relations committee holds confirmation hearing on three state department nominations, including harry harris to be ambassador to the republic of korea live coverage on c-span3. tomorrow night democrat and republican members of congress face off in the 57th annual congressional baseball game for charity. the game will be played at nationals park and live coverage begins at 7:00 p.m. eastern on c-span3. sunday on american artifacts on c-span3, tour the library of congress exhibit on world war i which showcases american ideas on artwork, posters, films and documents. >> the idea of contributing to the war through labor. the idea of growing your own food so as to conserve larger quantities for the war effort. this is actually by mab el

write, prominent illustrator in that day. again, another individual who kind of rises to the surface during world war i. you see here also food conservation, whole some nutrition food from corn. i know we make a lot of things out of corn but back then we didn't. but in world war ii we were rationed. during world war i hoover believed that as head of the food administration if you encourage people to act, they would do that. >> on american history tv on c-span3, sunday, 6:00 p.m. >> banking and financial executives testify before the senate banking committee examining the risk of financial attacks to the fn sinancial sere

sector. they include cyber security. and the role of state local and federal agencies. zbll the committee will come to order. today we will hear about cyber security in the financial sector. today's witnesses come from a wide range of organizations and can provide us with insight on the threats faced by the preparedness of the financial sector when it comes to cyber. four years ago this committee held a similar hearing where i noted recently aired "60 minutes" segment called 2014 the year of the data breach. given the data beaches most notably he can ka fax last year, i'm not sure 2014 still holds

that title. as our society increases its reliance on technology and becomes accustomed to immediate access to information and services from companies the risk of and potential damage caused by data breaches continually increases. americans are becoming more aware of the amount of information, including personally identifiable information or pii, that is stored by p cans. and there is a growing realization that this information can be stolen or misused. the collection of pi oorks by both the government and private companies is something that has trong troubled me. many question how both use the data collected and how such data is secured and protected. the collection and use of pii will be a major focus of the banking committee moving forward as there is broad based interest in this committee on examining it. today we will hear from our witnesses regarding cyber security and about the risks to financial services industries and it's preparedness.

we've heard from many regulators before there committee about their focus on and oversight of cyber security and how it is critical to the operations of companies and our markets. this is especially true for companies in the financial services space. financial sector itself is a main target for hack tears because as many have said that's where the money is. banks are under constant attack every day. because of this, they and other firms in the financial services industry have devoted substantial resources to protecting information systems. and the industry is widely viewed as one of the advanced sectors in protecting cyber security. today i hope to learn more about the risks to the financial service service industry from cyber ats antiques. thek being done to crease cyber readiness, combat cyber attacks and increase resiliency. and what more needs to be done by the private sector and government to help companies and

consumers to protect companies and consumers information. it is critical that personal dat data is protected, customers ability to access to credit and their assets is not harmed, and the financial sector is resilient enough to continue to function despite financial sector, a cyber breach at a financial sector company. i'll welcome our witnesses again. but welcome. and senator brown, you may proceed. >> thank you very much, mr. chairman. thank you for holding this hearing today. this committee last considered cyber preparedness financial institutions three and a half years ago. since year sophisticated targeted cyber attacks have become all too frequent exposing the personal information of millions of americans costing our economy hundreds of millions of dollars. cutting corners on cyber security risks real harm to real

people's lives. each data breach, each cyber heist that makes the news seems larger than the one before. and after a while we barely raise an eye brow. but think about a family who is trying to get a mortgage who finds their credit score has been wrecked, they don't have knowledge about t it's been wrecked through no fault of their own. it's clear these rigs cans to the financial system and these ricks are growing. today's hearing will give us a window into how the financial services sector works on cyber preparedne preparedness, promoting between entities. financial institutions must work dig gently not just to maintain standards but also improve protections for customer data whenever possible. as risks increase, as threats become more advanced, financial institutions and government agencies must facilitate and encourage information sharing. banks certainly have the resources to invest in

protecting customers. fcc says banks are doing better than ever, including the credit omhe tax bill. net income 27% compared to 2017. that's been consistent in most cases, double digit profit increase over most of the last eight years. even without the tax benefits, republicans in congress bestowed on the largest corporations and the wealthy bank profits would have been up 12.6% from a year ago. record profits for banks shouldn't just mean the top executives get bigger bonuses. and the largest shareholders benefit from stock dividends. banks should be investing in businesses, whether it's cyber security or a living wage for their employees tchlts i remember the average teller in this country makes $26,000 a year. rather than lobbying to be let off the hook rule after rule, nation's largest bank should

focus their time and effort in securing financial infrastructure against attacks and protecting sensitive consumer data. law enforcement also plays a critical role on assessing and warning about cyber threats and ability to share sensitive cyber threat information more quickly will help combat those threats. i know there has been good work done in this area. we need to build on it. we can't let up now. that's why i'm glad the five of you are here. secure the financial system is foundation of commerce hand economy. there is always the risk that cyber thieves will try to steal money and personal data. or a hostile country will disrupt our financial system. we can't risk under mining faith in that system. it would take one cyber attack to undermine our trust in financial institutions. once that happens it will take more than hearings, or policy changes to restore that trust. i look forward to hearing from all of you address these issues. thank you all for joining us. >> thank you, senator brown.

we'll now move to our witnesses and their testimony. we have with us five excellent witnesses today. and i'll briefly introduce mr. nelson, mr. daniel, and mr. venables and senator brown will introduce our two witnesses from ohio. >> thank you. >> mr. bill nelson is president and ceo of the financial services sharing and analysis center also known as fs isaac, did i get it right? and has held such a position since 2006. this is a nonprofit association dedicated to protecting the global industry from cyber attacks. members include organizations from banks, credit unions, security firms, and insurance companies. mr. michael daniel is the president and kooe at the cyber theta lie ance. formed in 2014 through informal agreement to share information between companies. prior to joining the cta mr.

daniels served from june 2012 to january 2017 as special assistant to president obama and cyber security coordinator on the national security council staff. mr. phil venables is the managing director and head of operational risk management an and analysis at goldman sachs. he's been there 18 years. his first 16 years sold as goldman chief information security officer or see sew. is that how they pronounce it? before moving into a wider role in risk division. he serves on the coordinating council for critical infrastructure protection and is cochair of the board of shelter harbor. senator brown. >> thank you. it's my pleasure to introduce two ohioans on this panel.

chief financial officer 25 years experience in technology, and banks, of which ohio has a number of them. while working in banking, mr. kessler has tackled a broad range of cyber security issues from building banking websites to designing security architecture. began his career department of defense after graduating from honors college at the ohio state university. welcome. and tom fraiser bank kiceo. welcome mr. kessler. bob sigh dough is a principal at earns and young. he has more than 30 years of experience working with fortune

500 companies. identify and threat management and cyber economics. i met with mr. seidel this week. i was impressed with his expertise in all things cyber security. and also impressed with his knowledge of all things cincinnati reds. and if you -- while i'm a cleveland indians fan at the other end of the state, i urge any of you baseball fans in this audience go at one time go to cincinnati game, since it's a baseball town. and i've been to opening day half dozen times. it's something if you love baseball you want to experience it. mr. seidel has promised any of you that will go, he will give you tickets and give you a tour and tell you all things cincinnati reds history. so thanks to the both of you for joining us. >> thank you senator brown, and i think i'll take you up on your suggestion. i'll not take the tickets, though. gentlemen, we appreciate you

being with us today and bringing your expertise to assist us with this issue. we will proceed in the order that you were introduced. i remind you we ask you to keep your oral remarks to five minutes. instrument a clock that will help you. this is one of those days we are jammed for time hence the reason we moved the time of the hearing are. both senator brown and i are bounds for time. so i want to remind the senators we want you to keep yourselves to your five minute limit if you can do so. we'll help you do so. and mr. nelson, you may proceed. >> sure. thank you. share chairman crapo and ranking members of the committee inviting me to speak today. i don't have one of the timers so cut me off. >> if you hear this sound that means the bell range. >> i'll discuss the topics you mentioned already. cyber risk to increase cyber readiness and what more needs to be done by the private sector and government to help protect companies and business and

consumers information. as you mentioned, in the intro, i've been ceo of this since 2006. and have seen major changes occur in the last 12 years. i this i the biggest change has been the growing sophistication of cyber attacks and threats. in response, they have made significant investment in cyber defenses and has come together as a community to back make teary sill enmake -- major resilience efforts. today it receives tremendous benefit from that relationship. improve detepgntion and threatso the risks. as a way of background, it is a nonprofit organization. we've been around since 1999. and formal mission is in the written testimony chlt if i can sum it up in a few words, it's really to protect the financial services sector.

inherent strength in sharing derived from three fundamental pillars, one the public private partner sheriff's, cross sharing, and most importantly number three, member to member sharing. we often think of this as a virtual neighborhood watch where financial institutions really keep an eye out for each other. one company reporting incident can help the entire sector respond and prevent the same attack from affecting their firm. driven by the direction of our membership, this performs a number of key critical functions. we share threat and vulnerability information. conduct coordinated exercises often with our government partners. we manage rapid response communications for both cyber and physical events. we produce education training programs. and we foster collaboration with other key sectors and with government agencies. we have grown rapidly in recent years. when i started we had 200 members. we have about 7,000 companies that belong with us today. these include like you mentioned earlier, commercial banks, credit unions, but also stock

exchanges, clearinghouses, brokerages, investment firms, insurance companies, payment processors, and financial services trade associations. headquartered in reston, virginia, and have expanded with members in 44 countries today and have staff over five continents. that's a long way when i started in 2006 when we had me and five out source people and that was it. so grown really in response to the threat. each day cyber risks evolve. we have invested significant amount of money. but they continue, these cyber threat actors to target the financial services sector. their motivation varies. it can be corporate espionage, stealing money, launchingist disrupting attacks like we saw in 2012 and 2013, 50 financial institutions and even destructive attacks.

as they grow in their sophistication targeting, the primary evidence of these attacks are the types of attacks that leveraged against financial institutions to steal money and disrupt. they include things like phishing, targeting emails, in account take over where they steal your money. also business email compromise which involves the compromise legitimate email counts to initiate unauthorized. ransom ware attacks, we all know about that. distributed attacks which can impede access to online services and data breaches which steal sensitive information. i think the sector rlly come together in a pro-active man or. as a result we've greatly expabded our products and services to our members. we have put large numbers smaller institutions and service providers. and we have done best practices.

we expand our exercise program that includes an annual cyber attack against caps exercise with thousands of participants last year. introduced new cyber range program that allows members to have hands on keyboards, gain experience to respond effectively to a real live cyber attack. and we have improved our cap tablt to respond 0 to major cyber and physical emergency, calls, last one we had over 3,000 members participate in. and expanded our in member training programs. in addition to these efforts, also created two new subsidiaries, one systemic risk. at the request of leaders in the industry, we established the shelter harbor in 2016 to enhance the industry resiliency capability in the event of major disaster event. >> five minutes.

>> in conclusion, i can provide more details in my written statement. but recommendations encouraging them to cyber requirements, and information share act, and u.s. pat react to more effective sharing programs. number three, establish cyber deterrence and response capability. encourage cyber norms. and fourth, support efforts to develop a technology capable workforce. thank you very much. thank you for the opportunity. >> thank you for your flexibility. and we do read your written testimony very carefully i want you to know that. mr. daniel. >> just about made you one of us. probably was a demotion. >> well, thank you very much. thank you, mr. chairman, ranking member, other distinguished members of the committee, thank you for the opportunity to come and speak with you this morning. what i think i can do is provide sort of a strategic overview of

the threat context in which this industry is it operating. and then talk a little bit about what we've done to tackle the problem and where we need to go going forward. when you look out at the landscape, because we live in a digital age, almost everything in our country is now heavily dependent upon the internet and cyber space. so therefore these threats affect all of us. but the threat is actually continuing to get worse. and it's getting worse in four ways. one is it's becoming broader as we create in internet of things, we keep hooking more and more stuff up to the internet. and not just laptops and desktops anymore, it's your watch, phone, car, light bulb bes, whole plethora of different devices. the threat is becoming more prevalent as more and more malicious actors, whether nation states or criminals, realize they can achieve their goals by operating through cyber space.

the threat is becoming more dangerous as those actors are willing to undertake more and more destructive activities. if we have been having this hearing back when bill first joined us, we would have talked about website defacement. none of us talk about that anymore because that's the least of our problems. and then, finally, the threat is becoming more disruptive. as i mentioned with our digital dependence, as it increases things that used to be merely irritating now pose organizational existential questions. i often say when i first started working for the federal government in 1995 f t, if the network went down we did something else, we worked on noninterneted computers or did other things. now when your computer goes home you pretty much send your work force home because you can't do anything. for the financial services industry in particular, they also face challenges in both criminal and nation state

enabled cyber theft. and those are a real problem for the industry. but it is also becoming clear dlet of disruption, those nation states that target the industry for the purpose of inflicting economic harm on the united states and the west is becoming a more prevalent threat as well. now one thing i want to hit on is actually there is a real question in here about exactly why cyber security is ita hard problem. because at the surface it shouldn't be. after all it's just computer and code. and so there is a question of why we simply can't create a technical fix to this problem. but the answer is because cyber security is not just a technical problem. while there are technical issues about it, it is also economics issue, a business operations issue, it's a human psychology issue, and it's a national security issue. and it's all of those things rolled into one.

cyber space also plays by different rules than the physical world. so a lot of our analogies for how to do things and how to actually go about securing things in the physical world don't work in an environment that is a known network that works at light speed where the concept of time and distance and approxima proximity have different borders than they do in the physical world. finally, this is a new environment. stretching it to the maximum cyber space is it barely older than me. and we haven't had time yet to develop the body of law and policy and practice that we need to operate effectively in cyber space. and we certainly made a lot of progress over the last 20 years, including particularly within the financial services industry. i certainly agree with the chaer characterization of the industry if not the most one, but the

sheltered harbor, the investments they have made is tremendous. but i do think there is more that we can do on both the industry side and on the government side. i think, in particular, on the government side there is a real need to look at how the government can focus on its comparative advantage, where it has capabilities of the private sector does not. and leverage of the private sector where the private sector has capabilities government does not have. the government can also focus on incentivizing. and we can take about that in the q&a. and lastly, how the large institutions can lep the smaller institutions ta don't have the same level of capability also make progress in cyber security is a very necessary step. so with that, i'll conclude my

opening remarks. thank you very much. >> thank you mr. daniels. mr. venables. >> thank you. other members of the committee, thank you for this opportunity to testify at this hearing today. as we all know this is increasingly important topic. a number of factors contributing to increased risk across the financial services sector and this is primary due to the digitalization of finance and globally inter kebted nature of the system. the same trends increasing benefits of the global financial system are bringing on new and enhanced risks. on threat we are seeing increased threats from around the world. and also worth remining ourselves we are not just facing cyber security risks. we are also seeing many risks in how technology is providing and risks from resiliency issues and software issues. so while cyber security is tremendously important, it's also to focus on technology risk

in general. it's critical to have shared defenses across the sector, so all institutions large and small can learn from each other's best practices and so threat information can be shared among firms reducing likelihood that attackers can enact their strategies with response. we have a long history of robust information sharing. and as bill describes, we have using the financial systemic analysis so-called and under department of treasury with vario vario various initiatives, and exercises that have spawned other itnitiatives to maintain immutable data to resist cyber attack. turning our attention to

regulation, we benefit from long regulations across the sector, that reduce the risk of major incidence. this clusz regular examinations and reviews. we continue to support the need for harmonization across regulation, domestically harmon and globally and commend the efforts to date from government regulators. notwithstanding the strong relationship between the public and private sector, we propose that we continue to focus on improvements here, particularly around metrics to make sure that we're able to quantify the value timeliness of the information flow between the public and private sector. despite all this coordination and response to cyber security threats, risks still remain, and we need to continue to be vigilant to adjust the defenses of individual firms in the sector as a whole by making sure we adopt innovative approaches to protect customer data as well as making sure we're protecting the services that we offer. the goal here is to reduce single points of failure and also single focal points of attack. finally, i would recommend all

organizations that operate critical public services or protect customer data to adopt strong defenses and security programs based on a number of different approaches. specifically integrate cyber security into the fabric of organizations from business risk management processes, strategy and product development, the foundation of how technology is built and operated. second, improving capabilities amongst people, processes and technology. there needs to be continued emphasis on the embedding of controls into critical products and services. we need secure products and not just security products. we need to recognize that cyber security risk mitigation is not solely the responsibility of cyber security officials but more importantly in domain leadership and management at all levels of security. we need more security-minded people, not just security people. finally, design for defensibility. our goals should be to design our technology, information processing environment to be more inherently defendable and

resilient in the face of attacks, and we need to keep examining our global supply chains to look for security issues and avoid excess concentration risk in services and geographies. thank you, mr. chairman, for allowing me to provide this input, and i look forward to taking questions as we look forward to the panel. >> thank you. mr. kesler. >> chairman crapo, ranking member brown and distinguished members of the committee, thank you for the opportunity to testify before you today. i will share the unique perspective of a front line practitioner on the product call pros and cons of cyber security regulation, information dark sharing and community bank collaboration. two key regulatory changes have positiontively improved the approach of community banks and managing cyber security risks. in the wake of the dodd/frank act reforms soupe vision of our affiliate banks migrated from the ots to the occ. in the last yearshe cer security assessment tool was developed. the c. a t. provides a standard way to

assess risks and provides guidelines for what controls might be appropriate. an exam is never a static check-the-box activity but always a dynamic conversation. my recommendation to this committee is to ensure the consistent availability of highly trained i.t. examiners whose skills are in high demand in both the public and private sectors. another consideration for this committee is to ensure that similar cyber security rigor exists among non-bank financial services companies. how do we safeguard customer data at companies who are outside the oversight of prudential regulators? community banks rely heavy on a network of third-party service providers. while we always maintain primary accountability for safeguarding customers' information, a significant portion of the risk lies with core processors, payment networks and large providers. this concentration of financial services into a few providers

creates both advantages and challenges. one challenge is that the current system relies on a high degree of blind trust in the service provider with limited transparency. we depend on our regulator to examine our service providers and identify patterns of compromise and ensure remediation. at the same time, law and regulation require us to monitor the effectiveness of our service providers' controls. this opaque approach runs contrary to best practices and vendor management. one solution might be to create a cyber security scorecard aggregating data for many sources including regulatory reviews. this scorecard will impact vendor selections and create positive momentum towards control improvements. it is most critical that we have timely access to information-sharing of active threats through public and private partnerships. the key for banks is that a comprehensive ecosystem of financial service providers shares threat information in realtime to an entity qualified to analyze, verify and then

communicate it back digitally to our bank where we can use it to adapt our controls. we need our third-party providers to share cyber threat information quickly with industry partners like fsi and the goal to be to respond in seconds or minutes, rather than days or weeks. timely sharing is important to combating a cyber security threat. we can't act on information we have. important questions remain if, how and when businesses can share threats. there's still a great reluctance to share information. liability, contract and privacy concerns are the most often cited reasons. while customer notification and privacy laws are clearly needed, simplification and modernization of the relevant laws and regulation should enable information-sharing. this is a good time to re-examine the effectiveness of cyber security law. certainly, any solution must guard against shifting the liability to consumers from those who fail to protect their

data. our mutual holding company is faced every day with the challenges required to implement an information security program. we deliver that same program to our affiliate banks in a manner that they otherwise could not afford, design or staff. in our three affiliations, we have preserved a local banking presence, improved security controls and done so at a minimal marginal cost. this has proven a game-changer for our affiliates. in summary, the best way to protect consumers is to increase transparency and information-sharing within the financial services cyb ecosyste. this committee cou help move this forward by encouraging the transparency of the performance of third-party service providers. you can also help by passing legislation which further encourages information-sharing so that active threats are identified and mitigated in minutes. thank you for the opportunity to testify before you today. i stand ready to work with you in any way that i can to protect consumers and our financial system, and i look forward to

answering your questions. >> thank you, mr. kesler. mr. seidel. >> thank you, chairman crapo and thank you ranking member brown for the kind introduction. the redskins need help. my name is bob seidel. i refer the committee to my written details on my remarks. cyber attacks are on the rise. no organization large or small, public or private is immune to the threat. our clients face three significant challenges. emerging interconnected technologies drive fundamental transformations and create plex third-party eco-systems. the volume, velocity and precision of attacks and the shortage of cyber security resources and skilled professionals. ey works with clients across all sectors, and many should be commended for their efforts. in my experience financial services, especially the largest banks are considered best in class. not only in terms of

organization and investment but also for leading the engagement with stakeholders across the ecosystem. large banks are accustomed to higher levels of regulatory scrutiny and the third-party management programs tend to be more mature and robust but challenges remain. today financial inns tuesdays deal with third, fourth and fifth-party risk. in addition to vendor risk, most institutions struggle to secure resources and talent. experienced cyber professional are in high demand. often small firms turn to third -- party providers to meet those needs. there is no one size fits all solution, so i will focus on three areas where e.y. believes risks can be mitigated. corporate governance and risk management. the aicpa cyber reporting framework and policy solutions. ultimately the board is responsible for governing a company's risk appetite and

providing credible challenge to management. by doing so, boards help protect investors and enhance the company's value and performance. banks use a three lines of defense risk management model. the large francis is are adopting this model for cyber. e.y. considers this a best practice. increasingly, regulators, investors and others want financial institutions to build cyber resiliency strategies into the three lines. another challenge is understanding and communicating about a cyber's program's efficacy. while implementation guidance have been developed, by no means have they eval slated or report or program effectiveness. this distinction is subtle and significant. in response, the american institute of cpas recently developed the cyber risk management evaluation and

reporting framework. this is voluntary and can provide stakeholders with reasonable assurance that the identification, mitigation and response controls are in place. no framework can guarantee against a breach, but the model can offer an independent, validated understanding of a company's systems, processes and controls. unfortunately, there is no single legislative regulatory or market solution that can guarantee against a cyber event. bad actors are not constrained by regulatory liability or jurisdictional issues let alone ethics. policy-makers and business communities should work together to foster collaboration and improve intelligence sharing. we need flexible and harmonized policy solutions that recognize the dynamic challenges of cyber

security and clarify conflicting directives. we need to balance the need for compliance with a need to manage cyber security and protect consumers. e.y. believes companies that engage in good faith efforts establish enterprise cyber risk management frameworks and adopt best practices should be recognized especially relative to liability and penalty measures. finally, e.y. encourages congress to support modernization of government's cyber posture to focus on developing solutions to address cyber workforce shortages and to educate the public and help the country as a whole improve its cyber hygiene. e.y.'s purpose is to build a better working world, and so i thank you for providing the firm an opportunity to share our views and expertise. i welcome your questions. >> thank you very much, mr. seidel. in the interest of time, i'm going to go last, if there is time before i have to leave, and

so we'll turn first to senator brown. >> thank you, mr. chairman. mr. kesler, do you think the current baseline for protection of consumer information is adequate, or would you like additional control over how your personal information is stored or used by financial institutions? >> well, i think -- i think we are all interested in knowing what is happening with our personal information. i'm personally assured when i'm able to receive realtime alerts of when that information is changed, when it's affected and changes to my credit reports. i think that there's obviously opportunities to continue to share more information with our consumers in that respect. >> and when there's a breach involving personally identifiable information, i assume you think it's important for financial institute to quickly notifytomers giving them thebility to protect themlv by freezing or monitoring their credit file? >> certainly. we like to take -- we like to take all the necessary actions to protect our customers in a

timely yes. so, yes, we find it very important to notify the customers as soon as practical after working with the necessary law enforcement officers. >> thank you. mr. seidel, many community bank i.t. services are provided through large third-party service providers. talk about the economies of stale when it comes to cyber security that community banks benefit from by using large service providers. >> well, it's a matter of resource, senator brown. the larger organizations can afford the staff and recruit and retain the kind of talent that you need in a cyber security department and the focus that they can provide. they have the resources to buy the technologies and install and implement those that a smaller organization would have, so if the smaller bank were to use those services, they have access to cyber security kind of resources that they wouldn't have if they tried to do that in an inhouse or on their own. >> okay. thank you.

president obama in 2009 established a position of white house cyber security coordinator to work a straight cyber security efforts across all government agencies. president trump recently eliminated that position. that's the position mr. daniel held in the obama administration. will that help or harm government's efforts to make the country and especially the financial system more resilient and stronger against cyber security threats? are you concerned about that is this. >> well, yes, i am, senator. i think the reason that position was created was because as a very new policy area that we need to drive better coordination across all the different parts of the federal government that have a role in cyber security, and so i believe that having a strong leadership at the white house level is a real necessity right now. >> do you know why he eliminated it? >> i do not. i presume that they were looking for ways to streamline the bureaucracy on the nsc staff. at least that was the statement

that was given, but i'm not sure of the reasoning behind it. >> okay. thank you. >> mr. seidel, you talked about workplace shortages in my office this week and then in your testimony. this is not really a question, but as evidenced by the look of this panel and frankly the look of most of us up here, as evidenced by the fact that the of the 30 largest banks in the country there is a female ceo only at key bank in cleveland. we don't really do a very good job in financial services and technology at bringing more diverse workforce. one of the reasons clearly we all face, that you, we face workforce shortages and attracting people as mr. seidel pointed out, so i hope that we all -- i hope we all pay more attention to s.t.e.m. programs for women and people of color. we will bring more qualified people in and give people more opportunities and frankly have more diverse perspectives in the way we all do our jobs. thank you, mr. chairman.

>> thank you. senator rounds. >> thank you, mr. chairman. mr. daniel, i would like to more or less just visit with you for a little while, and i would love input from the others as well. i have the opportunity to serve as the committee chairman on a subcommittee for the department of defense's cyber security agency. i'm just curious. along the same lines as senator brown has indicated, that there's just been a change in which we do not have anyone in the white house who is directly responsible for the cyber defense. i'm just curious. you've had the opportunity to work at the federal level and now you're part of a nonprofit organization that preps a number of different financial institutions. in february of last year, the department of defense's science advisory board put out a classified and unclassified version, not very long, 26, 27

pages, explaining the need for our country to have not only a strong -- the ability to attribute where a tttacks from outside the country were coming into the country but also that we would not have the capability to keep people out of our critical infrastructure if they wanted to get in. both organized crime organizations and near peer competitors nation states. along with that, it indicated that for the next ten years we would be at risk and that one of the best approaches we could do would be to make it very expensive for those organizations to get into our financial institutions, in fact y of our critical infrastructure, but it also made the point that we had to have a very strong offensive capability as a deterrent. similar to a nuclear deterrent today. i would like to know. right now at the financial institutions level, and you work

with a number of them, do you believe that we have a model in place today on a voluntary basis which i'm in favor of, but one in which we're at the same level across the difference institutioned that can then be protected almost in an umbrella-like position by homeland security capabilities, department of treasury capabilities, and then we'll talk about dod capabilities but just your thoughts on that and how they connect with the federal responsibilities. >> sure. so i think the -- i think you're very right that if you look at our level of digital dependence as i talked about and particularly in the financial services industry, clearly cyber threats are a major problem that this injury has to be dealing with. i think the -- when you look at the nature of the threats that they face, it's going to -- anybody that tells you they can give you what several of the panel members said, i guarantee

you won't have any cyber incidents at all they are selling you snake oil. what you can do, however, is manage that risk and drive that risk lower, and that requires cooperation between both the government and the private sector in some ways that we're not completely used to in the physical world, and i think it requires bring aust of the capabilities to bear, both from the private sector side and enabling good information-sharing and coordination and collaboration on the private sector side but also within the government, between, as you mentioned, the department of treasury, homeland security, defense, state, justice. and then between the government and -- >> let me -- we'rell going to be time-limited today. do you think the american public today think that -- with regard to their financial services, their assets, their checking accounts and so forth, do you think they believe the federal government has a role to play in protecting those assets? >> i think they do.

>> would it be fair to say that today homeland security has. ability to -- to try and notify you and that homeland security has the ability to try and assist in the defense, but with regard to going outside if the attribution indicates it's coming from the outside is it fair to say that homeland security does not have the ability to respond offensively to stop the attacks before they actually occur. >> well, i think that the ability to -- it's a shared responsibility on the defensive side, and that's why i say that you've got to do that good integration across all of the different parts of the federal government that do have both the network defense -- >> let me put it this way. if there had been an attack on an institution here and it was a -- and attacks like what we've had, a bombing and so forth, everyone would assume the federal government would have a role in protecting against that. is it fair when it comes to cyberer attacks that we have a challenge that we don't have the

policy in place to provide for that direct protection up front? >> well, i actually don't believe that it's possible for the federal government to provide the same kind of protection that it does in cyber space as it does in the physical world because of the way cyber space works and it will be a shared mission between the private sector and federal government to achieve the level of protection that we need. >> thank you. mr. chairman, my time is expired, but i think this is a very good meeting to start out that discussion. thank you, sir. >> thank you. senator reed. >> thank you very much. ? thank you for your testimony. let me ask the ranking member for his role. thank you. and this is an important issue. one reason i have legislation s-536, the cyber security disclosure act, bipartisan legislation with senator mccain, senator collins and senator warner, and it would essentially require disclosures by public

companies which is the usual tradition of public companies of whether they have a director who is a cyber expert or they have some other arrangement. we don't mandate what they do, but i think it's essential to have public companies tell their shareholders and the markets what they are doing at the highest level when it comes to this issue, cyber security, and you've described all the ramifications throughout your testimony. i would like to focus if i could for a moment with mr. daniel. that is chairman clayton was here a few weeks ago, mr. daniel, is and he said i think security security in this area where i said previously i do not think there is enough disclosure in terms of whether there's oversight at the board level that has a comprehension for cyber security issues. that is something that investors should know, where the companies have thought about the issue, whether it's a particular expertise of the boards or not. that's something companies should know. it's a very important part of operating with the company. any significant company has cyber risk issues, and my

question is do you agree with that sentiment? >> yes, i do. i think that the nature of cyber security right now is that we actually do need more disclosure. we have an information asymmetry, if you will, and it's hard for markets to operate efficiently when there's information asymmetry, so steps that the government can take to enable more, you know, investors, the public and others to have more information about how companies are tackling the cyber security problem i think is generally a good thing. >> and just a quick follow-up. you've noticed, i would guess, and i don't want to put words in your mouth, variable attention to these details. there's some companies that have very sophisticated individuals on the board or arrangements. there are other companies that are essentially free riders. is that true? >> well, i think that this is an area where companies are still learning how to address the issue, and some industries and companies have been way more

forward leaning than others, so i do think it is true that the capability across the board varies a lot. >> thank you. mr. seidel, again, thank you for your testimony. i was very struck with your comments. at ernst and young we believe boards must be educated about cyber security so they are able to make appropriate decisions and by doing so boards will not only be protecting shareholders, but they will be enhancing the company's value and interestingly enough, the vice chair of the fed, mr. qualls stated the idea of having a board member with cyber expertise when i've been on boards or had a board member with that kind of expertise has been extremely useful, not just a nice thing to have but extremely useful. again, basic theme. does this make sense to this this disclosure provision so that boards have some expertise? >> senator reed, thank you for your question. i've been in this role about five years, and i've gone to a

lot of board meetings, and i think there's been increasingly importance placed on cyber security in those discussed, and often there's a challenge between the translation and technical world and the business world at these meetings, and i think that is something that -- a gap that nodes to be closed. however, in my remarks i also said to you that there's a shortage of qualified cyber security professionals, especially the people that can make that translake, so as long as you have flexibility in that and allow the boards ways to get access to those kinds of individuals, i think that that makes sense. >> indeed, this legislation is not prescriptive. it is simply -- tell us what you're doing. the in fact, tell your shareholders and the market what you're doing which i think makes a great deal of sense. one of the reasons, among many, as a ranking member of the armed services committee, we had the general officer in charge of transcom, all of our transportation assets, and in a national crisis he would be

responsible to move people by aircraft, by sea, all of our military personnel, to get the mission done, and he just said, volunteered that he talked to cyber security offices and companies that have no dialogue with their directors, and i can assure you that if something happens probably the first strike will not be a kinetic strike against a military. it will be a cyber strike against this infrastructure of movement, logistics, et cetera, so this is another reason why i think we really do need some legislation like we're proposing. thank you all very much, gentlemen. >> senator heitkamp. >> thank you, ranking member brown and thanks for having the hearing. it's critical that we have the ongoing conversation. a couple of points to begin with. i think the american public has given up, and i think that there's a huge variance between understanding privacy and understanding cyber security. they are not the same thing, and, you know, so most americans

say, look, i don't -- i no longer believe that i have privacy. i don't know that you can regulate this. i don't know that you can control this, but they definitely want cyber security, and so one of the -- one of the things that i believe as a former law enforcement official is that, you know, you can have all the most sophisticated law enforcement equipment, surveillance equipment, but you've got to teach people to lock the door. you've do the to teach people to lock their cars. you've got to teach people to pay attention. maybe put surveillance equipment of their own, and so i talk about cyber hygiene and the role that cyber hygiene should play either with employees, not just, you know, at that level of the people sitting on the board but at every level being trained and understand the challenges but also with membership or clients or patients. what role do they play? what role do vendors play? we all harken back to what happened with target. the target breach was related to

a vendor and a back door, a worm that came in. so how do we build better resiliency, cyber resiliency within theommunity writ large, within all users so they understand there's simple things that they can do that will help protect the cyber system, protect our overall system while we're looking for that iron dome, let's put it that way, that iron dome that's going to make what we do inpenetrable which quite honestly i'm not sure you'll ever get an inpenetrable iron dome and the fault lines will always be at the lower level so someone, anyone on the panel who wants to take on the issue of cyber hygiene and what we should be doing here to encourage, it to educate, to move this issue of every user needs to be informed on how we protect ourselves on -- from a cyber attack as a country as a whole, kind of a

lock your door strategy. >> thank you, senator, for the questions. i'll go first and then others can chip in. i think you raise an extremely important point. i think in many respects we need to focus on basic cyber hygiene to make sure the easy attacks can't be successful so we can focus our energy on the most sophisticated attacks, and i think it's the responsibility of all companies, not only to make sure their employees and their own infrastructure is protected but also to educate those employees and to educate our customers. i think this is a partnership that we can do between government and the private sector to educate everybody around what best practices they can do to adopt the -- adopt the right controls for that kind of infrastructure. >> i really do believe as a former kind of customer protection, consumer protection advocate, that people want the tools. they want to understand how to do this. what -- what can we do to provide easier accessible tools

to lock the door? mr. nelson? >> yeah. thank you. just to give a plug for the multi-state isac, a state and local government isac and the october cyber security awareness month. they produce a cyber security newsletter and wait labeled so you can put it on your company's letterhead and give it to your employees. it's a great effort, been going on for a couple of years and we geared up for that month in october to educate the consumers. it's a government initiative, federal level and the state level. >> mr. daniel? >> thank you, senator. i also think that it's incumbent upon the industry, the cyber security industry to make that cyber hygiene and the cyber security that you talk about as simple as possible for consumers to do. you know, for example, right now our guidance out to consumers is to have a 16-charge password that's not any actual words in the english language that has all sorts of funky characters >> you know, for a spreadsheet full of media passwords they are

all going to be different, like, really? >> we fwheed to be much better at enabling people to have very simple ways to do cyber security. the analogy i use is we make it very simple for people to use seat belts. >> right. >> when you get in a car and we don't expect you to answer questions about whether or not you want the anti-lock brakes to work, and so i think we need to be trying to find the same similar kinds of solutions and approaches in cyber security. >> what grade would you give us right now in terms of how protected we are in a cyber hygiene world? >> well, i think we're certainly better off than we were say five or six years ago. we over made a lot of improvements but the bad guys keep improving as well so i think we still have a long way to go. >> just a couple more comments if that's okay. >> certainly educating all americans as you're suggesting is important but a monumental task. we try to approach it by educating our internal

employees, not only on how to properly handle customers' information but their own and then we attempt to engage with our customers when there is an event. for example, i think where you're going if somebody is willing to buy gift cards in order to pay the irs, there's a problem there, and how can we communicate to folks that this is not something that they should be doing. i would like the notion of a cyber education month, and one of my peers here suggested, including cyber security education in curriculums in higher education and in other parts of our academic and normal education which i think is a really good idea. thank you. >> senator cortez masta. >> thank you. this is such an important conversation and we've been having this on the various committees that i sit on. i appreciate the discussion today. let me just say about ten years ago i remember sitting with our nevada banking association and we were talking about how we

guard against identify theft. now ten years later we have a proliferation of cyber attacks and threats that we hadn't even contemplated at that time, but i was struck by mr. daniel, your comment to senator rounds was this cyber infrastructure is a little bit different in how we manage the enforcement and collectively address those issues, and it's not just government's role to comment. it's everybody's role now to play a part in addressing this cyber infrastructure and protecting against cyber threats, and i think that is important for everybody to understand. that's the first time i've heard somebody say that, and it is. it's important because it goes back to this issue that we've been talking about. everyone has a role in education, right? to me the education the first step in prevention, but everybody has that role in education. everybody has had a role in the coordination and the information-sharing. when i say everyone from the private sector and government and the consumer. everyone has had a role in businesses as well and workforce

shortage that we've had that i've heard here as well that we can all play in this discussion. can i -- let me follow up on a couple of comments that were made. one of them, mr. kesler, you talked about the need to pass legislation that encourages information-sharing. can you go into a little bit more about that and what you're talking about -- who is sharing the information? what type of information are you referring to? >> thank you very much. as a community bank and a smaller institution, we would benefit from a lot of what mr. daniels has already talked about in terms of the sharing of indicators of threat throughout the industry, so as another bank identifies something, they would share it, and we would automatically protect against that. there are challenges today when i talk to my service providers and ask them are they par tissing with fsi sac and the answer is yes. are they sharing threats in realtime. i often get the answer no, and

the cited reasons are is that they have confidentiality agreements with us and have privacy requirements, all things that we all agree are absolutely valuable and essential but at the same time from my point of view are preventing us from receiving some of that threat intelligence that would help us further protect the customer's privacy. >> i would like to comment on that. >> i think up. great things about the fsi sac you can share no mousily on the portal so it would encourage your third-party processor to get in touch with me and we can work on that. you get the legal objections all the time by the time we get involved, oh, i think my name is going to be in the paper tomorrow any share. well, it doesn't happen. we have a pretty good controls around, you know, that information. it's not shared with attribution. in fact, every time there's an attack our members are sharing online realtime. the in fact, i was visiting charlotte in north carolina, you

can guess which one, there's a couple big ones there, and i was meetg with him and h had to leave to go into a special meeting for an attack that was occurring. i whip out my blackberry or at that time i guess it was my iphone, looked at it, and there was the alert already. i didn't say where it was coming from. but i knew it was coming from him and it was happening that fast while they were actually in a war room handling the attack so it can occur. it's just getting the right people, and lawyering up is not the answer. the answer is talk to us, let's get involved in it. it's a pretty good voluntary system. we gets lots of member-sharing information and we have other third-party processors that are sharing. >> thank you. so i would be interested in knowing at the federal level if there's legislation that actually needs to be introduced or if it's more of just communication and working together. now, let me -- i know my time is running out, but we're talking a lot of acronyms here. fsi sac. can you explain a little bit more what that is and recognize

i come from nevada. i'm not so sure that we have that type of coordination. i know it's on the coasts, but i'm not sure it's happening in every single state or there's that collaboration. >> it's happening in every state. it's happening in 44 countries. we have 7,000 companies that are members now. interests wag in 2014 senator crapo mentioned that was the year of the data breach. that was also year that the ffic, which is the regulatory agencies, the banking regulatory agencies like the fdic and occ and even the national administration and others put out a policy statement saying you should share information if you're one of our regulated entities and you need to believe to fsi sac. >> which stands. >> financial services information services and sharing center. we referred to that as the information tsunami.

we had 2,200 companies and it's been growing. we had 200 members in 2006 and it's just been a hockey stick growth the last few years. >> thank you. i know my time has run out. thank you very much. >> senat jones. thank you, mr. chairman, and thank you to all the witnesses for being here. i agree that all of a sudden this -- everything that i'm seeing up here there is some element of cyber security. it doesn't matter what committee i'm on. it touches everything, and i think you guys touched on this before i got here, and that is the cyber workforce and trying to keep pace with the demand. you know in, alabama we've got auburn university which has an incredible facility. their cyber research center, the universities of alabama huntsville has one and we're doing our share down there. if you could, just expand a little bit on chal thanks are being faced because so much industries are now competing for this workforce and that's only going to grow, it's only going

to grow so what can we do? what can the industry do? are there any challenges, and is there anything that we can look at in the senate and the congress to try to help with increasing the workforce for cyber security? and i'll just let you guys fight it out who wants to answer. >> all right. i -- i can go first, senator. i think it's a really interesting question because i think while the backdrop we have to encourage s.t.e.m. education at all levels to feed a solid technology and engineering workforce for the nation. i think we also have to not just focus on having trained and dedicated cyber security professionals but thinking across all sectors from whether it's business risk management through to engineering, through to product design and making sure and encouraging in some way that every part that have, whether it's vocational training, academic traing and professionalualificaons have an element o thinking about cyber security, privacy and

other aspects of technology risk and ethics about how we use technology so while it's very important important to focus on creating more cyber security professional we all worry about making both part of our workforce, both private and public, is equipped with the scales to think about how to manage the risk as a core part of their job. >> that's good. >> the other thing we can do is expand the pool. right now females represent 9% of the cyber workforce and we have the same issue across technology. we need to continue to encourage young ladies to join the profession. i know at e.y. we do several things, girls that code, other things that encourage organizations that get women into the workforce. that would be helpful to expand the base. >> right. we've done a pretty good job that have in the political world because they are all running for office this year, by agree with you. that's incredibly important.

bishop state, i was down there visiting a junior college recently, and apple has a coding program that they are working on with the students down there, and i would assume that cyber security is always going to be a part of that as well, so thank you. i don't know if anybody else has anything on that, but if not, i've got one more. >> the only thing i would add, senator, is that i also think that we need to diversify our thinking about what we mean about the cyber workforce. just as in healthcare not everybody is trained up to the same level as a neurosurgeon specialist. we need to diversify our thinking about the levels of training and who does what in the workforce so that we, again, can also continue to expand that pool. >> perfect. thank you for those. those are great answers. thank you. i want to kind of follow up real briefly on something that i think senator reed kind of touched on as well, and that is the assessment of the risk because i understand his bill

and to try to get more information into investors in the marketplace about cyber security companies. but i'm wondering if any of you think that something about cyber security threats ought to be included in the risk. when a which is or in particular, for instance, a municipality is raided, you know. bondholders often would look as a municipality, for instance, as whether or not that would be safe as a result of cyber security. is there any way we should rate using cyber security as well? >> i think there's a number of existing disclosures that occur, particularly for public companies as part of their regular files and risk disclosures, and certainly all of the requirements to disclose if major events, particularly material events occur, and i think there's a lot of work in the industry where there's more and more public ratings of the

outward appearance of security at various companies and certainly i think a lot of the big audit firms as -- as the gentleman from ernst & young mentioned working on us through various standards of the iica and to assess and independently assess the level of security risk at certain companies. i think it would be interesting to further explore how that could be married with other types of public disclosures so you get a full picture of the risk of organizations. i think there's something there's a lot of activity on and worth future consideration. >> great. thank you all very much. thank you, mr. chairman. thank you. >> yeah. thank you. senator brown has one. >> it's really a yes or no question for mr. kes lefrmt you talked about how important it is to notify your customers. did equifax share information about you with the breach in time to help your bank's customers? >> no. >> okay. okay. thanks. >> senator warner, just under

the wire. you've got five minutes or less. >> thank you, mr. chairman, for that gracious accommodation. >> we always appreciate you. >> and this hasn't been asked. mr. venable, we have a lot of legacy i.t. systems that are out there and, you know, how do we make sure as we do upgrades? my understanding is is the uk just went through a complete meltdown when they tried to -- when one of the banks tried to do an upgrade of their system. how are we thinking through this issue of -- as we think about 21st century cyber security when we've got the legacy itc systems in place? >> thank you, senator. it's a fascinating question because one of the things in my

testimony i was keen to point out is cyber security is tremendously important but it's not the only risk that society faces. we have multiple risks, not least including how we maintain and update legacy systems to make sure that those are equally protected with all the new systems that we're building. one of the things that's interesting, i think particularly most financial institutions and many other large call corporations have exacting standards for change management, software quality assurance, standards for how they apply preventive maintenance to systems to reduce exactly that type of major product and major i.t. migration ring. the other thing i think it's worth pointing out as well while there's a tremendous amount of focus from financial regular regulators on cyber security, there's an incredible amount on change management and software acquisition and testing assurance and major project risk management. in fact, there's a whole shelf of ffic handbooks and quite a

number are about project risk and major itc project risk and something that i think all major experiences quite a lot of scrutiny over, not just cybererr but the project i.t. standards. >> don't a lot of systems, legacy systems, frank lit original soft wear vendor may not even -- may not continue to offer those systems, haven't continued to upgrade them show there are -- >> i think part of the challenge is not contained to the financial sector but across the world at large is make sure you stay up to date within a reasonable window so that the older windows may not be supported by vendors, you're not exposed to risks from those, so i think just like any other type of apparatus you have to invest in preventive maintenance and upgrades to keep yourself within some window to manage that technology risk. >> but as anyone can address on that. but my concern is because the

interconnectivity of all the systems, aren't you only as strong as your weakest link, if an institution doesn't keep up, doesn't that make the whole system vulnerable? >> not necessarily an individual institution but certainly what we look at through the organi s organizations. >> we're looking for the systemwide risks that could affect everybody that maybe contributed by one or more elements of that, and so we're definitely focused on systemic risk. >> and i think this is probably outside the scope of the whole hearing, but to me when we don't have a single data breach notification requirement, when we have an equifax making as gross an error as they did and no obligation to report or even what yahoo has hundreds of millions outside the financial

system and that's not even reportable on an s.e.c. filing and they don't think it was material enough, i don't see how these massive failures shouldn't fall into at least the level of a material disclosure in terms of s.e.c. files, so how -- and i think i'm down to 47 seconds. last question. maybe i'll leave it at that and come back to you individually because i would have liked to get the more macro approach of how we'll get from this. i just came from another intel brief, classified brief. this problem is going to only exponentially grow, and i'm not sure one of the things i think particularly as we think about both the hardware and software side and think about financial institutions that might be starting to purchase equipment. the vulnerabilities we may be building into our system because we, and this is more the jerns

community's responsibility are not fully information the financial sector and other sectors of some of what we now call classified problems that we've got to get out is only going to get much, much worse so my apologies for getting here late to the ranking member and my hope is i'll have a chance to pursue the conversations with you individually. >> i would like to comment. we're an information-sharing body and we have people embedded at the top level at the national cyber security center at dhs and we are seeing that and when it's relevant action for our community we're sharing it. fsr, you're a subsidiary of that, they are doing at a level to see if it's more systemic. we have some of that in place and i think we can do more. >> my concern is virtually every mid-sized larger financial institution around should have somebody who has a classified status and clearances because --

and this is where i'm trying to push on the intel side. the intel side has not been as forthcoming. >> we could use more help on getting people classified quicker. >> there's 740,000-person backlog is insane. >> that's insane. >> and that's a national security risk. >> i agree. >> we would certainly support a much better clearance process to achieve that goal. >> right. >> thank, senator warner. >> all of us, every senator can submit questions to you, and the questions -- the questions are due this thursday, may 31st, and if each of you as senators do submit questions in writing please respond to them as quickly as you can. this concludes the hearing. thank you for being here today. the hearing is adjourned.

thursday the senate foreign relations committee holds a confirmation hearing on three state department nominations, including harry harris to be ambassador to the republic of korea. live coverage starts at 10:00 a.m. eastern on c-span3.

tomorrow night, democratic and republican members of congress face off in the 57th annual congressional baseball game for charity. the game will be played at nationals park and live coverage begins at 7:00 p.m. eastern on c-span3. sunday on "american artifacts" on c-span3, tour the library of congress exhibit on the centennial of world war i which showcases american ideas about the war through artwork, posters, photographs, films and documents. >> the idea of contributing the war through labor, the idea of growing your own food so as to conserve larger quantities for the war effort. this is actually by may be wright who is frank lloyd wright's sister, a prominent illustrator in that day. again, another individual kind of rises to the surface during world war i. you see here also food

conservation, wholesome nutritious food from corn. i know we make everything out of corn today, but back then we didn't, so this is kind of new. again, one thing that's worth noting, too, in world war ii we were rationed. the government will actually step in and rationed food. during world war i hoover believed if you encouraged people to act correctly they would ration food themselves. you didn't need to impose it on them. they would pledge that. >> watch "american artifacts" sunday at 6:00 p.m. eastern on "american history tv on c-span3. now, a discussion on the changes in counterterrorism strategies from the obama to the trump administrations hosted by new america. this is 90 minutes. >> good afternoon, everyone. welcome, welcome. nice to see you today on this hopefully non-rainy sunny day.

i'm a senior south asia fellow here at new america. i've been a fellow for, let's see, since 2011, sings i left the government. when i started here right before that i was nse director for afghanistan and pakistan so worked quite a bit on some of these issues we're going to talk about, specifically on the case of pakistan, and now i'm also a senior adviser at johns hopkins. it's also a great opportunity to have this conversation today with my colleagues, some of whom were previously in government, and i can assure you we all look much more rested and youthful now than we did when we were in at the white house. steven who just finished a book, looks great for having written, trem dogs, and you brought the book, right? >> right. >> there's the book.

accessories sold separately. >> please buy the book. we have a begin itsation of the academic and practitioner's perspective and we look forward to the questions. the question we want to look at today, you know, how have the counterterrorism strikes of the u.s. government changed under the trump administration, so the -- the discussion is going to be a combination of what was the policy and framework as defined by the obama administration? what are the lessons we learned from that, hand hopefully we can take that and then have a conversation about what is the trump administration actually doing? how do you define what they are doing because a lot of these topics are very quiet and classified, and then hopefully that will lead us into a conversation about the future and looking at the threat of terrorism and what kind of posture and policies need to be in place for the u.s. to feel like it's protecting its people and the international community from terrorist threats, okay? so let me just briefly introduce

our guests today who will discuss these critil questions. josh geltzer who is a fellow at war america and executive director of georgetown institute law center institute for advocacy and protection and scenior director for counterterrorism at the national security council in the obama administration. also welcome to luke hartig who is a fellow with new america's international security program and a former senior director for counterterrorism at the national security council, also under the obama administration. and my friend stephen tinkel, assistant professor at american university school of international service and adjunct senior fell for center for new american security and the author of "with us and against us, how america's partner help and hinder the war on terror." and i haven't read the book because it's so new and i looked at the table of contents and it covers the theoretical and

conceptual and each chapter is devoted to kind of one of the -- the hot -- the several hot spots of counterterrorism that the u.s. has been focusing on over the past decade plus, and so it's a great kind of tour du force of where we've been so i definitely recommend reading it, and i look forward to that myself. you can, if you're online and you're inclined to kind of tweet or post about this, you did use the #ctundertrump and then follow at new america isp, and just quickly on the format. we'll do a couple of rounds of questions. we're going to keep this very informal. these guys are all friends. they have written articles together. they have worked together, so i think the best use of our time is to have it be as informal as possible, and after a few rounds of questions we'll open it up r your q&a, so se those good questionsor -- towards the end. >> okay. we're going to start with stephen, first, congratulations on the book.

>> thank you. >> in you outline problems with the current u.s. approach. some long-standing and then some that are unique to trump, and in other writings you've acknowledged that there's been a change in how the trump administration is pursuing terrorism or countering terrorism, but it's not really clear what their strategy is. >> yes. >> we see tactics in the news, but we're not actually sure why they are doing them, and they haven't explained themselves. so i thought it would be good to start with you to kind of give us a scene-setter of some of these topics of use of force, direct action, how they have evolved and how they have involved kind of our partners -- how they have shaped our partnerships and what you see happening today. >> absolutely. well, thank you very much, and thank you to new america for hosting this. it's a great pleasure and honor for me to be up here with three friends, you know, who i've worked with in one capacity or another, and i should also note that, you know, while i -- i wrote the book from an academic

perspective it was enveloped by my brief time that i spent working at dod as well. hi gone in thinking i was going to write a book that looked more at the threat side of the picture, and when i was working a lot on afghanistan, pakistan issues, at policy, i was real struck by the ways in which our -- our partner nations can be absolutely critical what we're trying to accomplish but also incredibly frustrating which i think is an understatement when using, you know, you know, countries like pakistan, for example, and so that was really formative for me to come out and rethink the book that i was writing diving in on your question of how we've seen direct action involve and how it looks under trump and partnerships, when we're talking about direct action so everybody is on the same page. we are talking about counterterrorism strikes and counterterrorism raids and air strikes, drone strikes, outside of areas of active hostility so

we're not -- i'm -- just to put it on the same page we won't be talking about what's happening in places like iraq or afghanistan where, you know, the united states has had larger military presence. talking more about countries

in uabs, an area of vehicles and the creation of a independent where she wiintelligence networ pakistan. independent of pakistani bell jensen. helps enavailable able that even if it's not the cause for it. obama comes into office and inherits those capabilities. and it's under obama that we see i would say a radical expansion of the use of direct action. especially in the form of drone strikes and in pakistan where the majority of them occur. i think it's important to put that escalation in context. when o pam comes in, he makes working by with and through partner nations a corner stone of his counterterrorism strategy. and there's more emphasis and

money behind building partnership capacity and also trying to develop government and rule of law and things like that. and the intention is to get partners to share the costs and risks of u.s. count counterterrorism, but it's also beyond burden sharing to try to make counterterrorism more sustainable on the ground. which is to say that military gains can be ephemeral by getting partners to buy in, you give host nations more legitimacy and you help build pat ernst and give them what they need to solidify those gains over the longer term. so this isn't just b about burden sharing. yet at the same time, while obama is trying to do more to work by, with and through partners, he's preparred to work around them when necessary and pakistan as well as you in particular will know but josh and luke in particular are imminently familiar.

an example of a partner where they are not willing or able to execute counterterrorism operations on the ground against terrorists that threaten united states directly. so drone strikes enable working around pakistan. they're also used in yemen where you have a problematic government. can get into more of that during the q and ark. while drone strikes enable, they yraise questions about use of lethal force outside of areas. 2013, the united states puts in place a framework to govern that use of force. i think luke you're going to dig more into the guts of that. i'll highlight quickly a couple of points before moving to trump then finishing up, one is that

the country where you're using direction action needs to consent or be unwilling or unable to address the threat themselves. pakistan certainly qualifies. not only unwilling or unable, but also the to give consent from drone strikes. there needs to be a continuing imminent threat to the united states of the individuals who are being targeted in those strikes. so that's the framework that is put in place by the time obama is leaving office however, the threat has evolved. on the scene and you haven't had the civil war's coming to fruition and uprisings at the time and there's an expansion of the way in which direct action is being used by the end of obama's turn. not just to work around

difficult partners, but to support them on the ground. so for example, libya is decl e declared an area of hostilities. this is the world tump inherits. reportedly as in 2017, the ppg has been replaced with procedures and new framework. it's not as transformtive as it could have been. i think my colleagues is are going to talk about that. so again, i'll just highlight two quick things. one is that it removes the continuing threat standard to u.s. persons. so previously, united states couldn't kill a kocourier if th didn't pose a threat. now it can. second, deinvolves authority downward. so rates don't go to vetting. what's the impact on our

partnerships of these challenges? first, there are some potential benefits. there are technical advantages to removing the imminent threat standard. both from a straightforward u.s. perspective but also in that the united states can also support partner forces on the ground. if you're asking your partnering to go and fight these fights and carry the lion's share of the load, being able to support them as benefits. streamlining the process allows us to be more streamlined of the process. the first is although drone strikes enable, partners were to support them, they also create, to consent or you need a partner unwilli unwilling.

much graelter detail. you really don't want to do a drug strike in somebody's territory. you're dependent on nations f for -- you need lodgist cal support, you're dependent on other countries to help support drone strikes as well. the danger of reloying more on them right or of lowering the threshold for using direction answer, one of the dangers is requirements for zroen triks. second, by removing the continue ing threat standard, there's the risk some some of those other

states, the global campaign, and then of course there's the risk of blowback. that's something that's been long standing. we're lowering the standards for drone strikes where we can support our partners more. i would argue raises potential that either hurts the united states directly r or harms. then finally, i would say the biggest problem is that none of this is happening in a vacuum. trump's strategy, to agree that we can decipher it because we haven't seen anything accomplished now. talk about this a lot. he personally appears to lean overwhelmingly on military centric tools. this is happening while diplomats are are being hobbled,

while development experts are being shutout. that sends a message to partner nations that the sbiunited stat cares first and foremost about the military instrument, about killing terrorist, not about other aspects of counterterrorism. it raises you know, potential risks that any military gains will be ephemeral because they won't be sustainable. i will close with this, which is to say ta direction action is an important part of any counterterrorism strategy for the united states, but it's not the only tool in the toolkit. when used on its own or divorced from a political strategy, that is not a recipe for success. we've seen that in past in the early years of the bush administration when they were overly reliant on military l tools. we run this risk again. so could some of these changes trump is put ng place have operational benefits, yes, they could, but only if married to a broader political strategy and we haven't seen that as of yet.

i'll stop there. >> thanks. you did a, you ditd a really go did a really good job of looking at the outcomes of the policy and framework and practice. i'd like luke to take us back to those conversations inside the government on what was the flos ty poll sni one is the intended purpose and two is the actual stated policy as it's defined then tle three is the implementation of it. right? so quite complex and a messy process that inside and when once it's kind of, once it quis exists, sometimes, you feel cao you don't have control over it. that's why i feel it's good to go back to the intended purpose of this. so you spent a lot of time at the nfc working in yemen then in the ct office. so i was hoping you could share

some of that with us. >> before i jump into that, i want to commend to the audience, stevens book. i think it's an exceptional read. it is written with the rigor, the prose, penmanship is that of writer. i was also impressed how much he wanted to underand the reality of policymaking. which i feel like is something that's hard to fipd in am demic books. that's very useful. back to the three part framework which is really useful in thinking about drone policy at least as was practiced in the obama administration as best we can discern is how we can put anytime the trump administration. i worked on development part of it at the pentagon. the actual drafting of it. somewhere between the pentagon and white house and the implementation at the white

house. just to orient my involvement in this. if you look back at what the obama administration was trying to accomplish, it's helpful to think of where the world of counterterrorism was at the time that the presidential policy guidance was developed and rolled out. president obama comes in. clear guidance we need to focus on the right war, as it were is both afghanistan as well as the broader fight against al-qaeda. it's not a good war on terrorism. it's a war against al-qaeda. it's affiliates and appearance. and he especially terrors that war with the capabilities from the military that have been b refined over the past seven years. mostly in the iraq theatre, but also in the afghanistan theatre. so we have highly developed special operations forces. highly developed ways of actually identifying and tracking terrorists then the emerging drone technology, which was developed quite bit at this point. it gives us a lot of capeabilit

to go after those and attack those who would give us harm. the theatres emerge accordingly. we're going all in op afghanistan. we've got the surge. then in other theatre, particularly places like yemen and somali, we're providing training and assistance to folks on the yond aground. the world ends up in many ways looking far more bipolar than i think it is today. so let me unpack that. i want to come back to that as i continue these remarks. you have on the one hand, kichbd an afghanistan or iraq like theatre. not to say it's full scale combat operations. we have u.s. forces engaged in the fight against the men my. when you're in that, a war like framework is really applied. you have to abide by the principles of precision and discrimination and the other principles that understood llie

conflict. when you have forces in contact, you're willing to lucien the reigns to make sure you have all of the use of force they need in order to accomplish the mission and be back enemies when they were under siege from the enemy. in a place like yemen like 2010 or 2011, with something approximating insurgency, that was very different from full scale combat operations and i think president obama realized that. we might use the tolls to go after them in that environment. the rules ought to be different.

so the rules that emerge from that, that are codified focus on some big principles. fif first of all, let's define the areas as something other than outside areas of active hostilities. say there's a different set of rules that go into place in that location or those types of locations. second of all, president says if we're in those locations, we're only going to take action against terrorists threats subject to a few specific conditions. the first of those is that the terrorist threat that we have identified poses a continuing imminent threat to u.s. person. it's not a direct thet reat to . interest, it's about u.s. people being in harm's way and by about the threat being imminent is is something that needs to be b disrupted. secondly, that action can only be taken if it can be assessed that capture is infeasible.

so we've look ed at our ability to capture. our partner nation's. other ways to minimize the threat and we've determined there's no other alternative. thirdly, that there is near certainty that civilians are not be harmed in the strike or the operation that takes place. which is a very high standard. what president obama felt was the highest standard he could set at that point and be able to go out to the tarks we need to go after. i think the final piece of it isn't something that's necessarily contained within the standards of the ppg, but that's a function of the entire document. i think it gets, which mile was talk talk iing about, the implementation piece is so important. therefore, the ppg prescribes a pretty intensetive process. for going over targets. we've made sure the targets use those certain imperatives and that we are aware, eyes wide aep and making good decisions around

the foreign policy implications, around the implications for intelligence collection. the full range of other equities that might be implicated by taking direction action. so that is the framework. what president obama puts forward in 2013 as kind of his best thinking on how to bound these operations and make sense of them. there are a few things that become a problem b. some of these steven alluded to, but i want to unpack them further because of the topic of the book. if you are going out and telling your partners that they are the answer. and a year after the speech, he goes to west point and says okay, the sfcenter piece is partnerships. if you say partnership, this is

exactly what we want to do. we want to invest in our partners then we tell them but if you're facing threat, we're not necessarily going to be willing to use protect you. you run into a conflict between what you say your strategy is and what your use of force policy allows e you to do. when we look at ways more effective like yemen and libya and small area, we find that often u what we need to do are exactly the kinds of tactics that our millennial tear got so good at. and that is that we are going to put more u.s. forces, more u.s. advisers out closer to the front lines.

to provide the intelligence support, a full range that allow a force to be effective. in some cases, that might lead to use of force. it might include the use of force because those partner forces come under attack and we might need to protect them. we need to help the partners by taking offensive action prior to the partners going in there. the framework doesn't really allow for that. well, part of libya are going to take against isis around carved oult. doesn't apply. so that works in so far as it allows the actions to be b more effective and to our state. to carve out some big -- is the

framework prominent. for six month, we don't know what to apply. we want them to be more forward leaning and to come back and e vail wait and develop a new framework. the framework that emerge, we don't know what this is because there have been no specieches about it. most mostly that have source sources on this. but miit is something that givea broader applicability. direction answer action and

supportive partners. the first reaction to to say we had a good framework. why did we throw it out? especially if you're upset at what the administration doing. this must not be the right framework. it's worth asking at this point, any proven policymaker to ask. does the framework match the world we find ourselves? both in term of the threat and what we want to do against the threat. i don't know that the answer on that has been fully answered in a satisfactory way. that's to say when i talked earlier about the bipolar world, a generally peaceful yemen with a stable government and full scale major combat operations in iraq and sk, what feels previously full scale combat operations in afghanistan has

turned into combat, what we're doing has always depended since 2014, air strikes in order to be effective. don't look like a stable yet somewh fragile place. they look more and more like iraq and afghanistan and syria than they did before. so i don't know that the old framework makes sense. but i think that's something this administration should be working on. >> thank you. well i'm going to have josh enter a question and topic you brought up. the policies we have worked to address that.

that you probably got some perspective there on the mind set of the team. how would you characterize what they're doing right now. even if it's not strategic an just tactical. i think it's worth explaining not just to the washington community, but to the american b public, given every once manyin while, you'll see a news story of something that happens in ninlger and and yemen. that you know, you have to work hard to put it together to give it your vantage point and walk us through how you see the, this war op terror. what kind of partnerships need to exist to give it those

challenges? >> i will abuse the opening moment or so to add my thanks to you for hosting this. and particularly treat to do this with two good friends. steven and i have been buddies since we were the lowest form of life, grand students, together. since then, i've very much admire d his work. a lot of people talk about pa partnerships and other foreign policy interests, to dig into what partnerships actually can like across the spectrum. steven has done a great service with the book and luke has been a very generous colleague and frie friend. now your questions or at least try. ipg the right place to start in talking about today's threat is still with ice is there's an

inclination to move on from that. in part because people want to talk about different things and because there's a generally good news story of that threat diminishing. i think it's a good place to start. the threat that it continues to pose, eradicate. if anything, we have what seems a slowing down in the progress to squeeze that -- to have the push on that my thoughts are are on the country versus

difference. i also think talking about -- piece of al-qaeda, has rebranded itself, renamed itself a number of time. i think it's easiest to think of it as a piece of al-qaeda that has set up a haven in a different piece of syria from where isis is now been cornered to some extent. they've been patient. played the woboth the local and regional as much or prioritized that as well as playing the global field but i think is perhaps a problem we will be talking about, a terrorist threat we will be b talking about in time to come. that's not to say other pieces of al-qaeda are gone because they're not. there's still yemen. shabaab in somalia and there's still al-qaeda's kind of

original senior leadership to the extent it remains in the afpac region. even some of the veterans of al-qaeda have shifted to northwest syria over time. i think you have those remnants, you asked quha we should worry about, the able toy reach into the united states and radicalize people here under whatever ideology a group wants to utilize. isis did this in way that app r appeared to be more compelling than they had done previously ch not just here in tus, but europe and elsewhere. it had this ability to make folks not on the battlefield with them, who might not ever go, somehow feel like they were part of the isis project and thus willing to kill and die.

that's a remarkable thing and i know these folks have thoughts on what to do about it. if anything, it's been revealed for others to try to it rate on and improve in the from their own vantage point. finally, i would think about what a terrorist group like isis that's losing key pieces of territory tries to do to maintain or regain momentum and that's what this idea of novel cyber operations. the type terrorism folks have worried about for a while that that haven't come to fruition yet. haven't to seen the working to bring down a power grid or disrupt hospital's operation, but you might because there's clearly some technological expertise that isis has had, probably continues to have and what they might turn to when they don't have the physical territory to plot and build networks and carry out the operations thaf been able to

carry out, i would begin to think about that. a word on the counterterrorism piece. i look forward to more of a discussion. you could tell different stories about the trump administration's to some of these issues. whether there's continuity there or not. you could tell a story of a strategy developed by the previous administration well underway by the time you got to january 20 oth last year and that continues. i think that's very much to the dret of the trump administration and to the foreign service officers and other personnel. all those folks who are implementing it. that has now retaken something close to 90, 95%. you see somewhat differing estimate of the territory the group once held that has squeezed the group, pressured the group. that soupds like a very good

thing. op the other hand, you zoom out and the pieces that go around it don't like as tidy. as much defined by continuity. you look at the diplomacy and it looks shakier. part of the reason that progress occurred and occurred as quickly as it did and i think both luke and steven reference this is because the u.s. had cape bable partners on the ground. in syria, it was largely a force le by the syrian kurds. fz they're the same folks one would continue to clear the pocket in the river valerie. i say this in large part thanks to eric's reporting on this. i see him sitting in the back thereful tough the kurds turning away from that. going back to defend against turry. some may be trickling back, but if you don't get a ground force, you don't clear out what

remained thousands of fighters and diplomacy may not be what folks first think about when they think b about counterterrorism, but it really matters. and those sorts of pieces don't seem to be exemplified by the same continuity you might see in the military operations in the cells. you don't see the holding together of the coalition as neatly in part because of the more erratic diplomacy from this white house and administration more broadly. so there's a story that looks less define as you zoom out from strictly military counterterrorism piece. one other day the point on the table for this. which is libya. towards the end of the obama administration, you see the campaign to clear isis from sur, where isis' level of control was similar to what it had in iraq. you can find these images online. you had isis flags being marched down in parades.

again using largely american air power and key partners on the ground. partners affiliated with the gna, the libyan government drawn from misrata. it looks at least to my mind, like almost a paradigm by with and through partners counterterrorism operation. where the u.s. adds its advantage and has good partners on the ground and plans for the day after, about what to do to make sure this doesn't need to be repeated in isis retaking the city and the u.s. having to show up again to drop bomb to clear the group. and to some extent, you see in this administration, some of the operations you would expect to see from any in the aftermath of that. strikes against the group as it attempts to regather in the desert. in fact, the first of those was on president obama's last full day in office.

we see these both when they're occurring and why and how they fit into a broader strategic approach into libya. you also see less of an interest in the day after show sur being rebuilt so it is more resilient as the group tries to retake it. again, you see in the broader diplomatic context, the lack of relationship building and diplomacy that could create for libya writ large a more sustainable arrangement where libyans can do the counterterrorism to the extent it need to be done going forward. i'll leave on that note which is to say in some ways, it's the level of generalalty which you want to talk about counterterrorism and how partnerships fit in and gives

you a different answer as to where we are. how similar it looks to where we were before and how effective things seem to be right now. just a couple of comments. we'll open it up. one thing i think we learned from the beginning of the obama administration to the end good counterterrorism policy is not just about counterterrorism. it's not an approach that's restricts to one government agency. that's something we learned by the end of it. froms that gets built upon and there's always some kichbd dismanhattaning of policy because that's what every government needs to distinguish itself. one would think and hope he would main thatain that approac

because without it, i don't think we get at the foundational issues of why terrorism is allows to persist in some of these countries. it's not just about the fact there are nonstate actors doing whatever they want. i wanted to say the u.s. isn't we've takenen at the extension of long-term objectives we want to focus on. that was my experience and ed education of working on pack. the it was the expedient approach was often the best one in time or if it was a security objective, the shorter approach was the one all sides waned to take.

only to learn you know, that few years later, we should have done something different. the key is we learned those leon sons and it would be prudent for the trump administration to take note of those. it's contant issue you struggle with in poll sicymakipolicymaki. so one thing realluded to, josh, is transparency. could you talk, all of you, but specificationly, could you talk about what are the exp peckations of transparency from the policy, or what should the public expect in terms of train sparnsy and reporting from the u.s. government? sometimes now i feel like a lot of these partners where hey don't really explain to their people what the u.s. is doing and we're just learn frg the headlines. what should we extect given this information is sensitive and it doesn't all need to be shared. then the second bigger question

is and we've talked about this before as well. are ceo wonts this fight indefinitely. what are the parameters for this new security environment we found ourselves in after 9/11 and how sustain bable is using thin thin things direct answer when there are bigger issues like cyber policy. that's a big question. would love your thoughts. i'll say a word each of those. on the tranz prarnsy point, i adwree with you and with the president. that one doesn't want to show the enemy what one is about to do. that's not what one would recommend about military or other forms of action, but there's a lot of space to say a lot more than this administration is saying about

counterterrorism that in my ebb appearance and the experience of many other, doesn't sacrifice sensitive intelligence, doesn't sacrifice the element of surprise. i think that's true in a strategic level. why are strikes up in yemen or somalia? it's hard to know whether one wants to criticize that, accept it or applaud it if they don't understand the streenlg context for it. what are the new generally types of actions being taken and what end. that's the high level discussion and even higher level than that, how does this administration think about counterterrorism. steef and i in a piece, they have not put out a counterterrorism vat ji. they did in the national security strategy in some traditional ways. i don't mean that as a bad

thirng but it's hard the to know what the to make of those changes if there's not a strategic context for them. e then there's a granular type of information sharing. that strikes me as responsible. which is information purely on what we're doing after we've done it. not before we've done it and in particular, who's it's killing. both in terms of combatants. this is something the previous administration worked towards more slowly and by the end, did so and entrenched that commitment into an executive order. ultimately congress entrenched related obl quigation on the defense department and when the deadline for both rolled around, just under a month ago, the deadline was ignored. the information wasn't there. to tell the american people that sort of information, how much are we doing and whom are we

killing, that strikes me as not just harming things, but it is generally helpful because auch this government and those who implement its policies are incredibly careful and it helps to defang a narrative to the contrary to put out the information as best we have it. sure, so the question of like where tuz this all go, what is the strategy look like, it's a really important. we had a counterterrorism strategy that says we can't kill our way out of this. can't overly militarize our responses to this. and yet, if you look at our resources in a number of different ways, whether they're sort of policy you know

financial or human rortss, we're overwhelmingly focusing on the military and intelligence angle of what we do. trz while it was important to get the policy right an we spent a will the o of toim in the maix administration convening meetings to make sure it was being implemented in the way the president wanted it to, that was very important. that has an opportunity cost associated with it as well. which is to say you know, that the real rubber meets the road on policymaking. and for every hour they're spending talking about a drone striker or proposed drone actions. they're not talking about thinlgs like the use of inkripgs and communications methods. cyber as josh mentioned.

some of these big x fakctors tht we think we have to get right if we want to have a fighting chance of really getting to the enemy. i just participate nd a working group that the stem son center put out. the total costs of efforts since 9/11. we concluded that over $2.8 trillion have been spent on it in the name of koent terrorism. that includes the wars in iraq and afghanistan. homeland security. a huge range of activities. the if you praek those down, the amount that was spent on foreign aid, that includes equipment for part and militaries. extremism measures we might take in foreign countries. it's less than 1%.

if you count the total cost of aid and operations, you get these incredibly expensive deployments to war zones. you're still under 5%. so waterboarding talk about our strategy all we want. we can say we're not trying to overly militarize it. as a prfs sor said, don't listen to my speech. read my budget. that's where i have to make real decisions. we have emphasized the military tools. there are a lot of good reasons for that that have to do with strictures that the congress has placed on the administration. color of money issues. on and on and we can get into those. to say the balance is not held up by analysis and what we've done. >> how long are we in this for? let me say first of all, thank you guys for the kind words.

you should know in the interest of transparency frk the book is good or better, it is better because josh and look spent long periods of time talking with me about a lot of the decisions they struggle. so to the degree i'm able to capture the flavor, it's because of i've talked to people doing policy level at the highest levels. >> in terms of your question of how long are we in this for, i think the nastional terrorism says it will no longer be the guiding perspective. as somebody who's spent over ten years working on it, i'm in vie leapt agreement with that. it should not be. but at the same time, i think it is nieve to believe we're going

to put this behind us anytime soon. terrorist threats will persist and if anyone believes they are overblown, which in some case, they may be, policymakers and especially elected officials, will feel the need to respond to them. and will sometimes leverage them for their own purposes. we are likely to see an ongoing focus on counterterrorism even if it's not the top security focus for the foresee bable future. i think there are several consequences that flow from that. the first, we need to do it more effective lichl thing project luke was part of. the fact we've spent $2.8 trrs is in and of itself right that i think the sticker shock should be right there for everybody. but the center had to go through and i think you guys had to estimate in some cases, what

wildfire not being spent or counterterrorism. and so the fact that we don't know and that we can't do effective assessment monitoring and evaluation, needs to change. if we're going to be in this for the long-term and we're not going to be able to spend like drungen sailors because we're look at other issues that are going to be higher level, then we need to be more effective and efficient. part of that means being harder on ourselves in internally organization alley in terms of how we do ct strategy and planning and evaluations. the other part is how to get more out of partners. i think that goal is to knowing what exwe can expect from that. josh i think your point is about the kurds ton glound and where that relationship is heading.

highlights two important factors. one is thatst not enough to share a threat. it's how ou you prioritize it relative to other events. we're not going to be able to get around that. can you change their perceptions? no. but goody diplomacy can help mitigate some of the worst case consequences. that's what's missing right now.

i've got a nice chart where i say here are all the different things that go under ct cooperation. and i do believe that diplomacy is part of that. if you don't, if you're not mind l of diplomacy as part of counterterrorism, you run into problems. if you're not mindful of counter e extremism, you run into proble problems. especially when you're not mindful of the trade offs that take place between this. the danger is that everything becomes counterterrorism. i think that's where it's a very, very rigorous and internal assessments become important because you need to be clear about where things fit in terms of counterterrorism strategy and where they don't. doesn't mean this everything is ct. it means you have to understand where ct runs up against other

foreign policy issues. i think that gets to the point about the short-term and long-term trades. the phase, the senior faces f m from -- the obama administrat n administration, and i think you're right. when you -- sometimes, maybe wrestle. for a long-term focus, i think the danger is is not that

they're confronting, it's that b i don't see them wrestling with this at the highest levels. so even if the obama administration fell short, even if the bush administration fell short, there's a cognizance of these challenges and wrestle wg them as opposed to it's sort o like well, let's just try to kill our way out of this problem. right? diplomacy is hard, let's not bo bother. the short-term, it's like focus on the military piece. that to me is one of the bigger issues is that we're not wrestling with them and so you're never going get the perfect answer. you're c trt or mitigate agains the bad stuff if you're not wrestling with thing things on a day in, day out basis. >> very well said. another thought to that is that ct policy can be very tra transactional if you want it to

be, but we don't want to go down that path because it's not effective. i think because the trump administration is a very transactional administration in everything. that's one ov the states objectives. it's a known approach of it, right? you can see that happening at commerce and within the military partnerships, you can expect it in ct as well. if that's what we are to presume, we're in for a lot of cleaning up in the future. i'm glad we brought this up. we don't want to dismantle a bureaucratic infrastructure to deal with ct that we didn't have when 9/11 happened. there's a wealth of expertise and knowledge in the bureaucracy we didn't have before, but now that the threat has shifted, there's a very natural tendency to say okay, we need to clean

this. let's dismanutle this b and focs on this part of the world. i think we all agree on that point. but it's just a note of caution as we watch the administration looking at where it can cut costs and in some places, for example, the state department, you need to trim some fat. but it has to be done in a careful and thought f way. diplomacy is critical to effective ct policy. i think there's a lot of good work to be done in that space. so let's thank you to our panelists. let's open up for some q and ark. identify yourself and ask a question. yes, we have mike runners coming around. >> center for global policy. so ct policy has it shifted in

the sense that we are now dealing with not your traditional terrorist threat. the terrorist entities have morphed into groups androm into state actors. if one of you can explain that. how has that changed ct policy. is it now bigger than ct. are we looking at a bigger enterprise than what we know as classic counterterrorism. >> go for it. >> yes. one of the issues people tend of think of counterterrorism, the nuts and bolds pieces of i. there's mechanics to this. law enforcement piece, military piece. and those are all still there. i think we were talking in the back that a lot of that is still, we've been doing that for a while and that's, that runs reasonably well, right zm i

think you've heard from the conversation, you're dealing with war fighting organizations. knop state actors that can govern territory for a considerable amount of time. he was referencing the risk factors, lack f rule of law poor governor indianapolanc governance, things like that. talk iing about the lack of diplomacy, when dealing with nonstate actors in terms of kurds. because the nature of the threat is bigger and because i think the not just the nature is bigger, but there are more factors we recognize are informing that threat. the nature of ct has changed. not to say it has to have a counterterrorism peerks but it

has to say that because the threat is big e, because there's a threat from state supported nonstate actors that have access to weapons and technology that states enswroi because they are able to take the whole territory for long periods of time because they're dealing with war fig fighting organizations that are able to sort of due propaganda. isis on the level that state were able to do propaganda historically. reach iing mass audiences. of course the tool, your tool box needs to get bet bigger. you need more instruments to deal with that. i don't mean every instrument is going to be an act instrument, but it means they're going to touch on different come poepts. i agree, you don't dismantle the bureaucracy. i think you try to get more out of it. but yeah, that's i think that's one of the reasons why you've seen that growth.

>> put in place and design to prevent another 9/11 style attack. right. that's what the investments were made and al-qaeda and the way they operate, our bureaucracy is meant to address that. thest a shadowy group where organizations individuals within the organization have in many cases known each other for decades. so you have these sorts of things where all shabaab and aqm swear by al-qaeda and bin laden says let's think about it. right? there's this long period of courtship where they're allowed in as a full scale entity. you have al-qaeda operating in the shadowy web forms and the understood side of the web and you have isis operating out in the wide open and operating a social media campaign attempting to build a movement and a movement that's not built on

these long-term plots that can be devastating on the scale of 9/11. but rather these home grown extremist type threats. the u.s. government is just not properly equipped necessarily to deal with these. our dealing with the online threat is is really difficult when we've got the first amendment and can't say this content which we find offensive but doesn't break laws needs to be taking down. we can't legally do that. b evooefb if we could, it woulde ha hard thing to do. you can ask are we pop proeperly equipped. the constitutional cape bababil we've built, can they be adapted to this threat? that's something i hope this administration and really any administration would be dealing with at this point.

the cycle you describe is the same one mao said. every group wants to become an insurgency. that's the classic sig iic cycl. the question becomes are we seeing folks in getting further down the cycle. re able to hold territory before isis. there was the farc. boko haram. but they didn't hold raqqa. territory the size of england. there was something about isis and the way it purported to govern including taxing and doing all sort of things very much for its own benefit. but to govern or looblg like it was on a way, on a scale that was different. this goes to the question about sustain bability of counterterrorism. because it's costly to do what we do in yemen or small area. maintaining the infrastructure to take strikes at the pace that the obama administration was taking them or at the pace that

the trump administration is taking them. it costs a lot. but that's dwarf fed by what the counterisis campaign looked like at its pique in iraq and syria. equipment involved in dollars involved i think you get to the point where it begins to look unsustainable when a group has taken territory like that. to dislodge a group from territory managed to take, it's really hard and eck pensive and requires military force. unlike some of the other ways you can intervene when it's more of a network operating, but not holding territory. which then begs the question, how do you do it again and how do you stop the next group from going down that cycle from the aspiring terrorist group to the next purported state or state

isis was. that comes before the military tool gets involved. you hope they're the type of deliberations that steven was mentioning earlier, that thyi'mt sure we are seeing now, but are critical if you don't want to be stuck fighting these fights over and over again. >> thank you. this gentleman from in the fron. >> i got a couple questions. in the sinterest of transparency -- [ inaudible ] can you elaborate? and for the panel at large, the failed mission focused the public's attention beyond yemen and somalia about the u.s. role in africa, writ large. what strategic goals -- u.s. goals do we have over there in africa, given that the national defense strategy talks about the -- [ inaudible ] >> tjust to answer the first on

briefly. the ndaa entrenched a requirement for the defense department to indicate in the previous years, by may 1, the number of strikes it had taken, the civilian and combatant casualties associated with them. and to his credit, secretary mattis was asked about this around may 1, his candid answer was, i gotta look into that. and my understanding is, dod has since indicated it plans to put out that figure by june 1, which is fast approaching, but i think it would be great to press on where that is. because i think these requirements, they're law. so that in and of itself makes them important, but i also think they serve a value in democratic accountability and giving people a sense of what their government, or giving the world a sense of what the u.s. government is doing in these various theaters. [ inaudible ] >> i'm happy to start with that. the sort of operations that come

to the public's attention sometimes in the tragic aftermath, or in the aftermath of a tragic event like the one in niger, they of course are going on around the world. in fact, they are often indicated in the report that the executive branch provides to the congress every six months on where we have troops doing certain things, and even the unclassified portion of that. and when they go as wrong and as -- when they become as tragic a moment as that is, where you lose service members' lives, it becomes -- you sort of zoom in on it and say, what were those troops doing there, worth losing their life for? that is almost an impossible formulation of the question to answer. instead, you say, why do we have troops in places like that, and what are they doing? obviously with the hope that you never lose their lives. and to its credit, dod has looked into it and is in the process of implementing things

to reprent that recurrence. but why are they in places like that in the first place? i think the answer is where i left off, you're trying to ensure the groups that are already emergent, not just nation threats, they are emergent, don't become t next is quasi state,heyon't take over the sort of territory that without our help can happen, unfortunately. that's agnostic whether any particular mission or set of authorities is the right one to accomplish that. but i do think if you want to cut them off before they become the insurgent, let alone the quasi state, to have our service members who can train partners, who can do so responsibly, and who can hopefully at some point then go home, rather than be stuck there forever, that's why they're there in the first place. and i think there's a validity to that. >> i would agree. i do think, though, that there's a point where when you're gonna put u.s. forces in harm's way,

even in relatively small numbers, that it's worth that dialogue and it's something that steven was speaking about earlier, to say to the american public, you know, we face the following types of threats. this is where they're from. this is what we think they can turn into, you can talk about the nature of that threat and the intelligence underlying it, without compromising sources and methods. and then use that to say, and therefore, that's why we have to be willing to take some risks, including sometimes the risk of putting our own service members into harm's way, to address that threat. i don't think that case has been adequately made by this administration. i could argue based on what i knew about the nature of the threat when i left government, two and a half years ago, why that would be the case. but i don't know what that threat picture looks like right now. and i haven't heard that discussion. and i think you're starting to see a blowback, not just in the case of the four service members who lost their lives in the sahel, but also a lot of questions around what's happening in somalia and particularly some of the

civilian casualties we've seen from operations there associated with our commando raids in our advise and assist missions that are really worth having that conversation about, and i would love to see that happen. >> i would just add a couple of quick points. one is, on that question of where service members are deployed, my understanding is that is another area from transparency has declined, and it's become harder to be able to determine where it is that the military is putting people at any -- at particular times. so that's just to say that that's another area where we've seen declines in transparency. second, yeah, i'm in agreement with -- with both the rationales for why we may proshlotentially service members in africa and in the need for a more full-throated discussion of that. we've talked a lot about the trump administration today. i think it's worth putting out there, congress has a role to play in this as well and has not

been playing that role for a long time. so i think it has an important role to play in that debate. and there are members that are trying to make that happen. but by and large, congress, i think, could be taking a much more forward leaning approach to this. and then the third i talking abt- ere's a way of looking at this, which is the geographic expansion of where u.s. forces are operating. i think the other question that deserves unpacking is what role are they playing. right? you heard us tossing around terms like partnership capacity, train and equip. and we've -- we're now at least from what can be gathered based on the open source, you guys may have more fidelity on this than i do, increasingly moving away from just training and equipping, or even training and advising and assisting, to doing train, advise, and accompany. and so we're doing partnered

operations where, you know, increasingly u.s. forces are out there with their foreign counterparts, potentially in more places. and the authorities for what they can do are, you know, are wider. and so i think that then raises the question of, was what's happening in niger, a training and advising mission, or was it something that was closer to a potentially combat mission if those authorities are going to be in place to allow them to go after somebody for a capture, kill mission and you get the firefight that you got? and that's something that's still being unpacked and that's hard to do in part because of the transparency issues that we're talking about. >> there's transparency and there's also basic communications outreach strategy deficit, right? i remember when we went into the balkans, bill clinton explaining on kind of night-time news, this

is what's going on and this is why we're going into it. i would argue, this is a lot harder, because these are not clear-cut conflicts, and it's not just one conflict. but we could do a better job of educating the american public on kind of the use of, you know, these kinds of soldiers in various parts of the world. so thank you for that question. i think there was this woman over here. please wait for the microphone. please wait for the microphone. >> i'm with the voice of america. and my question is that, if you could put in a nutshell the policy and the change, you know, in the spending, from obama -- from bush to obama to trump administration, and you talke about -- you spoke about accountability, transparency, so do you see any accountability efforts inwards? >> you want to talk about that?

>> in terms of accountability and assessment, so the ndaa mandated that the department of defense has to do assessment monitoring and evaluation for all security cooperaonnd programs. that's not just specific to counterterrorism. that means any time the united states is providing security assistance to a ally or partner, or it's doing training or other types of cooperation, military exercises, things of that nature, that there needs to be assessment, monitoring and evaluation, and dod set up an office that was working on putting all of that in place. that work continues. there are -- it is a massive undertaking. there are debates about how to do it. you know, there has been some good work in terms of applying best practices. there's ongoing debates about how much to spend on that. the international best practices, you spend 3% of your budget. nobody wants to spend 3% of

their budget on a.m. and e. i would mention the senate foreign relations committee earlier this year, i understood to be looking at a similar mandate for the state department. in part because of the acknowledgement that state needs to be measuring as well. and in part out of concerns that the department of defense, or the military, is already so far out in front, you know, in so many ways, in terms of driving our policy, that to now have them, you know, being so far out in front in terms of assessing monitoring and evaluating how this is being used and to not have that capacity could further widen that gap between each department's capabilities. >> i think in terms of that question of going from the bush administration to the obama administration to the early trump budget, there's a couple trends that emerged. first of alnitial big

investments were made in the bush administration. and it's helpful to maybe split this into sort of the standing homeland security intel-type apparatus we need to keep us safe on a steady state, versus the incremental cost of the wars, particularly iraq, afghanistan, and to a somewhat lesser extent, iraq and syria. and you have these massive investments after 9/11 in creating the department of homeland security. in creating the director of national intelligence. i think most people who track this would feel like those were largely prudent investments. although certainly a case can be made that we could spend more or less on homeland security in the particulars and achieve similar outcomes. that the one that has been tricky to rein in has been the cost of the wars. and it's been difficult for a number of reasons. early on the bush administration didn't want to put a real price tag on some of that. some of that i think they didn't know exactly what it was going to be. in other cases, i think they wanted to low-ball to the public

the total cost of those wars, so we did these emergency supplementals every six months and every year. and the obama administration tried to put some discipline around that, by creating the overseas contingency operation label to account for all of that war spending. and there's specific criteria for what you could put into that budget and what you couldn't. things that we saw early on happening, like the army and the marine corps saying there have been these modernizations and updates to tanks that we've wanted to do for years and we didn't have the budget for it. so when we bring the tank back from iraq or afghanistan, let's just go ahead and do that upgrade while we're at it, and we'll fund it out of the war spending. those sports of things that really caused the war spending to be bloated beyond probably what were the real costs of it, have largely been cut out and put away. and some of that is because the imposition of criteria and some of that is because we're spending a lot less money in those theaters to begin with. and i think that's good, to have that rigor around the budget and

also for us to have honest conversations about does it make to have so much of the special operations budget in the oco account. we'll need it at its current strength for the foreseeable future, counterterrorism, for a huge range of threats, and we shouldn't be saying that's a supplemental budget that could go away at some point in the future. i think with the trump administration, it's hard to tell, because there have been these irresponsible skinny budgets that are released, that it's hard to tell how serious of a policy document those are, vrs just an attempt to make a strong case about fiscal austerity. and in many cases, involve dramatic slashes to the state department's budget, and then congress takes an active role in reshaping it into what they think it ought to look like. and so i haven't seen a really frank and i think honest budget conversation with this administration yet, that really

lays out our resources and how they're going to help us accomplish a range of national security objectives, including but not limited to counterterrorism. >> all right, thank you. yeah, let's take two final questions, just have five minutes of these two folks here, and please wait for the mike. >> thank you very much. i'm from the russian embassy. as you said, the terrorism it's a global threat, and as it was mentioned several times by the representatives of the administration, no one country can fight it alone. russia has suggested to establish a global front to fight against terrorism, and it's still the goal. but i would just like you to think out loud about the -- what countries the u.s. must

cooperate with to raise the effectiveness of counterterrorist measures. thanks a lot. >> okay, and then this woman over here. just at the end. did you have a question, ma'am? >> yes. >> okay. >> kelly bla host, american conservative magazine. just a contextual question. we know, you had mentioned that the number of drone strikes had gone up exponentially from obama to bush. i think it's in the 50s for bush. and then i think obama it was like 565. we didn't get those numbers officially until the end of the obama administration. do we get any sense of whether or not there's been an escalation in direct action, or are we still waiting for some official numbers? you mentioned the ndaa mandate, but do we have a sense of if we're talking about an increase in direct action, or is everything just speculative at

this point? under trump. >> i'll jump on that one first. so i think that -- so first of all, the administration hasn't released its comprehensive role of the aggregate statistics of actions across the areas outside of active hostilities. that said, in some cases the pentagon has released specific numbers and then there are three really good outside organizations that track drone strikes, new america being one of them. the bureau of investigative journalism is very well, as is the long war journal house. so pretty good bipartisan-type trackers there. the numbers have definitely gone up outside of areas of active hostilities. if you look at the pentagon's actual release numbers for yemen, it's 120 this year. last year, it was 40 or 50, something like that. last year, being 2016 versus 2017. so the final year of the obama

administration, in the 40 to 50 range. and then 120 in the first year of the trump administration. and the numbers reported by those three organizations i mentioned show increases in somalia, and i don't remember exactly how the other theaters shake out. but the aggregate would be almost certainly higher. they also show somewhat higher civilian casualties. those are hard to assess without any context around them, which is to say, in some of the cases in yemen and somalia, it appears that our strikes may have been in support of partner nation ground forces. if that were the case, they might not have been abiding by the same rules of near certainty, of no civilian casualties, so you might expect some higher levels of civilian casualties. that's why that context is so important. and i'd be hesitant to sort of make any absolute statements about that in the meantime. and i'll just take a brief stab at the question on what ct partners we should be working with. the answer from my perspective is all of them.

in the sense that we too often think about partnerships, how do we help a country that is facing a terrorist threat within its own borders, build the capabilities it needs? but we also need to be thinking about traditional allies, regional partners, we need to be thinking about multinational organizations, and there are various case studies of these where each one of them, whether it's the french and africa, or the amazon mission in somalia, being incredibly effective against some of our shared threats. >> go ahead. >> i think luke nailed it on the numbers. i'm not sure i have much to add on that. in terms of partners, i begin where luke does, in terms of canvassing what's out there. often we go into counterterrorism endeavors with partners most readily available who are a lot like us. so we begin with western european countries that are not geographically proximate to wherever we're worried about the threat emerging from, who have

capabilities similar to ours. in a lot of ways, ours are superior or greater in number. but we go in with similar folks, that's not exactly what you need. that's not any way to shake a stick at the wonderful partners we have, but sometimes you need people who are simply the partners where the problem is emerging from, or those with different capabilities. and sometimes that can get harder because you want to engage in this effort with those who share a certain commitment to the law of armed conflict and policies about ensuring that there's an appropriate respect for, at least attempts to avoid civilian casualties. you can never guarantee you won't have them. that's where partnerships get more difficult. both with those who are host countries, a country where the threat emanates, and from others who may be active there. and ultimately, if you find a partner who is not meeting those thresholds that we consider either legally or just morally

appropriate, it then becomes quite difficult to figure out how to navigate that and either point them in a direction that makes them suitable as a partner, if they're open to that, or figure out how to deal with the situation without that. but there is this tricky balance between needing to work with partners who aren't like us, because they often have things that we don't have, including sheer proximity, and at the same time, adhering to the values that we both believe in, because we believe in. but also because we think they're important for counterterrorism and for maintaining the moral high ground that counterterrorism requires. >> yeah, i would just briefly add on the numbers. when you look at aggregate, that we've talked a lot, there has been the increase in yemen and somalia, i think i looked at the bureau of investigative journalism not too long ago. it looks like somalia had at least doubled in 2017 over 2016.

there's also questions about whether or not strikes are being reported as -- it might be five strikes, but it's reported as one strike because it was in the same location. so there's questions about that. but i would also point out, unless i'm mistaken, strikes in pakistan has come down considerably from the high point. so you're going to see more in yemen and somalia, fewer in pakistan. so that will sort of impact what the aggregate number looks like as well. it's worth keeping in mind that strikes in pakistan were partially intended for degrading al qaeda, were also partially intended for force protection for u.s. forces in afghanistan, whereas now, as luke was mentioning in places like yemen, it may be force protection for partner forces rather than necessarily for u.s. forces. so just put some context around those numbers. on the issue of partners that we work with, you know, i'm in

agreement with josh that i think there's an important -- importance of looking at both who our close allies are, that sometimes are our natural partners, or natural allies. and also places where we're going to need to work with somebody because that's where the threat is. but also i would add on another piece to that. which is, i think often when we look at partnerships and what we want out of our partners, we tend to come at it very much from sort of what is the threat and what is it that we think that we need? and i would argue and one of the things i do try to argue is that the united states would do well to be more cognizant of what it can expect from its partners. so not what we fwheneed from yod what do we want from you, because it's nice to want, right? but what can we actually expect from you? and i think that's where you get into, not just what is that partner's capability and capacity, but also what other threats does it face, what else

do we have going on with that partner when it comes to foreign policy, right? are we potentially competing in other places in trying to cooperate on counterterrorism, or are things sort of benign outside of ct, or do we have a preexisting relationship with you for other reasons? those are all questions that i think individual policy makers, certainly that i've spoken to, you know, pay attention to, but collectively as the policy-making community, we could potentially put more emphasis on. >> wonderful. well, thank everyone for joining us, and these great questions. please join me in thanking our panelists for a great conversation. thanks. [ applause ]

this weekend, c-span cities tour takes you to new orleans, louisiana, on its tricentennial year. with the help of our cox communications cable partners, we'll explore the literary scene and history of the city. saturday at noon eastern, on book tv, hear about tennessee williams. then author cody roberts with his book "voodoo and power." on sunday at 2:00 p.m. eastern on american history tv, explore the exhibit "new orleans: the founding era." >> new orleans is celebrating it's tricentennial this year in 2018, we're 300 years old. the historic new orleans

collection has decided that for our exhibition, we wanted to look back at the city's earliest years and what it was like when the city first developed. >> and then a visit to two jacks, one of the city's oldest restaurants. >> food here takes a much larger piece than it does anywhere else. we live to eat in new orleans. >> watch c-span cities tour of new orleans, louisiana, saturday at noon eastern on c-span 2's book tv and sunday at 2:00 p.m. on american history tv on c-span3. working with our cable affiliates as we explore america. >> c-span, where history unfolds daily. in 1979, c-span was created as a public service by america's capable television companies, and today we continue to bring you unfiltered coverage of congress, the white house, the

supreme court, and public policy events in washington, d.c. and around the country. c-span is brought to you by your cable or satellite provider. today in the british house of commons, scottish national party leader ian blackford objected to how the government was handling brexit and the future role of the scottish parliament. his protest led to his removal from the chamber, and a walk-out by fellow snp members. here's that part of the session. >> ian blackford. >> thank you, mr. speaker. the prime minister gave a commitment that she would treat scotland as part of the union of equals. yet last night she pressed ahead with a power grab in direct opposition to scotland's elect