tv Key Capitol Hill Hearings CSPAN July 8, 2014 10:00am-12:01pm EDT
10:00 am
>> here on c-span, we are live underneath the u.s. capitol. this is known as the senate subway stop. it is a connecting point to the senate office buildings u.s. capitol. it is a place where senators and staff and guests come into the u.s. capitol underground. it connects to the capitol visitor center, also underground. at this hour, the senate armed services committee is holding a meeting here behind closed doors. they will hear from chuck hagel and the joint chiefs of staff chairman mark dempsey. you can see we have cameras outside. there goes the center of
10:01 am
tennessee out the escalator. we hope to have them for you live or recorded as well. a long day of hearings on capitol hill tonight. we will have live coverage of a house veterans affairs committee hearing of whistleblower claims coming from veterans affair department employees and several of them will testify before the committee. that is coming up on c-span two at 7:30 p.m. eastern. a lot more talk about immigration headline here on the hill. ahead of a texas fundraising trip, the president will hold fundraisers in dallas and austin, writes the hill, during the two-day trip. he has no plans to visit the border, where officials have struggled for months. president obama is now offering to talk with rick perry about the influx of children crossing the border according to abc's jonathan karl. keep you posted on that
10:02 am
story as well. thursday, the homeland security secretary jeh johnson and the health and human services secretary will be on capitol hill talking about the administration's new initiative, their request for more funding and the situation at the border. the appropriations committee will be live on c-span three at 2:30 eastern. surveillance threats to cyber security, internet freedom and the economy were the topic of a discussion at the new america foundation yesterday. they heard from an attorney working at google and a policy analyst and internet security technologies professionals. this is just about two hours. >> we will go ahead and get started. hi. welcome to new america, a nonprofit civic enterprise dedicated to preserving foundational american values in a time of rapid technological change.
10:03 am
i am the policy director of the open technology institute, the tech policy and development wing. we are focused on building a stronger and more open internet for a stronger and more open society. i want to thank you all for coming here today and braving the heat or tuning in on the webcast on c-span for today's panel event, national insecurity agency, how surveillance programs undermine internet security. since the snowden leaks last summer, almost all the controversy around the nsa has been focused on its programs to collect phone records under section 216 of the patriot act and its monitoring of internet communications under section 702 of the fisa amendments act. threatening to the basic security of the internet. undermining encryption
10:04 am
tools and standards, inserting backdoors into widely used software products, commercial software we use every day vulnerabilities, rather than making sure these get fixed, building a vast network of spyware inserted into computers and routers around the world, including by impersonating popular sites like facebook and linkedin, and even hacking into google's private data links. finally, congress is starting to pay attention to how the nsa is threatening not just our privacy, but cyber security itself. the house, overwhelmingly voted to approve two amendments to the defense appropriations bill that would defund the nsa's attempt to undermine decryption standards and insert backdoors for surveillance into the communications technologies we rely on. were sponsored by alan grayson and backed by a broad coalition. today, after brief
10:05 am
prerecorded introductions by both lawmakers, who were today flying back from their july 4 vacations, we will focus on these issues, which have been mostly ignored, even though they were a central focus of the recommendations from the president's own review group in december. this discussion focusing on the costs of the nsa programs to our overall internet security is a follow-up to our internet discussion earlier in the spring about the economic foreign policy costs overall and previews the release of our paper later in the month, surveillance cost is, the nsa's the economy, information security, and freedom. with that, cue the representative. >> hello. thank you for inviting me. i regret i cannot be here now to
10:06 am
talk about this important issue. on june 19 this year, the house took a big step toward shutting the back door on unwarranted government surveillance by a massive bipartisan margin, 293-123, the house agreed to an amendment that would prohibit the government from searching communication and data without a warrant and from requiring manufacturers and service providers create backdoors in their products and services for surveillance. as many of you know and as you are discussing today, when an individual organization builds a to electronic surveillance into their products and services, they place security of every business at risk. it is simple. created for law-enforcement purposes, it is only a matter of time before a hacker exploits it. we have already seen it happen on more than one occasion. for example, in may of 2014, it
10:07 am
was reported a major security was found in software used by law enforcement to intercept communications that allowed a hacker to listen into any call reported by the system. the amendment passed by the house was a step forward and will make a meaningful difference. our work is not done. this amendment in june was the first time congress had the opportunity to debate and vote on the distinct issue of the fourth amendment and the nsa. we need to continue pushing to protect private information and data security. we need the senate to follow suit. the house of representatives had the opportunity, finally, to vote on it, the result was overwhelming. the house stood up to the american people and for the constitution. that is something we can all celebrate. we sent a strong signal that if the government wants to collect
10:08 am
information on u.s. citizens, get a warrant. thank you for your hard work on this important issue and i look forward to working together with each of you to keep pushing for a safer and more secure internet. >> thank you, congresswoman. next up, representative alan grayson. >> congressman, thank you for inviting me to share the panel on the nsa and thank you for all the work you do to protect privacy and security in america and throughout the world. listen to me. if the chinese government had proposed to put in a backdoor to our computers and then paid a company $10 million to make that the standard, we would be furious. we would be angry. we would do something about it. what about when our own government did that? that is exactly what the nsa has
10:09 am
become, the best hacker in the entire world. in the weakness of the architecture of the software everyone uses, they are making it not just for their benefit, the benefit of anybody who comes along and knows about it. that is a shame. to our privacy as human beings. many of our economic activities cannot be done unless they can be done with some degree of security and safety. the protection the nsa is purporting to provide to americans is actually being undermined by the nsa itself. it has to end. i am happy many of you joined me in passing two amendments recently, which represented the first limits on the nsa's ability to insinuate itself into our software for improper purposes. one was our society -- science and technology amendment, which says this no longer has to be a short order cook for whatever wants to dos it it
10:10 am
appear the other was an amendment on the floor of the house which passed unanimously among democrats and republicans for the same purpose. the first steps we're taking to take back our privacy and our own security and our freedom. i welcome your help in doing that. it is one of the greatest endeavors in modern life to make sure we can preserve it against encroachments of big brother. thank you again. >> thank you to both representatives for taking the time to tape those messages and start a too much delayed the nsa and about security, one we will continue today. i would like to invite the panelists to come up. if you are wondering what the representative was referring to about $10 million being paid to somebody for undermining security, we will explain. all right. joining me on the stage, in
10:11 am
alphabetical order, are joe hall, the chief technologist at the center for technology, who i was looking forward to working with when i was working at that organization. and the author of our upcoming cost,on the nsa program's david, the private policy counsel for google here in washington dc, bruce, noted technologist and author, fellow at the berkeley center of harvard and oti, and, amongst his many books and articles, including when you can find done some of the original reporting based on the snowden documents about the working with while the guardian. then we have amy, a senior policy counsel here in d.c. working on several of these issues. out just to tell you where we're going with this, we will break up the conversation to talk about four sets of things the nsa has been up to
10:12 am
come along the lines of the handout those in the room might have picked up in the front. first, we will talk about the undermining of standards, second, the insertion of surveillance backdoors into products and services, third, the stockpiling of vulnerabilities in software, and finally, the range of tactics the nsa is using, taking advantage of many of those rules we have already spoken about. after an hour on those issues, we will spend a few minutes batting cleanup, talking about policy recommendations we missed and then we will turn it over to you guys for questions. starting with the issue of tools and standards. there has been reporting about the nsa taking a variety of steps to weaken encryption polls that we asked businesses use online to keep our information secure. representative grayson made reference to that, as to the president's review group, talking about the importance of
10:13 am
encryption to ensuring our communications online and the continued health of the economy. i will start with amy to explain what the heck happened. what did the nsa do, who were what is missed, and why does what they do matter? >> the nsa actually has two different missions. intelligence. this is the one most people are aware of and the mission under which they conduct all the surveillance document -- that you have been hearing about pretty much ad nauseam in the last year. the information assurance mission under which the nsa is supposed to be promoting security standards and encryption protocols, making sure all of your communications stay secure. it is under the information assurance that the nsa do this.
10:14 am
next, for those of us in d.c. deals withronyms, it many things. they said standards across the typesin so many different of businesses and jobs, not only encryption, the one of the things they do is set encryption standards. under a law called the computer security act passed in the 1980's, they coordinated with technologiesheir and information assurance mission on these encryption standards. the computer security act, which was very well drafted and made after a lot of collaboration between security experts in the formative days of the internet, was preempted by a law passed in 2002, that being a really key date in surveillance laws because it was post-9/11. federal information security management act came along and had language not as
10:15 am
fine-tuned as the computer security act and allowed the nsa, if you look at it closely, to come in and undermine the encryption standards in a way they were not able to under the previous language. it is absolutely required to consult with the nsa on all encryption standards. the amendment representative grayson actually alluded to earlier that passed out of the house, this is primarily an act that funds science and technology research and has not made it to the senate yet. in that bill, an amendment was added on in the committee that it is no longer required to consult with nsa on standards. they are still able to then this is a record -- recognition that the nsa is a lot of funding with a lot of smart people who do this work and they should not be prevented from being able to
10:16 am
help and assist. but they are no longer required to consult with the nsa in encryption standards. there will be a lot more accountability if the encryption standards the, undermined. later, as part of the defense appropriations that, a second amendment, again alluded to by representative grayson, is actually supposed to prevent any funding from being used by the nsa to undermine encryption standards. not only will this no longer be required to consult with nsa, but when they do, the nsa cannot less secure.s all >> press we can talk about why. the nsatalk about how actually undermine the standards set? >> it is surprisingly complicated.
10:17 am
nsa does a lot of undermining of the fundamental technology. intercepting cisco equipment as it is shipped to the customer and inserting back, the undermining happens all to the process. protocol, things that affect every single part of the product. it is encryption standards, implementations, software, and all of these, we have examples of the nsa going in and deliberately weakening security of things we use so they can eavesdrop on particular targets. a standard modified by the nsa to put in a backdoor. there are a lot of standards
10:18 am
where this did not happen. it is a good place to do it. this was discovered in 2006. we did not know who did it and it was not until the snowden documents that we had more of a story. you will see nsa backdoors in places you cannot actually see. imagine an operating system in your computer and your phone in the program that you that is somehow modified and is not as good as we think it is. harder to find, harder to pin on. a lot of examples. we will find these sorts of bugs and they look like mistakes. they could be mistakes, they could be enemy action by the u.s. or somebody else. very act of undermining not only undermines our security.
10:19 am
it is very toxic. seem undermining the standards not only undermines this tender but the trust. can curious if someone speak to the issue, we are number --out random used widely across the internet by civilians like us can someone speak to the issue of rsa and its role in this and the $10 million the representative mentioned? >> this gets a little complicated as well. bear with me. >> the subtitle of the panel is it is complicated area >> random number generators are extremely important in encryption.
10:20 am
encryption is essentially complicated math to make things totally unreadable, you have to be able to generate big numbers no one else can generate. they have to be random. if you have a flaw in a number generator, you may be able to predict the key, without much work, decide the shape to your key in the house and then go cut the key and break into your home. with a hatley did this particular random generator -- number generator. we knew this random number generator had been used in a lot of products and incorporated and other products used. one of the unfortunate things we was a lot of this stuff, i'm glad we know it. it is very scary but i'm better for having known it. there is a contract signed between the company that makes the popular piece of
10:21 am
and the nsa had paid them $10 million to make the default choice. you can be gracious and say the nsa was tired of figuring millions of computers and just wanted to be set up out-of-the-box. but it is the default set across the whole product line so anything that incorporates this whole thing would be used -- would use this random number generator. as far as we can tell, very few out there on the wild, at least the one you can measure by testing web servers and things like that, they use other sources of random number generators. from the point which we have learned about this to now, this is one thing that if you do not
10:22 am
know cryptographers, you learn very quickly those are some of the most paranoid people in the people being a little less paranoid. many of them have moved en masse to change the technology they use away from having the unfortunate flaw in them to ones we at least do not believe have flaws in them and have stood the test of time. >> thank you. i want to turn to david from google and talk about what you think this means from a company or user perspective and what you think it means from the government policies perspective of user encryption. >> thank you. what has been truly surprising is the extent of the effort to circumvent the undermining encryption. maybe the fact those efforts were undertaken is a little less surprising given the nsa's
10:23 am
mission. it is important to take a step back from a broader context and understand what the government's current view is about users use of encryption. underzation features section 702 and what those procedures say, not withstanding, a requirement to destroy wholly domestic communications, whether they're used by u.s. persons or non-us persons, can be obtained at the invitation of the nsa director. it sends an unfortunate message that the use of encryption is inherently suspect, particularly in the aftermath of what we have seen, large-scale data breaches. it is not a positive moment for users or for companies. it has the potential to bleed over not just into encryption
10:24 am
but toward where we offer and others offer. i do not know that users commonly distinguish. while the tools might be difficult to use, there are other things companies do that is relatively easy to use and implement. if all of these tools will ultimately be undermined or exploitable, that creates to taketives for users advantage of those tools. as a result, the future cyber incident serves the potential to exact greater harm than there would be if users were actually paying attention to the issues and be more cautious. >> i am curious moving forward, what are the policy options, prescriptions we have seen so far?
10:25 am
danielle, amy? i think representative grayson talked about this. one of the things is this relationship between nist and the nsa. this requirement with the nsa and the nsa being able to take advantage of that to undermine certain standards, that is very dangerous, because the standards themselves are used by developers in a lot of commercial products. take a not just, they particular product and insert a backdoor. it is actually the standards used in a variety of things. is also a standard setter, something united states has been a leader in for many years, probably since the beginning of the internet. part of it is making sure there is not a requirement in our law
10:26 am
that allows the nsa to take advantage. there is also, on the other side, it is a body that needs to rebuild its credibility and they have begun to do that. they have started reviewing their own policy and guidelines. claiming they did not know what was happening in 2006 when a standard was issued. they are now looking for all of these things here they are facing a trust deficit right now. they need to build that so the u.s. can continue to be a leader so developers and ordinary users will trust what they say. the fundamental issue here is broad versus target. the issue is not that the nsa is spying on whoever that guy is they want to spy on. they are deliberately weakening the security of everybody else in the world, so when we look at cap solutions, the solutions are on the orderto be
10:27 am
of targeted and not to the broad attack. the broad attack is what hurts everybody. as the representative said, once you build a weakened anything, you cannot guarantee you are the only person taken advantage of. once you do any kind of broad attack, broad surveillance, you suddenly start losing control of what you're doing. it is not the target. it is the fact that it happens broadly. >> you also mentioned you actually wrote about and we headed out of the front desk, one of your pieces about a particular policy solution to the issue, where you said to break up the nsa. can you talk about that? >> it is a little on the lines of what amy talked about. darcy does missions jammed into one agency. attack them and defend us. those revisions all through the cold war.
10:28 am
you have the same basic expertise to do both, but their stuff and ourselves were different. navalg a soviet undersea cable had no effect on other nations. you are able to keep those missions under one roof because they were physically separate and what they did. what has changed with the internet, everyone uses the same stuff. the soviethack number without affecting all of us. those missions collide and that is where the problem is. what i view as how to go forward, i think we need a more formal breaking of the security mission, the insurance mission, which protects standards, makes us all safer, from all the attackers out there, from the
10:29 am
targeted espionage and surveillance mission, going after that guess. additionally, you get into more complications. espionage mission is now too complicated. it has two components as well now. during the cold war, it was very simple. we would spy on enter -- enemy government communications. we would eavesdrop on them. that changed after september 11. now the surveillance is pretty much everybody. everybody, we get all of the telephone calls in and out of bermuda. every agent. we get the phone call metadata of every american. these broad surveillance measures, government on population surveillance are much more a law enforcement mechanism. the government on government espionage, the cold war, that is a military mission.
10:30 am
government population surveillance, it is much more -- i think it belongs more in a law enforcement agency and i military agency. that is broadly the way i want to break things up, to be more in line with what we imagined the rules and regulations governing these should be. >> the president has his review group agrees with you on most points. -- of those points. -- on those points. i was hoping we could be taken on a brief history lesson. we had this debate before in the 1990's. wanted to have a clipper chip insecure devices so they can have lawful access to the data that was encrypted and eventually, that cannot happen. could you talk a little bit about that. seems like we won those wars and then the nsa kept fighting >> is a egret?
10:31 am
wonderful thing. for the longest time, it used to be entirely in the purview of u.s. militants, under the nsa. one of the crazy things that happened in our history was there were independent discoveries of fundamental cryptographic messages that had been discovered a decade before working in the military. now you have academics and other people discovering these things and realizing we are going to have a computerized network future and we were -- we might want privacy and confidentiality, some acute -- some security associated with that. need to have those methods outside of military control and in the hands of civilians. there is a tension going on with what the administration has something called a clipper chip,
10:32 am
a chip that had an encryption key on it were that -- the idea cut into two pieces and there'll be two part of the u.s. government that would have them and then, if they suspected you were doing something bad, they would get a warrant, get probable cause if they had evidence you are doing something bad, and then be able to listen in on your encrypted communications. that could sound like complete gibberish, like white noise. and thend get this key because they have this key, they could get access. this amazing group of experts, one of which was here right now, wrote an extremely compelling paper that basically said, here are the problems with keeping copies of keys around in places
10:33 am
where only the government could get access to them. foundation commission built for the clipper chips. i think i'm getting things mixed up. we were able to argue that, look, this is not a good idea and it will not work and there are other ways to get access to the stuff. fact, if you ever want to check out a cool book, read all about this back-and-forth were between advocates of complicated sector and civilian people who thought it would only make the world a horrible place because bad guys would be able to hide stuff from the u.s. government, who have a duty to oversee the entire world. it turns out we won the crypto wars not only on that front but also on the export front.
10:34 am
the u.s. government would not let you export very strong encryption technology for many years. after a bunch of deep thinkers essentially put a bunch of very on newsgroup,code and if you do not know what that is, you will have to look it up later -- put it on newsgroup so people around the world could get access to it. happened, there was no vision we could keep this within the u.s. quarter. there were no assurances that happen anymore. essentially, the were stopped and we were happy to move on to other battles in the advocacy row -- realm. they decided, we will fight it in a way they will never know it. we will undermine encryption technologies, intercept routers on the way to their customers so
10:35 am
you are not even messing with that, you're messing with a hardware component. turns out, they have been doing massive amounts of things they do not describe the level of detail i would want to read in public release documents. who knows. >> it seems for allowing and if bored, there was an economic argument and a trust argument, the idea that, if we will be transitioning, if we want them to haveed and confidence in our transactions and grow the information in our economy, we needed to be secure. it is the same argument many have made in response to what we're learning about the nsa's assertion and backdoors and a andety of software products a variety of services. i was hoping we could be
10:36 am
introduced to what we have been learning in the past year. just described the transition and the public to attend to insert back door into all products to have the key. they turned to the companies and said to figure out a way to develop relationships to convince them and make it easier for the nsa to get access. the idea being only the nsa would have asked the spirit everyone can explain to you why that fear not necessarily sound. what we have learned in the past year is the nsa spends about $250 million a year in a program called enabling. it is one of multiple different programs to be revealed where they lived to leverage these relationships with companies to influence product design.
10:37 am
i think the words are to shape the global technology marketplace facility for this idea that they can convince companies to make it easier for them to get access to their products. this is inserting backdoors into commercial i.t. systems, into encryption, into end-user devices. the goals of the project are wide ranging to get access in as many ways as possible. this is a private way to get companies on their side and let backdoors into their products. we have also learned it is not always the knowledge of the company that they are in sorting -- inserting backdoors. intersection -- interception and -- we learned they were intercepting.
10:38 am
the nsa wants commercial products, that it might need access to monitor targets. the are all -- these are also products we all use every day for our communications and various activities online. they want to insert a backdoor only they will know about so they can access the information they need or insert malware if they want to or do whatever they want. there we go. i was a sign i should stop talking. >> it seems this is also a debate, we have had a version of before. that required phone companies in the 1990's send their systems wiretappable. there has been discussion in the past few years of expanding that and providing other online services and products. can you
10:39 am
talk to us about the debate and the arguments you and others into civil society security world had? >> sure. up until june 5 of last year, when the first it was made public, the fbi had been pushing very strongly internally to the obama administration for essentially the argument they made was, they're going dark. the fbi is going dark. that means back in the day, all they had to do was get a warrant for telephonic wiretapping. it used to be as easy -- easy as attaching alligator clips on phone lines and listening to a call. it got more complicated over the years with circuit switching and all sorts of crazy stuff. it got to the point where we , thed the law
10:40 am
communications assistance for law enforcement act, which said any provider of services must have a way to wiretap people. you must be able to respond to a law enforcement request to wiretap. the fbi has been saying, people do not use phones anymore. they sit there and talk to there is a variety of ways we communicate these days. over about two years, the fbi has been arguing we need a way to make these things a little more bright. getting a little brighter for them so they can actually get access. what -- this was essentially a proposal, essentially, no one ever actually saw the proposal except a couple of reporters. basically said the fbi can come
10:41 am
to you as a maker of a piece of , and they would say, we need access to this stuff, please do it. if you said, the product is not designed to do that and it will take us a while, they will say, ok. make sure in the future when we come to you, you can turn on the wiretap capabilities for the stuff. it is sort of a way of putting you on notice that you need to build a backdoor into your product. unfortunately for them, this got leaked to the press in an absurd way, where you some propose -- proposals like, you're on notice and you wiretap your users, if you do not do it, you will get $10,000 a day, and it will double every day, which, if you do basic math, it would be all the money in the world three or four weeks and. it is ridiculous.
10:42 am
cdt organized a group of experts in a gorgeous paper i can point you to, the risks of wiretapping and point or something like that. they made a really important argument. this is a bad idea. putting backdoors on products is fundamentally undermining the structure of the universe if you think about it in a physical reality sense. by that, everything you do online involves communication. to the extent you want integrity , somebody you know who has not changed -- they will use encryption or other kinds, that will not work anymore because they will have these backdoors that no one can prove can only be used by good guys. the random number generator may give it a run for its money for technical reasons. the compelling argument was it
10:43 am
will not work and all the things you want to wiretap these days, because the firefox or the chrome browser, these things, it is available and you can get it or build it itself, it is easy and turn itiece out into a piece of executable software -- if you cannot do that in the u.s., you are moving all the secure parts into another country and we lose all the capability. these kinds of things will still be available. you cannot subtly erected treaty that everyone needs to be able to wiretap all software all the time. >> i am reminded of a particular example in the mid-2000's. like the u.s., greece had systems intercepted and they eventually discovered an unknown adversary, rumored to be the compromise thely
10:44 am
intercept systems there and had been using it for a long time to spy on the highest echelons of the greek government, including its prime minister and president. a good lesson in how these backdoors can backfire. any other thoughts about security implications of backdoors? >> a bit. >> bruce has written an essay on almost everything and they are great. is, again, should we compromise the security of everybody in order to access data of the few? in order to believe that is a good idea, you have to believe only you can use that compromised path. that in some way, no one else can use it. the greece example is an example that it -- where that is not the
10:45 am
case. a lot of examples where this global compromise is used by expect tole than you reconsider -- we can security. you also have to believe that this path to the few outweighs the security of the many. you have to believe that. that security in our communications, in our data, in our information, is a vitally important to all of us. there is a wide variety of threats out there. government, criminal, foreign, domestic, and security is one of the ways we protect ourselves. what the fbi and the nsa are asked -- asking is, our mission trumps that, we want access to that so badly none of your security matters. it matters less.
10:46 am
we talk about harms and how the nsa harms security. this is it. it harms security because they believe their need for access to the few trumps the needs for security for everybody. greece was aom u.s. product. not want thed feature, the feature of global access was not wanted here it was just in the code. it happened to be there. it came with a product. was not turned on. someone snuck in and turned it on and used it. here is the government having their government communications breached because of a backdoor they did not even want. that is the kind of thing we have to worry about. you put it that your income of three years from now, criminals are using it. now what? i do not think this is a difficult trade-off to make.
10:47 am
the problem is, the nsa is not equipped to make it. these have to be made in public at higher levels. the seeome of these proposed, has congress making these decisions. at least we have a chance of them recognizing security from surveillance. >> we have the president's review group. i am dirty enough to have favorite recommendations, recognition .9, that nsa will not mandate that any product that the vendor of a product does not have to change a product to undermine the security and enable surveillance. cosponsored by representatives matthew and a pretty broad bipartisan coalition of folks, went even further and said nsa cannot that a or even request vendor or service provider weaken their product to enable
10:48 am
surveillance. that amendment was locally supported by -- vocally supported by google and a variety of other companies and civil society groups including my own. i was curious if you could talk about why google chose to support that. >> yes. that particular amendment has two backdoors, one with respect to require companies to build security vulnerabilities into their products and the second was the perspective of a backdoor search loophole, an important but perhaps overlooked component of the original freedom act, which was introduced by senator leahy. backdoor search loophole, section 702 enables --elligence community prohibits the intelligence community from targeting the communications of people in the u.s.
10:49 am
what it does not speak to is what happens to communications of u.s. persons incidentally collected. we learned more about that from an article that appeared yesterday about how sensitive that collection is. it reinforces the importance of the amendment. under current law, the intelligence community can turn a blind eye to the fact there is a large cache of u.s. people being collected -- u.s. information being collected. this is something that has been core to google's advocacy in washington for quite some time, that there should be an ironclad content requirement, something the supreme court, at the very in the rileyto opinion from a couple of weeks ago. >> the searching of cell phones. >> that is right. so we thought it was important. this is a welcome and
10:50 am
unsuspected opportunity to weigh in support on both the back whole or -- backdoor search loophole, but for one year to build inompanies to these sorts of backdoors. it would seem -- maybe a year ago, this language may have seemed unnecessary, but it is now really important to restore trust, that these sorts of things are not being requested or required of companies. it is a positive step, but i think there is more to be done. an appropriations bill. it is an amendment and it is unclear if it will openly survive the entire appropriations process. if you have not read it yet, i recommend this story in the washington post yesterday, on sunday. i think it will get them their next pulitzer on the topic. any other comments or thoughts about the backdoor issues before we move on to the issue of stock thing aboutne more
10:51 am
trust. we talked a little bit about this destroys the trust. i think it is important to talk about exactly what the trust was. it is not that we in the tech community trusted these products were secure, that they were invulnerable, that they did not have vulnerability that allows hackers in. we know that hard vulnerabilities are everywhere. that these security technologies would rise and fall on their own merits. they would be what they were advertised, not that there was some government hand secretly sneaking in and twiddling with the knobs. that is the failure of trust and it is a big one, it is something we in the united states have to deal with as we try to sell our products overseas. other countries are saying, why should we buy the u.s. thing? you are lying to me when you say this product is secure.
10:52 am
you have been forced to make changes you are not allowed to talk about. we know this has happened. we know this happened with microsoft. microsoft made unknown changes to skype to make it easier to eavesdrop. we do not know what they are. we do not know how they were done. we know they happened. how is that going to play in the international market? germany recently kicked verizon out of a large contract because they did not trust that verizon was behaving in their customers' interest. they did not trust the nsa did not come in and force them to do something and then lied to their customers. that is the betrayal. it is a big one. we as technologists like to believe that technology rises and falls on its own. from theilling back broad targeting of everybody, to the more targeted.
10:53 am
eliminating backdoors and trying to make it so the nsa can insert them in products and services will not get rid of the targeted are trying tohey collect. we talked about the different ways the nsa has of collecting surveillance on legitimate targets. this just eliminates their ability to spy on everybody at any given time, which is really what we are continually trying to do, to take it away from target, too,a let's look at who the targets are. another commentator said, it makes them fish with a pole rather than a net. spinning off of bruce's comment about how we do not expect our products to be perfectly secure, but just not intentionally insecure, most software has flaws in it. bugs and vulnerabilities. what we learned in december in a great exposé, which some of us
10:54 am
are starting to wonder whether it came from a source other than snowden, we learned of nsa's massive catalog of vulnerabilities in a wide variety of widely used products, hardware, and software. they can pick and choose and say, oh, the target has that and here is a vulnerability for that. can you help us out with, where did those come from and where can i buy one? >> let's talk about software for a second. it is incredibly complicated, everywhere, and we as scientists and a community and technologists do not know how to write this. we do our best, but all software contains bugs and vulnerabilities. you know every month, you get a dozen or so updates. those are all closing, fixing
10:55 am
bugs and closing vulnerabilities. vulnerabilities can be used to attack systems. earlier, i talked about the nsa's dual missions, protection and attack. when vulnerabilities can be used for both. you discover vulnerability, you call up microsoft and say, you have this vulnerability. microsoft fixes it. nobody else -- you discover that vulnerability and call and say, look what i found. that vulnerability is now used to break into systems, steal money, steal passwords. we in the security community recognize the way to improve security is by continually researching, finding, and fixing vulnerabilities. the nsa can play either end. they have these two missions. they can play defense and use those vulnerabilities to make things more secure, or they can
10:56 am
play offense, keep those vulnerabilities in their back pockets, and use them to attack systems. targeted versus broad, those vulnerabilities affect everybody. they're in an operating system, the internet. now we have a question. what should the nsa do? there has been debate. should they hoard them, to attack the bad guys, and come up with all these reasons why you might want to keep them. by keeping them as vulnerabilities, we are now vulnerable to them. or, should they fix them? if you fix them, you fix the computers of the good guys and the bad guys. if you hoard them, anyone can use them to attack the bad guys and the good guys. that is the fundamental debate. again, the question comes down to, what is more important? security or surveillance? isn't it the surveillance of the few that beats the many, or the
10:57 am
other way around? learned the nsa has a large catalog of these vulnerabilities it is stockpiling and using for its own offensive for foreign intelligence purposes. one of the alternatives is simply disclosing immediately, or something in between that. research you have done on this. what have you seen out there in terms of the discussion on how nsa should be handling this? >> this is something that comes up in the president's review group but it has come up many times before and there is a great paper about the idea of lawful hacking by a couple of folks and what they talk about is the challenge of what is the best and most ethical way to get access to communications for lawful purposes. one of the big challenges is you
10:58 am
will always find some kind of vulnerability. when there is a tension between offense and defense of abilities is to say, we might need all of you, which ignores the fact that since you will keep finding security holes, you will just sort of continue to come up with an ever longer an ever-growing list of these. what they talk about is what a responsible practice looks like, where you find a vulnerability of some kind, you disclose it immediately, unless you have a very compelling and immediate need to use it. if you're looking for something specifically at that moment and it is high national security reasons, you might be able to use that vulnerability and then later, as soon as you have used it to get what you needed, then disclose it to the company so the company can patch it so all the use -- ordinary users are open to attack.
10:59 am
that they can have their software or products patched. the other thing they point out is that software patching is not immediate. even when you find a vulnerability, you can disclose it and continue to exploit it for a short time until you sort of run out and then you look for another way to get in. this is a very complicated issue because there is something allnge about the idea that of exploiting vulnerabilities to get access to information. the idea is this is inevitably going to happen and we need to figure out a reasonable way to deal with the problem while recognizing there may be legitimate law enforcement or national security needs. the president's review group says the same thing. the default should be disclosure of vulnerability. then onlymediate, and for a very compelling reason, following a senior interagency review process, the nsa might be able to withhold vulnerabilities so they can use it.
11:00 am
it says they should not be holding onto them and accumulating their own arsenal of vulnerabilities and not letting the companies know because it means general cyber security as we can do so that just in case the nsa might need that vulnerability at some point for some target, i have access to it. all or nothing approach, where there is no recognition of the fact that it is actually bad for everyone's security that these holes are out there, that these flaws aren't being disclosed. companies, soe that they can responsibly patch them. saying no, we have this information. this came up in the debate about the heart worm vulnerability. did the nsa know about the vulnerability? and if they did, why didn't they disclose it? have they been looking for ways to exploit the openssl protocol for years, so that they could get access to things? that is a serious allegation. it is a serious challenge.
11:01 am
they talked about a disclosure process that they have, but they didn't say much about the details of it. at about what constituted extraordinary circumstances. >> there was a story that was denied, the nsa knew about heartbleed. it seems that is not true. but in response, the white house said -- by the way, we actually do have an interagency process to decide when to disclose vulnerabilities. we have had it for years. we are now in the midst of reviving it, or revitalizing it in response to the review group recommendations. that would imply they weren't following it fully before. what do we know, amie, about this vulnerabilities equities process? >> you touch on a lot of it. we know that the nsa has a stockpile of vulnerabilities. we actually know that the u.s.
11:02 am
stockpiling vulnerabilities is one of the main drivers of the economy of vulnerabilities. it actually raises the price, because the u.s. is willing to pay quite a bit of money for vulnerabilities for things they can exploit. process whereis they go, oh my god heartbleed, people think we know about it, what can we do? let's dust off this old thing that we haven't been using, and say this is going to be the process by which we figure out if we will reveal vulnerabilities so they can be patched. a multilevel weighing process. whether you are vulnerable versus their own security needs. we come back to the nsa's function, we see when they weigh availability versus assurance, the side wins. it is unclear how this process will play out.
11:03 am
there is no transparency built into it. i think one of the key things we need to talk about throughout this is the need for greater transparency, and how things are being applied. they haven't talked about his numbers are going to be made public about this process. who is going to be aware of, the vulnerabilities they turn over every year, and how many they keep back. how many days on average they keep things back. these are core questions that need to be answered. things that could be made public, numbers that can be made public without great risk to national security, if any risk at all. it is not built-in to this process that is inherently kind of tilted in one direction from the very beginning. the nsa values its surveillance missions so high. >> words, one thing we haven't touched on is the nature of this.
11:04 am
lots of countries are looking for vulnerabilities. the government of china is doing the same thing. , one ise cyber weapons called hacking team out of italy. they sell software to break into systems with vulnerabilities like these. governments like ethiopia, has on -- government thedon't want raking in two securities of their systems. we are not just making security better for us, we are making it better for a lot of people in the world that need security to stay alive and stay out of jail. the international nature of this makes it very subtle. there are a lot of arguments that we have to hoard vulnerabilities, because if we don't, china will, and china will win. it is a zero-sum game, arms race argument. it fails to recognize that every vulnerability we allow to remain is the potential in our armor --
11:05 am
chink in our armor. as long as we are a society, we are fundamentally a greater risk than the government of china is. than the government of ethiopia is, or north korea. important, much more not just in general, but to us specifically. because of this very international nature. add, i think it's encouraging that the administration is taking up this vulnerabilities equities process. talking about one of your favorite recommendations, this is one of mine from the review group. there are real differences. if nothing we have learned about the importance of language and trying to understand the divine intent and meaning of what the intelligence community is saying , based on sort the written word -- the review group's recommendation in this regard was to disclose, unless there
11:06 am
was an urgent and significant national security interest. in the aftermath of the accusations that the administration had exploited the -- they had said there was a strong bias towards disclosure, unless there was a clear national security or law enforcement issue. that is very different. those are two very different standards. what would help to sort of inspire confidence that there is a strong bias towards disclosure is to have more transparency. quantifiable in terms of the circumstances under which a vulnerability is disclosed, or stockpiled and used, or even temporarily stockpiled and used. there is a lot to be done on this front. i think it is encouraging that the administration is undertaking this vulnerabilities equities process, and seems to have done so before they were accused of exploiting heartbleed. at the same time, there are a
11:07 am
lot of questions that remain about what the standard means in practice. >> correct me if i'm wrong, but the review actually said they should be used rarely. that is the word they use. rarely should they not be immediately disclosed. very strong. >> do know whether google has received any disclosures under this process? >> not that i know of. the whole concept of information sharing is a little bit more tricky these days. >> i would so use a cut out anyways. >> the senate intelligence roos --e tomorrow, so, bruce countered my argument. disclosing vulnerabilities is universally disarming. if you global bomb, you can't use it again. if you disclose the polar -- the vulnerability, and fix it, no one can use it.
11:08 am
the nsa has weakened encryption, and has these backdoors. backdoors into a variety of projects -- products. what are they doing with all of that? it seems that what they are doing is building a large network across the planet of compromised computers and networks. they can then use that to conduct surveillance. it seems the big part of this is something called quantum. i didn't really understand the quantum stuff. this is something that bruce has done reporting on. i didn't really understand until joe explained it to me. i was hoping joe could explain briefly what is quantum business is. bruce's just explaining article to you. i try to explain things in a way people can understand. jump in at any point. >> i try to explain things in a
11:09 am
way that people can understand. >> quantum is a scary thing. what --y to be like -- ok. if you fall asleep, i will yell you. quantum appears to be the u.s. government can respond quicker than any website. your browser says i want to go to cnn.com. in the internet that can respond faster than actual cnn does. that's what we call a race condition. the nsa is trying to beat the response from the actual thing you wanted to get access to, with their stuff. it appears -- this is where surveillance gets really strange. as --nd to think of it i'm watching a lot of stuff flow by, i'll jot down notes about what they are saying. this is active surveillance. what we mean by that is -- they
11:10 am
are actually changing stuff. changing communications to do this. one example -- if you happen to it's an this browser, anonymity tool you should all look into. haveu go someplace, they stuff on the internet. it's hard to know what it is, and the documents don't describe it. it's too sensitive to write down. i don't know. it's an indication you may be a bad guy. you may be looking up contraception in a place that doesn't allow that. you are a bad guy. they can respond so fast, and poke a hole into your browser. basically use one of these catalogs -- they have weaponized this catalog. it's not just a database of vulnerabilities that may be out there, but they haven't fixed yet, it's operationalized into tools that can poke holes in your stuff. then establish a beachhead on your computer, and do things later, or do things right then.
11:11 am
it's scary. if you think about it, if you just happen to type the wrong thing in, or have the wrong book report assignments, you may get a hole poked into your system by this vast set of infrastructures that are using vulnerabilities and a variety of very clever ways. the internet is really complicated. we could spend a whole day talking about how complicated it is. they have this global reach and what people are doing. it's not everyone, but it seems to be a substantial chunk of what people are doing on the internet. that is remarkable. the kind of thing where engineers think of -- hey, i'm designing this thing to make your communications confidential between here and here. there may be a bad guy listening, but we will design it with that bad guy in mind. so we thwart that bad guy. the kind of bad guy we don't think about often is one that has infinite money, and has
11:12 am
global insight into everything that happens. that is akeley -- that is exactly what happened to make it through design systems. >> let me try and sum this up. the nsa has compromised a bunch of routers and a variety of isps. a whole lot of vantage points around the global internet. it is watching for targets. whether it's someone using that browser, or searching for a particular thing, or using a particular isp address. then it jumps out in front of that person's communications, pretends to be the site they are looking for, and uses that opportunity to inject malware into their computer. breakaway here to take you live to comments from senator john mccain, following the closed-door armed services hearing. >> terrorism that is history on their rack -- iraq serial border.
11:13 am
they have no strategy, and they could not counter our intelligence estimates over time it. >> today a lot and it plans -- did they outline any plans? >> i can give any details. can't give any details. [inaudible] >> we are hearing from senator john mccain. we will try to listen in here -- this is just after a closed-door hearing on iraq and afghanistan.
11:14 am
11:15 am
iraq and afghanistan. you can see a crowd of reporters around senator mccain, just out of earshot. we will stay here live, and see if we hear from other senators as well. the senator made just a few comments on mic that we picked up. this is led coverage, here on c-span. -- live coverage, here on c-span.
11:16 am
11:17 am
joint chiefs, general martin dempsey. that hearing specific refocusing -- senator going by, not speaking to reporters in front of the microphones. the hearing focusing on iraq and afghanistan. we hope to have more live coverage and recorded comments as well. news from capitol hill this morning that the white house is going to seek $3.8 billion for border control. the washington post saying the president will request that from congress. emergency funding to deal with an influx of unaccompanied minors from central america -- a far higher amount that the obama administration had previously signaled. more details about that later on. we will be back here live if we can, ahead of our house coverage at noon. in the meantime, we will take you back to our discussion at the new america foundation, on nsa surveillance and internet security. let's stay here live, perhaps hear from senator leahy.
11:18 am
>> i can say we are pretty much all the way there. you can never say you are 100% of the way there. the we have more -- we have been working pretty successfully. even before the post reported that particular revelation, we were working to encrypt the traffic between our data centers. particularly troubling and disconcerting revelation. there are mechanisms, including those that congress authorized under the fisa amendments act of 2008, that enable the intelligence community to seek information through the front door. and to do so in ways that weren't envisioned, or encompassed by previous types of fisa surveillance. to see their efforts to tap links between our data centers to track data traffic in ways it
11:19 am
wasn't targeted, and swept up hundreds of millions of communications -- i think it sort of reinforced our responsibility to redouble our efforts, and to do as much as we can on the security side. notwithstanding anything congress might do to limit the ways the nsa can conduct surveillance. >> it seems that, beyond fallacy reform, one of the responses -- all of the reform, one of the responses is to try and secure your services against these threats. more about what we should expect countries to be doing at this point. wewhen i gained access, talked about transparency reporting and how absolutely vital it is. reasons for that is we have this window into the nsa's activities. provided in large part by edward snowden. but it is time-limited. we only know what we know from the documents he was able to provide to us while he was there.
11:20 am
we are not going to know what is happening next month, next year, five years from now. we need ways into the future to keep that window open, or at least, as open as absolutely possible. so we can continue to have this dialogue about the extent of nsa authority. that is not enough. and spare the reporting only provides you -- transparency reporting only provide you numbers when the government goes to official judicial processes to get information. how many times they asked the court to provide them with information on their users or accounts. so what we are looking at is all the different times when the government doesn't go through official process, and taps into the fiber of the internet. and try to get communications that way. what needs to happen to make sure that all of your communications are protected. we have a security action plan that has been signed by a lot of forward thinkers, internet
11:21 am
companies, including twitter. we have another big announcement coming tomorrow. teaser alert. it has been signed by leading civil society groups. kind of ay coalition, broad range of groups saying that here are seven things companies can do if they are going to collect information on people. in order to make sure that information is properly protected. unauthorized users, foreign governments, the nsa, bad actors, criminals cannot get a hold of it. it includes things like encrypting data when it goes between data centers, and what is flowing over the internet. making sure the data at rest is protected. making sure your passwords are strong, and that you have -- that you are moving towards a two factor authentication system. core things. really common sense -- seven pieces of really common sense
11:22 am
activities. we are finding that companies across the board aren't engaging. if these seven things can become a floor on internet security, that you can then start moving forward. here's the bare minimum of what is accepted. inventive, and protect people's information even more robustly. and think of new ways to protect it. atyou register, that's gs.net.allthethin >> it seems there are a lot of things you need to encrypt if you want -- you need to encrypt all the things. you need to encrypt between you and the website. you need to encrypt between you and the e-mail servers, and them to in -- encrypt between each other. google released a transparency report listing a lot of servers that were not doing that. change a few of them in determining the encryption on. there is end-to-end encryption,
11:23 am
and recently put out a plug-in to enable you to use your encryption on webmail. can you talk more about what we as users can or should be doing to try and protect our own privacy against the nsa, or anyone else? >> again, we will talk about focus. if the nsa, the fbi, the military wants into your computer -- your personal computer, they are probably going to get in. we, as security people, cannot defend against a well-funded, well targeted sophisticated attack against the system. we are not able to do that. that's not what we are trying to defend against. what we are trying to defend against is bulk surveillance. chinese, thethe criminals get into everybody's
11:24 am
computer? can they do it in bulk, efficiently, automatically, on a broad scale? they are, there is a lot we can do. we talked about encryption. that will protect your data from flowing one place to another. they will be ways to get at it, if the fbi get the warrant, it gets more complicated. but in normal case of bulk surveillance, that doesn't happen. if it is easy to grab, it will be grabbed. there are things you can do there. you can protect anonymity. there are lots of different tools. the issue is going to be that a lot of the data that is being collected is not able to be protected in this manner. it's what's being called metadata. metadata is the data the system needs to operate. you can encrypt your e-mail, but the time of day cannot be encrypted. you can have a secure voice
11:25 am
conversation, but who is talking, how long they are talking, and when they are talking -- that cannot be encrypted. your cell phone is a location tracking device. we can secure that, but then you can't receive phone calls. the system has to know where you are. this data cannot be protected by action to take, because the system needs it. when i talk about what you can do to protect yourself, the single most important thing you can do is agitate for political change. there are a lot of tech solutions, we will talk about them. but they are fundamentally around the edges. this is the political issue, and the solutions will be political. that is the most important thing you can do. with that, and we can talk about technology. enough,'t emphasize long policy moves slowly. it is critical -- a critical component of fixing this in the
11:26 am
long term. people who decide how your computers work, and how things work on the internet, skaters move a little faster than laws. something we are doing -- standards move a little faster than laws. we are making sure we are present in the conversation that the internet engineers are involved with. -- an industryn thing. it's something that regular people have interest in. getting to the tech specifically, i like to think of this in terms of hygiene. you can go about your life not caring about your hygiene. not caring about how you smell, what you look like, whatever. you will not have as good a time as somebody who might be more sensitive to those social norms. it is a little different on the internet. i like to talk about digital hygiene. what things can you do to keep your house in order, in a digital sense. there are a variety of things. vpn.
11:27 am
three letters, stand for something that is more complicated. if you have one of these pieces of software, and turn it on, all the local stuff that is happening outside of your computers is encrypted. if you go to a coffee shop or airport, you will also -- often see free wi-fi. it won't have a lock on it like your home network should. click ongh you have to some terms of service, and pay money, or whatever, all the communications you send through your computer aren't encrypted. if you use a vpn, all of your communications locally are encrypted. it looks that you came from new york city if you are in washington dc. that protects you from people who are trying to subvert you that are local to your coffee shop or airport. some of these sound like they are not nsa level protections, but they all sort of add into
11:28 am
making you less smelly, in your digital life. another one is a password manager. i know three passwords. i only need to know one, but i have 1200. some of those i have used for years. they are all completely randomly generated. i never have to think about them. a password manager -- there are a bunch of different types of those tools. it manages all that. electronic frontier foundation makes a handy plug-in for firefox. that when you see the line in your browser, will be going from http to https. that means it is secure. make sure that there is an option to have an encrypted connection, use the encrypted connection.
11:29 am
variety of these, but i will shut up. we talked about a variety of tactical solutions. we talked about a variety of policy solutions. i have one more policy thought to throw out. an issue we didn't talk about was the policy response to this offensive hacking by the nsa. an issue that we also see in the context of law-enforcement. we are finally starting to see an above board conversation about what the rules of the road should be when the government wants to hack into a computer. we have a computer crime law that has a pretty broad carveout for law-enforcement and national security. we are only now starting to see a few court decisions about when is it ok for law-enforcement to use a vulnerability to break into your computer remotely. we are starting to see a discussion in the advisory committee of u.s. courts, that
11:30 am
discusses what warrants should look like. if you are going to use one to break into a computer. we haven't, in the context of the nsa discussion, had a debate about what the rule should be if the intelligence community wants to break into computers. pulling >> the aclu has done some great work on that issue. i will leave it to you guys if you have any other thoughts or recommendations or closing sentiments before we open it up to questions. the fact that you came means you care. >> it is a little complicated area. who is working the mic? >> we know the sky.
11:31 am
>> i work with the aclu. surveillance you discussed relies on the assistance of companies. we are scared when companies are forced to give up this information. theerts our security and court order might force at&t to mao are probes and the networks. the subversion security that troubles me the most is when companies do it voluntarily. we have heard about companies have beefed up security in the last year. google has beefed things up. some places you are still providing voluntary assistance. you are weakening the security of your users.
11:32 am
if the police don't want and they seize a cell phone they can go to google and google will unlock that phone for law enforcement. they insist on a warrant when other companies might do it with less. there is no law requiring circumventing the lock feature on the screen. snowden, if you are thinking if that is a feature that still exists or whether you should be taking it away. your users do so with the expectation that only they would be able to remove it. the police can go want then asked you to remove it may anger some users. >> my response is brief. i don't serve in a compliance role for google. i have not heard about that before but i will take it back and ask that question. i would be happy to say that
11:33 am
i really think this level encryption is key technology. enabling this level of encryption is a kind of thing that would make me very happy. it is weird with ios. some things are encrypted and some things aren't. i know there are practical things to take a long time. it would be nice to turn that off. i am just a nerd. there is a lot of cool cloak and dagger stuff. i want to go home and watch "sneakers" when i get home. i think you make a great point about the password manager. i think people in this room and
11:34 am
at home argues that type of stuff. what type of activities or steps have the companies themselves taken post snowden to make our communications more secure? reform? discuss it decreases as well. i was hoping you could address those two issues. >> i will shut up quickly. we have seen more encryption on the web. there has got to be a better word for this thing. ephemeral. it it stays thetion same forever. they are using models of encryption where you have one
11:35 am
key per session. you come back tomorrow and start up a new web browser. it is not the same as yesterday. it requires a little bit more work on the part of the company. it is worth it and it is often not that much more expensive. is the place to look major internet companies have seven or eight different things they should be doing to encrypt the web to protect their root users. that is the place to look. you can see who is doing what and look at the history. that is a good way to get a handle on which company is doing what things to protect the security of their users. in civil society technologist have personal incentives to organizations if they move to encryption by
11:36 am
default. in response, very briefly because it it is an important was oure privacy act first digital privacy law. it is so broken at this point. it was based on a lot of assumptions about how technology works. the e-mails that you have that are less than 180 days old require a warrant. this is issued by a judge based on probable cause. these -- e-mails older than that only need a subpoena. have not opened it or if it is in your draft folder or if it is your sent folder. under current law, the most protected e-mail in your e-mail account is everything in your
11:37 am
spam folder because you haven't opened it yet. >> don't read your e-mail. don't read your e-mail. many of us lead in an effort called digital due process. we were a coalition of companies and organizations trying to reform it. there is a single clear rule that if you want somebody's content you to warn. we think this follows a basic principle. what you store and drop off should receive the same protection as the file you keep at home. we are in a frustrating place where we have a bill in the house that actually has the
11:38 am
majority of the house sponsor the bill at this point. whatever that magic number is. still not moving. perspective, in a weird and bizarro world where it seems like nsa reform has more heat than what should be a really uncontroversial fix to the law enforcement digital privacy law. the momentum is still building at some point the leadership are going to have to move this bill because the tide is unstoppable. add, this is the lowest hanging fruit on the surveillance tree. there is a reason why majority of congress supports the bill. it enjoys broad bipartisan support from both republicans and democrats. passage where the
11:39 am
supreme court said some users not familiar with data is stored locally or remotely. it doesn't make any difference for fourth amendment purposes. unanimous supreme court. the supreme court is sending signals that that kind of case comes before it it will hold that. there should be an ironclad warrant for content. what we are seeing in a different context is that warrant requirement isn't so ironclad. there should be circumstances where the nsa should be allowed to search communications if they have already collected if the data is lawfully collected. there shouldn't be any restrictions to query it. i think that skips a step in the analysis. it just deals with data after it has been collected.
11:40 am
i think that is really important. i should mention in case my overseers are following this at all, there was a plug-in you referred to. hopefully ato be browser extension. if it works right you will be able to use an encryption. we are not quite there yet. we're kicking the tires and encouraging people. people to discover security vulnerabilities. encourage people to report that to us. the last thing to add is a lot of the things that we talked about today are things that security researchers have known or suspected for a long time. one of the good things in the past year is this is coming out for meaningful public discourse.
11:41 am
this creates greater opportunity for what roots highlighted. clear that a lot of these laws are outdated. these are things that affect real users and we get more stories like the one on sunday. there is collection happening that is incidental that makes people uncomfortable. they can talk about it now in a responsible and well-informed way. that is very positive for moving the political process forward and seen reform a wide variety of issues. this is sort of the beginning, this year of many years of fights in these issues. it is not going to be easy and the changes will not be easy. a lot of these conversations are happening and they are long overdue. >> the tinfoil hat crowd was right. i come at this from working
11:42 am
at the electronic frontier association. the nsa was sitting on at&t's network and sucking up everything and filter not the thought the things they wanted. they thought we were crazy conspiracy theorists. it has been validating and all the papers of record and the nsa is sitting on our national internet backbone. we need to do something about it. thank you all so much for this. it has been very interesting. i'm with digital liberty and americans for tax reform. there are two other events this week. i have a question that i have written down because it is complicated.
11:43 am
what i wanted to ask is how does nsa target bad actors if any kind of weakening or strengthening of security affects the entire world? if they have the ability to target government to government espionage, how do we find foreign or criminal bad actors? do we not know who is whole poking in different browsers? how does the nsa target and had ?" find out who is" we.' >> how do they do it technically or how would they do if we encrypted everything? >> it would be great to answer both of those. i guess what i am curious to say is the nsa does have ways
11:44 am
besides getting everybody's information. i want to know what those are to target bad actors and bad government actors. >> this is the same technique that criminals use to target target. want credit card numbers. they break into the network. they did it through partner. they use standard hacking techniques and death the data and left. that is what the chinese government did a couple of months ago. we indicted some chinese military officers doing that thing to steal u.s. corporations data for the chinese government. we believe the nsa does this. of targetings techniques for targeting targets. everybody uses them. we can talk about the technology.
11:45 am
that is what is done. that is very different than targeting everybody. what does the nsa do? as near as we can tell there is a series of filters. they will put a computer on the internet backbone and it is nothing the chinese doesn't do in their own country. don't think of this as magic technology. any well-funded government will do this. they will do a broad collection of everything and then very quickly based on names, keywords, topics, watching cap videos, they try to focus on things that they are interested in. whittling process gets things you don't care about. you hope to do pretty well. --t weekend
11:46 am
cutting away after a closed hearing. this is senator mccaskill. >> it's what we should and can do. this is a problem in iraq. the government is refusing to acknowledge that they must include all of iraq and the government. we're going to do what is politically necessary. >> did anything sound like a strategy to deal with this? >> i think they have a strategy. if people are looking for a simple soundbite, it would be irresponsible to give one. this is complicated. sidese iran on different and we are talking about neighbors.
11:47 am
we have to make sure that we are working with our allies and continuing to appeal to the moderate sunnis. the type of government that cuts off your finger for smoking a cigarette. their extremism will not help. administration is being appropriately cautious and careful. there is not one-size-fits-all. >> are airstrikes still on the table? >> i am not going to talk about that. [no audio] >> comments from the critics
11:48 am
senator claire mccaskill following the closed-door hearing that is happening in the hearing room at the capitol visitor center. the armed services committee hearing from chuck hagel and the chairman of the joint chiefs martin dempsey on what is going on in iraq and afghanistan. we heard from senator mccain briefly. reporters are still standing by. this is the area known as the subway stop. this brings the senators and guests and staff in the capital. microphone, to the we will bring you comments live and have them up a little later on our website. websitestreaming on our . we will take you back to the new america foundation. >> that change to the law happened without us overly having a discussion about that
11:49 am
shift in the way we investigate people made sense in terms of the trade-offs we are making. we are starting to have that discussion now. it is far too late. >> thank you. i am a former member of the british parliament. having exploited for 200 years. we did abolish slavery quicker than you did. we are in deep trouble and would like you to pay tax toward us. i was on thehat,
11:50 am
defense committee for 30 years. i chaired it for eight years. i was moving up the hierarchy. morality i learned is in politics is important but not too important. what you have to do is protect your society. if you are being confronted by evil using every trick available to make life difficult for us and extorting money and putting us in danger, the idea of responding to that with an excess of morality seems bonkers, stupid beyond words. it is difficult to say that. we knew who the enemy was. they were plain nasty and if we did not play nasty we would be
11:51 am
pilloried. somebody has a perspective that is not a very nice perspective. it is a realistic perspective. you had your big inquiry. some of you think that hasn't been good enough. you know your intelligence services play dirty games. thank god they do. 30 as thed not plate other side did. the bigger problem you would have would be exploitation and the possibility of political and economic disaster. if i do appear a little bit off message, it is based on 30 years experience. countries, notil
11:52 am
evil people, evil countries. i knew all of my peers knew we were fighting dangers for our country and our alliance. i am glad to hear that we are having a strong degree of realism. it there should be a greater degree of realism. defending every nasty thing that your government has done. defending mr. snowden who went up to that great democracy in the world russia. i don't think we need any lectures from people like that. if we have to play dirty we don't admit it but we have to play dirty.
11:53 am
frankly, if you have to play dirty you play dirty. for letting me speak so long. want to allow you to finish. it is not an uncommon perspective. i wanted to hear it all so i can fully comprehend why we threw a revolution. [laughter] i do want to reflect on what you said. i think much of this discussion and the discussion we have been having in the spring is trying to step away from a moral argument or a privacy argument or a civil liberties argument, even though that most motivates
11:54 am
me. let's talk clearheadedly about all the various costs of these programs may not talk to. the cost to our foreign relations. the cost of our internet freedom. there are a whole bunch of reasons to be concerned separate from civil liberties or the morality of those who are engaged in it. that is my answer to that question. argument is a fear argument. i can summarize it in one sentence. that is the argument. these awful things or the terrorists will kill your children. it sets down debate. it is an argument that wins over every other possible argument. it can't be argued with. the problem here is that
11:55 am
argument short-circuits any discussion of is this actually effective? does it do any good? we are making an efficacy argument. we're making the cost argument. yes there is a threat. the bad guys don't play by the rules. that's fine. what does that mean the defense should be? there are many threats to society. we are talking about government overreach. that is a very serious threat. you are eight times more likely to be killed by a policeman than a terrorist in the united states. we are trying to balance that. we balance them by looking at costs. we have talked about the costs. if the costs of broad surveillance are greater than the benefits, we don't do that. even if the bad guys are bad guys. what is the best way to deal
11:56 am
with them? the arguments we are making is there are more effective ways to go about it. not that we are moral and they will win. question of the various tactics and right threats and the best ways that we can deal with that. in order to get to this argument you have to dampen fear. all the discussion goes away. no congressman will vote against something. there will be blood on your hands if you don't vote for this. that is never explained. it is never justified. as soon as it is said, the fear sets in. one of my great fears is that if we asked congress to oversee the
11:57 am
nsa we will get a more permissive nsa. congress is scared. they are not just scared of the they're scared of being blamed if something happens. getting beyond the fear is the single most important thing we can do. honestly, this might take a generation. we simply cannot be terrorized. we have to be able to stand up in large political pressures and argue very soberly that it is not worth it. i was just wondering if this issue about the encryption and the internet security aspect,
11:58 am
has this appeared on the radars of other countries around the world? looking at their data privacy framework at the moment. that the reason the nsa can do this so extensively is because the companies involved are us-based. does this create an incentive for more european companies to develop software that has encryptions and it that cannot be hacked into by the nsa because they are not subject to u.s. laws? think some are doing this. it is most certainly one thing that we look at.
11:59 am
rise in the huge competitive advantage from foreign companies in europe and elsewhere claiming they have more secure products or products that have not been tampered with. they are doing this as a way to lure business. it is incredibly profitable. the broader thing we talked about today is the cost of internet security and having to protected. we may be weakening our security. we are doing it at a great economic cost. the amount of money we're spending to weaken our own security, what are we doing to american companies? that is a serious problem. >> you can see all of this at c-span.org. the u.s. house will come in for short speeches. they will recess with legislative business at 2:00
12:00 pm
p.m. eastern time. .ight bills withor the tsa to come up with an expedited screening process for veterans on honor flights. in order. the chair lays before the house a communication from the speaker. the clerk: the speaker's room, washington, d.c., july 8, 2014. i hereby appoint the honorable steve womack to act as speaker pro tempore on this day. signed, john a. boehner, speaker of the house of representatives. the speaker pro tempore: pursuant to the order of the house of january 7, 2014, the chair will now recognize members from lists submitted by the majority and minority leaders for morning hour debate.