tv House Session CSPAN February 24, 2015 1:00pm-2:01pm EST
1:00 pm
ppd-28, in which he laid out about a year ago in the conduct of intelligence here's the specific framework you use. these are the principles i want you to be mindful of. this is the legal kind of basis that will continue. that's all that remains. >> approach it differently and more general terms. the point this story raises, and we'll separate ourselves from the specifics, is a danger a number have mentioned, including yourself, the idea of making cyberattacks more costly in order to deter them. the follow on them, if you carry out your own attacks, are you starting a vicious cycle of attack and retaliation and do we see that with for instance, a country such as iran? and that of course goes back even further. >> well, escalation is not something that is unique to the domain of cyber. >> true. >> so just as we developed
1:01 pm
frameworks over time to help us address the issue of escalation in the more kinetic traditional role, cyber is in a different arena. >> do you think you addressed sufficiently and for instance this event, are there others that give you concern that it leads us down a dangerous path, that everybody's looking for ways to deter, we've seen dangers, these attacks can cause, but you do want to raise the cost but you want to see the follow-on sort of cycle, are you comfortable we have a handle on how to deter america's adversaries from cyberattacks without creating a further problem? >> i think clearly the concepts of deterrence in the cyber domain are relatively immature. i don't think we are where we need to be, where we collectively need to be. this is still the early stages of cyber in many ways. so we're going to have to work our way through this. it's one of the reasons why quite frankly i'm interested in
1:02 pm
forums like this because i'm interested in a broad set of perspectives, many of which are going to be different from what i bring to the table. i'm interested how do we collectively as a nation come to grips with some fundamental concepts like deterrence in the cyber arena, how are we going to do this? you look at the threats we're facing in cyber continue to grow. >> no question. let's look at the bigger threat. you have iran where there is history back and forth. you have russia, frequent attacks in the private sector and government sector. and china, i have been in china where you have enormous costs to the business communities and the tens of billions of dollars plus, as we know, they target government institutions and apparently have success stealing secrets. p.j. talk about the coming cyberwar, it looks to me we are already to low-level war.
1:03 pm
these have real capabilities. >> clearly i would argue that history has shown us to date you can name any crisis, you can name almost any confrontation we've seen over the last several years there is a cyber dimension to it. whether, we saw in georgia, where what we saw in the ukraine, iraq, the challenges associated with isil. this is not something isolated. i think among our challenges as we move forward is, so if cyber is going to be a fundamental component of the world we're living in and the crisis and the challenges we're trying to do with, how are we going to work our way through that? what we're trying to argue is, over time if we can get to the idea of norms of behavior, if we can develop concepts of deterrence that lead us to collectively to get a sense of how far can you go, what's aggressive, what's not aggressive, what starts to trip response thresholds, those are
1:04 pm
all questions of great interest i would argue, for all of us. >> it sounds like we're not there, we have not developed concepts of deterrence we have a long way to go. >> i think i used the word immature. we are not where we need to be. no doubt about that. >> i want to ask you leon panetta used a phrase which i'm sure you've heard cyber-pearl harbor. what does a cyber-pearl harbor look like? >> my concern is an action directed against in my case as a member of the united states military, an action directed against infrastructure with the united states that leads to significant impact, whether that's economic, whether that's in our ability to execute our day-to-day functions as a society, as a nation that's what concerns me. and you've seen some -- you look what happened with sony, you look at what we've seen nation states, something
1:05 pm
against u.s. financial websites for some number of years now, those are all things were they -- take that financial piece, were that successful, where our ability to access funds, if that were really contested, think of the implications of us as a nation, as individuals how to deal with that. >> which states are capable of carrying out such an attack like that? >> well, we previously talked about, you know, the big players in cyber, if you will, nations that we see active. it's a matter of matter we've talked about china and what they're doing in cyber. clearly the russians and others have capabilities. you know, we're mindful of that. in general you won't see me going through a -- well, here's my assessment of every nation around us. >> no, i understand. that's two right there, china and russia, already capable of carrying out such an attack. that's concerning. do you find in some of these smaller scale attacks -- there was one that went to the white house computer system, not the
1:06 pm
defense system but still, do you find on the one side kind of showing off their ability a little bit and on the other side testing finding the weak points? >> i think nation states engage in actions in penetrating of systems in the cyberarena for a whole host of reasons. among the two you identified. whether it be the theft of intellectual property. i think depending on the source you use as nation, you lose somewhere between $100 billion to somewhere approaching $400 billion in the theft of intellectual properties. certainly in the department of defense, it's an issue that's been of great concern to us for sometime as we watch nation states penetrate some of our key defense contractors steal the enabling technology, if you will, that gives us operational advantage as a military. >> if i can we have a cyber audience here and i want to go to the cyber audience and give
1:07 pm
everybody a fair amount of time, but if i could touch on a couple other topics related to the patriot act expiration of 215 on june 1, i want to set aside the privacy concerns which are severe from some quarters. >> i would comment very legitimate. those are very legitimate concerns for us as a nation as we try to figure out how we strike that competing requirement for security and acknowledging at the same time our rights as citizens as foundational to our very structure as a nation. it goes to who we are and what we are. >> do -- well, let me ask you since you brought that up do you think that current -- for instance metadata collection, do they get that balance right? >> i think number one the metadata collection collects -- does generate value for the nation. is it a silver bullet that in and of itself guarantees there
1:08 pm
will be another 9/11 or there won't be a successful terrorist attack and my comment would be no. if that's the criteria you want to use, i would be the first to acknowledge it's not the silver bullet. it's the one component of a broader strategy designed to help enhance our security. at the same time we also realize that in executing that phone record access that we need to do it in a way that engenders a measure of confidence in our citizens, that it's being done in a lawful basis, with a specific framework and that there are measures in sight, in place to ensure that n.s.a. or others aren't abusing their access to metadata and that's fair and right for us as a nation. >> let me ask you a question because i'd like you to quantify the value that is generated for the nation. early on when the program was revealed, i was reporting this heavily at the time, the administration bandied about a figure 50-plus thwarted. over time that figure was
1:09 pm
whittled down by, among others, senator patrick leahy the metadata, even down, he would argue, to zero, where the metadata itself was necessary where other programs could not have accomplished the same thing. can you identify a specific plot that without the bulk collection we wouldn't have been able to -- have identified? >> in large and classified forum, i'm not going to do that. >> does one exist? >> but i will say this, i base my assessment on the fact that i truly do believe it has generated value for us. can you prove to me without this you wouldn't have forestalled an attack, if you didn't have this you wouldn't have been able to forestall an attack, the criteria i would argue, if you use that then it would argue things like, well, why do we maintain
1:10 pm
fingerprints? if you don't prove to me collecting fingerprints would forestall criminal activity, why do it? i would argue that's not the criteria to use. >> don't you think there's a higher standard for this because we don't fingerprint everybody in this room, you fingerprint when you have a reason to fingerprint? >> if you look at the amount of frint information. >> global entry. set aside the privacy concern for a moment, because it is others -- it's officials from inside the national security -- not industry -- but institutions of government, f.b.i. and others who are concerned that they will lose tools that they find extremely useful go after tangible things, hotel records etc., in the collecting phone metadata information, quoting f.b.i. officials than myself, see as less important?
1:11 pm
>> to be honest, i never heard that argument. nor is it a conversation that the director of the f.b.i. and i have. we talk regularly. >> you don't -- >> and other issues. >> you don't think the fight over metadata could hold up, particularly when we speak of the renewable or extension of 215, other tools in fighting? >> yes. the value of this effort and the legal framework to continue it is a conversation we need to have in and of itself. so what do we think? and does the program as currently with the amendments that were directed by the president or changes that congress may -- remember this is all derived from a law passed by congress, patriot act, specifically section 215 of the act. and should congress decide as at the look at -- because no action is taken, the authority expires on the 31st of may 2015, in that case the first of june we will no longer be able
1:12 pm
to access this data and generate activities overseas and potentially activities in the united states. remember that's what drove this in the first place. in the aftermath of the 9/11 attack, if you read the 9/11 investigative report, one of the comments made in the report was, hey look, you had in at least one instance phone connectivity between one of the plotters who was in the united states to those back overseas. guys, you should have had access to this you should have connected the dots. you should have realized there was an ongoing plot in the united states. that was the genesis of the idea of how can we create a legal framework that would enable us to make a connection between known activity overseas tied to a nation state group, a set of individuals, how could we try to take that overseas data and see if there is a connection in the united states and how could we try to do it in a way that protects the broad rights of our citizens? that was the whole idea behind
1:13 pm
it. so i would urge us in the debate on this, and it's important that we have a debate, not to forget what led to us do it in the first place. >> what are the prospects for renewable extension, 215 specifically? >> to be honest, this is where i'm glad to be a serving military officer. i have no idea. this is just beyond my expertise. i realize it's a complicated issue. >> if you lose that will that greater hamper your ability, the n.s.a.'s ability to thwart terror attacks? >> do i think if we lose it makes our job harder, yes. on the other hand, we respond to the legal framework that is created for us. we at the national security agency do not, do not create the legal framework we use. that is the role of the legislative branch and we as we interpret the legalities of the law that whatever framework that's developed we'll ensure it was executed within the appropriate legal framework. that's what i know as director
1:14 pm
of the n.s.a. >> let me turn to counterterror. a lot of talk when i speak to intelligence officials they will acknowledge that terror groups have altered the way they communicate, post note. and that's made a difference. i wonder if you could quantify or describe how much that's hurt your capability? >> i would say that it has had a material impact in our ability to generate insight as to what terrorist groups around the world are doing. i'd rather not get into the specifics because i don't want them to have any doubt in their minds, we are aggressively out hunting and looking for them and they should be concerned about that. i want them to be concerned, quite frankly. i'm concerned with the security of our nation. i'm concerned about the security of our allies and their citizens. so anyone who thinks this has not had an impact i would say don't have -- don't know what
1:15 pm
they're talking about. have i lost capability that we had prior to the revelations yes. >> how much does that concern you? >> it concerns me a lot. given the mission of the national security agency, given our footprint around the world, i mean, us as a nation. when i think of our ability to provide insights to help protect citizens wherever they are, whether they be out there doing good things to try to help the world, whether they be tourists whether they be serving in an embassy somewhere, whether they be wearing a uniform and find themselves in the battlefields of afghanistan and iraq today, clearly i'm very concerned. as well as our key allies. >> do you develop new -- have you found yourself forced to develop new capabilities to make up for the lost capabilities? >> right. to be successful we have to be an adaptive, learning organization. as the profile of our targets change, we have to change with
1:16 pm
it. >> i wonder if i could turn to -- i want to give time to the audience -- this time back to intelligence reform to some degree. so recommendations 24 and 25. we haven't talked about it. this was big news a year and couple months ago. as often happens in washington -- >> i have not memorized it. >> neither have i. i just happen to know it was 24 and 25. one was splitting cybercommand, military leadership, civilian leadership to the n.s.a. of course we have you. >> right. >> do you think that's a problem? >> no. i would argue where u.s. cyber command -- as many of you may be aware, i am both the commander of the united states cybercommand. so an operational organization within the department of defense. as charged with defending the department's networks as well as if directed defending critical infrastructure in the united states. that's my u.s. cybercommand role. in addition i'm also the director of the national security agency. in that role two primary
1:17 pm
missions. one is foreign intelligence. and the second is information assurance. given the cyberdynamics we're seeing in the world around us today that information assurance mission becoming more and more critical importance. so discussion in the past about a year ago now little bit longer, about so should you separate these two jobs? should you have an operational kind of individual running u.s. cybercommand and then have an intelligence kind of individual running n.s.a.? the decision was made at the time which i fully supported it when i was asked as being interviewed for potentially to fulfill these jobs, my comment was given where u.s. cyber command is in its maturity and journey it needs the capabilities of the national security agency to defend u.s. infrastructure and defend the department's networks. combining both intelligence and operations in the same way we have seen and the lessons of the wars in the last decade that integrating these almost seamlessly generates better
1:18 pm
outcomes. that's the case here in my mind. >> and the president obviously -- >> has come to that conclusion. >> has come to that conclusion. do you think the pressure is off to some degree? you remember this pressure. this is when your predecessor was still in the hot seat. this was enormous focus from inside, outside washington. i know we have this deadline coming up june 1, but it's not the same tenor. do you feel the pressure is off, that worst fears and concerns have either been forgotten? >> i wouldn't say forgotten. people would say, ok, now we've seen this work under two different individuals. we seem to be comfortable that the construct is generating better value if that were to change we would have to clearly relook at it. >> thank you very much. i'm still going to ask you questions. i want folks to ask some questions as well. i know we have a microphone going on. i know we have questions coming in via social media i'll wait for those.
1:19 pm
why don't we start with the crowd since you took the trouble coming here today if i could -- right here in the center of the audience and she's coming right behind you. >> yes admiral, thank you for coming. we were talking about the sony attack earlier and we heard the justice department is investigating it as a criminal matter and we've seen sanctions. what is exactly your role in this? not just identifying this, but do you see any action that you intend to take or have taken in response to this? >> well, i'm not going to get into specifics what, as a member of department of defense, putting on my u.s. cyber command role, if you will, what we may or may not do. i think the president's comments about we're going to start with economic piece and then we will look at over time the potential of additional options or different applications capabilities. that the positive side i think
1:20 pm
is the immediate actions. remember, the hack the destructive piece occurred in late november. on the positive side several months have passed and we have not seen a repeat. i think it was part of the entire intention, look, this is unacceptable. we don't want this to happen again. in the near term it has had a desired effect. as i said coincidentally, i was testifying in the house. i said, look, it's only a matter of time we see this destructive offensive actions taken against critical u.s. infrastructure. i fully expected, sadly in some ways my time as commander of the united states cyber command the department of defense will be tasked with attempting to defend the nation against those kinds of attacks. i didn't realize it would go against the motion picture company, to be honest. >> if i could just follow on that. during this one phenomenon in a
1:21 pm
way in regards to north korea, china has come around on being alarmed by some events inside the political structure there. how much help did you get from china, if at all, knowing internet is routed -- north korea's internet is routed through china. >> we reached out to our chinese counterparts. this is a concern to us and it should be concerned to you that in the long run this kind of destructive behavior directed against a private entity purely on the basis of freedom of expression is not in anyone's best interest, that this is not good. and so they were willing to listen. we'll see how this plays out over time. on the positive side we were able to have a conversation which we were grateful for. >> was the u.s. behind the retaliatory attack on north korea? [laughter] >> let's make some headlines. >> not going to go there? >> not going to go there. >> did china offer any material
1:22 pm
help other than listening? >> i'll be honest. i didn't work that specific aspect of the problem. my knowledge of the specifics of the p.r.c.'s response -- it wasn't an area that i worked. >> ok. over here. sorry. microphone is over there we'll try to get to the other side of the room. >> good morning. david sanger from "the new york times." good to see you today. >> david, how are you doing? i apologize, i did not read "the new york times." >> only my mother reads me early in the morning. my question to you goes to the question of encryption something that has come up here recently. you saw in the fall when apple turned out a new operating system for the iphone 6 it basically put all the encryption keys into the hands of the users and said if they get a request either a legal request from law enforcement or
1:23 pm
one from you, all they could really hand over from the phone itself would be gibberish. you'd have to go break the code. they made it pretty clear in recent times, even when the president was out in california last week, that they planned to extend that encryption eventually up into the cloud and so forth. and we've heard the f.b.i. director say this is creating a dark hole that's going to get in the way of their investigations. we haven't heard very much from the intelligence community on this. i wonder if you'd talk a little bit about this whole phenomenon of basically handing the keys to users how it would affect your own abilities, whether or not the computing capability you're building up now is designed to be able to try to break that and what other solutions you might have. >> broadly i share the director's concerns and i'm a little -- perplexed is the
1:24 pm
wrong word -- the debate i've seen is it's all or nothing. total encryption or no encryption at all. part of me is, can we come up with a legal framework that enables us within some formalized process a process that neither n.s.a. or the f.b.i. would control to address within a legal framework valid concerns about? if i have indications to believe that this phone, that this path is being used for criminal or in my case foreign intelligence, national security issues, can't there be a legal framework for how we access that? now, we do that in some ways already if you look at, for example, we've come to a conclusion as a nation that exploitation of children is both illegal and something that is not within the norms of our society. so we created both a legal framework that deals with things out there that would pass as photography and imagery,
1:25 pm
that reflects the imagery of the exploitation of children, we've told companies for example, that you can screen content, that's unacceptable. that it violates not just the law but a norm for us as society. so from my perspective we have shown in other areas that through both technology, a legal framework and a social compact that we have been able to take on tough issues. i think we can do the same thing here. i hope we can get past this, well it's all encryption or nothing. that we got to find -- what are the levers we can create that would give us the opportunity to recognize both the very legitimate concern as privacy which i share as a citizen and the very valid concerns of, look this is the path that criminals, foreign terrorists are going to communicate, how do we access this? we have to work our way through that.
1:26 pm
>> i walked to the other side of the room so i can get the microphone. thank you. there's been reports by cybersecurity analysts and the snowden documents that united states is engaged in spyware for purposes of surveillance. how significant is spyware to the n.s.a.'s surveillance capabilities? >> well, clearly i'm not going to get into specific of allegations. the point i would make is we fully comply with the law. ppd-28 provides a very specific framework for us about what is acceptable and what is not acceptable and what are the guiding principles that we have to keep in mind when we're conducting our foreign intelligence mission. and we do that foreign intelligence mission operating within that framework. that's the commitment that i make as the director. we got a legal framework and we will follow it. we will not deviate from it. >> he's taking the microphone.
1:27 pm
>> bruce schneier, we haven't met. answer is yes, very significant. and your own question, it's not the legal framework that's hard, it's the technical framework. my question is also about encryption. it's a perception and a reality question. we're now living in a world where everybody attacks everybody else's systems. we attack -- we attack systems. china attacks systems. and i'm having trouble with companies not wanting to use u.s. encryption because of the fear that n.s.a., f.b.i., different types of legal and surreptitious access is making us -- what can we do to convince people that u.s. products are secure, that you're not stealing every single key that you can? >> so first of all we don't. number two my point would be that's the benefit to me of
1:28 pm
that legal framework approach. hey, look, we have measures of control that are put in place to forestall that. i think it's a very valid concern to say, hey look, are we losing u.s. market segment here? what's the economic impact of this? i certainly acknowledge that it's a valid concern. i just think between the combination of technology, legality and policy, we can get to a better place than we are now. realizing we are not in a great place right now. >> on that point it's not just encryption but you speak to high-tech executives. they speak about tens of billions of dollars in loss, cloud computing, etc. should that not be part of the cost-benefit analysis of something like phone metadata collection, etc.? frankly, it's not really a question for you. it's a policy question. but i'm asking you anyway. you're recognizing those broader impact costs should be part of the decision.
1:29 pm
>> i think we certainly need to acknowledge there is impact here. i say, look, let's not kid ourselves. there are entities out here taking advantage of all this to make a better business case for themselves. there are entities out there using this to create jobs and economic advantage for them. let's not forget that dimension at all, even as we acknowledge that it is a dimension to this problem. >> just to move the microphone around. do we have question from somebody in the -- do we have a social media at all? fine. we'll wait for a little bit. let's move the -- ok. >> thanks. patrick tucker with defense one. couple reports have come out in recent weeks about isis using the dark web to raise money through bitcoin, a dark web, basically a bunch of anonymous computers and people that are able to find each other. can you speak a little bit to that problem in terms of
1:30 pm
intelligence collection of the dark web, what does it mean to you, and how are you going about finding a solution to some of these really big problems of how to find people using that that don't want to be found but are effectively using it for fundraising particularly isis? >> well, clearly i'm not going to get in the specifics but let me just say this. we spent a lot of time looking for people who don't want to be found, that that is the nation in some ways of our business. particularly when we're talking about terrorists, we're talking about individuals engaged in espionage or anybody against our nation or our allies and friends. in terms of what we're trying to do broadly, i mean, first, i would acknowledge clearly it's a concern. isil's ability to generate resources, to generate funding is something we're paying attention to. it's something of concern to us. it talks about their ability to sustain themselves over time. it talks about their ability to empower the activity that we're watching on the ground in iraq,
1:31 pm
in syria libya, other places. so it's something that we're paying attention to. it's something that we're also doing more broadly than just the united states. this is clearly an issue of concern to a host of nations out there. i won't get in the specifics of exactly what we're doing other than to say, hey, this is an area we're focusing our attention on. >> as we move across here, just to follow on that question regarding isis. because when we speak to counterterror officials they talk about isis supporters here in the u.s. different level of the problem than you have in europe, for instance, and certainly the middle east. since the web is the principal form of radicalization for a lot of these -- particularly lone wolves, right folks that travel, it must be pretty easy to track is it not? if it's happening on the web, etc. can you identify pretty quickly and easily someone who is going down that path?
1:32 pm
>> i mean, it's not quick and easy. remember, as the national security agency, we are a foreign intelligence organization. a foreign intelligence agency. not a domestic law enforcement or surveillance organization. so when it comes to the homegrown kind of in the u.s., that's really not our focus. our focus is on the foreign intelligence side, attempting to find the connections overseas and then quite frankly partnering with f.b.i. and others to say, ok if we generate insights of activities we're seeing overseas hey, how does this tie into activity we may or may not be able to detect in the united states? and that's why partnerships are so important to us because we're a foreign intelligence organization. >> folks here that make contacts with folks over there, that's my -- it's not as easy as it sounds. >> it's not easy but something we pay attention to, something we track. it's something we partner with the f.b.i. and say, ok we've seen this. there may be a u.s. connection
1:33 pm
here. hey, this now becomes a law enforcement problem. >> ethan chow. >> hey ethan. >> as director of n.s.a. and united states cyber command, do you think we're positioned effectively to address the new cyberspace as a new domain of war fighting? and how does that differ from land air and sea and do you think we need improvements and in what aspects? >> so do i -- do i think we're where we ought to be? no. no. part of that is just by culture. as a military guy, you are striving for the best. you are striving to achieve objectives. you push yourself. i would say we're in a better position in many ways than the majority of our counterparts around the world. we put a lot of thought into this as a department. u.s. cyber command, for example, will celebrate our fifth anniversary this year. so this is a topic that the department has been thinking about for some time. in terms of what makes it
1:34 pm
challenging, what makes it difficult is let's look at this from a defensive standpoint. one of the points i like to make is, so we're trying to defend an infrastructure that has been built over decades literally and most of which was created at a time when there really was no cyberthreat, that we're trying to defend infrastructure in which redundancy, resiliency and defensibility were never design characteristics. it was all about build me a network that connects me in the most efficient and effective way with a host of people and lets me do my job. when we designed most of these concerns about people's ability to penetrate those networks, to manipulate data, to steal data really wasn't a primary factor. so there's also a component in the department as we're looking to change our network structure to something that those were really core design characteristics. so that's a challenge. and clearly we're trying to
1:35 pm
work our way on the offensive side through -- it kind of goes to one of the questions, jim, that you had previously asked. how do we do this within a broader structure that jives with the law of conflict. when you look at the application as cyber as an offensive tool, it must fit within a broader legal framework, the conflict, international law, the norms that we have come to take for granted in some ways in the application of kinetic force dropping bombs. we got to do the same thing in the offensive world and we're clearly not there yet. >> the gentleman has been patient over here. >> admiral, my name is hugh retired naval cryptologic officer. i was conferring with another colleague, who may be here, that we were having the same discussions 20 years ago.
1:36 pm
there has been progress. there's n.s.d., f.b.i. but why is it taking us so long to grapple with this as compared to the advent of nuclear weapons and we have the national security act of 1947? >> well, my first comment would be, a guy who was a cryptologist 20 years ago, i sure don't remember having those conversations. can you say the last part about it again? you were talking about duration, why is it taking so long? >> i do not want to minimize the progress and your position i view as progress but it is taking us a long time. if it's not 20 years then it's 15. and that compared to a much more compressed time scale for other cataclysmic changes in national security in the middle of the last century. >> well, take, for example, the nuclear example you used.
1:37 pm
we take for granted today the nuclear piece is something with very established norms of behavior, well established principles of deterrence. my comment was you know how long it took to develop -- we take for granted now because we look at over almost 70 years since the actual development of the capability. we take it for granted now, but if you go back in the first 10, 20 years we were still debating about, what are the fundamental concepts of deterrence? this whole idea of mutually assured destruction, that didn't develop in the first five years, for example. all of that has taken time. cyber is no different. i think among the things that complicate this is the fact that cyber really is unsettling in terms of the way we often look at problems. so if you look at the military, we often will use geography to define problems. it's why we have a central command. it's why we have a european command. it's why we have a southern command, for example. cyber doesn't recognize
1:38 pm
geography. if you look at the attack from north korea against sony picture entertainment, it literally bounced all over the world before it got to california. infrastructure located in -- on multiple continents, in multiple geographic regions. cyber doesn't really recognize this clear delineation we as a nation have generated over time what's the function of the private sector, what's the function of the government and how does this whole national security piece? cyber tends to blur that because the reality is for example, if i go to work and i'm using at work literally the exact same software, that same devices i'm using at home on my personal system, it just has blurred the lines so that makes it very, very complicated. i share your frustration in the sense it's not as fast as i wish it were, but it isn't from
1:39 pm
a lack of effort and it's not from a lack of recognition, if that makes sense. >> oh, you got one. >> i thank you, for coming. alex thomas, c.s.o. at yahoo!. it sounds like you agree with the f.b.i. director that we should be building defects of encryption into our products so the government -- >> that would be your characterization. [laughter] >> i think bruce schneier and ed felten and all of the best public cryptographers, it's like drilling a hole in a windshield. >> i have world-class guys at the agency. >> i talked to some of the folks. >> we don't accept this premise. >> we'll agree to disagree on this. [laughter] >> if we're going to build golden master keys for the u.s.
1:40 pm
government, we have about 1.3 billion users around the world, should we do so for the chinese government, the russian government, the saudi arabian governments? >> i'm not going to -- the way you frame the question is designed -- >> do you believe we should build back doors to other countries? >> my position is hey, look, i think number one that this is technically feasible. now it needs to be done within a framework. i'm the first to acknowledge, you don't want the f.b.i. and you don't want the n.s.a. unilaterally deciding. what are we going to access and what are we not going to access, that shouldn't be for us. i believe that this is achievable and we have to work our way through it. i'm the first to acknowledge there is international implications to this. i believe we can work our way through this. >> so you do believe that then we should build those for other countries if they pass laws -- >> i say we can work our way through this. >> i'm sure the chinese and russians will have the same opinion, sir. >> i believe we can work our
1:41 pm
way through this. >> ok. nice to meet you. thanks. [laughter] >> thank you for asking the question. i mean there's going to be some areas where we'll have different perspectives. it doesn't bother me at all. why i believe in doing things like this, when i do that i say, look, there are no restrictions on questions. you can ask me anything. because we have got to be willing as a nation to have dialogue. this simplistic characterization of one side is good and one side is bad is a terrible place for us to be as a nation. we have got to come to grips with some really hard fundamental questions. i'm watching risk and threat do this while trust has done that. no matter what your view on the issue is or issues, my only comment would be that's a terrible place for us to be as a country. we've got to figure out how we're going to change that. >> for the least technologically knowledgeable, which will describe only me in this room today, just so we're clear, you're saying it's your
1:42 pm
position that encryption programs there should be a back door to allow within a legal framework, presumably approved by -- whether it be congress or some civilian body -- the ability to go in the back door? >> back door is not the context i would use. when i hear the phrase back door, it sounds shady. why not go in the front door? it would be public. we need to create a legal framework to do this. this shouldn't be something we should hide, per se. you don't want us unilaterally making the decision. i think i'm the first to acknowledge it. >> the capability. i do want to get to the back. but do we have a social media question? >> we have a selection. >> fantastic. we have 13 minutes to go. why don't we do a couple? i see you in the back so i'll get to you as well. >> i would note, according to the internet and some of our five profile twitter users in here we are now trending. so newamcyber, you should
1:43 pm
continue to tweet. >> where are we in relation to birdman? >> ok. here is the selection based on the previous comment about back doors for russia and china. christopher c. segoyan, i may pronounce this incorrectly -- are our phones secure and if so -- >> i apologize. >> are foreign governments spying on our cell phones in washington, d.c.? are our phones secure or what should be done? >> do i think there are nation states around the world that are attempting to generate insight as to what we're doing as individuals, i think the answer to that is yes. the second question is do i -- >> what do you think we should do about it? >> well, one thing i remind people don't assume -- there's a reason why we have unclassified system at the
1:44 pm
department of defense. the reason why we have classified systems and unclassified systems and so for d.o.d. users, i always remind them hey, look, we're potential targets. make sure you're using your cell phone in an appropriate way. just why i use mine. the standard of encryption we talked about. i'm not arguing that encryption is a bad thing neither where i say security is a bad thing. i'm a u.s. person, i'm a u.s. citizen. i use a cell phone. i use a laptop. i want those systems to be every bit as secure for me and my children as do you. i'm just trying to figure out, how do we create a construct that works us between those very different viewpoints. >> i'm sure that question came out of the concept of encryption of commercial cell phones. so on that point from russell thomas what can be done institutionally to make collaboration between the private sector and the government marginally better on cybersecurity? >> i mean, i think clearly i
1:45 pm
would second the thought. i think clearly this is an area of significant improvement. i think on the government side we got to simplify things. one thing i constantly tell my counterparts is, look, let's be honest. if you were on the outside looking in at the u.s. government in the area of cybersecurity, we can be very complex. we got to simplify this. we've got to make this easy for our citizens for the private sector and for us to interact with each other, to ultimately get ourselves to a position where we can share information real time and in an automated and machine way. given the speed and complexity of the changes we have in cyber, that's where we got to get. we got to work our way to how are we going to do that and the u.s. government, homeland security the department of homeland security clearly plays a central role here as both the director of n.s.a. and the commander of u.s. cyber command, our capabilities support them and other u.s. government partners in our attempts to do that. >> on that topic, as a journalist, i asked the n.s.a.
1:46 pm
whether my cell phone communications have been monitored in any way? as i submitted through proper channels, i got a response, we appealed. why -- and we got a stock response which others have gotten. i'm a journalist, i lived overseas for a long time. as part of my work i spoke to people who i would imagine you might want to listen to. some in the terror community, etc. why as an american -- a law-abiding american why won't the n.s.a. tell me if they looked at my phone communications? >> well, first if you're asking me directly, i don't know the specifics for you. >> but it's a policy because they told others the same thing. >> the thing i would say, look it's a matter of law to do focus collection against a u.s. person -- i must get a court order. i have to show a valid basis for why we are doing that. is there a connection with a foreign nation? i.e., that person is acting as an agent of a foreign government? and yes, that does happen out there. is that u.s. person part of a
1:47 pm
group, in this case, let's say, isil as an example who is attempting to do harm? i have to show a court, a legal basis for the why and it can't just be, well, we don't like journalists. what? that's not a valid legal reason. >> so if it were to happen you would have to have a court order. but that's something you wouldn't tell the person who was involved? >> no. >> ok. all right. >> ok. i have one more topic. >> one more and we'll go to the back. >> ok. so from john the question is based on last week's announcement or research that one announced there were -- there was news of firmware hacking. has the firmware, repeaters been similarly hacked and if so would this compromise the architecture of the internet? technical question. >> my quick answer would be no. in terms of -- i'd go to the first part. i'm aware of the allegations that are out there. i'm not going to comment about
1:48 pm
them. but in terms of based on what i have read, does that mean -- lead me to believe that internet has somehow been compromised? no. >> thanks very much. >> back to the room on the left. >> mike nelson professor of internet studies at georgetown and recently work for cloudflare which protects attacks, sells encryption. i was at the summit the white house did a week and a half ago and one of the topics you kept hearing in the hallways was about how american companies are very uncomfortable sharing information with the u.s. government if they can't share that same information with dozens of other governments. i'd be curious to know how we're supposed to decide which governments are ok to share with and how we deal with the fact that belgians and the french and the turks and everyone else wants to know what we're sharing with you and our customers want to know that
1:49 pm
too. >> again, this is another reason why that legal framework becomes very important here. to be honest, now you're getting into specifics that isn't my personal focus. i certainly understand the concerns don't get me wrong. but my comment would be that idea is not unique to cyber for example. there's -- you name the business segment and just because we share something internally within the united states doesn't mean we do so automatically everywhere in the globe. so i would argue cyber's not exactly unique in this regard, nor is the challenge it presents and it's a challenge, i acknowledge that, unique to cyber. >> we got time for a couple more. way in the back. another area we haven't -- to be geographically fair. >> listening to the conversation today, one thing that's fairly clear and you mentioned it we need to decide
1:50 pm
what the social norms which we build the policy and legal frameworks, but clearly listening to bruce schneier and alex stamos and you, the social norms aren't worked out yet. what's the process by which we get the dialogue going to figure out what these norms are to see what the policy and legal frameworks are? >> think interactions like this interactions with our elected representatives. hey, they are the ones that create the legal frameworks we use. i encourage all of us as citizens to articulate our viewpoint, to help them understand the complexity of this issue and help them understand just what our viewpoints are as we're trying to work our way through this. the other thing, at least for me, i'm trying to do outreaches well in the academic world because one of the things i'm struck by is -- and it goes back to your question, sir. if you go back and look at some of the foundational work that was done on nuclear deterrence
1:51 pm
theory for example much of that back in the 1940's and 1950's, was done in the academic arena. you read much of the original writings kissinger and others, there was a strong academic focus. so how are we going to understand this new thing called the atom bomb or nuclear hydrogen bomb. i'm trying to see if there is a place in the academic world for this discussion. how do we get to this whole idea of the social norms and what are we comfortable with? >> way back here. >> all the way in the back. >> you are so close. >> thank you. leandra bernsteen sputnik international news. >> was it -- >> leandra. >> i couldn't hear you. your voice trailed off. apologize. >> sputnik international news,
1:52 pm
russian press. so you've addressed the kaspersky and there was another report on the n.s.a., gqs -- hacking in a sim card provider. can you respond to that? you said we need to have a discussion a public discussion. so how do -- would you get that harded by addressing these allegations. >> the first one is listen to these allegations for some period of time. this is something unique, per se. and, again, my challenge as an intelligence leader as even as we try to have this dialogue, which i acknowledge we need, how do i try to strike the right balance between engaging in that broad dialogue and realizing that compromising the
1:53 pm
specifics of what we do and how we do it provides insight to those that we are trying to generate knowledge of, who would do harm for us as a nation? so as a general matter of policy i have just said, hey i'm not in unclassified forums getting in the specifics in the very specific questions you asked. i'm not going to chase it. i don't have the time. we need to focus on doing our mission but making sure we do it within the legal and authority and policy framework. that's the promise that i make to all of you. that's what we do. >> when private companies make these allegations against you, can you address that impact generally? >> i'm not going to get in the specifics. >> we got time for one more since it's a cyberconference and we're trending. do we have another one on the web? >> [inaudible] >> ok. fair enough. you are ruthlessly efficient.
1:54 pm
how about right here in the front? probably be our last one. >> thank you. jim marx from "politico." i want to talk to you about cyber com and n.s.a. can be dual-hatted. one of the process of building up cyber comm is moving them over to cybermission forces. are you afraid you're not bringing up new people, new cyberexperts into the military and you're taking away some native capability that ought to be in the services? >> the short answer is no. i say that remember, in the job before this, i was also in my previous job before these two i was the navy guy. i was a service guy, responsible for developing the navy's cyberforce. i lived in that service world about how you man train
1:55 pm
equip, how you train a force. now i find myself as joint commander with responsibility across the whole department. if i go back to when i started in cyber, in the department 10 years ago, our ability to recruit, retain and train and educate a cyberwork force over time i was really concerned, would this fit within the traditional d.o.d. model about how we develop people, how we promote them? how we retain them over time. fast forward a decade later and i have been -- knock on wood -- pleasantly surprised by our ability to do that. so for now my quick answer is no. we've been able to gain access to the people we need that in so doing i haven't been able to strip massive amounts of capability from other valid similar requirements within the department. we'll have to watch this closely over time, though to see if that changes. there's no doubt about that. >> since time's up final thoughts? >> none other than i thank you
1:56 pm
for your willingness to engage in a discourse. and i think it's positive. clearly these are important issues for us and yet we're able to do this today without yelling and screaming at each other or pointing at each other and making accusations against each other. we have got as a nation to come to grips with what's the balance here and there's going to be a lot of different perspectives out there. i understand that. i'm constantly reminding our force, our work force, be grateful that you live in a nation that's willing to have this kind of dialogue. that's a good thing for us. and are there tensions along the way? yeah. it's not unique to cyber and it's not the first time in the history of our nation where we had challenges like this and it won't be the last. if we really are willing to sit down and have a conversation, we can move where we need to be. with that i thank you very much for your time. >> admiral, thanks very much. really enjoyed it. [applause]
1:57 pm
[captions copyright national cable satellite corp. 2015] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org] >> while in los angeles, engaging a homeless individual to determine his veteran status, i asked the man where he served in the military released in a statement late monday night. he responded he served in special forces. i incorrectly stated i had been in special forces. that was inaccurate and i apologize to anyone that was offended by my statement. well, secretary mcdonald is expected to hold a briefing with reporters this afternoon. we're unsure about what he's going to say but going to get under way at 3:00 p.m. eastern. we expect to bring it to you live at 3:00. and senator mitch mcconnell tweeted out, today america's new congress sent the bipartisan keystone x.l. infrastructure jobs bill to the
1:58 pm
president. and the a.p. reports that president will veto that republican bill that would have approved construction of the keystone x.l. oil pipeline. it arrived at the white house from congress this morning. the white house says the president will veto it by the end of the day. it's the third veto of his presidency. also on capitol hill, secretary of state john kerry will go before the senate foreign relations committee this afternoon. he's going to explain the state department's budget request for the next fiscal year. that plan includes $50 billion for states and for the u.s. international development agency. c-span3 will have live coverage of that. it gets under way at 2:30 eastern. the c-span cities tour takes "book tv" and "american history tv" on the road traveling to u.s. cities to learn about their history and literary life. next weekend we partnered with comcast with a visit to galveston, texas.
1:59 pm
>> with the opening of the suez canal in 1869 sailing ships were really almost dealt a death blow. with the opening of the canal, coal-fired ships had a shorter route to the far east to india, to all of those markets. so sailing ships really needed to find a way to make their own living so instead of high-value cargo they started carrying lower-valued cargos, coal, oil cotton etc. so they found her niche carrying any kind of cargo that did not require getting to market at a very fast pace. elissa's connection to galveston is really unique in that she sailed and arrived here in galveston probably about 100 yards from where we're standing right now back in 1883 with a cargo full of bananas and she came, again a second time later on in the
2:00 pm
1880's and 1886 and it was real important for galveston historical foundation to find a vessel that had a connection and the fact she was a sailing vessel was all the more important. >> watch all of our events from galveston saturday, march 7 "book tv" and sunday, march 8, on "american history tv" on c-span3. and now live to the floor of the u.s. house for brief speeches. the speaker pro tempore: the house will be in order. the prayer will be offered by our chaplain father conroy. chaplain conroy: let us pray. loving god, we give you thanks for giving us another day. as we meditate on all the blessings of life, we especially pray for the blessing of peace in our lives and in our world. our fervent pray