
tv   Sony Cyberattack Implications  CSPAN  January 18, 2015 5:23am-7:01am EST

5:23 am
these problems are insolvable. the only thing that i think we have to know from our perspective is we should defend our country and our people. >> we have looked at this a lot at heritage. there is political islam. it has welded itself with the powers of government. there is a civilized, more religious islam. making that distinction is very important in solving the problem itself. some other questions? >> to your point about separation of powers how do we get that into an everyman a definition.
5:24 am
♪? >> we fall into the mess. >> unelected bureaucrats shouldn't write laws. who are they working for? all the bureaucracy of government works for the president. we have abdicated our role as congress. the regulations are 20,000 pages. so much of it is being done without our knowledge. there is a debate over defunding the immigration executive order. i am for that and about 1000 other things on every bill. people say you were trying to tie the hands of the president. that's our job.
5:25 am
i don't care if it's a republican president. the power of the purse, that is instructions. as a consequence, they do many things that we didn't intend to. i think that regulations that are written and very expensive ought to come back. jim was a lead sponsor of an act when he was in the senate. it says that any regulation written by a branch of government that is expensive has to come back and be voted on to become law by the congress. that would reassert our authority and the balance of powers. >> your father was one of the big founders of the libertarian party.
5:26 am
are you for regulations in a constitutional way rather than just more red tape? >> i will give you an example of that. we passed the law, the clean water act. it says no one can discharge pollutants into a stream. i would vote for that. if you have a company and you are dumping benzene in the ohio river, you should be in prison for doing that. i am for that regulation. that is a federal government regulation. that was passed in the 1970's. over time, they have defined dirt as a pollutant and your backyard is a stream. we spend $100 million policing private property. we do so much to harass private property owners.
5:27 am
we've forgotten the things we should be doing. there is a role for government in communal property. we've gone way too far to individuals. ken lucas put clean dirt on his own land to raise the elevation in mississippi. he has been in prison for 10 years. he was 70 when he went to jail. that is a crime. whoever put him in jail is the one who really ought to be in jail. >> one more question. >> do you agree? >> i have mixed feelings. you are talking about the authority that is given for the trade agreements.
5:28 am
the trade promotion authority there is an argument to be made on the separation of powers that in giving this authority to the president you have taken power that should be congress's. these are really treaties and they should be done as treaties and they are not. i'm a big believer in free trade. i think free trade is a good thing. there have been libertarians who voted against some of the trade deals because they felt like they gave up sovereignty to international bodies. like a lot of things i weigh the good and the bad. i think the good of trade has caused me to vote for things that i think are not perfect. the perfect way is we would lessen our trade barriers and do that through the congress. i think what we have been offered to vote on is not that. trade has helped people.
5:29 am
it helps the poorest among us. the average person who shops in a walmart saves $800 year because of free trade. >> let's thank senator rand paul. [applause] >> next, a look at the impact of the sony cyber attacks. at 7:00, your calls and questions on washington journal. >> we are featuring all day programming on book tv and american history tv. monday morning cornell west on a six revolutionary african-american leaders and their impacts on their own generation. sandy fair editor on her life in journalism. -- vanity fair editor on her life in journalism.
5:30 am
on american history tv, what he did jones abernathy on her experience in the civil rights movement. historians talk about the history of race relations in ferguson, missouri. find our complete television schedule at www.c-span.org. let us know what you think about the programs you are watching. you can e-mail us at c-span.org. you can join the conversation. like us on facebook. follow us on twitter. the deadline for the student cam video competition is tuesday. get your entries completed. produce a documentary on the
5:31 am
three branches. for your chance to win a $5,000, go to student cam.org. >> speakers included mike rogers. this is an hour and 25 minutes. >> thank you for coming this afternoon to our event on the sony cyber attack and its strategic implications. almost four years ago, i had the pleasure to work with general hayden and some others to put on
5:32 am
cyber shockwave, which i don't know if any of you remember. you can get a dvd or buy it on youtube. the idea was to simulate a cyber attack at the national security council cabinet level and see how the united states would react, and see if we had the policies in place to actually be able to, if not prevent, than to react in a reasonable way to a cyber attack. one particular exchange that stuck in my mind when we did the simulation, the person playing the attorney general at the time said mr. president, we don't have the authority to do what you're looking to do, which at the time was to turn off people's cell phones that had been infected with malware. and stewart baker, who is always selling his book, which is a great book if you haven't read it, who was playing the white house cyber czar, founded the desk and said if the attorney general doesn't have the authority he should actually go and find the authority. i am not sure we have found the
5:33 am
authority. but something has changed in the conversation we have been having this last week. new proposals suggest that perhaps we have turned a corner and are finally going to see some policy and legal changes when it comes to cyber security. it's interesting. i know that in trying to move the needle, we put a show on about a cyber attack but it took a cyber attack on a show to get things to start changing. to figure out what the implications are and to look at some of the controversy around the way the u.s. government specifically has reacted, whether it is a question of attribution, a question of severity, we have an excellent panel today.
5:34 am
to lead that discussion -- if you follow cyber security, you have surely read her articles, as i have. she knows more about cyber issues than probably 95% of the policymakers in washington. maybe 96%. >> thank you very much, and thanks to the bipartisan policy center for putting on a very timely panel. the panelists don't need much introduction and you all have their bios, so i will keep it brief. he was the chairman of the house intelligence committee. he is now a radio talkshow host doing commentary on important issues of the day on "something to think about with mike rogers"
5:35 am
on westwood one. a retired air force general, former cia director, and as a director, director of national intelligence, history major and now principal at the chertoff group, he is now writing a book about his career. then we have dr. paul stockton the former assistant secretary of homeland defense at the pentagon. he helped lead the department's response to superstorm sandy and the deepwater horizon crisis. he guided the critical infrastructure protection program and is a managing
5:36 am
director at an llc. i want to open by saying that we at the "washington post" have a cyber security summit every year. for a couple of years, we created our own war games which we came up with fictitious oil and gas companies and banking firms that were attacked by fictitious middle eastern and asian countries sending viruses to cause oil disruption and create chaos in the economy. but never did across our minds to have north korea target a hollywood movie studio for a film about a cia plot to assassinate kim jong-un. did the koreans want brad pitt
5:37 am
to play kim? what were they angry about? >> i thought it was funny. >> thank you. seriously, we have had countless intrusions into the u.s. critical infrastructure and companies dealing with intellectual property saying this is the biggest transfer of wealth in history. we have seen penetrations into the white house and pentagon but it took a hack into sony for the government to come up with a firm response, unprecedented really. and to actually name north korea. obama named north korea, and vowed to punish the country. so, we are going to go over the attack and the implications. briefly, what happened at sony. you are all familiar with this.
5:38 am
just before thanksgiving, sony discovered viruses in the system. then the guardians of peace, as they were called, began posting embarrassing e-mails online, showing executives making racially insensitive remarks. that started to get a lot of attention and become a problem for sony. about mid december, the hackers ratcheted up and put a threatening message online threatening violence against theaters that showed the film and alluded to 9/11. at that point, theaters get nervous. they talk about not wanting to show the film. sony decides they have to cancel
5:39 am
the planned release for christmas day, and that leads to a huge controversy. the very next day, president obama convenes a meeting in the situation room with his national security council. they decide, based on unanimous recommendations, that they are going to publicly name north korea, give attribution, say north korea was behind it and we are going to take a proportional response. so, that is the scenario. i want to turn to you, chairman rogers. how do you view the attack and do you think the president made the right call in naming north korea? >> you forgot to add that i decided to take four days off and i spent three of it on a
5:40 am
beach dealing with this issue, so no one is angrier about it than me and my wife. this marks a significant change. we have seen cyber attacks before, clearly. we have seen denial of service attacks before. we have never seen a nationstate use its capability -- albeit somewhat limited -- in a way that actually destroyed data. so, they went in to a company, and not only did they play the fun and games part, cause embarrassing pr problems, all of which was significant. they destroyed data. they destroyed intellectual property that made it very difficult for sony to operate. there was a time when it was very concerning as to whether they would be able to function as a business. it was more than a little disruptive. it was on the verge of economic calamity for a company like
5:41 am
sony. that was a very different game. we have seen other countries do it. we have seen iran do it to saudi arabia. but for a nation to decide it was going to have an impact in america by attacking an individual company, we have never quite seen that before. this is a whole new day in cyberspace for a host of reasons. now the united states is going to have to show that it will not tolerate it because everyone is watching. iran is watching. russia is watching. china is watching. every international criminal organization is watching. these are the steps we are going to have to work through as a country. naming them, i thought was an important thing. there are other things we need to do to move ahead and it needs to be smart.
5:42 am
if we are talking about this six months from now, we will have made a serious mistake. >> sony is not a critical infrastructure company. it is a hollywood studio. it doesn't fall into the critical infrastructure categories of oil, gas, banking. general hayden, take us into the situation room. how would you have assessed the attack and what would your advice have been? >> first of all, this was an arc that was predictable and i don't think any of us were surprised. this was going to happen. it happened then to these actors. it's all a continuum and a very predictable continuum. this is a nationstate attacking an american business. loss of profit is a big deal and
5:43 am
a relatively new deal. that's one. the second point is yes, north korea did do this. i am quite comfortable with the government assessment and i am glad that the president said that. i would probably have tried to strike the word proportional. i don't think we should give them comfort that the response would be proportional. i think it should be a response of our choosing. the president did say at a time and place of our choosing, but i think the word proportional gave them too much comfort. north korea is a nationstate doing destructive things, not for profit, but to coerce. these are all new flavors.
5:44 am
and then finally, i am going to take responsibility for this because i have 39 years in government, our government is kind of feckless in our response. we are going to get around to our usual effort here, which is to beat up the victim. we will get to that directly and sony will have to answer a whole bunch of questions. >> so, you were surprised that the government came out and gave attribution? >> i was pleased. i would have struck proportional. this has implications beyond cyber stuff. this is a pathological little gangster state that wants to hold at risk different things of value to different people in the world and we have allowed them
5:45 am
to take their game into a different domain. if i could just for a moment -- again, not particularly cyber related -- north korean foreign policy has been kind of like the instructions on your shampoo bottle, provoke, accept concessions, repeat. provoke, accept concessions, repeat. but it has not been along a stable line. it has been along this line. they have taught us to tolerate ever more provocative actions. i really would've fought to get the word proportional out of the talking points. >> i agree with what you said about this being a game changer. the game changer in another way as well, and that is, we know
5:46 am
now that a nation with .001 of the u.s. gdp has weapons they can use to launch an effective attack against the united states. that's very different from seizing control of the power grid or the natural gas system. nevertheless, we have had a wake-up call here. the trend is one way and that is toward nations acquiring increasingly sophisticated cyber weapons, increasingly destructive, and a growing number of nations being able to acquire these weapons. i am going to disagree with my old friend general hayden for just a moment here. i think it is terrific that the president has emphasized the importance of proportionality. we are in an era now where cyber conflict is burgeoning and we lack the rules of the road derived from armed conflict.
5:47 am
we have to begin to think about this in a new era. i think proportionality is a standard the united states ought to be espousing. i think we need to be standing up the laws of conflict in the cyber realm that are going to be good for the united states and good for security in the long haul. i believe proportionality is an important principle, and that the legitimate military objective doesn't cause disproportionate suffering in the civilian population. we can imagine how an attack on a power plant might affect the nearby military facility, but if that attack creates mass civilian casualties, as it
5:48 am
could, if it is an attack on a hospital, those are not legitimate plans of attack in a cyber conflict. >> people often get up in debates about what is an act of war. what this attacker had showed in a sense is that even acts that fall below an act of war can have significant impact, national security issues, and cause a u.s. government response. do you think this is a teachable moment in that regard and that maybe, to your point of creating norms, are we working toward
5:49 am
articulating clearer norms about what is acceptable behavior in the realm of cyberspace? >> i think we know what is unacceptable. the problem is, we wrestled with this for years. what is the appropriate response? i mean -- >> it's hard. >> i think you're both right and i am not even in congress anymore, so that's hard for me to say. i think the general is trying to say that you don't want to advertise what we do believe we have the right to do in a case when a nationstate attacks a u.s. company. that's what i thought i heard you say, and i think that's exactly right. i think the debate has to happen on what exactly are appropriate responses. we had this argument ad infinitum behind closed doors.
5:50 am
how much authority do you did of our capable ready cyber forces who are ready to go? they were ready to go on a sony case. they were absolutely ready to go, just waiting for the right instruction. and we never got to what the right instruction was, which i think is why we find ourselves where we are. you have to establish your defenses first. if we don't have some way for the government to at least assist the private sector in protecting their networks, it makes very little sense to try to create offensive trouble anywhere. they are not going to go after government works. they are going to go after private companies. that is a small case of what we see with sony. you start multiplying that with companies that are in the supply
5:51 am
chain of critical infrastructure and you don't even have to go after critical infrastructure. you can go after the supply chain. now you have a whole other discussion. you can understand how layered this problem is and why we are not ready. i argue to dig in, put on the helmet, strap it on, and then we can have a conversation about how to move forward. >> do you think if the theaters and sony had not canceled the release of the film, would you still have advocated public naming of the state responsible, north korea, and then taking some sort of response in response to the destructive action alone? >> i would have. you saw the congressman kind of dance around -- iranians did massive denials of attacks on banks. you cannot find someone currently in government to say
5:52 am
the iranians did that, but they did. i think that gets wrapped around a whole lot of macro, political -- right. now that i have said it, we can move on. i was heartened that we said what we said about north korea. of course, the principles of proportionality, distinction and necessity apply at the tactical level when you use a weapon. i am talking about proportionality in state response. we don't have to tell them we're going to limit our response. i want them to think we have a lot more power and we feel free to use it. to your question. what was it?
5:53 am
hard to say. we have not yet worked out a taxonomy in the cyber domain that mirrors the taxonomy we have in the physical domain. they tried to do some heavy lifting at the nato center of excellence a few years back where they actually did try to suggest definitions. it's not even an official nato document. it's certainly not u.s. policy, but it reflects the struggle we now have. how do you categorize events in the cyber domain in a way that frankly, tells you what is or is not a legitimate response? we haven't done it yet. >> what do you think, doctor when you were at the pentagon for a number of years when they try to come up with scenarios
5:54 am
and appropriate responses? >> i think there has been important progress on exactly the line that you mentioned. the importance of understanding that the resilience of privately owned infrastructure makes a very important contribution to deterrence of attacks against the united states. we need to be able to create doubts in the mind of the attacker as to whether the attack can succeed and whether it is worth the retaliation that is going to come. moreover, if we are going to retaliate, we need to believe and understand and our adversary needs to understand that if they escalate and come back in our infrastructure at a more intense level, we can handle that. our privately owned infrastructure is sufficiently resilient that we can accept that attack and we will not be deterred from retaliating the way we need to be retaliating in
5:55 am
the future. >> deterrence by denial. >> deterrence by denial. the pentagon is making progress in that direction. >> let's talk a little bit about the response the obama administration chose. they announced new financial sanctions on three north korean entities and 10 individuals. how likely do you think are these to get kim jong-un and others to change their behavior? >> i think they are pretty light, symbolic at best. we have had sanctions in the past that have worked. i was in government when it happened.
5:56 am
we were all surprised it worked so well. the sanctions imposed last month are not that. >> what more is there to be done? have we done the most far-reaching sanctions we can take? >> now, i was not in the meetings. i have been in the meetings. these are hard. there are always second and third order effects and you have to be careful. but looking at what is in front of us, we have been pretty light in our response to date. >> exactly. there are a whole series of second wave of events that i think we ought to engage in. and the longer this goes, by the way, the worse off we are. it really needed to have a more instantaneous impact, because it
5:57 am
was announced, and shortly after it was announced, everybody buckle down, including the north koreans, and happened. of any real significance. i agree. the sanctions were light at best. there is no real financial grind they are going to go into to impact the people who are living well in north korea. most people don't even have electricity. one in 10 have electricity and that's not for 24 hours a day. so, if you're going to do this, you have to impact the people who are enjoying the nicety of life with no consequences. that's the challenge. i assumed after the announcement we would see a list of sanctions and then have some other series of events know it happen that would make the north koreans say you know that just wasn't worth it, and the movie wasn't that good either. >> have you seen it?
5:58 am
>> i have not. i can't give them the money. >> china is north korea's only real purveyor of internet access. what do you think of asking china or getting china to exert its influence over north korea in order to contain north korea's behavior in this area? >> chinese policy is self-defeating. i think it's contrary to chinese interests. what they need in northeast asia is a root canal, and they are afraid to go to the dentist, so they just pop in aspirin to deal with the pain. this is a pathological gangster state, a dangerous source of instability for the chinese and will be as long as it exists but they have not quite gotten themselves to the position where they feel they have to go to the dentist and do something drastic. you would think when junior
5:59 am
killed his uncle, who was china's man in the politburo that would have nudged in a positive direction, but so far president xi has enough challenges with his own transition, he is just not ready to strap this one on yet. so we can cajole or we can exhort, we can begin to exert a bit of a price here and there in the sino-american relationship i don't think they are ready to act yet. i think that is contrary to long-term chinese interests. >> now that north korean troops are going across the chinese border, as happened yesterday in order to steal food from chinese civilian villagers, i think we see further evidence of the instability that confronts china there. i am more optimistic that the sanctions the president has announced are going to have bite, precisely for the elites. i think as secretary of the
6:00 am
treasury glaser pointed out the other day, third parties who are assisting north korean agencies under sanctions in conducting business. in flowing cash back to the north korean elites. they will be facing sanctions and that is the kind of like that could be helpful over the long term. let me say one other thing, and that is i don't believe that when nations such as north korea launch cyberattacks, we automatically default to retaliating in kind, that is launching cyberattacks response. i believe we ought to keep our most sophisticated and effective cyber weapons in reserve. they are our crown jewels. let's keep them until we face a much more severe threat than occurred at sony. >> of course they don't have much infrastructure to attack in the first place, but after obama announced that he was going to take a proportional response their internet did go down for a
6:01 am
few days and there was much speculation as to who was behind it, then we heard recently from the white house that the sanctions were there first response, implying that they were not behind the shutdown. who do you think might have done it? >> i think somebody tripped over the extension cord.
6:02 am
it is not a very sophisticated system, and here's the other part of this, by the way. what was interesting about this was that the north koreans didn't have some new cyber technique, they didn't have any new malicious source code that we weren't aware of, they just went around the net and took things that had already been exposed and put them together, and then they found ways to get it out of north korea to find surreptitious ways to get it at its target. this was not horrifically sophisticated, so when you talk about not using your best weapon, couldn't agree more, but that should really scare all of us. that a company that was attacked in 2011 was penetrated by what was essentially known to the hacker community all over the world. you could get online right now and probably compile most of the malware that they were able to use. which tells you that a company that was hacked in 2011 did not secure intellectual property they didn't encrypt secure property to the tune of tens of millions of dollars. i think this one will be cost them about $30 million to make. they got through the shell, they obviously knew they were subject to being hacked. that is what worries me more than anything. >> and the hackers were in for at least three weeks before they were detected. >> that can be defined as part of the problem that sony will eventually be beaten up for. what were you thinking? what were your cyber defenses? again, a routine approach here is to beat up the victim. but, it was an attack by a
6:03 am
nationstate, and that should affect our own government's calculation as to what the government's appropriate role might be as opposed to a private enterprise out there on their own. >> the extension of that was, if a group in north korea can put together something to go after a company that has already been hacked, imagine a nationstate with capability that is far superior, and we know there is malicious code out there that has not been seen by the public, imagine what they could have done. >> we have been cataloging cyber-sins here, let's go ahead and catalog cyber-sinners. you have very powerful nationstates, you have criminal gangs, and then, kind of like, the disaffected. i think in between, and this is what both the iranian and north
6:04 am
korean activities are teaching me, in between the criminal gang and the powerful nationstate are these isolated, perhaps dispirited nation states who have a lot less to lose in going deep in a cyber attack. let me explain. we imagine the scenario, chinese are turning out all the lights on eastern power grid, that's really bad. but i have allowed myself to make the statement, if that were
6:05 am
>> in a power mature state that has more to lose. >> and that's why i think we need to continue to encourage the private sector to adopt the cyber security framework that's put out by the national institute of standards and technology. but that's not enough. we not only need to be ensuring
6:06 am
that our networks are better protected from attack. we need to assume i think it's prudent, we need to assume that precisely because cyber attack capabilities are getting better and better, we need to presume that the perimeter defense is going to fail. we need to be ready to restore the functionality of critical infrastructure. we need to begin thinking further about if for example, the power grid were taken out or a significant chunk of the united states, how could the government support the restoration of the power grid in the same way that the national guard supported the power restoration operation in superstorm sandy? what's the functional equivalent of providing security removing debris how does that apply in the realm of cyber? and not only for electricity but for water waste water, and everything else
6:07 am
that's life line infrastructure we need to not only take better precautions against attack and security, but how can we restore the functionality of critical infrastructure and how the government can actually be useful to industry as opposed to being in the way. >> well, you know actually that's an interesting question. what is the role really of those government -- the federal government -- in responding to attacks on infrastructure and critical infrastructure. i'd like to know what you think if there's a big debilitating attack. should it be up to dod or dhs to rush in and get into the systems and try to help restore what's gone wrong? or do you think companies would say, no, no no. don't listen. >> i think you'd get a mixed reaction from both. but if the power grid goes out from the eastern united states, fill in the blank whichever power grid you want to pick clearly, there is a public
6:08 am
interest in restoring power. clearly, i mean, do you want the fire truck to show up? do you want the police to show up? in this case you want, you know the guy with the 80-pound head to show up as well that can get in there and help fix your problem. the problem now is, and this is why i think many of us worry sony is the destructive nature of it. it wasn't just the fun and games of what rich hollywood executives were saying about rich hollywood starlets. that was kind of tantalizing and good reading. the real game changer was the destruction of property. that was possible in our electrical grid. it's not a matter of turning the power off with a few switches and turning it back on. it could take weeks and months. sometimes it may mean bringing in new equipment that we
6:09 am
may or may not have access to. that is the destructive nature. no matter what we say about china or russia rational actors, china doesn't cut off the power if they don't give much money. come on, that's good. [laughing] >> so if you think about this, we know by published reports that they're already on our electric grid. why are they there? it's the battlefield you want to be in if you ever need the opportunity to flip the switch. this isn't 20 years from now. we know that nation states have are flipped the grid. some nation states can do it so they're ready. you want to know where our nuclear weapons are? they want to be ready to flip the switch. that's what i find so concerning and now with the new destructive attack, the other nations are willing to put that much talent and effort on one company. by the way, if a nation state
6:10 am
wants to get in your company, i have news for you, they're going to get in your company and that's what those of us are saying, is that there has to be some sharing arrangement between what we know in the classified space and the private sector to shore up our defenses. >> president obama this week announced new legislation on information sharing and liability protection immunity to companies that share private data, in this case cyber security. >> the cyber sharing bill that gives liability? what a great idea. why didn't i think of that? >> well, yes, is it legislation you can support? do you think it goes far enough? >> it's a good change. it's a significant change from where we were. >> he threatened to veto your bill. >> he did. he vetoed the cyber sharing bill
6:11 am
two years ago and a year and-a-half ago. >> private right? >> actually yes, and the liability piece. for the president, this is a good thing don't get me wrong. it's a good thing because now we'll get into the debate but i've been here before and we are a long way from the cyber sharing piece of legislation. we've planted the seed in the field, and will have to tend to it. there's still difference in the senate. i've had a senior senator who's now in the minority, at the time he told me this he was in the majority, after the election, that they still have to get to 60 votes which tells me we are still in an uphill battle on getting something done that works. because we can pass cyber -- the congressman passed cyber security -- this is really hard for me to say, which is bad if you're going into radio, i might
6:12 am
add. [laughing]. the problem is that if it has no functional sustenance to it, it's truly like kissing your sister and when nations are destroying data we best move beyond that very quickly. >> i'll add. the two of us have had this conversation, and he's projecting he's going to get it to go past congress and i said that's never going to happen. and i also said, you're not going to get it past the next congress either, but i think i'm wrong in the second part of my premise, and what sony in a parallel way paris, has done, we're probably now entering the post note era, and things that were flash frozen because of that debate are beginning to thaw. >> you mean the pendulum is swinging back? >> i'm using temperature for my metaphor here not pendulum. [laughing].
6:13 am
they did. it froze the debate. and now we're returning to it. and that's a good thing. what ends up we'll see, but your point is, we're at least coming back to the question now. >> friends of that bill, all of the players in the house and the senate, the bill collapsed literally the friday of the week before we adjourned literally. it was still in play up to that friday. and then it -- just the weight of it collapsed on itself and people walked out of the room and it was done unfortunately. i do think it was that close. so you can do it again but now you have new players new fights, and all of that will rejuvenate itself. can they do it? they may be able to do it in this year and it can happen in this year and that would be the challenge. >> that would be wonderful and there's not only more motivation as you point out, i think the president's proposal has some strengths compared to previous
6:14 am
legislation. i think the role of the end kick now, trying to centralize a single portal for industry and government to share information, that's a step forward. i think the proposed changes to keep -- achieve -- i've got the disease too, i could be a radio announcer. [laughing]. the computer fraud and abuse act to make it explicit to those who sell botnets to criminals, to bad criminals like north korea, not only botnets, the kinds of sophisticated networks that we need to be concerned about from a critical infrastructure network. not only has north korea given us more impetus to pass legislation but i think it's a very strong legislative proposal. >> again, after going through this, every ornament you hang on this tree becomes a weight and an anchor, because someone will have a problem with every one of those issues that you talk about. that's why we narrowed it down
6:15 am
so much. my argument, if they want to be successful with doing this. we were very close working with the white house. it's doable. that deal was on the table. i really didn't believe it was going to happen. >> how much good will it do if it does pass? a lot of companies may not even have the trained personnel who can make use of this information. >> disagree, because you're targeting up stream. you want as much of that malicious source code out of the system. and that's the one argument with the portal and you make it real time, machine to machine, speaking to each other thousands of times a millions of times a second, zeros and ones at the speed of light. if there's not that, if there's any hiccup in that system, it won't work, as sony found. sony did a decent job in their external security? they thought they were good and the security company said they were good, but they penetrated the wall. so you have to hit that up front, and if you don't hit it up front, it's not going to
6:16 am
work. it sounds great but it won't work. >> i criticize the government for being late to the response, and frankly, by the way, i'm partly, not to blame, i'm 40 years in government, but i think that's a continuing state. we have not yet as a people decided what it is we want our government to do or what it is we'll let our government do in the cyber domain in terms of the newly important federalist paper kinds of things. all right, so i think in this domain, the private sector is far more the important factor than the government in both intervention and frankly in response and resiliency. so when you pass a law like this it's about liability protection. what in essence that's doing is the government unleashing the private sector to do far more than it's felt comfortable being able to do in the past. so i think -- i think it's a recognition that the main body in this fight is the private
6:17 am
sector and therefore the legislation to the degree it empowers the private sector i think philosophically is on the very correct course. >> i agree. i think the private sector always is and needs to be in the lead for not only prevention but response for government and support but we've only been talking about the federal level at this point. state governments and above all state and public utility commissions have a vital role to play here. because if industry is going to make the kinds of investments that are essential to build resilience to sophisticated cyber threats, they need to be able to recover their costs and rates for electricity and other regulated utilities are set at the state level. what we lack today are the criteria, the decision criteria, of what constitutes a prudent investment against these increasingly severe threats, non-traditional threats. we understand what kinds of
6:18 am
investments ought to be recoverable against superstorm sandy type threats. how can at the state level at the utility commissioner level we begin to build consensus to provide for cost recovery for the investment that's going to be essential going forward. >> i'd like to open it up for questions, but before i do, i'd like to ask this question what can you tell us, maybe chairman or general state and chairman rogers about bureau 121, the main north korean cyber warfare hacker unit. how large is it? how sophisticated are its abilities? are they really trained, you know, by overseas bite -- by the chinese? shed some light there. >> i can't talk about the specifics of the question but i can tell you most countries like north korea early on had to have this investment because for a relatively small investment, you can have a very powerful tool in
6:19 am
your arsenal. and now i've mixed my metaphors too. but it's catchy up there. but what we found was, they had their own limited capabilities even from in their country to do certain things, so that they had to go external to their country. but they were willing to put a program together that stretched beyond their borders both physically and then of course their ability to put something together that used proxy servers and other things to get their malware on target. so again, to me, this should be one of those teachable moments for all of us, that somebody like north korea that has -- so few people have access to electricity, were willing to make this commitment because of the impact for them. think of the impact. we talked about it all day. it almost took an american company off the map. it came as close -- i can't wait until the book is written on that. i think people will be surprised
6:20 am
at some of the damage that was done. i think they've recovered nicely and done a great job of getting the right folks in, getting it back up doing all the functions again. when you look at how close it was, it gives you a little bead of sweat. as we're one investment away from all these companies, another organization that has ill will to the united states and these companies to put it in the right place to pull this off. it's not huge. obviously, they have capable with access to the latest technology intellectually, but they got over those hurdles because they were so invested in it. but i walked away from this pretty interesting, chinese have huge operations. and they're getting bigger, by the way, not smaller. the north koreans don't but they have this new capability they've decided is very important to their ability to inflict pain other than firing artillery rounds at the island
6:21 am
and stuff. that's what they did before. now look at what they were able to do. >> i think that's the very important part. this is a country that survives by its ability to provoke, and they're kind of running the table on conventional methods, so they invested in nuclear weapons. here's a country with probably half a dozen weapons, close to having a functional icbm and close to each mark. that's remarkable commentary on how committed they are to doing this, and the secret to their provocation is someone once described it as, they're surrounded by a powerful mature country. someone described it as the house in the nice suburb with the house unkept and several vehicles on blocks in the front lawn and the rest of the
6:22 am
neighborhood wants to do something about it, but they're afraid to because they threaten to burn down the neighborhood. and frankly, getting these kinds of tools makes that kind of threat more realistic. besides all the things you're talking about in the cyber domain and completing the arc and getting to the next level it's really troubling, at the northeast asia geopolitical level is also very troubling. >> okay on that note, i'll open it up to questions. do we have a microphone? okay, and yes, sir, with the yellow tie identify yourself, please. >> steve conkers. so i've been listening and i understand the passion, and let's imagine that all the constraints come off, legislation passes, economic
6:23 am
strengths and so far information sharing. i think ella's question towards the end, i want to ask more pointedly. sony was vulnerable. north korea had the tools to attack. what is all this legislation and all this capability going to do to prevent that? i don't quite see how the pieces connect. still, the company is given all the authority to do whatever it wanted to do. what, in fact is there to be done? you can share all the information you want. sony still gets swiped off the map. >> well okay. yeah, again and this was the biggest myth we couldn't get over when we were debating legislation in the last couple of years. the nsa does not monitor private networks in the united
6:24 am
states. that's a shock to us. they're not monitoring private sector networks. it's against the law and don't do it. that's 85% of the networks. so to protect ourselves, they come back with interesting stuff. by this, you can share with the private sector. by the way the private sector can share with you. this is really important. because when they see some anomalies, they can fire it back and the nsa can see it. that is bad. let me figure out where that's coming from. right now, they can't do that. the only chance we have now is an f.b.i. network knocks on the door and says, you've had a bad day. i'm here with the government and here to help you. it's gone. that means the f.b.i. has detected it. this spreads out the ability to do that. so now the private sector i helped in the distribution chain, if you will at the provider level, can protect
6:25 am
itself against really nasty stuff, and then you have this mutual sharing back. so if north korea -- and they may have done this, by the way sampled somewhere else, somebody sees it they share it back with the n.s.a. or whoever, which i supported in our bill, the portal to do that, they look at it, oh this is a problem, we're going to share this back out in a classified way so they'll hit sony and can see it coming before it comes. i believe it will help. they won't help in every case but it allows your cyber security companies to focus on a whole host of other problems. but they've got to fight everything. china, russia, iran, north korea, international criminal groups and the only help they get from the government is when the f.b.i. shows up, would you like some help forensically on who did this to you? i think it's unacceptable. >> right now, in some sectors and infrastructure there's pretty darn good sharing within
6:26 am
that sector, the electric sector, for example. there's not enough cross-sector sharing. very important that this legislature will provide for organizations that will allow threat signatures that are hitting one sector to be shared so other sectors can protect itself against it. >> what are the criticisms i hear from industry and part of the defense from defense contractors, is even when the government declassifies and shares data and we find we have those signatures or they're old or came too late to help so if the private sector shares this information with dhs who then shares with the n.s.a. and the n.s.a. says okay, we'll share something back. >> only because we lived this problem the last four years. so there is a mixed bag of capabilities in the private sector. there are some companies who are exceptionally good at this, and
6:27 am
would likely have a good percentage of that source code if you will. i will tell you that all of a sudden more that was even -- that was not able to be -- remember, we collect it in a classified way, it has to remain classified. so there was even pieces that some of these really good top-notch, i would trust them companies, with my information just didn't have by the very nature of our ability in the intelligence sector to select that information and protect its own network. so they didn't get everything, number 1. they got a lot. so in this case, it goes on capability. we would learn from them. they've probably seen things that the government hasn't seen in this case, maybe. so you would want to learn from them. the higher we build this wall the better we all are. that's a terrible analogy because it's not bad. but the better the capabilities we build up on all levels.
6:28 am
we're sharing it with everybody including the supply chain, who is not very good. which probably went after targets. so the guys, you've got to be kidding me i went to school to learn this trade and now i have to understand how some company in europe eastern europe, is getting into my system to attack my customer, target, you've got to be kidding me right. so this builds all that capability. you can continue to be the best guy to deliver the product. that's how this in my mind works. everybody will get better. the government will get better in this case and the companies at ground zero will also have an exponential capability. >> reinforcing your point if we do this well, we will advance along an important front not only one front. just by definition, sharing what is known with one another can't
6:29 am
protect you against the zero day, which is unknown all right. which is a good step. there are a bunch of other things that we can do that we've got to advance across a broad front. but we are all first generation drivers in the cyber domain. we all think traffic lights are suggestive, rather than mandatory, and there's a whole lot of education that needs to go on. there are whole industries out there ready to break into this domain that will actually make it better. insurance, all right. the insurance industry has made the automobile safer. the insurance industry, once it mastered what the domain are will make it safer to be in. it won't be through government regulation, it will be economic incentive. i don't want to pay that much for insurance. i want to pay this much for insurance, and you do things. internationally, at some point, like-minded nations and i include the chinese in like-minded. because again, it's against their long term national interest to foster a regime in
6:30 am
the cyber domain. like-minded nations will begin to adapt international norms of acceptable and unacceptable nature. but this is lower hanging fruit. this is there. let's take it and move forward. >> yes, sir? dave international professional. ohio state had a great defense when they played oregon. and that was a big enabler for them to win that game. but if ohio state had not had a good offense their defense would have been on the field the entire time and oregon would have found a way to score big and deep against ohio state. sitting back in the deep end is waiting for someone to punch you in the face. i'm curious, what is the panel think about allowing both at the government level the corporate
6:31 am
level and at the individual level, to having more offensive capability against each one of those, i.e. symantec having the tools that raises the risk factors to attack you. >> terrible idea. >> the chairman is mumbling about it being a terrible idea. let me distance myself from the terrible remarks. this is beginning a standard round of legislation, but i'm not 100% sure it's 100% wrong. people who know this problem very well, really start to get quaky when i talk this way all right. i've already told you the government is late, and i'm predicting the government is going to be late to act.
6:32 am
and the fraud and abuse act, in equal measure someone trying to defend his network compared to someone who's trying to attack someone else's network may be unwise. and there may be some space for the private sector to conduct what in the physical domain i would call counter battery starter under very strict and limited circumstances because it's very difficult for the government to do that in this domain. when i say this really smart people like the chairman, the doctor, and jim lewis over at csis, begin to get very forceful in response. i want to entertain the idea. you think this is really crazy, all right, when you talk about domain cyber, but in one of the other domains, the maritime domain, the government was also late to lead. and the constitution offers the letters of marque and reprisal. which fundamentally, it's the
6:33 am
private sector doing what we consider to be a governmental function in this domain when the government was inadequate to lead. but i don't take it out of hand, it could turn into a prefire zone which is not beneficial. >> they may not shoot back at you. that's the problem. and so i'm not necessarily opposed to authenticate. as a matter of fact, the government has a very good offensive capability. we have not decided as a public how to use it or has the government policy body decided how to use it, so we don't. but here's the problem. you're asking a corporation who's -- you're going to get all these mixed capabilities. and you're going to get the one guy who shows up. i can't tell you all the c.e.o.s i've met in my time that will say, i don't even know what's the problem. woops, you'll have somebody come in and go i've got this one.
6:34 am
i can figure this out. i have such confidence as i have in people in cyber space, god bless them. but i tell you somebody will do it, and it won't be that particular company that pays the price. it will be a swath of people that pay the price, and a foreign nation state like iran russia, china or north korea, say-- won't say it's from company a. they'll say it's from the united states of america, let's pay them back. so you have this problem in which you didn't start and now you have to stop it. we are not mature enough to have any, i think, private sector offensive capabilities. i think we can do some things now that are offensively defensive, if you know what i mean. >> let's talk about that and another potentially crazy idea rather than capturing the
6:35 am
arrows, kill the archer, right? there are opportunities, if it appears that there is an imminent attack on the united states and its critical infrastructure on its national security networks to preemptively attack, before we suffer the attack. this is riddled with problems, because, of course, we get into a situation of great instability. if there's an enormous advantage to go first in the cyber realm, we begin to build doctrine to take us in that direction you can imagine how ultimately we could end up in a situation of strategic instability that would lead all of our nations, including the united states, to be in a more precarious position. >> okay. >> bill marshall, i'm kind of surprised exactly of the red line that was crossed that made the white house respond in the case, and chairmen rogers said it was destructive and a lot of other people said that too the
6:36 am
manual says data in this case versus actual machines. the state department hearing earlier this week described it as a freedom of speech issue and didn't mention the destructiveness of the attack. and there were other atransactions, it's really good in this case, it's big, hitting north korea is not the worst thing in the world compared to china. i'm wondering if the panel could say, what was the red line because this is going to set precedent in the future both domestically and internationally. >> for me it was the coercion. it wasn't for profit or just for random destructiveness. it was to change behavior, and i do think that sets in motion an awful lot of concerns inside our broader society. it was coercion. >> so again if there had been no coercion and just the destruction, perhaps no response, no real response. >> again, you have to put it in
6:37 am
perspective. if that was to happen at a financial institution and now the bank doesn't know how much money you have in it and you don't know how much money you have now we have a problem. they've stolen my damage and it's damaged and will have a magnitude larger impact on the -- in the economy. obviously, it has an economic impact for the company itself so i look at it a little differently. i thought the data destruction in and of itself was the first sign trouble that to me was the game changer because we've not seen that before. we've seen countries or nation states or international criminal organizations with the capability to do that poking around a little bit, which is always, you know, makes you a little nervous, but then they took it one step farther. then they threatened violence. they said, if you show this movie at these theaters, there will be violence. that's a whole nother magnitude of problems that they introduced into a cyber threat. >> that's right.
6:38 am
they're trying to get up to adopt their version of the 1st amendment, which is no 1st amendment. political coercion, that's why it crosses the red line. >> and i think the other mike rogers n.s.a. director said publicly last week, that this is not the first destructive cyber attack on u.s. soil. there have been other cyber attacks that destroyed a casino, for instance. but there is this other issue that's not truly destructive, in the sense of an international law where you actually destroy something, a computer a building. disrupted data and business processes. i'm not sure was it really destructive? were computers did they actually have to be replaced? >> oh, absolutely, i'm positive and the fact -- imagine if i
6:39 am
walked into your server farm where you put your most sensitive data and i pull a grenade and walk out. nobody's killed. it blows up right. i've destroyed a lot of valuable data. that's not coming back right. so this was the problem here. that they had data destructed that's the phrase, to the point where there were operations that could not function, and it wasn't easily replaced. it's not like they went in and unplugged it and plugged it back in. that's not happening. so in my mind it's destructive, and it's destructive in the sense that if i'm willing to do it for the finances of a company like sony, pick another company that is apart at some place in our logistics chain of our critical infrastructure, which is a lot. that multiplies that amount of companies that could be impacted pretty significantly either defense or finance or electric grid or food, water
6:40 am
distribution, all of that, airlines. now you start thinking well, gee, if they did that exact same attack somewhere else, and again, it pulled us in, because it was a stupid idea to pick sony over a movie but what if they were smart enough not to pick sony over a movie and still wanted to make their point and shut down an electric grid in every theater that wanted to show the movie. let's do it all that way. now we could be having a very important conversation but the destructive data meant their business was both economically impacted and candidly and physically impacted. think about it if people had to go back to writing checks to pay your bills. >> so that's the red line for you is data destruction. >> absolutely because you can extrapolate that to any other sector that would cause much more significant economic disruption. i think it disrupted that
6:41 am
company economically. i would be interested to see the total tally of loss. and i understand their p.r. firm does, they circle the wagon, everything's fine, nothing to see here move along, go rent "the interview," right? that's good on them and the smart thing to do. but the real damage i think is yet to come out and by the way you'll have another series of events here. you're going to have consumer suits and shareholder suits. so the fun and games for sony is just about to begin. i think it's going to have a tremendously bad economic impact on that company. >> the next time there's a cyber attack on a u.s. company that destroys data and has a significant business disruption, do you think we'll hit the u.s. and the u.s. should come out and name the country they believe is behind it and impose some sort of sanctions? >> i sure hope so. otherwise, you invite further attacks. this is such an important step that the president and the administration have taken.
6:42 am
>> sir, with the blue sweater? >> we're talking about capable of a big corporation to deal with that issue but what about federal government and state government? because last government's report by a government to build the office showed that up to 9,000 federal government facilities are vulnerable for cyber threats, because of lack of strategy of d.h.s. so do you think that now the federal government and probably even state level government have a good strategy to deal with that kind of issue and second short question thinking about russia iran, north korea, but do you think that kind of groups like isis can use this cyber
6:43 am
weapon against the united states like north korea did? >> well i'll start on the second one. maybe you can answer it with the government side of it which i don't think is prepared, by the way, the way it should be. late adopter for technology, late adopter for everything, other than raising your taxes good or bad. come on, people, lighten up. so on the isis problem, here's what we saw developing over time. we saw that al-qaida groups were advertising for people with capabilities. which told us they had the aspiration to do it. i don't think they were, at least even when i left two weeks ago, had the capability to do it. but you see something different in isis you saw it in france, in the 19,000 attacks, a lot of it was the softer targets but they were able to shut things
6:44 am
down through lead-off attacks. isis capability in social media is shockingly good shockingly good. they're very, very -- they're on the cutting edge of using social media to provoke their aims goals and objectives. so it would lead one to believe that it is going to be easier given the level of people that are interested in participating. i would worry and i would try to monitor their ability to get from -- they also have the same aspiration, can they get from that aspirational stage to an operational stage? remember, what was concerning about north korea is they took things that were in the open put it together engineered it and used it, so they didn't create anything new. they just took what was out on the internet. so i don't think they're there yet. i know they have the aspiration. i worry if, you know, what is their learning curve? and it takes getting three or four people of the right capability in the room dedicated
6:45 am
to this cause to cause somebody some harm. now, i don't think it would be horrifically sophisticated, but they could do it. and you see these other jihadist organizations, including those supported by iran causing bad problems out there on other fronts and other things so you could make this leap pretty easily given capability and intent. i'm not going to lose any sleep about it. i would begin to worry about it in the weeks and months ahead given their level of recruitment to places like syria to their cause. >> i wouldn't be surprised that it hasn't happened yet. it would seem to be an easy approach, the cost is low. the ability to disrupt is high or the impact of disruption is high. so i've searched in my mind, why not? they're really good on the net recruiting and training, raising funds and so on but we haven't
6:46 am
yet seen disruptive attacks either networks or data or physical destruction. i don't know, and i told you everything i have confidence in. i'm going to continue to talk, however. just go ahead. it may not be the kind of heroic destruction that fits the model. they criticize us as being unheroic and unmanly for u.a.v.s and targeted killings all right. this would be the ultimate in remote creation of destruction, and maybe it just doesn't fit the style, and that's why they're late to it and that's why i'm with the chairman they're late to it and i suspect they'll get there. >> that's the retaliation against the islamic state, and the arabian peninsula. we can't hold it hostage.
6:47 am
certainly for cyber retaliation that will drive their behavior. that's why we need to be able to strengthen their networks so they don't have the incentive to attack us. our networks don't present the lucrative target they might today. >> a question about the federal government and the state government. >> federal government is working very hard in order to strengthen the resilience of government networks against attack important steps to be taken both by d.h.s. and the department of defense to harbor networks. most interestingly, state governments and state governors across the nation, the national governors association, is beginning to take this very seriously. because if there is a successful attack on lifeline infrastructures not only do we have to restore the functionality of that infrastructure, we have to deal with the physical consequences the large-scale threats to public health and safety that could occur if water and
6:48 am
wastewater systems for example, are disrupted. governors are taking this very, very seriously. it's a great opportunity for progress and for partnership of government in support to industry. >> there are a lot of interesting things happening at the state level and in some states, you wouldn't expect louisiana, for example has got a very aggressive dynamic original kind of program and what a lot of states are doing, or the governors in the rules commander and chief are repurposing national guard units and using them in a malicious status to create, to protect, dot sc or dot tx, or to protect state networks. so that's actually a nice ferment to allow ideas to be created and disseminated. >> and the state units are the most effective on the cyber
6:49 am
security front. if you look at a sampling of all our military cyber defenses. the reason is they go to work in the day and have the benefits of the private sector real time and come on weekends two weeks a year and bring it into those units. it has really been very effective. >> a couple of more. how about you. >> the proposal that was unveiled on tuesday -- thank you very much. so one of the cornerstones of the proposal unveiled on tuesday is the ability to share data about cyber threat indicators and most people in organizations know that, you know the job of identifying cyber threat indicators is the guy that does insider threat detection. so i wonder, especially general hayden, someone familiar with insider threat detection if there's any lessons there that can be applied to cyber security more generally because it seems really broad and vague and no
6:50 am
one's sure what that is, and that's something that we'll be talking about a lot more and the second question is, on a post note environment, does everyone agree that that's what we're in? and what are the other indicators of that besides just more enthusiasm on the white house for better cyber security legislation intel this week? >> so insider trading. yeah. one of the things i've seen in the shift and the fight, and there's a lot of ways of doing this right. and kind of the history of cyber defense has been defending at the criminal look defending at the firewall and to prevent penetration, and i think we've all three of us have made the case, that it's getting in and getting over it. so now, defense has got to begin to think about -- or risk reduction has to begin to think about how to manage breaches,
6:51 am
how do i operate while under attack and how do i operate while penetrated. the difference between an a player and f player is not whether you're penetrated. everybody is penetrated. the difference between a and f is the discovery of the penetration. and here, unlike traditionally defended firewall where you're looking outward trying to guess the next zero day, here the focus is not out but in. here you're looking at the behavior of your own network and looking for anomalies, looking for one of those powerful algorithms to learn normal on your network. you big your own big data and suddenly the algorithm goes oh, i never saw that before over there. no indication of a zero day or penetration. it's just anomalous behavior. and i think that's where the current technological and
6:52 am
entrepreneurial energy is and i think that's a very good thing. >> we can also do a lot better and are going to be doing better on security clearance management and making sure the people, including systems administrators, who have the keys to the kingdom are vetted in a more appropriate way. so instead of having periodic reviews of your suitability to have a security clearance once every five or 10 years, there's going to be now there's going to be continuous evaluation to make sure that you are suitable to hold these clearances. that's one of many important changes that came out of the washington and navy yard shootings, and that addresses the broader context of insider threats, including in the cyber realm. >> a post comment? >> that was just wishful thinking on my part. >> i do think it's waning. i do. >> look not snowden but the snowden phenomenon raises
6:53 am
serious questions, all right. this is not a battle between the forces of light and the forces of darkness. this is a question of a free people trying to balance their privacy and liberty with our security and safety and frankly, one of the by-products of the snowden phenomenon was simply freezing the debate, not advancing it. >> i think that's exactly right but on the insider threat before this happened, we actually put money in and chairman, we understood i'm a little f.b.i. guy so i always worry about counter intelligence first which offends the counter intelligence guys. one of the things upfront our audit capability was very inconsistent in certain places. there's a whole host of reasons for that. not all of them, most you come to the decision about making the right decision at the right time. we added manufacture money to push out this notion of
6:54 am
auditability, which makes it more difficult to do something that the n.s.a. contractor did, break in, steal stuff and run out the door. so the problem we had is there was a slow down in the program and one of the areas that didn't get the audit capability was hawaii. so you look at it and you think, well, we had it right. we resourced it right. and the capability was growing. somebody got one step ahead of the system, and by the way, that person would have known that because he did some time back in here where that audit capability was. i found that fairly interesting. >> last question anyone? please use the microphone. >> thank you very much, peter nielsen. much discussion about the sort of corrosive nature of the attack. was vandalism sort of the right characterization of the attack?
6:55 am
>> no. >> and now you're going to ask what would you have called it, and i'm not sure? vandalism just sounds like somebody spray painted a subway car, you know? and this was far more serious and i've actually had some exposure to the real effects. just on a human level. this was really traumatic for an awful lot of people. and so i -- not an act of royalty, i'm okay with that. but in a search for some other good work that was higher torque than vandalism, this is undoing the look. it really did. again, i don't know what i would have called it either but it really gave them a pass for doing something really dangerous, very destructive, and by the way the next level, again, remember, they were threatening people who were going to the movie theater and thought they were doing it through some cut-out, which was you know i feel very confident
6:56 am
in the f.b.i.'s public statement that it was north korea. i feel very confident in that piece of information. that was such a big game changer when you diminish what they actually did. i think that's not helpful to the cause. >> i think representative colt called it cyber terrorism. was it cyber terrorism? >> it was an attack on the innocent to create a political effect. that political effect is very important but it's clearly not an act of war. so what we need going forward is a spectrum of response that is we think about clearly in advance that are tailored to the kind of attack that adversaries inflict upon us. >> okay. well, thank you very much. thank you all for coming, and james. >> hi folks. one of the great folks of my job is to thank terrific people for coming and sharing their thoughts with us. before i do just one reflection, which is we do this a lot. we have a lot of meetings, so
6:57 am
you've come to them before. in my mind there's one thing that marks a great discussion and it's constructive disagreement. this town is full of lots of agreement and there are lots of insightful agreements today. it's still destructive disagreements, and that's part of the realm. the idea to bring these guys together in a public space and in a few instances in a moot way shows different ways, makes me proud of the activity. this is a great panel, and i want to thank chairman rogers stockton and all of you for joining us and it's now dark outside. mrauz. [applause]
6:58 am
>> next, live your calls and comments on "washington journal" then newsmakers with john hoeven and presidential candidate mitt romney speaks at the national winter committee meeting. [captions copyright national cable satellite corp. 2015] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org] >> if someone came in with aids, the survival would be six to eight months, which means half of them would be dead in eight months. now, if tomorrow when i go back to rounds on friday, and someone comes into a clinic who's 20 plus years old, who is relatively recently infected and i put them on a combination of
6:59 am
three drugs, a cocktail of highly active antiretroviral therapy, i could look them in the eye and say if you take your medication regularly you can live an additional 55 years. so to know from going that 50% of the people will die in eight months to knowing if you take your medicines, you can essentially live a lifespan, a few years less than a normal lifespan that's a huge advance. >> the director of the national institute of allergy and infectious diseases, dr. anthony fauci tonight at 8:00 eastern and pacific on cspan's q&a.
7:00 am
