>> we welcome them to the debate. the state of nebraska, deb fischer, as a great workplace flexibility bill that we try to get considered in the last congress. >> you talked about forging relationships with the house and senate. one issue that is coming up is up -- that is coming up expires february 28. how is it going and what does it look like, the future of that bill? >> well, the magic number in the senate is 60. and when we have these discussions, as we have today and yesterday, with our colleagues in the house obviously we share the same goals. we think the president overstepped his authority, acted in an unlawful way, way in which he said 22 times on his own and

that he didn't have the authority to act. notwithstanding that, he went forward. we intend to challenge that. the house has done that with an appropriations bill and the rider attached to it. the outlook in the senate is going to depend on what we can get 60 votes for. this is the start of a process and that discussion continues and well, as we have now until i think every seventh when that legislation or funding expires. -- february to when she seventh -- 27th when that legislation or funding expires. i don't want to say what leader mcconnell will ultimately decide to do, but that is a discussion we're having as a congress. we want to give people a chance to vote to express their opposition to the president's action, but we understand that at the end of the day in the senate it is going to take 50 -- 60 votes.

>> a general man was arrested yesterday -- gentleman was arrested yesterday who had hoped to use a pipe bomb against members of congress. he expresses sympathy with isis. how and when did you learn about this and was there any concern about the safety of lawmakers? >> it reminds me that we are grateful to the capitol police and to those who protect us and the fact that they were able to expose this plot before anything happened is very important. i learned about it yesterday. yesterday afternoon after we were already on the road here. but it also highlights then, i think impresses on all of us the threats that face america. going back to the importance of getting the homeland security bill funded, we take that. seriously. it is on all of our hearts and minds what is happening around

the world and what it means not just potentially to members of congress on capitol hill at all across this country. we need to be very serious and we need to take the appropriate steps and make sure that our agencies and our officials have the resources they need to do the job to protect the american people. it really is the number one risk on stability of the federal government -- number one responsibility of the federal government to keep the country safe. this is an area where we will be working very closely with the president. >> the tax burden is expected to be the worst in over a decade. some is saying this is due to irs budget cuts. what do you make of that? >> i don't think based on the irs's record over the past couple of years that there is a whole lot of sympathy for the

complaints they are now making about not having enough funding. obviously, they have a job to do. it's an important job. we want to make sure they have the resources to do that job, to collect the taxes. but wasting resources targeting conservative groups and things like that is obviously something we take great issue with. i expect as we go through the budget process this year and the appropriations process, like every agency we will look very carefully at their mission and making sure that there are resources to do the job we ask them to do on behalf of the american people. but as i said, in the last couple of years, the irs, in terms of the way they are perceived by the public, are probably not in the best place. that doesn't mean they don't have an important job to do and that we are not in support of ensuring that they do it well. >> what are your predictions for

the funding bill at the end of the day? >> like i said earlier the discussions of how to process a particular bill, discussions continue. clearly, we want to give our members an opportunity to vote as the house did on that issue. ultimately again we recognize the important role the department of homeland security plays in this country, and the fact that it needs to be resourced in order to do that, but there may be different ways and approaches to this issue that we can get the point across. we will see. >> can the house bill passed the senate as it is? >> good question. >> why would the house pass a bill the senate can't agree to?

>> coming up at the bottom of the hour, we will go live to the bipartisan policy center on a discussion of cyber security in a way to prevent future attacks in the wake of the sony cyber attack. the former head of the nsa and cia, michael hayden will be live at 3:30 p.m. eastern coming up here on c-span. a reminder that next tuesday night president obama will address the nation in his annual state of the union address. our pre-speech coverage starts at 8:00 a.m. eastern with the speech itself starting at 9:00. we will open up the phone lines to take your comments and also look at reactions on twitter and facebook. again, that all gets underway tuesday night, january 20 at 8:00 here on c-span. coming up tonight, more state of the state speeches, beginning with kansas governor sam brownback. at 9:00 p.m., governor brian sandoval.

>> here are some of our featured programs for this weekend on the c-span networks. on c-span two, saturday night at 10:00, on book tvs afterwards, wall street journal editor bret stephens argues that our enemies and competitors are taking advantage of the situation abroad created by the u.s. as it focuses on domestic concerns. sunday night at 10:00, steve israel on his reason novel about a salesman in a top-secret government surveillance program. and saturday at 8:00 p.m. eastern on c-span three, george mason university professor john turner on the early mormons and their attempt to create a new zion and the american west are in the 1830's. sunday afternoon at 4:00 on railamerica, nine from little rock the 1964 academy award-winning film about the forced desegregation of little rock arkansas's all-white central high school. find our complete coverage at c-span.org and let us know what

you think about the programs you're watching. call us at 202, six to 6, 3400. e-mail us at comments at sign c-span.org. join the c-span conversation on facebook or twitter. craig's a reminder that we will bring you live coverage of the conversation on cyber security coming up at 3:30 p.m. right now, a look at the role of government funding from today's washington journal. company -- q and a." host: we welcome lee goodman former chair of the federal election commission, as we come up on the five-year anniversary of the citizens united decision. how has it changed election law and campaign finance in this country? guest: the supreme court issued

its decision in 2010, and did it midstream in the 2010 election so people have been watching the effects really in the 2012 election and the 2014 election. my own view is that the citizens united decision corrected the shift of speech in america by opening up more avenues for speech more nonprofit organizations can now participate in elections. the labor unions and business corporations now have a voice in democratic elections that they did not have before. now, some people bemoan this and say we are going to flood out and drown out the populace that populist voices of others. i do not think that has been borne out by experience. i think what has happened is the american people have been able to see more speech, here more points of view -- hearing more points of view. incumbents have less protections

in office, and you have seen the number of incumbents displaced go up after citizens united. prior to citizens united, congressman had a greater chance of dying in office and being replaced in an election, and after citizens united, the number of incumbents have been replaced either in primary or general elections. it is increased to close to 10%. it used to be 2% or 3%. we hear more speech. i do nothing populist voices have been drowned out. -- i do not think populist voices have been drowned out. more people are giving at the lower end as well. i think this is all that good for the democracy. host: in terms of the total cost for elections, here is a chart from the center for responsive politics.

it is right up to almost that $4 billion mark as the total cost. you work at the federal election commission. you are a former chairman. has the fec then able to keep up with citizens united in terms of the corporate spending that has been unleashed by citizens united? host: absolutely. we are the clearing house for all the public campaign finance reports filed by political action committees, campaigns political parties super pac's which disclose all of their money in, all of their expenditures -- they file reports with the fec. most of those reports are filed electronically and as soon as they are filed they are immediately available on the fec 's website, and then number of

organizations take the data, nash and it it, and add editorial content, meaning to it. we have been able to keep up with the additional reporting that comes as a result of citizens united. when we have had some issues is because the u.s. senate candidates still file on paper with the senate clerk's office. we had one episode before the election where there was an avalanche of paper that came into the fec but we got, by and large, most of those reports published enough on our website within 48 hours. host: if our viewers want to talk about citizens united, campaign finance issues, lee goodman is with the federal election commission. is one term as chairman ended in december.

to stay on citizens united for a second -- complaints we hear about negative ads, untruthful ads, did citizens united change any of that? guest: i do not think it did. it is not within the purview of the government to regulate. we do not regulate truth or accuracy. it is up to the american people. there are defamation laws in other ways people can enforce accuracy or inaccuracy in political speech, but we are not the speech police at the federal election commission. we merely are the clearing house to disclose all the money spent in elections. host: didi on our twitter page -- we see a lot of speech but reflects the views of those that have the money to buy a super pac. do you agree? guest: i do not think so. there is as much money at the low end of the spectrum as a

result the high end of the spectrum in the elections, and also, contributions to political parties, contributions to candidate campaigns, they are limited. in other words, no individual can give a senate candidate or a house kennedy more than 2006 -- candidate, more than $2600 an election. when you look at the money spent in the election -- you showed a chart and i want to make a comment. if you notice, the numbers have leveled off. we don't see a large increase in the total amount of money being spent in 2010 from a midterm election to 2014. the number in putting 10 was about $3.7 billion -- in 2010 was about $3.7 billion. host: in the congressional. guest: right. we do not have the total numbers today, but we are looking at probably a $3.7 billion to $4

billion election cycle in 2014. about 85% of that money was spent by the congressional campaigns themselves, and the political parties, and all of the contributions to the political parties and the campaigns are limited. so, by and large, 85% of the money is still being spent within federal limits. about 15% of the money to run ads in the 2014 election, about $500 million of about $4 billion was spent by political action committees, interest groups, super pac's, and the like. average donations are up. small donations are up. about 5 million americans gave donations of under $200 to political campaigns and political parties. so, ordinary people are still playing a role in politics. the internet has given more

people the opportunity to give. the internet has given campaigns the ability to raise money from smaller donors at very little expense. it used to be very expensive for campaigns to go after donations because of the cost of a postage stamp. e-mail has allowed campaigns to reach more people at a cheaper cost. so populist voices still have quite the role in these elections. guest: --host: you talk about contribution limits -- the provision in the crown of us that passed, what will that mean for the 2016 election, and did you agree with the move? guest: i have a background in the political party. i was the general counsel of the republican party of virginia for about four years before i joined the federal election commission, and a lot of people characterize the parties as smoke-filled

rooms, overtake organizations -- overtake -- opaque organizations, but the truth is to the contrary. they are the most ordinary organizations were any ordinary person can walk in and get involved and half, i daresay more influence and access to elected officials as a party member with no financial contribution at all, but just to participation and efforts. there are a lot of saturday meetings, a lot of efforts to go knock on doors for candidates, but the political parties are essential. they are critical to the health of our democracy. what the ground of us did -- what the crime the bus did was recharge -- host: and the charge is money?

guest: excuse me, the charge? host: what you recharge it with his money? guest: yes, the parties need more money. it created three new accounts for the democratic national committee, the republican national committee, as well as their affiliates, the campaign committees and there were corollary republican senatorial committee and congressional committees. it created set or it accounts for them so that they do not have to spend all of the money they raised on administrative overhead, so they created a legal account to pay for lawyers. they help the lawyers comply with our laws at the federal election commission. they created a new building account so that the parties can raise money to pay for their buildings, operations, furniture, and a meeting that goes into housing the national headquarters.

by creating those accounts, what they did was they allowed the primary accounts of those parties to be spent on electing candidates. so, it relieves some of the burden on the main accounts. now, all of the contributions to the parties are fully disclosed to the american public on the reports of the parties, and there are subject to limits. by creating the additional accounts, people may now give more money to the parties, but it will all be disclosed, and it helps the parties be more effective to attention the political process. host: let's get to our callers. we are talking to lee goodman, a commissioner at the federal election commission. the chairmanship ended at the end of last year. he is here to talk about the five-year anniversary of citizens united or any more questions about campaign finance. lynn is waiting in san antonio texas, our line for republicans. good morning. caller: good morning. the reason i am calling -- i am

seeing a lot of ads that at the end of them says is an ad for a law firm, but at the end it is a democrat that says no more child should be abused no child should wake up hungry, have this or that problem -- they are mimicking the ads the stars are doing, but i think they are getting around calling it a political ad by making it a personal ad for this lawyer using only democrats. it is on every station. it is pervasive. you see every station, every democrat begging for the poor children. host: it sounds like basically a de facto political ad under a different name. guest: i cannot speak to the specific ad and the content of the entire ad that lynn has talked about, but from her

description -- and i do not know if they are federal candidates or state candidates, in which case state law would regulate -- but, by and large, if these are issue ads about nonprofit causes, for example, as a general rule nonprofits want to bring attention to their issues. as long as there is no expressed, in the torah advocacy -- elect oral advocacy in those ads, those are issue ads, it sounds to me. officials readily appear on public service messages and do participate in issue advocacy whether it is appearing on a show like this, a national interview show, or appearing in an ad when they are trying to draw attention to an important cause. host: james in valley village california. our line for democrats. caller: good morning. i would like to thank mr. goodman for appearing and thank

you for the service that you do. i am not sure how you focus or friend this correctly, -- frame this correctly but the founding of our country, the notion of taxation without representation -- there are not a lot of parallels to this, the impact citizens united has created. if i understand it correctly the money that is raised is primarily used for advertising and lobbying, and so, to me, that flies in the face of one of our primary concepts of the one man, one vote concept of participatory politics. that is one reason why people like myself feel it is an unequal playing field. it's so much of what happens in our government is determined by politics, or big-money politics, which means major corporations,

or even the large, wealthy families that can have more influence another class sectors of our nation, to me, some extent -- to some extent, this whole policy has, sort of, made it an unfair process for getting people elected. host: it seems like james is able to frame his question for you. guest: james, you articulate the question quite well, and the way you framed the debate is the way this issue has been debated before the united states supreme court. it is the way it is debated in the halls of congress. it is the way it is debated at the federal elections commission. james, if you are ever tested and seek a position with the federal elections commission, it sounds like you know the issue -- interested in seeking a position with the federal elections commission, it sounds like you know the issue well. here is a decision made in citizens united and other decisions over 40 years. that is that there is no wealth

test in the first amendment, and the first amendment protects your right to speak, and the supreme court and the government does not have the power to equalize speech. it does not have the right to limit my speech if you do not want to speak as much as i want to speak. so, the supreme court has consistently said the government cannot try to equalize speech, but let's get to the policy merits of your point james. first, on liberal versus conservative viewpoints being expressed in a democracy -- neither side has a monopoly over the debate. there were the liberal groups in the last election. they were competitive financially, and ran as many ads and had as much speech is the conservative organizations did. secondly, at the end of the day,

what citizens united did was it freed up speech. the people still vote. the people can be empowered under citizens united to hear more speech on liberal causes and conservative causes, and at the end of the day, the people choose whether or not to listen to those messages or not to listen to them. i often turn the ads off, or i use my remote control to flip the channel when the ads come on. i get direct mail. i often do not open it. i choose not to read a lot of it. it is my choice to listen or not. second i have a choice, and you do, too, james, to be influenced by it or not. many people know who they will vote for in the 2016 presidential election right now because some other issue or controlling factor controls our vote like partisanship. some people can tell you i will vote for the republican candidate in 2016 or the democratic candidate. third, the people still choose

whether or not to i think that rather than people running for office, having a real interest in serving the public not our big banks, not wall street, not citizens united

and all of this stuff they have left out people. if you paid to post an ad online, the fec regulates that just likely we would a tv ad or radio ad. if you are a political committee, a campaign, or political party, and you post content and ads, whether it is on youtube or your own website we require disclaimers and you have to expose your expenditures for your weather-based political activity. however, if you are a group of citizens or an individual, or an individual blogger, for example, and you post information for free and you create your own website, we can call it john rants, and you want to express yourself every day, and you post

videos for free, there is no dissemination costs, you not paying advertising fee -- in any one of those examples, or if you have a facebook page with a lot of friends and you want to post political content there, for free, low-cost postings on the internet, the fec said hands off, we will not regulate. that has served the american people well, but we recently had a case involving organization that posted two videos on youtube for free in the 2012 election. they were critical of the senate candidate and the president, and the case came before the commission. the office of general counsel of the fec said this is exempt under the 2006 rule, and the commission split in a vote of 3-3. my two republican colleagues and i, matt peterson, caroline hundred, and i, voted to follow the advice of the general

counsel and free those youtube posts from regulation under the 2006 rule. host: i want to read some quotes from the current chairman has this -- debate has played out on whether internet statements should come with disclosure. she writes "some of my colleagues seem to believe -- a statement that she put out last october. in an interview in december, she said "my passion is transparency, and i am frustrated that has not been the same willingness on the part of some of my colleagues at the fec." guest: right. this has been a lively debate fec at the.

let me say chair ravel have had a great relationship and agreed on several issues. this is one where we respectfully disagree. she believes her needs to be more reporting on online political speech. i believe this is one sphere of human endeavor, human activity and political speech, that can go unregulated because it is low-cost. there is no evidence free postings online are corrupting politicians. because the internet is the most democratic forum for political speech ever invented. it levels the playing field. it gives ordinary people a printing press in their hands in the form of a personal computer and an internet connection. individual citizens can put out an opinion on the internet and it lays out there on a level playing field with well-funded forces in large media organizations, for example. individuals have had a greater voice through blogging. also, remember, in order for any

individual to go get information on the internet, you have to go search for the information and political opinions you want online. it is an opt in medium. i think the policy makes sense and it has made sense for a decade. it has been my position that we are going to defend the 2006 internet freedom role and the freedom it guaranteed to the american people, and we have had this debate since october. host: let's hear from more american people. tim is waiting in new mexico on our line for independents. caller: good morning, how are you doing? host: good, you are on the commissioner goodman. go ahead with your question or comment. caller: yeah, with citizens united, you sound like a corporate shill when you talk about it. what has happened is the likes of at least evenson rolling into

congress to watch -- adlai stevenson, loin into congress to watch his team play. are we going to give him a skybox? guest: i am not a corporate show. i am for free speech, and that is what the citizens united ruling was based on -- the first amendment frees people even if they form in a corporate form. not all of the corporations that are funding speech in our democracy are large business corporations. there are many nonprofit corporations that were excluded from the debate and prohibited from speaking in elections, and they include, for example, in this last election, the league of conservation voters incorporated, that spent nearly $7 million in speech that prior to citizens united the league of conservation voters was prohibited to doing. the environmental defense action fund spent nearly $3 million in

this last election to fund their speech. they are an incorporated organization. fundamentally, just because you incorporate your association does not mean you shed all of your first amendment rights. when you look at all the total spending in this last election there were as many liberal groups, as there were conservative groups. >> thank you for coming this afternoon to our event on the sony cyber attack and its strategic implications. almost four years ago, i had the pleasure to work with general hayden and some others to put on cyber shockwave, which i don't know if any of you remember. you can get a dvd or buy it on youtube. the idea was to simulate a cyber attack at the national security council cabinet level and see how the united states would react, and see if we had the

policies in place to actually be able to, if not prevent, than to react in a reasonable way to a cyber attack. one particular exchange that stuck in my mind when we did the simulation, the person playing the attorney general at the time said mr. president we don't have the authority to do what you're looking to do, which at the time was to turn off people's cell phones that had been infected with malware. and stewart baker, who is always selling his book, which is a great book if you haven't read it, who was playing the white house cyber czar, founded the desk and said if the attorney general doesn't have the authority he should actually go and find the authority. i am not sure we have found the authority. but something has changed in the

conversation we have been having this last week. new proposals suggest that perhaps we have turned a corner and are finally going to see some policy and legal changes when it comes to cyber security. it's interesting. i know that in trying to move the needle, we put a show on about a cyber attack but it took a cyber attack on a show to get things to start changing. to figure out what the impatiens are and to look at some of the controversy around the way the u.s. government specifically has reacted, whether it is a question of attribution, a question of severity, we have an excellent panel today. to leave that discussion -- lead to that discussion -- if you follow cyber security, you have surely read her articles, as i have. she knows more about cyber

issues than probably 95% of the policymakers in washington. maybe 96%. >> thank you very much, and names to the bipartisan policy center for putting on a very timely -- thanks to the bipartisan policy center for putting on a very timely panel. the panelists don't mean need much introduction and you all have their bios, so i will keep it brief. he was the chairman of the house intelligence committee. he is now a radio talkshow host doing commentary on important issues of the day on "something to think about with mike rogers" on westwood one.

a retired air force general former cia director, and as a director, director of national intelligence, history major and now principal at the turnoff group -- chertoff group, he is now writing a book about his career. then we have dr. paul stockton, the former assistant secretary of homeland defense at the pentagon. he helped lead the department's response to superstorm sandy and the deepwater horizon crisis. he guided the critical infrastructure protection program and is a managing their -- director at an llc. i want to open by saying that we at the "washington post" have a cyber security summit every

year. for a couple of years, we created our own war games which we came up with fictitious oil and gas companies and banking firms that were attacked by the tisch is middle eastern -- fictitious middle eastern and asian countries sending viruses to cause oil disruption and create chaos in the economy. but never did across our minds to have north korea target a hollywood movie studio for a film about a cia plot to assassinate kim jong-un. did the koreans want brad pitt to play kim? what were they angry about? >> i thought it was funny. >> thank you. seriously, we have had countless intrusions into the u.s. critical infrastructure and companies feeling -- dealing

with intellectual property saying this is the biggest transfer of wealth in history. we have seen an attrition's into the white house and pentagon, but it took a hack -- penetrations into the white house and pentagon, but it took a hack into sony for the government to come up with a firm response, unprecedented really. and to actually name north korea. obama named north korea and vowed to punish the country. so, we are going to go over the attack and the applications cash implications. briefly, -- implications. briefly, what happened at sony. you are all familiar with this. just before things

giving sony discovered viruses in the system. then the guardians of peace, as they were called, began posting embarrassing e-mails online, showing executives making racially insensitive remarks. that started to get a lot of attention and become a problem for sony. about mid december, the hackers ratcheted up and put a threatening message online threatening violence against theaters that showed the film and alluded to 9/11. at that point, theaters get nervous. they talk about not wanting to show the film. sony decides they have to cancel the planned release for christmas day, and that leads to a huge controversy. the very next day president obama convenes a meeting in the situation room with his national security council.

they decide, based on unanimous recommendations, that they are going to publicly name north korea, give attribution say her career was behind it and we are going to take a proportional response. so, that is the scenario. i want to turn to you, german rogers -- say north korea was behind it and we are going to take a proportional response. so, that is the scenario. i want to turn to you, chairman rogers. how do you view the attack and do you think the president made the right call in meaning -- naming north korea? >> you forgot to add that i decided to take four days off and i spent three of it on a beach dealing with this issue, so no one is angrier about it than me and my wife. this marks a significant change.

we have seen cyber attacks before, clearly. we have seen denial of service attacks before. we have never seen a nationstate use its capability -- albeit somewhat limited -- in a way that actually destroy data. so, they went in to a company, and not only did they play the fun and games part, cause embarrassing pr problems all of which was significant. they stray data. they destroyed -- they destroy data. they destroyed intellectual property that made it very difficult for sony to operate. there was a time when it was very concerning as to whether they would be able to function as a business. it was more than a little disruptive. it was on the verge of economic calamity for a company like sony. that was a very different game. we have seen other countries do it. we have seen i to it to saudi arabia. -- iran do it to saudi arabia.

but for a nation to decide it was going to have an impact in america by attacking an individual company, we have never quite seen that before. this is a whole new day in cyberspace for a host of reasons. now the united states is going to have to show that it will not tolerate it because everyone is watching. iran is watching. russia is watching. china is watching. every international criminal organization is watching. these are the steps we are going to have to work through as a country. naming them, i thought was an important thing. there are other things we need to do to move ahead and it needs to be smart. if we are talking about this six months from now, we will have made a serious mistake. >> sony is not a critical infrastructure company. it is a hollow in -- hollywood studio. it doesn't fall into the

critical infrastructure companies of oil, gas, banking -- categories of oil, gas, banking. general hayden, take us into the situation room. how would you have assessed the attack and what would your advice have been? >> first of all, this was an arc that was predictable and i don't think any of us were surprised. this was going to happen. it happened then to these actors. it's all a continuum and a very protectable continuum. this is a nationstate attacking an american business. loss of profit is a big deal and a relatively new deal. that's one. the second point is yes, north korea did do this. i am quite comfortable with the

government assessment and i am glad that the president said that. i would probably have tried to strike the word per portion all. i don't think we should give them comfort that the response would be proportional. i think it should be a response of our choosing. the president did say at a time and place of our choosing, but i think a word proportional gave them too much comfort. north korea is a nationstate doing destructive things, not for profit, but to coerce. these are all new flavors. and then finally, i am going to take responsibility for this because i have 39 years in government our government is kind of feckless and our response. we are going to get around to

our usual effort here which is to beat up the victim. we will get to that directly and sony will have to answer a whole bunch of questions. >> so ewers apprise that the government came out and gave attribution -- you were surprised that the government came out and gave attribution? >> i was pleased. i would have struck proportional . this has implications beyond cyber stuff. this is a pathological little gangster state that wants to hold at risk different things of value to different people in the world and we have allowed them to reach -- to take their game into a different domain. if i could just for a moment -- again, not particularly cyber related -- north korean foreign policy has been kind of like the

instructions on your shampoo bottle provoke, accept concessions, repeat. provoke, accept concessions, repeat. but it has not been along a stable line. it has been along this line. they have taught us to tolerate ever more provocative actions. i really would've gotten -- fought to get the word proportional out of the talking points. >> i agree with what you said about this being a game changer. the game changer in another way as well, and that is, we know now that a nation with 1000 of the u.s. gdp -- .001 of the u.s. gdp has weapons they can use to launch an effective attack

against the united states. that's very different from seizing control of the power grid or the natural gas system. nevertheless we have had a wake-up call here. the trend is one way and that is toward nations acquiring increasingly sophisticated cyber weapons, increasingly destructive, and a growing number of nations being able to acquire these weapons. i am going to disagree with my old friend general hayden for just a moment here. i think it is terrific that the president has emphasized the importance of proportionality. we are in an era now where cyber is burgeoning and we lack -- cyber conflict is burgeoning and we lack the rules of the road derived from armed conflict. we have to begin to think about this in a new era. i think proportionality is a standard the united states ought

to be espousing. i think we need to be standing up to the laws of conflict -- standing up the laws of conflict in the cyber realm that are going to be good for the united states and good for security in the long haul. i believe proportionality is important -- an important principle and that the legitimate military objective doesn't cause disproportionate suffering in the civilian population. we can imagine how an attack on a power plant might affect the nearby military facility, but if that attack creates masks civilian casualties, as it could, if it is an attack on a hospital, those are not

legitimate plans of attack in a cyber conflict. >> people often get up in debates about what is an act of war. what this attacker had showed in a sense is that even ask that fall below an act of war can have significant impact, national security issues and cause a u.s. government response. do you think this is a teachable moment in that regard and that maybe, to your point of creating norms, are we working toward articulating clearer norms about what is acceptable behavior in the realm of cyberspace? >> i think we know what is unacceptable.

the problem is, we wrestled with this for years. what is the appropriate response? i mean -- >> it's hard. >> i think you're both right and i am not even in congress anymore, so that's hard for me to say. i think the general is trying to say that you don't want to advertise what we do believe we have the right to do in a case when a nationstate attacks a u.s. company. that's what i thought i heard you say, and i think that's exactly right. i think the debate has to happen on what exactly are appropriate responses. we had this argument ad infinitum behind closed doors. how much authority do you did of our capable ready cyber forces who are ready to go? they were ready to go on a sony case. they were absolutely ready to go, just waiting for the right instruction. and we never got to what the

right instruction was which i think is why we find ourselves where we are. you have to establish your defenses first. if we don't have some way for the government to at least assist the private sector in protecting their networks, it makes very little sense to try to create offensive trouble anywhere. they are not going to go after government works. they are going to go after private companies. that is a small case of what we see with sony. you start multiplying that with companies that are in the supply chain of critical infrastructure and you don't even have to go after critical infrastructure. you can go after the supply chain. now you have a whole other discussion. you can understand how layered this problem is and why we are not ready. i argue to dig in, put on the helmet, strap it on, and then we

can have a conversation about how to move forward. >> do you think if the theaters and sony had not canceled the release of the film, would you still have advocated public naming of the state responsible, north korea, and then taking some sort of response in response to the destructive action alone? >> i would have. you saw the congressman kind of dance around -- iranians did massive denials of attacks on banks. you cannot find someone currently in government who say the rainy instead that, but they did. -- the iranians did that, but they did. i think that gets wrapped around a whole lot of macro political

-- right. now that i have said it, we can move on. i was heartened that we said what we said about north korea. of course, the principles of proportionality, distinction and necessity apply at the tactical level when you use a weapon. i am talking about proportionality in state response. we don't have to tell them we're going to limit our response. i want them to think we have a lot more power and we feel free to use it. to your question. what was it? hard to say. we have not yet worked out a tech summit he in the cyber domain that mirrors the taxonomy -- we have not yet worked out a taxonomy in the cyber demesne that mirrors the taxonomy we have -- domain that mirrors the

taxonomy we have in the physical domain. they tried to do some heavy lifting at the nato center of excellence a few years back where they actually did try to suggest definitions. it's not even an official nato document. it's certainly not u.s. policy but it reflects the struggle we now have. how do you categorize events in the cyber domain in a way that, frankly, tells you what is or is not a legitimate response question mark we haven't done it yet. -- response? we haven't done it yet. >> what do you think doctor, when you were at the pentagon for a number of years when they try to come up with scenarios and appropriate responses? >> i think there has been

important progress on exactly the line that you mentioned. the important of understanding that the resilience of privately owned infrastructure makes a very important contribution to deterrence of attacks against the united states. we need to be able to create doubts in the mind of the attacker as to whether the attack can succeed and whether it is worth the retaliation that is going to come. moreover, if we are going to retaliate, we need to believe and understand and our adversary needs to understand that if they escalate and come back in our infrastructure at a more intense level, we can handle that. how are privately owned infrastructure is sufficiently resilient that we can except that attack and we will not be deterred from retaliating the way we need to be retaliating in the future. >> deterrence by denial. >> deterrence by denial. the pentagon is making progress in that direction.

>> let's talk a little bit about the response the obama administration chose. they announced new financial sanctions on three north korean entities and 10 individuals. how likely do you think are these to get kim jong-un and others to change their behavior? >> i think they are pretty light , symbolic at best. we have had sanctions in the past that have worked. i was in government when it happened. we were also prized it worked so well. -- all surprised it worked so well. the sanctions imposed last month are not that. >> what more is there to be done ? have we done the most

far-reaching sanctions we can take? click certainly -- >> now, i was not in the meetings. i have been in the meetings. these are hard. there are always second and third order effects and you have to be careful. but looking at what is in front of us, we have been pretty light in our response to date. >> exactly. there are a whole series of second wave of events that i think we ought to engage in. and the longer this goes, by the way, the worse off we are. it really needed to have a more instantaneous impact, because it was announced, and shortly after it was announced everybody buckle down, including the north koreans, and happened. of any real significance. i agree. the sanctions were light at best

. there is no real financial grind they are going to go into to impact the people who are living well in north korea. most people don't even have electricity. one in 10 have electricity and that's not for 24 hours a day. so come if you're going to do this you -- so, if you're going to do this, you have to impact the people who are enjoying the nicety of life with no consequences. that's the challenge. i assumed after the announcement we would see a list of sanctions and then have some other series of events know it happen that would make the north koreans say you know that just wasn't worth it, and the movie wasn't that good either. >> have you seen it? >> i have not. i can't give them the money. >> china is north korea's only real purveyor of internet access. what do you think of asking china or getting china to exert its influence over north korea and ordered to -- in order to

contain north korea's behavior in this area? >> chinese policy is self-defeating. i think it's contrary to chinese interests. what they need in northeast asia is a roux canal, and they are afraid to go to the dentist -- root canal, so they are afraid to go to the dentist, so they just pop in aspirin to deal with the pain. this is a dangerous source of instability for the chinese and will be as long as it exists, but they have not>> you would think that when he killed his uncle, that would have nudged him into a positive direction. so far i think president g has enough challenges with his own transition. he is just not ready to strap this one on yet.

we can exhort. we can begin to exert a bit of a crisis here and there. but i just don't think they are ready to act yet. i think that is contrary to long-term chinese interest. now that north korean troops are going across the chinese border. >> in order to steal food from chinese villages, icing weeks -- i think we see further effort of instability that confronts china there. i am more optimistic that the sanctions that the president has announced, especially for the elite, i think it was pointed out the other day third parties are assisting agencies and conducting business and flowing cash back to north korean elites. they are going to be facing

sanctions. i think over the long-term that could be helpful. let me say one other thing. i don't believe that when nations such as north korea launch cyber attacks we ought to on a medically default to retaliating that is cyberattacks in response. i think we should keep our most effective cyber weapons in reserve. they are our crown jewels, and let's keep them. >> there's not much in for chiefs -- infrastructure to attack in the first place. it was just announced. there was much speculation as to who was behind it. we heard recently that the white house said the sanctions were there first response. who do you think might have done it? >> i think someone stepped over

the extension cord, and the thing went down. it is not a very sophisticated system. what was interesting is that the north koreans didn't have some new cyber technique no malicious source code. they just went around and took things that had already been exposed and put them together. there was some engineering in the code. they found ways to get it out of north korea to find surreptitious ways to get it out. this was not terrifically sophisticated. that really should scare the jesus out of all of us. it was penetrated by what was essentially known to the hacker community all of the world. you can get online right now and probably compile most of the

malware that they were able to use. a company that was hacked in 2011 did not secure intellectual properties. to the tunes of tens of millions of dollars. this movie cost about $30 million to make. it was unsecure. they obviously knew they were subject to being hacked. that is what worries me more about anything. >> the hackers were in for at least three weeks before they were able to detect it. >> that can be defined as part of the problem that sony will eventually be beaten up for. what rethinking? a routine approaches to beat up the victim. it was attacked by a nation state. that should affect our own government calculation as to what the governments appropriate role might be as opposed to private enterprise out there on their own. >> the extension of that, my point was if a group of north

koreans can put together something to go after a company that had already been hacked and what a nation state with their capability that we knew was far superior, imagine what they could accomplish if they decided to go that way. >> we have been cataloging. let's catalog cyber centers. yet criminal gangs, and the disaffected. i think it between. this is both the iranian and north korean activity is teaching me. in between the criminal gang and the powerful nationstate are these isolated, perhaps dispirited, despairing nationstates who have a lot less to lose in going deep in a cyber attack.

we imagine the scenario. chinese are turning all the lights on the eastern power grid. i have allowed myself to make the statement if that were really happening in the real world, that would probably be the second or third item on the agenda that morning. there would be enough other stuff going on that that is a subset. what scares me is the isolated nationstate with acquiring cyber capability that feels that they have nothing to lose. we just saw north korea. iran is not quite as isolated. let's play a scenario forward where the talks fail and somebody has a big idea as to what it is you do with the iranian nuclear program. this is an achievable option for them to create great havoc.

it gives these not even regional powers, sub regional powers, a global reach they have never had before. perhaps a mindset in which they would be formally to use it then he more powerful mature state that has more to you -- more to lose. >> we need to encourage the private sector to adopt a cybersecurity framework that is put out by the national institute of standards and technology. that is not enough. we not only need to be ensuring that our networks are better protected from attacks, we need to assume that precisely because cyber attack capability are getting better and better, we need to assume the perimeter defense is going to fail. we need to be ready to restore the functionality of critical

infrastructure. we need to begin thinking further about it for example the power grid were taken out how could government support the restoration of the power grid in the same way that the national guard supported the power restoration operation in super storm sandy? what is the equivalent of providing security, everything that we have, how does that apply in the realm of cyber? not only for electricity, but for water and wastewater and everything that is lifeline infrastructure. we need to think not only about better protection against attack but also how can we restore the functionality of critical infrastructure and how the government can actually be useful to the industry as opposed to being in the way? >> that his district -- that is

interesting. it brings up what is the role of government in responding to such a tax? i would like to know, chairman rogers, what you think. should it the up to deal s -- d os to restore what has gone wrong? >> i think you get a mixed reaction from both. power grids, whatever power grid you want to pick. clearly there is a public interest in restoring power, clearly. you want the fire truck to show up, in this case the guy with the 80 pound head to show up as well that can get in there and help fix your problem. the problem now is the

destructive nature of it. it wasn't just the fun and games of what rich hollywood executives were saying about rich hollywood starlets. that was kind of tantalizing and good reason and -- and good reading. the real danger was be destruction of property. it's not just the matter of turning the lights off and we hidden and flip it back on. that would take weeks, if not months. sometimes it would mean bringing in new equipment that we may or may not have access to. it is a new level of concern because of the destructive nature. no matter what we say about china, russia, and others as rational actors, china does not want to cut off our power, lyons them too much money. we know by reports that they are

already on our electric grid. cut the battlefield. you want to be in so that if you ever need the opportunity to flip the switch. this is not something 20 years from now. we know nationstates have penetrated our electric grid. some of the more capable nationstates do it so that they can be ready if there was something to happen. just the way you want to know where our nuclear weapons are they want to be ready to flip the switch. with this new destructive attack you have a nationstate that is willing to put that much talent and effort on one company. if a nationstate wants to get in your company they are going to get in your company. we are saying there has to be some sharing arrangement in what we know and what we can provide to our private sector. >> president obama this week announced new legislation on information sharing and

liability protection. sharing information with government. >> shipe -- cyber sharing bills that give liability protection what a great idea. [laughter] >> is it legislation you can support? do you think it goes far enough? >> i have been through this many times. i think there's a light mix -- a lot of excitement this time. a big change is. >> once he threatened to veto your bill. >> over insufficient privacy protection? >> that was the plan, but it was the liability piece. this is a good thing, don't get me wrong. now we will get into debate. but i have been here before.

we are a long way from a cyber sharing piece of legislation. we have planted the seed. we will have to tend to it for a while before something comes up. there are still a lot of differences. i had a senator tell me after the election that they still have to get the 60 votes. which tells me we are still in an uphill battle on getting something done that actually works. the congress can pass. the problem is it has -- if it has no substance to it, it is truly like kissing your sister. when there are nationstates that are destroying data we should move on behind that quickly. >> two of us has had this conversation.

i said that is never going to happen to get the bill passed. you're not going to get it passed in the next august it are. i think i am wrong in the second part of my premise. what sony and apparel away paris has done things that were flash frozen are beginning to thaw. >> the pendulum is swinging back? >> i'm using temperature for my metaphor here. it froze the debate, and now we are returning to it. that's a good thing. your point is, coming back to the question out. >> the bill collapsed literally

the friday of the week before we adjourned. it was still in play up to that friday. and then the weight of it collapsed and people walked out of the room, and it was done unfortunately. i do think it was that close. you can do it again, but now you have new players. all of that will rejuvenate itself. they may even do it in this year. but it is going to be a challenge. >> there is not only more motivation. i think the president's proposal has some strengths compared to previous legislation. i think to try to centralize single portals in industry and government to share information is a step forward. i think the proposed changes. the computer fraud act.

to the dental bad actors like north korea. we could prosecute them. the kinds of more sophisticated weapons that we need to be concerned about from a critical infrastructure. not only has north korea given us more impetus to pass and to -- to pass legislation, i think it is a strong legislative proposal. >> every ornament you hang on the street becomes a weight and an anchor. someone will have a problem with every one of those issues. that is why who we have narrowed it down. if they really want to be successful at doing it, it is doable. that deal was on the table. >> how much do will it really do if it does pass? a lot of companies may not even have the trained worsen l.

>> you are targeting upstream. you want as much of that malicious code weeded out of the system. machine to machine speaking to each other millions of times a second. if it is not that, if it -- if there is any cap in the system it will not work. sony thought they were good. you have to hit that up front. if you don't, it won't work. >> i criticized the government for being late. i'm 40 years in government. i think it is a continuing step. we have not yet as a people decide what we want our government to do.

i really do think in this domain the private sector is far more the important actor than the government in both prevention and in response and resiliency. when you pass a law like this that is about liability protection, what in essence that's doing is the government is unleashing the private sector to do far more than it has felt comfortable being able to do in the past. i think it is a recognition that the main body to this fight is the private sector, and therefore the legislation philosophically is on the correct course. >> i agree. i think the private sector always is and needs to be in the lead for not only prevention but also response with government support.

state government, and above all state public utility commissions have a vital role to play here. if the industry is going to make investments that are essential to build resilience against cyber threats, they need to be able to recover their costs. rates for electricity and other utilities are set at the state level. what we lack today are criteria, the decision criteria of what constitutes a prude investment against increasingly severe threats, nontraditional threats. we understand what kinds of investments ought to be recoverable against superstorm sandy type threats. at the utility commissioner level how can we begin to build consensus to provide costs recovery for investments that will be essential? >> i would like to open it up to questions. what can you tell us about euro

121? how large is it? how sophisticated are its abilities? are they really trained received by the chinese? shed some light for us. >> i can tell you that most countries including north korea understood that early on they had to have this investment. for a small investment you can have a very powerful tool in your arsenal. now i have mixed my metaphors too. what we found was they had their own limited capabilities even from within their countries to do certain things. they had to go external to their country. they were willing to put a

program together that stretched beyond their borders both physically and then of course their ability to put something together that use proxy servers to get mauer on target. -- to get malware on target. for so many like north korea that has so few people that have access to electricity were willing to make this commitment, because it could have such a big impact for them. it almost took an american company off the map. it came as close, i can't wait for the book to be written on that, i think people will be surprised at some of the damage that was done. i think they have recovered nicely and did a nice job in getting it back up and doing all their functions of again. but when you look at how close it -- it was, it gives you a little bead of sweat. we are just one question away

from one of these companies or an organization that has ill will against the united states from getting the rights of people. obviously they have the capability to issue both. with access to the latest technology intellectually, and they got over those hurdles because they were so invested in it. the chinese have huge operations and are getting bigger, not smaller. some don't. some have new capability that have decided is very important other than firing artillery rounds. >> i think that is a very important part three this is a country that survives by ability to provoke. they were kind of running the table on conventional methods so they invested in nuclear

weapons. here's a country that's got probably a half a dozen weapons and most of the population. that's a remarkable commentary on how committed they are to doing this. the secret to their provocation is that someone once described is that they are surrounded by powerful mature countries. someone once described north korea as a house in a very nice suburb where the lawn is a -- unkept and several vehicles are on the front lawn. the rest of the neighborhood wants to do something about it but they are afraid to because they threaten to burn down the neighborhood. frankly, getting these kinds of tools makes that kind of threat more realistic. it's really, besides all the things we are talking about in the cyber domain and getting to

the next level, at the northeast asia geopolitical level it is disturbing. >> on that note, i will open it up to questions. we have a microphone. yes, with the yellow tie, identify yourself please. >> i have been listening, and i understand the passion. let's imagine that all those constraints come out. the legislation passes and we do all this legislation. sony was vulnerable. north korea had the tools to attack. what is all this legislation and all this capability going to do to prevent that? i don't quite see how the pieces

can act given all the authority what in fact is there to be done ? you can share all the information you want. sony still get swept off the map. >> again, and this was the biggest myth we could not get over when we were debating legislation the last couple of years. the interstate is not monitor private networks in the united states. it is against the law. they do not do it. when all of this capability to protect ourselves, they come back with some pretty interesting stuff. by this we can say now you can share with the private sector and the private sector can share

with you. this is really important because when they see some anomalies they can fire it back. right now they can't do that. the lachance we have now is if an fbi agent knocks on sony's door and says i'm with the government and i'm here to help you. it's too late. they are penetrated. this spreads out the ability to do that. now the private sector high up in the distribution chain at the provider level can protect itself against really nasty stuff. then you have a neutral sharing. north korea, they may have done this by the way somebody sees it very they look at it and we're going to share it.

we see it coming before it comes. i do believe it can help. it won't help in every case. it allows your private studio companies to focus on other problems. right now they're fighting china, russia, iran, now north korea. the only help they get from the government is when the fbi shows up and asks if they want help trying to figure out who did this to them. >> right now in some sectors of infrastructure there is pretty darn good sharing within that sector. in one sector for example there is not enough cross sharing. what if the criticism even when

the government. we have the signatures, they are older came too late to help. if the private sector shares this information with dhs and nsa says will share some things back? >> there is a mix bag of capabilities in the private sector. there are some companies who are exceptionally good at this and would likely have a good percentage of that source code if you would. i will tell you that there was more. it has to remain classified. there were even pieces that some of these really good top-notch i

will trust them companies with my information didn't have just by the nature of our ability in the intelligence sector to collect that information. they didn't get everything. they got a lot. at this stage it builds on capability. they have probably seen things the government has not seen. you would want to learn from them. the higher we build this wall, the better we all are. the better capabilities we build up on all levels. now we are sharing that with everybody, including your supply chain who is not very good. the guy says you got to be kidding me i went to school to learn this trade. now i have to understand how some company in eastern europe is getting into my system to attack my customer target.

this builds all of that capability, so that guy does not have to worry about it. he can continue to deliver his product or it that's how, in my better. folks at ground zero, will have an exponential capability. >> i.e. reinforced everything that has been said. if we do this well, we will advance along an important front, but only one front. by definition, sharing what is known with one another cannot protect you against a zerio do day. we are all first-generation drivers. we think traffic lights are suggestive rather than mandatory. there is a of education that needs to go on.

there are whole industries about ready to break into this domain that will make it better -- insurance, all right? saved her -- the insurance industry has made the auto industry safer. it will be to economic incentive. i do not want to pay this much i want to pay this much for insurance. international -- at some point like-minded nations, and i include the chinese, because it is against their long-term national interest to foster a pirahnical regime. is is lower hanging fruit. let's take it and move forward. >> yes, sir.

>> ohio state had a great defense when they play oregon, and that was a big enabler for them to that game. if ohio state had not had a good offense, their defense would have been on the field the entire time and oregon would have found a way to score big against ohio state. waiting in the deep end will allow someone to cut you in the face. what does the panel think about allowing both at the government level, at the corporate level and at the individual level to have a more offensive capability , given each one of those i.e., have companies begin to offer rather defensive tools, but tools that raise the risk factor for those they are attacking? >> ok. >> a terrible idea.

>> the chairman is mumbling this from being a terrible idea. this is beginning to smack of cyber legislation that cyber stand your ground legislation but i am not sure if i am 100% wrong. people who know this problem well start to get quickie when i begin to talk this way. i had told the government -- and i am predicting the government will be permanently late. so the application of the computer fraud and abuse act in equal measure to someone trying to defend their network compared to someone who is trying to attack someone else's network may be unwise. and there may be some space for the private sector to conduct what in the physical domain i would call counter battery fire

under very strict and limited circumstances, because it coul is difficult. what i would say what people begin to get forceful in response, but i am willing to entertain the idea, and if you think it is really crazy, we talk about domain, in one of these other domains, the maritime domain, the government is late to lead, and the constitution allows the congress to issue letters of mark and reprisal which is the private sector doing what we consider to be a governmental function in this domain when the government was in adequate to leeds. i do not dismiss it philosophically, but i trend back toward the chairman here, there are a lot of practical issues that could turn this into a free fire zone which is not beneficial. >> when you are shooting, they

may not shoot back to you. that is the problem. and i am not necessarily opposed to offense -- the government has a very good offensive capability. we have not decided as a couple of use it or has the government policy body, no one has decided to use it, so we do not. the problem -- you are asking a corporate duration -- corporation where you will get these mixed capabilities, and i cannot tell you how many see i cio's i have met who say this is not a problem. i can figure this out. i have never seen such confidence as i have people in cyberspace. god bless that. somebody is going to misfire and it will not be that particular company that pays the price. it will be a swath of people who play the price. a foreign nation state like iran or russia or china or north

korea will not say it is from company a. they will say it is coming from the united states of america and let's pay them back. now you have the problem of an escalation of which you did not start and you are not sure how you are going to stop it. i think we are not mature enough to have any private sector offensive capability. they can do things now that are offensively defensive, if you know what i mean. >> let's talk about that and another potentially crazy idea, rather than capturing the arrows, kill the archer, right? there are opportunities it appears there is an imminent attack on the united states, critical infrastructure, national security network, to preemptively attack before we suffer the attack. this is riddled with problems because we can get into a

situation of great instability. that there is an enormous advantage to go first in cyber realm, we begin to build doctrine to take us in that direction, you can imagine how ultimate league could end up in a situation a strategic instability that would lead all of our nations, including the dates, to be in a more precarious position. >> and trying to figure out exactly the red line that was crossed that made the white house response in the case of sony, and chairman roger said it was distracted and other people said that the manual makes the decision between destroying data and machines. the state department had a hearing earlier this week described it as a freedom of speech issue and did not mention the destructiveness of the attack, and there are other issues, attribution is good in this case, it is big hitting

north korea is not the worst thing in the world compared to china. with the panel say, what is the red line, because this is going to set president in the future, the mystically and internationally -- precedent in the future, domestically and internationally? >> it was to change behavior and i think that sets in motion an awful lot of concerns inside our broader society. >> again, if there had been no code version just a distraction, perhaps no response, no real response. wouldn't that cross the threshold? >> if that were to happen in a financial institution in the tank does not know how much money you have in it and you do not know how much money you have, you have a problem. they have stolen my money and the damage will have a magnitude larger impact on the economy. it has an economic impact for

the company itself sony, so i look at it differently. i thought that data destruction in and of itself is the first item of trouble that to me was a game changer because we're not seen that before. we've seen companies -- countries or nationstates or international criminal organizations with the capability to do that, poking around a little bit, which takes you nervous, then it they took it one step farther. then they threatened violence. as if you show this movie at these theaters, there will be filed. that it is a another magnitude of problem that they introduced into a cyber threat. >> they are trying to get us to adopt their version of the first amendment, which is no first amendment. political coercion, that is why it crosses a redline. >> i think the other mike rogers stage director said publicly last week that this is not the first the suckered of that first

instructive cyberattacks -- the first destructive cyber attack on u.s. soil. there is another issue about was really truly destructive destructive in the sense of international law where you physically destroy something, a computer or building, or destructive in a more general sense, destructive of data business operations. i'm not sure, was it really destructive? work computers -- do they have to be replaced? >> absolutely. i am positive. and the fact that -- imagine if i walk into your server farm where you put your most sensitive data and i put the pen on a grenade and rolled in and walked out. it is killed it blows up, and i have destroyed a lot of valuable they that. that is not coming back. this is the problem here, that they had data destructive, that

is the phrase, to the point that they are were populations that cannot function, and is not easily replaced. not they went in and unplugged it and plugged it back in. that did not happen. that in mind mind is destruction and destructiveness of the prime willing to do it for the finances of a company likes nonie -- like; get other company that is part of some place in our logistics chain of our critical infrastructure, washich is a lot. that impacts a significantly defense, finance, electric grid, food, water distribution, all that come airlines. now you think, if they did that same attack somewhere else, and again it lulled us in because it is a stupid idea. and so wanted to make a point

and just down the electric grid in every theater that showed the movie? let's do it that way. now we would be having a very different conversation, but that distracted data meant their business was economically impacted and can be physically impacted. think again about people who have to go back to writing checks to pay your bills. >> so that is the red line for you, is data destruction. >> absolutely, because you can extrapolate that to any other sector that would cause more significant economic disruption. i argue it disrupted that company economically. i would be interested to see the tally of loss when it is done, i understand their pr circle and that. they circled the writing, go rent "the interview." that is the smart thing to do, but the real damage him now you

will have another series of events where you will have consumer suits and shareholder suits. fun and games for sony is just about to begin. i think it is going to have a tremendously bad economic impact on that company. >> the next time there is a cyber attack on a company that destroys data, do you think the u.s. should come out and name the country that is behind it and post some sort of sanctions? >> i would hope so, otherwise you invite further attacks. it is such an important step that the president and the administration have taken. >> with a little flair. >> we speak about the capability of a big corporation to deal with that issue, but what about federal government and state governments, because the last

government report by government showed that up to 9000 federal government facilities were vulnerable for cyber fronts, dhs. do you think that it is now the federal government and the state level federal government had good strategies, and a second question, we are speaking about russia iran, north korea but do you think a group like isis can use this cyber weapon against the united states like north korea did? >> i will start on the second one. maybe you can answer this, and i will go with the government side, which i do not think is prepared way they should be.

late adopter for everything. other than raising taxes, or good or bad. that is what we are good at. oh, come on, people, like it up. on the ice is problem, or is what we saw developing. we saw al qaeda groups were advertising for people with capability, which told us they had the aspirations to do it. at least the people when i left a couple weeks ago have the capability to do it. you saw a lot of in france, a lot of it was too softer targets can that they were shutting down. isis capability in social media is shockingly good. they are on the cutting edge of using social media to promote their goals, aims, and objects that spirit it would lead one to believe that it is easier given

the level of people interested in participating i would worry and i will try to monitor their ability to get from -- and they have the same aspiration -- can they get from that aspirational stage to an operational's stage? in north korea, they took things in the open and used it. he did not create anything new. they just took what was out on the internet. i do not think they are there yet. i know they have the aspiration.' i worry, what is their learning curve? if it takes getting three or four people of the right capability in the room dedicated to this cause to cause some of, and i do not think it would be significantly sophisticated, but you see them do it. you see these other jihadist organizations, including those supported by iran out there. you can make this leak pretty easily -- leap pretty easily.

i am not going to lose sleep tonight about it. again to worry about it in the weeks and months ahead in their level of recruitment in places like syria to their cause. >> i have been surprised it has not happened yet. it would seem to be an easy approach. the cost of entry is low. the did ability to disrupt his high. why not? they are good on the net recruiting training, proselytizing, raising funds but we have not destructive attacks either of net or data or physical best of networks or data or physical destruction. it may not be the kind of heroic destruction that fits the model.

they criticize us as being unheroic and unmanly. this would be the ultimate in remote creation of destruction and maybe it just does not fit the style, and that is why they are late to it. i am with the chairman, they are late to it, but i expect they will get there. but i'm with the chairman, too. that is why we need to focus on deterrence by denial. threats of retaliation against al qaeda in the arabian peninsula, we cannot hold things hostage, certainly for cyber retaliation. that's why we need to be able to strengthen our networks so they do not have the incentive to attack us. so our networks did not present the lucrative target that they might today. >> did you want to address -- >> [indiscernible] >> the federal government is

working very hard in order to strengthen the resilience of government networks against attack. important steps are being taken by dhs and defense to hearted networks. state governments and governors across the nation, the national governors association, beginning to take this seriously, because if there is a successful attack on infrastructure, not only did he have to restore the functionality, we have to deal with the physical consequences of large-scale threats to public health and 80 that could occur if water and wastewater systems are destructive. governors are taking this very seriously. a great opportunity for progress and partnership of government and industry. >> there are a lot of interesting happening at the state level and louisiana has

a very aggressive dynamic original kind of program. what a lot of states are doing the governors in the role of commander in chief, are reproducing national art units in using -- guard units and using them in a militia status to protect . state networks. that is a nice thing that will create ideas to be disseminated. >> those national guard units are the most effective on the cyber security front. to take a sampling of our cyber defenses, and recent is a good or are you today and have all the benefits of the private sector real time, and the, weekends and two weeks of the year. it has been very effective. >> a couple more. how about you? >> [indiscernible]

one of the cornerstones of the proposal unveiled on tuesday liability protection of shared data, and most people know that the job of identifying the guy that does insider threat detection. i wonder, the special general hayden, somebody who is familiar with insider threat detection, can it be applied to cyber security more generally? anomaly detection seems broad and no one is what it is, but it seems that is what we are going to be talking about more. on a post-snowden and environment, does everyone agreed that is what we are in, and what are the indicators of that besides just more enthusiasm on the white house for better si cyber security

legislation like we saw this week? >> one of the things i have seen in the shift in the fight, and a lot of ways they are doing this, and history of cyber defense has been defending at the perimeter wall, the firewall, and that penetration. the three of us have made the case that they determine actors are getting in. now defense has got to be thinking about how do i manage consequences, presents for -- presumption of retirement -- and by people who know this for better than i can everybody gets penetrated, the difference between -- is between flash and bang, the difference between the penetration and the discovery of

the penetration. and here, unlike traditional firewalls where you are trying to guess the next zero day come here to focus is not out, but in. 30 you are looking at the behavior of your own network and looking anomalies using one of those powerful algorithms that somebody else develops to learn. to become your own big data, and suddenly the outdoors and goes never saw that for over there. no indication of a zero day or penetration. it is just anomalous behavior. that is where the current technological and entrepreneurial energy is. that is a very good thing. >> we can do and are going to do a lot better on security clearance management and making sure people, including administrators who have the keys , are affected in a more appropriate way. instead of having periodic ways

of your suitability to have a security clearance every 5 or 10 years, there will be continuous evaluation make you are suitable to hold these clearances. that is one of the changes that came out of the washington navy yard shooting, and that addresses the broader context of insider threats, including the cyber realm. >> wishful thinking on my part. >> i think he is waning. >> as a guy who lived through -- >> not snowden but the snowden phenomenon raises serious questions. this is not a battle between the forces of light and the forces of darkness. this is a question of a free people trying to balance their privacy and ve liberty with security and safety. one of the byproducts was

freezing debate, not advancing it. >> on the insider threat, before this happened, we put money in and as chairman we understand -- and i worry about counterintelligence issues first. one of the things we realize upfront was our audit capability was very inconsistent beyond certain places. and was a whole host of reasons for that, and most of them you would come to the conclusion they made the right decision at the right time. we added more money to push out this notion of audibility, makes it more difficult for someone to do what the nsa contractor did break in, steal stuff, and run up the door. one problem we had was the rize slowdown in the program and one of the areas that did not get the audit capability was hawaii. look at it and we thought, we had it right, we resourced it

right, in the capability was growing, somebody got one step ahead of the system. that person would have known that because he did some time back here where that audit capability was. i found that fairly interesting. >> last question anyone? there is a microphone. >> thank you very much. much discussion about the coercive destructive nature of the attack, but was vandalism the right categorization of the attack? >> no. >> no, and i would not have even asked what you would call it. i am not sure. vandalism sounds like somebody breaking into the subway car, and this was more serious. i have had some exposure to the real effects. just on a human level, this was

really traumatic for an awful lot of people. not an act of war i am ok of that, but i would have to search for a good word that has higher torque than vandalism. >> it was beyond the glue in the lock. i do not know what i would've called it, but it really get the desk gave them a pass for doing something dangerous, destructive, and remember they were threatening people who were going to the movie theater and thought they were doing it through some cutout, which i feel very confident in the fbi's public statement that it was north korea. i feel very confident in that piece of information. so that was such a big game changer when you diminish what they actually did. i think that is not helpful to the cause. >> it was called cyber terrorism. is it?

>> it was an attack on innocent to create a political effect. >> that political effect is important, but not an act of war. what we need going forward is the spectrum of responses that we think about fairly in advance that are tailored to the kind of attack that adversaries infant upon us. >> ok, thank you very much. thank you, all, for coming. >> hi. one of the great perks of my job is to thank terrific people for coming century their thoughts with us. for i do one function, is we do this a lot. we have a lot of meetings, so you have come to them before. , in my mind there is one thing that marks a great discussion and it is constructive disagreement. this town is a full of a lot of agreement, and we hear a lot very thoughtful, insightful agreement today. it is full of destructive disagreement, and the ability to bring these kinds of people in a

public s where they sharep different views is something i'm product. i would like to thank general hayden for joining us, and it is now dark outside. [applause] [captions copyright national cable satellite corp. 2015] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org]

>> state of the state address coverage continues. governor sam brownback white at 730 p.m. eastern. another state of the state address with the governor of nevada, live at 9:00 p.m. eastern. in baltimore the president met with democrats at their retreat.