[inaudible] there is a soldier that has contributed. in the and a soldier is a man dedicated to the american way of life. remember, there is a soldier. host: thank you for that, sir. we did not talk about the number of women in the military and how that has changed over the past decade. why don't you close with that. guest: it has held between 12 and 15%. if we went back to the start of all-volunteer force and has grown from 3% to 15%. there are sizable part of the force.

they are certainly going to be exposed to dangerous situations in convoy or escort. they are trained for it and ready. they acquit themselves well. women have earned a silver stars. they have very strong performance that they bring to bear every day in the military. it is about 50% of the force. they are remarkable group of americans, as are the men. the equip themselves magnificently. host: thank you. did we appreciate it. we have one more day to go in our series. we will be back tomorrow and looking at programs available to veterans who have served. that is and for our thursday morning. thank you for being with us today. we will take you to apply even to. at the heritage foundation, homeland security 2020, the

future of defended the homeland through cyber security. [captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2010] . . billion up to $100 billion worth of information. so, it is a real problem. on the other hand, it is a real

value. if you have been watching, if you have been on amazon lately or ever purchased anything on ebay or you have a facebook accounts, you understand that the expansion of information through the cyber domain has been truly transform intent of our social networks to -- today. that is why there is a lot of money. there's a lot of talk about cyber. but as of yet, at least here in washington, no fully developed theory of what we should do about it. how we should realize all the gains that we can from the enhanced information sharing abilities that come from the cyber domain while avoiding the worst problems. we will have two panels today to begin talking about some of the ideas on the table for discussion. i do not think we will get to any answers but i do think we will raise interesting issues. our first panel will focus primarily on the civilian side,

looking at private sector responses and the interaction between private citizens and the civilian government authorities. our second panel which will come in the second hour of our discussion, will look more at the official side and then nature of government the responses, particularly military responses and non-military. that is gonna be outlined. let me introduce the other two mammals of the -- members of the first panel. immediately to my left, dr. jeffrey cohen. he works for elysium digital, technology litigation consulting company that helps lawyers and technology-related cases. phd in computer science from duke and also holds ab the woodrow wilson school of public and international affairs at princeton. areas of focus include program designed and java programming. prior to joining elysium he worked for ibm, it did it

general, can't generalize -- anybody who is anybody in computer field. i first met him when he first participated with me at a national academy of sciences study panel on american policy toward cyber deterrence. to his left is jay stanley, the public education director for the technology and liberty program at the american civil liberties union. i would note with happiness that a member of the aclu has walked into our building and the walls have not fallen down. [laughter] which is remarkable. i know that. we had to reconstruct it after the last visit. he writes and and it's a large number of aclu report on privacy in technology issues. if you have read anything by the aclu in this field, you have seen his work, whether credits it or not. he was the co-chair into thousand nine of the biggest computer freedom and privacy annual conference held here in

washington. prior to joining the aclu he worked for a technology research firm. he is a graduate of williams college and holds a master's degree as well from the university of virginia. our plan would be for each presented to give about 12 or 50 minutes of discussion and then we will follow it with a q&a step -- peace at the end before we transition to the second panel. >> thank you very much. thank you to paul for inviting me and for putting together this event. i think it is really interested and i am glad i got to participate. paul introduced me. so i did not have to say much. i will say that what i am talking about is an outgrowth of work i did on the national academy study on cyber deterrents and there is a publication for coming from that. how technical the audience is -- paul warned me probably not everybody would be

technical so i thought i would start with a very quick technical the deduction. internet is a series of tubes. for the people at home -- a picture of a series of tubes. i should say that little bit in that introduction that most of the pictures from my slides are actually from the library of congress but no collection. you can see the notches in the upper right corner, but not code that tells the developer what kind of film it is. i am told this is kodachrome b something from the early 1940's. i think ted stevens probably got a bad rap, maybe more than one, but everybody uses metaphors to talk about the internet. it is inevitable. you have to use metaphors because the only thing else like the internet is the internet. an internet is no less a series of tubes that the information superhighway or cyberspace or the matrix or any of these

things. metaphors are enormously helpful to let us reason about things but they are also misleading. we always need to be on guard that we are not using a metaphor that traps us in a certain way of thinking. i see a lot of that in the current discussion. people say it is cyberspace, therefore it is like space or some physical space weekend dominates, for example. that is dangerous thinking. through my talk i tried to warn people off certain metaphors when we are talking about certain kinds of things. the internet really is a series of wires. what is interesting to remember about that is it is all physical objects. they are all owned by somebody and they are all within the control of some nation state. everything, every inch of the internet, every component of the, is a physical object somewhere that somebody has control over at least. so the idea that it is this new domain that is independent from

nation states in a separate dimension, is really false because some country has control over every router, every table. if there is nothing in the internet that is not part of a nation state. -- there is nothing in the internet that is not part of a nation state. it has huge implications for our ability to control its or regulate it. if i had to use a metaphor to talk about conflict within the internet, i think it is more like urban more for -- warfare and space or naval combat. every block is owned by somebody. there are countless civilians. no way you can dominate. you do not even know the state from minute to minute. it is very difficult to identify what is going on. if any -- someone is shooting at you, you don't know where it is coming from. a very different kind of any kind of conflict, then example a fighter up at 4,000 feet where you can see all around the curve of the earth.

this is another test for how geeky the audience is. this is a cartoon --ma verizon or comcast. on a computer, probably running microsoft. so the problems that are going on are in many ways deeply rooted in the u.s. infrastructure and decisions made by u.s. companies by regulatory authorities at every level of government. we should not say it is not a threat. this is a great photo that i think from 1905 to 1910. german scientists with a detective camera. amazing that cameras that small in 1905. when i was looking for pictures i found this one and i like it so much. there is espionage. i don't mean to say that it is not a threat, that it is not real. but i want to focus a little bit

more on different kinds of threats. this is one threat, and espionage. for that matter, before i leave that, i think understanding cyber-conflict within the view of espionage and intelligence is one that makes a lot of sense. i think we can see what is going on in government right now is the idea is whether cyberspace is more like intelligence work or military conflict more like tom clancy. the tomkins -- it will predetermine a lot of the judgments we make about how we think about it. these are two cute puppies would have a valentine's day cards. just in case you have noticed, valentine's day is coming soon, don't forget to get flowers, keep present or nicely designed valentine's day card and make sure you grab the kit and get started -- download the death kit. probably everybody got this e-

mail. hopefully of it -- it was filtered out upstream. maybe you did see it in this in box. hopefully none of you downloaded the valentine's decade because what you did, it was the virus, successor to storm worm, over 1.5 billion >> messages a day -- 1.5 billion spam messages a day. these are not computers owned by hackers in russia. these are people at goldman sachs, the pentagon, at home. these are people's computers sending out spam which, incidently, the money went back to russia. if they manage to do identity theft and grab your credit card. that was a real threat and it was a threat that honestly is not that hard to detect. finding an infection on a computer is not hard. isp's know which addresses are sending out those spanning pact.

it is not prohibitively difficult or technologically challenging to know that your network has been compromised. the problem is the highest fees don't know what to do with the information. they don't want to be accused of spying on the customers. they don't want to get hurt by electronic privacy laws that regulate what you can look at. i think a lot of ways the ideas. 's are begging for guidance on what they should do -- isp's are begging for guidance. i think palm mentioned already, this is a picture of the f-35, joint advanced shrek technology fighter, america's most advanced fighter. close to my heart. my very first job out of college was working for the congressional budget office and we were doing cost estimates on this program back in the dawn of it. the files were this that were down loaded -- according to open sources, i should say -- i have seen estimates of terabytes of

data downloaded by possibly somebody in china. this is going to be the main aim of our air superiority for decades and probably somebody in china has terabytes worth of data about. the first big lesson i want to say -- and hopefully the walls will not collapse -- cyber security is a classic market failure. other than smokestacks, you can put in economic textbooks, it is an externality that people who make things like software operating systems, computers, they do not get the direct cost of security failures. in fact, a lot make a lot of money because they are selling in sufficiently secured operating systems and such. the knowledge on how to deal with it is highly distributed. a bunch of reasons. but the market deals with cyber security terribly. there may be some parts week in these markets for but relying on the market has failed and will

continue to fail. the news of not necessarily all bad. this is a law professor from stanford, now at harvard. incidently, he clerked for both richard posner and judge scalia so hopefully have some credit in this room. four forces -- the law, norms, the market, and code. and all of those different things can constrain action. you can use any of these as lovers. at the weekend solve this problem, we will have to use all four. some market things where the market hopefully -- hopefully we can shake the market to reward cyber security. but we also are going to need new laws. we will also mean no norms of behavior. a lot of what is going on with isp's right now is developing what are called best practices. no one is required to do that

but as publicly issued standards of best practices, what do you do if you know that a customer has been infected with a virus. this says -- i am told, access denied. this is a screen shot from "green dam," the chinese government software that they mandated be installed on all personal computers in china. i have introduced a problem. what you do to solve it? this is one approach, as you say. everyone has to install it and it will make sure that everybody is safe. the problem is, of course, it so it was insecure and had they deploy did it would have created the world's biggest botnet, so thankfully they did not. but that is one option that you can impose some sort of regulation on end users. the open problem is always end users especially for botnets, can you control their behavior.

a lovely photograph. what of my favorites from the library of congress. the point here, a little plea for a detailed matters. it is all well and good to have a 12-minute discussion on cyber security. hopefully i will finish up. i have two minutes left. details really matter. he can't really have an informed discussion without understanding a lot of what is going on. which means you need to know what it is about the gateway protocol that route between pure networks that is insecure. the chinese telecom isp use that intentionally or not to shut down about one-third of the internet by accident because they issued out all routing tables that route but most of the internet through them. they were not actually able to do that so anyone who accepted the routing table basically just cut off all of their use is a from the internet. it may be a mistake but the fact is not everybody knows you can do it and most people accept

that table. you have to understand that bugged, and that is one slice of the problem. a little please -- i do not think necessarily people in the audience, but in general, maybe people watching, i do not think computer scientists have engaged in cyber security enough. not enough real academic research. thinking of a parallel being strategic defense. strategic defense basically created the field of software engineering. started doing analysis in the mid-1980s about the use all software problems. we need something like that for cyber security. or we can do more police regulation -- computer fraud and abuse act, a lot of instruments that exist now to try to regulate the computer activities mostly around the idea of copyrights. and we don't even have stopped that good for regulating security problems. you can't send a take down notice for somebody hosting

malwware but -- for someone hosting avatar. we need better vaccinations, anti virus software. we need more protection of the end point. so that we can create better perimeter -- the distant warning -- early-morning live from the nuclear standoff days. pushing out the defensive perimeter so we can see what is coming and from inside the house. thank you. >> perfectly timed. excellent. not at all. jay? >> the aclu, as a civil liberties organization, our primary concerns are about free speech and privacy issues when it comes to cyber security. it and the internet is of course the primary place for americans to exercise their rights of free space. it is a newspaper, entertainment

medium, research library, reference work, it is a soapbox, a debating forum, the closest we've ever had to a true free market of ideas. and a lot of the success and this vibrancy and is blossoming and blooming is because of its open architecture. everybody can contribute. the architecture is neutral. but that same open architecture obviously makes it vulnerable to security problems. can some ways the internet is a reflection of the human cycle -- psyche. all the wonderful creativity but also the dark side. the question is, how do we address the security problems that we are experiencing in the internet without killing the goose that has laid many golden eggs and has made our country much more wealthy and powerful than otherwise would be pared cyber security is a vast and complicated area with a lot of very technical areas.

and a lot of the areas in discussion don't really have any implications for our rights. but some do. and there are many legitimate roles for the government in cyber security. regulations governing security standards for power plants and other critical infrastructures, public education and exportation, research -- perhaps encouraging a greater academic vibrancy in that area -- procurement standards to try to address the market failures that goeff talked about. a push for greater openness and dissemination of -- it is the decentralized medium. and a larger managerial problem of the government getting its own act together and getting its own security practices up to snuff. the basic level of corporate america.

but are some areas and some proposals that do raise a lot of questions about our liberties and raise questions about whether we might be flirting with destroying the goose that laid the golden eggs. i will talk about three recently. einstein program, so-called driver's license for the internet, and emergency authority over the internet. let me start with einstein 3. which we did not really know enough about because it is shrouded in a lot of secrecy, but the program is an effort to protect government computer networks in a centralized way, more or less. einstein two, which is currently under deployment, it uses database of signatures to protect malicious code a entering or exiting government networks. einstein 3 would add to that -- it would be more anticipatory and conduct real-time inspection

to try to try to make a "threat- based decision making" based on signatures and scenarios. which might include personally identifiable information. on traffic to and from government networks. it would be unlike -- unlike feinstein two, it would be placed on the servers of telecom companies, private internet providers. talking about the balance between the government side and the private sector, this crosses a line into the private sector which raises a lot of issues. for the aclu, when you talk about nsa and at&t joining together to stand traffic, it raises flags given the history the last 10 years of war and as a wiretapping that anyone who cares about the rule of law should care that no law was flagrantly broken by those two organizations -- that the law was flagrantly broken by the two

organizations. the concern was that the government was -- would be placing its own filters over the private sector crosses the line. in short of the short term, one of the concerns is whether it would sweep up private traffic. president obama in his cyber suffered a speech to say we will not be monitoring the civilian networks, private traffic. i have no doubt that he meant that. but security dynamics and in paris is have a light of their own. security institutions are bigger than any individuals and they have their own bureaucratic -- bureaucratic imperatives. so we do not trust that it will remain true. this idea of a threat signatures and scenarios, being used in a very pro-active way, raises questions about how that will be implemented and how -- whether we are going to see sweeping algorithms that cats

far too broad a variety of threats. what we don't want is a watch list for the internet. we have seen in the airline context, which have been kafka- esque to abroad, swept -- it let true suspects through. they are based on a sloppy lists and questionable computer algorithms. people are not able to remove themselves. we don't want a computer internet version of that. the question is what this einstein three exactly looks like. and what it means extended to the private sector. moving from einstein's three to the broader issue, there is a lot of talk about how does the government's cyber security efforts, and how they interact with the private sector where much of the internet takes place. there's a lot of broader talks that should raise concerns among

americans about the government's role in the internet. nsa director keith alexander says we need real times situational awareness internet works. former nsa director and director of national intelligence said we need to develop an early warning system to monitor cyberspace. the -- they could be referring to person -- perfectly rational basic security practices or to grandiose visions or imposing a government role on the internet the likes of which we have not seen. it raises questions -- what is the role for a centralized top- down command and control approach to cyber security when the internet itself is a distributed thing, internet problems of this debate, software is distributed among millions and millions of computers. in what way does it make sense for there to be a centralized command and control response and in what ways is it really a distributive problem where openness and disturbing

information about how to combat threats is the best way. in particular, what should the role of the nsa be? the aclu got a view is an cessation not get anywhere near civilian cyber security. it is a military organization, publicly accountable, a record of illegal interference in private -- publicly unaccountable. it has the mission of spying and the defending networks. we cannot have confidence that if it, for example, discovers a certain vulnerability that it will spread to give award to millions of people to fix that will vulnerability when it is tempted to keep that vulnerability see the so it can exploit it for spying. defenders of the nsa says they bring two things to the table. they have a tremendous center of expertise in server security and the u.s. government, and i say if that is the case then that expertise it needs to be spun

off to another institution that does not have the club -- conflicting roles, not part of the military and does not have the tremendous history and institutional culture of reflexive secrecy. number two, defenders say, well, the nsa has access to a lot of secret threat signatures. that may be true but we don't know because of their secrecy to the extent it is true so we can judge the benefits and costs. but if you take all of the different threat signatures and knowledge of different cyber security threats, there is some subset of those in -- by an essay and a subset of the nsa was that they must keep secret that opposed to the ones they habitually keep secret but could share without harm. that subset of the subset, how big of an advantage are we getting from this and as a secret intelligence about cyber threats -- nsa cigarette

intelligence about cyber threat? if they are going to protect us based on secret information -- if it must keep the threat and mason secret and will protect everyone using the secret of the mission it must be done centrally. because it cannot be decentralizing because then they would be giving away their secrecy. we are skeptical about the size and the benefit of the nsa's contribution, balanced against disadvantages of centralized approach to security and all of the secrecy -- secrecy that is involved. secrecy is out of control in the u.s. government, everyone from left to right and commissions that studied it had acknowledged, but particularly inappropriate in cyber security in many ways. the internet is decentralized and because the best way to combat many security problems is to get information out, pushing information out.

we have this vulnerability, this is how to fix it. much of the security problems in cyberspace result from people not doing very simple patching and so forth. so, the idea of the government and the military spreading its tendrils and to the private networks is one of the main concern is that we have. and it seems as though there is a push to do that. there has been talked about doing it. this report that just came out yesterday with the existing code name -- what was it, paul? buckshot yankee. >> operation buckshot yankee. >> raises questions in that area. so, we need to be very careful not to put the government in that kind of role. the second of the three of want to talk about is drivers' licenses of the internet.

the crudest form. some people in the security community -- people say we need a driver's license for the internet. in today's world, it is basically proposing a driver's license to speak. because the internet is where most speech as a practical matter takes place. the can't do that under the constitution. other proposals are not so crude but you basically would lead to the and the possibility of anonymous action online. what cyber security officers caught attribution or add to be of ability, being able to figure out who did what. anonymous speech is one of our oldest american traditions. a lot of the founding fathers and the people of the american revolution wrote anonymous pamphlets. federalist papers we now know were written by john j. and james madison and hamilton. so, a lot of these proposals

would raise great concerns. we have to ask the trade off. mike mcconnell said we need to reengineer the internet to make act of fusion, ngo location and intelligence analysis more manageable. that raises red flags for people who care about the internet as a vibrant form for free speech. people going in senate to discuss and get advice for very personal problems. people speak more freely to power when they can speak anonymously. and we do not want to ruin all of that because the intelligence agencies cannot figure out how to stop foreign spies from getting to their deep secrets. the white house have listed date -- we are running out of time. we did talk about that and q&a of people are interested. the idea of emergency government authority or the network, the

idea contained in current legislation proposed in congress. when the government shut down the internet is interfering with people's speech and rights of association. and we have not seen convincing scenarios under which this would be necessary. there are many scenarios in which over time, this kind of a sweeping power could conceivably be abused. at the very least, theoretically there could being -- could be for extreme emergencies, it could be conceivable we would want this kind of power to take place, but at the very least we need to have very well defined parameters and checks and balances over any kind of power like that. and so, that is something our lobbyists are working with members of congress to work on. let me just this with two quick points.

there are a lot of different problems that are several problems for all cyber security. criminal and malicious security and -- fraud, id fred. there is by versus spy, and espionage. was taken -- taking place off line and now one line. attack on critical infrastructure. the scenario of failure of the electric grid. then there is a war fighting. foreign attacks degrade our military these are several problems with separate solutions and should not be lumped together. then what happens is you get the existential threat to our nation of the collapse of society that is theorized coming from wiping out all our critical infrastructure, which is, according to many experts i talk to, a highly dubious scenario,

one that is talked about a lot. you get that at that urgency of that and importance conflated with all kinds of everyday very real threats that did take place. and that leads to justifying wrapping cyber security in all kinds of secrecy and gives added weight to justify radical interventions and re-engineering the internet, which really would kill the goose with the golden age. it and cyber security -- there has been tremendous amount of hype. we can talk about that. a lot of scenarios like the fighter, a lot of that was publicly available information, i understand. nothing secret was taken. and it these duties circulating around about different threats. let me just stop there. >> i give him a cut sign -- i love jay.

>> the virtue of being on one of your own panels is you get to talk last and decide what you want to talk about what the others are talking. i will be shorter than day, mostly because of what to insure we have a good 15 minutes for discussion. i will make one overarching point with two sub points. but over arching point, is it is a problem. right? i know that it sounds trivial, but listen to what you just heard. you heard gpeff very ably describes why we have a market failure in cyber security today, and the normal answer to market failures is some kind of federal regulation or liability regime or federalization of the problem. typical of things like the environment. environment is a market failure. pollution is a problem -- everybody's problem but nobody's concerned, right? so we federalize response by having a large set of federal

regulations, a very intrusive regime because of pollution is a horrible thing. you could imagine a regime like that in the cyberspace domain but then you would run right into jay's problem, which is the internet has become something more than the common good of fresh air but also at the core of our current perceptions of freedom and liberty and democracy. free-speech happens there. a great list -- even the psychiatrist is there. that is actually a problem -- it is a wicked problem but a social problem that actually does not have a neat set of solutions. the answer to weaken problems, though, is not to give up. in my perspective, essentially what we have done so far. everybody is barreling ahead without any coordination. with their own set of solutions

as best they can. an answer we will eventually wind up with if we do not change the trajectory of how we talk about cyber security is the cyber security solution that arises from a weather gets there first and fastest and best. the first guy who actually comes up with the solution, that will be the dominant result. and it may not be the best results. what i perceive right now, for example, is the nsa and u.s. cyber command are by far and away the most significantly powerful and effective federal actors in combating cyber intrusions. they do have more expertise than, for example, the department of homeland security, and they certainly have a much more centralized set of authorities banned, say, -- and then, say, disbursed systems that operate on a private network. so we are rushing ahead with a system that is likely to result in a default of some form of the

military or semi-military control or protection of vital critical resources without deciding whether that is the right answer. it may actually be the right answer. unlike jay, i am probably willing to entertain the possibility if we put in place and of oversight activity, and of protecting of a tank ability, regulatory, independent ombudsman, we could empower federal action at that level. but we are rushing ahead without doing any of that. it took from 1998 when president clinton first proposed it until 2009, when president obama did it come it took 11 years to develop a centralized coordinated -- not directed, but centralize coordinated function in the white house. the white house coordinator is not the first amongst = who can actually nudge and forced the different agencies to work

together, but rather he is the least amongst =, if you must know, who exist right now: sufferance within the context of the other agencies. what we principles should be thinking about at least on the federal level, in my judgment, is enhancing the coordinating authority and structures of the white house to ensure that -- decisions on where we want to reside at our cyber security efforts in the federal level, in the military or dhs or other institutions, are made by somebody who connects lee direct response to that. right now budgets are disassociated. no unifying cyber security budget within the annual budget. it is one -- within each of the agencies. there is no person task which actually directing conformance with cyber policy. imagine the guy who gets to

articulate policy but actually has no mechanism to ensure the policy is carried out. that right now is more or less -- i am being a little unfair to howard schmidt who is very able, but in terms of his actual authority right now, that is where he is. he is none of authority over anybody who exist in that agency. my second point, what i will close on, we have talked and talked and talked about the need for a public-private partnership, one that will solve a lot of these problems by allowing interchange between private sector a disease outbreak 80% to 90% of the backbone that we use and the federal government which may or may not have enhanced ability to protect. what we have built so far simply doesn't work.

the information advise the sharing councils are good in theory, the work somewhat in practice, particularly between and among its private sector actors but they have not yet to become an effective tool for actually bringing private and public sector people together. one possibility that i think i will lay on the table and we can talk about either in the q&a or perhaps in a paper i will write for heritage or something like that, is to actually consider whether we need to formalize the concept of public as private partnerships. we have public and private corporations. some are in zeolite fannie mae and freddie mac. but others like millennium challenge account and american red cross have been very effective for a number of years. and maybe it's time to think about formalizing the structure, can call it the cyberspace assurance corp. -- it is

copyrighted. you have to credit me if you use the name. cyberspace assurance corp., which would be a locus for public and private activities in a way that is beyond what they do now. with that brief summary, i will turn it over to questions. we are on tv so if you have a question you must wait for the microphone. if you don't, no one will hear you. the floor is open for the next 15 minutes. this lady right here -- right behind you. please identify yourself as well so that people want to be no new york. >> joanne, university of wisconsin -- i teach i.t. there. i have a question about google and microsoft in terms of the search engines they control. the search engine data are especially of interest in cyber security. i of wondering what the appropriate relationship between the government's and these private organizations would be?

again, we know of the tension between google and the chinese in terms of their relationships and i am just wondering if you could project a future in which these private organizations would be able to run their search engines and still provide information when needed to the government for cyber security reasons? and i think that one is in your field. -- >> i think that one is in your field. >> search engine dated if you think about it is one of the most personal sources of inflation about you, if you use the internet regularly, that exists. your every interest and thought, but you want to read, things you want to buy, every passing fancy and interest and research thing and diseases you worried that you might have, people you might suspect our day, all types of things go into your search thing -- people it uses back are gay.

that information should not leave the walls of the search engine companies and certainly they should not retain it as an longer an absolutely necessary. which unfortunately they did. and it should not be given to the government unless the government has specific evidence that it is evidence of a crime and they come to a private company with a warrant. there should not be a routine relationship or prophylactic preventive use of that information all. -- at all. >> i think i would just say that we have the mechanism in this country for law enforcement getting information from companies, it is called a warrant. there is no reason that cannot work more or less the same for computer information. it happens all the time. when someone sends a threatening e-mail from a yahoo account and a secret service, fbi, would ever, thinks it is worth investigated the issue a warrant to yahoo and says who does this

account along to. sometimes it reveals actual information and sometimes it does not. i do not -- think search engine data should be more protected than that or less. i did not think the government should have a magic back door, but i also don't think necessarily that we would say it would be completely off some -- i think he is right, there probably needs to be better standards, possibly probably within the government how these companies retain and use personal and formation. right now it has been a free for all. maybe we are still letting the market work that out. maybe not. i think there is an interesting discussion there, but they're already in mechanisms like the computer assistance law enforcement act, or whenever, technical and legal frameworks to do wiretaps when actually they have a warrant to do so. you don't want to get in the way of that but i did not think you want to make it such an easily

smooth path. that is the balance. >> i will take a different tack and probably in disagreement with my two colleagues. two points. the first is, in my judgment, the increase in computer power that is attending data analysis and a decrease in cost of data storage are going to inevitably cross. we are running towards the world in which, whether we like it or not -- and they don't like it and i understand why -- whether we like it or not, the half life of secrets is plummeting dramatically. your ability or desire for legitimate personal reasons to keep profiles of you secret is eroding prospective of the irrespective of government actions. i do not need to be too apocalyptic but i think in and it is a lost cause to assume there would be any way in the

world that we could prevent the development of profiles, whether based on search dado or travel data or whatever. i would add parenthetically that even if we in america decide not to do it against americans, it does not mean the chinese will not do it against americans or the indians or what ever. unless there is a worldwide disarmament of analytical capacity, the game is over. the other point i would make is that one of the things we found in the last nine years is this metadata is powerful and effective as a counterterrorism tool. it has allowed us to engage in better targeting of scarce investigative and screening resources on people who are of greater risk. like most such album rhythmic assessments of risk, it is not a perfect system and also a system that can be dialed up down

depending upon our sense of threat posture today. if we have a sense there is a greater threat in the next two weeks because we have hired chatter over here, we could change in the screening mechanisms at our airports. when i was at dhs we very successfully used travel packages -- not google certification state of the same sort of meta data to target inspection resources that resulted in a number of successes of turning away potential terrorist activity. that is not to say that wholesale government access is without threat. indeed, it is not without threat. nobody would say otherwise. i actually think that's one of the very biggest missing pieces in the whole puzzle right now is that congress has provided for the existence of an independent oversight board that is supposed to figure out or help us figure out how some of the the rules are to be applied that will

allow us to give the benefits of that data analysis without but threats that arises that jay sees. it was legislated into existence in 2007 and there is a bipartisan agreement apparently not to staff it because neither president bush nor president obama has seen it fit to put people on it. i will cite that as one answer. next question. this lady down here and then that gentleman will be next. >> from japan. i want to ask you about cyber security bills by senators rockefeller and lieberman. critics saying it gives the president a kill switch. they say there is no kill switch. what do you think about that?

what do you think about -- national security, how should you balance them? >> you had spoken about the bill so -- what you did not get to say. >> basic going -- basically we do not have the objection of the sort of very concept of some kind of emergency power, and some of these emergency powers may already exist in existing law. whitehouse what not say what it thinks its existing authorities are which conflicts the debate. it needs be careful about that with the checks and balances. a very narrowly tailored. nearly -- narrowly tailored in

the way it is executed and that has to be a compelling interest. so we are working with members of congress, our lobbyists from on that issue. in terms of the balance between freedom and security, my organization represents those americans who put freedom as their highest priority. and a lot of the larger threats, as opposed to the day today at tax and fraud, the larger threat are quite a theoretical in the cyber security realm and we do not want to interfere with the freedom unless we are very, very sure that there is a very, very real threat to security. >> i think it is really instructive to look at what happens with the -- virus. microsoft went into closed session and introduced export take restraining order motion against the federal judge in

northern virginia, laying out in enormous detail the technical problems of that virus. basically, look, 244 domain names hosting the command and control servers for the virus that tells them, here is how to upload the new version. and since all of the reports and a public you can go to the court sites and read them. microsoft almost sieglinde leaf forged this doctrine say you cannot -- if you let them know they will do that they would just update the routing tables and will not know where they are. what you need to do is tell verisign to shut down the main server entry for all of those names and that will decapitate the network. the judge agreed with them and they did it. i think that is a pretty good parallel with the kind of emergency powers that are reasonable. we identified a specific threat. this is why we have to take

action to shut down this, as narrowly construed as possible. there is a huge body of american law on injunctions and narrowly crafting them and doing it to minimize the impact to the public. that is a great template for emergency powers -- here is the threat, this is why we have to act now and this is the proof that it is the most narrow possible remedy and then you do it and then maybe the other side gets to sue you and say, that was done completely and properly and we want damages and we have been harmed. i thing microsoft had to put some reasonable amount of money into an escrow account for damages should they be used once it became public. i think it is a fascinating legal case. the technical background is really interesting. and i really urge people to just go and search for microsoft versus -- i forget who they were suing. i agree with what he said -- you

have to narrowly constructed so it is not too easy to use. >> i think that is right. justice goldberg, the conservative, saying the constitution is not a suicide pact. it cannot be our protections of first amendment and liberties are so strong that we can allow a virus to take -- take down the entire american electric grid in fear of restraining free speech. on the other hand, as jeff has outlined, the mechanisms by which we allow that need to be very carefully thought through. or we are going to run the risk of shutdown -- shutting down people who just disagree with us. one more question, from this gentleman here in the front. and then we will move on. >> thank you. students in cyber security at university of american university college. we know that most of the

problems -- actually under cyberspace, related to lack of proof -- most security implementation. is there a way the focus should be shifted to the security of those software, principally the software targeting the critical infrastructure? thank you. >> i think that is exactly right. a vast amount of the problem is insecure software. it is badly designed software. software written by people who did not take security into account, for budget reasons, trainee -- training and adequate research, and probably most important, market reasons. it does not paid to spend the extra time building security into your system.

it is a bad economic decision for any company to make these days. partly what we need to do is figure out how to jigger the market so it is a good economic decision. if wheat increase -- if we increase the insecure software we will make less money and our stock will go down. but there is always going to be software vulnerabilities. o'reilly has a new book out called "inside hacking." the current generation of threats -- it is so subtle, so clever. as long as people are running computers that have 50 pieces of software on it and they are using the latest plug on top of this release of windows, there is going to be a vulnerability. there is a huge incentive to figure out the mobility and and in the fight it and use it. we should definitely do more research. there is a lot we can do to make

software more secure, teach it so people write better software, but it will not solve the problem -- it may move around a little bit. because there is always going to the vulnerability. >> a very important point, the fact that the software bugs are such a huge part of the problem. we just don't know how to write complicated million-line programs without bugs. we probably never will. one of the best solutions to that is open this. you open up the codes so that coders over the world can see it and can exchange and the nation about the law vulnerability is the seat did open source software is some of the most secure there is. the idea that we need to put the military in control of domestic cyber security or that we need to create a national identity system for the internet, those are attacking the wrong problems in many ways. in fact, there are going in just the wrong direction, putting in

more secrecy into the system. >> with that, i want to ask you to join me in thanking the first panel for a very enlightening presentation. [applause] we are going to do a quick change -- do not moved out of your seats because of the time they get off and they get on, i need the guys to come up and help me with herb's -- you have to sit next to me because this is the computer. .

>> welcome back to panel two. thank you for sticking with us. as i said, the second panel will look a little bit more at the former mechanisms that the federal government is doing. the last panel had a civilian/private-sector focus. let me introduce my degree panelists.

immediately to my left is dr. alan holdbonades. she has held positions at singapore institute of strategic studies. also at the center for strategic and international studies in washington. she has a master's and ph.d.. given the recent reorganization at the college of international security affairs, she is also now my boss when i teach there as a professor. i am very glad i invited her before that happens. immediately next to hers is dr. stephen boucci. he has a strategic emphasis on

on v how ibm internal security k tank. earlier he was part of the u.s. army serving in leadership positions and among the 82nd airborne division in special forces. he was on september 11 military assistant to the secretary of defense, donald brunn's fell -- brunn's build and served as secretary of defense for civil authorities in that administration. he is a graduate of west point, and has a master's and ph.d. from the university of south carolina. i am really stunned to note he is also a graduate of the hellenic army war college in greece, which is really cool. our last panelists is dr. herbert wyn. the chief scientist of the

telecommunications board of the national academies of science where he is a study director on a bunch of major products and balding public policy and information technology. most recently he was on the study on offense of information and warfare, offensive capabilities of the united states in cyberspace and also participating in the cyber deterrence study that dr. cohen and i have been participating in. prior to his service year, he was on the house armed services committee and has a doctorate in physics from mit. i am fascinated to learn that he is a long-time open and swing the of certain styles himself as a very poor magician. but denied his call, we will ask him to do tricks for us. -- if we don't like his talk, who asked him to do tricks for us. >> i will begin at that the ideas are my own and not

reflected on the university or the department of defense. after a few public speaking engagements i have come to the conclusion that i actually speak too much. notably in this case we're talking about the time of former deputy assistant secretaries and the chief scientist, so i should know better. therefore, i will ask for your patience in what will be a bit of a rather scripted presentation that i hope will contribute to a much livelier discussion later on. i want to begin by thanking the heritage foundation for the kind invitation. i also want tou underscore the events of in line with my most broad and my most urgent recommendation on the issue related to cyber domain.

as mentioned, the average person will note that this topic is widely covered in the media and it is increasingly becoming part of more than one of washington, d.c., agenda. however, at the time is right for the discussion to be shaped or included informed rigorous, responsible, open, and impartial efforts undertaken by scholars, experts, decision makers, with two goals in mind -- to educate constituencies and to contribute to the adoption of measures that will ensure the viability of our wider definitionation. i want to touch upon the role of states and state actors. i think it's a nice link between

the previous panel is. i also want to explain how i got interested in this topic. for several years i spent quite a few hours per week listening to the actual conversations and observing the interactions between al qaeda and affiliated members. however, i did not have to leave my office to join al qaeda as a new generation of trainees mckelwa. instead all of these interactions took place in cyber substitutes through a virtual portals. there i became familiar with explicit documents that listed responsibilities for what they called al qaeda cyberkids or on

line for gates. -- or online brigades. while the most prevalent focus remains the use of information technology as a research and support of other activities, clear intent on the use of cyber means as tools for disruption and destruction, appeared in their dialogues as part of their long-term strategic goals. forcing myself to engage on the empirical and sober dialogues that actually advocate for, i must emphasize that relative offensive aside for capabilities from al qaeda are yet to materialize. and one specific trend that i observed at that time told me it would be responsible not for me to continue paying attention to the engagement of our non-state engagement. and that trend i noted how al

qaeda was researching and developing a specific sets of weapon system, into things were read me from this trend. first, i noticed the relatively steep learning curve. they learn important lessons by topping -- tapping into networks of sophisticated experts and unknowing length granted them with no how. -- with a knowing be granted them with the know-how. -- with unknowingly granted them with no how. the should inform the mission and those in charge of devising cyber strategies advanced 21st century ad the series. and amongst those in charge of this task is the recently formed u.s. diaper command.

the mission of cyber p.m. as for the amusement of some -- cyber cam, is the amusement of some. it means a series of numbers that appear in the fields of the organization that stands for the 58 mission statement. admission that includes a defensive but also an offensive component to cyberspace operations. now, to seriously think of offensive and defensive cyprus strategies domitian's pursued by u.s. departments of defense is really to think about dilemmas ahead. the effort to do this is certainly under way. proposals on the adequacy and and adequacies of the legal preachings have been put forward by various specialists. among the remarks discuss, one proposal is the use of armed conflict as a possible platform

from which to draw for their insights on the legality of cyber warfare by states. serious advocates of this agreed that even if we take into account the principles of armed conflict to guide us and a separate domain, this analogy does not solve many of the future policy and strategic challenges. i will not go over each of the postulate of a lot of armed conflicts and the links to cyber warfare, something that has been done an eloquent writing, including some of my fellow panelists. instead, for the next few minutes i will focus on one or two examples following -- supporting the following arguments. the arguments that i want to talk about is first, the first nine -- and post-9/11 and are meant we have come across the

challenges of waging warfare with marked differences from the great 20th-century wars. second, this challenges characterize 20 percent through warfare, and i am referring to the most general physical expression have not perfect but interesting parallels in the cyberworld. according to the law of armed conflict, there should be a number of conditions to justify it and find the use of force. one of these actually relates to the need to clearly identify come patent for this accountable for military action. it for the last 10 years the u.s. has been engaging warfare theaters were the adversary is increasingly presenting itself as an unidentifiable combat and that purposely seeks to discuss activity in shield actions by operating from within the population.

locations that and other circumstances would have been considered as neutral spaces and sometimes even protected zones. in the cyber domain this can be linked to something that was referred to previously, and that is known to the problem of attribution. as a common practice, cyber attackers seek to exploit and hide behind a wide and complex set of networks, commonly used by the location at large so the word -- said this cannot be tracked to them. -- so this cannot be tracked to them. back into the physical world and into the problem of retribution is a common practice of states to use proxies.

i can think of the few groups are linked to iran. in the cyberworld this is increasing. although some of the information can be in a total or uncooperative, but there is increasing evidence that they seek reliability but outsourcing attacks. an example of this is the inconclusive but probable connection between the russian government and the business network who played a notable role in the cyber offensive against georgia in 2008, which brings me to another point. most of the law of armed conflicts in strategic thinking concerning the use of force in modern times has adopted as the eccentric approach, war was reached between states and for many years we used force against

non-state actors by calling it under a very interesting categories such as operations other than war. we have the element of surprise by realizing it is actually non- state actors that our adversaries capable of hosting strategic challenges against the nation state and the most powerful nation states. in our effort to devise adequate responses to these threats, we have tended to create another set of neatly distinguished categories that distinguish from one state at this area to another. in theory, we speak of terrorist international organized criminals and insurgents. however, in actuality late 20th- century warfare was and will continue to be characterized by the convergence of these entities. simple examples would be the colombian connection with

narcotics trafficking and the opium networks. the convergence of at the series is replicated in the cyberworld, continuing with the previous example of russia. when not functioning as an offensive sector against russia, the russian business network is also known to post scores of the legal cyber activities, some of them linked to the web sites dedicated to credit card fraud that actually on occasion have posted one or two al qaeda bombers. technically the nation's have problems waging war against non- state actors, yet as far as i am concerned, some of the most offensive campaigns have been waged against adversaries. the greatest threats to are linked to states. the u.s. must also be prepared to find responsible and legal recourse is to engage in complex cyber offenses against

adversaries that may fall short or contain full-pledged five rewarfleged cyber war. finally, regimes will have to account for a number of the implementation problems. for example, because of technical issues, cyber warare or simple cyber intrusions may look alike. who, when, how, and to what extent shall we respond. the assessment, planning, and response of government should be done with these challenges and mind. some of the decisions until serious transformation that will affect the public. ultimately, and particularly the cyber domain, it is the public, the private sector who will have the right and the

obligation to determine if they are willing to assume their risks and costs or if they're willing to adopt action and support policies in order to secure the benefits of of my yard and increasingly wireless cyberworld. >> in queue. perfect timing. -- thank you. >> probably a bigger stretch for army guys that i am a graduate of the state department's senior seminar, which is the state department's equivalent of war school. i have to give my own disclaimer -- these remarks are not ibm's policy positions. they are my own. please do not attribute them to ibm. also, i will tell you some of the things i am about to say are disagreed with by many people.

dick clark, people for whom i have enormous respect as experts, but i do not think they think with terrorists, and maybe i do. there are some differences there. some of this step has been touched on -- stuff has been touched on. if you made a graph with a number of incidents on one side and the consequences on the other, the beginning part of the crop would be huge. there are lots of things that go on on the internet today, enormous numbers of intrusions, attended intrusions that frankly our noise. -- are noise. there are some down at the other end of the graph that are pretty darn significant. not as many of them, but if they are successful in the malcontent that the perpetrators

are using, there are bad things that will happen. it is not as their radical as some people would think. i am not a technical guy, so i can tell you i do not sit at the keyboard and plan how to do this stuff, but i have lots of people that i know that our people with that kind of technical ability to will tell you it is not as hard as it might seem. it is like reichepas rocket scie to most of us, but to experts in this month thait is not that dit to cause great amounts of damage. we have individual hackers out there doing their thing. unfortunately some people in authority like to think the whole threat is the 22 year-old kid in his mother's basement with the star wars figures going after everything. they are not that big a problem. they really are not. small criminals are trying to affect you as an individual,

your money, identity. there are particularly painful if you have to be the particular target. on a societal basis, not that big a deal. organized crime is an enormous problem. if you talk to the fbi and people like that, for organized crime is a bigger deal now than drugs. -- cyber by organized crime is a bigger eelpodeal now than drugs. that is an enormous thing. they are all over the map doing all kinds of things to all sorts of people. cyber espionage. this is really tough. there is organized crime and trying to steal things from american companies, because the console that intellectual property to other folks and make lots of money. there are american companies dealing from american companies. old-fashioned industrial espionage now been much more

efficient and savor to do it through cyber than the older methods. there are foreign intelligence service is trying to steal from american companies to use p by their own governments or to pass through state-supported industries that are in competition with our company's, and there are the old-fashioned national security type espionage of intelligence services tried to steal from our governments. basically we have made espionage a lot more efficient, a lot safer for the people who are the perpetrators of it, because you do not have to try and go into a government building and walked out with a briefcase full of documents. you only have to recruit someone to do that for you. you can do it from a desk in some other part of the world. that is an enormous problem that will be there forever. it is the way we do business now

in the espionage world. terrorist use of the internet -- if you talk to the experts, they have always used it for propaganda and fund raising and some degree of recruitment. there is some evidence of them using it for some operational planning, there is even some interesting things of fund transfers through things like second lights and things like that. a liggett ways of doing that sort of thing. -- some interesting ways of doing that sort of thing. the biggest problem of terrorists using the internet is proof radicalization. -- through radicalization. hthere is a lot of evidence.

most of you have heard about the blonde lady from the south east that are recruited. that is a problem now, because that covers of vulnerability that the law enforcement used to be able to utilize to capture bad guys. at the other end is the nation state things. we have examples of a cyber nation state attack and the other a nation state cyber attacks enabling connecticut attack -- connectict attack. this is where dick clark and

they said that is the where it will go. i think we will continue to do so. if you look at all of those threats there is a lot of threats out there. how you plan against those threats, and the way you do it in my experience is to pick and the most dangerous threats and prepare for those. then you also have to prepare against the most likely threats. in the cold war we did that with thermonuclear war. we have to prepare for that. fortunately it was not too likely. the most likely send or proxy wars, which we had a couple of those. today the most dangerous threats are the nation state types in

areas where someone comes after us with. pure cyber. most dangerous threat, but not very likely for all sorts of reasons. and the most likely threat in my mind is a cyber terrorists attack enabled by cyber criminal capability. a lot of people said that is not true. they think terrorists will not use cyber because it is not spectacular enough. terrorists like blood and guts in the street and burning buildings. they think terrorists will not do it because it requires too big of a capability to harness and develop.

it takes more than one guy at the keyboard to do&s this, but t does qu require an entire army to pull off one of these events. the reason i say that is a terrorist group will not try to conquer the entire american electrical grid or take down the entire american financial system. they will be more focused d. a cyber terrorist attack will be much more focused than a nation

state attack. it could be the water control system in the northwest. it could be if the electrical grid in one state. they can do that. the way they develop the capability is by hiring criminal networks that are more than happy to work with anyone who has the money. i will end with this point. when i came up with this idea, i did not have approved case for it. it was just my analysis. since then, if you recall last year when israel made its incursion into the gaza strip, they announced they were going to go in there. right before they went in there was a massive denial of service attack against the israeli civil defense system. when they did the forensics at that event, it looked pretty much exactly like the event that had happened and estonia in

2007. i do not have definitive proof they hired the same criminal elements that were involved in the estonia event, but it is a pretty big coincidence they look at similar. did they hire the same criminal networks? i do not have approved, are pretty strong circumstantial evidence. i will end with this, in this business i have the non- technical guys confidence that we will figure out the technology to increase our security while still protecting our privacy. i think we can do that. they are not mutually exclusive, however, we have nothing like any sort of agreement on postings today. until we do, we will have a devil of a time addressing these issues appropriately regardless

of where you stand on these issues. but we have to do as soon or the terrace are going to use the delay we have to their advantage, and i do not want to be prophetic, and as think we will see this kind of event somewhere in the united states. >> thank you. i think you are right. demancyber security lawyer is probably a growing field for the next 20 years. to co>> mostly we think about cr security in terms of defending ourselves with fire walls and so on. i will talk a little bit about that, but there is a lot of stuff about how we may use offensive capabilities to defend ourselves as well. i will start with a metaphor,

which has some benefits. there have always been good guys and bad guys and technology may have evolved from spears and of bell and areasbow and arrowse have a sidebcyber space. the first thing we do is put a bullet proof vest on. this is a good thing to do. when you do that you are more protected. i have a sheriff's badge here. if he think about bulletproof vest as an inch of fruit for defense to have to ask a variety of question.

you have to answer a variety of questions. we do not just give them the best, we give them the funds as well. now you have to ask a variety of other questions like what types of guns and the cops use? and when did they have permission to fire? how did it actually paid in the field when they're using their guns? if you take a look at these types of questions, the questions about the defense, the bulletproof vests are very different in nature than the questions about offense. in the defense's case they are all very narrow questions about the technology and implementation questions. on the offense they are policy issues. how did they believe in the fields, that is not the technical issue. we have to really understand all of the dimension his for this. we have a situation where you have a good guy and a bad guy,

and the bad guy sometimes fires a gun at you. and sometimes he hits you. those are good scenarios. sometimes the public goes into your head, and that results is not very good. what i am trying to illustrate is the shows you might really want to think about having all of the tools at your disposal to help defend yourself. let's take a look at the specific technologies involved. you have a bulletproof vest, which is a technology. in cyberspace and as better fire walls and anti-virus programs and the like. sometimes the attacker comes up against those, but the attacker learns and then he gets a bigger gun. now all you have is a bulletproof vest and are in

trouble. ultimately the bad guy will find a way through these. we want people to defend us. we call the cops. in cyberspace the cops take a very long time to figure out what is going on. one might this be true? one reason is the nature of the attack. here you have a scenario in which the bad guy is attacking the good guys in blue. if the world was like this, this would be a simple thing to investigate. the real problem in cyberspace is there are no arrows. you cannot figure out where it is coming from, and you are still being attacked. you do not know where the other

things are coming from. then there is another question about the laws. it is security in cyberspace. if you look pretty closely at the statistics given graphic you will see that in some cases there are blank spaces and that means they are missing. blogger are very unclear. -- the laws are very unclear. you are in a jam. from the defensive side, you are focusing on defenses and can put up better fire walls and you need to call the cops. what you cannot do is return fire. what does that mean? here is the situation when you think about defense. you are outnumbered by the bad guys. they have all kinds of guns to

deployed against you, and you have the cops who are out numbers on trying to protect you. and this is not an entirely satisfactory state of affairs. let's take a look at the offensive side. the offensive side is something that is not talk about. it is starting to be, but not very much. in march 2009 report on cyber attacks as an instrument of national policy called for a national discussion. there are handouts that summarize the report, which are somewhere else there. pick one up on the way out. it is an eight-page summary of the report, and you can get the report tree on the web. -- you can get the report free on the web. what i wanted to do was take a look at things and show you how some of the questions that we

have already encountered in the criminal case apply to cyberspace. what kind of the weapons dukakis to use? in cyberspace to have a variety of choices. you could go and remotely, but there is another kind of an attack. many of you bought your computer's mail order. it was sitting on a loading dock. how do you know that someone did not go into the box, open up the computer, swap out a tip or put in a different piece of software and seal up the box. how many of you check for that? i know i did not when i got mine. i am a nobody, but and if i were the wife of the chairman of the joint chiefs of staff, that might be an interesting computer to do that too. that counts as a cyber attacks. then there are other types of weapons in cyberspace. it could target one computer very seriously.

you can't attack minicomputers at the same time. that would be a good thing, too. -- you can attack minicomputers at the same time. -- many computers at the same time. off you get some interesting questions. what happens if someone uses a cyber attacks to steal money from new? 1 trillion dollars at all goes away. is that an armed attack? what if you caused a blackout? is that an armed attack? what if you have at the electronic voting machines of another nation and try to influence the outcome of its elections by throwing the election one way or the other.

does that count as an attack? what if you just changed things in the database. the left side and write said are identical apparently predict right side are identical apparently -- right side are identical apparently. what if the program runs a nuclear power plants. spying is not against international law, so you are allowed to plant agents into another guy's computer to spy. what'd you change that instrument into an attack agent? does that count as the use of force? you may have certain rules of engagement that say in the private sector you say you cannot fire unless the bad guy is pointing a gun at you. here we have someone who was pointing something at you, and it is not clear if the is a good guy or bad guy.

how do you know who you are allowed to fire with in cyberspace and what conditions are for that? have you know who is an innocent bystander? -- how do you know that guy is an innocent bystander? bad debt is probably my father's computer. what are you entitled to do against an innocent bystander attacking you? have you get the bad debt to surrender in space? use and no more. -- you say no more. how do they know that we stops firing at them? there is still lots of war -- laws of war. q. are allowed to target a airfields and military facilities and animals factories, which are not allowed to target churches and mosques

and hospitals. what are the analogs in cyberspace? should a peacit be cyberspace? hot the bad does have a gun. we have something that looks like a gun. -- the bad gus guys have a gun. how does the bad guy know whether you are conducting an exploration or an attack? and the fact that there is the private sector is very much involved in this process. this will be a point made by previous panelist at the private sector and government will have to start working together in this. for example, if you do a cyber

attacks and want to go over the internet you have to a three u.s. internet provider in will tell u.s. service providers the next several attack you see is legitimate. do not shut it down. is that we're going to do? how will be managed that problem -- how will we manage that problem? it is a serious problem. the bottom line is we need a national conversation. get a copy of the summary sitting out there, and if you do a search on macarthur foundation technology policy and cyber attacks you will get to with great website that will download the full report for you. it is fascinating reading. >> thank you, herb.

>> i want to commend him especially. never before has anyone done 63 slides and 15 minutes. that is impressive. we have about 15 minutes left for q&a. as before, you were on tv still wait for the microphone. who would like to start today? come on. gentlemen right there. >> new president of dc -- resident of d.c. what are the implications of cyber security it end-users have the ability to have encryption on their computers? >> herb -- >> encryption is certainly a

good thing to have in some situations. it does protect you against some sorts of problems, but it is by no means a cure all. you can't encrypt -- let's say you have the best encryption program in the world and in courts all your files. the question is how you get access to it? what ever your answer is, what prevents a bad guy from getting it also? it will steal your password and key and so on. sometimes it can help, but by no means a magic bullet. and as one element of solving some problems. >> you have to be cautious with any sort of security at add on that you do not get lazy with doing all of the other things you need to do. cyber hygiene is really one of the keys. if you can do those things, you can protect yourself much more

than you would if you did not do those things. we have not yet figured out, no one has, how to protect ourselves completely short of going on the internet. that is not an option if you're born to be connected with the rest of the world. do not depend on one particular element, you have to do the whole thing. you always hear the the cops and they do not want encryption because then the bad debts can use it. bad guys use these technologies generally faster than the good guys do. cloud computing. that does have figured out they can use this to get passwords faster. rather than take two months to do it, they can do it in a week. the bad guys will adopt faster than the good guys on almost any kind of technology.

the cops are not going to keep encryption away. and but we have to keep working at it and help the good guys can stay competitive with the bad guys. >> the point about passwords is a good one. they can use all the cloud computing to get passports because people choose that passwords and they are too short. how many of you have a password that the 16 characters or more? >> not sixteen. no. [laughter] >> when i gave you the example of the learning curve of the terrorist that i was looking at, that a successful what i meant. there is no way we're born to be able to have definitive answers. everyone will catch up with that. that cannot be the solution. it has to be more strategic. >> next question.

the gentleman in the back room. >> i am a military fellow with c s i s. one of the big findings was the wall created by the fbi and cia to protect civil liberties and one of the reasons the system failed. do we run the risk of creating a similar wall between nsa and homeland defense, and if so, what policy measures can we take to prevent it? >> again, this is my personal opinion, our system requires some of those walls. it will add an some inefficiencies or imperfections and our ability to do security. as a citizen, i am ok with some of those, but as paul mentioned it is not a suicide pact. we have to find ways to do it correctly.

when we had the d.c. cyprus -- snipers we use military technology to try to find those guys. that required a presidential finding, special protections be built so the law enforcement guys could use those technologies and protect the information. all of the kind of protections that has been pointed out that we need. and we need to do that stuff in cyber as well. is it worth it? i think so. i value our privacy and civil liberties. we have to find a way to do it smart. privacy and civil liberties are not mutually exclusive. people who try to paint it that way are wrong, regardless of which end and they come from. we can do both, but both have to give a little. how much we give is a policy debate.

>> let me move away a little bit from the issue of privacy versus what we do in order to protect. you will find there are number of redundancies at this point. lack of communication. although i take the point that that is how we are built, and in some cases it is necessary, call me naive if you want, but when i see at the series that are somehow perfectly able to communicate and function and that have the networks and horizontal departments within their organizations that make them much more efficient, it is easy for them because they are smaller, but they are faster and to respond in more effective ways. i have had conversations with different law-enforcement agencies, secret service and other people that are doing some of the crime and you see one

would benefit tremendously from more cooperation. >> the gentleman over there in the corner. >> [inaudible] i just wanted to ask what do you think held back the definitions to start to be implemented? >> the thing that is holding it back are really good intentions. i have seen very lahorittle -- nobody is doing it to screw up the system. there are different issues that are important to them. he looked at all of the laws that we have better in contractor -- in contacflict wih

one another. this will sometimes put them in conflict with laws written by committees that have different jurisdictions. the pluralism builds and conflicts. i agree, it would be nice if we can streamline it a little bit, but i do not think we will jump the whole system to have him more streamlined. those are called dictatorships. we do not one of those here. -=- we do not one want one of those here. >> for example, we have such as a matter of national policy on one hand that we want secretary clint to have global dialogue and promote secure information technology and infrastructure

around the world. if we have offensive capabilities, which we do, a secure information technology infrastructure around the world will not facilitate that. do we really want everyone else in the world, including ourselves, to be secure? where do we want everyone vulnerable, including ourselves but enables us to go attack? that is part of why we did this report. we need to have that conversation. are we better off in a world where everyone is a cure or everyone insecure. i think the nation has not decided on that. >> down here. >> i am from the university of wisconsin. the u.s. largely imports computer chips and technologies. is ramping up the industrial base and ramping of manufacturing of these components and necessity in order to secure our cyber

defenses in the future in order to make sure what is manufactured conforms to the standards that are needed? >> lot of people think so. people worry that if you had chips that are made in plants that are controlled by foreign nations that leaves us more vulnerable. one alleged solution to that is to have more indigenous capability. whether or not that will solve the problems is unclear. i can give you lots of scenarios in which that will not solve the problem. some people believe you just suggested. >> speaking as the one person from the private sector appear, i think that is a really bad solution.

it totally destroys the business model a pretty much every tech firm in the world, which would drive the prices on everything out of the world. it would not have at the ubiquitous communication stuff because nobody could afford it. there are capabilities that different tech companies do that have additional security pieces build and. if you try to expand that out aside from the incredible price increases, it will only protect you for a little while. it just makes it more difficult for the bad guys to and treat your supply chain and try to mess with you as opposed to giving them opportunities overseas. it cost the company's money, but there is a lot of motivation to do that because companies like mine and all of the other

companies, our reputation is built on that. if we let our things get the old with so it affects the clients to whom we sell it, that is a ding on us. we do not want that. they are working hard to secure the supply chain. it is really hard to implement and is really a red herring. it will not give you the degree of security you think it might. >> we have one formore question. does anyone want to take this up? well then i will ask the last question and i will ask the panelists to give me a short response. what do you think will be the major surprise in the next five years in terms of cyber security, policy, or threat?

will it be an attack/ ? let's make it 10 years. i will start here and work down to the end. >> i think there are tremendous disincentives for the most powerful big threats to actually go ahead and attack. we have been consistently surprise about not what is a cyber attacks but cyber exploitation in order for them to gather information. i think we cannot measure that, but it is always surprising to me. it should come as a surprise and continue to come to look a surprising amount of information that is gathered by what i call adversaries. the way we are losing our information, information that probably should be stored and carefully managed. >> i will reiterate what my final comment was.

i think sometime in the immediate picture, clearly within the next 10 years, we will have a major center event in the united states. i think it will come from a terrorist organization with enough funding to hire help from the criminal networks. the thing that will be interesting about it is how the president, whoever the president is at that time, response. will they respond with cyber means, because remember there is not ruled that you have to respond with cyber capabilities. they can respond with old- fashioned stuff too. how the president will respond to that and a lot is how we can contribute interest the people to to give him those options for that response. i think that will be a surprise. >> the definition of surprise

police is that i would be amazed if that happens. and for me it would be if the u.s. sgot its act together and figure out what the policy is. that is my own personal belief. it does not reflect on any organization i am a part of. >> i want to thank the second panel for their excellent comments. i want to thank heritage for hosting us today. i want to remind those of you that are interested that there is a lunch of sandwiches and ships across the hall. i want to thank everyone on c- span who might be watching for sticking with us. i want to thank everyone for attending an issue of verifying the rest of the day. we are adjourned. [applause]

[captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2010]

>> > finishing up date for of this conference on homeland security. if you miss any of the prior panel discussions, they are available to see any time online at our home page, c-span.org. more live programming coming up today. later shepard smith will be among those looking at media coverage of hurricane katrina from a museum in washington. live coverage at 6:30 p.m. eastern on c-span. . .

the aftermath of hurricane

katrina, and he makes an argument. the finance journalist offers a critical view of glenn beck, and sebastian goes inside the high risk, fast money world of hedge funds. for a complete listing of programs and times, visit booktv.org. >> district attorneys from around the country gathered on monday for a national conference. in the next segment, the topic is child abuse research, prosecutions, an investigation. it is about one hour, 15 minutes. >> i will ask who has signed a. i will hunt you down with one of these. i hope to talk to each and every one of you with these during the week. it is my honor to introduce my colleague and friend, chris newlin, who is the executive and director of the national to the men's advocacy center and

provide some leadership, guidance, and management. -- children's advocacy center. they provide the same type as for adults. chris is a unique person. this past april, chris and myself, and a few other professionals were supposed to do a dedicated t.a. to some communities in parts of eastern europe and russia. we were all scheduled to leave on a sunday or monday night, and chris says something about flying together. i managed to have those fine through german airspace. do you remember the volcano? single-handedly, chris trained professionals through eastern europe and russia all by himself

because he was the only faculty member who made it. he is the kind of professional will show up, regardless. [applause] >> i appreciate it, thank you. that was truly an interesting expense. i'm glad to be here with you. i can hear myself ago, so i'm not concerned whether those in the back can hear me. let me talk a little about research. many of you thought they would check out. i'm really pleased to see that many of you have shown up. research is important, and for a variety of reasons. i will not go through them all here. but as the field of child abuse

and children's advocacy centers have been investigating, we learned a lot from the practice that we engage in daily. we learn from colleagues, stories -- the cases give us ideas of how to go about responding to the needs of the java and. -- of the children. there is also the world of research. it is only when we engage the aspects and merge them together that we are truly able to become a professional response. who has time? suzanne asked earlier if anyone has too much money. does anyone in your not having enough child abuse cases to investigate? similarly, everyone is pushed to the gills. the number far exceed our capacity at times. many of your colleagues do not

fully understand, probably, that investigating child abuse is a very difficult job requiring a lot of time. many times more than other criminal activity that may require investigation. because of that, how many people have time to stay up with the research regularly? is anyone in your -- in here interested in research at all, like me, a geek? there is some much out there that i cannot cover at all. but i can take what i think are some important studies, put them into relatively straightforward descriptions, and challenge you to think about how that research impacts your practice. the evaluation -- but never, put it down, but the best of weather

this workshop has any value -- is not whether you learn something this week, but when you return and the future and challenger team and the -- in a challenging discussion -- what to you think about this? what do you think about this study and what it says, and how does it jive with our experience. there we need to think about doing things differently? if we're not always changing, we are losing traction. that is the core principle of this whole multi-disciplinary response. to always challenge how we do things and look for a better way. ok, great -- maybe it is a

different button. as i organize this presentation, i try to start at the beginning of the case and follow it through. that starts with reporting. how that are we doing with reporting? the studies of talked-about all begin within the last three or four years. in this one from 2002 the look debt middle school and high school professionals in new york city, and would try to find out what the process of reporting is? they identified three issues that affect reporting of child abuse. the first is legal concerns. the legal issues in your particular state. each state is a little different. in my state, ministers are not

mandated reporters, for whatever reason -- although podiatrists are. every state has a little different mandated reporting law. as a caveat, germany has no mandated reporting mall. they're very anti-reporting l aws. what is going on with the case? you see a child, hear and see things -- what are those characteristics? what may affect whether or not you will report? finally, what ever personal experiences that i have -- my train, my childhood, my past experiences reporting. those three variables come together to influence whether someone will make a report.

they have 500 schools selected. they ended up having about 300 people participate across the schools' present. first, they found of the entire group that teachers and school personnel were suspected of abuse 92 times. of those, the 92 -- that they suspected it, they reported it 59 times. the immediate question is, what about those other kids? what about the 32 or 33 kids for whom he did not report? it is our philosophy that we say we are not professionals -- wouldn't want to come into the schools and educate. but we do want to investigate. it is a nice trade-off if you educate, and we investigate. what are the barriers that prevented reporting? they found they were either

personal, something about themselves, or some school- related issues. something in the school made them feel they could not bring your report, have to keep it within the school -- reported to a supervisor to be taken care of. the only good news is that 91% said they had reported the last time they suspected abuse. this is supported by another research report. we can do the greatest job investigating, but if we are not aware of the case, how can we investigate it? we must engage the community and better reporting. the greatest predictor as to whether an individual will report was the level of confidence about whether the abuse occurred. think about cases you discuss on a regular basis. what are the cases you will most

likely charge? it is the same way, isn't it? the ones with the greatest confidence and evidence. usually the evidence is related to the amount of confidence. how do we improve the education and awareness of those reporting so they have more confidence? i do not know about your community, but many times there are concerns or issues about parents, and how much they are aware. every problem in your community, how much parents are aware of, how much i care giver may be aware of -- interesting study done. it was to look at what mothers necessarily know. the slides changed a bit. if you want the entire

presentation, i will e-mail it to you. what is it that mothers necessarily do after a child has been sexually abused? they had 125 families with kids in treatment. it was clear abuse had occurred because either the perpetrator had confessed, a criminal trial was held and the person convicted, or the was overwhelming evidence. there is a high degree of confidence abuse occurred in these cases. and the perpetrator in these cases was someone we would anticipate -- someone known to the job. children are nearly always sexually abused by someone they know. no big surprise there. they asked the mothers, what was your initial source of learning something had happened to your child? and the number one answer was

that the child disclosed to the mother. but the child this close to the mother only 42% of the time. more than half the time the child will not disclose to the parent. do you ever hear of a mother who says that my daughter and i were like this -- she would tell me everything, but because she did not come i'm not sure that something happened. if nothing else, you can say listen, mother, more than half the time, kids do not tell their parents first. that is something to say that. for others, the child's behavior was indicative. weekend necessarily guess what that behavior might be. go on down and there is the hunch -- that would be a suspicion from the parent as opposed to actual behavior. and then, the doctor's

examination -- a small percentage. and the abuser tell me -- i don't know where they are. really, those in your committee -- community, afford to confess. i'm really sorry, and know it probably has some long-term ramifications. i do not know where those votes necessarily are, but god bless them that there are least taking some level of responsibility. if that is how mothers first become aware of abuse, with this study, it was interesting that half of the mothers said, before i found out something happen, and had the feeling that something was not quite right. for the ladies in the room you have that intuition. creepy guy, not so, nice guy, not so nice, want to stay, want

to go now -- these mothers had their leader up, and about half said that something doesn't feel right. -- they had their meter up. ladies, when something does not quite feel right, what do you do? do you walk away? no. it is kind of unrealistic that we would walk away. what do mothers do? if you had a suspicion something happened to your child, you would probably do what two- thirds of these mothers did. you talk to them. if i had reason to suspect that my child was sexually abused -- a work in this field -- i would go talk to my kid. i would not say, listen, i understand as the coordinator, the multi-disciplinary response -- i will defer having any conversations with the job. i will merely say, i love you, all that i want you to do is

tell the truth. no, i'm going to talk to my job. about half of the mother said that they would wash things more closely. any of you with teenagers are familiar with that -- that they would watch things more closely. near the bottom of the list are some interesting things that shed light. if you have reason to suspect -- guys like to hold it in -- but mothers do not. lots of times they said it would talk to friends and relatives. there is some information that can be gleaned. what was the attitude of the parent when they call? did they feel they had caught the person, or were they crying, or upset? that emotional response may be somewhat indicative of for the case might be going. the other is, because of the recognition that no one raised their hands that you have too few cases -- these mothers said

that i know you are busy, so i will do the interview with the suspect. so, it is not uncommon for mothers to confront the suspect. then they asked, what is it that decrease your doubts? ok, so we all are my interview experts. it did those of you -- have you ever done an interview where it is so compelling? you said, we need to do a good, coordinated and to view -- but

i'd bet my paycheck something happen to this job. i have had an interview like that. for some of the mothers, of the over 70%, hearing the disclosure of their child was the biggest thing that led to them decreasing their doubt. then there were a number of other things you will see here. one was the opinion of the therapist. to have someone in a position of expertise to give them some input and feedback was really important. do we always do that? do really still appears that i think something happened here, or not? we said we have investigation work to do -- for them, they say, gosh, they're not sure, maybe i should not be. what i think is so interesting -- of all these mothers -- and these are cases we know

occurred, less than 40% never doubted their child's disclosure. nearly 62% at some time out of their child's disclosure. is that shocking? given the option of, my child has been sexually abused, or these are well-intentioned professionals who are maybe not getting something quite right, and maybe something has not happened -- which would you rather have? time out for second on that. i have two boys. my oldest son at 17 -- we had some moles removed from his back -- no big deal. the report comes back and he has a malignant reading. it is probably one of the most aggressive forms of skin cancer. if not caught early, it can be fatal. there is a part of us -- no way. the laboratory got it wrong,

mixed up the samples. surely, our son does not have a malignant cancer at age 17. we did not want to believe the report from the university of massachusetts medical center. there is a reluctance to believe it. it is important to remember that it is not uncommon for mothers to dow whether something happened. -- to doubt it. do you ever have the parents who are non bleeding? -- non-believing? i guess you and i are the only ones who have this cases. everyone else does such a great job of educating that we can take lessons. what increased your dog, made you concerned? it goes back to the most prominent answer with the mother saying that i should have known. -- what increase your doubt? i should have known because my

daughter and i are just like this. the abuser deny the allegation is the other thing. the usually honest, forthcoming individuals? many times if asked, they will say no. people who did say no, and people who did not say no, so does not help to differentiate. do you ever have this cases -- i know that john is a good, god- fearing man, goes to church regularly -- he would never do something like this. when you're talking about a 40 figure -- of 40 figures -- those are difficult, a dentist, an airline pilot -- authority

figures. the child's story -- 22% said i was more doubtful because the story of the child changed. and maybe it was enhanced. more information came out over time. that is different from the story changing. this study has a lot of very useful information to share and communicate. and potentially with parents, if some scenarios come up. so -- and i have been around long enough. it was a simplistic approach. it we had a supportive parent, or non-supportive community. do you ever have those discussions? it is either one or the other. this is a very intriguing study

because it challenges to think in another dimension about parents and how they are responding. they wanted to look not only at amount of support, but ambivalence. does anyone have a teenager, especially at 13 to 15 year-old? they have good hormones flood. -- flow. unless you want to confess to the roomful of professionals that you care for your children and provide for them in a nurturing environment. is that accurate? yes. are there time she would be willing to admit that you cannot wait for this job to leave your house? you sometimes even wonder whether they will reside in a penitentiary because of their

lack of regard? they are so individually-focus that they would not be a fully functioning member of society as we have now? i had two boys. my second one definitely was there. thank goodness, i now see more than glimmers, consecutive glimmers of maturity that gives me hope. but for parents of teenagers, often times -- listen, you are frustrating the heck out of me. you're not doing what i expect you to do, but if anyone does something to you, i will protect you, make sure that you are fed. that is the difference between how we feel -- ambivalence. you are frustrating me. i cannot wait for you to move out, versus the support which is

what we do. one is how we feel, the other how we do. think about that within the context of child abuse investigations. they had 29 mothers whose kids have been abused by someone in the home. 24% of the mothers said they had a good or excellent relationship with the perpetrator. when thinking about the sexual abuse cases, it challenges to wonder whether 76% of the mothers are in our relationship that at best is average? that is kind of it concerning. why are you staying in a relationship that average -- it is either a grade of c or worse?

by these people remaining in these relationships? two-thirds of the mothers said their spouse or partner had physically abused, assault of them in the past. she also challenged as to whether we always ask about domestic challenge been the home -- not just using the big words, but more specifically to find out whether there is a conflict between domestic violence, child sexual abuse? we'll talk about therapy dogs, and then animal abuse will be an issue. put on the thing that chris works well with only one button as opposed to 17. we found concerning ambivalence and other factors that they were unrelated. there may be parents who were ambivalent, not sure whether something happened, were not convinced of the abuse, but with

their support, they could still be supportive, and could engage the supportive behavior. it is important to think about looking at both sides, not only how they feel, which is their ambivalence, but how they are acting, which is their support. what predicts whether a child will disclose at a forensic interview? this was an interesting study done to look at if there are things that necessarily predict when a child may disclose in an interview? the converse is also true. is our system always designed to meet the needs of every child? there are certain things that may impact the disclosure, so we need to make sure that we are looking at the process, and when all we can to give every child the opportunity to disclose abuse. this study was done with cac's.

they defined a full disclosure for the purpose of this study as during the forensic interview of all sexual acts related to have -- taken placeplace concerning the interview. 90% or more of cases that we see we never get a full disclosure. i have done many interviews that involved lots of investigations during the course of my career. it is very humbling now in the digital age where people are recording documented evidence of the actual abuse they had engaged a child with, that your interview gets only about this much. i have become more skeptical of how much we get from the job. it may feel like they're telling us everything, but reality is, it probably is not.

they first looked at the time from the last incident, first incident, until when the child is closed. in two-thirds of cases, your kids disclose within the first year. when suzanne and stir it chonju question about how long you have been in the field -- and i kept my hand up, and up -- not until 30, but long enough that i remember -- and i do not have data to support it, but it seems like there was a longer time from when an incident first happened until a child reported. it was common to see a case of a child the teenager that reported something that happened when they were six or seven years old. that is shrinking. some german still not disclose until adulthood -- some

children do not disclose until then, but we have increased awareness, and they're more likely to report a sinner. of all kids in the study who participated, 73% made a full disclosure. 12% made a partial disclosure. 10% of kids made no disclosure. they did not deny, but did not disclose. 5% of the 1000 interviews denied anything occurred. girls are more likely to disclose. the bottom line is, they talk better than boys do. the disclosure rates were also higher for older kids. the least likely to report or disclose is a young boy. they have of a harder time to report abuse according to this

study, than do girls. they also looked at the impact of a child making a prior disclosure. those who had, before they came to the cac -- the had actually told someone about something happening to them, 81% disclosed during the forensic interview. but for children who had not, but for whom there was enough indication, they did disclose. if they have previously disclosed, they are also more likely to disclose. here are the kids who did, the kids who did not -- what is different about the interactions or actions of the type of

caregivers? the things related to to making full disclosure -- kids whose parents contacted law enforcement. they prevent any contact between a child and alleged perpetrator. they remove the suspect from the home. they get in contact with someone else about the allegation. it is the parents who do not do those things are in an environment he did not make overt actions to protect their to them. -- where they did not take over action. children hear these things. in some ways it seems to be helpful for them to know that their parents will be responsive.

my approach to research is that as a scientist you should be -- you should have about the cs -- hypotheses, but be open to anything. we have this report which may or may not be true, and there may or may not be other things that have happened to the job. i need to be wide open. i cannot have a mindset about kolbe said in the report. as opposed to a descriptive title, it seems to be a statement of fact. -- i cannot have a mindset about what will be said in the report. it challenges the independent researching approach. let me give you some background on this study. there were 125 young kids in a

program. they were invited to come to visit the fire station. they were at school, have someone help to address them in a far man's jacket, -- fire man's jacket. they touched each child on the shoulders, back -- non-sexual touches. they spun the children are around three times to turn into a firefighter. then the kids went down to the fire station on a bus. they were spoken to by a spokenfireman. when the return to school, there were all given a medallion for

being good. all the kids experienced this. then they interviewed each of aboutids one month later of what they may have experienced. they showed them the medal, and each child was asked to make a drawing to show where he or she was touched during the expense. do you like these drawings? the german have an extraordinarily large hands and feet. if -- the children have large hands and feet. the difference between the boys and girls is here link and clothes. are these the kind of pictures

anyone would necessarily use? no. i'm not sharing it because that i think it is a quality city, but i think it is a dangerous one that could be potentially used to harm children, and you will see that. the children who did recall having put on the costume were given this instruction -- you have are they told me that you put on a costume when you visited the station, and i heard that so and so help you. i want you to use this picture to show me where so and so touched you when you put the cost him on. any concerns with that question? -- at were and you put the costume on. >> it is pointing out that

someone touched him. >> if you take these to interviewers, what would they say? these are five-year old children. it is a lot of information mingo is also misleading. --. it is also misleading. they put it on at the school, not at the station. it is bad in a range of ways. of all the children who participated, 101 not included because they said they had not been touched at all. -- 10 of them were not included. they did not report touch -- it was no big deal. they were only putting on a jacket. only four of the entire group

were included in the analysis, and only four of all those included were reporting on having been touched. so, only four made a full and complete disclosure. of all the things that they did this close, less than half were accurate. -- that they did disclose. this is concerning. if you have an expert testified to this, and tell how inaccurate the children were -- 11% indicated that they received at least one gentle touch. we know that they did not during the entire activity, but 11% say that yes, someone touched me down here.

25% say that someone touched them on the breast. that is pretty amazing. you have the experts that testifies. the research study was published, and much of an were interviewed using drawings. 10% inaccurately reported because tear, 25% on the breast. -- 10% inaccurately reported being touched share, 25% there. it is just too inaccurate, so we cannot accept the testimony of a five-year old child. would that be a surprise moment if you were not prepared? i bring this up because i want you to be prepared for that, if someone were to use this study and try to make those points. they said, we want to change this up. we want to -- do the same

interview, but interviews some immediately after, some 24 hours later, some one month later. think about the difference between the way this experiment was designed, and what happens in real life. why would children have more difficulty remembering touches to put on a jacket then physical or sexual abuse? your test all the time in daily activities? tell me about that. -- you're touched in daily activities? >> [inaudible] >> she was right on.

but she said that children are touched all the time, and there are things she would not necessarily remember that. if you are on the elevator and it was crowded, someone made touch your arm -- but for the most part you are crowded in there, and possibly a touch occurs, but it does not stand out. with physical or sexual abuse, that touch is the primary organizing feature of what happened. it was not like my dad and i were laying in bed together and were going to watch a movie, and during the course of that, he put his hand between my legs. if that is the case, then we have to go back and find a context. it is important to recognize the fundamental differences between

but touches we would expect to receive on a regular basis, compared to those that are unusual. we will talk about questions asked at the time, and later in an interview. children remembered more of the correcttes right after the of that -- more of the correct touches right after the incident. you would probably remember right after you got off the elevator. but if you wait until the next day, or a month later -- really poor, probably. again, 7% of the kids so that they were touched on their genitals when we know that there were not, and 24% were touched on their breast when we know

that they were not. we have the expert in the courtroom who says the greatest science is when experiments are demonstrated in a different population. about 10% of children and accurately report, and 24% inaccurately report touches of the breast. for that reason, and based on replications of that this study, you cannot rely on that. so, you cannot necessarily rely on this child's stigma. it could be problematic if you had a skillful jurist -- you cannot rely on this child's statement. this study concerns me because it could be used to harm to them. what is the difference between what they did and what happens in real life?

they want me to give you the answer? first off, they do not interview kids the way we interview kids. they do not build report, go through the same kind of training, but go straight to this topic. they introduced a body map drawn is not consistent with those commonly used in the u.s. to identify parts of the body which are not closthed. they asked inappropriate questions, and about touches in way we would not necessarily. that is why they got their skewed results. those coming to the cac help kids? do they and their families?

coming as valuable? the way that the study was done, there are four committees that have cac's that had to be with nearby communities with similar cultures and dynamics. you had one youa cac, and one that did not in each of the four sites. -- you had one that had a cac, one without. you asked how satisfied they were with going to goingcac. more caregivers that went were more satisfied. overall, caucasian families were more satisfied. -- i mean were less satisfied

than other ethnicities regarding intervention provided. they were asked what they liked about how the investigator responded. the investigators got higher scores when there was some action taken. an arrest made, or the investigator said, i believe abuse occurred. why would they be more satisfied if the investigator says that something has happened to the child? because there is believed. -- belief. who have not shown up? they either have a transportation issues, or they want it to go away.

the people who show up and are 10 minutes early, and the children are dressed up for the video -- those are people who want something done. it is just logical there will be more happy if people make things happen. they also found caregivers were more happy with the cac response compared to the comparison committee. the most interesting things relate to the children and what they reported -- compared to the comparison community. do you remember your first forensic interview? were you scared? i first remember -- i remember my first. two boys allegedly abused by their older brother. i thought i would never be able to do the job again.

i was sweating all this stuff. all these things. i felt very scared. i think the study really challenges us to remember, no matter how we feel doing that -- the analogy would be the first time you are in court prosecuting the case as an attorney -- a little intimidating. every time these kids come into a forensic interview, it is their first time. they are not adults, have had no training. they have never been there before. they do not know what to expect. we have all those advantages, and are still nervous. 11% of kids said they did not feel that investigators understood them well. do you know anyone in your committee who is better to observe and conduct an interview? i have known them.

great detectives or investigators, not so great interviewing kids or suspects. 19% of kids felt they did not think the interview really understood what they were talking about. you took me away from my mother -- all these things. 33% said they felt the investigator, that they had to explain things to many times to the investigator. why would it be that investigators want kids to continually go over and over their story? it is because a lot of times we are doing a forensic interview and get a little bit information. we will ask a question from this angle and that to elicit more detail.

detectives and prosecutors need details to have things to pursue. it helps to know whether the abuse really occurred. going around the block and asking in a different way is the son of a good interviewer. it is important to remember that kids experience that as you been stupid. -- it is the sign of a good interview. how many times do i have to tell you not to put your hand on the stove? that is there to flee. after the interview, tell them i know i asked a lot questions -- that is the kids' takeaway. help the kids to understand the context. we want them to walk away with a

positive experience. they found significantly more children coming from the cac committee's the spread themselves as being not at all or not very scared as the other kids. they were a lot more comfortable than those being interviewed at the school or hospital or police station. a follow-up study that covers some of the same things in the same areas look that parents and caregivers. what did they like, as they expected, and not as good as expected from investigators? regarding the process, the parents had the idea that the evidence being collected the early was not that great. did not have the feeling that justice was being pursued, or that interviews were not necessarily done in a timely fashion.

over half the kids got skills in interviewing could be better. is interesting to hear, homeland. we have to pay attention to it. -- humbling. they did like that we did a good job of providing emotional support. we may not be very good at doing some things, but do at least provide emotional support. it is something to build off of. the children reviewed that our patients, thoroughness, and helping to respond to them was good. we were not pushy or overhauling, were demanding. it was not like a c.s.i. interview. now, regarding the

investigators' abilities, caregivers expressed concern about a lack of communication, of knowing what was going on with the investigation. do you ever get calls? this is a great role for the victim advocate to play, to be intermediaries. because investigators are moving on to the next cases, frequently. 20% did perceive a lack of commitment from investigators. i would guess you may know or have known of an investigator assigned to your section -- it was not a good fit. unfortunately, that happens. it is important when it happens for that to be noticed and addressed immediately. every child deserves a quality investigation.

better than expected -- 27% of the parents said they felt the interviewing was good, positive. it challenges us to get everyone into the really good pile. there was support given by investigators. it challenges us. almost 20% say the investigation is taking too long. matt described a case -- some are complicated, and maybe take longer. we need to help educate and engage them. so, we see this a spread between

some caregivers, some feeling engage, some not necessarily as much so. medical exams. we have done our reporting, an interview. talking to the mothers. now we're looking at the medical exam. this is an interesting study to me. we had nearly 780 kids who participated -- some were seen urgently, within 72 hours of the allegation. another sample, some were non- urgent. it had been more than 72 hours -- no hurry. they also looked for disclosure rates among other things. the kids in this closed -- when there was an urgent exam, about

86% disclosed sexual abuse during their forensic interview. for those non-urgent exams, only about two-thirds disclosed. it goes to the factor of been recent. the closer to the disclosure, the better off. we're pretty much responsible for all child sexual abuse. we can be proud about that. they found that males committed nearly all the sexual abuse. look at the age of perpetrators. many are often surprised to hear that adolescents commit about 35% of all sexual abuse.

this study takes it further -- nearly 800 cases, all seen at this hospital. the perpetrator for the urgent cases that happen within 72 hours, the perpetrator was older than 15 in 55% of those cases. the flip side was that they were under 15 in 45%. it is even higher when you go to the non-urgent exams. they found the alleged perpetrator for the non-urgent cases was nearly 60% under the age of 15. a dramatic number of criminal sexual offenses under the age of 15. it is an alarming trend. we all know that we live in a highly sexualized cited. if you go into the brush restore when you get back,, you'll see a bunch of magazines. on those is thought to have a better orgasm, have to look hot, sex tips in bed, how to look good for your man, how to

lose weight. all these things are very much oriented towards sexuality. our children are growing up in this environment. is a challenge. the perpetrator is almost always, commonly someone known or in the family. but they found the rate of positive findings -- in an urgent exam, 13% -- less than 4% in non-urgent exams. do you ever have families and say, we just need to go to the doctor. because the doctor will tell and say. if the doctor says the job is if the doctor says the job is