tv Key Capitol Hill Hearings CSPAN February 24, 2015 12:00am-2:01am EST
12:00 am
on homeland security. the temporary situation does not address the threat. if someone has a national -- a natural disaster, how do they use resources to start rebuilding? we did not get into who is right or wrong. one of the things the governors are relatively good at, maybe not perfected the process, is trying to look at the big picture and say, let's look at what our goal is and work on how to get there. >> a governor did ask that question. >> what was the answer from the president? >> the president did not agree. he said he would veto the bill as written. >> do polls suggest it is a popular move to defund dhs? >> i don't think the president looks at it from that perspective. he looks at how -- he does not view amnesty. he is trying to find a way to
12:01 am
deport people who are the highest priority to leave this country and make sure there is a system of solutions that recognizes a lot of these folks are living in the shadows. i would urge people to look at the utah compact, it is online. the colorado compact. these are basic goals. i'm not endorsing one part or not another part of the president's executive order, but the bottom line is, the notion to try and make communities safer, the notion that we will try to keep close families together, that we are going to recognize the economic vitality and trying to expand our economy, that is what he is trying to accomplish. >> you were nodding your head about the filibuster. democrats are saying, why not fully fund dhs now that the administration is saying that.
12:02 am
what is your thought about continuing this fight and only partially funding dhs? >> this was a question brought up, that he might consider asking senate democrats to vote on the bill for dhs and give it an up or down vote. and then deal with immigration later. that is what i was nodding my head about. there was a discussion about that. i will mention one thing, i was encouraged when i asked the president about signing the keystone pipeline bill. i said i would be happy to stand by him as he signed it. he told me he was going to veto that. i asked if you would consider allowing the u.s. to export crude oil or gas. he said he was open to that discussion. i was encouraged that there were some areas that we could work together and that is why we meet
12:03 am
here. >> thank you. >> good job, john. >> monday afternoon, the senate failed to move forward with a bill to fund homeland security while blocking the president's executive action on immigration. that vote was 47-46 with a measure needing 60 votes to pass. after the vote and before the senate gaveled out, mitch mcconnell moved to break an impasse over funding for dhs by allowing a standalone vote against the immigration order. current dhs funding expires friday at midnight.
12:04 am
>> the political landscape changed with the new congress. not only are there 43 new republicans and 50 new democrats, and new democrats and republicans in the senate, there are 108 women in congress including the first african-american republican in the house and the first woman veteran of the senate. keep track of congress using congressional cup -- chronicle on c-span.org. it has voting results and statistics about senate's -- this is all on c-span, c-span2 and c-span radio. >> coming up next, a cyber security conference hosted by the new america foundation. first, mike rogers discusses the impact of the edward snowden leaks. then, a look at how the syrian
12:05 am
government is employing cyber attacks. later, john colin on the cyber threats posed by other countries. federal reserve chair janet yellen delivers the monetary policy report to congress thursday morning. we will have her testimony starting at 10:00 a.m. eastern live on c-span three. secretary of state john kerry testifies tuesday before the senate foreign relations committee. he will be questioned on the state department's 2016 budget request and challenges abroad including isis, russia, and iran. that is live at 2:30 eastern on c-span three. >> the c-span cities tour takes book tv in american history tv on the road, traveling to u.s. cities to learn about history
12:06 am
and literary life. we partner with comcast for a visit to galveston, texas. >> with the opening of the suez canal in 1869, sailing ships were really dealt a death blow. with the opening of the canal, coal-fired ships had a shorter route to the far east, to india, to all of those markets. sailing ships really needed to find a way to make their own living. instead of high-value cargo, they started carrying lower value cargo. coal, oil, cotton, etc. elissa found her niche in carrying any cargo that did not require getting to market at a fast pace.
12:07 am
elissa's connection to galveston is unique. she sailed and arrived here in galveston probably about 100 years from where we are standing right now, in 1883, with a cargo full of bananas. she came again a second time later on in 1880's, in 1886. it was important for galveston to find a vessel that had a connection. the fact that she was a sailing vessel was all the more important. >> watch all of our events from galveston march 7 at noon eastern on book tv. and sunday, march 8 at 2:00 p.m. eastern on american history tv on c-span3. next, mike rogers discusses data collection and what he sees as the damage done by the edward snowden revelations. this is from monday's new america foundation conference on cyber security. it is one hour.
12:08 am
>> thanks so much, everybody. >> thank you, admiral. it is a privilege and a pleasure to grill you in front of so many people. >> i am here to be grilled. >> we have the benefit today of some news, which i know you love to talk about. a story on the front page of the new york times about iran, and iran finding out in advance about -- or, just discovering a u.s. effort to continue to attack its system. and then, responding with retaliation, beginning in august of 2012, including attacks on u.s. banks. the first question i would ask is, how much of a -- how much alarm was iran able to discover this? >> i am not in a good position.
12:09 am
>> it is an nsa document. let me summarize. assuming it is true, you can also say you have no knowledge. it is a document written by your predecessor, saying iran discovered a program by the u.s. to infiltrate its computer networks and that, in part, in response to the u.s. effort iran then carried out its own wave of retaliatory attacks beginning in august 2012 including attacks that targeted the u.s. banking system. the first question, does that sound accurate to you? >> again, i don't want to, if i haven't seen -- in broad terms though, if want of a broader discussion about, so did the actions that nation nation-states taken severely to
12:10 am
-- i understand that. the united states, like many nations around the world clearly, we have capabilities in cyber. the key is to make sure they are employed in a very lawful manner. i think we saw that in the president's direction to us in terms of presidential policy directive 28, which he laid out one year ago. here is the specific framework i want to make sure you use, here are the principles. this is the legal basis. that all remains. >> let me approach it in more general terms. the point that this story raises, and let's separate ourselves from the specifics, is it a danger that a number have mentioned, the idea of making cyberattacks more costly in order to deter them. the following danger is, if you're making the attacks more costly by carrying out your
12:11 am
own attacks, are you starting a vicious cycle of attack and retaliation? and, do we see that with iran? that goes back even further. >> escalation is not something that is unique to the domain of cyber. just as we developed frameworks over time to help us address the issue of escalation in the more kinetic, traditional world, cyber is the same kind of thing. >> you believe you have sufficiently addressed it? for instance this event, are there others that give you concern that it leads us down a dangerous path? everybody is looking for ways to determine. we have seen the damage, god knows not just iran, countries like china, that these attacks can cause. we see the danger of a follow-up sort of -- are you comfortable that we have a handle on how to deter america's advert -- adversaries without further
12:12 am
creating a problem? >> the context of deterrence in the cyber domain are immature. we are clearly not where we need to be, where i think we want collectively to be. this is still the early stages of cyber, in many ways. so we will have to work our way through this. that is one of the reasons why, frankly, i am interested in forums like this. i am interested in a broad set of perspectives, many of which are going to be different from what i bring to the table. i'm interested in how we collectively, as a nation, come to grips with fundamental concepts like deterrence in the cyborg realm -- cyber realm. what is happening in the world around us, the threats are continuing to grow. >> let's look at the bigger threat. we have iran with a history back-and-forth. you have russia, a source of attacks in the private and government sector. you have china. i spent time in china dealing with us every day. you have an onerous costs to business community, the tens of
12:13 am
billions of dollars, plus, the target governments and apparently have had some success stealing secrets. people talk about the coming cyber war. when i look at that, as an observer and a reporter, it looks to me like we are already at war to some degree, a low-level war. these are attacks with real consequences, real capabilities. >> clearly, i would argue that history has shown is that you could name any crisis, you could name almost any confrontation we have seen over the last several years, and there is a cyber dimension to it. whether it is what we saw in georgia, what we saw in the ukraine, iraq, challenges associated with iso--- isis, this is not isolated. among our challenges as we move forward, if cyber will be a fundamental component of the world we are living in, and the crises and challenges we are trying to deal with, how are we going to work our way through
12:14 am
that? what we are trying to argue ways, over time, if we can get to the idea of normative behavior if we can develop concepts of deterrence that lead us to collectively get a sense of how far can we go, what is aggressive, what is not aggressive what triggers response, those are all questions of great interest. >> it sounds like you're saying we are not there, we have not defined the concept of deterrent. we have a long way to go. >> we are not mature, we are clearly not where we need to be. i don't think there's any doubt about that. >> i want to ask you, leon panetta used a phrase which i'm sure you have heard. he fears a cyber pearl harbor. what does that look like? >> the way i phrase it is, my concern is an action directed against, in my case, as a member of the united states military, an action directed against
12:15 am
infrastructure with the united states that leads to significant impact, whether that is economic, in our ability to execute a day-to-day functioning as a society and a nation, that's what concerns me. you have seen, you look at what happened with sony and with nation-states attacking u.s. financial websites, those are all things that, were it successful were our abilities to as private citizens access our funds, if there were -- if that were ever contested, think of the implications for us as nations and as individuals. >> which states are capable of carrying out such attacks? >> we've talked about the big players in cyber, nations we see active. we have talked about concerns about china. clearly, the russians have
12:16 am
capabilities. we are mindful of that. you won't see me go into, this is my assessment of every nation. >> that is two. china and russia are capable. do you find that they are, in smaller scale attacks, there was one that went through the white house computers. you find that they are, on one hand, showing off their ability, and on the other hand, finding the weak points? >> i think nation-states engage in action, in penetrating systems in the cyber arena for a whole host of reasons. among them, things you have identified. whether it be the theft of intellectual property, diff -- depending on the source, we lose anywhere from 100 billion somewhere upwards of $400 billion per year, in the theft of intellectual property. certainly, in the department of defense, it is an issue of
12:17 am
concern, as we watch nationstates penetrate our key defense contractors enable technology that gives us operational advantages as a military. >> we have a cyber audience here. i want to go to the cyber audience and give everybody a fair amount of time. if i could touch on a couple of things outside cyber. the patriot act. i want to set aside for a moment the privacy concerns, which as you know, are severe, from some quarters. >> that is very legitimate. those are legitimate concerns for us as a nation to figure out how we will strike that competing requirement for security and technology at the same time our right as citizens is foundational to our very structure as a nation. it goes to who we are and what we are. >> since you brought that up, do
12:18 am
you think that the current, for instance, metadata collection, did they get that balance right? >> i think, number one, metadata collection generates value for the nation. i believe that. it does generate value for the nation. what is it a silver bill -- but is it a silver bullet? does it guarantee that there will never be another 9/11? no. that is the criterion you want to use, it is not a silver bullet. it is one component of a broader strategy designed to enhance security. at the same time, we also realize that in executing that phone record access, we need to do it in a way that engenders confidence in our system, that it is being done on a lawful basis, with a specific framework, and that there are measures in place to ensure that nsa or others, are not abusing their access to the data.
12:19 am
that is fair and right for us as a nation. >> i would like you to quantify the value that is generated for the nation. early on, when the report -- the administration bandied about a figure. 50 plus. that figure was whittled down to a far smaller number, where the metadata itself was necessary where other programs could not have accomplished the same thing. can you identify a specific plot that, without the bulk collection, we would not have been able to identify? >> in a larger classified forum, i'm not going to do that. >> does one exist? >> but i will say this. i base my assessment on the fact that i truly do believe it has generated value for us.
12:20 am
if you want to define value as, in and of itself, can you prove to me that without this, you wouldn't have forestalled an attack? if you didn't have that, you wouldn't admit able to -- have been able to forestall it? if you use that, you could argue, why do we maintain fingerprints? if you could prove to me that collecting fingerprints would forestall criminal activity, you wouldn't do it. i would argue that that is not the criterion to use. >> don't you think this is it a higher standard for this? we fingerprint when we have a reason to fingerprint. >> if you look, for example, at the information retained by fingerprinting -- >> let me ask you this and because the reason i started the question by saying a privacy concern for a moment, because its officials from inside the national security, not industry, but institutions of government fbi and others, who are concerned that they will be --
12:21 am
lose tools that they find useful, hotel records, etc., in the battle to maintain phone metadata collection, which quoting fbi officials, they see as less important. >> to be honest i've never heard that argument. that is not a conversation that i have with the director of the fbi. we talk regularly. >> you don't, you don't think the fight over metadata could hold up, particularly in context of 215? >> is it possible? yes. my comment would be the value of this effort and the legal framework to continue it is a conversation we need to have in and of itself. so what do we think? does the progress that's currently with the amendments directed by the president -- remember, this is derived from a
12:22 am
law passed by congress. the patriot act section 215. and should congress decide, as they look at because no action is taken the authority expires in the 31st of may 2015, and they could no longer access the data and generate insight connecting action overseas between action and the u.s., let's remember, that is what broke this in the first place. in the aftermath of 9/11, if you read the investigative report, one of the comments made was hey, look. you have at least one instance, phone connectivity between one of the plotters in the u.s., and overseas. hey, you guys should've had access. you should've connected the dots. you should have realized there was an ongoing plots in the u.s. with a foreign connection. that was a genesis of the idea.
12:23 am
how can we create a legal framework that would enable us to make a connection between activity overseas tied to a known group, and activity in the u.s.? how could we take that data and see if there is a connection between overseas and in the u.s.? and how could we do it in a way that protects citizens? that was the idea behind it. i would urge us in the debate -- and it is important that we have a debate yet -- not to lose sight of what made us do it. >> what are the prospects for renewal extension? >> to be honest, this is a glad -- this is a time when i am glad to be a serving military officer. i realize, it is a complicated issue. >> if you lose it, will that greatly hamper your authority to thwart attacks? >> do i think if we lose it, it makes our job harder? yet -- yes. on the other hand, you respond to the legal framework that is
12:24 am
created for us, we at the national security agency, do not, do not create the legal framework. that is the role of the legislative branch and our courts as they interpret the legality of the laws. whatever framework is developed, we will ensure that it is executed within its appropriate legal framework. >> i want to turn again to counterterrorism. another issue. a lot of talk with the two intelligence officials they will acknowledge that terror groups have altered the way they communicate. post-snowden. that's made a difference. i just wondered if you could quantify or describe your capability? >> i would say it has had a material impact in our ability to generate insight into what terrorist groups around the world are doing. i would rather not get into specifics, because i do not want them to have any doubt in their minds that we are aggressively out looking for them.
12:25 am
they should be concerned about that. i want them to be concerned quite frankly, concerned about the security of our nation. i'm sick -- concerned about the security of our allies and their citizens. so anyone who thinks this is not i would say they don't know what they're talking about. >> you have blind spots you did not have prior to the revelation? >> have i lost capability? yes. >> how much does that concern you? >> it concerns me a lot. given the mission of the national security agency, given our footprint around the world us as a nation. we think about our ability to provide insights to help protect citizens wherever they are whether they be out there doing good things to try to help the world, whether they be tours -- tourists, serving in an embassy, whether they're wearing it -- a uniform and find himself in the battlefield, clearly, i
12:26 am
am very concerned. >> howdy respond to that? -- how do you respond to that? how do you develop new capabilities to make up for lost capabilities? >> we have to be an adaptive learning organization. as the profile of our targets change, we have to change with them. >> i would like to turn again this time, back to intelligence reform. recommendations what a bore and 25, we haven't talked about that yet. this is big news, the year and a couple months ago. >> i haven't memorized it. >> neither have i. one was splitting cyber command military leadership, civilian leader of the nsa. is that a problem? >> no. i would argue -- a specific point as many of you may be aware, i am both the command of
12:27 am
the united states cyber command, so an operational organization within the department of defense, who is charged with defending the departments networks as well as if directed defending critical infrastructure in the united states. that's my u.s. cyber command role. i'm also the director of national security. in that role, two primary missions. one is foreign intelligence and the second is information assurance. given the cyber dynamics, information assurance is becoming more important. about a year ago now, discussion about, should you separate these jobs? you have an operational individual running cyber command and an intelligence individual running nsa. should those be separated? the decision was made at the time, and when i was asked, my comment was, given where u.s. cyber command is in its maturity
12:28 am
and its journey, it needs that capability of the nsa to execute its mission and defend critical infrastructure and defend our country. in the same way we have seen in the lessons of the wars of the last decade, integrating these seamlessly generates better outcomes. >> and the president has obviously come to that conclusion. do you think the pressure is off, to some degree? you remember the pressure. this was when your predecessor was in the hot seat. this was an enormous focus inside and outside washington. we had this deadline coming up june 1. do you feel the pressure is off? the worst fears and concerns of -- have either been allayed or forgotten? >> i wouldn't say forgotten but i think we've gotten to a place where people say ok, so now we have seen this work under two different individuals. we seem to be comfortable of the construct is workable, generating value.
12:29 am
better outcomes, if you will. but if that were to change, we would clearly have to look at it again. >> thank you very much. i'm still going to ask you questions i want to give folks a chance to ask some question as well. i know we have a microwave -- a microphone coming around. and also know we have questions coming in via social media. right here in the center of the audience. thank you, by the way. >> admiral, thank you for coming. we were talking about the sony attack earlier, and we heard that justice department is investigating this criminal matter and we've seen sanctions from the treasury department. what exactly is your role in this? not just identifying this but do you see any action that you intend to take or have taken in response to this? >> i'm not going to get into the
12:30 am
12:31 am
look at our time the potential of additional options for different applications and capabilities, that the positive side i think is the immediate actions remember the hack, that instructed these occurred in late november. this is unacceptable and that we don't want this to happen again. that seems to have had at least in the near-term the desired effect although i would be the first to admit as i said coincidentally just a couple of weeks before i am testifying in the house, i said look, i think it's only a matter of time before we see destructive authentic action taken against critical u.s. infrastructure. i believe, sadly in some ways, that in my time as commander of the u.s. cyber command the department of defense would be tasked with attempting to defend the nation against those types of attacks. and realize it's against a motion picture company. >> during this one phenomenon with regard to north korea is that china has to some degree, undron being alarmed by some events inside the political structure there. how much help did you get from china if at all knowing the internet is routed, north korea's internet is routed via china.
12:32 am
did they help? >> we reached out to our chinese counterparts to say this is a concern of us it should be a concern to you. that in the long run this kind of destruction, destructive behavior directed against a private entity purely based on freedom of expression is not in anyone's best interest, this is not good. they were willing to listen. we will see how this plays out over time. the positive side were able to have a conversation. >> was the u.s. behind the retaliatory attack on north korea? [laughter] >> let's make some headlines. >> not going to go there? >> not going to go there. >> did china offer any material help other than listening to? >> i didn't work that specific aspect of the problem. my knowledge of the specifics -- [inaudible] >> ok. over here. where's the microphone? sorry. try to get to the other side of the room. >> good morning. david sanger from the new york times. good to see you. >> david, how are you? >> good. >> i apologize i did not read "the new york times" today. >> only my mother reads me
12:33 am
that early in the morning. my question to you goes to the question of encryption something that has, by recently. useful in the fall when apple turned out a new operating system for the iphone 650 basically put all the encryption keys into the hands of the users and said if they get a request either a legal request all they could really handle hand over from the phone itself would be gibberish. you would have to go break the code. they have made it pretty clear in recent times even with the president was out in california last week that they plan to extend that encryption eventually up into the cloud and so forth. and we've heard the fbi director, james comey, say that this is creating a dark hole that is going to get in the way of their investigation. we haven't heard very much from the intelligence community on
12:34 am
this. i wonder if would talk a little bit about this whole phenomenon of basically handing the keys to users, how it would affect your own ability, whether or not the computing capability are building up to its ideal to try to break that, and with the solution she might have? >> broadly, i share director comey's concern, and i'm a little perplexed is the wrong word but most of the debate i've seen is that it's all or nothing. it's either total encryption or no encryption at all. part of me goes, can't we come up with a legal framework that enables us within some formalized process, a process i would argue me the nsa or the fbi would control, to address within a legal framework valid concerns about. if i have indications to believe that this app is being used for criminal or in my case foreign intelligence national security issues, can't there be a legal framework for how to access
12:35 am
that? we do that in some ways already. if you look at, for example, we have come to the conclusion as a nation that the exploitation of children is both illegal and something that is not within the norms of our society. so we have created both a legal framework that deals with things out there that would pass this photography and imagery that reflects the imagery of the exploitation of children. we've also told compass can for example, and you can screen comment by the, that's unacceptable. that it violates not just a law but a norm for us as a society. so from my perspective we've shown in other areas that through both technology, a legal framework and the social compact that we've been able to take on something like this. i think we can do the same thing here. i hope we can get past this, well, it's either all encryption or nothing. we've got to find some of the levers we could create that would give us the opportunity to recognize both very legitimate concerns and privacy which i
12:36 am
share as a citizen, slows i think the very valid security concerns about look, if these are the paths that criminals, foreign actors, terrorists are going to use to communicate, how do we access this? we've got to work our way through this. >> i walked around the other side of the room. thank you. there have been reports from cybersecurity analysts and the snowden documents that the united states is engaged in spyware for purposes of surveillance. how significant is spyware to the nsa's surveillance capabilities? >> well, clearly i'm not going to get into validation. the point i would make is we fully comply with the law. it is provide a very specific framework about what is acceptable and what is not acceptable. one of the guiding principles which keep in
12:37 am
mind when we're conducting our foreign intelligence mission and we do the foreign intelligence mission operating within that framework. that's the commitment i make as director and with a legal frame and we will follow it. we will not deviate from it. >> bruce schneier, we haven't met, hi. your other question is not a legal framework that's hard as technical framework. that's what makes the problem hard. my question is also about encryption. it's a perception and unreality question. we are now living in the world where everybody attacks everybody else's systems. we attack systems. china attacks systems and i'm
12:38 am
having trouble with companies not wanting to use u.s. encryption because of the fear that nsa, fbi, different types of legal and surreptitious access is making us less likely to use those products. what can we do, what can intelligence community do to convince people that u.s. products are secure, that you are not stealing every single key that you can? >> first, we don't. number two, that's the benefits of a legal framework approach. look, with specific measures of control that i put in place to forestall that ability. because i think it's a very valid thing to say look, are we losing u.s. markets? what's the economic impact? i certainly acknowledge that this is a valid concern to i iges if that's why the combination of technology, legality and politics, if you get to a better place than where we are now. realizing we're not in a great place now. >> it's not just encryption but it leads to high-tech executives, the talk by tens of
12:39 am
billions of dollars in business loss, whether social media, cloud computing, et cetera. should that not be part of the cost-benefit analysis of something like phone metadata collection, et cetera? frankly it's not really a question for you. i'm going to ask you to anyway. it sounds like your technology that broader impact have to be part of the decision. >> i think we need to acknowledge there is an impact but i would also say look, let's not kid ourselves. there are entities out here taking advantage of this to make a better business case. there are entities out there using this to create jobs and economic advantage for them. let's not forget that dimension at all. even if we acknowledge it is a problem. >> just to move the microphone around, do we have a question from someone from the media? do we have a social media question at all?
12:40 am
on, we will wait a little bit. >> thanks. patrick tucker with defense one. a couple of reports come out in recent weeks about isis using the dark web to raise money for bitcoin, the dark web basically a bunch of anonymous computers come a bunch of anonymous users are able to find each other. can you speak a little bit to the problem in terms of intelligence collection of the dark web, what does it mean to you and how are you going about time a solution to some of these, these really big problems of how to find people using that you want to be found that are effectively using it for fund-raising? >> well, clearly i'm not going to get into the specifics but let me just say this. we spend a lot of time looking for people who don't want to be found. that is the nature in some ways of our business.
12:41 am
particularly when we are talking about terrorists and talking about individuals who engage in espionage or other activity, of our nation, or that of our allies and friends but in terms of what are we trying to do broadly, i mean, first i would acknowledge clearly it's a concern. isil's ability to generate resources, funding is something worth paying attention to. is something of concern to us because it talks about their ability to sustain themselves over time. they talk about their ability to empower the activity we're watching on the ground in iraq, syria, libya, other places. so it's something we're paying attention to. it's something we're also doing more broadly than just the united states. this is clearly an issue of concern through a host of nations out there. i think it speaks to exactly what, this is an area where focusing attention on. >> as we move across here, just to follow on the question regarding isis am because when we speak to counterterrorism officials, they talk about isis supporters here in the u.s. different level of the problem
12:42 am
that you have in europe, and certainly in the middle east. since the web is the principal form of radicalization for a lot of these, particularly lone wolves, folks who travel, it must be pretty easy to track, is it not, if it's happening on the web, et cetera, can you identify pretty quickly and easily someone who was going down that path? >> i mean, it's not quick and easy. renewed out at the national security agency we are a foreign intelligence organizations agency, not a domestic u.s. law enforcement or surveillance organization. so when it comes to the home-grown kind of come in the u.s., that's really not our focus. our focus is on the foreign intelligence that i'm attempting to find a connection overseas. and then quite frankly partnering with fbi and others to see if we generate insight about activity we're seeing overseas, hey, how does it tie into the activity that we
12:43 am
may a minute able to detect in the united states? as my partnerships are so important because we are a foreign intelligence organization. >> it's not as easy as it sounds but -- >> it's not easy but if something would pay attention to, something we track, where we have partnered close with the fbi. we have seen this, it may be a u.s. connection, it now becomes a law-enforcement question. >> right here. >> as director of nsa and united states cyber command, do you think we are positioned effectively to address the cyberspace as a new domain? and how does that differ from land, air, and sea with the think we need improvements and in what has been? >> so do i think we're where are where we ought to be? no. part of it is just my culture. you're striving for the best striving to achieve a check to. you push yourself. i would say we're in a better
12:44 am
position in many ways than the majority of our counterparts around the world. we put a lot of thought into this as a part of the u.s. cyber command, for example, will celebrate our fifth anniversary this year. so this is a topic that the department has been thinking about for some time. in terms of what makes this challenge and what makes it difficult, is let's look at this from defense. one of the points i like to make is, so we're trying to defend and in the show should have been built over decades literally and most of which was created at a time when there really was no cyberthreat. that we're trying to defend infrastructure in which redundancy, resiliency and defensibility were never designed here. it was all about building a network that connects me and the most efficient and effective way with a host of people and
12:45 am
let's be too much. you didn't worry about what people -- when we designed concerned that people's ability to penetrate, to manipulate data, to steal data really wasn't a primary factor. so there's also a component in the department is looking to change our network structure something that those are really coordinated statistics but so that's a chance to we are trying to work our way on the offensive side. kind of goes with one of the questions that was asked, how do we do this within a broader structure that jibes with the law of -- remember, when you look at the application of cyber as an offensive tool, it must fit within a broader legal framework. the norms that we have come to take for granted in some ways in the application of kinetic force dropping bombs. we've got to do the same thing that clearly we are not doing it. >> this gentleman has been patient over here.
12:46 am
>> admiral, i'm a retired navy cryptologic officer among other things. >> a fine man. >> i was a mket with another colleague that we were having the same discussions 20 years ago. there has been progress. there's cyber command, there's the fbi. but why is it taking us so long to grapple with this compared to, say, the advent of nuclear weapons and that the national security act of 1947? >> my first comment would be, i got was a cryptologist 20 years ago i don't remember having that conversation. in terms of, say the last part about again. why has it taken so long, right? >> i do not want to minimize the progress, and your position idea of progress, but it is taking us
12:47 am
a long time. if it's not 20 years, then it's 15 and that convicted much more compressed timescale for other cataclysmic changes in national security in the middle of the last century. >> take for example, the nuclear example. we take for granted today the nuclear peace as something with very established norms and he become well-established principle of deterrence. my comment was did how long -- we take it for granted now because we look at over almost 70 years since the actual development of the capability. we take it for granted now but if you go back in the first 10, 20 years, we were still debating about what are the fundamental concepts of deterrence? this whole idea of mutually assured destruction. it didn't develop in the first five years, for example.
12:48 am
all of that has taken time. cyber is a different. i think among the things that complicate this is the fact that cyber really is unsettling in terms of the way we often look at problems but if you look at the military can we often will use geography. it's we have a center command one at the european command, a southern command. cyber doesn't recognize geography but if you look at the attack from north korea against sony pictures entertainment, it literally bounced all over the world before it got to california. infrastructure located on multiple continents in multiple different geographic regions. cyber also doesn't really recognize this clear delineation that we as a nation have generally create overtime about what's the function of the private sector, which the function of the government, and how does this whole national security -- cyber tends to blur that because the reality is, for example, if i go to work and i'm using at work literally the fact
12:49 am
same software, the same device i'm using at home on my personal. it just has blurred the lines so that makes it very, very complicated. but i share your frustration in the sense that it's not as fast as i wish it were. but it isn't from a lack of effort and it's not from a lack of recognition. [inaudible] >> thank you, admiral, for coming. i'm with yahoo!. it sounds like you agree with director comey that we should be building defects into the encryption in our products so the u.s. government can decrypt -- >> that would be your characterization. >> i think bruce schneier and
12:50 am
all of the best public cryptographers in the world would agree that you can't just build back doors. it's like drilling a hole in the windshield. >> i to world-class cryptographers at the agency. we agree we don't -- >> ok. we will agree to disagree on that. if we're going to build defects, backdoors or golden master key for this government to think we should do so, we have but 1.3 billion users around the world should we do so for the chinese government, the russian government, the israeli government, a french government, which of those we give backdoors to speaks on that point, the way you frame the question, response be deeply we should build back doors for other countries? >> my position is i think that one this is technically feasible. it needs to be done within a framework. i'm the first to acknowledge that. you don't want the fbi and you don't want the nsa. what are we going to access and what we going to not access?
12:51 am
that should be for us. i just believe that this is achievable and will have to work our way through it. i'm the first to acknowledge there's a national relation to this. i think we can work our way through this. >> so you do believe that they wished build those or other countries you think that pass laws? >> i said i think we can work our way through this. i said i think we can work our way through this. >> ok. nice to meet you. thanks. [laughter] >> thank you for asking the question. is going to be some areas where will a different perspectives, and it doesn't bother me at all but one of the reasons why quite frankly i believe in doing things that is, i say look there are no restrictions on questions but you can ask me anything. because we've got to be one as a nation to have a dialogue. this simplistic characterization of one side is good and one side is bad is a terrible place for us to be as a nation. we've got to come to grips with some really hard fundamental questions.
12:52 am
i'm watching a risk and threat to this while trust has done that. no matter which are due on the issue is or issues. my own, would be that's a terrible place for us to begin right now. we've got to figure out how we can achieve that. >> for the last technological knowledge but which would only describe me in this room, just so we're clear, you're saying it's your position that encryption programs, there should be a backdoor to allow within a legal framework presumably approved by whether the congress or some civilian body the ability to go in a backdoor? >> backdoor is not the context i would -- when i use the phrase backdoor, that's kind of shady. why would you want to go in the front door? we can create a legal framework. this isn't something we have to hide per se. you don't want us to know about
12:53 am
it. but i think we can do this. >> you want that capability. i do want to get to the back but do we have a social media question? [inaudible] >> fantastic. we have 13 minutes to go. i see you in the back so we will get there as well spent first i would note that according to the internet and some of our fine profile twitter users we are now 20. so newamcyber is now trending. >> what are we in relation to birdman? [laughter] >> ok. so here is a selection. based on the previous comment about backdoors for russia and china, christopher, by the way i may pronounce half of these things incorrect, the question is, are foreign governments spying on cell phones in washington, d.c.? are phones secure, and if so what could be done? >> i did not hear the beginning in
12:54 am
are foreign governments spying on our cell phones in washington, d.c.? are phones secure, what should be done? >> do i think there are nations around the world attempting to generate insight into what we're doing as individuals? i think the answer to that is yes. the second question was do you think -- >> what do you think we should do about it? >> well, one thing, remind people is don't assume that, there's a reason why we have unclassified system in this department. there's a reason we have classified systems and unclassified systems. so for dod users i was reminded will, we are potential targets make sure you're using a cell phone, for example, in an appropriate way just as i make sure i use mine. otherwise the standards of encryption we talk about, i'm not arguing encryption is a bad thing. nor will you hear me say security is a bad thing but i'm a u.s. person, a u.s. citizen. i use cell phone. i use a laptop.
12:55 am
i want those systems to be every bit as secure for myself and my children as you do but i as you do to understand figure out how do we create a construct that lets us work between two very important viewpoints. >> ok. so the question i'm sure came partially out of the concept of encryption of commercial cell phones. so on that point from russell thomas, what can be done institutionally to make collaboration between the private sector and the government marginally better on cyber sector be? >> clearly i would second the thought. i think clear this isn't a significant improvement. i think on the government side we've got to simplify things. one thing i constantly tell my counterparts is look, let's be honest, if you on the us and looking in, india and cybersecurity, it is a complex. we've got to simplify this. we've got to make it easy for our citizens, for the private sector for us to interact with each other, to ultimate ghetto subsidization we can share
12:56 am
information real-time in an automated machine to machine way. given the speed and complexity of the challenges we're talking about in cyber that's where we've got to get and put got to work our way through how we going to do the in the u.s. government homeland security the department of homeland security 30 place a central here. our capabilities support demand of u.s. government partners in our attempts to do that. >> on that topic as a journalist i've asked the nsa whether my cell phone communications have been monitored in any way. i submitted through proper channels i got a response. we appealed. and we got a stock response. i'm a journalist, as part of the work i spoke to people who i would imagine you might want to listen to. why as an american, a law-abiding american, why won't the nsa tell me if you've looked at my phone communications? >> first, if you ask me to record, i don't know. >> but it's a policy because they told us the same thing. >> look, it is a matter of law.
12:57 am
to focus collection against the u.s. person i must get a court order. i have to show a valid basis for why we are doing that. is there a connection with a foreign nation? i.e., the u.s. person is acting as an agent of a foreign country. yes, that does happen. is that u.s. person part of a group, let's say isil as an example, was attempting to do harm bikes i have to show a court a legal basis for the why. and it can't just be we don't like journalists. >> i wouldn't -- >> that's not a valid legal reason. >> but if that were to happen you would've had to that a court order to put that something you wouldn't tell the person who wasn't told? >> no. >> i have one more -- >> then we will go to the back. >> so from john, the question is based on last week's announcement or research that they've
12:58 am
announced there was news that firmware hacking. has the firmware of routers or repeaters been similarly hacked? and if so, with this compromise the architecture of the internet? >> my quick answer would be no. but in terms of, i go to the first part. i'm aware of the allegations that are out there. but i'm not going to comment about them here but in terms of based on what i've read, does that lead me to believe that the internet somehow is compromised? no. >> thanks very much. >> back of the room on the left. >> mike nelson, a professor of internet studies at georgetown and recently started working for a company that protects millions of websites around the world. i was at the cyber summit the white house did a week and a half ago and one of the topics you kept hearing was about how american companies are very uncomfortable sharing information with the u.s. government if they cannot share
12:59 am
that same information with dozens of other governments. i would be curious to know how we can decide which government are ok to share with and how we deal with the fact the belgians and the french and the turks and everyone else wants to know what we are sharing. our customers want to know that, too. >> it is where legal framework becomes very important. i certainly understand. do not get me wrong. that idea is not unique to cyber, for example. you name the business segment and just because we share some thing internally does not mean we do so automatically everywhere around the globe. i would argue cyber is not exactly in this regard, nor is the challenge. the private sector needs to cyber. -- needs cyber.
1:00 am
>> there is one way in the back. we have to be geographically fair. >> listening to the conversation today, one thing that is fairly clear, we need to decide what the social norms are around policy and legal framework. listening to you all, the social norms are not worked out yet. what is the process by which we get the dialogue going so we can figure out what those norms are which have to proceed figuring out what the policy and legal frameworks are? >> i think interaction like this are part of the interaction with our elected representatives. they are the ones who create the legal framework. so i encourage all of you, all of us citizens to articulate our viewpoint to help them understand the complexity of this issue and help them understand just what our viewpoints are as were trying to
1:01 am
work our way through this. the other thing, at least for me, i'm trying to do outreach as well in the academic world. one of the things i'm struck by is, and to go back to your question, if you go back and look at some of the foundational work that was done in nuclear deterrence theory, for example much of that back in the '40s and '50s was done in the academic arena. much of the original writing kissinger and others, there was a strong academic focus on so how are we going to understand this new thing we call the atom bomb? or the hydrogen bomb? i'm trying to see is there a place in the academic world for the kind of discussion? how do we get to the selective of a social norm and what are we comfortable with? >> way back.
1:02 am
>> thank you. sputnik international news. question -- >> leeann? >> leandra. >> i'm sorry. i could not hear you. i apologize. >> i'm with sputnik international news. russian press. so you've addressed the report and said you wouldn't comment. there was another report on the nsa gchq hacking encryption keys in sim card provider. can you respond to that? i mean, you have said that we need to have a discussion, a public discussion, so how would you get that started by addressing these allegations speak with the first comment -- >> i've heard these allegations are some period of time. i don't think they're unique.
1:03 am
and again my challenge as an intelligence leader is even as we try to have this dialogue which i acknowledge we need, how do i try to strike the right balance between engaging in that broad dialogue and realizing that compromising the specifics of what we do and how we do it provides insights to those that we're trying to generate knowledge, who do harm to us as a nation. so as a general matter of policy i just said look, not in an public classified forms get into the specifics of the very specific things like you reference. i'm not going to chase every allegation out of there. i don't have the time. we need to focus on our mission but making sure we do it within that legal and authority and policy framework. that's the promise i make made to all of you. that is what we do. >> when private companies make these allegations against you, can you address that impact
1:04 am
generally? >> i'm not going to get into the specifics. >> we have time for one more sensitive cyber conference and we are trending. do we have another one on the web? [inaudible] how about right here in the front? this will probably be our last one. >> joe marks from politico. i will not ask you about encryption. wanted to ask about standing up cybercom. you said earlier you think at this point cybercom and nsa had to let people in the service have said a lot of the process of building up cybercom has been shifting people already are working in the field over to cyber mission forces. are you concerned that you are not bringing enough new
1:05 am
people, new cyber experts into the military and your take away some needed capabilities ought to be in the services? >> the short answer is no. i say that, remember in the job before this i was also in my previous job before these two, i was a navy guy. i was the service guy responsible for developing the navy's cyber force. i've lived in that world about how you man, train, equip. i find myself as a joint command with global responsibility across the department. our ability to recruit over time i was concerned about how we can retain them. a decade later collects i was pleasantly support -- a decade later, i was pleasantly surprised. i was glad we were able to gain
1:06 am
access to the people we need. we will watch this closely overtime to see if that changes. there is no doubt about that. >> final thoughts? >> thank you for your willingness to engage in a discourse. there are important issues to us and we are able to do this today without yelling and screaming at each other or pointing at each other and making accusations against each other. we have to as a nation come to grips with what is the balance here and there is going to be a lot of different perspectives out there. i understand that. i am constantly reminding our workforce be grateful that you live in a nation that is willing to have this kind of dialogue. that is a good thing for us. are there tensions along the way?
1:07 am
yes. it's not unique to cyber and it's not the first time we had challenges like this and it won't be the last. but if we are willing to sit down and have a conversation, we can move where we want to be. with that, i thank you very much for your time. [applause] >> on the next washington journal, north carolina congressman, walter jones discusses a new authorization for military force being debated in two house committees. texas representative, sheila jackson lee, looks at immigration issues and the current gridlock. after that scene in money talk about the state and local money debt collection practices. washington journal is live every morning at 7:00 eastern. you can join the conversation with your phone. your comments on facebook and twitter.
1:08 am
now more about cyber security issues including how the syrian government is targeting people and the everyday risk to information. this is one hour and 10 minutes. [applause] >> good morning, everyone. it is cold. you have to go through. so what is it like to get hacked for your beliefs? we go through why i am here in the u.s. today. back in 2011, i used to live in the beautiful damascus. at that time the movement -- a
1:09 am
lot of people they joined the movements when they were peaceful. they were really aware and how our government was really strong. they have regarding civilians and control for the internet's and infrastructure. the syrian government used to block -- only the people with good background, they had access. in a very smart movement in march 2011, the government moved to block all of it. these people joined the social networks and it became a really huge movement. it was good for the government because they were collecting information, but it was not only for collecting information. it was not only for social
1:10 am
engineering, but it goes deep into cyber attacks. back to june 2011 in old damascus, i got the chance to meet a journalist that came to film a documentary about the movement. sean mcallister worked for channel four. he asked me if he could join the training back at that time to teach people how to protect themselves online. he is telling me that and there was an agreement between us -- i will allow you to film this but you have to encrypt your data. let me teach you how because you are here as a tourist. they can arrest you for any matter. i taught him how to encrypt.
1:11 am
he is a filmmaker, he knows how to put a blur on our faces. he filmed a lot of people for the movie. very important sources. october 18, 1 a.m. night, i received a message from a mutual friend. sean mcallister got arrested in a coffee shop. i have to go hide myself because they arrested a lot of people. they got his storage is an backup. they got access to everything. he did not encrypt anything and it was like underestimating for the power of the government back at that time. in a very famous coffee shop in damascus, he was sitting in having conversation with other guys and both of them got arrested. he is still in jail until today.
1:12 am
she was arrested for three months and they released her and they removed her from the country because she is not syrian. if you're talking that cybersecurity for activists, actually it is important to know that technology today is really helping. technology is playing two roles and there are very to the important rules to it is connecting people to the other side a lot of technologies that they are helping governments to accept information. i believe now in the new modern movement governments get access more to the information than before. a lot of companies, blue coat which is a u.s.a. company, i mean, it was the main provider for technology for the syrian government, which allowed the government to get access, even to know the encrypted data that we were transferring between, transferring in syria. for example, a very simple face
1:13 am
recognition technology that facebook uses, imagine that technology are actually in the hands of the syrian government how powerful that can be. today, isis, i don't know if you've heard, isis -- between assuring government which they started developing malware after six months of their social engineering. isis started with the malware recently and here they are, very active. they have access more than the syrian government because they're not under sanctions. as most of them have formed or passports. -- as most of them have foreigner passports. so, here we are. i moved to the u.s. it's a group of engineers trying to connect people on the ground with technology makers here in the u.s. in different places. explaining to them that this
1:14 am
technology is good to use but you have to improve this technology to make it better to help people. at the same time we are trying to protect people on the ground by teaching them. i just want to mention it's not only syria. it's half of the world that's been ruled by governments like the syrian government and many other governments. so today i can see the threat is not only, they are not only threatening syrian people but threatening everybody outside. we have seen recently how isis was active online at the same time the syrian army was active online. technology is so fast. i see a lot of growing up in a technology that at the same time i see there is a missed connection between all of these departments. that's what led us to problems that we face in syria. so i hope conferences like this event, like this will bring people from different places of
1:15 am
the world and understand better. thank you so much. [applause] >> many thanks. i would like to invite the first panel to join us on stage. [background sounds] >> good morning, everyone. my name is seeta peña gangadharan, i'm a senior research fellow with new america's open technology institute. for the past three and a half years i've spent a great deal of time working with groups and researchers on the topic of the
1:16 am
digital divide. and today's discussion entitled "is cybersecurity the next digital divide?" will have us thinking about the concept of cybersecurity in a more everyday context. what does the common person experience and think about in relation to digital safety and security? it's not often as anne-marie slaughter was mentioning, that we use this term in relation to the potential for misuse or access to information. my information as it transits from one person to another. in addition to thinking about the common person, we will spend some time thinking about
1:17 am
society's most marginalized members, people who don't have access, not just a technology but to many basic needs. and we're going to do that by engaging three panelists who have thought long and hard about what it means to be secure, how to engineer a design for security, and what's at stake. joining us are tara whalen staff privacy analyst google and nonresidential fellow at the stanford center for internet and society. seda gurses, a postdoctoral fellow at new york university. and daniel kahn gillmor, technology fellow with the aclu speech privacy and technology projects.
1:18 am
all of you have a background in computer sciences, computer scientist by training, and have been involved in policy debates thinking about security and privacy. so i want to dive right in. as i mentioned, i spent a lot of time working on issues of the digital divide, looking at the long-term unemployed recent -- recipients of public assistance, typically older adults, perhaps individuals who have limited english thinking -- english-speaking skills, low levels of literacy. for example, and low access to the internet. for example, the national telecommunications and information administration reported last year that 30% of households in america still do not have access to the internet, access to high speed broadband.
1:19 am
are these individuals who are on the quote-unquote wrong side of the digital divide, are the more secure because they are not connected to digital services or digital infrastructure? >> well, so access to the internet and broadband is only one piece of the puzzle in terms of connection to the digital infrastructure. many of the people who are in these households most likely have mobile phones, and certainly surveillance can take place on the mobile phone network as well as the internet. in terms of people being more safe because they don't have internet access, i think there's surely no guarantee there. and for the population that you mention, people who are in
1:20 am
positions of employment, people who have other demands on their time, often things like a mobile phone that has to be on all the time and survive some level of tracking and other kinds of surveillance concerns, they simply they have to submit to them in order to go about their everyday life. so the lack of access to internet itself i think is not doesn't provide any sort of security guarantees for those people. >> seda or tara? >> i could add also people who want to get themselves involved, they want to build a group to get -- and being connected help you build a kind of group. you were not only able to put much of which are vital but you can have -- information was to be put on about you. it may be harder for you to become engaged with the broader community which doesn't help with your security as well.
1:21 am
>> maybe it's interesting in addition to the digital divide make a distinction between surveillance divide and the privacy divide in the sense that some communities are more likely to be subject to surveillance regardless of whether it is based on the devices or surveillance of the community, cameras and the police, and i think we know from studies that women are also more likely to be subject to surveillance or harassment online. so i think there's a divide as to what surveillance means to different communities. there's a second divide into the privacy divide in the sense of who has access to an understanding of what it means to protect their privacy and to claim the rights with respect to privacy. i don't think these groups necessarily overlap. >> so we will come back to that idea of your community connections and security, but i actually want to ask if you can describe to me what does it mean to be secure? if i'm walking into a public library and speaking to a group of people who haven't accessed technology very frequently, or on their own terms, what does it mean?
1:22 am
>> so, i think there's some basic things that you would like to have for communication security like making sure that your communication is only readable by the person who sent it. acting anonymously, being able to be part of communities that are not necessarily under direct surveillance by an adversary. all of these sort of things are ways to think about securing your communications and the communities that you live in. not just the individuals but also communities. technologically, provides encryption, anonymity services but it also has to do with sort of behavioral patterns, patterns of thinking about where are the
1:23 am
two forms of surveillance like seda mentioned, where those show up in terms of the other pieces of surveillance that you may not be thinking of. >> is that your same take on what technical security means? >> you have done some great work to show that the phones are absolutely insecure, and there's been a great failure in the market of the parties responsible for getting the phones to us to make sure that they are secure and not just making us vulnerable. in fact, he said, for a lot of communities their only access to the internet is going to be through the phones, which actually makes them more vulnerable to these kinds of security weaknesses that are embedded in our current system of information. but i think we need to maybe take a wider look at what it means to be informationally secure. i think that one thing is to make sure that the data that emanates from the individual is
1:24 am
somehow secured through the phone or communications, possibly using encryption, make sure that the eavesdropping. anonymity means they can use services without necessarily identifying themselves. i think we need to go beyond. data breaches is also a matter of your technical security, and the companies that have breached databases should be reporting back and letting the individuals know, and i think there are serious concerns with some of the new information sharing legislation leading to let's say removing some of the liability and what the impact of what that will be on these communities. i think information security is also being informed about how your data is collected and having the choice to use services without having your information collected. and i think it's also a lot about how information is used to profile individuals or used to let's say design their
1:25 am
environment. what we see right now is a lot of data mining and data being used as an access to truth and a way of making decisions in policymaking. data becomes kind of the lens through which we look at the world, but we know that especially for communities that don't have a good representation, that the impact of data mining on them could be very different than on those communities that we have a better understanding of what the data points are, what they mean, what they stand for. so there's a different impact on different emerged that we are not even able to properly articulate it. i think this is also part of technical security. >> if i could add just a little on to it, about the impact on communities. so you talked about people unemployed, so the information security that plays a broader level of security i think in people's lives for things like
1:26 am
job security and physical security, the information about you for your communication, and maybe think you put on a social network that you did know how to configure to allow the groups you want to see certain information see it. this can go beyond just as information into your broader lives. a strong impact on someone who is in a marginalized community. >> so it sounds like what you're talking about is that technical security is really not sufficient to think about security among vulnerable communities. >> it's a precondition. having a device that apple insecure which her bones, you can talk about that in detail maybe later them is basically a bad precondition for having anything about that. so it's a precondition. >> let's actually talk about that now. what needs to happen to the technologies, the devices themselves?
1:27 am
you know, what constitutes a secure mobile phone? >> i don't know that we have one yet. >> so in your ideal world what does it look like? >> well, the issue is not just the devices so that the network is connected to. and so to save we can make a secure has hesitant if the handset is build the networks in such a way that allow access to one group of people that think are the good guys and simultaneously keep out the actors that we might think are the various. to these were quick to have networks that have security
1:28 am
built in at the level of the way we define them. -- it is not possible to engineer surveillance mechanisms. to allow just the good guys to surveillance. you cannot build a network that allows access to honorable people that we think are the good guys. we need to have networks that have security built in at the level the way we define them. >> so that's interesting because
1:29 am
when i thought about the question of making cybersecurity more accessible to members of low income communities or vulnerable populations, the thing that immediately comes to mind is the question of usability, right? so i have spent time in the field where i'm observing people in the classroom, usually older adults, again, someone, you know, that has limited language, english language skills, who spends -- someone who spends at least three classes literally trying to figure out how to drag the mouse from one side of the computer screen to the other right? so that's the first bit. the second bit, usually the last five weeks of the class, is in understanding what in the world is a username? and the password.
1:30 am
and so what i've seen is, you know, just like this complete cognitive dissonance as to what does it mean to have an identity online, you know, people are definitely choosing insecure passwords, something that is easy to remember. and if you have low literacy skills or limited english skills, you're going to pick something that is much easier to remember that a computer could decipher quite easily. you are more than likely sharing your password and username with other individuals because you've not done this before. and so usability, i mean, it seems like an obvious thing to really focus on. i guess i am hearing that's not -- >> i think we shouldn't pit usability with secured
1:31 am
infrastructure against one another. i think we need both. for me to say that the infrastructure needs to be built in a secure way is not at all to say that we should discard usability. i agree with you this is sort of a concern. but like we have usable tools like mobile phones that people understand and learn how to use, people who have a low technology literacy. the fact of usability doesn't solve the security problem. >> interesting. >> seda or tara? >> it is a subject near and dear to my heart. usability, it is important i say obviously i agree with daniel, it comes down to a matter of priorities as to what things we focus on. these are very hard problems but i think some of the issues we're still grappling with come with a large number of users with this background levels of expertise
1:32 am
and people of disabilities questions around age, literacy and all of these issues come into how well are we serving our user population but we are working on it. i put a lot more discussions in the last or so and we've been hearing this talk about a lot more so i'm hoping that or there are more people were prepared to work on this issue, work on the research side, work and putting money into initiatives. a few recently i guess security and was the reset it did something. they put together a set of tools for people that were supposedly easier to use. so it was an effort shall we say to give people a set of tools that there identified as easy just to they did have to go in the world to figure out things themselves. so i'm hoping we cracked some of these problems but they are difficult or even something like the certificate has been issue for what these people understand
1:33 am
things break. it's difficult to explain nuances in which -- is this a risk? i'm not sure. what went wrong? i'm not entirely sure. how much information we give you see to make an informed decision? these are difficult problems and there have been incremental steps towards improving things and we haven't actually cracked this. ideally you wouldn't end up in a situation where a person can make this decision but we all know systems are not perfect and they break. we need to support people when things break down. >> there's a very hard word to pronounce that hopes to analyze this problem it was picking up and it's called responsibilization. >> i agree. >> in very, very short description it's about encouraging individuals to manage the risk themselves and increasingly asking individuals to manage their
1:34 am
risk. this comes as a result of organizations, companies, governments streamlining their processes most likely potential information systems which incurs certain risk but these risks are not taken over by the organization but externalized to individual users. so what we're doing, for example, is still collecting data and other risks associated with that, externalizing to the users, saying you did want to be part of this issue to protect yourself. so we are pushing a lot of responsibility on to the user saying if you think there are risks coming in your direction as result of new information technology, you are responsible for protecting yourself from it. this is very problematic, of course. we've done projects in the past, instead of burdening the users with protecting their privacy we should ask phone companies or whoever is making the phones we're using to give them secure phones. we should make sure that the network is secure in a way that your communications cannot be eavesdropped on.
1:35 am
maybe partner, and i think in the case of like usernames and for a lot of sites that are asking for username and password when they don't need to. you can do those anonymously without giving information but they were pushing people to sign in and to be uniquely identified, incurring more risk. and in some cases i think there is a risk in terms you want to be logging in and securing a communication with that organization which is getting his services but they are not securing their service and they're asking security questions like what is your mother's maiden name, which is usually public information. and then saying the users are responsible for not taking care of keeping their mother's maiden name private, which is again burdening the user with bad security design but i think there's a lot to unpack there.
1:36 am
>> so i want to come back to a theme that daniel had mentioned earlier. i think you were referring to, i mean, i'm hearing that there's a shared responsibility that seems to exist. and you had earlier pointed to this idea that a community, right, that we shouldn't be thinking about individual security, but a community is part of the process. and i'm wondering what that looks like, what that entails in both the work that you've done as a developer of open-source tools and in your work at the aclu? >> so, there are many different ways that a community's security can be impacted by the tools that they use and recommendations that they use. i guess there's at least two different ways i like to answer the question and i will try to be brief.
1:37 am
one way is for a tool to be developed in a way that benefits the users, those users, the people developing the tool need to be engaged with the user base. the user base needs to get feedback. how you establish those communication channels and encourage people to contribute in those ways, to the tools that they rely on, is a tough question. i think we need more people working to try to get those communication channels open and value that kind of feedback. another way that i think, the communities themselves, there's also a way we can do surveillance of a community that doesn't amount to surveillance of any one individual. this is a separate question about how do we secure a community. i think we need to also think about the ways that communities have marginalized people. so, for example, lgbt communities in places that have homophobic laws or homophobic culture have ways of communicating with each other.
1:38 am
and rather than just surveilling any one individual you can look at the community itself and build up information based on the pattern as a whole. and so whether any one individual within that community has protected information, the fact they're still participating highlights them as potential target and that itself is a risk. there are sort of two ways i want to make sure the community aspects gets brought up. >> so that suggests that we need a broader base of people using secure technologies. i want a reality check as to where we are at, because i heard you say something about hypotheticals. and tara, you also mentioned that we have a lot to do. so what's the state of the market, for example, with regards to secure technologies?
1:39 am
i mean, how many people are using, let's set aside the question of vulnerable populations for a second and just understand the broad base of consumers that do practice, you know, using encryption tools, tools that keep both the individual and the community, i mean, what are we looking at here? >> it's interesting at one level the user community is massive because there's already an infrastructure even if it's imperfect that already has a large amount of encryption deployed. much of this we don't necessarily see. it's not the same as deciding you're going to download a particular tool to add another level of encryption to your instant message or to off the record messaging or a particular tool, but you already sort of embedded.
1:40 am
at one level, it's all of the people who are already using it. that's probably not what you're talking about but we do need to remember there are already a bunch of people who are taking advantage of these tools who may and may not realize the degree to which they are using the tools that are already out there. i don't have a good read on who's using the other tools that are a little more off the beaten path. it can be covered are people who've had an incident happen to them and they suddenly decide it's something they need to do. they are maybe people are part of a larger communities who have brought this forward, taking more care on the communications. i think in those groups we are not seeing maybe the diversity that you might see in the broader community that he mentioned earlier who are already using tools. if you look at some of the developer communities where there's volunteer labor. so the way you hear about these tools is because you're involved in a community -- the diversity is not particularly large. daniel may want to add a bit more to this.
1:41 am
and the numbers are pretty low and among those, for example, the number of women who are participating is low. anyone who is in a group in which they are marginalized, for example, tends not to have access to resources to participate in free labor market. you are someone who has multiple jobs, someone is taking care of children. you may not have the ability to decide you're going to sit down and dedicate a few more hours a week to develop a tool. this is exactly the sort of people who we are speaking with them for trying to bridge that gap i think would be an interesting challenge. if you want to hear from the users and not just the people who feel they know what the users want, you do have to involve people to design with people and not just for people. i am intrigued to see how we might bridge that gap. >> daniel, how good or bad? >> the diversity within the developer community, it's terrible. >> and also with the user
1:42 am
community. >> well, so the thing about looking at the user community, particularly for privacy preserving tools, is that often the user community don't want to identify themselves because they're interested in protecting the privacy. so there's a bit of a chicken and egg problem in determining that the developers who build tools that do actually want to preserve privacy probably don't collect a ton of information so it's hard, but i suspect numbers are relatively low, certainly compared to get out of network users over all. >> seda? >> maybe it's good to distinguish like three types of use that is out there right now. one is basically what we know as https -- basically protects
1:43 am
the communication between you or your device and the service provider that you are syncing to. those are important to talk about men and their division now. the next one, and that's been being increasingly used on phones and tablets is man at the end attacks. so those are, so that's when companies use encryption to put controls over what we can do with the devices that we are using. and those two, amenity and encryption used is quite popular, getting more popular. the man in the middle is getting more popular due to also increase privacy concerns and then there's a third type which is kind of what you guys were talking about with the developer commits increase software and the lack of diversity and the miniscule number of users and that's what
1:44 am
i will for now call end to end encryption. these are three mates, the man in the middle, man at the end and end to end. it's not perfect but let's try in this kind of classification. and what happened in the last two months, which is rather let's say worrying is that we had a number of government officials speak against the end to end encryption and its possible popularization through applying end to end, companies applying end to end into a wider user base. so apple said it would provide an application to their users using imessage. google started developing something that we haven't yet seen deployed, and facebook said that they would integrate this into whatsapp. government officials react very identically saying that this would mean law enforcement would not be able to do their jobs. i think we would also banned encryption against man in the middle attacks which was not
1:45 am
well received, and obama said something similar, even maybe stronger. he said people with companies will be liable if because of the use of end to end encryption they would find out that an attack happened or somebody was harmed. sending the message to companies in my opinion that they should not implement these technologies. so i think that there is a whole economy of where encryption gets applied and where it is encouraged and discouraged and would like to see end to end encouraged. one way to do that is have organizations with a large user base implement it properly, not like imessage, but that's another detail and make sure it is available for the privacy user but we haven't seen that happen. >> i want to respond, let's talk about that later maybe because i am actually interested in the quality of the security that end users are
1:46 am
receiving. so, one thing that has been of concern, particularly in marginalized communities, is that stuff that they use across the board doesn't work. it's of low quality, right? so i'm wondering, you know, are we at risk of seeing tools developed and deployed that are not quite protecting us as much as they should be? and i will come back to some of these larger questions, but i think from the perspective of the marginalized communities that i've worked with, that is a very prominent concern. are you getting what you think you're getting? >> there are very few tools that are providing people with full anonymity and
1:47 am
confidentiality and privacy protection. there are often gaps in terms of what i would call key management. how you identify the remote party you communicate with. there can be gaps in metadata analysis. there can be simply bad encryption if you are using an encryption mechanism that we know to be broken or to be substandard. so, i think the communities you work with are rightly concerned that what they're getting doesn't maybe live up to the level of security that they want. that said, there are tools that are out there that are a significant step up, and you know, seda mentioned https. three years ago, https traffic was a small fraction of what was going on on the internet.
1:48 am
and now even look at all web traffic, it is significantly larger than it used to be. many people who run websites have decided we need to be doing this, this should be the default, this should be the new standard. like why are we sending clear text unencrypted across the internet in the first place? all that does is put our users and ourselves at risk. so this doesn't go all the way to the end to end encryption that seda is pushing for, but it is a step up and it does protect users against certain kinds of attacks. now, there are still failures. i don't know if people in the room heard about the lenovo superfish incident last week? that was an attack against https? so lenovo, so anyone who bought a lenovo machine and
1:49 am
clicked yes on the license agreement -- just to be clear, who here reads all of the licensing agreements? wow. two people, three people, okay. so, that's very rare. it is usually zero. so if you click yes, they would actively intercept all of the communications going on. https is getting better and better, more widely deployed, but there are still attacks that can happen. so i think we need to be, that attack happened because people picked the machines they were given by the vendor and they just used it in the way that everyone normally uses it. to make sure we have an eye on that kind of situation. >> thanks for asking the crowd about their doing a crowd check. actually i'm really curious to see a show of hands in the realm of how many people are working directly with more mobile communities or marginalized populations?
1:50 am
we have a few in the back as well. so for the benefits of those who raised their hands in the back of the room, and myself as well, i've heard you talk about usability. i've heard you talk about protocols and infrastructure. i've heard you mention the role of government. and, there are opportunities. for those of us who are working with vulnerable communities, what is the greatest opportunity that we have ahead to institute more secure technologies? what is going to get us to a place where these tools are easy-to-use? what should we be hopeful for? >>
1:51 am
i think what we should be hopeful for is that if we can get -- a beginning of an adoption of the tools. i think we are getting a bit of -- you are hearing more from users who are expressing a desire, hearing about the tools that might be helpful for them. if we can begin to break down some of these barriers, i'm hoping we can hear voices that we do not hear before you can give us information about what people need rather than what we believe you need. we never actually talk to you but actually bringing you into our group.
1:52 am
i'm hopeful that there will be more funding for things like this, more availability for projects to be funded to look into usability issues, to look into tackling these issues. people handling very large complex projects on shoestrings. there are very dedicated and expert personnel who are asked to do a wide variety of very complicated tasks to the best of their abilities. they may not have the tools to bring in people who should be the testing with them. if they have a bit more of that, i will hope the tools will improve. there is more dissemination. it will be great if people can do documentation that has user support so people don't have to jump onto an irc channel, but want a close relationship with people to talk them through problems. i recognize we have a lot of large challenges, but i'm optimistic that we will perhaps move closer to that ideal of tools that are more available to a wider group of people and give them the security they are looking for.
1:53 am
>> ok. i think i will look at it more structurally. i think i will come back to some of the proposals for cyber security. what we see in the cyber security strategies as you look at the research and development strategy, there is also the executed order -- and move away from secure infrastructure to making it resilient. if i could very shortly -- we cannot add security to the networks we have. we should not rely on security. instead, we should try to make communities or systems or critical infrastructure adaptable to attack. let's say there were data breaches. we have to try to learn from past mistakes by surveilling everything all the time so we can recognize when those attacks will happen in the future. resilience is a failure of the
1:54 am
state -- a project that replaces the failure of the state to provide security for citizens and the people living within the borders and putting the responsibility on individual communities to secure themselves. that also goes towards private entities. in this game, the disenfranchised, more vulnerable communities will lose even more because they don't already have the resources to protect themselves and now the government will say why don't you make yourselves a little more resilient? i think the structural point we need to look at here is the very careful move towards resilience and seeing that not everybody is going to have the equal resources to make themselves resilient and maybe think about security as something we keep with us and not just give up on.
1:55 am
>> i want to send my response in terms of what can benefit the entire network. we desperately need extra security for emerging communities. one concern about providing targeted security to less communities is it highlights who is getting that. so, at some level, what we actually need -- this goes back to infrastructural change -- the more people that are not in marginalized communities that use tools that provide the same protections, a baseline expectation that these are the normal tools. these are the tools to be used. they will bring in a wider user base and more traffic that
1:56 am
will look the same as other communities. if one of the goals we want to see is better support for the security of marginalized communities and individuals in the communities, everybody needs to take on these same set of tools and use them actively even if you don't particularly feel you are a member of the threatened group. >> we have time for questions. i'm just going to open it up to the floor. i know that we have a hashtag where people are potentially joining our conversation. i would just point it out to you for those of you listening in. let's have a show of hands for questions. yes. in the back there. >> one of the disenfranchised
1:57 am
groups in afghanistan are women that fight every day for equality. we established the afghan trusted women's network. we think it is a matter of life or death. there is a secure means by which women can get on the network through a portal, entirely secure, and they can discuss issues from small businesses they are in to educational issues. there are technologies out there that are secure enough for people, especially those in a difficult situation like women and children in afghanistan, to discuss those issues that are sensitive. we look at that as a matter of life and death. in some cases, just the use of technology endangers their
1:58 am
lives. they not only have to exercise operational security when they log on, but when they are on that portal, they are very secure. second anecdote -- >> is there a question? i want to be sensitive to others. >> has the panel considered secure portals for the online collaboration for groups at risk? i mean that also in southern syria, subnational level where we know that people that have sent simple e-mails have been intercepted by isis have been taken away and never heard or seen from again. people that have sent simple emails have been intercepted by isis have probably been taken away and never heard or seen again. what is your experience with those secure portals as a solution for online collaboration securely? >> i'm afraid i don't know the architecture of the system you're describing
1:59 am
specifically. i'm happy to hear that you're working on projects like that. i think we do need more people trying to build these sorts of tools. one of the concerns that i would have based on the brief description that you gave in terms of secure portals would be that there's probably a large amount of information stored on the servers of these systems and if these communities come under attack or are targeted, then the fact that that information is stored in a centralized place makes that particular place a point of vulnerability and this is one of the externalities that seda mentioned where if the administrators of that system don't adequately secure it -- and i'm not saying your administrators aren't adequately securing it, i certainly hope they are, but if they lose because someone tried to compromise the system, if it's centralized in that way, then all of the people who have participated become at risk so that's a concern that i would have in a model that relies on a sort of centralized and trusted intermediary to provide that communication.
2:00 am
>> i saw another hand go up in that general area. yes? if you could be sure to ask a question straight off, that would be great. >> so i remember a couple of years ago the food stamp processing went down for a whole bunch of states and i'm wondering, seemed like a practical question here, is that the food stamp system as secure as the commercial credit card system? or do we even know? is anyone checking? >> the credit card system in the united states is based on things that you can trivially photograph with your mobile phone in a restaurant. and i can't speak as to the technical security of the food stamp system but my understanding is that the credit card system in the united states is backed by the legal