♪ >> next remarks by 40e8ds under secretary spaulding, hosted by the american bar association. topics include cyber security operations and efforts to form stronger relationships with the private sector. this is about 55 minutes. >> thank you very much, joe,

thank you for once again taking the laboring war and putting together this very -- thank you to all of you, who are here today who have taken the time to be here, but who also, i know on a daily basis care about and in many cases work to achieve our shared objective of ensuring safe, secure, resilient communities where our -- this is like a class reunion. and in many ways it is, a lot of former dhs folks here, a lot of current dhs folks here, but also a lot of you in private practice and in academia and elsewhere, all of whom contribute to the solving, addressing, understanding the challenges that we face. so thank you all of you for what

you do. i bring greetings from secretary jay johnson, secretary of homeland security who would love to have been here today. like me, he is a recovering attorney. and we are very, both of us, well aware and deeply appreciate the importance of the rule of law and the role of lawyers. as a vital part of our team as we go forward to accomplish this mission on behalf of the american people. i am aided, as i said by my very able county schedule, i believe you're hearing from later in the program. so we're really quite fortunate in our legal counsel. at the department. i want to talk about three key

elements of how we accomplish and view our mission at the department of homeland security, but particularly with regard to the national programs director for which i have the honor of being the undersecretary. joe described a built about what we do, which is good because the name tells you very little about what we do. but our overarch -- critical infrastructure. and we do that in the context of an all hazards approach. so we look at the threats, the vulnerabilities, the consequences and mitigation across both physical, human and cyber. and that gives us a tremendous strength. we are working very hard, each and every day to make sure that we are not stove piping our approach to that mission of the security and resilience of

critical infrastructure. that folks who are our cyberninjas, who are really smart on the cyber front, and the folks who have gotten really good over the years of -- and the folks who are looking at human security from a biometrics perspective, for example, are all talking together. in looking at these things and understanding their own interdependencies a and that's critically important. we're able to achieve that and get better and better at that each day because we have very talented people at the department of homeland security and i'll talk a little bit about that. i'm going to talk a bit about the role of technology, and that's a particularly important and a challenge for on the legal front, so for those of you in this room, i think you'll -- some of the challenges that i want to talk about there will resonate with you, and i'm

finally one of the most important aspects of what we do which is the public-private partnersh partnerships, a lot of people roll their eyes, and have refused to even mention the phrase anymore, but in fact, i'm here to tell you, it is a reality. that we benefit from each and every day at n ppbd and the department of homeland security. i'm going to start with my favorite part of this is the -- we have always had the benefit of being led by people with extraordinary talentalent. i continue to be amazed at the people that we attract. the people in this ram who were there at the creation of the department and folks who have helped shepherd it along the way who have made this an exciting place for people to come to

work. we are very fortunate to be led by secretary jay johnson, who in addition to being a lawyer, most recently came to us after having been general counsel at the department of defense. so he brings not only the experience he had in private practice representing businesses, private sector, entities of all sizes, which is again, a critical part of what we do, but he also comes and as brought to the department that post goldwater nicholls sense, the importance of the sense of unity of effort. so those of you at the dod know this, about four years after the department of defense was created, the department passed goldwater nicholls legislation to bring greater unity of purpose to the department of defense. i remind them that it took about 40 years for the department of

defense to get where they needed to get to begin to get where they needed to get on unity of effort. we don't have 40 years to get this right at the department of homeland security. but it does help you to keep in mind how young we are, as a department. but secretary johnson has come with a sense of you are generality, to bring the legs sons learned from the department of defense with regard to bringing that unity of effort across those elements of dhs, a very important part of what he's doing. and it is perfectly consistent with what i have been doing, trying to do at mpbd since i came in october of 2011. to bring that unity of effort that i taked about earlier, across npbd, to make sure we are fully leveraging, understanding, data, knowledge, across those es

of mpbd and that we are helping to leverage that all across the department. we're also very component head, so he was the head of -- has moved up to be the deputy and i have to tell you that it really is wonderful to have someone in that position who has led one of the components of the department. and understands that relationship and how important that is between department of homeland security headquarters and its operational components and really appreciates the kinds of things that need to be pulled up and really centralized and managed from headquarters and those things that really need to be distributed out to the components. and as interesting as i watch that, because it is the same sort of lessons that i take back to mpbd, as i look at the

relationship for what i am, at mpbd which is headquarters and our sub components and have the same kinds of discussions about what needs to be centralized and what needs to be distributed to create a really effective, agile, dynamic and effective organization. so that is happening, so we are seeing changing at the departmental level. in an effort, as i say, creating that unity of effort to enhance effectiveness and efficiency. the challenge that we are facing on a daily basis is to make sure that we're in sync with each other. but it is in large part thanks to the great leadership that we have at the department. and within mpbd, so we were

increedingly excited to recruit our cyber deputy secretary. quite a while ago now, she can no longer play the i'm new here card. so for those of you who don't know phyllis, she comes to us from the private sector, she was the chief technology officer at mcafee. someone who comes with the understanding already of the importance of policy because she was chairman of the board at info guard, which was a private sector outreach group that was really managed by the fbi. and also with that terrific forensic analysis effort up in pennsylvania, outside of carnegie mellon, the center for republican sick and technology si analysis as it's called.

she's outstanding and-she also helped us to recruit for our assistant secretary for cybersecurity education officer u eat one that brings great technical -- but again, an understanding of the inner agency because he prior to joining us was at the white house, working with michael daniel at the national security counsel. and he has come in and provided some really outstanding leadership along with his deputies greg and bobby. we have got just an outstanding team in place in the leadership of cs & c. and they continue to attract the best and the brightest. we have turn over, which is to be expected when you're recruiting really top talent, particularly in the cyber

sector. it's not surprising that the competition would be able to lure them away at some point. it's always a los, and we're always sad to see them go, we just lost a couple of our key leaders, but we know that we have top talent lined up and ready to come in and join the fight. that is really a wonderful feeling, to know that we will continue to be able to recruit the best and the brightest to join us in this really important mission. we have great leadership across mpbd. and i just want to quickly highlight eric patterson, who's a retired air force general, who leads our federal protective service and they are increasingly, those are the folks that watch federal facilities all across the country. they are in charge of security at over 9,000 facilities across the country, and they do work

very similar to what our protective security advisors and our office of protection are doing for the private sector. they assess security at federal facilities, they provide recommendations for reconciliation. but then they also manage the guard force, the private security officers that stand guard at those buildings, day in and stay out. and the lessons we can learn, the insights we can get from that day to day interaction to see how these mitigation measures actually play out when they're implemented, is something we're working to bring back, in our private sector to help enhance the work that we do at the private sector. so our cyber folks have responsibility for the dot-gov.

fbs is the sector specific a gt si for federal facilities. so again, one of the things we're doing is saying, this is a really powerful combination, we have federal asset systems and networks, physical and virtual, that we have responsibility for protecting, and we are increasingly looking at that in a hole listic way. h how do we leverage those insights on a daily basis, not just to ensure the continue knewity -- protecting the people who work and visit those federal facilities each and every day. but to be able to bring that knowledge in, whether it's from what we're skiing in our dot-gov tools and programs or what we're seeing in the physical realm together to provide those

instilgts to our dotcom stake holders. that gives you an insight into what we are, when i talk about unity of effort at mpbd, that's what we're talking about, how do we bring all of these things together to help all of our stake holders, by leveraging more fully the kinds of things we are doing, and eric patterson is doing a great job leading the federal protection service. we have got great leaders at our office of bioidentity management. they are taking a leadership role across the departments how can we utilize buy owe metrics. and our newest entity which is the office of cyber infrasfrur and analysis, which is a real institutionalization of that looking across cyberand physical. and that group is doing glaet

work, bringing together, our cyberninjas, particularly those who have unequaled expertise in understanding industrial control systems. together with the physical people who can say the so what of cyber. so ow industrial control system folks can say, here's all of the ways that somebody could hack into you know, status systems and industrial control systems, and the processes that are controlled by those systems. and then the physical, the folks who understand how to model and simulate and understand those interdependencies can say here are the consequences from that. and that is a critical part of prioritization, right? all of us understand that we have limited resources, limited time, and we have got to make

decisions about how we prioritize the allegations of resources. will it's a superstorm sandy, a cyber attack or a physical sabotage. something on the scale that we at the homeland security department are worry -- to keep generators going, and it is the folks at npbd that says, there's a communications hub that people aren't paying attention to, that if it's running out of fuel in our generator, international communications up and down the eastern seaboard will be avblged, we got to get fuel or generator help to that facility. that's the kind of dynamic prioritization that our folks in ocia, the office of cyberand instruction analysis do.

so the growing expertise at npbd is actually increasingly being recognized by outside observers. for example, i mentioned phyllis snek, and bob stanley, they were recently recognized as two of the top 50 it professionals in government. our colleagues have won major awards from organizations like the -- and the information systems security education. phyllis i think has been particularly pleased to gain an expeer -- in the private sect ,

sector-she had said time and time again that she had never worked with smarter people than she has here. we recently got the most recent kudos from our stake holders out there, from a company that we had sent one of our sert teams out there to assess, who wrote back and said that he had never worked with a momore professional and talented team. for those of you again who ---.

my second point that i want to talk about is technology and how that impacts our mission. as we have talked about, we are increasingly at risk, our nation's critical infrastructure. and the technology, as technology advances, it challenges and opportunities for the folks who look at vulnerabilities, who look at threat vectors and who look at consequences of litigation, but it's also a challenge for the lawyers and dan and i have frequent conversations about how this presents increasingly challenges for us. because our adversaries are not slowing down in their evolution of technology and techniques, and we have to be equally agile. in the cybercontext, when people

ask me to summarize the nature of the threat, i typically draw a matrix, right, so on this edge of the graph is destructive intentional and on this angle is capacity. those who have the greatest destruct ty sbrnt at the moment, have the least capability. i always point out that this top -- those who have les capacity today are constantly gaining kpas capacity. and this bottom point, depends on what's happening in the world and at any point could flip up.

so that's the threat picture, it's very dynamic, and we're aware that it's very dynamic and we never get too complacent and a lot of that is because of technology, just as our adversaries are taking advantage of the advance in technology, the department too is looking at and making great strides in terms of the kinds of technology that -- our department -- science and technology director has some very innovative programs under way, both in the cyber context, and also in the physical context. so those of you who are familiar with the metcalf electricity substation out in california, understand the importance of transformers and that they are a long pole in the tent. our science and technology director has for some time now been working with their private

sector colleagues to develop transformers that can be -- as i said, that's a significant vulnerability and a long pole in the tent. our colleagues at ice, who are also involved in our cyberactivities and do terrific work on forensics, to uncover and prosecute criminal activity online are constantly innovating and using technology to get faster and better at the ways in which they are able to do that forensic activity. secret service is closing complex international investigations and they are crippling international crime networks and again becoming increasingly innovative, not

only in the ways in which they do prosecution, but also maybe really working hard and rolling up their sleeves in the way they can carry out a successful prosecution while sharing information with us to share to our private sector and government stake holders as quickly as possible. and that is a real challenge and something that has bedeviled in the past. we have terrific stuff going on in our cyber ops center, the national communications and cyber community integration center, the nk, it's our 24/7 ops center, it has sitting on the floor of that ops center, not only our colleagues across dhs, but also our colleagues across the interagency including law enforcement and the intelligence community, and programs most significantly our

colleagues from the private sector, who come together and with increasingly sophisticated tech until and tools are able to provide us with stational awareness in the event of incidents, but also understanding how to detect and stop and block those technologies. who are developing the tools and technology, we have the spopt for.gov. there we have employed our intrusion prevention technology, but also continuous diagnostics, which is going to revolutionize and assess the health of our government networks. right now under the federal information security management act, this produces every three years ago, a big, fat, binder

that's a compliance checklist. what cdm will do, and within a matter of hours, scan your network, assess your network being government networks, assess the health of those networks, and tell you where you've got problems and help you bri prioritize what you've got to assess first. in that you have got to have real time sense of the health of your network, it is really remarkable. and an example again of the ways in which the department is taking advantage of technology to try to stay ahead of the game here. the mkik. is again an illustration i'll talk about in a minute in terms of public-private partnership. since 2009, they have responded to nearly half a million incident reports, and they have put out over 26,000 actionable alerts and i will tell you,

these -- actually they are making a difference. we just got word from a private sector company that they had gotten an alert from our mkik, some of the information from that alert came from the secret service, we put that information out through our mkik and this private sector company got an alert about a possible mall ware and they said to their tech folks we have got to figure out if we have got this, and they looked and indeed they did, and they were able to take mitigation measures. that is exactly what we are about. we are all about getting that information out, making sure it is actionable. and trying to prevent, mitigate the consequences of cyberand

physical intrusions, cyberis impacting the law as i spoke about earlier. as you can imagine, we are -- dan and his famiteam are dealin with a number of cutting edge issues in the law but a number of them have to do with technology. and the reason you all understand this, is that there is really a disconnect, still, between the incredibly rapid pace of technological change and the intentionally deliberate speed with which the law changes. all right? the law is intended to be thoughtful, careful buildup over time, whether you're talking about the development of law through the judicial process which can take a long time. or the development of law through the conference, which

can sometimes take forever and which often runs the risk of being outdated as soon as it's enacted. so this is a huge challenge, it is one with which we wrestle and what you wind up doing is that you're going to laws for legal guidance that were written -- that lie behind those legislative enactments, you're familiar with the number of questions with which this takes place, speed is one of the issues, quantity is one of the issues that we are increasingly confronting and that you're seeing increasingly play out in

lower court cases. are we in a blase where a difference inspect quantity becomes a difference in kind? the amount of information that technology allows us not only to gather, u but to understand and make sense of so it's both the citizensing and the sense making part of technology, that has presented some interesting new issues for our courts and our lawyers as they look at those issues. the balance of the bucket in which these -- international or foreign and domestic. between nation state actors and nonstate actors, between criminal actors and nation state actors. and these lines that have served us pretty well in the past to try to understand who has the

authority and how that authority is going to be implemented achkd how just exactly how the fourth amendment applies, et cetera, those things are being challenged as we know. and that debate and those questions are being asked and we, you know, we're looking at do we need new kinds of buckets, how do we make sure that our legal framer is keeping up with the real -- the changes in the world. and one of the ones we deal with on a daily basis and that is roles, particularly the role of the government and the role of the private sector. those of you who like me came up in the traditional national security world, you will remember, that we basically -- if we interacted with the private sector, it was generally in one of two contexts. they were either a contractor providing you a specific good or service pursuant to a particular

good or contract. so this notion that the department of homeland security was in part stood up to implement and treating and recognizing the private sector as a full partner in achieving that security and resilience that are is our fundamental mission, that is a new concept. again, despite the fact that we have been talking public-private partnership it seems like forever now, it's actually a new way of thinking for traditional national security folks. and i have watched as negotiation have sort of begun to get their head around it. but it is something that we, again, work on day in and day out, at the department of homeland security and that we go to the traditional national

security table, you know, having to constantly remind our colleagues that the private sector actually is part of the security solution. so, for example, we have a private sector clearance program, where we can clear folks on the private sector, not pursuant to a contractual relationship, but pursuant to this partnership, and so we can bring in critical infrastructure, owners and operators, with top secret clearances, show them all the intelligence that we have, and say here's what we think we see in this intelligence, here's what we think this is saying, what do you see? what are we missing? and most importantly, help us to craft the unclassified alert that we can put out through our appropriate channels to all of our critical infrastructure owners and operators across the country, so they can take

action, tell us what in this classified information, you would really need to know as the chief security officer of a piece of critical infrastructure, or as the chief information security officer. and that gives us ammunition, then, to go back to the -- eater the intelligence community or the law enforcement community saying this piece of -- this is what they need to be able to take the action that we look to them to take, as our partners, in addressing the security challenge, that's a really powerful combination and just one example of the way in which that plays out. which leads smoothly into that next topic, which is that public-private partnership, because we really do recognize that we are not going to achieve the security and resilience of critical infrastructure. we are going to do everything that we can to assist the owners

and operators of that infrastructure, whether they're federal facilities or private sector or public seccor utility owners and operators to make weisser risk management decisions. so traditionally, that meant that the government would -- you know, would provide the threat information. all right? and we still do provide significant threat information as i just described. but increasingly, particularly in the cyber context, the private sector is developing threat information and in some cases, better and more threat information than the government. at least -- certainly with respect to what's coming at the private sector. so we are in a situation where, again, we're having to think about this in a very nontraditional way. not just threat information, but -- how do we do that that is consistent with private rights

and civil liberties. that task is made easier for me at the department because we have a statutory privacy security officer and i have an mpbd, my own privacy security counsel and she has a team, emily andrew and her team, they are a full part of our team, they are with us at the development of programs, we don't go to them afterwards, we have built this program, now tell us how to make it consistent with our privacy, they are right there from the get-go to bake it in from the beginning. not only do we have some legal obligations to make sure that we are complying with privacy laws, but our privacy counsel helps us to focus our efforts, and again in a time of scarce resources, we want to make sure that we're focusing on the things that really matter. so they are helping us accomplish our mission of str n

strengthening our security in critical infrastructure. that close relationship and doing this right is essential to that trusted relationship that we have with the private sector. that is, again that is our reason for being, we are only here to assist our stake holders in that security and resilience of critical infrasfrur mission. and we can only do that if we have the trust of the critical structure owners and operators of american people. so we are extremely grateful to have this team helping us with the privacy and civil rights civil liberty issues from the get-go and all the way through. the importance of our private sector partnership is reflected in the national infrastructure protection plan for 2013, and i system a number of people in this room, and so you know what a huge undertaking and what a huge challenge it is, always, to

develop this document. we have tremendous collaboration and input from the private sector. folks who worked incredibly hard and for whom this was not really their day job. i do have other things to do, but who rolled up their sleeves across our critical infrastructure sectors and helped to make sure that we got this right. so subtitle of that national infrastructure -- to strengthen the security of critical infrastructure. and it reflects the lessons we have learned and continue to learn day in and day out as we strengthen those relationships and that interaction. so, i'm going to wrap it up, you kn know, the bottom line of my message is, we're from the government and we're here to help. and that's a pretty guaranteed laugh line. but it really is true.

and i think increasingly, our stake holders are coming to see that we really mean it and that in fact that we have a lot that we bring to the table to help in what is increasingly seen as a shared mission, to preserve the functionality of those services, and goods, that under lie our way of life. than's when we talk about critical infrastructure, that's really what we're talking about, we're talking about all those things, that go into our day to day, that we depend upon to sustain and enrich our ways of life. that's critical infrastructure. this is that broad. and traditionally, 85%, we say 85% of it is owned by the private sector.

one of these days we'll figure out whether that's true. but it's somewhere around that number, in any event. the vast majority is owned by the private sector. so that relationship is very important. we have things we bring to the table. so as lawyers out there, those of you in this room who work with clients in the critical infrastructure owner-operator arena, lawyers are always very cautious and i think appropriately so, that's what we get paid the big bucks for. but i want you to know, that we do come -- when we come and knock on the door and offer to do a vulnerability assessment. when we respond to a call that says we think we have seen an intrusion or breach, those of us who are coming from npbd, we're coming for no other reason than to help you, we don't have a law enforcement mission our colleagues in the secret service

go after organized crime and financial crimes. but in npbd we don't have a law enforcement mission and we don't have an intelligence collection mission, our mission is just about helping strengthen the security resilience of critical infrastructure. so i would encourage you to encourage your clients to feel comfortable in reaching out. the information is protected under the protected critical infrastructure regime and we have never had an unauthorized disclosure of information that was protected under that regime, that was stet up when the department was -- i have been working with the american bar association to try to see if we can't get a more clear statement about the responsibility of

lawyers that are doing due diligence in mergers and acquisitions to include cyber security in the risks they are assessing and analyzing. acquired companies and later find out after they have connected all their networks and systems that that company they acquired did not have good cyber hygiene and was riddled with problems that have now infected the entire network. lawyers need to help with that. auditors need to help with that. venture capitalists, sayingive you're invested in a company, you're investing in large part in that intel lek k4u8 property, and if you haven't done your due dpil negligence -- you are throwing your money down a rat hole, because that intellectual property is going out the backdoor.

attorneys in this room and your colleagues work with these folks on a daily basis, i need your help in spreading the word. the more security any of us become, the more secure the rest of us are. this is a working collaboration and only by working together will we meet this challenge. but i am confident that those of you in this room understand that, that's why you're here today, that's why you're going to be here for the next couple of days, and i thank you for the work that you're doing and for all of your help as we tackle this significant changes. thank you very much. so i talked longer than i meant to for which i apologize. but i am happy to take a few questions. i see david wolf in the back of the room, which reminds me, you

should never sort of thank people oreck nice people in your organization, that i certainly meant to call out among the talented people that we have in npbd, our assistant secretary, for the office of infrastructure protection and has really been with npbd since it's inception, if not the day of, or shortly photograph brings tremendous expertise to that role and energy and passion. and david wolf who works with her as the head of the infrastructure security and compliance division, which is the office that manages cfacs. and david and kaitlin have done an outstanding job of turning around what was a very troubled program that was -- that had a very difficult time getting off the ground. and i'm here to tell you that within the last two years, they

have with their team gone from having approved zero, no sight security plans for highest risk chemical facilities across the country to having just signed the 1 ,000th approval, so they have gone from zero approvals to 1,000 approvals within the space of two years and they are on a great trend line to get through what became a pretty significant backlog of plans to be approved to raise the security for the country with regard to his highest risk chemical facilities, they are making a difference every single day. >> questions? >> yes. >> we have a microphone up here, please come up to the microphone if you have a question.

>> i'm not shy, let me ask a question if i could. suzanne, i know you can't look into a crystal ball right now and think about, it's been more than 10 years since the department was created, if you could project ahead what you might be seeing in this sector in the next ten years. i think you have touched on that already in your remarks. i'm going to ask a multipart question, this is always the thing you get sometimes with questions like this, but i'm thinking about the international piece, the second piece, the international, when i worked for tom ridge, one of the comments he made to me as he was going out the door, he wished he had spent more time on the international piece. so much of this is domestic, but if you could toich on the projection ahead and the international piece. >> that's great, joe.

i'll start with the international piece and i appreciate you bringing it up because it's a critical part of what we do, and our folks are very much engaged in conversations and collaboration with their counter parts across the globe. we have a particularly rich relationship, of course, with our what we in the intelligence community refer to as the five is, which manifests it's in the critical five, and the ottawa five and any one of these forums in which critics some together. but dealing with the eu on these issues and folks, as they say around the world, on both the general critical infrastructure protection across all hazards, in the counter terrorism context and of course in the cyber context. and in the cyber context in particular, we have very strong and active relationships fwun

our computer emergency readiness teams and certs that are being set up all around the world by other countries. the uk had a couple of certs, but there are certs in lots of countries with which they interact on a daily basis. and that is obviously essential. these threats i mean it's most obvious in cyber, but it's true across the board. mother nature really doesn't know borders and we saw that as we contemplated the effects of the tsunami in japan. we have got to have that international piece. the 10-year again, the landscape changes so rapidly that it is an incredibly hard challenge to think about what we might

confront. but i will tell you my utopian vision for where i would like to see us heading and where i would like to see us closer to in ten years. and again, it starts with this notion making. it is really all about better understanding and taking advantage of our comparative advantages. it goes back to these partnerships with our stake holders across dhs, across the federal interagency, state and local territorial, tribal, private sector and international that we would all understand each other's capabilities, authorities, limitations and that we would have an ability through our shared information exchanges. we would have tremendous situational awareness of what's going on in the world out there. we would be able to detect

property bagss. we would be able to quickly share that across all of those stake holders. and we would understand inherently, you know, who can bring what to bare to address that challenge. and as the situation changed, we would understand to -- okay. now you've got -- the situation has now changed. you now have the comparative advantage, over to you. i've got the con and that we would be able to -- in that way, you know, really bring all of the talent, the resources, the capability to bear in a very efficient and effective way to address these challenges. so, that's a pretty utopian vision. i understand that. but i think it's important to have some sense of where you would like to go, where you would like to be as you build capability and as you build those relationships. >> hi. my name is kimba walden at dhs.

you mentioned for a minute that you were working with the ava to encourage the private bar to do more effective due diligence on evaluating cyber security networks before they merge. i'm just wondering if you can talk a little bit more about the contours of what -- how your incentivizing the private bar to do that and what the response has been. >> yes. thank you. i have been working most closely with my former colleagues at the aba standing committee on law and national security, but they are reaching out to the business law section and others in the aba, very early stages of those conversations, but just before i went into the department, help stand up a cyber security legal task force in the american bar association and i met with them in boston at the aba annual meeting just a couple weekends ago and again encouraged them to put this on the agenda. and there is a resiptivity and understanding that this is really just a fundamental part

of what the -- of their responsibility and what they should be doing. so i don't think this is going to be a hard challenge to get lawyers to sort of again take this more seriously and stand up to it and there are a lot of lawyers -- don't get me wrong, who are doing this extremely well today and who have -- from the get-go understood the por s importance of this. the goal is to get those best practices out more broadly to folks. in terms of sort of how do you do that, it's the same kinds of assistance that we are providing directly to critical infrastructures owners operators into small and medium-sized businesses and businesses of all size all across the country. first and foremost, we're encouraging folks to use the sieb security frame work developed by nist with help of dhs and the private sector which was developed pursuant to the cyber security executive order. that cyber security frame work

is not just a compilation of best practices, which it is, it is taken from the private sector all of the standards and things that are already out there and best practices and they put them and they've organized them, what is, i think, most useful is really the tax onmy. it gives us a language and a way of talking about and addressing the threat. it's those five categories, right, identify your risks and the assets that you need to protect to look at the steps you're taking to protect them to detect things that might come in, to respond, and then to recover. pretty basic, but to have that framework and have everybody adopt that, gives us a way of talking about this. and then there's very useful guidance in there about how you would implement this in a business with a meeting of your board of directors to provide high-level guidance and make sure they understand the importance and the allocation of resources, providing direction to management that then provides

technical, you know, more granule lar guidance to the technical team and feeds it back up. all of these elements of framework are very important. the department of homeland security has the responsibility of assisting entities in using this framework to improve their cyber security and we do that through a program we call c cubed vp because you have to have an acronym for everything. it's critical infrastructure cyber community because it really is a community effort here. voluntary program. and if you go to the uscert website, u.s.-cert.gov. mitigation guidance, et cetera that the u.s. cert puts out. so that is out there for the legal community, law firms are increasingly targets themselves because they hold customer data

and oftentimes intellectual property of their clients, et cetera, so thank you for the -- giving me the opportunity to give that plug. and join ustion tuesday here on c-span 3 for programs focussing on health care issues. we'll show you remarks from larry murlow and a house hearing on medicare fraud all starting tuesday at 8:00 p.m. eastern. plenty more live campaign 2014 debate coverage coming up tuesday on c-span. starting at 8:00 p.m. eastern, an arkansas senate debate between incumbent mark pryor and republican congressman, tom cotton. recent polling has this race as a tossup. right after that, south carolina govern nikki haley faces off with vincent sheheen and tom

ervin. and then john kitzhaber versus dennis richardson. 10:00 p.m. eastern also on c-span. with live coverage of the u.s. house on c-span and the senate on c-span2, here on c-span3, we compliment that coverage by showing you the most relevant congressional hearings and public affairs events. then on weekends, c-span 3 is the home to american history tv with programs that tell our nation's story. the civil war 150th anniversary, visiting battlefields and key events. american artifacts touring museums and historic sites. history book shelf with the best known american history writers. the presidency, looking at the policies and leg sis of our nation's commanders in chief. lectures in history, with top college professors delving into america's past. and our new series -- reel

america. created by the cable tv industry and funded by your local cable or satellite provider. watch us in hd, like us on facebook and follow us on twitter. now more from the american bar association's annual homeland security conference. this portion features remarks from robert litt, general counsel for the office of the director of national intelligence. he discusses the relationship between security and privacy, while also looking at nsa surveillance. recent supreme court decisions and the fourth amendment. this is about an hour. >> should have brought my sunglasses. >> you can help us out if you speak directly into the mics. hard rule of thumb. not to be rude. >> okay. >> you can turn it towards you.

>> folks, we got -- we're round out the conversations in back of the room and then we'll get started. we'll get started now with our next panel, this is our first breakout session of the day and we're going to go to other breakouts as we go past the hour our lunchtime presentation. reminder about lunch. you should go get your lunch in room 207 and then resume -- attendance in this room. i'm going to call sergeant in arms to arrest those of you in the back of the room that are still talking and that will happen in another life time. let me mention that this topic is one that i know is familiar to many of you that practice law

in government and in the private sector, particularly here in washington, d.c. and that's striking the balance between privacy versus security. and, again, this year we are honored to have congressman turner from formerly u.s. congressman from texas as our moderator. jim served with distinction for four terms in congress. he has a military background, formerly a captain in the u.s. army. jim won praise from both parties for his work on homeland security issues in the time post 9/11. before congress, jim has a distinguished career in texas state government both serving in the house and state in texas and he is a university of texas law school graduate and aspired to be what jim turner is as both a leader and a lawyer. and if anyone in this room ever needs help on any issue both in front of congress or with the

executive branch, certainly with jim turner at the helm, it's going to be successful. or you'll get as much success as possible. so with that, let me turn it over to you, jim, thank you. >> thank you, joe. really appreciate the opportunity to be a part of this panel and i want to thank joe for all his many efforts this year and in previous years to organize this program for the aba. in this panel, we're going to be discussing, as joe mentioned, tension that exists between civil liberties and national security. we have a very distinguished panel and i would like to introduce each of them to you. first, to my left, we have jennifer daskal, stanlt professor of law, american university school of law. jennifer is an assistant professor of law and she focuses

on criminal, national security and constitutional law. prior to joining the washington college of law in 2013, she was a national security fellow anded a jujt professor at judgetown law center. from 2009 to '11 she served in various positions in the department of justice, including as counsel to the assistant attorney general for national security and served on the secretary of defense and attorney general led detention policy task force. she is the founding editor and contributor to the recently launched "just security blog" and she's a graduate of brown university, harvard law school and cambridge university. to her left, is chuck blanchard. chuck is a partner at law firm of arnold and porter where he -- i had the opportunity to see him frequently. he is in the government contract and national security practices at our firm.

prior to joining arlen and porter, he held several senior government positions over his 28-year legal career. chuck served as a general counsel and chief ethics officer for the u.s. air force. he served as general counsel at the u.s. army at the u.s. department of the army. and he served two terms as a state senator in the state of arizona. in 2003, he was named interim homeland security director for former arizona govern, january net that pal tan know. he graduated first in the class of harvard. next to chuck is bob litt. a name i'm sure you've come across quite often in the last few months in newspapers. bob is the general counsel at the office of the director of national intelligence. he was yun nam mousily confirmed by the senate in june in 2009.

prior to joining odni, bob was a partner at arlin and porter and served on the governing body of aba's criminal justice section and as an advisory member to to the standing committee on law and national security. from 1994 to 19999, bob worked in leadership positions in the department of justice at depsy assistant attorney in criminal division and principal where he was responsible for national security matters ranging from fiza applications, covert action reviews and computer security. bob has his bachelor's degree from harvard and masters in law degrees from yale university. so, the score on the panel so far is two harvard graduates, one yale. so i guess harvard wins today. >> even odds. >> but we are very pleased to have this distinguished panel and i'm going to let each of them make a brief introductory

remarks then we'll begin to discuss among ourselves the issues that are laid before you and, of course, i hope that it will spark some interest from the audience and allow you to ask our panel some questions as we proceed. so, first, jennifer, i'll let you lead off. >> well, thanks to the aba for putting on this wonderful program for inviting me here today and thank you for the kind introduction. i believe we're going to focus most of our discussion on the surveillance regime and the many debates and disputes and discussions about it. i want to spend a few minutes talking about some of the legal underpinnings of the government surveillance programs and to suggest that some of the doctrine on which the government has long relied is shifting under its felt a little bit and that this creates a range of opportunities and challenges for both doctrine and policy going forward. in particular, i want to talk about two aspects of the fourth amendment doctrine, chast moan

as a third party doctrine and territoriality doctrine in which is the long standing presumption that the fourth amendment only applies in the united states and outside of the united states it applies solely to u.s. citizens and persons with significant voluntary connections to the united states. so, just starting briefly with the third party doctrine, as i believe probably all of you know, the government's argument with respect to telephoning collection under the 215 program and presumably other meta data collections as well is premised to some extent on the idea that there's no fourth amendment issue involved because there's no search and seizure of information that's been turned other to a telephone company. and this is based largely on what's known as a third party doctrine which stems in part from a 1979 case, smith v maryland in which the government recorded the telephone numbers called out of a particular

suspect for two days and in the course of his criminal trial he challenged the government's collection of this information because the government didn't get a warrant and the court said there is no fourth amendment issue. there's no cognizable search or seizure because this individual already turned over the numbers that he called out to the telephone company and therefore had no reasonable expectation of privacy in those telephone numbers. and this case has now been relied on po argue that there is no expectation of privacy in all of our numbers called in and out and has been the basis or at least part of the basis for the meta data collection program. and i want to suggest that this understanding of the third party doctrine is challenged and is being challenged most recently by the supreme court's ruling in riley v california which came out late spring, early summer. and the very least the supreme court's ruling casts doubt on

the validity of the third party doctrine going forward. for those of who aren't familiar with the case the facts were that two cases were joined and one case the government seized a smart phone of an individual during the course of his arrest and another case the government agent seized a flip phone, those were the old phones that probably none of us use anymore but that basically they don't record that much information other than the call log who you called and the number dialed. and the cases were joined and in both cases the defendant in those cases claimed that the search and seizure of their phones was impermissible and the government claims no, it's totally valid as a search incident and arrest we don't need a warrant. we don't need to go through the ordinary fourth amendment procedures. and the court ruled unanimously that against the government. the court ruled that the seizure of these phones was not justified as a search incident and arrest and the court

disagreed with the government's arguments about exigencies said that there are ways to preserve this information if you're concerned about the information getting lost. the court disagreed with t government's claim that there was any sort of safety risk associated with these phones. and most importantly for the purposes of my point is that the government -- the court disagreed with the idea that there weren't any legitimate recognizable privacy interests in the phones and they describe the wealth of information that can be stored digitally on these phones as possibly providing more information than is uncovered during the search of one's house. the court distinguished both quantitatively and qualitatively between the wealth of information that can be seized and revealed through the review of one's phone from tangible evidence and they quoted -- the court quoted with approval from an earlier concurrence by jus sis sotomayor in which she

defined gps monitoring kprae hending record that reflects a wealth of detail about her familial and sexual associations. and what's very interesting about this ruling on this reasoning is it didn't just apply to the smart phone, which we all know reveals a whole host of information about us, but it also applied to that flip phone which doesn't tell us that much more than the call log details, who you called, who called you and for how long the call lasted, which is about what's collected in the meta data collection. and so my point is that this strongly suggests that the court will be highly skeptical of the claim that the third party doctrine can be applied in this new context, that it means that when the government collects the meta telephoning data and other meta data that there is no

fourth amendment violation. i'm not saying that meta data would therefore be impermissible. what i think is we'll see a shift. whether or not the foreign intelligence section applies and new pressure on what's known as the special needs doctrine which justifies a range of searches that require less than reasonable suspicion, sometimes suspicionless search based on compelling government needs separate from law enforcement needs. and then we have agreed to speak very shortly so i won't get into the details but i hope we get a chance to talk about the ways in which i think data challenges the very foundation of what i call territoriality doctrine, the idea that the fourth amendment is circumscribed and only applies in certain places and as to certain people and that the way data moves about and the arbitrariness with which data moves about and the difficulty of effectively distinguishing between u.s.

person information and non-u.s. person information ought to cause us to at least re-examine some of the foundational principles on which some of our collection programs rely. i'll stop there. >> okay. thank you, chuck. >> i'm also going to focus a little bit on the third party doctrine rule because i agree that recent concurrences can from the supreme court as well as the decision of judge leon in the district of columbia district was challenging the old version of the nsa-meta data program has put into doubt whether the viability the third party doctrine or whether it will be limited. i want to talk just briefly about a few things. first, it's important that you understand that the fourth amendment decisions that have come out of the pfizer court have largely relied on the third party doctrine as rational for

why there's not a fourth amendment issue, but there are also a lot of statutory issues that are in play and most of the decisions focus on those. even if the third party doctrine survives, i think the debate will continue to be going forward on the more regulatory and statutory govern ens here which may be ultimately where the action is going to be. but as jennifer said, there's been some recent decisions. i thinkty first one that's worthy of talking about is the jones decision which occurred a few years ago that involved gps trackers. and the majority opinion really went off on -- one critic said they looked at 21st century problem and came up with a 19th century solution. that is, they sort of ignored the technology and just focussed on the fact that there was a trespass on the car in order to

put the gps system on and that was enough for justice scalia to find a fourth amendment problem returning to the way the law was in the 19th century. but there were two concurrences that were important. one was by sotomayor where she did by herself she did a frontal challenge to the continued viability and wisdom to the third party rule in an age where a lot of our data is in digital form is out with third parties. our financial data, our telecommunications data and a whole host of other information and she raised the issue whether it was time to reconsider this third party doctrine because people do have -- if you ask them, a sense of privacy interest in the information that they send out to third parties. so she really put a frontal challenge. the other concurrence was by justice solito who was joined by

kagan and briar where he didn't directly address the third party rule but did suggest, similar to what justice sotomayor mentioned that in a modern digital internet-focussed world maybe we need to step back and rethink this doctrine of the third party rule. i don't think that the riley case, which dealt with cell phones suggests much more than in that case it was a concession that there was a search and focus was more on what the scope of a search could be. so i don't know if you read much into that, but that case, too, rejected an argument, at least, that there was no search because all that was on that -- those phones was were the kind of data that you could get from a third party. the argument being, no, it's -- it's not a third party, it's the person's phone. the third party doctrine doesn't apply.

where is this headed? it's hard to tell. the third party rule is important to recognize is not a narrow fourth amendment doctrine. it has wide applicability across fourth amendment doctrine. and it's used -- been used as a line of separation between what is protected in the home and what is not protected. so, for example, bank records, financial records, not the contents of your letter but the surface of your letter, who you wrote to, have long traditionally been held for decades as not protected by the fourth amendment. and owen fists wrote a few years ago wrote an interesting article where he tried to give a defense of this doctrine. his point is this doctrine is more about consent than it is a doctrine about anything else. and we ought not treat it as a petition of privacy but more the concept is that when you take information and put it outside yourself to a third party, you

are -- we legitimately can draw the line and give you less fourth amendment protection. his other argument which is -- i think is interesting is that the third party rule has a vantage of not being a technologically driven rule, that is you ought to change it every time the technology changes, while -- because we have -- the various ways we communicate is ever changing, so his argument was that the rule actually is technology agnostic. it's an article that's well worth reading. so where are we headed? i think we are headed for -- there's clearly some discomfort from the supreme court by the third party rule. i think in its present form it likely will see some change. and i don't think it will be completesly rejected because it is too embedded too many other parts of the fourth amendment, but i do think it might actually be truncated. and my suggestion would be that

we -- the best way maybe to approach the third party rule is by focussing less on collection and more on use because one advantage of the digital world when everything is 1s and 0s is that it's sort of like quantityum mechanics. you don't know what's there until you actually look. and once you look, then the damage is done, privacy is done. and it may be the best approach, which is similar to what is actually being done on the regulatory and statutory side with the nsa programs is to put more control on when you can look at the data that is collected and instead put less emphasis on restrictions on the collection. so with that i'll enjoy the conversation. >> thank you.

bob? >> thank you. as jim noted he and i were law partners for a number of years. any congressional staffers in the audience, nothing many my behavior should be attributed to anything that i learned from jim. i do have some thoughts on the third party doctrine, but i thought i would save them for later discussion and step back a little bit and give a slightly broader frame work. i think -- i actually reject the idea that what we're talking about is a balance or a tradeoff between privacy and national security. i think that our goal should be how to achieve both. if you read the newspapers today, i think it's pretty easy to understand the importance of national security and from my perspective the importance of intelligence to protecting the nation and its citizens, not only in the area of terrorisms but in cybersecurity and simply the behave or of foreign nations. but we have to do this in a way that also preserves and protects fundamental privacy and civil

liberties interests. and we have to find ways to accomplish both and not to say, well, there's an inevitable zero between them. so i want to offer a couple of thoughts about surveillance and privacy and technology in general that can help frame this. it's important to understand the nature of the problem today. during the cold war, it was pretty easy to identify our targets and if you wanted to do surveillance, you did the equivalent of clipping a couple alligator clips and listen to them. they were generally flowing over telephone wires. today, with digital communications in the internet it's entirely different. the communications that we're interested in are mingled with communications we're not interested in and they're all traveling over the same wires broken down into individual electronic pacts. they're not physically separated the way they were a few years

ago. what this means is that no matter how much we try to directly target our activities at appropriate foreign intelligence targets, we're also going to collect and look at communications of uninvolved people not only because they may be talking to the foreign targets, but also because they're all traveling together on the same wires. we don't have any interest in this information. we have absolutely no interest in what mrs. jones or her foreign counterpart are cooking for dinner. but in collecting this we can't avoid collecting irrelevant information because of the way the communications flow. one of my colleagues at odni phrased this there's no such thing as immaculate collection. there's really theoretically two ways you can deal with this problem. the problem that we're incidentally invariably going to collect incidentally communications that we aren't interested in. one is to say the risks to

privacy from this collection are so great that we ought to bar certain kinds of collection all together. and the other is the approach that chuck just averted to which is to say we're going to permit the collection but we're going to impose stringent regulations on how you use the data to ensure that it's not used inappropriately. and it probably will not surprise anybody in this room given my current position that i favor the latter approach over the former. i think it's unwise in the current security environment to say that the power of government is so great and the risks of surveillance are so substantial that we should bar and prevent us from collecting this information, particularly since we know that our adversaries are not so restrained. we simply cannot designate portions of the global communications infrastructure as entirely off limits. i think that the preferable way to do it is to say, yes, you can collect this. but we are concerned about the possibility of misuse. and so we're going to have legal

policy and oversight regulation to ensure to the greatest extent possible that you don't misuse it. that is, in fact, the approach that we generally take now and by and large it's worked. all of the collection activities that the intelligence community undertakes are appropriately authorized by law and to the extent they are conducted under the foreign intelligence surveillance act they're approved by the court. they're all made known to the appropriate committees of congress. they're subject to strict and multi-layered and interagency oversight within the executive branch. we don't conduct surveillance of political, religious or activist figures solely because they disagree with public policies or criticize the government. we don't use our intelligence collection capabilities to repress citizens of any country for their beliefs. we don't target ordinary citizens, americans or otherwise, who aren't otherwise of foreign intelligence value. in fact, the information that has been leaked over the course of the last year as well as the

considerable additional information that the intelligence community has affirmatively released as part of our desire to be more transparent about what we do has born out the effectiveness of this essentially regulatory approach. in all the information that has come out, it's important to know that there has been no indication of any kind of systematic abuse or misuse of intelligence collection capabilities for improper purposes. there have been a few instances where individuals have gone into collection data bases and used them for personal purposes. those people have been caught and dealt with appropriately. there have been a variety of technical and other compliance problems with the programs. those are self-identified, self-reported and corrected. what there hasn't been is any indication that we are abusing these collection authorities to improperly invade people's privacies. and this leads to the third -- the last point i want to make which is about technology.

when people have talked about technology in the context of surveillance, they've tended to focus on one of two concepts. one is the extent to which technology enables surveillance. the incredible capabilities that the national security agency has. people often fail to mention that nsa only uses these cape nlts as authorized by law, that for example, to the extent they work on breaking inkripgs techniques they do it so they can read the communication of terrorists in foreign governments who are using inkripgs to try to avoid our surveillance. the second way people talk about technology in the way of surveillance, how individuals can use technology to avoid surveillance. but there's a third way in which i they we should think about technology in the concept of surveillance and it goes to my theme that we're not talking about trading off security and

privacy but achieving both. that is that the technology can help us conduct our intelligence activities in a way that, in fact, maximizes the protections for privacy and civil liberties. as i said, the intelligence community actually has no interest in the activities of ordinary private citizens. and so one of the things we do is we employee technological tools like access controls, aud itting and monitoring of data bases and so on to try to ensure that only authorized and trained people have access to signals and intelligence collection and only have that for authorized purpose and no information disseminated except when appropriate. we would actually welcome the technological genius of america in providing additional technological tools that we could use to more precisely focus our collection and to provide more robust privacy protections while still preserving the operational capabilities we need. in fact, the president has directed the national academy of

sciences to provide some guidance in this regard to look at whether there are ways we can use technology to more precisely focus collection. but ultimately i think we have to rely on strong controls on use and strong oversight as the best way to achieve both national security and privacy protections. >> thank you, bob. it's interesting as you listen to bob's remarks and i've, of course, come from a background that's very sympathetic in the sense that i served as the ranking member of the house homeland security committee and had the opportunity to receive numerous classified briefings from time to time and i know that it is interesting that we are at a time where we're talking about a subject where, in fact, there's no examples

that anyone can site where the government has abused the powers given it to under law. much of what we're talking about today is of the nature of what edward snowden did. he decided to violate the law and disclose classified information because he disagreed with the policy and at the heart of this i think there is that underlying distrust of government that even though we can give assurances as bob did here today that there are going to be systems in place to assure that privacy is protected when there's a strong underlying distrust of government people still don't think that's enough. and i would be interested in -- after listening to jennifer, if jennifer in any way kind of disagrees with the solution that bob proposed or whether you think there needs to be more protections just on a constitutional basis for a u.s. citizen against the type of

surveillance that is now conducted. >> so i largely agree with what bob said. i think the one place where i think it's worth -- and i largely agree with what -- what everyone said, but i do think it's -- that we shouldn't -- i guess what i want to focus on is the way in which the united states has distinguished between collection of u.s. persons and collection of non-u.s. persons. and as bob pointed out and as we've heard today, that the intermingling of data means that even if there's strict regulations on targeted collection of u.s. persons relatively strict regulations, the fact that there's much looser regulations on collection of non-u.s. persons means that because all that data is intermingled we are collecting a whole lot of what is called incidental collections of u.s. persons and that we ought to at least at the collection stage

acknowledge some of the fiction that the distinction between the rules on direct targeting of u.s. persons and targeting of non-u.s. persons creates and acknowledge that we are collecting a lot of information of u.s. persons through our rules on non-u.s. persons and think about whether or not these distinctions even make sense given the way that data operates. i think that there are two distinct moments that we need to be focussed on. one is the moment of collection and the other is obviously the moment of use. and i think they're both important and they're both relevant to the discussion. the concerns about abuse not just by the government but by private individuals who get access to this information like somebody like snowden who has the possibility of revealing a whole wealth about a person make people nervous and that's a legitimate concern and that we shouldn't discount the concerns

about collection. that doesn't necessarily mean we shouldn't collect, but we ought to have a frank and honest discussion about it as well. >> although i would -- the abuse by the single individual is probably as great in the private sector as it is at nsa in that google and lot of the other companies -- private individual that wants to do great damage can release. so i don't think we want to eliminate the great value we have from our collection efforts because of the fear of individual one-off cases will be abusive because it can be very abusive and be very damaging. this is true of the private sector as the public. the real challenge is i think as bob eluded to is the globalization of our telecommunication networks in such a way that it really -- it is true in collection that distinguishing between u.s./non-u.s. at the collection stage becomes difficult.

clearly in some cases you know what you're collecting. you're largely collecting from overseas. but in other areas given how the internet package that i may send to a friend in san francisco may end up going through 15 other countries and communications between vladimir putin and someone in the disputed areas of ukraine might also end up going through the united states. so it's that global nature of our telecommunications network that i think creates the problems. and i think the -- so i don't think at the collection stage imposing a fourth amendment standard of requiring warrants for collection really are workable or feasible and i think the really alternative is ensuring that you have a robust oversight at the use stage and

that could be a pfiza or more judicial review. i think that's really where the real value in protecting privacy can be. and i want -- one thing that bob did every year was get all the lawyers who dealt with intelligence issues together in a large room, secure, classified so we could talk about lot of these issues. and i started attending those in 2009. i can say that the thrust, the focus, the concern of -- this is well before eric snowden did anything was how we deal with privacy interest and u.s. values. so this is not an issue that's only caused concern in the intelligence community since edward snowden, but it occurred long before and it's been an obsession, i would say with

lawyers in the intelligence community. in fact, one lawyer here in town, stewart baker, actually thinks lawyers are ruining the effectiveness and have ruined the effectness of the u.s. intelligence agencies because we told our clients to be more careful than he thinks we ought to be. >> i guess one thing that comes to mind is when we talk about the judicial precedence in this area and when you go back to smith versus maryland and you're talking about the old standard, what's the reasonable expectation of privacy in the age of big data, what is the meaning of a reasonable expectation of privacy? i mean, after all, the average citizen doesn't really know what the government or the private sector is collecting. we can see that everyday with the kind of things that all of us share on the internet and so

whatever we think might be reasonable is probably based on misinformation or lack of understanding about the capabilities of both the government and the private sector with regard to the collection of data. so, i mean, is it an outdated standard for that reason as well? >> so this is my opportunity to weigh in on the topic that jen and chuck have already talked about. i think it's important to understand that there's a reason why the doctrine that jen and chuck were talking about is called the third party doctrine. and that is that the information that's being talked about is not being obtained from you. it's information that you've given to somebody else. and the analogy is that if i have a conversation with you, there's nothing to stop you from going and telling anybody about it. i've given that information. i've lost my expectation of privacy information in that information. so the first case that announced this doctrine was actually a

case involving bank records where a subpoena was served on a bank for somebody's financial records, which are, in fact, far more revealing than the telephone meta data here. the court said, no these are the bank business information you gave the bank this information. the same thing is true of the telephone meta data. that's the critical difference between the situation we're talking about respect to intelligence collection and the riley case. the riley case it was the defendant's phone. it was his phone on which he had his information. so the question is, to what extent can you get information from that person around under what circumstances can you get information from that person? the third party doctrine says once you've given the information to somebody else under what circumstances can you get the information from somebody else? now, having said that, i do think there is a strong sense that that doctrine can't necessarily be applied unqualifiedly in the current

technological environment. and i do think that -- i tend to agree with chuck that what we're likely to see is a recalibration of the doctrine. and i think particularly of the context where people are storing their entire life in the cloud. it may be that there is a difference that courts will draw a difference between the types of information that you're giving to a third party and if it's -- if the type of information is the type that you used to formerly keep locked up in a file cabinet at home only now you keep it locked up in a file cabinet at google, they will accord one level of protection to it. but if it's the sort of thing that we always provided to third parties, maybe they'll provide lesser protection to it. but i think that that's something that will be worked out in the future going forward. >> yeah. one approach could be that they distinguish between information that really is just being stored by the third party versus

information that is actually worked and needed for the business purposes of that third party. so, for example, with bank records, banks needs those records because they actually are performing a service so they truly are the records of the bank. similarly the meta data and a telephone call, it really is needed as business records by the telephone company for its purposes so therefore you can do a third party search for those business records. but the content of the phone call, which has never been subject to the third party doctrine is really not kept or stored or the business of the third party. even though you use a third party to provide that content. so using the example of putting your stuff in the cloud, amazon, which provides cloud services, really doesn't care or use or do anything with what you put in its cloud. and so that would continue to bo b protected. that kind of line between what's truly business records of a third party and what's really being stored by a third party

might be a line that can be drawn. >> one of the suggestions that have been made recently about the storage of all this meta data is that it's better off if we contract that out to the private sector rather than let the government. does that change really effect anything here in terms of the appropriateness of the collection and storage of the data? >> well, there are sort of two different private sector models. the model that is actually been endorsed by the president and subject of legislation moving through congress basically says the telephone companies will continue to keep the meta day ta as their own business records and statutory yally mechanisms from obtaining that information from the telephone companies. there was an alternative that was proposed -- it's important to understand that what this -- what the program -- the metta data program was was a program

under which the government collected metta data in bulk and then subsequently made inquiries of it based on the reasonable suspicion that a telephone number was associated with terrorism and what they're moving towards now is you'll simply make that query of the telephone numbers. the intermediate model that was suggested is that let's give the bulk me ta data to a third party that will hold it and have the government have the ability to send those queries to the third party. i don't think there was any substantial support for that both because it simply creates a whole new security problem because you know have all this meta data held by somebody else and it didn't really seem to provide substantial additional privacy protections. >> let's open it up now for questions from the audience who will have plenty of time to

allow each of you to ask anything you might want to ask on any of the subjects that we've discussed here. >> hi, my name is ki bhrks ba walden at dhs. i wanted to poke the bear is little bit and sort of challenge that line of use or restricting the use of data and where that line is drawn. just what would be your response to the challenge that you really can't -- individual really can't -- it's not really voluntary anymore for an individual to provide meta data to a telephone company or to provide bank records to a bank. it's difficult to sort of function without using a bank or without using a phone so that it no longer becomes the voluntary giving up of data rather its necessary. so what would your response be when you're drawing that line. >> i think one answer is that

that was true with pin records in the '50s. that was true of bank records even before then. so this is an argument that would have been used at the creation of the third party doctrine. i know there's no more -- if you want a bank, you have to give your records to a bank. that's always been the case. i do think that there is a challenge in that the reasonable expectation of privacy line of thinking is circular because what's reasonable really depends on what the law is. and what the rules are. and so i think there may be room so sort of rethink how we think about privacy. we've moved from a 19th century trespass model to this new reasonable expectation of privacy and it may be time -- and i'm not smart enough on the fly to think of what that new regime would be, but to think about other ways to think about privacy interests that don't rely on this circular reasonable expectation of privacy. but owen fists in his article points out if you reject the third party doctrine, in effect

what you're allowing people to do is expand the scope of their home. that is -- and they can use third parties as tools -- affirmative tools to avoid surveillance and that would be the problem of getting rid of the doctrine. >> so i think that to me the key difference is not necessarily the consent question but just the wealth of information that's provided. so, at the time that those rulings were issued, the court was looking at very discreet areas of the law. they were looking at bank records in a discreet area. they were looking at telephone calls made and there wasn't a sense of a society where we have now where basically everything we do is in some ways can be recorded by a third party. and so the wealth of information that's available that's potentially available through this third party doctrine is quite staggering. and that's where i think some of the language from the riley case is relevant is the supreme court recognizing the wealthof

information that's available through digitally stored information and that digitally stored information is generally also provided to a third party. even though the riley case wasn't specifically about a third party issue, that's why i think the riley case puts pressure on the third party doctrine and i think it will in my view of this is that it will and should force the court and others to start thinking about drawing lines so we simply don't say just because information is provided to a third party that therefore there's no search or seizure when it's subsequently obtained by the government. >> yes, sir. >> hi, my name is dennis pittman from george mason university. i was interested to hear the panel's thoughts on the use side as far as the adequacy of current safeguards and theette kasy of information sharing

between agencies after the data is collected. what are your thoughts on -- are they effective for promoting sharing and on the flip side, are there adequate safeguards to protect the information once it leaves the hands of the agency that collected the data? >> this is obviously one of the principle challenges at my office has to deal with, one of the main reasons the odni was set up was to facilitate information sharing among intelligence agencies. and basically with respect to signals intelligence information, you can share finished signals intelligence products within the intelligence community according to the rules that govern the dissemination of intelligence products. there's -- we're working essentially on a set of rules to allow sharing of broader -- before it's evaluating but to the extent that one agency

shares them with another, they're subject to the rules that govern that agency. so the protexts follow the data. as i've said earlier, there's really no indication that these rule s been ineffective. i think what the argument has been is people think the law shouldn't allow what the law does allow, not that we don't have effective controls to enforce the law as it currently exists. >> yes, sir. >> patrick from mga. so if the third party doctrine were to go away completely or be radically modified, would that mean then that say local police would now get warrants to get pen registers which presently i don't think they have to do because of the third party doctrine? >> well, i think -- i mean, any of us -- i think that there's a

whole range of possibilities of the third party doctrine were eliminated. there's a whole host of other doctrines that might step in and take its place. there's the special needs doctrine that basically says if the government is engaging in certain types of non-law enforcement types of collection, that different rules apply and you don't necessarily need a warrant, you don't necessarily need suspicion to engage in certain types of activities. so there's the possibility that the special needs doctrine would expand to cover some of the types of surveillance activities and other activities that are taking place. there's the possibility before an intelligence exception. there's a whole host of other doctrines that may step in and take its place, but that would require at least in the special needs context and in other context to have a specific articulation of what the government's purpose was balanced against some sort of evaluation of the privacy interests at stake that simply doesn't happen once you invoke the third party doctrine. >> to shift analogy a little bit to the jones case then if in a future case the court were to

find that there is some kind of privacy interest in one's public movements as opposed to the trespass argument that scalia used, i think, to try to kind of -- >> avoid the issue. >> look down the road and see the unavoided consequences, would that then mean physical surveillance by a person then the fbi and police wouldn't then have to get a warrant if let's say they did it for a month, would that mean they would have to get a warrant to do that as opposed to in the past that was deemed to be, hey, your public, you don't have privacy interest in that so they can surveil you all they want if they're physically looking at you. >> there's sort of an undercurrent in the sotomayor concurrences that suggests how easy technology has made surveillance what is most troubling. i think they would say doing the old fashion way of following them in a bunch of cars, if you're willing to devote those

resources we'll continue to say that's not a reasonable expectation of privacy. but there's an undercurrent that there's an unease with how technology may make surveillance easy and cheap. scalia solved the problem about the trespass. lot of cars have data. what if we collected the data from a car manufacture that was getting a feed about where that car was going? that would, i think, raise similar issues to what we have with the meta data. my guess is that there will be a change in the third party doctrine. it won't be overruled. i think pen registers will continue to be pen registers but i think there might be limits or recasting. largely because these are older doctrines and there's a lot of unattended consequences from simply repealing the doctrine all together. >> i would hope that whatever recalibration of the rule takes place we don't end up in the position where the line is drawn between surveillance that you

can do easily and surveillance that's expensive to do. >> right. i agree. >> yes. >> hi, i'm rita from national security council with the constitution project here in d.c. my question i'm happy to hear from other panel lists from oth panelists but for bob in particular. i was hoping you could respond with the government's view of judge bates' suggestion two weeks ago that the government would not be as candid or for forthright if there was a special advocate present, security cleared, of course, there to represent privacy and civil liberties interests. >> so i should take this opportunity to say that i'm not here speaking for the government. i'm speak speaking for bob litt. i do think that the president has indicated that he supports the idea of a special advocate and i think that comports with

the expectation that the fisa court processes will continue to work. whether they change in any respect as a result of this will remain to be seen but i think there's a view within the executive branch that a special advocate ameek cuss curae construct will not unduly impede the operation of the court. >> we lost charlie. >> do we have anyone else that has a question they'd like the panel to address? do we have someone? >> we have more time here because our other panel is running longer so if there's any questions, take their time. >> i actually have one on the

tip of my tongue. i had a question for the panel on your thoughts of the categorization of information particularly the classification and how that affects the debate between the ability to achieve both privacy and security. >> can you explain what you mean a little bit more? >> there's a quote that i was reminded of and i forget who actually said it, when you classify everything you protect nothing and so, you know, i'm very curious to see once the information is collected, how is that information categorized by a particular department or agency and how does that affect the argument between being able to achieve both privacy and security concerns? >> well, classification is sort of an independent concept from collection. there's an executive order that tells when you can classify

information and it basically depends upon the extent of the impact on national security. obviously the more highly classified information is, number one, the more it's protected and, number two, the more difficult it is to share it and make use of it so there are counter veiling considerations. the extent -- i think for a variety of reasons that i think -- i talked about this at a.u. this past spring, there are a number of reasons why there are incentives to classify rather than not classify. it's not in my experience -- it does not reflect any malevolence or desire to cover up problem, it's simply a series of bureaucratic incentives that push people to classify things. but i guess the protections for

privacy that exist are sort of different category from the protections for classified information. >> there is -- there is a lesson over the last year since the edwa edward snowden disclosure came out. there is a problem and a challenge, i should say between the transparency you need to describe what it is you're doing in ways that are going to make the american people feel good about what you're doing versus your concern about protecting how you do things if you're too transparent, the bad guys know how to hide their tracks. if you're not transparent, then the parade of horribles that can come up in people's minds about how you're acting can take over and can drive policy and that can affect collection so my sense and i was there for part of this time, my sense is that