We're also joined by General Michael Hayden, who is to Mr. Chertoff's left. General Hayden, of course, is also a principal of the Chertoff Group. Prior to that position, he was the director of the Central Intelligence Agency. He was responsible for overseeing the collection of information concerning the plans and intentions and capabilities of America and its adversaries around the world. At the Chertoff Group, he uses his knowledge and expertise to consult with and provide strategic advice to business and governmental entities. Before running the CIA, he was the principal deputy director of National Intelligence. Prior to that, he was the commander of the Air Intelligence Agency, director of the Joint Command and Control Warfare Center, director of the National Security Agency and chief of the Central Security Service. And then finally, we're joined by Jim Lewis, who I think most of you, all of you, probably know. Jim is a senior fellow and director of the Technology and Public Policy Program here at CSIS. In this role, he writes on technology and security and international economic issues. He's had a prolific career as an author and writer. He's published over 90 publications since joining CSIS, including a series exploring the relationship between technology and innovation and national power. And he's also an internationally recognized expert on cybersecurity, whose work includes the bestselling publication Securing Cyberspace for the 44th Presidency, published in 2008. He's had a long-running dialogue on cybersecurity with the China Institute of Contemporary International Relations, and he's a faculty member at Johns Hopkins and previously at a number of other universities in the local area. Let's jump right into it. We have a small amount of time and a lot to cover, and I want to start by asking Chairman Rogers a question.
And of course, he's been a stellar leader when it comes to the CISPA bill in the House and the concept of information sharing and getting the laws and the constructs in that regard more modern, more practical, more usable while protecting privacy rights. But Chairman Rogers, that legislation, at least in the Senate, seems to be stalled. I know there's still hope that legislation around improved information sharing could come forward, but I think the observers are saying it's stalled. Can you give us some hope, or at least an assessment?

Well, a couple of things. I think clearly the recent round of leaks by a former NSA contractor has damaged the perception about how we move forward on the information sharing bill. That being said, and I know folks have said it's dead, folks have said it's not going to move, the sheer determination, I think, of Dianne Feinstein and Saxby Chambliss and myself and Dutch Ruppersberger is that despite those setbacks, despite the fact that we've got misperceptions on what the bill does and what its intention is and what information it actually touches, we think that there is some hope that we can continue to move this particular piece of legislation. So we have been engaged, even in the last few weeks, on changes we think we can make that people will, we call them confidence builders, that can build confidence in the American people and people who are skeptics of what this bill's intentions are, to make sure that they understand, A, what the threat is and, B, that there is oversight and, C, that there is privacy protection and civil liberties protection in the bill. I think we can get there. It's not going to be easy. Obviously, if it were, we'd have had the thing out of the Senate already. But I do think that there's a path forward on this, and I don't believe we can walk away from what is the most serious national security threat facing the United States that we are not prepared to handle.
Mainly because the private sector is the most exposed. You know, the government networks are in pretty decent shape when it comes to the intelligence and military side. It's the 80% of the private sector that is so exposed out there, which presents a kind of a new dynamic in this century of threat to American enterprise. So it's not over yet. I think the articles claiming it is dead are way too early for that. It's a little ill, but the CISPA bill is certainly not dead yet. So I really do believe there's some hope for movement forward on this.

I just want to turn to General Hayden. General, the industry, including the financial services industry, has faced something called DDoS attacks, which is distributed denial of service attacks. And while they are annoying and frustrate the consumer experience and can be troubling, they have been managed, in a loose sense. But people are worried about what comes next. What do you see as the next evolution or phase or degree of seriousness in terms of the cyberattacks facing not just the financial services sector but American interests more broadly?

Sure. The way I parse it is I talk about cyber sins and cyber sinners. So let me just rack up the sins. There's the most prominent one out there, and that's just raw stealing your stuff. It's cyber espionage. It's done for state purposes. It's done for commercial purposes. It's done for criminal purposes. And then there's cyber activity to disrupt your network, to actually not just steal your material but actually make it more difficult to use your own infrastructure for whatever purposes you've built it. And then finally, and this has been rare to date, but it's going to become more common, it's to use a weapon comprised of ones and zeros to control someone else's network, to then use that control to create not cyber damage but to create physical damage. The poster child for that obviously is Stuxnet and the destruction of what Iran can only describe as their critical infrastructure.
So those are the sins. The sinners are state actors, criminal gangs, and then a third group, which is very hard for me to define, fairly amorphous: the disaffected, all right, those with perhaps difficult to understand and even more difficult to satisfy demands. And blessedly, if you look at this taxonomy of sinners, the most competent are up here at the state level, and then criminals, and then this third group, and that's good. I mean, states can behave badly, but states have to be aware of consequences, and criminal gangs can behave badly, but that's essentially a symbiotic relationship. They're a parasite, and it's an odd parasite in nature that gets a kick out of killing the host. It's the third group that's least capable now but may actually be potentially more destructive, and what I fear is, as the tide comes in in terms of cyber capability, this third group begins to acquire capacities, in a period of time that's not long, not measured in decades but perhaps in a few years, begins to acquire capacities that we now only associate with criminal gangs or nation states. And then you've got the financial services institutions. Can you imagine a more iconic target in terms of capitalism and things that we believe in than those groups? Right now, I think the high-water mark is what you described, Governor, and that's what to my mind is a state-sponsored series of distributed denial of service attacks against American banks to degrade their networks, and my money is it's the Iranians. It's the Iranians' attempt to prove that there are consequences in the cyber domain and that they can exact some punishment. So they've conducted massive distributed denial of service attacks against financial institutions that have been severe, that have been costly, that haven't quite broken the threshold of nuisance yet, but the worst is yet to come.
That's a good transition to the next kind of question, which I'll direct to Jim Lewis initially, and that is, Jim, there's a lot of thought historically that China and Russia were engaged in the types of, if not state-sponsored, at least state-tolerated activities that the General just described, but there were at least some unspoken rules of the road about how far they would go and the scope of their activities, namely espionage for commercial purposes but not destruction, data destruction or physical destruction for terroristic or warfare-like activities. But now that we see the entrance of many other either state-sponsored or state-tolerated actors, is there a wild card element that didn't exist 10 years ago, 5 years ago, that is even more perplexing, more problematic, and what might that look like?

Yeah, it's been an interesting couple of years, and I think the biggest surprise for people in some ways was Iran, which a few years ago you wouldn't have thought of as having a lot of capability, and they certainly have the willingness and, some would say, the expertise to do real damage. The incident that you'd want to look at is, of course, their activities against Saudi Aramco, which were very damaging, and they have, at least before the new president came in, looked at the US as a potential target. We've also seen the North Koreans move along. They've focused all their attention on South Korea so far; hopefully that will continue, although it's unfortunate for the South Koreans, particularly looking at banks and media centers. To echo something that General Hayden said, though, I was talking to a member of a European intelligence service a couple of weeks ago who said that in their view there are somewhere between 20 and 30 high-end criminal groups that have the capabilities of a nation state when it comes to cyber activities, and that these groups, most of them, live in a country that begins with the letter R, and it's not Romania, and that these groups are focused heavily on the financial
sector and they're looking for ways to get money, and that we're seeing this diffusion of capabilities, the commoditization of cyber attack, so that people are going to be able to go online and buy tools that will let them go after targets that we might have thought were safe a year or two ago. So there's been some progress, certainly, in the last few years. There would be more progress if we could pass the darn bill in the House, but while they're at the Senate, oh sorry, I'm sorry, the Senate, we don't work in the House. I'd like to see your bill become law; that would be a plus. But while there's been improvement on the defensive side, the improvements on the offensive side, the improvements among our opponents, have grown at an even faster rate.

Let's get Secretary Chertoff to join the discussion, and we'll get him the microphone there, because I know they're having a hard time hearing, I guess in the back or on the audio, so if you could lean into that, that would be appreciated. Secretary, you've been heard many times in many of these contexts talking about hardening targets, resiliency, preparation, coordination and the like. The assessment of industry in the sectors, including the financial services sector, seems to vary wildly. Could you give us kind of a current state assessment from your perspective about the state of preparedness of American industry? And then you mentioned something recently about insider threats that I think is worth touching on and very important, so if you could do that as well.

A couple of points. I think, Governor, it is correct to say that there is a real variation in the degree of preparedness. My experience is, generally speaking, the financial services community and the electric industry do focus on this and are reasonably sophisticated, although again, if you look at the differences between the large Tier 1 operators and the less capitalized operators, there is obviously some variation. The ones that are at the top of capitalization tend to have more to invest and be more
sophisticated. If you have attacks, excuse me, that work their way further down, you're going to wind up with maybe less capability. There are other parts of the economy, frankly, maybe they don't view themselves as being targets, that are less skilled, and one of the challenges we have is we're very interdependent, and a failure in one area tends to have a cascading effect. So if there's a problem, for example, with traffic lights, and someone gets into a system, a transportation system, and is able to shut down or tamper with traffic lights, that's going to have an impact across an entire city. So we have to recognize this is a case where the weakest link really brings the entire chain down. The second challenge, I think, is there's still a little bit of a tendency to look at the solution set here as a magic tool or a magic device: you buy it, you put it on your network and your work is done. It's a little bit in the mindset of what some people describe as the M&M theory of cyber defense: hard candy outside, soft center. The reality is it doesn't taste as good, and the problem often begins inside. One of the challenges is to recognize that the attacks come in a lot of different forms. As people imagine, over the network, with somebody coming up with a new exploit, but a lot of times what they're doing is they are tricking people inside the network to invite in the malware or the exploit or to surrender their credentials, or you have insiders who, either through negligence or malice, and Snowden's a classic example of this, open up the network to outsiders coming in. So part of the challenge is to recognize that you have to have a holistic approach to security, and it's one in which, in particular, although the government has a role to play, and I echo the call to see the Senate act on Chairman Rogers' effort here, it's still at the end of the day a battle that is fought largely in private networks. And so it's not going to be enough to say the government's got to protect us. You've got to build the capability
within and coordinate with the government to get the value of being able to defend yourself.

Coordinating with the government leads to another interesting topic, which is the buzzword in a lot of these discussions: information sharing. A desire by industry and the private sector to get the benefit of knowledge and expertise that the government has in early warning, also government agency to government agency cooperation, business sector to business sector cooperation, all of which bumps up against some legal constraints. I know, Chairman Rogers, you tried to address some of this in the bill, but as we talk about the buzzword information sharing, could you kind of just illuminate the hurdles that you see that would allow more information sharing between businesses but also business to government? And at what point is there a tipping point or an inflection point around privacy rights? Of course, people are concerned about this information sharing going too far and revealing information that unsettles individuals from a privacy standpoint. So put a little meat on those bones for us.

You bet. And first of all, there is information sharing in cyberspace today, and it is very robust; it's entrepreneurial. The problem is the only real robust information sharing to enable those 20 organized crime based cyber threats comes from government agencies, intel services, both giving and selling information on the black market that empowers those groups to improve their capability to where now, as Mr.
Lewis pointed out, they are nation-state capable. And so we've seen the next level of that in China, even on the economic espionage. Imagine this: individuals who work during the day for military and civilian intelligence agencies, and they are provided lists of companies that they are to target during the day. Well, that list is pretty long, and they want intellectual property for the purposes of taking it back to repurpose it with Chinese industry so that they can compete, I would argue illegally, in the world market. So what, they're very clever, so they've gotten a new way to share as well. They are selling their services at night and on weekends for cash money to people who are way down on the list. So now you've doubled your threat just about overnight with these folks doing it, and they've added their own bit of sharing that I would argue is dangerous. So what we're trying to accomplish is this: about 80% of the threat, roughly, is something that the private sector can absolutely handle. We can handle it through education. You know, the Freddy the Firewall PSA is coming to you, you know, real soon, about how you can protect your own network and what is computer hygiene and what is being safe, the basic education. We have one particular CIO, who will tell you, of a very reputable cybersecurity company, he has a 7% rule, and that 7% rule is on spear phishing, which, by the way, when you talk about the Chinese threat, is the number one threat, and other agencies as well, but they are the most dominant in this space. 7% of your employees will click on anything, I mean anything, that you send them, right? One of the examples was given: they had a great spear phishing campaign where they email you and say, hey, your health care is kind of screwed up and we need to go into your file and you need to help us change it. Don't give any personal information, but you need to re-contact us. It's a UK, it's a .uk domain name, right? If the British are asking about your health care and your system here, we would, in the FBI we would call
that a clue, right? Don't click on it. But guess what, 7% click on it anyway, right? This is a cultural problem we have to educate our way through, and that's not going to happen anytime soon. That last 20%, that really tough stuff, the very sophisticated stuff, that's where government to business, business to government, business to business sharing can help us tackle that top 20% in this particular problem. So what did we decide to do? It's to say, listen, it's our job to encourage our intelligence agencies, who do an exceptionally good job of going overseas and trying to find out what is the threat to the United States of America, right? And now currently they'll bring back that threat and protect government networks. Our argument was, shouldn't we take what information we have, these are zeros and ones, this is malicious source code, and if you can share this in real time in a classified setting as far upstream as you can get in networks, why wouldn't we do that? Why would we not provide the private sector the ability to defend themselves against something that we know is a threat? Currently, under the current system, you get something in your system, and the only way you know, if you're out in Iowa and you're a third tier supplier for a major defense company, you get a knock on the door by the FBI saying, oh, guess what, you've been penetrated, boy, really sorry about that, they've been there for X amount of years. Wouldn't it be great if you could prevent this from happening in the first place? That's the whole goal of what we are trying to do in cyber sharing. It has to happen in real time. This is going to work because the threats are morphing and changing constantly, and this is about zeros and ones at light speed. So you'll be talking about real time sharing at hundreds of millions of times a second with no personally identifiable information being exchanged, and we can do that. That's the most frustrating thing about this: we can actually do that today. It is not an insurmountable task. So I think it was
General Hayden who kicked this off, about the defense industrial base project. I think that was under your tenure when you guys were formulating that and putting it out. So we said, hey, can this work, can you really do this in real time and protect those networks? And what we found with the 17, primarily defense contractors, because they had a classified relationship with the United States government, can you do it in a way, at real time speed, that actually protects information and allows your defense companies to get better? Oh, and by the way, contrary to popular belief, the US government is not monitoring US networks. Well, if you give us what you're getting hit by, or what has scooted into our systems, we can be equally as helpful by going overseas trying to figure out where it's coming from, right? This is a mutually beneficial defense we can act on, if you will. And so what we found in the 17 is, absolutely, it works. We identified a whole bunch of vulnerabilities, not necessarily in those companies, because these tend to be the biggest, most robust, most advanced in cyber protection, but supply chains, and it really identified where our weaknesses were across the country. So we know we can do it. We have the ability to do it. The only thing we're lacking now is the misperception that somehow this is going to be the NSA. Now, if we can have a technical conversation that people can understand, this thing would be done in a heartbeat. They're not reading your emails. There is no personally identifying information. It is malicious threat code, zeros and ones, flying by, machine to machine talking and basically filtering, if you will, as far upstream as you can get, and it stops at least a good chunk, I've heard as high as 90%, of that top 20% I talked about, the hardest problem. Imagine if we could take 90% of that problem off the table today, what that would mean. And then our real fight would be how do you get that last really sophisticated, nation state generated, Stuxnet kind of a
virus or malicious code out there. And so that's what we tried to do. There are, you know, the bill was not very long. It was 13 pages when we started; I think it's 28 now with amendments. And we thought people won't take it seriously; we're going to have an amendment of 400 pages that said really nothing, just to make people know, hey, this is big, it's serious. And there are more things in that bill that say what you can't do than what you can do. So we built in tons of protection, bringing in privacy groups, and we brought in everybody, all the stakeholders, and we said, hey, if you can get Palo Alto and New York City, the financial network guys, and you can get Silicon Valley on the same bill, agreeing that this is the right approach, with the light touch of government and only a sharing framework, we would get somewhere. And guess what, it happened. You don't find that in this town very often. They did it because they see the threat and they understand this is a very light touch. There's no mandate; it's all voluntary. The one problem that we have, the reason why they have to have a piece of legislation, is liability protection. If we don't protect them from sharing, honestly, they won't do it. They can't do it. You know, they've got boards of directors who have fiduciary responsibility to say, don't expose my company unnecessarily, right? And so we built that in the bill. Again, the biggest problem we had was not the technical aspects of it; it was the perception of what it was. And when you think of this threat, that we are going to allow our private sector, the next generation of innovation, the next generation of the great economy here built on innovation, to fly out the back door because we have a misperception about what we're trying to do in defense, shame on us. If you realize how the Soviet Union collapsed, it's because they realized they could not sustain spending on defense matters, right? Think about what's happening in the United States today, right? We are losing our next generation of economic growth
because they're stealing it from us. Tell me what the difference is between the collapse of the Soviet Union, because they couldn't keep up on defense spending, and this notion that we are losing the next generation of innovation and economy in the United States of America. I would argue there isn't, and we better shake ourselves out of this very soon or we are going to pay a price, and we're going to hand the next generation a broken economy because somebody else stole it while we watched them do it. I think this is as serious and as big a problem as we better get our hands around. We are pretty close. I think we're finally getting people to understand what the threat is. Three years ago there would have been three people in this room, and most of them would have been here because they were in the wrong place and didn't feel like they could get up and leave without being rude. Finally we're starting to talk about it in a way that, you brought some of the great intellects in this stuff into the room talking about it. Again, I do think that this sharing piece is critically important, and it's a small piece. It won't be the only thing you ever have to do on cyber, but it helps us take such a big bite out of this problem by doing something pretty simple that we have the technical capability to do and protect your civil liberties. So, not that I'm worked up about this at all.

We appreciate that. General Hayden, one piece of this is security clearances, and of course even within a company you might have a situation where a CIO was previously cleared, but as you battle against these things, even at a DDoS level, you might have a situation where the general counsel needs to know, the CEO needs to know, he or she might be in Singapore when the matter comes up, and it would be helpful to have your COO know. And so you open the door to the need for, perhaps even in one company, numerous people to have proper security clearances, and while the executive order aspirationally says we're going to try to make that easier,
that seems to have not occurred. Could you talk a little bit about whether that's a legitimate goal, and how far you'd go with it, and what could be done to strike the right balance and get more security clearances so the types of information sharing could be even better and quicker and appropriate?

Yes, and let me explain, put an exclamation point on why that's important, and it's tied back to some themes you've already put on the table, Governor. One is information sharing and the other is the role of the private sector. Let me offer you a view. When we issue an operational order in the Department of Defense, we identify who the supported command is, all right, who's the main effort, and then we identify the supporting commands. If you read Civil War orders: you will conform your movements to the movement of the main body. I would suggest to you, in the cyber domain, very unlike, let's take airspace, we expect the government to control and defend our airspace. That's a governmental function, and therefore I think the government is the supported entity there, and other things feed into making the government capable. I don't think that's true, or at least it's not as true, in the cyber domain. I actually think the private sector is the supported command. The private sector, at the end of the day, is the main body, and therefore the government has to organize its activities to conform to the movement of the main body, or, perhaps better put in this domain, to enable the movement of the main body. And so, if you think of that in the background, I think it really highlights and underscores the requirement for information sharing and so on. So now you get to the specific question of who should be cleared. Well, the answer is the private sector. If you accept that theory, that they're the main effort, the private sector really needs to have clearances, and it can't be stingily metered out by ones and twos from a government who believes, or is acting kind of on the assumption, that this is fundamentally their
stuff and they're making an additional effort in order to share it with others. And look, American cyber power, at least as far as the government's concerned, has been generated by the American intelligence community. Its ancestral roots are the part of the American government that most classifies stuff, and most things, practically everything, ought to be secret. And so we're running uphill here in trying to make information more readily available, because it's coming from a cultural schema that generally classifies, and classifies too much. And then at the fundamental level, Governor, I would put it this way: every one of those "should I, should I not clear this guy" decisions at the operational, specific, tactical level is probably defensible. In fact, I made a bunch of those decisions while I was in government. But the cumulative strategic effect of these individually defensible, if not correct, decisions is that strategically we have harmed the ability of the main body to do what it is they need to do to defend us. And so I think we really do need to lean very hard on the executive order, on the direction that the president has given, and should not view this as just, let's accelerate the one-off transactional granting of clearances to specific individuals who have pointed out an absolute crying need. We need, fundamentally, a different approach as to where the line is between secret and not so secret.

Secretary Chertoff, another part of this information sharing is coordination within the government itself. You've had probably the most experience in this, dealing with a brand new organization when you were, I guess, the second leader of it, Homeland Security. But as you think today, has a piece of it, Department of Defense has a piece of it, Homeland Security has a piece of it, industries have a particular portal that they're associated with. In our case, the financial services sector, where many of our members are directed towards the Treasury, the ability to have that portal and yet have some sort of interagency
coordination is elusive in many instances, and let's just say it's suboptimal. What can the government do to provide this service? But in many cases they're under-resourced, mildly equipped. What can the government do to better streamline this government to government coordination, which would then in turn help government to industry coordination?

Well, not surprisingly, this remains a challenge. Back in 2008 we actually had the conception that you would create, almost in a single location physically, a combination of government and major industry sector representatives that in real time would be in an operations center and would have visibility into what was going on in the network, because, as Chairman Rogers points out, you know, when you're dealing with network speed attacks, you can't respond by sending letters using the post office. You've got to move at a comparable speed. That vision was not realized, but I think we can get there if a few things happen. First, I think the government has to finally, once and for all, resolve the issue of roles and responsibilities. There has been disagreement sometimes within the government about who plays what role. I think General Hayden is exactly right in using the model of supporting commands and supported commands. In the physical world, when we deal with domestic emergencies, DOD is a supporting element to DHS, which goes out and is basically the authority which operates with emergency management at the federal level, and that works as a very smooth relationship because it's been fully baked and people have written the plans. If we could get final resolution, I think we're getting there, but I'm not sure quite there yet, about that relationship in the cyber realm, that would alleviate one element of the problem. But then the next element is you've got to bring in the private sector, and you've got to do it in a way that allows rapid transmission, and the problem may almost be that we have a proliferation of different mechanisms. You have information sharing
groups called ISACs, you have sector coordinating councils, and the problem is that nobody knows exactly where to look. So once the government has finally baked what the roles and responsibilities are, I do think there needs to be one physical place, or at least one virtual space, with the ability to connect in real time with the major sectors of the economy. Some of that can be built within the private sector itself on a voluntary basis with information sharing platforms, but some of it will require interface with the government. That goes to the point, again, of clearances; that's been an obstacle sometimes. And one other suggestion I would make is this: typically people don't understand there are two elements to the clearance process. One is you've got to pass your background check, but the second is it's got to be in the government's interest that you have the clearance. Typically the way you get a clearance in the private sector is by being a contractor doing contract work for the government. I think one great change would be to have security officials in critical infrastructure be considered in the category of people who need to have clearances if they pass their background check. So that's also part of what you have to do in order to complete this architecture.

Let's go to Jim Lewis, and we'll wrap up with this round and then come to the audience for questions. So if you have questions, please let us know right after this round and we'll get to you just in a minute. Jim, as we think about Chairman Rogers' challenge and call for action, it has to be in the context of what we're working against, and there are always planning and coordination around what we know in the current state and the challenges we've seen to date. But what do you see as a potentially game-changing or highly disruptive, not evolution but dramatic unfolding of an event that could change this whole discussion, that perhaps people aren't thinking about? Or, maybe stated another way, give us a couple of worst case
scenarios that would perhaps motivate policymakers and interested parties to be more aggressive or more engaged or more action-oriented in this debate?

That's a great question, and it's, funnily enough, something I've been thinking about recently, because I was doing some research on what the benefits are of the programs Snowden has revealed, and one of the thoughts I had in reading some of this research was, remember, there is an, and don't take this as, this is a little to exaggerate, don't take this the wrong way, remember in 1998 or so a bunch of Algerian jihadis hijacked an aircraft and were intending to fly it into the Eiffel Tower? And I remember reading that at the time and thinking, hmm, that's interesting, I wonder what's going on in Serbia, right? I skipped right over it, and I think a lot of people did that. And then you might remember in 1998 Osama bin Laden declared war on the United States, and at the time I thought, the nerve of that guy, on to the next, because we're so big and we're so powerful we don't have to worry about these people out there. And one of the things that I don't think has come across to the American public is two or three times in the last few years we've teetered right up to the edge of something really bad happening. It happened in the last six months with Iran looking at critical infrastructure in the U.S.
It happened with some activities involving the domain name system that would have crippled the global internet. It happened with some activities directed against Wall Street, right up to the edge of that big event, and we're kind of where we were in 1998 regarding terrorism: hmm, this is really interesting, I've heard of this before, let's move on, where it's not time to move on. So how do we get that sense of urgency? Looking at, I don't know if you saw, there was a picture in the story in the Times, I think, the other day about how the Chinese arms industry is coming along. Go back and look at the picture of the Chinese drone, right? It looks really familiar, right? It looks like the Predator. Now, it doesn't mean they could have just taken a picture and maybe copied it. It's like, how many warning signs do we need, right? And are we going to make the same mistake? It won't be another 9/11. I hate cyber 9/11, I hate Pearl Harbor, I hate cyber digital Dunkirk, I hate all those things, they're exaggerations, but we're in the same pattern. We can see the iceberg coming towards the ship and we're saying, ah, it's really interesting, look at that big white thing. So how do we change that? And that would be really interesting to hear from people. I think all of us here on the panel feel a sense of urgency, and some of us have felt that sense of urgency for a long time. How do we get the American public to feel that way, and get people to realize we can't continue to just sort of count on good luck to protect us? How do we change that? And I don't want to think that it will take, this is a discussion I've had with one of your predecessors, Mike McConnell; his view is the only thing that will get the American people to take attention is when we're finally hit over the head with a 2x4. I hope he's wrong. He's maybe a little more right than I am. How do we get ahead of the curve? It's coming. What do we do?

One prominent person in this debate has been thinking about future scenarios, articulated this one: hackers or other
mischievous individuals or entities use their skills to get into a modest-sized financial institution, then use that as a portal to get into the treasury system, which then uses that to get into a series work basis, and in a very short amount of time, a matter of seconds, not a few million dollars is gone in stored value but, say, 50 billion, and by the time you wake up tomorrow morning 50 billion dollars is gone. And not only is it gone, but it's re-spent dozens of times in seconds around the world, so it's irretrievable. And you think about the implications something like that would have on consumer confidence, on markets, on investors, on people's ability to reduce the stored value at these institutions in cyberspace; it would have a devastating effect for all of those reasons. Let's go to questions now, and, sir, if you would just state your question, microphones coming, and if you have it directed towards a particular panelist that would be great to know; otherwise you can make it general.

Hugh grind stuff. My question is, with the reason it is Bradley slash Chelsea Manning, Snowden and the Navy Yard shooter, those are signs of where our guys were given security clearances but there were certain parts of their life that weren't really investigated. Are we tightening up on the security clearances? Because I think something like 800,000 people plus have either a top secret clearance...

I can take that. We're putting together a package now of how we change from a 1950s-style "is candidate A a good American," which is really, we've never really changed from that style of background check, and candidly in today's world it's completely, not completely, but it has very diminished impact on our ability to tell what is going on with somebody who has access to sensitive information. So we are going through a package that will have a more dynamic review for individuals as they seek a US government security clearance. Many times, we had to shake ourselves out of this, is that people, once they get a clearance,
think it's theirs. They own this clearance, this is my clearance. Wrong. It's not your clearance. You are permitted to have access for purposes of protecting the national security of the United States, a clearance that you don't get to own; you don't automatically have the right to it. And so what we've got to do is shake ourselves out of that old model: the interview, doing door to door in a neighborhood, of which most people now, with the moving, if you know your neighbors you're in the minority. We're changing out of that. We're coming into this new thing, hopefully in the next authorization bill, where we'll go to a more dynamic review of all the information that you can find on an individual who is seeking to get a security clearance, that we think, and by the way, on an ongoing basis, meaning, you know, that if somebody on a social site, who has a top secret SCI clearance, is saying something inappropriate about what they might do with that information, versus finding out when they show up in, say, Russia with thumb drives, that we might catch them much earlier. So we think we can do that. We think it's not a huge change, it's a bit of a cultural change, but we have the capability and the technology to do it now, so we're hoping to move to that very, very soon. Sir?

Yes, sir. I'm Terry Murphy, I'm with CSIS. I go back with into the long forest with Jim Lewis. I'm also from upper Michigan, Congressman. Yooper. I'm a Yooper. But I'd like to follow up on the intelligence back and forth, and it goes both ways. A few years ago, three or four, I was in a group of maybe 10, maybe 15 private sector people, including senior people of the United States intelligence services and foreign friendly intelligence services, who came over for specifically this reason, to talk to industry, and they said, we need, we, the friendly intelligence services, came and talked to us, industry, and said please, please, please, in export control, tech transfer, please tell your government when you see things
that don't add up, because the Brits do it, the Germans do it, other people do it. And this is specifically for you, Congressman: industry didn't want to do it because they immediately get the export enforcement people after them. So the government was resistant to hearing from industry, which frankly had the information. They knew when somebody came in and said, I'd quite like to buy something that is totally unsuitable for my claimed needs to run a pizza oven, literally, but it would be quite nice for making atom bombs. So the Brits tell their intelligence services, the Germans tell their intelligence services, the Americans are afraid to tell their intelligence services because the enforcement people will come after them. That's a cultural issue too, Congressman, and I think, I just throw that to whoever would like to comment on it. But I was one of 10 sector people and 4 US intelligence service people at that luncheon, all-day meeting.

A couple of things. When you talk about technology transfer, it was one of the first cases I worked as a young FBI agent, by the way, an illegal technology transfer at that time to the Soviet Union. They're hard cases, they're complicated cases, especially in dual-use technology. All of those things are issues that we constantly wrestle with, but I will do you one step further. Now you have the problem of nations buying industries, companies, sectors or sectors of businesses in the United States that have technology that is very concerning if it transfers. So there's two ways to go about it: I can either sell it to you, or you can come here and buy the company and take it yourself. And candidly the law is not configured today in a way that adequately addresses the second part of it, because for so long we never had that problem. Well, now we do. There are nation states who are concerning, that have military and intelligence services who are actively pursuing business pursuits based on their ability to take technology. That's just the
ability of the world we live in today. And so what we're doing now is going under, it's called CFIUS, we are, and this is not an easy process, I've decided that we are going to review this and we are going to change it to meet current threat levels. And so we are going through the process on CFIUS to change it, to adapt to the fact that if you have clearly a nation-state-driven purchase of a technology in the United States, it's fairly clear that the intent is to take that technology; we better have the law reflect our ability to do something about it. And on the other side, we constantly review at what level does a pizza oven cause us trouble, versus what we're really trying to get at is technology that we know can be a game changer. But here's the one thing I want to caution you on this review: sometimes the very fact that we are 10 years, 5 years, 8 years ahead in technology is in the national security interests of the United States. So you don't want to allow somebody to say, oh, that's old technology, we don't need to worry about that. What you allow a nation state to do is catch up just about overnight. That's where the problem happens, and that's where we're not good at that subtlety of making that determination. Please know we have working groups now put together to try to get through these really difficult issues, and it's not going to, we'd like to have it, we're hoping to have it done by the end of this year. It looks like maybe next spring we'll have a working group recommendation on how we move forward legislatively to fix this.

Very, very brief additional thought, reinforcing the chairman's point. When you talk to the folks at NSA, they say the sweet spot in which they operate is when they can harmonize technology, the activity of the adversary, and U.S. law and policy. Those three things are the major factors in determining what it is we do. They all change: technology, adversary activity, U.S.
law and policy, they all change at dramatically different rates, and that creates the dilemma that the chairman just pointed out. So it's a permanent condition, and it's just something we're going to have to work harder at, to close but not eliminate the time gaps.

Great question in the back. Who'd like to take a swing at that? Secretary?

I doubt that the controversy is going to be helpful, and I do think there's a quality of the movie Casablanca, where the police inspector comes in and says, I'm shocked there's gambling here. Obviously, almost every major country has an intelligence service, and the purpose of that is to collect information, so it shouldn't be surprising that that activity occurs. I think the real challenge in international norms on cybersecurity is the issue of trust, and that's a function of the difficulty of attributing where an attack comes from. As many of you know, the launch point of an attack may be very different from the place that is the proximate cause of the attack; you can move the electrons around the world multiple times, so it's always difficult to prove where something comes from. And I say prove because it may be the case in many instances that we actually know where it came from, but we're not in a position to prove it in a court of law or go to the UN, and that does create an issue along the lines of what President Reagan used to say: you may trust, but how do you verify? I think the answer here, because I do think we need to look at some of these issues globally, is to try to build trust in a series of measurable steps in areas where there is likely to be some agreement. For example, there's been some work done in the area of anti-spam involving multiple nations. I think with respect to outright criminal activity, stealing credit card numbers and money, you could probably get the major countries in the world to have some kind of a consensus with respect to outlawing that and taking steps to prevent it. At the other extreme, I think you actually might make
some progress on what the laws of war are as applied to cyberspace. Presumably we should all agree that causing commercial airliners to fall out of the sky is out of bounds as a method of cyber warfare, just as it would be if it wasn't proper to start shooting them down using missiles and aircraft. Where it gets difficult, and we have to be realistic, is in areas where there is not a congruence of approach. We in the US, for example, don't use our intelligence community as an enabler for individual businesses in order to help a particular company get a competitive edge, as Chairman Rogers pointed out, in other parts of the world, and where there is that disagreement it's going to be very, very difficult to reach an accommodation. I think this is something we need to work on; we need to build measurable, verifiable steps of trust using areas of common interest, but I think we have to be realistic in understanding that this is going to be in many ways much harder than the kinds of arms control discussions we had going back in the Cold War.

Chairman, and then Jim.

I just also want to point, we also have to be realistic. I have met with the EU Parliament members who deal with this issue and who are very concerned. Obviously they have political concerns on the privacy issue and what's happening, and again I remind my European Parliament members that they may want to pull their intelligence services in and actually have some oversight and ask them some really hard questions about what they may or may not be participating in. Some notion that Europe is feigning that something like this would happen, it's a bit shocking to me. But here's the real part of this that we have got to get our arms around. When we're talking about arms control, I can see it, I can see where the missile takes off, I can see its trajectory, I can plan for defenses, for appropriate dealing with that particular missile. We can have negotiations on the sheer number, size, capability, because that's in the world's interest. It's
certainly in the US national security interests. Think of the 20 organized crime groups, and I believe there are more, who now have elevated themselves to nation-state capability when it comes to cyber. They use French networks, they use US networks, they have no boundaries, they don't care about borders or treaties, they don't care about the EU Parliament in the European Union, they don't care about any of it. They are actively today pursuing their efforts, and they will use any and every network that they can find on the face of the earth to do their work. I think it would be irresponsible for our intelligence services not to pursue them where they work. Sometimes it's in France, sometimes it's in Britain, sometimes it's in China, sometimes it's in Russia. It's wrong, and by the way, oddly enough, we make sure by huge laws, reviews, oversight that they don't do it here in the US networks, but they better find it where they're coming after us, and they will use any and all of those networks. So some notion that this is somehow unseemly and wrong is inaccurate; it's absolutely inaccurate and it's wrong, and we got to get this perception thing that it's not right. Again, with the internet we are all connected now, and we're really the only intelligence service in the world that self-limits the way the United States does. Nobody has this much oversight, especially by a third party, as the general can tell you, how much real operational oversight Congress engages in on a daily basis to make sure they comport with the law. That doesn't happen in the parliamentary systems; even where they have security parliament committees that review the intelligence, they're limited in what they can get. And so we got to shake ourselves out of it that somehow, because we're really good, our intelligence services are really good at what they do, that somehow is some bad thing. It's a good thing, it helps us stay safe. And guess what, at some point in those French networks bad people are trolling around, and
again, I would argue that it is wrong for us not to find them where they're operating, and I don't care if it is France or Russia or China or the Eastern Bloc.

I just want to add a quick footnote. I know Jim has a more extensive comment, but what the chairman just said in terms of oversight: there is now kind of a roiling debate here about the FISA court and the fact that the FISA court is secret. Let me tell you what's unusual about the FISA court: American intelligence goes to a court. That doesn't happen in other mature western democracies; these warrants are handled within the executive branch. So it just again suggests the degree to which this is overseen here, and even in what we all know are very strong traditional democracies, they do in no way have the degree of oversight that American intelligence has from two other branches of government. Sorry.

If you want to have some fun, there's one of the best-selling Brazilian movies, I think it's called Special Police Squad or something like that, and if you watch the second one, there's a scene where they authorize a wiretapping, domestic surveillance, and the way they authorize it is the colonel walks into the room and says to the technical guys, hey, could you put a tap on this number? That's what they do. That was realistic. But that is what I was going to say; I just thought if you want a movie, it's a good movie. It's a good movie. It would never happen here, in most places. So a lot of things have happened this year; they're worth paying attention to, and maybe the biggest one that hasn't gotten enough attention in the US is there was an agreement in the UN that has now gone to the General Assembly, it came from the Secretary General, that said that international law applies to cyberspace, the laws of armed conflict, the commitments that states have. That's sort of a landmark agreement, and Russia, China, the US, our European allies, Egypt, Indonesia, India, lots of big countries were responsible for coming up with this, and that's changed
the political landscape. The other thing that's changed the political landscape, of course, is Snowden, and I think in the US we tend to underestimate the effect this is having politically. Yeah, the European services know they do this too; yeah, the European political leaders know; but the European public and European elites, their opinion is really affected in a way that damages US influence and could damage US companies. So this is something we have to get in front of. And I was at a conference in Korea where they had 90 countries and a lot of ministers, and I got to talk to them, and I said, what do you think we should do about Snowden? And they said, well, the first thing you should do is you should stop underestimating it. It's not going to go away, evolve naturally; it will not evolve in a way good for the US. But there are some things we could do that would reduce the damage, that would begin to rebuild trust. And we might want to think about what are the norms for cyberspace. We might want to think about where you could afford to be more transparent, right? You might want to think of political commitments. One of the things I said to the Brazilians was, when I see your president embracing Vladimir Putin, it doesn't fill me with sympathy, right? And the fourth thing we might want to think about is reciprocity, and oddly enough nobody liked that one. I'm going to open the kimono for you guys; will you do it in return? We're not so sure about that. This is going to be a difficult negotiation, but I think the place where you will see it work out is not in our usual discussions. This is strange: when the Europeans think about this, when the South Americans think about this, when countries in Africa and Asia think about this, they think about this as an issue of internet governance. How do we govern the internet? How do we change how the internet is governed? And so that's where you're going to see the debate over Snowden come to a head in the next couple of years, and we as a country will have to work
out some very difficult issues. How much are we willing to tell? How much will we want from the other guys? And what sort of constraints might we accept? Don't know if we have good answers to them right now.

I think that's probably a good note to wrap up our discussion on today. I want to again thank CSIS for co-hosting this with the Financial Services Roundtable. We have a group within our organization called BITS; that's a cybersecurity group that is one of the leading groups in this space for the financial services industry. I also want to thank our stellar panel. These are individuals that are in high demand, and the fact that they would take time out of their busy schedules to be here with us this morning is greatly appreciated. And a round of applause to our panelists for their great work, and thank you all for coming. We appreciate it and hope we can continue the dialogue. Thanks.