tv Key Capitol Hill Hearings CSPAN January 6, 2014 2:00pm-4:01pm EST
2:00 pm
iraq, i will repeat what i said before, which is we are committed to providing assistance to the government of within its efforts to work andal and regional leaders expel al qaeda affiliated groups from those areas. we're going to continue to do that to help them achieve that goal and help them discuss, at a think thelevel, as i national supervisor did the other day with an iraq you leader -- with an eyiraqi a spirit of reconciliation so the common interest of rejecting al qaeda is achieved.
2:01 pm
>> is the president paying for the flight back from hawaii? personal travel the first family will appropriately fund in line with past presidents. the first lady will travel via government aircraft. you are accurate in your description that this was her decision to remain in hawaii. kids, you know that telling your spouse they can spend a week away from home is a big present. not that we don't love our kids. acknowledged her birthday. we will see what we can come up with. i have to run to a meeting. >> [inaudible]
2:02 pm
>> on the disclosures issues? the president will speak about those issues prior to the state of the union on january 28. sometime between now and then he will address those issues. great to see you all. good luck. [laughter] missed any of our coverage of today's briefing, it is available on our website. go to www.c-span.org. live at the brookings institution, a group of journalists discusses cybersecurity issues. you'll hear from two panels of correspondents, from the guardian, wall street journal, the new
2:03 pm
2:04 pm
book, which i have right here in my hand, "cybersecurity and cyber war," which has already been endorsed by everyone from the former commander of nato to the head of google to the homeland." "24 and we are going to talk today about some of the big issues in cybersecurity. what are the policy implications? what are the policy responses? what can we do with ordinary folks? i am sure you all know, is the director of the center for 21st century intelligence here at brookings. is now a visiting scholar at the cybersecurity policy research institute at george and was here at
2:05 pm
brookings for three years. just interesting to me -- to kick things off -- this book is coming out now. we have had a stream of cybersecurity stories, mishaps, events in the last five years. i'm curious as to why you guys decided that right now was a time to go back to basics and to lay out a primer for folks about what they need to know on the topic? >> i first want to thank you and thank you all for coming out. it is an exciting time for us. that actually links to your question. the book is a journey. it is coming out now but it shows the journey of almost two years. behind it and why we
2:06 pm
think it is particularly relevant right now is -- i would argue there is no issue that has become more important and less understood than cybersecurity. i say more important in terms of its policy implications, whether you work on classic military issues, national security issues, to legislative questions and the business side, to your own role as a citizen. the issues at play here are we as to the weighty future of politics and your kids on what they are doing on snapchat. we can see a gap in lots of different ways. the former director of the cia
2:07 pm
he has never dealt with an issue where there was less knowledge from people around the table making decisions. 70% of business executives have made a cybersecurity decision for their company. not 70% of cto's. no major mba program teaches it as a regular management issue. the way we handle our self favorite terms of our story -- the most popular password is still "password." that is what i use on my luggage. to all these different issues popping up, whether it is the nsa or the like, it goes back to
2:08 pm
basics. it gives you a primer for all the key questions from how does this work to how can we do it? we are emphasizing what everyone needs to know. as long as we have the internet and we are using it we will have issues of cybersecurity and cyber war. it seems to me 2013 was the year of the leak in terms of cybersecurity. i don't know if you heard but there was a contractor who got his hands on some documents. 2014 -- where do you see 2014? >> it is going to be like the past, but more so. one of the interesting things about 2013 was it was the first year that no major person in the
2:09 pm
policy world gave a speech that amounted to -- the problem with the internet is it was built without a security in line. want to move from an area where cybersecurity is something that is seen as unique and separate and cut out of a whole new cloth into an issue that is integrated into everything. a manager cannot just say, i will call my cyber guy. one thing we expect to see is boards of directors are going to start demanding briefings. they are going to say -- how are we covered? we are going to see more attacks, moving from taking advantage of human error and finding new challenges.
2:10 pm
one of the largest questions that is always at the intersection of the technical and the economical and political. the responsibility of securing your cell phone? is the manufacturer of the phone, manufacturer of the operating system, or your cell phone company? in 2014 we will see those issues come to head. we will work towards a more coordinated approach. i am going to ask a couple of more questions of these guys and then we will open it up to the audience. get your questions ready. both of us have worked around pentagon types for a while. it always seems like the answer to any cybersecurity question is more offense.
2:11 pm
if we are being hacked, the answer is to hack them back 100 times more. do you see that trend continuing in the government, that everything has to be about offense? does that trend, so far, make any sense? >> it is a big question of consequence and we think about not just what we are spending on but the potential to spiral out in directions that we do not want it to or we lose control over. this notion of cyber offense is very appealing. it is appealing in terms of -- if someone attacks me i will attack them first. the best way to defend yourself is a good offense. we can see its implications and assumptions that we are starting to bake into our military doctrine. there is a pentagon statement
2:12 pm
"in cyberspace cyberspace --"-- in our next panel we are going to hear from experts on it. to do something like that is quite difficult. we have not seen senior pentagon officials describe it as -- they are a couple of teachers -- a couple of teenagers sipping red bull. and they can pull off a weapons of mass destruction style event. no they couldn't. to do some of the more effective stuff, it is not that easy. the defender has a series of steps they can take to make cyber offense difficult.
2:13 pm
it is not as easy offense. when you start to connect both technical side to the military side to the policy side to the history side, you see some lessons crossing back and forth. every time in military history where someone has said the military offense will be dominant, history had a great way of teaching them that it played out the opposite. the problem is where do these assumptions sometimes take you? we have seen this in what we are spending on right now. it depends on which study. roughly 2.5 to four times as much on cyber offense research as they are on cyber defense research. if you go back and connect to security studies, it is a lot
2:14 pm
like thinking the best way to protect your glass house from a gang of roving teens is to buy a stone sharpening kit. that is the implication here. we need to come to balance on not only how we talk about how we assess these threats, but also a balance in what we are spending on and how we approach it. >> just from a political perspective, one of the things that i think is a novel aspect from the international conflict perspective is we talk about attacking their systems and they talk about attacking our systems. they are the same systems. we are using the same platforms. often we are going to be faced with the decision of do we exploit the other guy or do we work towards defending ourselves? once you realize it is not just us versus them,
2:15 pm
you find many different ways and the many different them's. we are all better off if we move toward security. >> i think one of the reasons people are outraged is because they're not just undermining access to e-mail accounts of terror suspects that they are undermining the fundamental security protocols that work for all of us. >> i think that is a key point. we don't want to overstate it. there is a headline in "the washington post" this weekend that says the nsa is trying to break our phones. we want to make sure that other national goals for diplomacy, for commerce, for trade are balanced in the government's
2:16 pm
process. that is why many people around the world said, what does this mean for us? that does not lead to a very stable world. >> i was doing some policy work here. frankly it relied on trust in the government that i feel i cannot take anymore after the snowden leaks. maybe talk to me a little bit about how those leaks are affecting policy prescriptions across the board. challenge of what was disclosed is the massive but together a variety of things. about the leaks -- i categorize them into three types of activity.
2:17 pm
smart, sensible espionage against american enemies. there was a series of activities that was disclosed that way. the second category i would put in terms of questionable -- legally questionable, politically questionable, basically efforts that involve u.s. citizens. to be blunt and direct, a third category we could call "stupid," which is collecting close intelligence on american allies. we have these three categories out there so when people talk about this issue and how upset they are about what the government is doing or upset
2:18 pm
they are with snowden and should he get clemency or not, they usually focus in on one of those categories. in turn it is effective in the way we have talked about it. we have defended these programs to the public and what matters in the political discourse is category two, the legal and questionable stuff. merkel is category three. the real effect is not just in terms of how it has changed the political discourse here, but the long-term impact of it is probably going to be most felt -- one, american business will lose as much as $180 billion of revenue because of disclosures around these activities. it goes into the 2014 questions --
2:19 pm
ongoing debate of the future itself and its governance. and talked about these issues looking at the itu. these questions are around internet freedom. frankly, the internet freedom agenda the state department has been pushing seems almost dead. in the years ahead there will be some big decisions to make. we may have lost certain key swing states that were with us previously. if we don't watch out in the year ahead, the internet that all of us have grown to know and love will not be the ones that our kids inherit. because of why? >> it is the idea that there is very different visions about the internet and how it should be governed, so to speak, and what
2:20 pm
should be the role of states. the multi-actor layers of responsibility set up we have right now has worked so well. we see this push by authoritarian states. when you try to enter in an address that doesn't go where you want, that could very much be the future. that is different than the nsa -- the monitoring side. is two different state problems. in the politics of it they got wrapped together. >> they have been tied together. so you have genuine concern about the process that peter -- which, that ad hoc to be fair, seems close to human interests. we set up this organization and it works well.
2:21 pm
if you look at the structure on paper from a political perspective you say, that's not fair. let's move away from a representative style. the problem is while that may sound good from an organizational perspective, the consensus seems to be that it will really empower two types of countries, those that want to throw up barriers around their own national network for national security reasons and countries that want to throw barriers around for economic reasons. they longed to go back to the local telecom monopoly style. this discussion has been pushed since last december. it came to head at a conference in dubai. the united states and its allies, including brazil, held off on this. we lost the vote but maintained enough to keep the status quo working. i think if that vote had been
2:22 pm
taken shortly after the snowden leaks, i don't know how many european allies would have voted with america. we risk a balkanized internet, where each country sets up its own policy level and says we want to make sure our technology is in the network. we are going to have national level policies about what kind of crypto algorithm you can use, that everyone making this technology needs to make a separate chip for each country. that is really going to hurt the pace of innovation and change how this whole cyberspace evolves. there are two things -- on the domestic side we see the classic security questions. this has done to the politics of cybersecurity on capitol hill. we have not had major cybersecurity legislation passed since 2002.
2:23 pm
that was five years before anyone heard of the iphone. because of this and a number of other factors it will be a number of years before we see this come to fruition. it is trust in the computer labs, which -- i met with a senior leader of a silicon valley company who described it as an arms race with their own government, with the u.s. government. in the book we talk about the importance of finding the i.t. folks and how we deal with this capital problem in cybersecurity. our government agencies now have a major issue at the same time where we need to do a better job of recruiting cyber talent. by one measure we are only getting around 10% of the cybersecurity we need.
2:24 pm
>> i would like to take some questions from the audience. please raise them in the form of a question, not a rant, statement, or diatribe. have a question mark at the end or have your voice turn up at least. it has been said that this is as much of a threat as an attack -- where in the administration does this issue about governance reside? many people believe that the model is too u.s. centric. where in the administration does this reside? >> like a lot of cyber issues,
2:25 pm
it covers a lot of ground. the question of internet governance covers everything -- new domain names for top-level domain names. that is a trademark issue. it is versus the very real question of how do we secure the domain name system? how do we allocate the remaining ip addresses? those cover very different issues and this has been in the department of commerce traditionally, who has the contract to negotiate the head of the internet in the domain name system. we talked about this in the book. there is a nice graphic to help you understand it. what the past administrations have been successful in doing is working to make sure that this is not a purely american question.
2:26 pm
at the same time, the organizational questions of who is going to be in charge globally is a question of international diplomacy, with people lobbying on either side. >> part of the challenge when it comes to the policy is two keywords, ignorance and imbalance. those who can make the policy decisions are not equipped to deal with these issues. we have all the wonderful and great anecdotes on this in the it is a senior diplomat about to go to negotiate with the chinese on internet issues, who asked us what an isp was. this but my mocking
2:27 pm
mom does not know what an isp is and does know what an icbm is. former deputy of homeland security had talked about how she had not used social media for over a decade. you have that level of ignorance. it is just there. the imbalance side is also there. this may be as big a policy issue as there is. what is not talked about when it comes to the notion of cyber attacks as opposed to a structural problem. i would argue the massive campaign that is going on in the u.s. right now may be as much as $1 trillion worth of value lost. that matters far more than the
2:28 pm
narrative that is out there. a half-million times we talked about cyber 9/11 or cyber pearl harbor. the 30,000 magazines talking about cyber terrorism, despite the fact that no one has been hurt or killed by cyber terrorism. a lot like "shark week." we fantasize about sharks even though we are 15,000 times more likely to be hurt by the toilets. squirrels have taken down the power grid more times. whether it is our spending when it comes to budget to the decision-making questions -- in the white house you have 12 people on the national security staff working cybersecurity
2:29 pm
questions. you have one on the economic side, who also has responsibility for things like copyrights. we very much need an approach that is both informed and balanced. >> next question, over here. >> thank you. downey, a strategic consultant. you mentioned a little bit about corporations and how they protect -- how well they are or are not protected. intuitively you would just assume that large corporations or banks have lots of resources and would do what is required to protect themselves against these kinds of threats. is a cybersecurity maturation model that measures how prepared organizations and even countries are against these kinds of
2:30 pm
threats. an x-y axis, zero is defenseless and the curve goes up to resilient. >> there are a number of approaches like that. i think it helps us understand the issue a little bit. probably the leaders in developing defenses and working together how the risks are connected in the financial sector, why? the financial sector faces very real threats from criminals. why do you go after banks? that is where the money is. the financial sector has learned to work together, developed
2:31 pm
good defenses, and also understand it from a risk perspective. they don't have to stop every single attack. i have some models to understand the relationship between how much to invest and what they're given. companies in the broader economy do not have that. they do not have that for a number of reasons. one, we do not have a good way of understanding what our loss is. often when we talk about the theft of competitive data we think about the special sauce. in 2010, coca-cola was hit, an attack that was later attributed to a group associated with the chinese government. did the bad guys go after the secret formula for coca-cola? no. no one really cares about that. what we do know is less than 10 days after the attack happened, the chinese government rejected
2:32 pm
coca-cola's bid to buy the largest soft drink bottler in china. that everyone in wall street thought would go through. we have to think about what is at risk from a very broad perspective. the challenge is actually understanding what is at risk and how to defend ourselves. that is a really big job. it involves having a holistic view of what is at stake in an organization. that has to come from the board, top-down. it also has to come from thinking about the risks we face. the managers will say we have immediate losses we can tie to failure to act. from the markets, it may have to come from a more interventionist government approach. >> one of the main lessons of the book is that -- as opposed to how this is often framed and talked about, this problem area,
2:33 pm
whether you are talking about it at the national level all the way down to you as an individual, it is not about the software. it is not about the hardware. it is about the people. it is about the incentive that drives them, the organizations they are in, the level of awareness. it is all about people at the end of the day. in your question you used an important word, which is "resilience." one of the ideas we want to push is the idea of a resilience model. someone has the secret sauce solution for all your problems or i can hack back and i will -- all the problems -- no, all we need to do is build up an imaginable defense.
2:34 pm
it is the idea that bad things are going to happen. it is how you bounce back from them. your body doesn't have a layer of defense. as important, it recovers. think about the psychology side. resilience, you can't go through life thinking things are going to happen. a resilient mentality and relationship is something that can deal with the bad things and recover. to go back to what we were talking about before, part of the problem of how and why we talked about this cybersecurity issue is -- we joke we turn the volume up to 11. get scared. i have all the solutions for you. the power grid scenario -- i guarantee you someone will lose
2:35 pm
power in the washington dc area within the next 48 hours. the word "cyber" in front of it, we would suddenly have congressional panels asking who is to blame and what is wrong. resilience, again, whether you are talking about the nation down to you as an individual and how do you protect your cherished memories and files? you ought to be thinking about that for yourself. >> let's go here. >> thanks a lot gentlemen. i'm an attorney here in town. i focus on national security and humanitarian law. i think the nsa is a pretty easy whipping boy. there are problems with corporations not taking their own initiative.
2:36 pm
when the opportunities for leadership and policy move things forward in the absence of legislation, president obama signed the order on cybersecurity -- i am wondering what you three think or hear about its prospects of enhancing the resilience of security posture of the u.s. nation. does the executive order move us closer and in the direction of where we need to go in the absence of legislation? the core -- for those of you who do not know, the core of the executive order is to develop a voluntary framework to implement existing standards for more security. this applies to all critical infrastructure, which is legally defined but we think of it as the basic essentials --
2:37 pm
light, air, water, things like that. the challenge of this framing -- we can think of the government as being good at some things like hitting people with a stick to do things. and they are bad at other things, like developing technical standards. one way to look at the executive order is we sort of flipped that. the government is collecting all the technical standards. that is why people are skeptical. i think there is some reason to be optimistic for a number of reasons. this succeeded to get the right people in the room to pay attention. representatives from all the major industries have stood up. they are watching what is going on. they are trying to figure out how we get ahead of this. this is the last opportunity that industry has to fix the problem themselves. if we think about the executive ," and i haveit now
2:38 pm
a stick of regulation behind my is one area to identify where areas are not working. we need to have a rising tide. we need to find the tools to get various players to work together. that sounds fluffy. that is where we want to be. cybersecurity should not be this sexy new thing. it should be the boring work of lawyers talking to other lawyers, economists talking to economists, and having everyone talk to each other. lots of conversation so we can work together.
2:39 pm
>> let's go to another -- jim? >> jim hansen. security is focused on the perimeter. you build bigger walls, make sure nobody can sneak in. between him and snowden we did not make a whole lot of progress. backed up a van to the data center and took off with all the servers. at where they are stealing the data itself? >> you hit it exactly right. we are making a military parallel.
2:40 pm
walls never work. the past question of infrastructure, sometimes they will say they don't need a -- they just need an air gap. i liken air gaps to those that teachers would put between catholic school dances. they just do not work in the end. the iranians had a wonderful air gap, keeping bad malware out of their nuclear research. it did not work. also following basic measures in terms of not only trying to keep bad out but monitoring what is happening on your own network, including by your own people. snowden -- those
2:41 pm
organizations are as sophisticated and well-funded as they were -- the u.s. military they were not following basic procedures that a cupcake store should have. to basic cyber -- the most important penetration of a u.s. military network happened because someone found a memory stick in a parking lot and thought it was a good idea to plug it into their computer. that is not cyber hygiene, that is basic hygiene. that is the five second rule. it carries across this. we were laughing that there is the same story of a major technology company who was hit when a guy picked up a cd that he found in the men's room. would you pick up anything you found in the men's room?
2:42 pm
he took it home. he did it with a cd. all of us go to conferences where you are given these memory sticks as favors. basic hygiene. it goes that this notion of the standards. one study found they would stop 94% of all attacks. 94%. what about the other six percent? it may come from someone sophisticated. i would hate to tell you, but all of you are not being targeted by that six percent. even if you are someone with a sophisticated operation, go talk to your i.t. folks. if you do not have to spend 94% of your time running down the low level stuff, you can focus on the advanced stuff. the advanced stuff often gets into these low level things. my favorite recent story of this was a diplomat at the g 20
2:43 pm
conference who got spear phished. they received e-mails that led them to click on a link where they thought they were downloading nude photos of the french first lady and they were downloading spyware instead. better and then get to some of the more sophisticated technological responses. >> does anyone else have a question about picking things up in the bathroom? we have to stop talking in cold war frameworks, which is the main way this is talked about in this town. it is just like a wmd, which has been said about everything from national security to these data centers. if we are going to use these comparisons, the period of the cold war is not the only one
2:44 pm
to draw upon. we are in the early stages of the cold war where we did not understand the technology but we took characters like dr. strangelove seriously. >> i am a student across the street. if you zoom out a little bit, people talk a lot about the u.s., russia, china. people don't talk often about countries like israel and the eu in a tier down. government report says very sensitive information was protected by passwords like "123," very weak systems.
2:45 pm
what do you think of the place of those countries, the lowest tier, on cyber security in the future? >> there are a number of different issues. for example, the number one trader of malicious information on the internet is indonesia. it did they it to be this -- is a separate discussion, which is also interesting. this is a real issue for every country. there are some benefits to being small. you actually can have a trusted group of people. i know we have chatted here at brookings with some governments who have been the victims of cyber attacks and they set up a volunteer army to react in the case of crisis. that works at a small country.
2:46 pm
there also is a very real danger of cybersecurity ghettos, where more and more countries build a basic defenses and you will have more of those seeking to exploit infrastructures and have a much higher bar to make themselves more secure. not having toe of outrun the bear, just outrun you, we have a lot of people who are slower. korea has said of cybersecurity capacity building should be a priority for the world bank. they are trying to figure out how they can build that international cooperation to raise everyone up to at least above a minimum level. space where you
2:47 pm
have so many different types of players. we fell into that old political science flaw of just talking about the states. yet this is a domain where everything from states large and small to nonstate actors that range from targeting google to anonymous to you and i all matter. we all have levels of power. we all matter in this. we are talking about problems and solutions. we have to move out of that classic framework. back to the policy -- we can draw lessons from other actors out there. there is an active debate in the u.s. military right now about what is the role of the national guard and reserve when it comes to cyber. we are approaching it in a very classic model versus an estonia's
2:48 pm
model. it may be far more effective. if we are talking about the makeup of the internet itself fundamentally shifting -- to the anecdote where we illustrated the internet is changing -- "cute cat videos" are losing out to cute panda and cute goat videos. it shows the power of chinese and african uses of the internet. security threats and concerns are growing with the number of videos that are out there. >> i am unaffiliated but i do have an atm card.
2:49 pm
how hard or easy is it to forge a cyber attack? >> from whom? you're trying to fool your basic sysadmin, very forward. you also have to have perfect operational security. you have to remember that among the defenses that countries have is not just to let me look in this package and see the technical frame. -- and have been eavesdropping on satellite and telephone calls. then you have to narrow it down.
2:50 pm
it depends on what kind of attack you're worried about and what kind of resources you have. if you're trying to fool your local police department about who is sending all the money in a bank account to a foreign country, very simple. if you're trying to fool them into a false flag operation, you need to do it a lot more carefully. >> you made a joke at the start about your atm card. it is a great illustration of the earlier points. your atm card is a multifactor approach to security. it is something you have but then they also ask you for something you know, your password. it points to two things. first it points to why does the bank have that structure as opposed to the way we approach security in other sectors and it goes back to what alan was saying, the differences of incentives in the industry --
2:51 pm
oh, by the way, there is a legal framework that drives that price for them. they put in those kinds of security requirements that you think are quite simple and easy versus a power company that does not have these kinds of approaches. 80% of small-- power companies that are under regulation right now. it points to the value of the incentive but also how personally we should all be thinking about our own security. you have that multi factor for your atm, do you have it for your gmail? if you don't, you should. we have about 10 minutes left. we are going to roll into the next panel with top reporters.
2:52 pm
>> i am with the dutch embassy. we have ay much that colonization of the human factor. domain is getting extended not only to our digital age but our human nature. i want to talk about the last where a role of the government could exist. i want to give you three examples and ask your opinion. the first one are the black -- one of the internet of the main successes is the use of zero day exploits. another example is the industry leading processes in chip manufacturing -- the underlying assumption is cryptography does
2:53 pm
not lie only in software but also on hardware. and it can have an origin in our industry, hence our government has a role in that. the last example is about the -- have seen the professor do a lot of research on isp. these are responsible for a spyware version that lands on our blackberries. what do you think about these three examples with respect to the government's role? >> i will jump on them real rapidly. first, on the black market, it is a very good illustration of the lessons to be learned from both contemporary security as well as history, not just within the cyber domain.
2:54 pm
thinking about current counterterrorism policy, playing whack-a-mole is a loser's game versus going after the underlying structures. something in the book, understanding the parallels to piracy and privateers at sea back in the 1600s and 1800s. actorsgreat pirate versus privateers, state groups that give you deniability. it is like the example between classic cyber crime versus some of these more state linked efforts and patriotic hackers. by going after the markets and going after the structures, that is how you dealt with it, rather than try to chase every individual one. this leads to the isp question. it is a perfect illustration of how, by going after the structures,
2:55 pm
you have a cooperation that you don't think is possible. the u.s. navy and the british fight each other in the 1800s. they had fought two wars against each other. they also cooperated in antipiracy campaigns. much like the u.s. and china, there is a lot of issue for conflict. there are also areas we can work together. part of this is also facing the fact that we americans, we have some issues. one study showed 20 out of the top 50 cyber crime spewing isps are american. i would point to a military example. it was revealed the
2:56 pm
f-35 program allowed certain chips in -- we would be dropping certain waivers around them. >> i think these examples really capture how you understand -- you cannot address this issue without understanding the technical, economic, and political side. different countries have looked into the options. should the isp tell me whether my computer is part of an international plot? the challenge there is on the -- we don't know much about what the likelihood of detection is and how we will respond. if you are going to be reinfected immediately, it is a waste of money and effort. on the black market side, i think this is
2:57 pm
we are doing great work with gsw. -- discover a small vulnerability in a major piece of software, what is the likelihood you, as an adversary, will find that vulnerability? we need to understand the technical details, how code is secured over time as well as the market side. >> we have time for one last question. >> i am an attorney in town. my question is about resources. i am thinking of the post-9/11 era where there was a lot of talk of soft targets.
2:58 pm
how do we stop people from going into movie theaters or shopping malls and stop them from blowing themselves up? there is not much we can do to harden those targets. we have been fortunate that we have not seen many attacks. it seems to me, if this is a good analogy, there's a lot of opportunity for those soft targets. they can get my credit card information from target or a cupcake store. do we have the resources we need? >> i will give an example of the military implication of this. what is fascinating about this is how we have approached it within dod, which has hardened the dod.
2:59 pm
we try to incentivize one part of the defense economy, the major contractors, to get much better at their security. they have seen these kinds of threats to their intellectual property happening. they are not facing the fact that there is this wider set of targets out there that are quite soft because the incentives are not right, the awareness is not there because just as much implication -- to give an example, how our entire logistics system is dependent on these companies. let's imagine you have a perfectly hard and safe and secure u.s. military network. what happens when someone enters into the logistics company and changes the barcode numbers for the shipment of gasoline to that unit? you have a unit
3:00 pm
that gets a delivery from the supply train and it is toilet paper, not gasoline or ammunition. thinking about the defense industry, the big times have paid attention to getting themselves secure. the small companies are not well protected. that is where we are going in. we need to raise the level of resilience and awareness. >> very quickly, on the private sector side >> it comes down to two things we are still trying to understand but are working towards. how we think about return on investment, how we create investments, saying if you make yourself more secure, it will be in your interest. to communicate
3:01 pm
that. the second thing is scale. defense comes down to making it cheaper to defend than to attack. that means we need to raise the costs of the attacker and that is a technical question, but also an organizational question, an economic question, and it fundamentally is a question of politics and governance. >> we have got time -- i want you to join me and give me a round of applause. [applause] they will be signing books at our next panel. i would now like to ask a second group of panelists to come up to the podium and we ask you all to sit tight and be right into our next panel. >> thank you all.
3:02 pm
3:03 pm
3:04 pm
so, starting right here to my immediate left, a reporter with the wall street journal, and the chief washington correspondent of the new york times. tom of national public radio, and in the awesome news, we have, from the u.k., james ball from the guardian. let's just start with the nsa stuff, since it is the big issue right now. talk a little bit about how the introduction of the snowden leaks has changed the way we are doing business and how much harder or easier it has been?
3:05 pm
>> it has cut both ways. i have not been writing much on the snowden documents themselves, but i have been writing on related nsa issues in the midst of all the revelations. found as many people, less inclined to want to share information. there are probably at least as many at this way who feel -- i do not know if it is emboldened or they just feel it is an issue that will get more attention and it is worth their while to share what they know with reporters, whether context or additional information and detail. i think on balance it has led to a greater amount of information
3:06 pm
that reporters are learning, even beyond the snowden documents. the government is behaving somewhat differently from the way it did. the nsa is setting up a whole task force to deal with the snowden leaks. argue they have not been as forthcoming as they should. if you are looking at what their baseline was, it was more than it was. i found it fascinating the director of national intelligence has released huge waves. especially in the beginning, and recent ones. we have seen a lot of court opinions from the surveillance court that in a lot of ways were more condemning of nsa practices than anything noted that out. i do not think it cuts one way or the other. >> i agree and add that i
3:07 pm
think there are three different elements of this to think about. the first is that even before the snowden leaks happened him thatf us would say reporting on these topics has not been easy in washington. i could recite for you all of the statistics about the number of investigations underway by this administration, including against many people on this on stories they wrote. even beyond that, these topics have all been topics on which the obama administration, i have found, has been less willing to discuss than the bush administration. the bush administration did not exactly win a reputation as a font of openness. response to the snowden revelations i think was for many of the intelligence agencies to hunker down and not
3:08 pm
answer any questions. then they discovered in the fall probably getting them into more difficulty than if they actually came out to explain some of these programs. what has struck me about the have comementioned out in recent times, it is reasonable to ask the question, did all of these programs need to be classified to begin with? i do not know the answer to this. had the nsa revealed the collection of metadata programs, would it have truly helped any group, or, could they have won some democratic buy-in, particularly in the years after 9/11. element is what we have learnt from the documents themselves. many have been very revelatory. some of them have been quite dated.
3:09 pm
you have to avoid the temptation of looking at a document and assuming that just because you are looking at it now, it represents what events are like today. we are at a point with the documents where two things are going on. first, for our general reading public, it has become a blur. there are so many documents out there they cannot quite sort out what is new and what is not. we are at the point where we really have to supplement them with a form of other reporting to be able to explain them. >> i have found this to be a difficult story to cover in many ways. a radio reporter who needs to tell people stories and not just -- give the opportunity to read the story several times before you get it.
3:10 pm
these are really complicated we are learning about. from that point of view, it is extremely difficult. there has been as many errors in reporting this story as i have seen in a while. that is partly because of the difficulty of understanding what it is we are learning and communicating. that, i have been covering national security for a number of years. i do not recall a story where there has been as much polarization as there is in this story. david, a colleague at the time, had a piece over the weekend. saying he had a friend in silicon valley saying 90% of the people in his tech
3:11 pm
company were convinced edward snowden was a whistleblower and that every single person you talked to felt edward snowden was a traitor. i think we have seen this very polarization throughout the way we have reacted to these disclosures. it is not that we should shy away from stories where there is a polarization of opinion, but, in this case, we, as a news organization, the guardian and have big players in this story. there has been a lot of -- it has been a situation where you have to almost decide what kind of posture you will take, approaching these disclosures. for all those reasons -- none of these are issues we should be
3:12 pm
afraid of dealing with. but it is a really complicated story to report. >> it is easy to understand it when you are with actual access to the documents. we have been doing the primary reporting. initially, it was edward snowden turning over two or three at the time. actually, much more his approach was to trust reporters as opposed to various other places. themselves find out and have to structure it. that is an extraordinary challenge. very few of them were here with this one document. they went out in the first week or two. the document now seems like an
3:13 pm
extraordinarily simple story. some of the ones that have more on cybersecurity we talked about, where they are trying to build up the impression. we start to see clear signs of deliberate efforts not to improve security. and the nsa having enough confidence they could take it back to other people and would keep the vulnerabilities there. that starts with you seeing documents touching on dozens more and dozens more. what happens is you have diplomatic correspondents who are very good at the international relations aspect. you have reporters with a more technical background. trying to separate which -- some reporters look at this --
3:14 pm
you're not looking at a guide. it is not a tutorial. everyone else knows all the lingo. you have a sentence which means absolutely nothing to any sane human being, but perfectly comprehensible to anyone who knows anything about national security. i think, especially on cybersecurity, on all sorts of intelligence issues, it has been where of a kate or more if we need more spending, more -- and what snowden did is give a chance to get this public debate. america has seen it quite well, britain, not so much. you may have noticed, we had a few issues over there. that is fairly commendable. whatever your stance, though
3:15 pm
debate can be quite constructive. an alarming moment, even if you are not someone who believes snowden is a whistleblower, as i do, there was a very strange moment where the head of mis -- the chances of anyone like snowden in the human intelligence services and he dismissed it. as if it could not happen. it already had. there are a lot of documents amongst this material. the fact that he seemed to consider this a one-off event should terrify you. he evidently did not understand the question, let alone the risk. i think whatever you think should be done, it is clear there are a lot of questions to still ask.
3:16 pm
collected things like a hallmark of cybersecurity reporting over the years has been the desire by government agencies and outside contractors to always heighten the risk. the sky is always about to fall. it is amazing how every minute of every day, the sky is always about to fall. did these documents change that at all? you talked about a high-ranking intelligence official lowballing risks. see the end of the uncertainty and doubt. has this changed at all? >> do you mean in terms of hyping the cyber threat itself? the question earlier about a big meltdown or something --
3:17 pm
something? >> yes. >> it seems like the insider threat is higher than estimated. the outsider threat is lower than that. maybe making investment is not the wisest thing one could do. the concern pre-snowden, the one i would hear particularly from government types, is not so much that it was high risk but so many of these cyber attacks could be high consequence. it was pretty high consequence. in a way, the snowden revelations show how one individual -- this is an asymmetric challenge.
3:18 pm
you only need one example to show it is a big deal. the security experts i would talk to, who point to threats, is not so much that the organizations with the greatest capability like china and russia will do it, but more that there is a black market out there and there is only a matter of time before things get out of hand and you have a reasonable risk of getting into the hands of someone who wants to do something bad. insider threat poses higher risk. the point i would make is we now know one of the reasons the u.s. government is so concerned about the infrastructure attacking the united states is that these documents underscore what we knew before the documents, which is that it is not all that difficult to do some of these things elsewhere.
3:19 pm
it underscores their understanding of the risk to the u.s. >> for me, a big revelation had nothing to do with the snowden disclosure. the story last week of the a reading the bottom line analysis of the revenue projections and stock price projections for this company, i think that was important to me because ito account has been a really important source of information to us about the threat out there. when you read about how much money they are making, convincing companies and organizations they are under threat and then proposing ways for them to mitigate that threat, it makes us, as
3:20 pm
reporters, want to think twice about the issue about hyping the threat. there are some really big financial stakes involved in this debate. that touches on the core issue. as reporters in this particular sphere, almost all of the incentives are with people to hype up the threat. no one wants to say this is low risk and quite safe. you do not know what will happen in the next 12 months. also, you are trying to defend a large budget and budgets often which do not have the same degree of accountability as other areas. you want to stress the dangers. there is a huge industry struggling with defense budgets not going up like they used to and security budgets not going up like they used to. cyber is a nice little area which still has potential. if you read the report of big
3:21 pm
defense companies, this is where they are hoping to keep growth or stall shrinking. so, look at the lobbying money spent in this town on cyber in the last five years. it has gone up spectacularly. off.are talking off -- far- the rate of growth is huge. not much money in saying -- hang on and let's calm down for a bit. there is not money in that. few people will push on the civil liberties front. not many people are going, hang on, you know, we are looking to try to fix deficit. should we really be spending this much money on cyber? how do we judge what a win is like? how much responsibility should the federal government be taking? should we leave it more to banks and try to speculate internationally? there is not a
3:22 pm
boring common sense lobby in the middle of this going, hang on, you know, maybe it is not that bad. my position is, maybe we have to be more skeptical in the cyber field. and that is always difficult for journalists. if you say, i have got a great story about terrible threats, you're much more likely than if you go, you should tell people to chill out. it does not get on the front quite so often. inversion of the fear, uncertainty, and doubt, is that you have the nsa and other operations saying, the core cryptographic algorithms are totally secure. we did not really undermine them, do not worry. the documents do not say what they mean. in a way that usually, these are the guys saying the sky is about to fall, and now they are saying it is totally fine. i found that interesting. i will ask one semi-related
3:23 pm
question and then i want to open it up to the audience. this is like, are these documents, are they actually just a shiny object we are chasing and being distracted from real, bigger issues in this space, or, is the big issue, how vast its spying network is? >> to me, i feel like there has been a story that has gotten less attention. i referenced it earlier when i talked about the documents released by the director of national intelligence that i actually think there is quite a lot of questions to be asked about the nsa's overall competency. they seem to mismanage all of the programs. storyis a weird hubble that it is omnipotent, but also incompetent.
3:24 pm
i do not know what makes a civil libertarian feel better. i think it is more of a nuanced story than that they are taking everything. they are not exactly doing that. what we have seen is when they were attempting to do the phone call records, they claimed to have all of these records and they did not understand their own program well enough to enforce the rules they promised the court they would. we saw that with the internet metadata collection. tapping the internet backbone. all of a sudden, they are scooping up domestic communications. to me, it has raised a lot of of considering that so many of these programs perpetuated themselves for a decade, as these technologies -- how much more coloring outside the lines does the nsa find itself doing just by accident and the fact it does not necessarily understand the implications of changes in
3:25 pm
technology, and what sort of bearing does that have on all of the other programs we do not know about? >> i am struck by two elements of this, to go to the question of how effective the programs are. if you look at one of the programs they abandoned in 2011, which was the e-mail metadata program, they were looking at roughly one percent of all of the e-mails in the united states, a lot of e-mails. ultimately, they dropped the program in part because of critiques set up internally but in part because they were not getting much out of it. then you go to the presidential advisory committee report that came out a week before christmas, and they were a lot less convinced about what the metadata program had actually yielded in the way of preventing terrorist attacks than you would get if you were just listening to the congressional testimony of the generals.
3:26 pm
if you consider them to be highly competent and highly good at what they do, and i think, for some of these programs, probably better than any other intelligence agency we have seen around the world, there is still a reasonable question, is the amount of time, effort, money, and, in this case, diplomatic and business cost of this, worth what you're getting out of it? >> i can say the amount of time chasing nsa surveillance stories over the months has been vastly in excess of what i would've preferred to spend my time reporting on. does that mean it is a shiny object that does not warrant the attention we're getting, i am not sure. i think what the review group said about the effectiveness of these programs is extremely important given that michael, the former deputy director of
3:27 pm
the cia, was on that. there is real reason to question some of the more extreme claims made by the generals in this regard. i do think however that these disclosures raised a couple of issues that are hugely important and really warrants all of the attention they have gotten. not just the trade-off between national security and civil liberties, a debate we have been having for many years. it is the trade-off between the advantages of protecting the good guys versus going after bad guys. we have seen the trade-off come out really clearly in these documents. the nsa has undermined
3:28 pm
security and we have learned a lot about the vulnerability market in the last few months and the way nsa has actually held onto vulnerabilities for work, versus helplessness of the homeland security, which you get completely in the dark all of the time about what kinds of capabilities the country has, it really does seem to correct something peter and alan mentioned earlier, all of the priority in this government has been on offensive cyber securities to the expense of cyber defense capabilities. it is a hugely important issue. that has really been revealed as a result of some of these disclosures. >> maybe the most extraordinary competence issue, foreign policy, a brilliant tale from an
3:29 pm
anonymous cia official internally promoting the next data program and bring them in a vast, printed out network diagram talking about how you could use it to find key nodes keeping different suspects in contact. he punched out a couple of things where hundreds of people had been contacting this number and saying, look, we would like to identify these. later he goes -- we just decided back here to take a look at that number. it was a pizza parlor. [laughter] which a lot of people call. alexander, one of the more technologically nerd-ish, because he knows what he is talking about, relatively speaking, intelligence officials, and his big case completely failed.
3:30 pm
it is just one of those concerning fragments you get. it makes you wonder the extent these large scale trawls we felt a struggle to see much evidence in terms of results to justify, how to -- distracted from other missions. obvious threat to security, a more subtle -- to do with a combination of intelligence and security coming together and being run by the same agency and the same people. fitting in bits of the backbone of the internet, you can see traffic sometimes. it can help you get an early warning on denial of service attacks. that kind of stuff.
3:31 pm
but if you are trying to persuade companies to let you in to help defend them, if you're trying to encourage foreign governments to cooperate with you on security and so on, while also using cybersecurity as a front for intelligence operations, you are undermining trust in your companies, in your agencies, in all of the defensive steps you could take. that kind of overreach is not easily fixed. that is all about your relationships with the tech sector, allies, everyone. so, when will the u.k. government, german government, other people who should be working and cooperating, foreign banks, the world bank, the u.n., and the e.u., when will they take advice from the u.s. security intelligence agency on cybersecurity then? it will not happen soon. us all in a bit of a
3:32 pm
mess. where there are not even just the technical side, it is the political mess that has been made of combining intelligence and security. >> that is a really good point. people do not quite understand, the way the internet moves because of a series of handshake agreements, there is not a lot of formal documents and contracts that guarantee my traffic could make its way to japan or what have you. it is just a series of trust arrangements. if you undermine those, you undermine the core of the internet itself. >> which is why this may be the first scandal in modern history that has a bigger business effect than diplomatic effect. >> right. i will open questions up to the audience. since this is peter and allen's book coming out party, i want to give them the privilege of asking the first question.
3:33 pm
>> thanks. hi. i am co-author of a new book, which you can find more about. what i love about the structure of it is the first panel, we tried to wrestle with what everyone needs to know. you have been exploring how we report and talk about it. first, thank all of you for coming. i deeply appreciate it. i want to pull the thread further. how do you see news organizations? you are from different types, newspaper and radio and etc. how do you see them organizing reporting on the topic of cybersecurity questions in the future? do you see that evolving? second, the training for journalists themselves. about the technical side of reporting on these stories. one of the interesting things to me is that news outlets have been among the most notable targets of cyber
3:34 pm
security threats, from state organizations, certain large power that shall not be named, to recently syrian electronic army, not an army, but has been having a lot of fun with different news outlets from noteworthy ones to the onion. how do you see the training for journalism evolving on this as well as the organization? >> i tend to find especially with british journalists, journalists do not like computers and math. to involve both. it is a bit of a team effort. journalists have to start taking it seriously. we have talked about source protection since the dawn of everything. tedious amongst the profession that you would go to prison
3:35 pm
rather than reveal a source and so on. now, you could very easily reveal a source just because you are rubbish at computers or your e-mail password is 123456. we have to get better at that and take it seriously. is a consensus. part of what else we have to do, start making encryption technology, secure technology, and source protection technology usable by regular humans. a lot of these systems are very complicated, even if you think, personally, that they are important. fine, however brilliant someone is at computer security, if you look at what its wrong, with most things, is not often that someone did not have the right system. at three o'clock in the morning, when you have been hours, the servers
3:36 pm
are met to hold are not working, you give up and send it e-mail, or you cannot face the barrier, every time you have to get in touch with someone doing what you have to do, the technology has to get easier and has to start to be made with regular, normal, fallible human beings in mind. we also have to learn to prioritize. if you get on my twitter account, you will embarrass me. but you will not do much more. if you get my e-mail account, you might find a couple of low level gossip. you will not completely screw me if you get in either. i have got all of the things you should do. but i do not lose sleep about the idea of people getting in there. we learn what to protect and what not to. it is all about team approaches.
3:37 pm
if you have a cybersecurity reporter, i can see why in the last few years, to get people to understand broader things and get them to work together. to understand politics. journalists are much better when we work in teams. today we willrned factor in our own system, which i would say is a direct result of the lessons we learned over the last two months. recently, almost all of my collaboration as a reporter was with the foreign and washington desk. since i have been covering the story with the technology reporters, i have become dependent on them to help me figure stuff out, and we are working on a series now about the arms race, the digital
3:38 pm
arms race between the nsa and the tech companies. i am completely dependent when it comes time to talking about encryption security measures. i really depend on technology people at npr to help me with this. just in our own case, it has really opened up a whole new area of collaboration. really not there before. right, the times has been the target of at least two different big groups. a chinese group came in and lived in our computer systems for several months back in 2012. we think searching for the sources of stories about how the prime minister of china's family got so wealthy while he was prime minister. they did a remarkable job
3:39 pm
finding their way around a computer system that has stymied me for decades. [laughter] and then we have the electronic army, less sophisticated, come in and attack. one day last summer, they actually managed to close down the site for a good part of the day. the paper came up with an innovative response to take all the stories we wrote that day and printed them on paper and then drove around different parts of the country and dropped them. remarkable technological approach. that was gutenberg's best day. at the paper itself, we are pretty accustomed to having collaboration that moves between the technology and foreign policy. and domestic policy side. i worked for years with no in our science department and we did nuclear proliferation
3:40 pm
stories together and worked for years with john, one of our best silicon valley reporters, and we did much of the early games reporting that way. but it is always a challenge internally because you have to cross your bureaucratic barriers within a news organization. more and more news organizations have discovered the necessity of that. it is no longer really a choice. if you tried to do an analogy to a previous era, it would not have made sense in the 1940's and 1950's to just have a summary and reporter or just have a reporter covering nuclear weapons when they were coming out. ultimately, while you wrote a lot about those, that had to get integrated into a broader national strategy.
3:41 pm
the argument all of us have been making, i suspect, is that this reporting more than anything needs to be put into a broader national strategy. snowden has helped with that. you made the point in britain, it has helped -- been hard to get in much of the debate. i thought after many of the revelations about the u.s. the beldingn in stood cyber weapons, there would be a kind of debate in the u.s. about cyber weapons that there was about drones. but that has taken longer to generate. these things are hard to predict. the journalof how handles cybersecurity, i becaused that evolution i came to the journal in 2007 and had been covering nsa quite a bit when i was at the baltimore sun. i had just done a larger story on this effort we later learned was the comprehensive national
3:42 pm
cyber security initiative. i spent a year trying to get our editors to care at all saying, who is being hurt and doesn't involve people? - does it involve people? find me the company. this is 2008. in 2009, we were able to shake loose a few stories that got our editors attention. they were won over. we did too good of a job. all of a sudden, and i cover intelligence. it is not the whole thing. i have an internal lobbying campaign thinking this is a cool set of stories to do. it is kind of interesting. in 2009, i was supposed to do every hacking thing ever. over time, i think it started the banking and financial reporters, that they realized this was a story
3:43 pm
companies really cared about. little by little over the last few years, different reporters responsible for different sectors, energy and what have you, have taken their own interest in it and will work together when it is relevant or not. but the journal was a little late to the party in that it was only last year that we actually started a dedicated reporter, which is not necessarily just to make sure this person's prom, but almost to make sure they could traffic copy issues and this is someone who is in d.c. and is now based out in san francisco. from the corporate side, recognizing this is at least as much a corporate story as a national security story. the way we break it down at this point, i handle some but not all the national security stuff. we all work with our colleagues. cybersecurity, the
3:44 pm
journal was also hacked. reporting that story was quite an interesting phenomenon, probably different from what david probably experienced. i heard from my editor, it is 10:00 at night, you do not need to do anything with it yet and this may be our own problem to report. i was waiting for someone to call me and explain it. nothing. the next morning, i showed up in the office and said, ok, what are we doing. and they said you could report the story like any other hack. the journal was not quite so forthcoming. it took until 4:00 in the afternoon the next day to get the intangible statement from our own company that admitted we had been hacked. they claim they need to wait until all of the new security
3:45 pm
procedures were put in place before they spoke about it. where the kind of thing even after that, we have to call communications people and give us the assurance nobody is moving around systems. what i learned from my experience reporting that particular story, my company was not necessarily going to tell me who had been hacked. bureaurs in our beijing only heard on the down low that they had been hacked. obviously, it can happen to us. we take precautions but operate under the assumption it could certainly happen to you. >> that is an amazing story. from an editor point of view, as other technical issues have become more important to general reporting, there has been a training of reporters and reporters that maybe came up in
3:46 pm
clinical, that were ok with the he said she said, and there were no real right answers, it is actually, there are right and wrong answers when it comes to technology. there are things that technology cannot do. i think of one reporter in particular it took a year and a half for me to beat that out of him. it was a process. now he knows. we are all better for it. >> spoken like a true editor. >> management well. [laughter] >> all of his successes are of course attributable to me. let's start in the back there. >> retired ceo of publishing and physics. little bit about the controversy, the trade-off between intelligence and civil liberties.
3:47 pm
there is also another one that has not been mentioned as much. that is trade-off for intelligence and democracy. there is such a thing as a black budget. not many of us know how big it is. decisions, and what is democracy if a large fraction of our national budget is made without public debate and public knowledge? doesn't that issue come to the fore with all of the funding for the nsa and what they are doing, and congress has decided? who has decided whether to fund this? what happened to the appropriations process? >> that is a good question. >> i will take a first shot. even before snowden happened, there was the beginning of some revelations about the size of the intelligence budget. the snowden revelations themselves included a lot more numbers. it turned
3:48 pm
out a lot of the budget numbers were wrong. that actually tells you something about why you have got to be careful about some of these documents. there was one budget document we looked at that i think the post wrote about extensively. it indicated 231 offensive cyber attacks in 2011, was that it? appropriation it came from. >> right. it turned out later on the document had been put together by a budgeteer who did not know much about what a cyber attack is like. most of those were not what people on this stage would call offensive cyber attacks. have got two layers of problem. one is the secrecy around the budgets themselves. the second is a definitional one that would enable us to
3:49 pm
understand how much is being spent in a lot of areas where even in the u.s. government, there is argument about how you would define it. >> it epitomizes a broad problem. i worked on the state department cables, wikileaks released those. public interest rates. what you read in those, these are pretty good public servants. one or two of them could write one that -- more like -- more nicely than i can. a lot of privacy policy goals were more or less in public. you think, about two thirds of the president's job is probably foreign policy and military policy. the vast majority is kept secret. the thing that struck me when was what is going on with the reflexive secrecy.
3:50 pm
this is the bulk of what the administration is doing and a lot of it is fairly innocuous. the same is with these intelligence budgets. , whichd the black budget was a budget appropriation and a fairly significant chunk of it was released. if you read that, it is very top line. quite broad. of stuff in that that could be made public. it is not particularly useful information. it might also make you think, should we be spending $500 million on this ticket listing? if nothing else, the democratic issue, are we not also possibly wasting a lot of money that we could do something better with? when you have that degree of secrecy, you do get massive democratic issues that touch
3:51 pm
into a lot. you are right. >> let's go here in the second row. >> thank you. can any of you envision a scenario in which the united states government gets custody of snowden on american soil? that could be an embassy in another country. >> anything is possible. not -- i do not know a lot about snowden since i do not know we know a lot of the administration's calculations except for the fact they have not been amenable to the notion. one interesting thing we will see in the coming years, is whether or not that issue gains political momentum and becomes a subject of public discourse, or whether that has played itself out. i think that is where he ends up.
3:52 pm
of -- as a legal decision as a political one. >> the president decides it is no longer in his interest to have snowden as a guest of the state, you could imagine him being placed on their plane someplace and landing somewhere he does not want to land. >> he has only got permission to be there for one year. it is not necessarily an issue that will be up to snowden and his lawyers. wonder whether the likelihood of people fleeing the country when they make these kinds of things rather than doing -- dan ellsberg and all that. you wonder if perhaps the pretrial treatment of money has made it more difficult -- difficult to convince people to and truste country that the justice system will give them a hearing to decide if they are a whistleblower or a traitor. that a really quite
3:53 pm
long sentence, given that everyone acknowledges there are no proven harm coming to anyone as a result. whether it makes it likely in the future whether the justice system will be able to make these decisions and maybe that was a mistake. >> over here. >> thank you. you have talked a lot about the nsa. getting to your point about the intelligencetween i heard only about 10 minutes. i was driving. but richard clarke described the fact that what they are doing with the nsa review panel was, number one, we had been asked to
3:54 pm
take a look at what intelligence we actually need. second, we had been asked to look at how transparent we can be in getting the intelligence in a way that matches our democratic values in a democratic society. i did not hear much more. i really wonder given all we have talked about here, with the nsa review panel, are we on the right track? or will this deviate? i would have found out if i heard the rest of the show. i look forward to hearing your views. that review panel, it is fascinating. one of the things we talk about. somebody called in and said the report was very good. , youersed -- i responded appreciate one written in clear language. and easy to understand. that was a really important report. clark and mike and the others, i think they really
3:55 pm
nuanced an effort to be about this and to be sympathetic to all of the concerns raised, but also to a national security establishment from which they themselves come. was a veryt interesting report that really set the stage quite properly for precisely the kind of legislative and executive branch action that is probably forthcoming now. of the most interesting things about the report is that the group was and so much in the beginning as being a hand-picked panel by the administration and everyone looked at the membership percent these are allies of the administration. i remember hearing rumblings in october or so that these guys were taking a broad look at nsa structure and i am thinking, is that really their mandate? the start to hear a little rumbling along the way suggesting they might actually
3:56 pm
make recommendations that would get noticed. i do not know whether or not that played a role, but it seems like they took it quite seriously. the understanding was individual members of the panel were spending multiple days of the week of their own time on the panel during that time. it seems to produce something that will really drive a debate and a policy discussion. >> one of the things said this morning is that we are in a time of peace right now. really an important opportunity for us to think about what we do not want to happen in this future, the same kind of fiasco we have seen with the nsa. it is the time to come up with roadblocks to make sure we do not have these kinds of abuses in the future. i think the word, abuses, is a central one here. the group was not really asked to come up with the answer to
3:57 pm
the question of what is legal. in the past couple of weeks, we have seen court decisions on all sides of this. eventually, you suspect somebody will end up in the hands of the supreme court. instead, the question that president asked them to answer was, do we have programs here we are doing just because we can, instead of because we really need them, because we should do them. that is a very different question. then you get into a cost-benefit, which is, is the amount of intelligence you are gleaning from this useful and worth it given the diplomatic cost to confidence in american companies, whether it is apple or google or server manufacturers. thirdly, is it useful to us diplomatically?
3:58 pm
it has done this kind of damage to our relationships with germany and mexico and brazil, and who knows who else is on the list, with things that may be disclosed in the future, you have to then ask yourself a question, is what you are learning about the internal workings of the mexican government or the brazilian government, or the journal -- german government, actually worth it for the cost of revelation. the most remarkable thing i learned in the course of this is that while the cia asked that question very often about covert programs, if it got revealed, would the damage done be worth it, in the case of the nsa, because they did not believe their programs would be revealed, i do not think they asked the question very often. >> will -- we have time for one last question.
3:59 pm
>> speaking about wikileaks, the counterpoint was zuckerberg, facebook, social media. is there a counterpoint? is there a technological trends that might say, the internet and cybersecurity has a positive future, and we do not have to vulnerabilities, state all the way down to the individual, is there a counterpoint to this discussion? a positive future for technology and the internet? >> twitter's ipo? [laughter] align a response. the governance issue is a big one for the next year. almost any development on it would be negative for internet freedom in areas where it is really important. important -- unfortunate thing is the u.s. government has very good programs, but there is no trust for them now, and it
4:00 pm
will not be taken seriously outside. speaking american, as well, there is a perception that it is a serious international institution and it leads americans. the actual architecture of the and the attitude that the government and the intelligence agencies have taken to that, it is now no longer given, u.s. dominance of the internet. something is going to have to give there. it may still be true, or if they can work out how to go for multilateral, something that actually works and protects what is good about the internet.