Thanks so much, everybody. Thank you. I don't appreciate now privilege, pleasure to have the time to grill you in front of so many people. We have the benefit today of some news, which I know you love to talk about: a story on the front page of the New York Times about Iran, and Iran finding out in advance about, or just for discovering, a US effort to continue to attack its system, and then responding with its own retaliation beginning in August of 2012, including these attacks on US banks. For a first question, I would ask is how much of an alarm, how much alarm to you, that Iran was able to discover this?

Well, my first time I be, I honestly have not read what we're talking about. Okay, so I'm not in a good position.

Well, it's an NSA, so it's an NSA document. If, well, let me summarize for you, because it's an NSA document. Assuming it's true, and you can also say you have no knowledge of it, but the document saying, and it was written by your predecessor, but saying that Iran discovered a program by the US, following the Stuxnet virus, a couple years later, to infiltrate its computer networks, and in part in response to that US effort, that Iran then carried out its own wave of retaliatory attacks, three waves of attacks beginning in August 2012, including attacks that targeted the US banking system. I suppose the first question then is, does that sound accurate to you?
Again, I don't want to comment if I haven't seen the specifics. Now, in broad terms, so if I could, if you want to have a broader discussion about, so do the actions that nations take in cyber lead to responses and others, like, certainly understand that. You know, the United States, like many nations around the world, clearly, we have capabilities in cyber. The key for us is to ensure that they are employed in a very lawful, very formulated, very regimented manner. I think you saw that in the president's direction to us in terms of PPD 28, Presidential Policy Directive 28, in which he laid out, about a year ago: so in the conduct of signals intelligence, here's the specific framework that I want to make sure you use, these are the principles that I want you to be mindful of, and this is the legal kind of basis that will continue you so that all remains

Well, let me approach it differently and in more general terms, because the point that this story raises, and we'll separate ourselves just from the specifics of the story, is a danger that a number have mentioned, including yourself: the idea of making cyberattacks more costly in order to deter them. The follow-on danger is, if you're making those attacks more costly by carrying out your own attacks, are you starting a vicious cycle of attack and retaliation? And do we see that with, for instance, a country such as Iran? And that of course goes back even further when we look at the Stuxnet virus.

So my comment would be, escalation is not something that's unique to the domain of cyber. So just as we have developed frameworks over time to help us address the issue of escalation in the more kinetic, more traditional world, I think cyber is in the same kind of arena.

Do you believe that you have
addressed it sufficiently? And for instance, this event, are there others that give you concern that it leads us down a dangerous path, that everybody is looking for ways to deter? We've certainly seen the damage, and God knows not just Iran, countries such as China, that these attacks can cause. So you do want to raise the cost, but you also see the danger of a follow-on sort of cycle. Are you comfortable that we have a handle on how to deter America's adversaries from cyber attacks without creating a further problem?

I think clearly the concepts of deterrence in the cyber domain are still relatively immature. We clearly are not, I think, where we need to be, where I think we want collectively to be. This is still the early stages of cyber in many ways. So we're gonna have to work our way through this, and it's one of the reasons why, quite frankly, I'm interested in forums like this, because I'm interested in a broad set of perspectives, many of which are gonna be different, you know, from what I bring to the table, but I'm interested. How do we collectively as a nation come to grips with some fundamental concepts like deterrence in the cyber arena? How are we gonna do this? Because you look at what you see is happening in the world around us, and the threats we're facing in cyber continue to grow.

Hmm. No question.
Well, let's look at the bigger threat. You have Iran, where there's clearly history back and forth. You have Russia, source of frequent attacks on the US, both in the private sector, in the government sector. And you have China. I spent a couple years in China dealing with this every day, where you have enormous costs to the business community, and the billions, the tens of billions of dollars, plus, as we know, they target government institutions and apparently have had some success stealing secrets. People talk about the coming cyber war, but when I look at that, just as an observer and as a reporter, it looks to me like we're already at war to some degree, a low-level war. But with these countries, these are attacks with real consequences, real capabilities.

Clearly, I would argue that history has shown us to date that you can name any crisis, you can name almost any confrontation we've seen of the last several years, and there's a cyber dimension to it, whether it's what we saw in Georgia, whether what we saw in the Ukraine, Iraq, the challenges associated with ISIL. This is not something isolated. And I think among our challenges as we move forward is, so if cyber is going to be a fundamental component of the world we're living in and the crises and the challenges we're trying to deal with, so how are we going to work our way through that? What we're trying to argue is, over time, if we can get to the idea of norms of behavior, if we can develop concepts of deterrence that lead us collectively to get a sense for, so just how far can you go? What's aggressive? What's not aggressive? What starts to trip response thresholds? You know, those are all questions of great interest, I would argue, for all.

It sounds like you say we're not there, that we haven't even defined the concepts of deterrence. It sounds like you're saying we've got a long way to go.

No, well, I think I use the word we're not mature and are clearly not where we need to be. I mean, I don't think there's any doubt about that.
I want to ask you, Leon Panetta used a phrase which I'm sure you've heard. He fears a cyber Pearl Harbor. What does a cyber Pearl Harbor look like?

The way I phrase is, my concern is an action directed against, in my case as a, you know, member of the United States military, an action directed against infrastructure with the United States that leads to significant impact, whether that's economic, whether that's in our ability to execute our day-to-day functions as a society, as a nation. You know, that's what concerns me. And you've seen some, you look at what happened with Sony, you look at what we've seen nation-states attempting to do against US financial websites for some number of years now. You know, those are all things that, were they, take that financial piece, were it successful, were our ability to actually, as private citizens, access our funds, if that were ever really contested, think about the implications for us as a nation, as individuals, how we would try to deal with

Which states today are capable of carrying out such an attack like that?

Well, we've clearly previously talked about, you know, the big players in cyber, if you will, nations that we see active. It's a matter of record. We have talked about our concerns with China and what they're doing in cyber. Clearly the Russians and others have capabilities. You know, we're mindful of that. In general, you won't see me going into a, well, here's my assessment of every nation in the world around us.

No, I understand, but that's two right there, China and Russia, already capable of carrying out such an attack. That's concerning, because we see them. Do you find that they are, in some of these smaller scale attacks,
I mean, there was even one that went into the White House computer system, not the sensitive system, but still, do you find that they are, well, on the one side kind of showing off their ability a little bit, and on the other side testing, finding the weak points?

I think nation states engage in actions in penetrating of systems in the cyber arena for a whole host of reasons, two that you've identified, whether it be the theft of intellectual property. I think, depending on the source you want to use, as a nation we lose anywhere, I've seen, between a hundred billion to something upwards of approaching four hundred billion dollars a year in the theft of intellectual properties. Certainly in the Department of Defense, it's an issue that's been of great concern to us for some time, as we watch nation states penetrate some of our key defense contractors, steal the enabling technology, if you will, that gives us operational advantage as a military.

If I can, we've got a cyber audience here, and I want to go to the cyber audience and give everybody a fair amount of time. So if I could touch on a couple other topics just outside of cyber, although related to. First, on Patriot Act, with the expiry of 215 on June 1st, I want to set aside just for a moment the privacy concerns, which, as you know, are severe for some, from some quarters, but

I would comment, and very legitimate. Those are very legitimate concerns for us as a nation as we try to figure out, so how are we gonna strike that competing requirement for security and acknowledging at the same time our rights as citizens is foundational to our very structure as a nation. It goes to who we are and what we are.

Do, well, let me ask you, since you brought that up. Do you think that the current, for instance, metadata collection, does that get that balance right?

I think that, number one, the metadata collection generates value for the nation.
I honestly believe that, that it does generate value for the nation. Now, is it a silver bullet that in and of itself guarantees that there will never be another 9/11 or there won't be a successful terrorist attack? My comment would be no. If that's the criterion you want to use, I would be the first to acknowledge it is not a silver bullet. It is one component of a broader strategy designed to help enhance our security. At the same time, we also realize that in executing that phone record access, that we need to do it in a way that engenders a measure of confidence in our citizens, and it's being done in a lawful basis, with a specific framework, and that there are measures in place to ensure that NSA or others aren't abusing their access to that data. And that is fair and right for us as a nation.

Let me ask a question, because I'd like you to quantify the value that it has generated for the nation. Early on, when the program was revealed, I was reporting this heavily at the time, the administration bandied about a figure, 50 plots thwarted. Then over time that figure was whittled down by, among others, Senator Patrick Leahy, to a far smaller number, where the metadata, even down, he would argue, to zero, where the metadata itself was necessary, where other programs could not have accomplished the same thing. Can you identify a specific plot that, without the bulk collection, we wouldn't have been able to have identified?

Stuff in a large and classified form, I'm not gonna do that.

Does one exist?

But I will say this: I base my assessment on the fact that I truly do believe that it has generated value for us. Now, if you want to define value as, in and of itself, can you prove to me that without this you wouldn't have forestalled an attack, if you didn't have this you wouldn't have been able to forestall an attack, the criterion, I would argue, is, if you use that, then it would argue things like, well, why do we maintain fingerprints as a government? If you couldn't prove to me that
collecting fingerprints in and of itself would forestall criminal activity, why would you do it? Well, we don't, I would just argue that that's not the criteria to use.

But don't you think there's a higher standard for this? Because we don't fingerprint everybody in this room. You fingerprint when you have a reason to fingerprint. In this case, it's the data collected regardless.

If you look, for example, the amount of fingerprint information retained for, under a very legal, and global entry

Well, let me ask you this then, because the reason I started the question by saying set aside the privacy concerns for a moment, because it is others, it's officials from inside the national security, not industry, but institutions of government, FBI and others, who are concerned that they will lose tools that they find extremely useful, you know, the tangible ability to go after tangible things, hotel records, et cetera, in the battle to maintain phone metadata collection, which they, and I'm speaking, you know, quoting FBI officials rather than myself, say, see as less important.

To be honest, I've never heard that argument, nor is that a conversation that Jim Comey, the director of the FBI, I've ever had, and we talk regularly.

Okay, so you don't, and other issues, you don't think that the fight over metadata could hold up, particularly when we speak in the renewal or extension of 215, other more useful tools in fighting terror?

Is it possible? Yes. My comment would be, the value of this effort and the legal framework to continue it is a conversation we need to have in and of itself. So what do we think, and does the program as currently, with the amendments that were directed by the president
or changes that Congress may elect, because remember, this is all derived from a law passed by Congress, the Patriot, specifically section 215 of the act, and should Congress decide, as they look at, because if no action is taken, the authority expires on the 31st of May 2015, in which case on the 1st of June we would no longer be able to access this data and trying to generate insights and connections between activity overseas and potentially activity in the United States. Let's remember, that's what drove this in the first place, in the aftermath of the 9/11 attack. If you read the 9/11 investigative report, one of the comments made on the report was, hey look, you had, in at least one instance, phone connectivity between one of the plotters who was in the United States and back overseas. Hey, you guys should have had access to this. You should have connected the dots. You should have realized that there was an ongoing plot in the United States with a foreign connection. That was the genesis of the idea of, how can we create a legal framework that would enable us to make a connection between known activity overseas tied to a nation-state, group or set of individuals? How could we try to then take that overseas data and see if there's a connection in the United States? And how could we try to do it in a way that protects the broad rights of our citizens? That was the whole idea behind it. So I would urge us in the debate on this, and it's important that we have a debate, not to forget what led us to do it in the first place.

What are the prospects for renewal, extension, 215 specifically?

To be honest, this is where I'm glad to be a serving military officer.

You can defer.

No idea. This is just beyond my expertise, and I realize it's a complicated issue.

If you lose it, will that greatly hamper your ability, the NSA's ability, to thwart terror attacks?

Do I think that if we lose it, it makes our job harder?
Yes. And on the other hand, we respond to the legal framework that is created for us. We at the National Security Agency do not create the legal framework we use. That is the role of the legislative branch, and then our courts, as they interpret the legality of those laws. Now, whatever framework is developed, we will ensure that it was executed within the appropriate legal framework. That's what I owe as the director of NSA.

Want to turn, if I can, to counter terror, another issue at the top of the agenda. A lot of talk, when I speak to intelligence officials, they will acknowledge that terror groups have altered the way they communicate post-Snowden, and that's made a difference. I just wonder if you could quantify or just describe how much that's hurt your capability.

Um, I would say that it has had a material impact in our ability to generate insights as to what counter-terrorism, or what terrorist groups around the world are doing. I'd rather not get into the specifics, because I don't want them to have any doubt in their minds: we are aggressively out hunting and looking for them, and they should be concerned about that. And I want them to be concerned, quite frankly, because I'm concerned about the security of our nation. I'm concerned about the security of our allies and their citizens. So anyone who thinks this has not had an impact, I would say, doesn't know what they're talking about.

Do you have new blind spots that you didn't have prior to the revelation?

Have I lost capability that we had prior to the revelations? Yes.

Hmm. How much does that concern you?

It concerns me a lot.
Yeah. Given the mission of the National Security Agency, you know, given our footprint around the world, I mean us as a nation, you know, when I think about our ability to provide insights to help protect citizens wherever they are, whether they be out there doing good things to try to help the world, whether they be tourists, whether they be serving at an embassy somewhere, whether they be wearing a uniform and they find themselves in the battlefield in Afghanistan or Iraq today, clearly I'm very concerned, as well as our key allies and friends.

So how do you respond to that? Do you develop new capabilities? It sounds like an obvious question, but if you found yourself forced to just, to develop new capabilities to make up for the lost capability?

Right. So, you know, to be successful, we have to be an adaptive learning organization, and as the profile of our targets change, we have to change with it.

I wonder if I could turn once again, because I do want to give time to the audience, but this time back to intelligence reform to some degree. So recommendations 24 and 25, and we haven't talked about it, friend. There's a big, there's a big news a year and a couple months ago, but it's sort of been, as you know, as often happens in Washington

I haven't memorized

Neither have I. I just happened to remember, I just have another 24, 25. But one was splitting cyber command, military leadership, civilian leader the NSA. Of course we have you, right? Think that's a problem?

Now, I would argue we're a US Cyber Command in particular.
So the specific point is, as many of you may be aware, I am both the commander of the United States Cyber Command, so an operational organization within the Department of Defense, as charged with defending the Department's networks as well as, if directed, defending critical infrastructure in the United States. That's my US Cyber Command role. In addition, I'm also the director of the National Security Agency. In that role, two primary missions: one is foreign intelligence, and the second is information assurance. And as given the cyber dynamics that we're seeing in the world around us today, that information assurance mission becoming of more and more critical importance. So discussion in the past, about a year ago now, a little bit longer, about, so should you separate these two jobs? Should you have an operational kind of individual running US Cyber Command, and then have an intelligence kind of individual running NSA, and should you cab the two apart? The decision was made at the time, which I fully supported, and when I was asked, as you know, being interviewed for potentially to fulfill these jobs, my comment was, given where US Cyber Command is in its maturity, in its journey right now, it needs the capabilities of the National Security Agency to execute its mission to defend critical US infrastructure and to defend the Department's networks, that in combining both intelligence and operations, in the same way we have seen in the lessons of the wars of the last decade, that integrating these almost seamlessly generates better outcomes. That's the case here, in my mind, and the president obviously has come to that conclusion.

Do you think the pressure is off to some degree?
I mean, you remember the pressure, and this is when your predecessor was still in the hot seat, but this was an enormous focus from inside and outside Washington. But people don't talk about a lot, and we know we have this deadline coming up June 1st, but it's not the same tenor. Do you feel that the pressure is off, the worst fears and concerns have either been allayed or forgotten?

I wouldn't say forgotten. I think we've gotten to a place where people say, okay, so now we have seen this work under two different individuals. We seem to be comfortable that the construct is workable, that the construct is generating value, better outcomes if you will. But if that were to change, we clearly have to relook at it.

Thank you very much. I'm still gonna ask you questions, but I want to give folks a chance to answer as well, to ask some questions. Well, I know we have a microphone going around. I also know that we have questions coming in via social media. I'll wait for those. Why don't we start with the crowd, since you guys have taken the trouble of coming here today. If I can, well, just right here in the center of the audience, and she's coming right behind you.

Thank you, by the way. It's great. Yes, Admiral, thank you for coming. We heard, we were talking about the Sony attack earlier, and we heard that Justice Department investigating as a criminal matter, and we've seen sanctions from the Treasury Department. What exactly is your role in this? You, not just identifying this, but do you see any action that you intend to take or have taken in response to this?

Well, I'm not gonna get into the specifics of what, as a member of the Department of Defense, putting out my US Cyber Command role if you will, what we may or may not do. I think the president's comments about, we're gonna start with the economic piece, and then we will look at, over time, the potential of additional options or different applications and capabilities, that, the positive side,
I think, is the immediate actions. Remember, the hack, the destructive piece, occurred in late November. On the positive side, several months have passed now. We haven't seen a repeat of the behavior, which is that, I think, in part was part of the entire intention, to say, look, this is unacceptable, and that we don't want this to happen again. That seems to have had, at least in the near term, the desired effect, although I would be the first to admit, as I had said, coincidentally, just a couple weeks before I'd been testifying in the House. I had said, look, I think it's only a matter of time before we see destructive offensive actions taken against critical US infrastructure, that I fully expected, sadly in some ways, that in my time as the commander of United States Cyber Command, the Department of Defense would be tasked with attempting to defend the nation against those kinds of attacks. I didn't realize that it would go against a motion picture, to be honest.

If I could just follow on that. During this, one phenomenon under the way, and with regards to North Korea, is that China has to some degree come around on being alarmed by some events inside the political structure there. How much help did you get from China, if at all, knowing that Internet is routed via, North Korea's Internet is routing through China? Did they help out?

I mean, we reached out to the Chinese counterparts. We say, hey look, this is of concern to us, and it should be of concern to you, that in the long run this kind of destructive behavior, directed against a private entity purely on the basis of freedom of expression, is not in anyone's best interest, that this is not good.
And so that, you know, they were willing to listen. We'll see how this plays out over time. On the positive side, we're able to have a conversation, which we're grateful for.

Was the US behind the retaliatory attack on North Korea? Let's make some headlines.

Not gonna go there, not gonna go there.

Did China offer any material help other than listening?

I'll be honest, I didn't work that specific aspect of the problem set, so my knowledge of the specifics of the PRC's response, it's just not high. It just wasn't the area that I worked.

Okay. Be over here. Where the microphone? Oh, sorry, there's one of, since the microphone's there, we'll go there. We'll try to get to the other side of the room.

Good morning. It's David Sanger from the New York Times. Good to see you again.

David, how are you doing today? Yeah, and I apologize, I did not read the New York Times.

You know, only my mother reads me that early in the morning. My question, do you go to the question of encryption, something that has come up here recently. You saw in the fall, when Apple turned out a new operating system for the iPhone 6, they basically put all the encryption keys into the hands of the users, and said, if they get a request, either a legal request from law enforcement or one from you all, they could really hand over from the phone itself would be gibberish.
You'd have to go break the code. They've made it pretty clear in recent times, even when the president was out in California last week, that they plan to extend that encryption eventually up into the cloud and so forth. And we've heard the FBI director, James Comey, say that this is creating a dark hole that is going to get in the way of their investigations. We haven't heard very much from the intelligence community on this, and I wonder if you would talk a little bit about this whole phenomenon of basically handing the keys to users, how it would affect your own abilities, whether or not the computing capability you're building up now is designed to be able to try to break that, and what other solutions you might have.

So broadly, I share Director Comey's concern, and I'm a little, perplexed is the wrong word, but the most of the debate that I've seen has been, it's all or nothing. It's either total encryption or no encryption at all. And part of me goes, can't we come up with a legal framework that enables us, within some formalized process, a process that, I would argue, neither NSA or the FBI would control, to address within a legal framework valid concerns about, if I have indications to believe that this phone, that this path, is being used for criminal or, in my case, foreign intelligence, national security issues, can't there be a legal framework for how we access that? Now, we do that in some ways already. If you look at, for example, we have come to the conclusion as a nation that the exploitation of children is both illegal and something that is not within the norms of our society.
So we've created both a legal framework that deals with things out there that would, passage of photography and imagery that reflects the imagery of the exploitation of children. We've also told companies, for example, and you can screen content for that, if that's unacceptable, excuse me, that it violates not just the law but a norm for us as society. So from my perspective, we have shown in other areas that through both technology, a legal framework, and a social compact, that we have been able to take on tough issues, and I think we can do the same thing here. And I hope we can get past this, well, it's either all encryption or nothing, that we've got to find, so what are the levers that we could create that would give us the opportunity to recognize both the very legitimate concerns of privacy, which I share as a citizen, as well as, I think, the very valid security concerns about, look, these are the paths that criminals, foreign actors, terrorists are going to use to communicate. How do we access this? We've got to work our way through that.

I walk around to the other side of the room so I get the microphone this time.

Oh, thank you. There have been reports from cyber security analysts and from the Snowden documents that the United States is engaged in spyware for purposes of surveillance. How significant is spyware to the NSA surveillance capabilities?

Well, clearly I'm not going to get in the specifics of allegations. The point I would make is, we fully comply with the law. PPD 28 provides a very specific framework for us about what is acceptable and what is not acceptable, and what are the guiding principles that we have to keep in mind when we're conducting our foreign intelligence mission. And we do that foreign intelligence mission operating within that frame. That's the command method, you know, I make as the director.
Hey, we got a legal framework and we will follow it. We will not deviate from it.

Sorry, oh, hey, he's taking the microphone.

Bruce Schneier. We haven't met. Hi. Wait, it's the answer: yes, very significant. And to your other question, it's not the legal framework that's hard, it's the technical framework. That's what makes that problem hard. That's why I was talking about nothing. My questions are also about encryption. It's a perception and a reality question. We're now living in a world where everybody attacks everybody else's systems. We attack systems, China attack systems, and I'm having trouble with companies not wanting to use US encryption because of the fear that NSA, FBI, different types of legal and surreptitious access is making us less likely to use those products. What can we do? What can the intelligence community do to convince people that US products are secure, that you're not stealing every single key, right, that you can?

So first of all, we don't. Number two, my point would be, that's the benefit to me of that legal framework approach, that, hey look, we have specific measures of control that are put in place to forestall that ability. Because I think it's a very valid concern to say, hey look, are we losing US market segment here? You know, what's the economic impact of this? I certainly acknowledge that it's a valid concern. I just think, between a combination of technology, legality and policy, we can get to a better place than we are now, realizing that we are not in a great place right now.

You know, on that point, it's not just encryption, but you speak to high-tech executives, they talk about tens of billions of dollars in business loss, whether you're talking in social media, cloud computing, et cetera. Should that not be part of the cost-benefit analysis of something like phone metadata collection,
et cetera? And that's not, frankly, it's not really a question for you, a policy question, but I'm gonna ask it to you anyway. Sounds like you're acknowledging that that broader impact, those broader costs, have to be made part of the decision.

I certainly think we need to acknowledge that there is an impact here, but I would also say, look, let's not kid ourselves. There are entities out here taking advantage of all this to make a better business case for themselves. There are entities out there using this to create jobs and economic advantage for them. Let's not forget that dimension in all this, even as we acknowledge that it is a dimension to this problem.

Just to move the microphone around, maybe, do we have a question from my back? Do we have a social media question at all, or do you want to wait? Let's move it with my tune.

Thanks. Patrick Tucker with Defense One. A couple of reports come out in recent weeks about ISIS using the dark web to raise money through Bitcoin. The dark web, basically a bunch of anonymous computers, a bunch of anonymous users that are still able to find each other. Can you speak a little bit to that problem in terms of intelligence collection of the dark web? What does it mean to you, and how are you going about finding a solution to some of these really big problems of how to find people using that, that don't want to be found, but are effectively using it for fundraising, in particular ISIS?

Well, clearly I'm not going to get in the specifics, but let me just say this: we spent a lot of time looking for people who don't want to be found. That is the nature in some ways of our business, particularly when we're talking about terrorists or we're talking about individuals engaged in espionage or other activity against our nation or that of our allies and friends. In terms of what are we trying to do,
Broadly, I mean, first I would acknowledge clearly it's a concern. ISIS's ability to generate resources, to generate funding, is something that we're paying attention to. It's something of concern to us because it talks about their ability to sustain themselves over time. It talks about their ability to empower the activity that we're watching on the ground in Iraq and Syria, Libya, other places. So it's something that we're paying attention to. It's something that we're also doing more broadly than just the United States. This is clearly an issue of concern to a whole host of nations out there. I won't get in the specifics of exactly what we're doing, other than to say this is an area that we are focusing attention on.

As we move across here, just to follow on that question regarding ISIS, because when we speak to counterterror officials they talk about ISIS supporters here in the US, and, you know, a different level of the problem than you have in Europe, for instance, and certainly in the Middle East. Since the web is the principal form of radicalization for a lot of these, particularly lone wolves, right, the folks who don't travel, it must be pretty easy to track, is it not, if it's happening on the web, etc.? Can you identify pretty quickly and easily someone who is going down that path?

I mean, it's not quick and easy. Remember, as the National Security Agency, we are a foreign intelligence organization, a foreign intelligence organization, not a domestic US law enforcement or surveillance organization. So when it comes to the homegrown kind of in the US, that's really not our focus. Our focus is on the foreign intelligence side, attempting to find the connections overseas, and then, quite frankly, partnering with FBI and others to say, okay, so if we've generated insights about activity we're seeing overseas, hey, how does this tie into activity that we may or may not be able to detect in the United States?
And that's why partnerships open are so important to us, because we are a foreign intelligence

I suppose, I mean, it's one of those: folks here make contact with folks over there. That's what I'm saying, is that I imagine it's not as easy as it sounds, but

It's not easy. But it's something that we pay attention to. It's something we track. It's where we partner closely with the FBI as we say, okay, so we've seen this, there may be a US connection here. Hey, this now becomes a law enforcement issue vice a foreign intelligence issue.

Understood. I think right here.

Hi, Ethan Chao. Hi. As director of NSA and United States cyber, do you think we're positioned effectively to address the new cyberspace as a new domain of war fighting, and how does that differ from land, air and sea, and do you think we need improvements, and in what aspects?

So do I, do I think we're where we ought to be? No. Now, part of that is just my culture. My culture as a military guy always is about: you are striving for the best, you are striving to achieve objectives, you push yourself. I would say we're in a better position in many ways than the majority of our counterparts around the world. We've put a lot of thought into this as a department. US Cyber Command, for example, will celebrate our fifth anniversary this year. So this is a topic that the department has been thinking about for some time. In terms of, well, what makes it challenging, what makes it difficult, is, let's look at this from a defensive standpoint. And one of the points I like to make is: so we're trying to defend an infrastructure that has been built over decades, literally, and most of which was created at a time when there really was no cyber threat. We're trying to defend infrastructure in which redundancy, resiliency and accessibility were never design characteristics. It was all about: build me a network that connects me in the most efficient and effective way with a host of people and lets me do my job.
So you didn't worry about, well, were people going to attempt to pin, when we design most of these, concerns about people's ability to penetrate those networks, to manipulate data, to steal data, really wasn't a primary factor. So there's also a component in the department, as we're looking to change our network structure, that's just something that, those were really core design characteristics. So that's a challenge. And then clearly we're trying to work our way on the offensive side through, so, and it kind of goes to one of the questions, Jim, that you had previously asked: how do we do this within a broader structure that jives with the law of armed conflict? Because remember, when you're looking at the application of cyber as an offensive tool, it must fit within a broader legal framework. That legal framework, the law of armed conflict, international law, the norms that we have come to take for granted in some ways in the application of kinetic force, dropping bombs, we've got to do the same thing in the offensive world, and we're clearly not there yet.

Where's the thing? Just, gentleman's been patient over here.

Admiral, my name is Hugh Macklerath. I'm a retired Navy cryptologic officer, among other things.

A fine man.

And I was remarking with another colleague, who may still be here, we were having the same discussions 20 years ago. Now, there has been progress. There's Cyber Command. There's the NSD, FBI. But why is it taking us so long to grapple with this compared to, say, the advent of nuclear weapons, and we have the National Security Act of 1947?

Well, my first comment would be, and a guy who was a cryptologist a few, 20 years ago, I sure don't remember having those conversations. In terms of, can you say the last part about it again? You were talking about duration. Why is it taking so long, right?
I do not want to minimize the progress, and your position I view as progress. But it is taking us a long time. If it's not 20 years then it's 15, and that compared to a much more compressed timescale for other cataclysmic changes in national security in the middle of the last century.

Well, I take, for example, the nuclear example you use. You know, we take for granted today the nuclear piece as something with very established norms of behavior, well-established principles of deterrence. My comment was, you know, how long it took to develop. We take them for granted now because we look at over almost 70 years since the actual development of the capability. We take it for granted now. But if you go back in the first 10, 20 years, we were still debating about, well, what are the fundamental concepts of deterrence? This whole idea of mutually assured destruction, that didn't develop in the first five years, for example. All of that has taken time. Cyber is no different. I think among the things that complicate this is the fact that cyber really is unsettling in terms of the way we often look at problems. So if you look at the military, we often will use geography to define problems. It's why we have a Central Command. It's why we have a European Command. It's why we have a Southern Command, for example. Cyber doesn't recognize geography. If you look at the topology of that attack from North Korea against Sony Pictures Entertainment, it literally bounced all over the world before it got to California: infrastructure located on multiple continents, in multiple different geographic regions. And cyber also doesn't, it doesn't really recognize this clear delineation that we as a nation have generally created over time about what's the function of the private sector, what's the function of the government, and how does this whole national security piece. Cyber tends to blur
that, because the reality is, for example, if I go to work and I'm using at work literally the exact same software, the same devices I'm using at home and my personal systems, it just has blurred the line. So that makes it very, very complicated. But I share your frustration in the sense that it's not as fast as I wish it were, but it isn't from a lack of effort and it's not from a lack of recognition.

That makes sense. I think you, that, oh, let's go, and we'll go cyber.

Thank you, Admiral, for coming. My name is Alex Thomas. I'm the CISO at Yahoo. So it sounds like you agree with Director Comey that we should be building defects into the encryption in our products so that the US government can decrypt.

So that would be your characterization.

I think, I think, I think Bruce Schneier and Ed Felten and all of the best public cryptographers in the world would agree that, the kind, you can't really build back doors into crypto. That it's like drilling a hole in a windshield.

I've got a lot of world-class cryptographers at the National Security Agency.

And I've talked to some of those folks. I think some of them agree too. But so we agree that we don't accept each other's premise. So you, so, okay, there you go. We'll agree, disagree on that. So if we're going to build defects, back doors or golden master keys for the US government, do you believe we should do so? We have about 1.3 billion users around the world. Should we do so for the Chinese government, the Russian government, the Saudi Arabian government, the Israeli government, the French government? Which of those countries should we give back doors?

So I'm not gonna, I mean, the way you frame the question is designed to elicit a response.

I mean, do you, do you believe we should go back doors for other countries?

Um, my position is, hey look, I think, number one, that this is technically feasible. Now, it needs to be done within a framework. I'm the first to acknowledge that you don't want the FBI and you don't want the NSA unilaterally deciding,
So what are we gonna access and what are we not gonna access? That shouldn't be for us. I just believe that this is achievable, and we'll have to work our way through it. And I've been the first to acknowledge there's international implications to this. I think we can work our way through this.

So you, you do believe that then we should build those for other countries if they pass laws?

I said I think we can work our way through this.

So I'm sure the Chinese and Russians are gonna have the same opinion.

So I said I think we can work our way through this.

Okay, nice to meet you. Thanks.

Thank you for asking the question. I mean, there's gonna be some areas where, you know, we're gonna have different perspectives. That doesn't bother me at all. One of the reasons why, quite frankly, I believe in doing things like this, and when I do that I say, look, there are no restrictions on questions. You can ask me anything. Because we have got to be willing as a nation to have a dialogue. This simplistic characterization of one side is good and one side is bad is a terrible place for us to be as a nation. We have got to come to grips with some really hard, fundamental questions. I'm watching risk and threat do this while trust has done that. No matter what your view on the issue is, or issues, my only comment would be that's a terrible place for us to be as a country. We've got to figure out how we're gonna change that.

For the less technologically knowledgeable, which would describe only me in this room today, just so we're clear: you're saying it's your position that in encryption programs there should be a backdoor to allow, within a legal framework, presumably approved by, whether it be Congress or some civilian body, the ability to go in a back

So backdoor is not the context I would use, because when I, when I hear the word, phrase backdoor, I think, well, this is kind of shady. Why wouldn't you want to go in the front door, be very public? Again,
My view is, look, we can create a legal framework for how we do this. It isn't something that we have to hide per se. You don't want us, you know, unilaterally making that decision. Again, I'm the first to acknowledge that. But I think we can do this.

We want that ability. You want that capability? I do want to get to the back, but do we have a social media question? Fantastic. Why don't we do, we had 13 minutes ago? Why don't we do a couple, and then I do, I see you in the back, so we're gonna get there as well.

Well, first I would just note that according to the internet and some of our high-profile Twitter users in here, we are now trending. So new am cyber is actually trending, so you should continue to tweet throughout the conference.

Where are we in relation to Birdman?

Oh. Okay, so here is a selection based on the previous comment about backdoors for Russia and China. Christopher Sagoian, see Sagoian. By the way, I may pronounce half of these things incorrectly. The question is: are foreign governments spying on cell phones in Washington, DC? Are our phones secure, and if so, what could be done?

Did you say, I apologize, I didn't hear the beginning.

Are foreign governments spying on our cell phones in Washington, DC? Are our phones secure, or what should be done?

Do I think there are nation-states around the world that are attempting to generate insights as to what we are doing as individuals? I think the answer to that is yes. The second question was, do I think, what do you think we should do about it? Well, one thing we always do in the department,
I remind people is, don't, don't assume that, you know, there's a reason why we have unclassified systems in the Department of Defense, the reason why we have classified systems and unclassified systems. And so for DoD users, always remind them: hey, look, we're potential targets. So make sure you're using your cell phone, for example, in an appropriate way, just as I make sure that I use mine. I mean, otherwise, you know, it's where the standards of encryption, of encryption that we've talked about. Again, I'm not arguing that encryption is a bad thing, nor will you hear me say that security is a bad thing. Hey, I'm a US person. I'm a US citizen. I use a cell phone. I use a laptop. I want those systems to be every bit as secure for myself and my children as you do. I'm just trying to figure out, so how do we create a construct that lets us work between these two very important viewpoints?

Okay, so that question, I'm sure, came partially out of the concept of encryption of commercial cell phones. So on that point, from Russell Thomas, or Mr. Merit ology: what can be done institutionally to make collaboration between the private sector and the government marginally better on cyber security?

I mean, I think clearly, I would second the thought. I mean, I think clearly this is an area of significant improvement. I think on the government side, we've got to simplify things. One thing I constantly tell my counterparts is, look, let's be honest. If you were on the outside looking in at the US government in the area of cyber security, we can be very complex. We have got to simplify this. We've got to make this easy for our citizens, for the private sector, and for us to interact with each other, to ultimately get ourselves to a position where we can share information real-time in an automated machine-to-machine way, because given the speed and complexity of the challenges we're talking about in cyber,
That's where we've got to get, and we've got to work our way through how are we going to do that in the US government. Homeland security, the Department of Homeland Security, clearly plays an essential role here. As both the director of NSA and the commander of US Cyber Command, our capabilities support them and other US government partners in our attempts to do that.

On that topic, as a journalist I've asked the NSA whether my cell phone communications have been monitored in any ways. I submitted through proper channels. I got a response. We appealed. Why, and we got a stock response, which others have gotten. I'm a journalist. I lived overseas for a long time as part of my work. I spoke to people who I would imagine you might want to listen to, so some in the terror community, etc. Why, as an American and a law-abiding American, why won't the NSA tell me if they've looked at my phone communications?

Well, first time, if you're asking me directly, I don't know the specifics for you.

But it's a policy, because they've told others the same thing.

So what I would say is, look, it is a matter of law. To do focused collection against a US person, I must get a court order. I have to show a valid basis for why we are doing that. Is there a connection with a foreign nation, i.e., that US person is acting as an agent as a foreign government? And yes, that does happen out there. Is that US person part of a group, in this case, let's say ISIL is an example, who is attempting to do harm? You know, I have to show a court a legal basis for the why, and it can't just be, well, we don't like journalists. What I wouldn't say like it. That's not a valid legal reason.

So if it were to happen you would have had to have a court order, but that's something you wouldn't tell the person who was involved.

No.

Okay, I have one more topic, one more, then we'll go to the back.
That's possible. So from John LaPriese, the question is based on last week's announcement, or research that Kaspersky has announced, that there were, there was news of firmware hacking. Has the firmware of core network routers or repeaters been similarly hacked, and if so, would this compromise the architecture of the internet?

Technical question. Jack, my quick answer would be no. But in terms of, I'd go to the first part. You know, I'm aware of the allegations that are out there. I'm not gonna comment about them. But in terms of, based on what I've read, does that mean, lead me to believe that the internet has somehow been compromised? No.

Thank you very much. Back of the room on the left.

I'm Mike Nelson. I'm a professor of internet studies at Georgetown, and I just recently started working for Cloudflare, which protects about a million websites around the world from DDoS attacks, provides SSL encryption. I was at the cyber summit the White House did a week and a half ago, and one of the topics that you kept hearing in the hallways was about how American companies are very uncomfortable sharing information with the US government if they can't share that same information with dozens of other governments. I'd be curious to know how we're supposed to decide which governments are okay to share with, and how we deal with the fact that the Belgians and the French and the Turks and everyone else wants to know what we're sharing with you. And our customers want to know that too, right?

So again, it's another reason why I think that legal framework becomes very important here. And now I'll be honest, now you're getting the specifics of an area that isn't, you know, my personal focus. I certainly understand the concerns.
Don't get me wrong. But my comment would be that idea is not unique to cyber. For example, there's, you name the business segment, and just because we share something internally within the United States doesn't mean we do so automatically everywhere in the globe. So I would argue cyber is not exactly unique in this regard, nor is the challenge that it presents. And it is a challenge, I acknowledge that, to the private sector you need to cyber.

Do we have time for a couple more? Maybe way in the back here, to just another area we haven't, to be geographically fair.

Listening to the conversation today, one thing that's fairly clear, and you mentioned it: we need to decide what the social norms are around which we build the policy and legal frameworks. But clearly, listening to Bruce Schneier and Alex Demos and you, the social norms aren't worked out yet. So what's the process by which we get the dialogue going so we can figure out what those norms are, which has to precede figuring out what the policy and legal frameworks are?

So I think interactions like this are part of it. I think the interaction with our elected representatives.
Hey, look, they are the ones who create the legal framework that we use. So I encourage all of you, all of us as citizens, to articulate our viewpoint, to help them understand the complexity of this issue, and to help them understand just what our viewpoints are as we're trying to work our way through this. The other thing that I've, at least for me, I'm trying to do outreach as well in the academic world, because one of the things that I'm struck by is, and it goes back to your question, really, started talking about the nuclear piece. If you go back and look at some of the foundational work that was done on nuclear deterrence theory, for example, much of that, back in the 40s, in the 50s, was done in an academic arena. You read much of the initial writings, you know, Kissinger and Harvard, others. There was a strong academic focus on, so how are we going to understand this new thing we call the new, the atom bomb or the new hydrogen bomb? And so I'm trying to see, is there a place in the academic world for the same kind of discussion? Hey, how do we get to this whole idea of the social norms, and what are we comfortable with?

One more, just to the way back here. You are so close.

Thank you. Leandra Bernstein, Sputnik International News. Question about

Liam. Was it Liam? Did you say Leandra?

Leandra.

I apologize. Can you, I couldn't hear you after your, your voice trailed off. I apologize.

Oh, I'm with Sputnik International News.

Sputnik.

Russian press.

Okay.

Uh, so you've addressed the Kaspersky reports, that you wouldn't comment. There was another report on the NSA, GCHQ hacking encryption keys in a SIM card, SIM card provider. Can you respond to that? I mean, you've, you've said that we need to have a discussion, a public discussion, so how would you get that started by addressing these, these allegations?

So the first comment I'd be, I would listen to these allegations for some period of time.
This isn't something unique per se. And again, my challenge as an intelligence leader is, even as we try to have this dialogue, which I acknowledge we need, how do I try to strike the right balance between engaging in that broad dialogue and realizing that compromising the specifics of what we do and how we do it provides insight to those that we're trying to generate knowledge of, who would do harm for us as a nation? And so as a general matter of policy, I have just said, hey look, I'm not, in public unclassified forums, getting into the specifics of what does, in terms of the very specific things like you've referenced. I am not going to chase every allegation out there. I just, I don't have the time. We need to focus on doing our mission, but making sure we do it within that legal and authority and policy framework. But that's the promise that I make to all of you. That is what we do.

When private companies make these allegations against you, what's, can you address that impact generally?

I'm not going to get into the specifics.

We get time for one more. Since this is a cyber conference and we're trending, do we have another one on the web? All right, fair enough. You are ruthlessly efficient. I think it's going to take us out of trending. You're about right here in the front, probably our last one.

Thank you. Joe Marks from Politico. I'm not going to ask you about encryption. Wanted to ask about standing up CYBERCOM. You said earlier that you think that at this point CYBERCOM and NSA still need to be dual-hatted. A lot of people in the services have said that a lot of the process of building up CYBERCOM has been sort of shifting people who already are working in this field over to cyber mission forces. Are you concerned that you aren't bringing enough new people, new cyber
experts into the military, and that you're taking away some native capability that ought to be in the services?

The short answer is no. And I say that, remember, in the job before this, I was also, in my previous job before these two, I was the Navy guy. So I was a service guy responsible for developing the Navy's cyber force. So I've lived in that service world about how you man, train and equip, how you create a force. And now I find myself as the joint commander with overall responsibility across the department. If I go back to when I started in cyber in the department about 10 years ago, boy, our ability to recruit, retain, and train and educate a cyber workforce over time, I was really concerned about, would this fit within the traditional DoD model about how we develop people, how we promote them, how we retain them over time. Fast forward a decade later, and I have been pleasantly, knock on wood, pleasantly surprised by our ability to do that. And so for right now my quick answer would be no. I'm comfortable that we've been able to gain access to the people that we need, that in so doing I haven't had to strip massive amounts of capability from other very valid, you know, similar requirements within the department. We'll have to watch this closely over time, though, to see if that, if that changes. There's no doubt about that.

Since time's up, final thoughts?

None other than I thank you for your willingness to engage in a discourse, and I think it's a positive for us. Look, clearly these are important issues to us, and yet we're able to do this today without yelling and screaming at each other, or pointing at each other and making accusations against each other. We have got as a nation to come to grips with what's the balance here. And there's going to be a lot of different perspectives out there.
I understand that. I'm constantly reminding our force, our workforce: be grateful that you live in a nation that's willing to have this kind of dialogue. That's a good thing for us. And are there tensions along the way? Yeah. It's not unique to cyber, and it's not the first time in the history of our nation we've had challenges like this, and it won't be the last. But if we really are willing to sit down and have a conversation, we can move where we need to be. And with that, I thank you very much for your time.

hammer watches. Thanks very much. Really enjoyed it.