the other side testing, finding the weak point? >> i think nation-states engage in action in penetrating a system in the cyber arena for a whole host of reasons, among the two you've identified, whether it be the theft of intellectual property. i think depends on the source you want to use as a nation i think we lose somewhere upwards approaching $400 billion a year, in the theft of intellectual property but certainly the department of defense is an issue that is of great concern to us as we
11:12 am
watched nation-states penetrate some of our key defense contractors steal the enabling technology that gives us operational advantage as a military. >> if i can we've got a cyber audience here and i want to go to the cyber audience and give everybody a fair amount of time. so if i could touch on a couple of the topics just -- first on the patriot act. i want to set aside just for a moment the privacy concerns which as you know are severe from some quarters but -- >> and very legitimate. there are legitimate concerns for us as a nation. we try to get out of going to strike that competing requirement for security and technology at the same time our rights as citizens, its foundational to our very structured as a nation. it goes to who we are and what we are. >> let me ask you since you brought that up. do you think the current
11:13 am
metadata collection did not get that balance right? >> i think that metadata collection generates value for the nation. i honestly believe that. that it does generate value for the nation. now, isn't a silver bullet that in and of itself guarantee that there will never be another 9/11? or there will be a successful terrorist attack? no. that's the creek anyone choose i would be the first to acknowledge it is not a silver bullet. it is one component of a broader strategy designed to help enhance our security. at the same time would also realize that in executing that phone records access that we need to do it in a way that engenders a measure of confidence. that is being done in a lawful basis with a specific framework and that there are measures in sight, in place to ensure that nsa or others are using their access and that is fair and
11:14 am
right for us as a nation. >> i'd like you to quantify the value that is generated for the nation to early on when the program was revealed, i was reporting this heavily at the time, the administration bandied about a figure 50 plus florida. in overtime that figure was whittled down by among other senator patrick leahy to a smaller number where the metadata even doubt he would argue to zero, where the metadata itself is necessary where other programs could not have accomplished the same thing. can you identify a specific plot without bulk collection we wouldn't have been able to -- >> in a larger classified forum i'm not going to do that. >> does one exist? >> but i will say this. i base my assessment on the fact that it to do believe it generate value for us to now, if you want to define value as in
11:15 am
and of itself can you prove to me that without this you wouldn't have forestalled an attack, he if he didn't have this you couldn't forestall. the criterion i would argue is if the user that then they would argue things like why do we maintain fingerprints? if you couldn't reach me by that collecting fingerprints in and of itself would forestall criminal activity, why would you do that? >> but we don't -- i would argue that's not the criteria. >> don't you think there's a higher standard because we don't think that everyone in the room. he fingerprints when you have a reason to fingerprint. >> if you look for example at the not think the information retained -- >> global entry. let me ask you this and because the reason i started the question by saying a privacy concern for a moment because its officials from inside the national security, not industry, but institutions of government fbi and others were concerned that they will lose the tools that they find extremely useful
11:16 am
tangible ability to go after hotel records, et cetera, in the battle to maintain phone metadata collection which day, i speaking only fbi officials rather than myself say see it as less important. >> to be honest i've never heard that argument. we talk regularly. >> you don't, you don't think the fight over metadata could hold up, particularly wednesday in the renewal or extension of 215, other more useful tools in fighting terrorist? >> is it possible? yes. my comment would be the value of this effort and the legal framework to continue it is a conversation we need to in and of itself. what do we think? does the progress that's currently with the limits that we are directed by the president, or changes the congress, because remember this is all derived from a law passed by congress, patriot act
11:17 am
specifically section 215 of the act. and should congress decide as they look at them because no action is taken the authority expires on the 31st of may 2015 in which case on the first of june we could no longer access this data and try to generate insights a connection between activity overseas and potential activity in the united states. matching member that's what drove this in the first place. and the aftermath of the 9/11 attack, e3 the 9/11 one of the comments made in the report was look you have in at least one instance own conductivity between one of the plotters who was in the united states and back overseas. hey, you guys should have access to this but you should've connected the dots, you should've realized that there was ongoing plots in the united states with a foreign connection. that was the genesis of the idea how can we create a legal framework that would enable us to make a connection between non-activity overseas either a
11:18 am
nation-state group or individual compact within try to take that overseas day and see if there's a connection in the united states? and how can we try to do it in a way that protects the broad rights of our citizens? i was the whole idea behind. so i would urge us in the debate on this, and it's important we have a debate not to forget what led us to this in the first place. >> what are the prospects for renewal extension? >> to be honest, this is a glad to be a serving military officer. i have no idea. this goes beyond the expertise to i realize it's a public a issue. >> if lose it was a great -- greatly hamper your authority to thwart attacks? >> do i think if others and makes our job harder? yes. on the other hand, you respond to the legal framework that is greeted, we at the national security agency do not do not
11:19 am
create the legal framework. that is the role of the legislative branch and our courts that interpret the legality of the law. whatever framework is developed, we will ensure that he was executed within its appropriate legal framework. >> want to turn again to counterterrorism. another issue. a lot of talk with the two intelligence officials they will acknowledge that terror groups have altered the way they communicate. that's made a difference. i just wondered if you could quantify or just described how much expert your capability? >> i would say that is had a material impact in our ability to generate insights into what counterterrorism and what terror groups around the world are doing. i would rather not get in specifics because i don't want them to have any doubt in the mind we are aggressively out hunting and looking for them. they should be concerned about that. i want them to be concerned
11:20 am
quite frankly. i'm concerned about the street our nation the security of our allies and their citizens. so anyone who thinks this is not i would say they don't know what they're talking about. >> d. ofd. have new blind spots jeanette prior to the revelation? >> have i lost capability? yes. >> how much does that continue? >> it concerns me a lot. given the mission of the national security agency given our footprint around the world us as a nation. we think about our ability to provide insights to help protect citizens wherever they are whether they be out there doing good things to try to help the world, whether they be tourists, whether they be be serving in the embassy somewhere, whether they be wearing a uniform and define us as an about it in afghanistan or iraq today, clearly i'm very concerned as well as our key allies stick out to respond to
11:21 am
that? sounds like an obviously sure but have you found yourself forced to develop new capabilities to make up for the lost capability? >> right. to be successful we have to be an adaptive learning organization and as a profile of our targets changed we have to change with them. >> i wonder if i could turn again, what's again because i do want to give time to the audience but this comes back to intelligence reform to some degree. recommendations 24 and 25, we haven't talked about it. this was big news the year and couple months ago but it's been as often happens in washington -- >> i hope you know i have it memorized. >> need have i. i just -- one was splitting cyber command, military leadership civilian through the nsa. of course, we have you. do you think that's a problem? >> no. i would argue -- a specific point as many of you may be aware, i am both the command of
11:22 am
the united states cyber command, so an operational organization within the department of defense charged with defending the departments networks as well as if directed defending critical infrastructure in the united states. that's my u.s. cyber command role. i'm also the director of national security. in that role two primary missions. one is foreign intelligence and the second is information assurance. given his habit and immature scene in the world around us today, that information assurance mission is becoming more and more critically important to so the discussion in the past about a year ago now about so should you separate these two so have an operational kind of individual cyber command and have an intelligent kind of individual running nsa? the decision was made at the time which i fully supported it when i was asked what has been edited for potentially to fulfill these jobs my comment was given were u.s. cyber command is in his maturity and it's a journey right now, it needs to get to those of a
11:23 am
national security agency to defend critical u.s. infrastructure and to defend the department. in combining both intelligence and operations in the same what we've seen and the lessons of the worst of iraq -- the last decade to integrating these almost seamlessly generate better outcomes. >> and the president has come to that conclusion. do you think the pressure is off to some degree? you remember the pressure and this is when you were in a seat but this was an enormous focus from inside and outside washington. we know we have this deadline coming up june 1 but it's not the same. do you feel the pressure is off? the worst fears and concerns of either been laid or forgotten? >> i wouldn't say forgotten but i think we've gotten to a place where people say okay, so now we have seen this work under two different individuals. we seem to be comfortable of the construct is workable, generating value. but if that were to change, we
11:24 am
would clearly have to look at it again. >> thank you very much. i'm still going to ask you questions i want to give folks a chance to ask some questions as well. i know we have a microphone going around. i also know we have questions coming in via social media. i will wait for those. why don't we start with the crowd seems you guys have taken the trouble of coming here today. right here in the center of the audience. thank you, by the way great. >> admiral, thank you for coming. we were talking about the sony attack earlier and we heard that justice department is investigating this criminal matter and we've seen sanctions from the treasury department. what exactly is your role in this? not just identifying this but do you see any action that you intend to take or have taken in response to the? >> i'm not going to get into the specifics of what as a matter of
11:25 am
the department of defense putting up my u.s. cyber command role if you will, we may and may not be the i think of presidents comments about we're going to start with economic piece and then we will look at our time the potential of additional options for different applications and capabilities, that the positive side i think is the immediate actions remember the hack, that instructed these occurred in late november. this is unacceptable and that we don't want this to happen again. that seems to have had at least in the near-term the desired effect although i would be the first to admit as i said coincidentally just a couple of weeks before i am testifying in the house i said look i think it's only a matter of time before we see destructive offensive action taken against critical u.s. infrastructure. i believe, sadly in some ways that in my time as commander of
11:26 am
the u.s. cyber command the department of defense would be tasked with attempting to defend the nation against those types of attacks. and realize it's against a motion picture company. >> during this one phenomenon with regard to north korea is that china has to some degree, round on being alarmed by some events inside the political structure there. how much help did you get from china if at all knowing the internet is routed north korea's internet is routed via china. did they help the? >> we reached out to our chinese counterparts to say this is a concern of us it should be a concern to you. that in the long run this kind of destruction, destructive behavior directed against a private entity purely based on freedom of expression is not in anyone's best interest this is not good. they were willing to listen. we will see how this plays out over time. the positive side we were able to have a conversation.
11:27 am
>> was the u.s. behind the retaliatory attack on north korea? [laughter] >> let's make some headlines. >> not going to go there? >> not going to go there. >> did china offer any material help other than listening to? >> i didn't work that specific aspect of the problem. my knowledge of the specifics -- [inaudible] >> okay. over here. where's the microphone? sorry. try to get to the other side of the room. >> good morning. david sanger from the new york times. good to see you. >> david, how are you? >> good. >> i apologize i did not read "the new york times" today. >> only my mother reads me that early in the morning. my question to you goes to the question of encryption,
11:28 am
something that has, by recently. useful in the fall when apple turned out a new operating system for the iphone 650 basically put all the encryption keys into the hands of the users and said if they get a request of the either a legal request all they could really handle, hand over from the phone itself would be gibberish. you would have to go break the code. they have made it pretty clear in recent times even when the president was out in california last week that they plan to extend that encryption eventually up into the cloud and so forth. and we've heard the fbi director, james comey say that this is creating a dark hole that is going to get in the way of their investigation. we haven't heard very much from the intelligence community on this. i wonder if you could talk a little bit about this whole phenomenon of basically handing the keys to users, how it would affect your
11:29 am
own ability, whether or not the computing capability are building up to its ideal to try to break that, and what solutions you might have? >> broadly, i share director comey's concern, and i'm a little perplexed is the wrong word but most of the debate i've seen is that it's all or nothing. it's either total encryption or no encryption at all. part of me goes can't we come up with a legal framework that enables us within some formalized process a process i would argue me the nsa or the fbi would control to address within a legal framework valid concerns about. if i have indications to believe that this app is being used for criminal or in my case foreign intelligence national security issues, can't there be a legal framework for how to access that? we do that in some ways already. if you look at for example, we
11:30 am
have come to the conclusion as a nation that the exploitation of children is both illegal and something that is not within the norms of our society. so we agreed both a legal framework that deals with things out there that would pass this photography and imagery that reflects the imagery of the exploitation of children. we've also told compass can for example, and you can screen comment by the, that's unacceptable. that it violates not just a law but a norm for us as a society. so from my perspective we've shown in other areas that through both technology a legal framework and the social compact that we've been able to take on something like this. i think we can do the same thing here. i hope we can get past this, well, it's either all encryption or nothing. we've got to find some of the levers we could create that would give us the opportunity to recognize both very legitimate concerns and privacy which i
11:31 am
share as a citizen, as well as i think the very valid security concerns about look, if these are the paths that criminals, foreign actors, terrorists are going to use to communicate, how do we access this? we've got to work our way through this. >> i will walk around the other side of the room. thank you. there have been reports from cybersecurity analysts and the snowden documents that the united states is engaged in spyware for purposes of surveillance. how significant is spyware to the nsa's surveillance capabilities? >> well, clearly i'm not going to get into validation. the point i would make is we fully comply with the law. it provides a very specific framework about what is acceptable and what is not acceptable your want of a guiding principles which keep in mind when we're conducting our foreign intelligence mission and we do the foreign
11:32 am
intelligence mission operating within that framework. that's the commitment i make as director and with a legal frame and we will follow it. we will not deviate from it. >> bruce schneier, we haven't met, hi. your other question is not a legal framework that's hard as technical primer. that's what makes the problem hard. my question is also about encryption. it's a perception and unreality question. we are now living in the world where everybody attacks everybody else's systems. we attack systems. china attacks systems and i'm having trouble with companies not wanting to use u.s. encryption because of the fear that nsa, fbi, different types of legal and surreptitious access is making us less likely to use those products.
11:33 am
what can we do what can intelligence community do to convince people that u.s. products are secure, that you are not stealing every single thing that you can? >> first, we don't. number two, that's the benefits of a legal framework approach. look, with specific measures of control that i put in place to forestall that ability. because i think it's a very valid thing to say look, are we losing u.s. markets? what's the economic impact? i certainly acknowledge that this is a valid concern to i iges if that's why the combination of technology, legality and politics, if you get to a better place than where we are now. realizing we're not in a great place now. >> it's not just encryption but it leads to high-tech executives, they talk about tens of billions of dollars in business loss, whether social media cloud computing, et cetera. should that not be part of the
11:34 am
cost-benefit analysis of something like phone metadata collection et cetera? frankly it's not really a question for you. i'm going to ask you to anyway. it sounds like your technology that broader impact have to be part of the decision. >> i think we need to acknowledge there is an impact but i would also say look, let's not kid ourselves. there are entities out here taking advantage of this to make a better business case. there are entities out there using this to create jobs and economic advantage for them. let's not forget that dimension at all. even if we acknowledge it is a problem. >> just to move the microphone around, do we have a question from someone from the media? do we have a social media question at all? on, we will wait a little bit. >> thanks. patrick tucker with defense one.
11:35 am
a couple of reports come out in recent weeks about isis using the dark web to raise money for bitcoin, the dark web basically a bunch of anonymous computers, a bunch of anonymous users are able to find each other. can you speak a little bit to the problem in terms of intelligence collection of the dark web, what does it mean to you and how are you going about time a solution to some of these, these really big problems of how to find people using that you want to be found that are effectively using it for fund-raising? >> well, clearly i'm not going to get into the specifics but let me just say this. we spend a lot of time looking for people who don't want to be found. that is the nature in some ways of our business. taken are talking about terrorists and talking about individuals who engage in espionage or other activity of our nation, or that of our allies and friends but in terms of what are we trying to do broadly, i
11:36 am
mean, first i would acknowledge clearly it's a concern to isil's ability to generate resources, funding is something worth paying attention to. is something of concern to us because it talks about their ability to sustain themselves over time. they talk about their ability to empower the activity we're watching on the ground in iraq syria, libya other places. so it's something we're paying attention to. it's something we're also doing more broadly than just the united states. this is clearly an issue of concern through a host of nations out there. i think it speaks to exactly what, this is an area where focusing attention on. >> as we move across here, just to follow on the question regarding isis am because when we speak to counterterrorism officials, they talk about isis supporters here in the u.s. different level of the problem that you have in europe and certainly in the middle east. since the web is the principal form of radicalization for a lot
11:37 am
of these, particularly lone wolves, folks who travel it must be pretty easy to track is it not, if it's happening on the web, et cetera, can you identify pretty quickly and easily someone who was going down that path? >> i mean it's not quick and easy. renewed out at the national security agency we are a foreign intelligence organizations agency, not a domestic u.s. law enforcement or surveillance organization. so when it comes to the home-grown kind of come in the u.s., that's really not our focus. our focus is on the foreign intelligence that i'm attempting to find a connection overseas. and then quite frankly partnering with fbi and others to see if we generate insight about activity we're seeing overseas, hey how does tie into the activity that we may a minute able to detect in the united states? as my partnerships are so important because we are a foreign intelligence
11:38 am
organization. >> it's not as easy as it sounds but -- >> it's not easy but it's something we pay attention to something we track, where we have partnered close with the fbi. we have seen this, it may be a u.s. connection, it now becomes a law-enforcement question. >> right here. >> as director of nsa and united states cyber command, do you think we are positioned effectively to address the cyberspace as a new domain? and how does that differ from land, air, and sea with the think we need improvements and in what has been? >> so do i think we're where we ought to be? no. part of it is just my culture. you're striving for the best, striving to achieve a check to. you push yourself. i would say we're in a better position in many ways than the
11:39 am
majority of our counterparts around the world. we put a lot of thought into this as a part of the u.s. cyber command, for example, will celebrate our fifth anniversary this year. so this is a topic that the department has been thinking about for some time. in terms of what makes this challenge and what makes it difficult, is let's look at this from defense. one of the points i like to make is, so we're trying to defend and in the show should have been built over decades literally and most of which was created at a time when there really was no cyberthreat. that we're trying to defend infrastructure in which redundancy resiliency and defensibility were never designed here. it was all about building a network that connects the and the most efficient and effective way with a host of people and let's be too much. you didn't worry about what people -- when we designed, concerned that people's ability to penetrate, to manipulate
11:40 am
data, to steal data really wasn't a primary factor. so there's also a component in the department is looking to change our network structure something that those are really coordinated statistics but so that's a chance to we are trying to work our way on the offensive side. kind of goes to one of the questions that was asked, how do we do this within a broader structure that jibes with the law of -- remember, when you look at the application of cyber as an offensive tool it must fit within a broader legal framework. the norms that we have come to take for granted in some ways in the application of kinetic force dropping bombs. we've got to do the same thing that clearly we are not doing it. >> this gentleman has been patient over here.
11:41 am
>> admiral, i'm a retired navy cryptologic officer among other things. >> a fine man. >> i was remarking with another colleague that we were having the same discussions 20 years ago. there has been progress. there's cyber command there's the fbi. but why is it taking us so long to grapple with this compared to, say, the advent of nuclear weapons and the national security act of 1947? >> my first comment would be i got was a cryptologist 20 years ago i don't remember having that conversation. in terms of say the last part about again. why has it taken so long, right? >> i do not want to minimize the progress, and your position idea of progress, but it is taking us a long time.
11:42 am
if it's not 20 years, then it's 15 and that convicted much more compressed timescale for other cataclysmic changes in national security in the middle of the last century. >> take for example, the nuclear example. we take for granted today the nuclear piece and something with very established norms and he become well-established principle of deterrence. my comment was did how long -- we take it for granted now because we look at over almost 70 years since the actual development of the capability. we take it for granted now but if you go back in the first 10, 20 years, we were still debating about what are the fundamental concepts of deterrence? this whole idea of mutually assured destruction. it didn't develop in the first five years, for example. all of that has taken time. cyber is a different. i think among the things that complicate this is the fact that
11:43 am
cyber really is unsettling in terms of the way we often look at problems but if you look at the military can we often will use geography. it's we have a center command one at the european command a southern command. cyber doesn't recognize geography but if you look at the attack from north korea against sony pictures entertainment it literally bounced all over the world before got to california. infrastructure located on multiple continents in multiple different geographic regions. cyber also doesn't really recognize this clear delineation that we as a nation have generally create overtime about what's the function of the private sector, which the function of the government and how does this whole national security -- cyber tends to blur that because the reality is, for example, if i go to work and i'm using at work literally the fact
11:44 am
same software, the same device i'm using at home on my personal. it just has blurred the lines so that makes it very very complicated. but i share your frustration in the sense that it's not as fast as i wish it were. but it isn't from a lack of effort and it's not from a lack of recognition. [inaudible] >> thank you, admiral, for coming. i'm with yahoo!. it sounds like you agree with director comey that we should be building defects into the encryption in our products so the u.s. government can decrypt -- >> that would be your characterization. >> i think bruce schneier and all of the best public cryptographers in the world would agree that you can't just build back doors. it's like drilling a hole in the
11:45 am
windshield. >> i have world-class cryptographers at the agency. we agree we don't -- >> okay. we will agree to disagree on that. if we're going to build defects backdoors our golden master key for this government to think we should do so, we have but 1.3 billion users around the world should we do so for the chinese government, the russian government, the israeli government, a french government which of those we give backdoors to speaks on that point the way you frame the question, response be deeply we should build back doors for other countries? >> my position is i think that one this is technically feasible. it needs to be done within a framework. i'm the first to acknowledge that. you don't want the fbi and you don't want the nsa. what are we going to access and what we going to not access? that should be for us. i just believe that this is achievable and will have to work our way through it. i'm the first to acknowledge
11:46 am
there's a national relation to this. i think we can work our way through this. >> so you do believe that they should build those for other countries you think that pass laws? >> i said i think we can work our way through this. i said i think we can work our way through this. >> okay. nice to meet you. thanks. [laughter] >> thank you for asking the question. is going to be some areas where will a different perspectives and it doesn't bother me at all but one of the reasons why quite frankly i believe in doing things that is i say look there are no restrictions on questions but you can ask me anything. because we've got to be one as a nation to have a dialogue. this simplistic characterization of one side is good and one side is bad is a terrible place for us to be as a nation. we've got to come to grips with some really hard fundamental questions. i'm watching a risk and threat to this while trust has done that. no matter which are due on the
11:47 am
issue is or issues. my own would be that's a terrible place for us to begin right now. we've got to figure out how we can achieve that. >> for the last technological knowledge but which would only described in this room just so we're clear, you're saying it's your position that encryption programs there should be a backdoor to allow within a legal framework presumably approved by whether the congress or some civilian body the ability to go in a backdoor? >> backdoor is not the context i would -- when i use the phrase backdoor that's kind of shady. why would you want to go in the front door? we can create a legal framework. this isn't something we have to hide per se. you don't want us to know about it. but i think we can do this. >> you want that capability. i do want to get to the back but do we have a social media question?
11:48 am
[inaudible] >> fantastic. we have 13 minutes to go. i see you in the back so we will get there as well. >> first i would note that according to the internet and some of our fine profile twitter users we are now 20. so newamcyber is now ending. >> what are we in relation to bergman? [laughter] >> okay. so here is a selection. based on the previous comment about backdoors for russia and china, christopher, by the way i may pronounce half of these things incorrect, the question is, are foreign governments spying on cell phones in washington, d.c.? are phones secure, and if so what could be done? >> i did near the beginning in are foreign governments spying on our cell phones in washington, d.c.? are phones secure what should be done? >> do i think there are nations around the world attempting to generate insight into what we're doing as individuals?
11:49 am
i think the answer to that is yes. the second question was doing think -- >> what do you think we should do about it? >> well, one thing remind people is don't assume that there's a reason why we have unclassified system in this department. there's a reason we have classified systems and unclassified systems. so for dod users i was reminded will we are potential targets make sure you're using a cell phone, for example, in an appropriate way just as i make sure i use mine. otherwise the standards of encryption we talk about get a not arguing encryption is a bad thing. nor will you hear me say security is a bad thing but i'm a u.s. person a u.s. citizen. i use cell phone. i use a laptop. i want those systems to be every bit as if myself and my children as you do but i as you do to understand figure out how do we create a construct that lets us work between two very important viewpoints. >> okay. so the question i'm sure came
11:50 am
partially out of the concept of encryption of commercial cell phones. so on that point from russell thomas what can be done institutionally to make collaboration between the private sector and the government marginally better on cyber sector be? >> clearly i would second the thought. i think clear this isn't a significant improvement. i think on the government side we've got to simplify things. one thing i constantly tell my counterparts is look, let's be honest, if you on the us and looking in india and cybersecurity, it is a complex. we've got to simplify this. we've got to make it easy for our citizens, for the private sector for us to interact with each other, to ultimate ghetto subsidization we can share information real-time in an automated machine to machine way. given the speed and complexity of the challenges we're talking about in cyber that's where we've got to get and put got to work our way through how we going to do the in the u.s.
11:51 am
government homeland security the department of homeland security 30 place a central here. our capabilities support demand of u.s. government partners in our attempts to do that. >> on that topic as a journalist i've asked the nsa whether my cell phone communications have been monitored in any way. i submitted through proper channels i got a response. we appealed. and we got a stock response. i'm a journalist as part of the work i spoke to people who i would imagine you might want to listen to. why as an american a law-abiding american can why won't the nsa tell me if you've looked at my phone communicate and? >> first, if you ask me to record, i don't know. >> but it's a policy because they told us the same thing. >> look, it is a matter of law. to do bulk collection against the u.s. person i must get a
11:52 am
court order. i have to show a valid basis for why we are doing that. is there a connection with a foreign nation? i.e., the u.s. person is acting as an agent of a foreign country. yes, that does happen. is that u.s. person part of a group, said isil as an example, was attempting to do harm bikes i have to show a court a legal basis for the why. and it can't just be we don't like journalists. >> i wouldn't -- >> that's not a valid legal reason. >> but if that were to happen you would've had to that a court order to put that something you wouldn't tell the person who wasn't old? >> no. >> i have one more -- >> then we will go to the back. >> so from john, the question is based on last weeks announcement or research that they've announced there was news that firmware hacking. has the firmware of routers or
11:53 am
repeaters been similarly hacked? and if so with this compromise the architecture of the internet? >> my quick answer would be no. but in terms of i go to the first part. i'm aware of the allegations that are out there. but i'm not going to comment about them here but in terms of based on what i've read, does that lead me to believe that the internet somehow is compromised? no. >> thanks very much. >> back of the room on the left. >> mike nelson a professor of internet station george gipp and i recently started with the cloud which protects the 1 million websites around the world from attacks. i was at a cyber summit at the white house a week and a half ago. one of the topics that you get during an always was about how american companies are very uncomfortable sharing information with the u.s. government if they can't share the same information with dozens
11:54 am
of other governments. i would be curious to know how we're supposed these which governments are okay to share with and how we deal with the fact that the belgians and the french and the turks and i've what else wants to know we are sharing with you. and our customers want to know that, too. >> another reason why i think that legal framework becomes very important. i'll be honest, i will get into the specifics of an area that isn't my personal focus. i understand the concerns, don't get me wrong, but my comment would be that it is not unique to cyber, for example. you name the business sector, just because we share something internally within the trendy doesn't mean we do so automatically everywhere in the globe. so i would argue to cyber is not exactly unique in this regard nor is the challenge that it presents. as a challenge but acknowledged that. >> we have time for a couple more, way in the back another area we haven't -- to be
11:55 am
geographically fair. >> listening to the conversation today, one thing that's very clear and you mentioned, we need to decide what is social norms are around which we build a policy and legal frameworks. but clearly listening to bruce schneier and alex and you, the social norms are not worked out yet. so what's the process by which we get a the dialogue going so we can to get what those norms are? which has to precede figure out what the policy and legal frameworks are. >> i think interaction like this are part of the. the interaction with our elected representatives. they are the ones who create the legal framework. so i encourage all of you, all of us to citizens to articulate our viewpoint to help them understand the complexity of this issue and help them understand just what our viewpoint are as were trying to work our way through this. the other thing, at least for
11:56 am
me, i'm trying to do outreach as well in the academic world. one of the things i'm struck by is, and to go back to your question, if you go back and look at some of the foundational work that was done in nuclear deterrence theory, for example, much of that back in the '40s and 50s was done in the academic arena. much of the original writing, kissinger and others, there was a strong academic focus on so how are we going to understand this new thing we call the atom bomb? i'm trying to say is there a place in the academic world for the kind of discussion? how do we get to the selective of a social norm and what are we comparable with? >> way back. >> thank you. sputnik international news.
11:57 am
question -- >> leeann? >> lee enter. >> i'm sorry. i could do you. i apologize. >> i'm with sputnik international news. russian press. so you've addressed the report and said he wouldn't comment. there was another report on the nsa hacking encryption keys in sim card provider. can you respond to that? i mean you said that we need to have a discussion, a public discussion so how come we do get that started by addressing these allegations? >> first comment, i've heard these allegations are some period of time. i don't think they're unique. and again my challenge as an
11:58 am
intelligence leader is even as we try to have this dialogue which i acknowledge we need, how do i try to strike the right balance between engaging in that broad dialogue and realizing that compromising the specifics of what we do and how we do it provides insights to those that we're trying to generate knowledge can do we do harm us as a nation. so as a general matter of policy i just said look not in an public classified forms get into the specifics of the very specific things like you reference. i'm not going to chase every allegation out of there. i don't have the time. we need to focus on to our mission but making sure we did it within that legal and authority and policy framework. that's the promise i make made to all of you. that is what we do. when private companies make these allegations against you can you address that impact generally? >> i'm not going to get into the
11:59 am
specifics. >> we have time for one more sensitive cyber conference and we are trending. do we have another one on the web? [inaudible] >> joe maurer some political. i will not ask you about encryption. wanted to ask about standing up cyber. you said earlier you think at this point cybercom and nsa had to let people in the service have said a lot of the process of building up cybercom has been shifting people already are working in the field over to cyber mission forces. are you concerned that you are to bring enough new people new cyber experts into the military and your take away some needed capabilities ought to be in the
12:00 pm
services? >> the short answer is no. i say that, remember in the job before this i was also in my previous job before these two i was a navy guy. i was the service covers possible developing the navy's cyber force. i've lived in that world about how you man, train, equip. i find myself as a joint command with global responsibility across the department. ..