tv   Cybersecurity Threats  CSPAN  June 21, 2014 1:30pm-2:01pm EDT

1:30 pm
they will out-innovate adversaries. i think that is less true than 30 years ago. there are worthy adversaries in the world in the competitive sense who not only have our intellectual property but can innovate with the best of us. this is insidious. that is what i worry about the most. that is less the problem. if your wealth and treasure is stored in cyberspace on a network, it is going to be interesting and lucrative to a potential adversary. the judge said to willie sutton, why do you rob banks?
1:31 pm
he said it is simple. that is where the money is. loom large because we have stored wealth and treasure in this space. the things that depend on it beyond that are even more critical whether it is electrical grids, financial systems. the u.s. department of defense estimates their ability to move material is 90% dependent upon the confidence they have in cyberspace. most of the production and acquisition occurs in that sector. most of transportation occurs in the private sector. there are no warehouses. everything is choreographed by cyberspace. that is a huge dependence. you need to think about wealth and treasure being dependent on that and other things dependent upon that space. >> getting more specific, tapping your many years at nsa,
1:32 pm
what is the most frightening cyber issue you ran into on wall street? i think many of you experienced this alongside the and 2013t in 2012 where there were denial of service attacks on the financial infrastructure of the united states. london and sydney also suffered some of this. what was surprising was the rate at which the adversary, i think it was attributed to the iranians. the u.s. government is more circumspect about naming names. the rate at which they could up the ante, scale up. telecommunications providers provide the backbone to provide a level of service to serve so many customers per hour and minute were prepared for something on the rate of what is called for two gigabits per second. somebody is asking services of your system.
1:33 pm
they were saying i can do that at the rate of 20 gigabits, but to be safe we will do 40 in terms of the sanctuary reserve. the adversary quickly went to 60 and 80. the only thing that made it so the system prevailed was the adversary's rate of increase was so slow, and the ability of the providers to build infrastructure was invigorated that we essentially prevailed. if the adversary had chosen to go faster or use more of their stolen infrastructure, those systems would have gone down to a greater degree not for minutes or hours. some would have gone down hard. we asked what that meant. they said we don't know. how does it come back? we don't know. work is being done to create more resilient infrastructure. we are very concerned about that. think about the primary drivers
1:34 pm
for cyberspace. almost never was security a primary consideration. it was, i want to build this feature and application. once i figure out how to make the data flow, i want to make the user experience good. i want to compress it to do more of those per minute. i want to squeeze out the cost rendered for doing that. all of those things are the common drivers in an economic marketplace. security was something we said we would catch up with or self indemnify. if we have some risk, we will cover that by having some margin. the slope of the curve is controlled by the adversaries and not by those who build the systems. security has got to be a primary consideration upfront. that is why it has to be coherent across multiple facets of what you do with your
1:35 pm
internet or network connections. if there is an i.t. and hr component and business component and critical business process component, those need to be integrated in a coherent fashion. it needs to be built by design able to be defended against an adversary that will try to outmaneuver you in that space. >> let's tap the wealth of experience in the audience and go to the first question. have a cyber security problem, i think of the government as -- >> do i get to answer this question? >> how would you answer that question? the government should be helpful.
1:36 pm
i think that is a nice middle ground. neither imposing burdensome regulations or essentially standing off and saying this is the issue of defending are the property. but stick the case in point i offered earlier. say on some future morning, iran determines the best way to bring the fight to the united states is to hit us where it hurts, to take on the infrastructure that underpins critical activities. is that an attack on private property or an attack by one nation on another? what is the role of the government? if we are to create a resilient that the iranians have a less interesting target, who incentivizes that? that is not to say the private sector does not have the largest piece of this. 80% of it is owned and innovated by the private sector.
1:37 pm
it has to be a full partnership. there is an opportunity cost is not a critical flaw in our ability to make the space defensible. >> 74%, helpful resource. no one seems to be avoiding the government. >> good. on the government relationship. what is your sense of the impact of the snowden disclosures on american companies? particularly thinking of technology companies that have a stake. >> unfairly maligned and unfairly injured in terms of their ability to take and serve the global marketplace. there is not a country in the world that does not have an ability when necessary to acquire information from
1:38 pm
telecommunications providers under law. in may of 2013, there was a report published by a law firm which compared all of the various systems the western world has devised. they said the united states alone brings the judiciary into the mix. all the countries under rule of law cooperated with the united states government were maligned by an exaggerated set of stories in 2013. there is this flashback response by foreign nations. in some cases, because they are concerned about a relationship that places them at risk with respect to the united states government. in some cases, they see a market for their own industries. it is useful to talk that up. long story short, i think the snowden revelations have done
1:39 pm
damage unfortunately to the private sector and they deserve the government's assistance in reestablishing confidence that what they do, they do under the rule of law and do that for the benefit of nations, not just the united states of america. >> let's compare that to the next audience question. revelations of the nsa spying abroad. the interplay between the snowden revelations and cybersecurity. there was a big push on cyber security legislation around the time the snowden revelations happened. where are we on that? in the spring of 2013, u.s. government in open dialogue with the chamber of commerce and
1:40 pm
private entities was close to signing off on legislation the administration could support that would effect the greater collaborative relationship. it was going to be less about regulation and more about creating incentives and suppressing liability so that there could be a freer flow of information between parties that share cyberspace. not all of us need to suffer the threat before we are prepared to protect ourselves on the second occurrence. someone to my left or right detects a threat, we should have an ability to exchange that approaching real-time. the legislation would have been helpful. i think it would have increased the standards and behaviors in the space. that got pushed to the right when the snowden affair came out. in part, because we are trying
1:41 pm
to understand it the government has been irresponsible player. my sense is the government has been very responsible. we have got to figure out how to get the story back on the rails. there is not room left on the legislative agenda to consider that. in part, because the private are smartingies from the relationship they had with the government before. it makes it hard to put the legislation on the table. it holds us back from bringing to bear some positive contributions to a collaborative relationship between the private sector and public sector, and even between entities in the private sector. >> the poll went away. it seemed the government was faring well on that one, too. just 19% talking about it hurting their business. sense of the relationship between telco's and
1:42 pm
nsa? how has it changed over the last year? the telcos have said i am looking at my fiduciary responsibilities and expectations of a global customer base and need to be more careful about making sure i understand the rule of law and what i am compelled to do. not simply making sure that is right behind the closed door, but that i can talk about that and give confidence to the shareholders and international marketplace that i am doing what i should do on the straight and narrow. they have been more demanding of the government with respect to transparency, somewhat more demanding in terms of the government needing to publicly compel them so there would be no suspicion they are doing something inappropriate. that sometimes looks like an adversarial relationship.
1:43 pm
it sometimes feels like that. i don't see it that way. i think they're trying to do right by all stakeholders, and we are going to have to help them. we are going to have to figure this out with them. your successor talked about openness to the issue of amnesty for snowden. >> he took care to say that was a personal opinion. rick is a good friend. i respect his personal opinion. i think snowden should get his day in court. it is inappropriate for individuals to aggregate for themselves to speak for the whole government. in the case of the entities that were discussed and maligned in the summer of 2013, you had an executive branch under the rule and fully participating
1:44 pm
judiciary determined that is the right answer for this nation. across two administrations and multiple parties. on the house committee on intelligence, that rides herd on nsa and other entities, they had staunch supporters of nsa that were dyed in the wool republicans and democrats. this is not an ideological issue. this is a whole of government issue. mr. snowden has to answer for why he took the wheel to drive the ship aground. he may have a good answer. our system of justice allows people to make that case and defend themselves. a minute left before we go into question and answers. what is the main lesson you take away from the last year with snowden? >> there are three things.
1:45 pm
i would remind myself nsa does not have equity. only the nation has equity, and it needs to support that. with nsa, we talk about balancing security and privacy. i think there is a third leg under the chair which is sufficient transparency, not complete transparency because that is impossible in the intelligence world. but sufficient transparency so people have confidence about the first two. even before mr. snowden came out, nsa had a presentation about this. depicting that as the scales of justice, we said it has got to be like two rails under a car, a train car. if they are not straight and true, there is no way this could work, that you could meet your constitutional obligations. transparency has been lacking to give people confidence we got
1:46 pm
that right. the thing that will be new and different is transparency by the government parties about what we do and how we do it. not just the national context, but international as well. >> let's open it up. the ipad is printing out at the nsa office. [laughter] that was unfair, but i could not resist. any questions? >> i have one. governor huntsman and dennis blair issued a report last year that said maybe what we should be thinking about is giving license to hack back, at least in the form of diminishing the damage done.
1:47 pm
perhaps locking the data in the hacker's files taken from their company or shutting down their computers in some manner. this has been described as vigilantism. these are distinguished and established individuals. is there some reason for that in your mind as one of the arrows in the arsenal for dealing with this big problem? >> with all things, it is dangerous to pick an extreme and say you can never defend yourself or have the ability to go all the way back to the adversary. either is an extreme option. there are analogs to this. if someone is shooting at you in your own home, you have the right to defend yourself. if someone is shooting at you from across the neighbor's yard,
1:48 pm
you also have the responsibility to be incredibly careful about how you should cross the neighbor's yard. someone is harassing you, you need to leave that to the police and let them deal with that. the same thing plays here. my concern about that taken to you say thiss if is all about the defense of private property and people can hack back, they will do two things that are very dangerous. they will be hacking back on neutral territory. if you had seen the attacks coming in 2012 and 2013, you would not have seen where they were coming from. you would have seen the last place of approach from places like germany and australia. if you had unleashed the mob, you would have created mayhem in a neutral zone. >> you might shut down a server serving a hospital. >> even if you did get it right and say i will take this back to the miscreant, if that is a nation-state or has other capabilities and you provoke
1:49 pm
, you have created not simply a diplomatic incident but a nation on nation incident. now the government needs to deal with a bigger mess. of the case is to prevail, the government has to figure out its role proactively and how it exercises that so the private sector does not need to. what we have been asking too often is who is in charge of cyberspace. i don't think it works that way. >> is the government doing enough? >> i think it is doing what it can given the understanding at this point. there are many challenges in the space. i don't think we have a strong enough understanding of how it works. there's not a well-defined set of normative behaviors. we could say you can't steal intellectual property.
1:50 pm
they could say if it is on the internet, i thought you wanted me to have it. that is somewhat disingenuous. we need to be clear on what the are of what we find acceptable and unacceptable. we need to be clear of the consequences and the roles assigned to individuals, businesses, sectors, and the government. we have not done that yet. we think of this as a domain unto itself. when something happens in cyberspace, we think the right response is in cyberspace back to it. ismight be a legal action required or a public shaming. locatedyear, they hacking activity into a building of the people's liberation army. >> they take all the chinese
1:51 pm
holidays off. >> exactly right. given your construct that you just presented, would it be in the purview of the u.s. government to shut that building with its own hacking attack or cyber activity? >> it might be. it depends on the nature of the provocation. in national affairs, there is the question of necessity and the right response. you have to apply limited means to be a responsible organization. the u.s. government has taken that problem on and given a rendition of the answer which i find elegant. two weeks ago, the u.s. government, as opposed to hacking back against the chinese, essentially indicted five individuals they found partially responsible for some of that theft of intellectual property. it is an interesting application of national power.
1:52 pm
it gives the chinese an interesting situation. they say we did not do it. now you can test the proposition. they can defend those five individuals or stand off they swing in the wind. what message does that send to others that may or may not work for the chinese government? i think it was an elegant application of national power proportionate to the challenge. perhaps late to need, but we are all late to need. we have to take steps into the space as opposed to careening into the woods in the dark with no headlights. >> could we get a microphone over here? a reminder to identify yourself. from deloitte. my question is on the cost and the level of investment. is the private sector spending enough currently? how quickly is that going to go up?
1:53 pm
maybe a second part to the question. are there innovative things the private sector could do to band together, to reduce the costs on any one enterprise with industry groups? know sonk you would all i join this. i think we are spending an enormous amount of money on this problem already. i don't think we are spending that well. if you go to most companies and say, what are you doing? they throw up a plethora of icons and devices at the perimeter of technology. what you see is this massive application of band-aid after band-aid. those are not well integrated which creates space for an adversary to worm into. they are not taking advantage of
1:54 pm
the knowledge in the sector or from the government. the amount of dollars probably should not go down. but i'm not sure the answer is an increase in the dollars. we need to be more thoughtful about applying those, examine, and have a collaborative effort. if you suffer a threat, i don't need to because you will share that with me and vice versa. that is separate and apart of sharing intellectual property or competitive advantage. this is just a crazy idea. you can tell nsa i am being vexed by something from a foreign quarter. that might put nsa in a position to use appropriate abilities to learn more about up for they that national apparatus to do something about it. that exchange does not occur freely today. it is every man for himself. we aret has a huge hole
1:55 pm
all saying it is on your side. business says exchange does not happen because the government is cautious about information and is willing to share. business is concerned if it shares too much with government, the liability it faces for customer complaints about sharing data with somebody outside are too onerous to contemplate. it seems there is a standoff. >> both have been true to some degree. i don't know they have been the principal thing that have held us back. but they have been contributing aspects of the problem. have acted in good faith and shared or taken advantage of information in good faith, your liability will be suppressed. the government does have a tendency to restrict the free flow of information.
1:56 pm
afternoon.ar it this it has been more aggressive and proactive trying to figure out how to push the information and share it. it should be pushed harder and faster. if the nsa collects the information to protect itself or its own systems, i know how we can save a lot of money. but it must be done for national or international benefit. effort. international collaboration needs to cross international boundaries. >> any last questions? thank you very much. [applause] here is some of the recent reporting on iraq. the u.s. conducted monthly
1:57 pm
surveillance flights over iraq, they provided photos instead of real-time feeds to the iraqi government because of what the "wall street journal" reports was distressed that the intelligence would make its way into iranian hands. as signs of instability grew, president obama authorized a againstenable them sunni militants. now the u.s. and iraq are racing to catch up to a threat they had already identified but have been slow to counter. that again from the "wall street journal." president obama announced sending 300 military advisers to iraq. we will keep you posted on the latest. >> i think my colleagues in journalism would give a similar grade whether liberal or conservative.
1:58 pm
freedom of information was already a joke. but this administration has perfected the delay and excuses. it is shocking because i feel strongly the information they withhold and protect belongs to the public. we own it. there is no sense of that when you ask for it. they covet it as if they are private organizations defending trade secrets rather than understanding what they hold is information they have gathered on our behalf. emmy-winning reporter on the changing face of news and her career on sunday night. next, a look at health care insurance enrollment. enroll america hosted a discussion that included kathleen sebelius. this was her first public appearance since she stepped down. this was an hour and a half.
1:59 pm
>> good morning. please welcome the president of enroll america. [applause] >> hello. good morning, everyone. welcome to the first national enroll america conference, the state of enrollment, getting america covered. very excited to have you all here today. [applause] we first started planning this conference months ago, our hope was to bring together enrollment leaders from across the country to reflect back on the historic first open enrollment and share best
2:00 pm
practices for the future. thought maybe a couple of hundred of our friends would come for this. but we never expected more than 900 attendees would join us from communities in 48 states. incredible. [applause] not just that. including the district of columbia and as far away as guam, thank you all for being here. thanks for generous sponsors who make our work possible. especially those who helped make the conference possible. health for, go helping us all gather here today. the fact that there are so many of us in this room shows just how strong and passionate this coalition is. you represent a cross section of the many industries who work together to make this first enrollment period a success.
