
tv   Key Capitol Hill Hearings  CSPAN  August 19, 2016 4:00pm-6:00pm EDT

4:00 pm
4:01 pm
>> i think trevor did a pretty good job earlier discussing what happened last year. he covered the civilian side quite well. we are on a call so make sure i don't ask anything too outlandish. we talked about what you wrapped up doing which was the leg work of sending all of the letters to people who have been affected. what has been the impact broadly since then with that in mind? >> it was a monumental activity. not just the letters, but i think one of the things we learned from it especially at the senior level there was data
4:02 pm
and mission critical data. we did just finish and mailed 21.4 million letters and two million were returned to sender and we had to find correct addresses. until you go through something like this you don't understand the undertaking of everything involved in a breach. we had a lot of help from the white house because we certainly wanted to situation handled in a certain way. a lot of political help and just find of a lesson learned for all of us. congress decided the department of defense would run the it for the clearance process system in the future. we are in the process of working
4:03 pm
closely with opm and making sure the current system is secure enough. at the same time we are working closely to develop a new system. >> the it was affected differently by the opm breach versus the standard person with a clearance. >> that is true and not new. for our agency, we were probably not as impacted as much of the government with clearances. we do our own clearance. but we also hire from outside. so, you know, we did have people who were involved and who did get letters because their previous employment might have been in dod.
4:04 pm
>> i did not get a letter. >> i did get a letter. >> we had a lot of people who got letters and were upset. we still worry about it. we have to worry about it. but as marianne said, there is always a silver lining and none of us were aware of the data that was being processed in opm and what was potentially accessible by internet activity until this started. it is more extensive than any of us thought. a lot of the attention and focus was paid on this.
4:05 pm
we think we are on a path to improve the protection around that level of information in the future. >> and also, what other mission sets do we have that retain private data? medical systems and those things. it made us do a deep dive across the mission systems. >> we are talking about more forward thinking. i want to start with you marianne. you have a lot of roles and there is a lot we can dive in. but let's go broadly on what dod is doing. there is a lot of rules. >> so pushing out the strategy
4:06 pm
here is very encompassing. after releasing the strategy the cyber implementation plan was put in place and has all of the cyber defense and that stuff in it. and we have the cybersecurity discipline implementation plan. about a year and a half ago we made a concerted effort we would focus on the basics. there is a million things you can do in cybersecurity and we decided we were going to do a back to basics campaign because we looked at the intrusions, any successful intrusion we have had in the last year and year and half and 98% of them were due to something simple and trivial somebody knew they should have done. we went to coming up with a top ten list and pushed that out and have been marching down the path. do you want to ask me questions
4:07 pm
or keep talking about it? >> you can keep talking. when trevor was talking i heard about accountability and following up on this stuff. i want you to look at the score card because that is new and important. >> all of these top ten things there have been like one formal military order that has gone out to do this stuff. it isn't like anybody should have been surprised by it. people were not doing it. there were so many things to do. it didn't get prioritized high along with the other mission things they had to do. we decided to do a score card and that has been tremendous effort on our part but nobody likes a bad grade so it has been beneficial. we have meetings every friday. all of the services, all the data rolls out and they have ten score cards for each service and
4:08 pm
they have to sit in front of and tell them why they have the numbers they have. examples are every user logs in with a pki. why don't you do that? what percentage is the air force? what percent subject the navy? windows is a huge operating environment and getting off the legacy stuff especially for end users machines to move into ten. briefing that to the cio. for the secretary, i think he thinks they are very positive. >> i bet he does.
4:09 pm
what i have seen is initially when we first started this, at the very senior level, they thought it was the commander at the owner of the network level to worry about this stuff. they did want have visibility or any idea of how good or bad they were. they got into the caring about it. congressman is caring about it. they need to care about it. we have seen improvement but the culture and accountability has been crazy. cheryl has been waiting for this their whole career. >> have you seen terry speak before? >> i see it every day. >> i feel like he is an interesting guy to tell you didn't do something well and like he is intense. >> very smart person. how about from your cia perspective? what has changed since opm?
4:10 pm
i want to get into how that affected how the agency deals in cyber. i guess there was two questions there. >> right. so, opm didn't cause major disruption at the agency. we spent the last year trying to get the definitive list of what might have been compromised from opm that belonged to us. but as far as what happened did what happened at opm change the direction of how we protect our information or systems? absolutely not. we have been on that path for a long time. >> ahead of the game? >> i don't know if i would say ahead of the game but aware of the issues. i shouldn't say the bad word, it isn't in my talking point, but we had a breach.
4:11 pm
we have been focused on insider threat and protecting the data for pretty much as long as i have been doing cybersecurity and that has been quite a while. >> going through the strategy five or six years ago when you had a big move to cloud which was, you know, got a lot of headlines and attention over the years. what has changed within because of that? has there been a mutual learning? has it changed the way you do business internally at all? >> so eyesight and cloud have been significant changes for the entire ic and our agency in particularly. we are the ones with the contracts with amazon. we are responsible for the security of what is provided to the entire ic as far as the
4:12 pm
hosting infrastructure. when amazon came in we started off with what we thought was still a very short timeline for approving its operation. when i say short, if you go back historically, big acquisitions they can loot and big services like that like, you could see years spent on analysis of the system. in our case when amazon really got everything in place and where they thought it was ready for us to make sure it was secure enough we ended up with two months. in that two short months we had the assessors working with us and with amazon. we may be one of the first that they actually opened up the hood and let us see some of their inner workings.
4:13 pm
it was under specific agreements so i cannot give you details on what we might have found. but it was a really good learning experience. we got to understand all of what amazon does to protect your information commercially and our information internally. we found a few things and gave them feedback on changes we would like them to make for us and the good news is they took a lot of that to heart. so they implemented a lot of the changes made for the intelligence community, commercially and you all are benefiting from that when you are using aws hosting. it is a great learning experience. the other thing that changed significantly as a result of eyesight and cloud is the focus on, hey, you know, i can spin up a cloud on the internet. i get this all of the time and
4:14 pm
two hours i am up and running. i still can't meet that two-hour time frame to give you an approval to put a system out there but we are under extreme pressure to enable mission, to spin things up more quickly, put it out there more quickly. you talked about the need to share and protect. we are focused on both. we are focused on trying to move at the speed of mission and insure that mission information is adequately protected. so it has been a great experience. i will say one more thing about amazon that we hadn't realized. people love that elastic compute. you think about it more for analysis and punching data together and getting results quickly. from a cybersecurity it is great. when we told people to audit in the past it would shutdown and
4:15 pm
cyber people were yelled out because the system didn't work because there is too much data. we tell you to encrypt the data but the time for encryption makes the user upset because it takes too long. now go to elastic compute, when the system fills up, it spins out so there is no longer an impact from the systems filling up and being unable to do the work because we filled it up with security information or we are telling you to encrypt and you are telling us this is adding overhead. it doesn't anymore. so cloud has been a godsend for the folks trying to implement systems quickly and for us to secure their workloads better. we are very happy with it. our agency and many of the other
4:16 pm
id components are working to move their work loads into the cloud and off legacy. so into the new. >> is there a lot of collaboration between all the agencies on that front? >> there is. every time we provide a new icu wide service we have 17 components that have the opportunity to look at it. they often have the opportunity to participate in the testing. they are certainly given the body of evidence and the ability to adopt what the existing findings and structure provide. so then they only need to focus on the delta and what they are implementing on top of what is already approved. as an ic, absolutely we have been working together very closely on this as well as the cloud. i should not leave that out.
4:17 pm
>> going back on the dod funding. you are sort of underway with your own effort. the joint information environment. i think you are in the -- was it the jro phase right now but maybe you can talk about what ramifications that should have on cyber for dod-wise. >> sure. on just operations also. people that don't know the dod and i have had people say they think we are this homogeneous environment. we have a good command structure so we know who is in control and who is below. but it is loosely structured. when general alexander came in and said i cannot see across my
4:18 pm
networks that i am supposed to cyber command we were looking at doing some kind of common information infrastructure and that is what jie is. the joint regional security stack is a common set of security capabilities at mid point locations around the army, airport, navy and gives us the ability to have consistently implemented security and also the ability to share. it goes a long way to having a homogeneous environment. >> it is important for cyber defense, too probably which is part of the plan as well. maybe you can talk about what changed from the threat sector
4:19 pm
and this might apply to you over the next couple years. we are looking at the threat and what protections we have across the infrastructure. are they the right protections? where do we need to focus? i see that changing. i see it changing because initially we did parameter protection. that was the name of the game. if you were protected like in the department of defense we have internet access points. those are big deals. we have 1.7 end users. that is a lot.
4:20 pm
we don't have that many people but i have three computers on my desk, a laptop i use at home, a blackberry i carry around. we need a way to protect all of those. we say we are spending the money on the perimeter devices. how far does that get us? what are we seeing with the threats coming in and what is the best way to attack them? starting to move toward end point security. all of the issue papers were things we do in the department to get money for new initiatives. we are focused in cybersecurity on the end point. >> there was a comment made in the closing remarks about the most difficult to guard against is such. is that the case for you as well? none of them are necessarily easy;
4:21 pm
right? >> we have seen much damage one individual can do. we are looking at what we can implement better. anomaly detection is what we are looking at where they come every day and do the same thing or he is on late at night or accessing systems he doesn't usually access and then you have to question it. >> he was talking about in two years he wants it done and something in place to look at behavioral patterns and things like that. >> he said end of cat card and that is used for many things but
4:22 pm
he meant used as an authentication. it is a physical id. we are not looking at replacing that but using it for authentication we are looking at better ways. >> i am mobile so you can talk about how that is changing for you. you are still in the stone age with using mobile technology. >> we are in the stone age. i commented it was cool my cellphone was in my purse and i have to remember to take it out of my purse when i get to work. mobile devices that are provided by the government in
4:23 pm
and out -- devices. if you get a blackberry, we don't use them anymore. but if you get a cellphone you are supposed to use it away from work. you may have the phone on the desk and i still have a pager. one of the things we want to focus on the most is how do you take notes?
4:24 pm
i still know how to write with a pen and paper because i have to but we are focused closely and work closely with nsa on this; how do we provide secure mobile computing to the workforce in our facilities and how do we support wireless within the facility? you know you cannot walk into a best buy and buy that desktop computer and have the monitoring. i like my big monitor. i have two and i can do tons of work and spread it across the monitors. we were looking at how you dock them so when you are at your desk you are not limited to the tablet but when walking around in the meeting i don't want to carry around a 20-pound brick. maybe it will make me stronger but that is a pain.
4:25 pm
>> i am guessing that is not a lot of pokemon go players within the organization. >> those who do it is very, very obvious is all i can say. i am going to say something that is not in the script but it is pretty funny. there is another government agency i know of that spends a lot of time going around the compound eliminating the pokemon go points. >> have you talked about the across government collaboration and industry. let's talk about that.
4:26 pm
>> anybody who ever looked for the secretary of defense -- >> this has been going on a lot. >> you know he is huge on industry relationships/partnerships/collaboration and brought industry people in to bring a more innovative flavor into the department of defense. he started something called digital services -- defense digital services, right? so looking at the key things we do and how they can bring industry practices or products in and actually -- i watched this evolution myself. it is pretty interesting.
4:27 pm
white hat actors. it was very, very focused. it is not just like wild and wonderful. anybody can come in and hack anything. west front end we picked a specific end and we had people out watching to make sure the hackers didn't go beyond. it was planned methodically. if they identify something, they have to give the government 30 days before they can release it into the wild. it is very specific things. i think it was extremely successful and we are looking at other places to do the same thing. i think you have to be careful to maintain it. we don't want people to say okay, blah, blah, is it day and everybody hacks you. you don't want anything like that. it is very specific, persistent
4:28 pm
and you make sure you protect yourself. >> and christmas, the guy who had it, is an interesting character. he did a panel and he came in in a hoody, chill dude, and he said outside the office this is the center where we get shit done. that is the kind of guy he is. i thought it was cool bringing those fresh perspectives. >> mr. iverson has spent a tremendous amount of time with the office. we do silicon valley trips, trips up to new york, and not just a couple of us but a whole entourage. it can be 40-50 people. party bus. we meet with venture capitalist groups. it is amazing. the thing as they do to bring
4:29 pm
sensation into their team. trying to push us to establish things differently. you heard the wholesale facts and that is the kind of -- the kind of process we are trying to bring into us to look at things, try it out, compile it, and then depict something fairly quickly. he looks at what industry does and says why can't i do that? and comes and tells us to do it. it is hard to do but you figure it out and knock it out one at a time and get them implemented. it is exciting to work in an environment -- people think of the pentagon, i did even, policy organizations it is not going to be this but it is nothing like that.
4:30 pm
it is crazy and wild. >> sounds like a pretty cool party bus. maybe the smartest party bus i would ever attend. lost my train of thought there. >> have you having party buses. we are low-key more so? >> i would never call it the party bus probably but we do partner very closely. we have labs where we actually bring industry in to help us resolve and determine what is out there that they have and we need. assess it quickly, bring it in for quick review and the cloud helps with that.
4:31 pm
you want to try out quickly, see how well it works, share that and we can use it even further. you can work it closely with the marketplace. when you don't have a complete clone of what is out there commercially in the ic. we look at the commercial products we think people want and various agencies come and say i would like to try to use that. vet the company to make sure yes, we are going to have a contract. bring it up and let people try it out. whatever agency determines they want to use it and implement it at that point they will have to do that security assessment of the tool. but the cool thing is they can share that with the rest of us.
4:32 pm
lots of partnership with industries and groups like incu-tel to tell us what is coming. they help us solve the really difficult problems we don't see a lot of market share right now. >> i was looking at the innovation pipeline where a lot of companies that would not normally do business in government have a chance. it seems like it made sense after going through the vetting. and the acquisition challenging you could talk about that for an entire day i am sure you run into on the west coast with the party bus. >> it is not really a party bus, really. it is an exhausting long week.
4:33 pm
it is big bus. but the other thing with industry collaboration, we are looking at how we can do a better job with things like certification. bringing things in and bringing the technology in more quickly. we have been talking to a lot of industry partners about how they do things and we are at a point where we are looking at almost a mature model. some companies are mature and do robust things. when we look at cloud, the first thing we look at, we look at what they do and then there is an auditing, they come in and audit what they do and then it comes into our environment, then we go through our standard testing and it is taking about like 18 months before we actually implement something. it is way too long. we are doing the same thing three times.
4:34 pm
it is not like certify the process, but really understand the process and say okay, we don't have to test it three more time. the other thing we are looking at and just talking to the industry is every single factor has different requirements and they call it something different. we are looking at how we can kind of energy sector certified this and we understand what they did and accept their certification. >> i want to open it to questions with that. so, microphone. >> mike nelson, i want to ask a
4:35 pm
variance of the cia question i asked trevor earlier. cia means confidentiality, integrity. we hear about the hacks but not the ones that close down websites. >> so, again, we have confidence but we experienced [inaudible] to the cia website a few years ago. it went from once a month, then every other day, then almost every day. so and not to name any particular vendor or product but
4:36 pm
we worked through the issue with our service and network provider. first off, we monitored it closely and have mechanisms to lose our website into a more protective octave every time we see this coming. we also have taken some of the best practices of having the website throughout the internet. so the actual home website you don't even touch. since we made those changes i cannot think of a time when we actually were experiencing a true d-dot. >> i would echo her.
4:37 pm
years ago we had this problem but now we are looking and watching and it has been a long time since something we worked for. >> a little bit off topic. but electric magnetic pulse is limited and can have an impact on the structure. do either of you play in that world? >> you have to realize, i have to go through a publication review process to get permission for what i am allowed to say publically. imp, not really, other than looking at planning and making sure all of the eggs are in one
4:38 pm
big data center. so, you know, something like that happens we try very hard to make sure that unless you are doing it worldwide we will not lose everything. we are likely to lose something just as everyone else is. >> i would be general and say we look at that, and the offers and what the likelihood is and take appropriate action >> that is around lately in the last year because the white house put a strategy out for this and dhs has been examining the issues as well. also dealing with solar flares like the one in '96 that could devastate power grids and stuff like that. but i don't think there is any simple -- >> no, everybody has resilience
4:39 pm
and i think across the government we identified what is critical infrastructure and that is what we are looking at. >> question back there. >> first i would like to say we appreciate everything you do and appreciate what you have given to the agencies you represent. the first topic you presented on that letter that was sent oo the 20-something million people. i am one of them that received the letter. i think actually more than once. i think it was mailed several times which i thought was confusing. i didn't know if this was another breach or you know? it is very confusing. the question is why do those
4:40 pm
federal employees given protection for just two years? or maybe three years? and how can that information really be protected 20 years from now whoever has it? how are we going to figure out they have time to use this later? >> no, i think those are great questions. i don't think it is three years anymore. i am not positive but i think it has been extended to like ten years; right? so there is conversations happening about if this should be for life or what is the appropriate time limit. this is a whole new area, this privacy protection, and how long you should be protected for. it is interesting because i provide my information that was taken and i setup the stuff with the credit agencies and i feel
4:41 pm
like i cannot even walk without getting a text on my phone saying i am walking. my daughter went to college, tomorrow we are taking her to college in florida, i went down there and used my credit card in the walgreen's and before i left the store, are you using your credit card in florida? yes or no and the transaction goes through. but i don't think we know the whole fallout of what this is going to be in the future. >> let's get the last couple ones. go to the fellow in the blue and then you. >> thanks. so we talked a lot about the move to cloud and industries doing a lot and security as a service. so security as a cloud enabled service. i know there are challenges with that but is that something you
4:42 pm
are using or able to use in the near future? >> we do now. we have invested quite a bit of time to determine the best tools and solutions to secure data in the cloud. but the other nugget there is knowing your data. so not all data is equal. would i apply the same security solutions to all data equally? absolutely not. so as i said, and i wasn't kidding, every time we have a new capability, our systems move into the cloud and we are not really focused on the it. we are focused on the data and who needs the data and how well we need to protect the data. we spend time making sure the secure solutions are around the
4:43 pm
data so it doesn't go where it doesn't belong. i have a blue team of testers, think of them as white hat hackers. they work with the system administrations and the people developing the system directly so they are learning better techniques and what bad things can be done against their system. the cool thing is we work with people monitoring the network. when the blue team is testing if they do something they reach out immediately to the folks doing the monitoring saying did you see me? if they didn't, they tell them what they did, including screenshots so if the next time someone other than the blue team comes to try it we will see and track it. it is cool stuff. >> you guys were an early
4:44 pm
adopter of cloud. >> since 2012. >> you put the rsp out? >> it has been in operation for two years with a focus on other sensitive data and answers questions about the techniques and security solutions we will add to try to put more sensitive data out. and dod has been more cautious about cloud use. >> we were moving strongly with no clouds and i think we are looking at different variants. we are looking at different ones and in some cases we use commercial cloud and in some cases we have our own. i think things that cheryl said for us apply just as well. all data is not equal and those
4:45 pm
are things we are working through. >> last question up here. >> thank you. my question is the government has issued out the defense authorization clause and by december 2017 industry is going to have to be compliant. my question is two-fold. number one, from your vantage point what are you seeing in terms of industry challenges with meeting that? and number two, based off where dod is going with their cloud services and so forth do we really think we will be able to bridge the gap with these requirements based on the fact it is significant investment for industry for maybe marginal recover and investment? >> i will probably disagree with you a little bit which is okay; right? i am a huge proponent of the
4:46 pm
clause because i spent 30 years at nsa and saw how people get into the network and saw the dod intellectual property. you can look at airplanes developed around the world and they look like our airplanes. i think the game has changed a little in the whole economic advantage activity. i think we just need to be really cautious but knowing that is kind of an achilles heel for us. you are familiar with the industrial base and we are working with all of those partners and the rest of industry. i started having this conversation with the back to basics talk and that is the default really. a back to basic and good cybersecurity practices and implementation. yesterday, or the day before, i
4:47 pm
talked to mr. iverson about the stats we got. six months out industry was required to report to us how they were doing. we had a lot of things that were great but the more traditional and physical security was looking good but the two things they were struggling with the most were the multi factor authentication. so we don't necessarily look at industry as having a problem. the company is having a problem. we are looking at it as what are the products they are using and why aren't the lenders of the products providing better capabilities. they challenged us to help solve the problem. i don't see us -- that is really an achilles' heel for us.
4:48 pm
any major dod weapon system being developed there is multiple vendors behind it that have our data and are connecting to our systems. you have to kind of connect all of it. i want to thank marianne and cheryl. you have a good rest of the day. if you ever need press on your bus on the west coast. >> i am going to take it for that one, i am sure. [applause] >> up next, two former cia director and former editors of "the new york times" and
4:49 pm
"washington post" talk about the public's right to know versus the responsibility to protect classified information for national security. this is a part of a conference at the george w. bush center looking at the people and the press. >> our next panel is right to know versus the responsibility to protect. leonard downing, jr. is the professor of journalism at arizona state university walter cronkite communication. he was executive editor of the "washington post" from 1991-2008 and during the 17 years as executive editor as the "washington post" the paper won 25 pulitzer prizes. michael hayden served as the director of central intelligence from 2006-2009 where he was sfibl for overseeing all
4:50 pm
information burning the plans, intentions and capabilities of america's adversaries and producing timely analysis were decision makers and conducting thwarting organizations. jill anderson is an author and teacher. she spent 17 years in the most senior editorial positions at the new york times. she was deputy washington bureau chief and investigative reporter covering money and politics at the "wall street journal" before that. lion pinetta is the cofounder and chairman of his group and former secretary of defense. his long and distinguished public service career spans the
4:51 pm
united states army, the united states house of representatives, the office of management and budget, president clinton's chief of staff and the 23rd secretary of defense. steve call is a staff writer at the new yorker, author of seven non-fiction books and a two-time winner of the pulitzer prize and is currently the dean of the university of columbia journalism school. please join me in welcoming our panel and our moderator. [applause] >> thank you for being here. no one up here is shy. so hopefully asking you to talk to your moderator and ask questions.
4:52 pm
we have a lot of ground to cover and lively subjects. let's start with the basics and then i think maybe toward the end of the conversation i want to move into the world we are in now. the digital age and age of social media that creates a whole new set of questions looking ahead. let me start with you, editorial decision making, our colleagues in the audience know it is like case law. you have certain principles and standards and you try to apply them to complex facts and make good judgments. when a reporter comes with a story that reveals sensitive national security information what are the principles you have in mind as you evaluate what to publish and what not to publish? >> certainly in that example, steve, unless it was something extraordinarily sensitive where
4:53 pm
innately i would know lives were really at stake i would, you know, encourage the journalist and the reporter with the story to find out more about it because in order to make very difficult decisions about what stories to actually publish and whether to hold a story or, you know, in very unusual situations, actually not publish something information helps you. in the end, these decisions, i should say explicitly were, you know, the most excruciating. i confronted both of washington's bureau chiefs because stories involving national security and intelligence were rooted in washington as managing editor of the times and certainly as
4:54 pm
executive editor. so the balancing test i would always -- excuse me -- applied is as one of the panelists this morning pointed out, you know, we have a constitutionally protected mandate to hold power accountable and keep the public informed. so that is our first responsibility. but in the balancing testing that has to be balanced with is the story really going to cause harm to the country. as journalists we are citizens, too and want to do everything we can to keep the country safe. but, you know, our professional duty is really to inform.
4:55 pm
and you know, i had these jobs during the period immediately after 9/11 with the war on terror and all through the end of the bush administration. certainly closer to 9/11, there were fewer of these requests but, you know, you had to ask yourself the fundamental question that colleagues put brilliantly which is if a war on terror is being waged in the name of the people shouldn't the people know about it? shouldn't the people know about its dimensions? ...
4:56 pm
i found the importance of keeping them informed and holding himself accountable. you don't want to make a decision that could actually hurt the country. and then your own reporters because to what adds to the excruciating nature of these decisions is that the reporters had usually worked really long on the stories and can get them in the sources have been and how our harms way.
4:57 pm
their sources expect a story to be published. but all of those balls are in the air the first thing at least that i did is when an administration raised serious national security concerns to either hold a story or not publish it entirely you hit the pause button. i worry that a lot of the public have the impression that we get these leaks about intelligence programs and then we just publish them right away but that could not be further from the case. i don't think it's right to just assume that the
4:58 pm
administrations and presidents and their chief intelligence that being cavalier to publish something quickly i think is not the right response. i know overtime because the request became more frequent from various news organizations to hold stories that there are news organizations that no longer call the white house for comment on some of these stories which is sometimes not always how the administration finds out that you have a sensitive story in the works. in search for principles and they referred to one is
4:59 pm
probably easy. if they will directly go to the death of the individual or the publishing of the details or messing up on ongoing battlefield movement that no public interest reason those are relatively easy principles but when you get to the assertion of harm to the country that jill referred to it may involve less direct effects exposure of agreements or other sensitive matters how do you think through that territory and are there times i worked with you and watched you make some these judgments. how did you define national security damage while you considered whether to withhold
5:00 pm
a certain detail. >> we seek information about that and that then we try to make the best decision. and from experts on our own staff. and it's probably the best answer with one illustration. i was the intelligence agencies she is a very gifted reporter who in many sources from the top to the bottom. there some years after 9/11 when she realized that her sources were very concerned about something it was a leak. she is picking up the bits and pieces from a variety of sources particularly in eastern europe. high-value terror suspects were are being held in question.
5:01 pm
we now know once he pieced together a lot of this. you went to the sources. and that she was sent to the senior person in charge of this entire operation. and listen to the about what was going on you want to know if it's true. you want to know if it's right and that's another reason why he goes to the government. here they may be publishing things without talking to the government and all. it may not even be true. so you want to establish that and then you want to establish nestle -- national security concerns. she kept me informed.
5:02 pm
and finally when it became clear to them that we were going to publish some kind of story but were still try to figure out what to include and not to include during my quarter century of making these kind of decisions we usually ran the story but we often withheld very specific details. names of individuals and locations of where the earliest drones were shot up from. and kept the name of that country. not because the government told us not too. if we named that country at that time that's how it would end. in this case we went to the cia and the national security. they first argued that we shouldn't run the story at all. what is a specific thing involved here.
5:03 pm
the various kind of harm we were going to introduce. it would be bad for the agency's reputation. you can strike that out. maybe the allies would not trust us with secrets. and then we got into serious things. once they are located. but more importantly there was other kinds of cooperation going on with one or more of these countries going on in eastern europe they were identified with the country it could bring down governments my ears perked up to that. they could do this without naming the countries. working to consider this agenda along with us. we were more well-informed and then we were invited to the white house and don graham the
5:04 pm
publisher and myself in the president was there he is sitting in one. i'm in the couch over here. he really glowered at me the whole time. he was hovering around. and the president made the same presentation against specifically about different kinds of harm. i ask a lot of questions. most worry answered. and on the way out they said we would make a decision. by the publisher. it was the way we always did things. on the way out one of the gentlemen in the room really put his arm on my shoulder. and said you're not getting in those countries.
5:05 pm
we could tell that was where i was headed. never mind anybody else. and after some further thought. that's what we did. as a result we took a lot of help from people who thought it was terrible for us to reach this national security secret. we said we did not name this countries are you chicken. from the other side saw the camera and having run through some of these conversations from the cia or at the pentagon what rules would you write and what is your reaction to what you heard do you think were on the right track. frankly my experience with leading newspapers like the times in the washington post and others was that they
5:06 pm
really did try to exercise good judgment here. these are tough calls. it's not easy. and the only times that i have those discussions was where we have the potential if the story went out that a very sensitive source would probably be revealed. it meant jeopardizing the life of that source. and when i have the discussion reporters are doing their jobs. they go after those stories. and a lot of them have good sources. within the agency whether you like it or not. the fact is they do get their stories. and when you pick up the stories you look at them and quite frankly i would say nine out of ten stories they go because reporters are doing
5:07 pm
their job. you don't like the story getting out there but that's the name of the game. but on the tenth story where you have somebody's life in jeopardy if in fact this goes out and you can make that case and frankly most of the time i talk to the reporter i confirm the reporter's story in the reporter would be sensitive enough to take it to his boss and i think the very fact that a life was in jeopardy was enough to kind of balance and turn the scales. i was never in a situation where it involved a broader policy issue. and thank god i always felt
5:08 pm
and there was one time where it involved the post and actually i talked with the editor of the post and i have a fair hearing on the end, they delayed the story and then ultimately they said we will delay it for a while and then we would like to come back to you and they did. so i have to tell you my experiences at work that this was pretty straightforward and that i was really pleased that when you are making these decisions and don't forget they do have a reporter they have a hot story it will make a lot of news and to be able to put back from that because the national security and interests as a vault is not an easy call at least in my experience the papers always made the right call. >> we welcome your comments
5:09 pm
but to go we are not you have and steep speaking in a very striking way about the need for transparency and three letter agencies in order to build the credibility with the voting public that a democracy requires and i remember when you are at nsa been surprised as a reporter to call up in the phone number was answered and it used to be called no such agency. and when i ask for some help the next thing i knew i was having lunch or coffee with you in your garden i was struck that you seemed to have a conscious strategy of trying to build some kind of balance and visibility for secret agency what was on your mind in those days and what is the broader goal that you think we can reach. >> the traditional answer when someone called the office was
5:10 pm
how did you get this number? we made a conscious effort to put a more human face on the agency. at the time for nsa we knew we were going into very uncharted territory. there was no national debate about the appropriateness of nsa intercept soviet rocket force communication. looking for words of interest like a launch or something like that. we know that the 21st century equivalent would be out pursuing terrorists communications they were
5:11 pm
coexisting with your e-mails. we felt we could not get the sanction where the money that we needed to pursue 21st century targets still at the bunker and had built up a stronger sense of confidence that we could be on those networks we could bump your e-mails but we would not mistreat them. it was a conscious effort to raise our profile. it could not have gotten more dramatic. the last great story is the revelations. in fact it was there responding to it. they really needs to be there out more. and telling their story.
5:12 pm
it took the story to a very dark corner of the room. it was very hard to explain what the agency was doing but one of the reasons is that they thought they were fine. after the great intelligence scandals of the 70s he used to be actually frankly still is in most democracy the province of the the 215 program overseen by the intel committee. we will check with that. the executive.
5:13 pm
there was a sharp reaction from the general american population it was really substantial and see what happens reinforcing what we were trying to do and i were doing and 11, 12 and 13. what have happened was a lot of good americans would point to that court and that's a no longer constituted the government. that may be the consent of the governors but it's not consent you didn't tell me until the social contract we had built we have really big mind subsidence. the social contract was gone and now american democracy like it's in every aspect of government want to have a more
5:14 pm
personal knowledge of what the intelligence services do before they validate the activities make no mistake that is just the way this business works. my point is you will take a step away from us anyway and when i can do anything. so now the great challenges how do we inform the public to a degree that we never informed them before in order to have the legitimacy that the public used to concede to us by keeping a couple of committees informed. >> i want to follow up on them. between the intelligence services this is a good example of that. i've not been in charge of that coverage.
5:15 pm
it has been a very important for the protection of national security for communication to go on during with the journalists. i've been very good about that. it is for the advantage to make sure that it is that advantage. in some cases it turns out to be a proposal and not something that actually went into action. there many things that have not been published. the response of the government was unbelievable. that it would greatly outweigh that. the problem is the most responsible and then you go over here to the london
5:16 pm
guardian a little less so. there are no limits. this is a question i wanted to come to. they thought in the end that it have done some kind of public service. ended up doing that. a little bit something of a discount. do you agree. it was necessary to bring the public into this conversation. >> i have actually spoken a lot about this. the bottom line is the young man accelerated but badly
5:17 pm
distorted the necessary national conversation in the other 98 percent of the stuff he gave to these reporters have nothing to do with your privacy or mine. i have actually been offended by the attorney general thinking that that slice there somehow says all of that. >> look, you have an individual, and the intelligence agencies you are dealing with national secrets classified information president of the united states has the responsibility to defend that. and overt operations to protect the country. in order to maintain covert operations used to maintain
5:18 pm
classified information. and you need people who swear on oath to protect classified information. they could not operate if everybody decides on their own that what they think should be revealed and what they think ought to be held. the reality is things are classified. you are sworn to protect classified information. so when you have somebody who decides i'm going to jump -- dump a bunch of classified information he violates the law. and he ought to be prosecuted. he ought to be subject to justice in be tried i think if he really felt loyalty to this country there's no reason why he should hide out in russia or china he ought to come back here and face justice on that issue. he could prevent every defense he wants. it's wrong and it ought not
5:19 pm
happen. now, is the debate on the issue that he discussed is that a good debate that this country should have of course it is but that does not justify what he did it doesn't make him a hero. because we now know we should protect our money in the banks. in the same thing is true for that. he violated the law he is subject to being prosecuted under the law the information that was revealed in fact did damage the security that we had developed in terms of being able to track terrorist and the reality is that they don't use the same systems anymore. we have to redevelop our
5:20 pm
approach to how we track terrorist it is impacted on the security of this country. it is impacted on lives that were out there because there are sources out there whose lives were jeopardized a virtue of revealing the information. understand the damage that was done should we have a debate on transparency and what were doing absolutely but you don't do it by dumping a bunch of classified information that could jeopardize in damage the security of this country. >> the secretary and i are talking about snowden. that's not the way it would go in some other countries. can i let you go in on this. given what he pointed out that they did make that decision. he turned over the judgment of where the balancing test lied.
5:21 pm
say he decided that. it brings up the question of whether the government will again after the pentagon papers case make an argument for prior restraint on the test and jill you mentioned to me when we were preparing for this that there were a couple of times after the close call decisions were made that at the time you feared prior restraint talk a little bit about whether you think we are close to that. i'm not a lawyer but my understanding is it does not preclude prior restraint. i don't think the website
5:22 pm
would not cross that. i don't know but you are right that i worried that the decision that that supreme court reached in the pentagon it is the ironclad but the bar is really high as you said i just wanted to make a further point about the precursor in a way to the snowden story was the 2005 story that the times broke about what was illegal and of conversations between people in the u.s. and people
5:23 pm
overseas. that was not legal and in the balance of that. if i remember this correctly it was when you were the washington bureau chief they ask you to withhold that story. and then later it was published i received the urgent request that both jim and eric ceased all reporting on the story and when they actually noted that. i think any responsible editor what he said wants more information the reporters who cover intelligence tend to be
5:24 pm
very careful on their own. i said no to stopping reporting and then there was a request from the white house that when we have enough confirmation that we not accomplish that. the ultimate decision-maker he consulted with me in the reporters who said that. it was made literally days for the 2004 election and that brings up just another kind of the sensitivity that we have. the story when we did publish it caused huge ruckus. if you could do it again you
5:25 pm
would do it differently. i certainly would not have held the story and in fact there were two occasions when i made the decision that we would withhold information for very long time. when i added history as part of the balancing test that is an important part of that before we leave the prior restraint. in that case the information it weighs is a difficult question that if there is someone in your agency who knows that something illegal is happening are they under the same blanket that you agreed to not disclose classified information it's a
5:26 pm
slightly different set of facts. >> did you ever hear anyone propose in your councils i was in there inner circle with all of this. there are a range of views. in the primary source was not somebody from the intelligence agency. it was someone from justice was not read into the program. we don't need to relitigate this but i would not and cannot let it just stand that it was presumptively illegal. we did not think it was. you have to go back to the congress to have that. until to actually put what was
5:27 pm
then done into what was described as a safe harbor and the other political branch on the part of the program that jim did not know anything about. and we have gotten it about eight months before jim wrote the story. every other country in the world hasn't including great britain which is why they end up over here. they simply would have sent a notice saying or you're going to go to prison. that is why in the snowden case they have no power or strength and they literally had to let the government officials watch as they take
5:28 pm
sledgehammers. it was increasingly serious. so for instance it was the executive that we were to publish something involving the cia. and they took us over to the university club. they immediately called the justice department. if you run the story. a number of government choices in one case they cited him as
5:29 pm
aiding and abetting. i think we are getting closer and closer to the inflation. it is that reporting process a couple of times in those cases i just want to go back to your theory of transparency about secrecy it is an appealing and complicated subject to wade into another sensitive case. i think you ended up at different places. you thought they were valuable and unnecessary to the national defense. they produced unique information. now, in your view was an opportunity lost by keeping
5:30 pm
all of these operations so secret for so long it's easier to explain i kind of inherited that. and i was trying to reshape it and resize it so it would be politically acceptable going forward. but in this case one of the big issues in the story and one aspect of the was actually the 215 program. and they have pretty much gone on largely unremarked in the program. the is metadata. very closely guarded. it is the good part of the story. unfortunately the administration did not tell.
5:31 pm
all you heard was they got you with your phone bills. it seems like it might be. in retrospect we i think could have immunized the community against the public reaction that that program got by the way it was rolled out simply by being more candid about the value of that. how it is used and maybe even pointing out that it is not constitutionally protected. in other words begin to let the public broadly in on the broad trajectory it will be placed so that you have a better idea. i use the word transparent. the is a you have to be more transparent. great guy.
5:32 pm
we need to be translucent. it's a very elegant distinction you can when you turn the gang up on the microscope get to the fine print and begin to make public those things that make doing that stuff in the first place is not worthwhile. because the adversary knows as well. for the public not the oversight committee. the public gets translucent which they get to see the broad shapes in the broad movements of what their intelligence services are doing. the fine operational print. it could be destructive to get a broad sense of what's going on and to go up again against
5:33 pm
the level of validation that i think we are going to need going forward. >> i think the fundamental principle here is trust in the american people and the reality is if the american people know that steps are being taken to protect their national defense and the national security and they know what the steps are the american people will be supportive if you try to keep that from the american people or hide it then obviously there will be a lot of concern about that. i remind people that when september 11 happened this country rose up in anger asking how the hell do we let
5:34 pm
that happen. the national commission came together that was established in order to determine why did that happen what went wrong. and they determined that the agencies were not sharing information they determined that other agencies were not working effectively to track terrorists and be able to determine who was trying to attack this country. as a result i could do a number of steps to improve our operations our intelligence sharing. our counterterrorism operations. basically aimed at trying to protect this country and making sure that we did not have another september 11. it is important that the american people be reminded of the fact that these are steps be taken to protect them. i don't believe that we have to choose between protecting
5:35 pm
our freedoms and protecting our securities. you do have checks and balances. you do have a judicial branch. all aimed at making sure that we protect our freedoms at the same time we are protecting our security but there is an additional job there which i think mike is getting too. you can't just keep this to yourselves you have to be able to define this for the american people. a big part of that responsibility is with the president. they rest with people who head the agencies. we are not just operating behind the wall. what were trying to do is to fundamentally protect this country from another september 11 type of attack. i think we could be transparent about that and they would support the steps that are being taken in order to ensure that another attack does not happen.
5:36 pm
when that was actually put to the test. a few years after there would be secret prisons torturing of some of the terrorist who were being questioned the photographs of those. and what was going on there. that really kept some of the fundamental issues as americans that that's how they were going to behave. there was such a huge reaction to that because it came out of the blue the public have no idea that such things in such methods were being used. i agree with you in the end these decisions had to be the
5:37 pm
white house because the white house and the president is charged with defending every word of the constitution and that's what happens on inauguration day. at least the amendment concerns should come up but certainly in the case of leak investigations i don't think there was ever anybody in the world when they were discussing whether they were going to approve a criminal case against a source or not about what the consequences were for informing the public and what is the role of the press in the society that has to be informed to make informed decisions. so i was always uncomfortable when they had request to hold
5:38 pm
the stories came from the department of defense because you have a specific mandate and i understood and expected how carefully you take that it is a little bit different. it is supposed to take what we do and the importance of informing the public into account. in the end that's why i actually went on one of my trips to washington and i ask many of the requests were coming from him. so i ask him can we just get together and kind of talk through all of this and he was very open to doing that i
5:39 pm
thought they may have helped. the weight of the responsibilities are all of the actors here in the play i am probably almost as uncomfortable as you are with the prosecutions in the last several years. not that these were bad things and they didn't did these things. but the collateral damage was can be very considerable but at the same token let me talk about the weight and the burden on folks like this. i think they should've gone with that story. i don't think they should have gone with those. i'm here to tell you that my professional judgment there are americans today who are
5:40 pm
dead because they published those pictures we can argue about where they necessary or not for the intent of the story my judgment is probably not and certainly if you weigh the influence not that they had on the american public but the influence they had on our enemies so the structure of the digital age is global. it's one of the reasons why extra credibility. it is instantly global so i want to ask you back to the editorial decision-making they are seeking global audiences. they are global publishers everybody is in the digital age. so are your judgments now affected by whether or not the public interest in the federal
5:41 pm
republic of germany is served by disclosing that we are listening to his phone that doesn't concern me but the possibility of human life in germany would. just as the possibility of saving human life in fairfax virginia. they have asked not too. it would be part of our decision. and i can't see anything different in germany or thailand or anything like that. in terms of political impact no. know. i was not concerned about that. i was concerned about whether the american authorities and the harm that would have been done to counterterrorism and the relationships with them.
5:42 pm
so we are a few minutes away from taking your questions as we wrap up. if any of you do have questions i want to make your way to the microphones please go ahead. i want to get in one question about the time we are in now because we talked about how the structure of disclosure and national security information by the snowden's have changed. you can pick out all of this information but so has the structure a publishing were having a conversation remembering the universe where they were just doing all of these things. and one manifestation is the rise of social media platforms. they are global in their business models they have interests that are very divorced from the way the newsroom would have defined such judgments. i was struck as i'm sure anyone reading the news was by
5:43 pm
your statement about the apple encryption case when you came out and thought against the fbi's pursuit of breaking that encryption. can you explain why you ended up on that side of the issue and also where the dominance of the social media platforms takes us as we wrestle with the issues we've been talking about? i think the government have the authority to direct apple to do it. it's not a privacy question. it was he was dead and it was not his phone. it's a question of security. my judgment was although they have the right to do that i just didn't think it was a very good idea to do that. there were a lot of dangers to american security.
5:44 pm
so our cyber attacks. and frankly you will be better defended by apple in the cyber domain then you would by the american government. it is the nature of the domain. why would you then for a legitimate counterterrorism need here i would think three or four times before i went over here in crippled what an american industry provided looked like pretty good encryption to keep you safe. in the security land alone i think i go with apple. that is the most important thing that has been said here. i just finished a book and i did a lot of research just setting up my home computer. one of the things that people
5:45 pm
are can have to live with his even though you had sources and they may give you a point of light here. the ability now of a good reporter to fill in between those two points because of the nature of modern communication is greater there may be more secrets out there but it may not be because there are more leaks. it might just be the nature of the modern communications environment which leads to all sorts of fundamental reconsiderations of what is necessary or legitimate secrecy. let me comment on this. i think it is a sign of the times. the fact is whether it is apple or silicon valley or the u.s. government. hopefully we are all on the same side.
5:46 pm
i don't know what broke down in the situation. it is a personality problem. it's usually what happens. it is just the reality of things. the fact is when i was director and i think it's true for mike we have a very close relationship with companies in silicon valley. at a very close relationship with people in hollywood and these are all good patriots. they were very loyal to this country they were willing to be helpful. we to keep it confidential and i understood that and we did keep it confidential. but we were operating in the same team and if we needed help they would give us help. and that is frankly the way it should be. i don't know what broke down here and why suddenly
5:47 pm
justice take apple to court. and they have to defend itself in that situation. my recommendation was that both sides need to get back in the room and agree we have the right to protect its consumers around the world. protect their privacy but when it does come to clear evidence of a terrorist who is going to use that information to attack his country there ought to be a way to be able to get that information. and we ought to be able to work together to achieve that. but as i point to be done if it's done out of the public if it's done in the courts or if congress tries to get into it. the reality is has been done in a room where people are sitting down and talking through in developing a process that both sides can agree to.
5:48 pm
they are really catching my attention. perhaps they can explain to that. during the attack and the reason i ask that is i have to take into that during that effect. it's all been recorded. yes it was several hours before i heard anything in the media here in the u.s. the secretary was in the government at the time.
5:49 pm
we can't get away from the stop. >> look, there was no pause button. they knew the attack was taking place. [indiscernible]
5:50 pm
who makes the decisions for what is allowed and what is not? >> they look at these cases and then makes a decision. they made clear that there can prosecute those cases. the mitigating circumstances are. that takes place between the confines of the individual case. and then the judge makes a determination based on that.
5:51 pm
>> i strongly opposed criminalizing what mr. eisen did. i was asked as director of cia. my view is this was an actual breach on part of the cia officer. >> i'm talking about what sterling had done. because of that dynamic how many more secrets do you want to make public.
5:52 pm
number one is the number of times when there has been leaks of important information it is from a relatively low-level person and you kinda wonder how did they have to access to that in the first place. and so there were breakdowns in the intelligence services about how secrets are being kept and that needs to be remembered when you consider these things. i know the general agrees with me about. it's ridiculous. we saw all those documents.
5:53 pm
everybody knows that. and there was a commission. a presidential commission created and the administration has done nothing with it. absolutely nothing with it. i think that's terrible. >> we already went through this. but when we did our books referenced some operations that my agency was involved with. those are stories that were in the new york times. they said you just had to have all of this up presented to the agency. i said it was in the new york times. the president of the united states spoke about it what am
5:54 pm
i missing here. if you do have the job of classifying things. to both of you from your experience at cia both of the authors are very useful. i have an office groaning with the memoirs just groaning and there is no other secret agency in the world that has produced so many books. they are available at the bookstore. so inside the agency i think there is some tension about this.
5:55 pm
that was obviously illegal. there are a range of views. you do have a generation of cia officers who at least want to give their view of the story out there. and so there has been a pretty strong brush and a very good officer. that's not the way i saw it. we just want to put that out there on the public record. you ask a short question we will get out of here on time. >> one of the things seems to be trust in the american people's judgment. but i think may be the root cause is the lack of trust in the agencies that you guys run most recently with the apple thing. i wanted to veer in on something that the secretary
5:56 pm
said. you said he did that. there was other ways to have a conversation. but that conversation was not being had and there's no evidence that it would've ever been had absent that. we need to talk about it. i disagree with you. i think frankly if he had taken the time to go up and talk to dianne feinstein. she would be more than willing to listen. mike rogers was a chairman on the house side. he would certainly be open to anyone coming in and providing that kind of information that concerns snowden. he did not even try. he wasn't even effort to at least talk to somebody in a responsible position and say
5:57 pm
wait a minute i'm concerned about what's going on here. the fact is our system would respond to that. once some somebody talks to somebody they know they will get that. that could be a story. at least in my experience working with good people these are the people that you ought to turn to to say i'm concerned about whether or not our freedoms are being protected. in this program. and here is the evidence that i have to show that. if you don't mind. i will make it quickly. as we made many references and in that case he actually did approach a senator he very
5:58 pm
much wanted the senate to hold hands on what was in the pentagon papers including the fact that the johnson administration had told epic lies about the war and he was basically told were not getting anywhere near as this. we could go on for another half hour about whistleblowers inside government systems and your experiences would be interesting to hear about. my impression is if government bureaucracies in general are able to manage internal assent. we would be out of business.
5:59 pm
it makes it very difficult. let me just conclude by asking you to join me in thanking this great group. during the most recent term they made it easier for landowners to challenge decisions by federal regulators under the clean water act. a minnesota company seeking to operate a mining operation can immediately file a lawsuit against the u.s. army corps of engineers over the agency's determinations over the waters of the
