After Snowden: the Road Ahead for Cybersecurity

AMERICAN ENTERPRISE INSTITUTE

AFTER SNOWDEN: THE ROAD AHEAD FOR CYBERSECURITY

INTRODUCTION: JEFFREY EISENACH, AEI

CONVERSATION: GENERAL MICHAEL HAYDEN (RET.), CHERTOFF GROUP

REP. MIKE ROGERS (R-MI), CHAIRMAN, HOUSE PERMANENT SELECT COMMITTEE ON INTELLIGENCE

MODERATOR: MIKE DANIELS, AEI

PANEL: PROTECTING INDIVIDUALS AND INFRASTRUCTURE IN CYBERSPACE

PANELISTS: ROBERT DIX, VICE PRESIDENT, JUNIPER NETWORKS

MAUREEN OHLHAUSEN, COMMISSIONER, FEDERAL TRADE COMMISSION

CHRISTOPHER PAINTER, COORDINATOR FOR CYBER ISSUES, U.S. DEPARTMENT OF STATE

JEREMY A. RABKIN, AEI AND GEORGE MASON UNIVERSITY SCHOOL OF LAW

MODERATOR: SHANE TEWS, AEI

KEYNOTE ADDRESS: TOM WHEELER, CHAIRMAN, FEDERAL COMMUNICATIONS COMMISSION

LUNCHEON ADDRESS: GENERAL KEITH ALEXANDER (RET.), FORMER DIRECTOR OF THE NATIONAL SECURITY AGENCY

8:45 AM – 1:15 PM THURSDAY, JUNE 12, 2014

Rush transcript. This copy may not be in its final form and may be updated.

EVENT PAGE: http://www.aei.org/events/2014/06/12/after-snowden-the-road- ahead-for-cybersecurity/

TRANSCRIPT PROVIDED BY: DC Transcription – www.dctmr.com

JEFFREY EISENACH: Well, welcome everyone. My name is Jeff Eisenach. I’m the director for AEI’s Center for Internet Communications and Technology Policy and a visiting scholar here at AEI. I want to welcome everyone here to the beginning for us, the kickoff of what we expect to be a long-run effort to contribute to the debate and the discussion about how best to ensure security and freedom on the Internet.

I want to start with just a couple of opening remarks about our center, what we’re up to and what our goals are, particularly in this arena. And then I’m going to describe the program and turn the floor over to Mike Daniels in just a couple of minutes.

But, first of all, we created the Center for Internet Communications and Technology policy in September of last year to focus on a number of issues – communications policy issues, privacy issues, intellectual property issues, and cybersecurity issues, all of which are implicated in the discussions that we’re going to be having today and the array of issues that make up cybersecurity.

Why did we do that? Why did we start the center? Because the Internet has become such an important component of everything that we do of all of our lives: 2.4 billion people use the Internet worldwide. It’s literally redefining everything that we do, from smartphones that we carry around, the way we get our music, communicate, Facebook, Google, Amazon, eBay, Pandora, Netflix, all daily elements of our daily lives, but also, increasingly woven into the fabric of our society. It’s changing the way we work, the way we entertain ourselves, shop, conduct elections, police crime, and combat terrorism. The Internet is as much a part of our lives as the air that we breathe, the water that we drink, and that’s only going to increase over the course of the coming decades, over the rest of our lives. Cyberspace is part of the world in which we live and more and more is defining the world in which we live.

It’s important, I think, to mention that the Internet is very much a free market success story and very much in important respects an American success story. And I don’t mean that in a jingoistic way or in a nationalistic way but in the sense that American values have very much governed the way the Internet have functioned over its first 20 years. Yes, the Internet started as a government project at the Defense Advanced Research Projects Agency, DARPA, but since then, beginning in the 1990s, when it was privatized by the Clinton administration, the Internet has been a remarkably regulation- free zone. It’s been a free market success story and it’s also helped to bring freedom of expression, political freedom to people throughout the world. It has given everyone the ability to walk around with access to all of the knowledge in the universe in their pockets every day. That’s a remarkable thing.

The Internet is under duress today from a variety of threats, all of which relate back to this issue of cybersecurity, or if you like, system integrity. Senator Stevens once famously referred to the Internet as a series of pipes, and was sort of ridiculed for saying that, the implication being he didn’t really – he didn’t really get it, but to take that metaphor no further than it goes, if that’s true, it’s a series of leaky pipes. There’s stuff getting out that we’d like to keep in and there’s stuff getting in that we’d like to keep out. At the end of the day, our discussion here is about how to fix that, how to fix the plumbing, if you will. I’m going to put that metaphor aside now. It won’t be back.

What are our goals? Let’s start with that: protecting property, surely, and with that, the tremendous capacity that the Internet has displayed to create prosperity; protecting security, personal, national; and protecting and promoting freedom – all of those objectives, important, sometimes tensions between them.

What are our methods? Technology, surely, the way we design the networks; the law that we put in place to regulate them; to the extent that international forces come into play, and the Internet is first and foremost a world without borders, diplomacy, and when diplomacy fails, force, kinetic or otherwise, not as a first choice but as a last choice.

So we have a set of goals, we have a set of tools. We have the Internet under duress. And we have an objective here at AEI to, over the course of the coming years, contribute to a debate and a discussion about how we can bring our goals and our methods together to create an Internet that protects personal security, that protects our national security, that promotes our prosperity, that ensures our freedom and our liberty not just in America, but everywhere in the world.

So, hopefully, we’ll have that solved by the end of the day and we can get on to other things. But it is a long-run project. It’s a project that’s going to go on for all of the rest of our lives as the Internet continues to evolve. And I want to thank everyone for being here today to join us as we – as we launch this effort.

I’m going to be introducing our speakers as we go through the day and I won’t introduce them all now. I will tell you we’ve got a great line up, including General Hayden; General Alexander will be here later; FCC Chairman Tom Wheeler and others who are going to help us think through these issues and offer their thoughts about how to address them.

Our first session this morning is led by Mike Daniels. Mike’s been a friend of mine for many years actually, going back to the days when he was chairman of a little company called Network Solutions. He is now a visiting fellow at the American Enterprise Institute’s Center for Internet Communications and Technology Policy and serves as the chair of the National Advisory Council for our cybersecurity and Internet governance activities. He is chairman of the Logistics Management Institute and Invincea, serves on a number of boards. He sat as chairman or on the board of directors of too many companies to name. He was chairman and CEO of Network Solutions from 1995 through 2000 and has served previously in senior policy positions at the White House, National Security Council, Defense Advanced Projects Agency, and elsewhere. It was a good day at the American Enterprise Institute when I looked Mike in the eye and said, does that mean yes? And he said, yes, it does. So we are delighted to have him involved in our efforts.

Before bringing him to the podium, I will point out that he is the coauthor of a new book with Robert Beyster, “Names, Numbers and Network Solutions: The Monetization of the Internet.” And for those who are interested in how we kind of got where we are and the role in particular that markets and the private sector played in getting where we are, this is a book that I would recommend to everyone.

So, with that, let me turn the podium over to Mike Daniels. (Applause.)

MIKE DANIELS: Good morning, everybody. On behalf of the American Enterprise Institute, I want to add my welcome, as Jeff said, to each and every one of you. We think this is a great undertaking.

Since the Defense Advanced Research Projects Agency, at that time, ARPA, the Advanced Research Projects Agency, put the very first dollars into something called the ARPANET, which was in 1962, we’ve come quite a ways. That’s been over 50 years. The commercialization of the Internet did not really begin until those of us who were in the private sector started to take companies public during what was then called the dot com boom days, from 1995 until 2000. That was the start of the real commercialization of a technology that had been developed in the United States through the Department of Defense, found its way to the National Science Foundation, and, ultimately, to the U.S. Department of Commerce.

It’s been an interesting journey for everybody involved in it. I can tell you from being there as chairman and CEO of Network Solutions when we took that company public in 1997 that there was not a single person who ran a commercial company who ever could have envisioned what the Internet has been today. Those were days that we heady days. We have heady days again in Silicon Valley at this point in time.

What we really want to do in this center, as Jeff said, is we want to try to get, hopefully, to the real larger issues that are at play here. All of us know what those issues are. Those issues are everything that run the gamut from what’s the right balance between national security and privacy and security; what’s the right balance between commercialization of the Internet and things that aren’t so commercial on the Internet; what’s the politics of this; what’s the economic global competitive impact of this; what’s the social effect across the globe of this technology which many of us believe is the greatest invention of certainly the last 100 years. So we hope to shed light on that and we want all of you to help us.

We think that part of this debate that is going on in this country and elsewhere is really a piecemeal type of debate. There’s a larger framework, a larger fabric and a larger mosaic that underlines and underlies what is happening here if you just take the Internet, our cybersecurity as discrete elements or pieces.

So our first panel today, we are very, very pleased to have two individuals who are central to these activities and are both Americans who have served their country long and well. So I’m going to introduce both and then we’ll take a seat and we’ll start the discussion. And we’re going to ask a number of questions, but we’re going to leave plenty of time for Q&A because we have a lot of people in this audience who come from the public, private and government sector, and I know a lot of you have some very interesting questions for our two distinguished panelists.

So let me first introduce Mike Rogers. It’s a real pleasure to introduce U.S. Representative Mike Rogers, who, as most of you know, is the chairman of the House Intelligence Committee. This is the House’s primary panel responsible for authorizing the funding for and overseeing the execution of the intelligence activities of the United States government.

Mike is really the kind of leader who believes that national security issues should be bipartisan or even non-partisan. In fact, our own “Washington Post” has called his leadership of the House Intelligence Committee a rare example of bipartisanship. Along with his ranking Democratic colleague Dutch Ruppersberger, Mike has worked to get three intelligence authorization bills signed into law with strong bipartisan support.

Chairman Rogers has also taken lead on critical cybersecurity issues, getting an information sharing bill passed in the House with an overwhelming bipartisan vote. He is pushing for stronger U.S. posture against Russia, given their recent aggression in the Ukraine. Additionally, he continues to focus attention on China’s emergence as a competitor to U.S. national interests and threats posed by terrorist organizations such as al Qaeda and rogue nations such as Iran and North Korea.

Mike was a commissioned officer in the United States Army. He continued to serve his country as an FBI special agent in Chicago, where he fought organized crime and public corruption. After being elected to the Michigan Senate in 1995, he was elected to Congress in 2000 in Michigan’s eighth congressional district. For all of us who have known him over many years, he really is a true friend who believes in a strong national security policy and that it’s critically important for America’s future.

Let me introduce our next very distinguished guest. This is a person who served the United States of America in many capacities in a great leadership and a great role in this country. This is General Mike Hayden, retired. Mike served as director of the National Security Agency from 1999 to 2005. He was principal deputy director of National Intelligence from 2000 to 2006, director of the Central Intelligence Agency from 2006 to 2009. He is a retired four star U.S. Air Force general having retired from the Air Force in 2008 and currently as a principal at the Chertoff Group, a security consultancy. During his long years of service, General Hayden served as commander of the Air Force Intelligence Agency, director of the Joint Command and Control Warfare Center. He also served in several senior positions at the Pentagon, the National Security Council, the Embassy of the United States in Sofia, Bulgaria, and as deputy chief of staff for United Nations Command and U.S. Forces, Korea. He is currently also a visiting professor at George Mason University.

So let’s give a warm welcome to our first two panelists today, Chairman Rogers and General Hayden. (Applause.)

Again, Mike and Mike, nice to be with us, just the three Mikes this morning. So let’s start our conversation – I’d like to spend a minute having both of your reflect on what you’ve seen in your careers to get us to this current moment. Then we’ll talk about current issues. You both have long, illustrious careers. You’ve been around these issues in national security, defense intelligence for a long, long time in different ways, shapes and forms. Reflect for us a few minutes in how you view how we’ve gotten to this particular point, what’s happened, what have been key moments? Talk to us a little bit about that.

REPRESENTATIVE MIKE ROGERS (R-MI) [Chairman of the House Intelligence Committee]: Well – and, first of all, thank you for doing these things, for putting this together. This is going to be a very important effort that is going to be a challenging problem for the United States and our allies for years to come. So I appreciate it.

And I’m always honored and humbled to share a stage with the good general. We have – I got to know him well during the – my committee days and have admired his work for years. He’s certainly a true patriot.

You know, when I first took a briefing on cybersecurity and the threats of cybersecurity, it really was one of those deals – and this was even in the early 2000s – don’t worry about it. You know, we kind of got this covered. We see a little bit of a problem, we see some challenges in cybersecurity, but we think that we’ve – we can handle what’s coming at us. In year end and year end, it exponentially got worse. And the threat matrix changed by the month, and then by the week, and now by the day. It is – it’s been an unbelievable path of watching how vulnerable we are. And it all corresponded with the very fact of how we engaged in commerce with the Internet.

So think about how we’re connected today. And I also want to welcome our Chinese and Russian Intelligence Services who are in your pockets and purses today, who are eager to find out what – what you’re doing each and every day. So we saw this threat change and then we saw something very interesting. So we saw them work into this economic espionage that we said, oh, we’ve got a big problem; we’d better – we’d better figure this out. Then we saw these destructive attack scenarios start to develop, rudimentary at best, DDOS attacks, very low level, but then we saw, and our intelligence agency started tracking overseas malicious source code that is scary nasty, bring down banks nasty, bring down electric grids nasty.

And what we found in the course of this debate, and certainly since my time as chairman, is that in America, we haven’t come to the grips yet that this is probably the most serious national security problem we face, that we are not even close to being able to handle from a policy perspective of the United States government. We’re caught in these series of debates that you have to have either privacy or security. I believe you have to have both and you can’t have both.

And so we watched this pendulum swing. We watched all the developments. Now you have non-nation-state actors with nation-state capability. And now is our time. We’re either going to fix this now or we’re going to pay a horrible price in the months and years ahead.

GENERAL MICHAEL HAYDEN (RET.): Now, I’ll double down on what the chairman just outlined and also thank him for the time. You know, it’s not often you get a really good relationship with the member of your oversight committee. And this is an example of that. We occasionally agreed while I was in government.

As big a problem as the chairman just pointed out in terms of we haven’t hugged the question of cybersecurity yet, I’d suggest that that issue is actually a part of a larger question. And that’s that we have not yet hugged the how very disruptive this whole creation has been to every aspect of human life. I mean, we know it’s important. We treat it as important.

I was in Las Vegas three or four summers ago talking to Black Hat and there I am, you know, 3,500 claiming to be reformed hackers and the former director of the National Security Agency. And I said, you know, I think this cyber thing is catching on. And I got a giggle or two. And I said, no. And I don’t think we – you included – appreciate how big a deal this is.

And I’m a history major so I use historical examples. I said, this is as disruptive an event or process as the European discovery of the Western Hemisphere and beyond in the 15th, 16th and 17th centuries. And I have a long soliloquy here. I won’t bore you with it, but think of all the things that that changed. By the way, that was the last great era of globalization in which things were jammed together in ways we had not experience before, shoving the good and the bad and the strong and weak into a kind of proximity that hadn’t existed before the great age of sail. And I point out – and that was proximity based upon movement at 12 knots per hour with a favoring wind. And we’re now doing it at 186,000 miles a second.

So I had all done with that talk at Vegas and I’m walking out. And an older gentleman comes out to me and says, nice speech but you low-balled how important this is. (Laughter.) I said, okay, smart guy. What do you think it is? He actually said, it’s like the human development of language, that my example said that this is changing our external world. He actually thinks it’s changing human cognition. It’s changing how – not how the brain is structured but how the brain fires. And, frankly, if you – if you look at what passes for research today, if you’re teaching on a college campus, it really does change how we intellectually approach problems.

And so I guess my first point is, yes, we’ve underestimated how big a deal the security issue is. But I think we also underestimated how big a deal this is, period. And what’s happened is all the great big technological ideas are now way out in front of the broader policy, political, legal, ethical ideas.

And so we have not yet – I’ll narrow it down to an American context and then reflect directly your issue. In terms of cybersecurity in the United States, we’re hung up because not just the chairman and his colleagues but you and I have not yet determined what it is we want the government to do to keep us safe in this new domain and we certainly haven’t decided what it is we’re going to let the government do to keep us safe in this domain. That’s how fundamental these tectonic shifts really are.

REP. ROGERS: And I think we all just earned three credits at George Mason University.

GEN. HAYDEN: You did. (Laughter.)

MR. DANIELS: Well, that’s a – that’s a great segue into specific questions because I think as we’ve talked about this at AEI and certainly in the tech industry for many years, General, it’s been – what is this? This is a massive wave of some type that is having political, social, economic, global competitiveness impact. So what you say, I certainly hear and understand.

So let’s get down to – let’s turn to 9/11. And the reason I turn there is because I recently watched one of our videos where you talked about sitting in your office as I recall in Fort Meade. Was that really the start of a very different kind of situation for the United States of America with programs work that were put into place that have turned into some controversial – this growing discussion between the public and private sector? Take us back to that. And then I’d like to turn to some of the Hill things.

GEN. HAYDEN: Sure. Yeah. Mike, thank you for asking the question in that way because it gives me a chance to reinforce a point. This cyber thing isn’t the only issue coming out of this new era of globalization. Now, the net is one of the things that really pushes us together. This is not just cyberespionage or cybertheft or cyberattack. We’ve got a whole series of problems out there, terrorism, transnational crime, piracy, and cyberthreats that are simply different faces of the same issue I tried to suggest before, jamming things together in ways they have never been jammed together, the good, the bad, the strong, and weak.

I mean, a lot I use in another one of my speeches is, hey, look, I can remember the day where I never lost any sleep over a religious fanatic living in a cave in the Hindu Kush. But all lose sleep over that now. Why? What’s changed? The religious fanatic? No. The fact that we are now so interconnected that he actually can do great harm.

And I’ll double down on something I think the chairman suggested. Not only is he now so interconnected to us that he can do harm, that because of the way we’ve interconnected, we can now anticipate state-like harm being thrown at us by non-state actors. In other words, this interconnectivity has empowered, you bet. I love the part where I can get my money without going inside the building, okay, and just use the card and the numbers. We are all empowered to do great things now because of this new connectivity. But we’ve pushed that power down to those who would will us harm as well and now they’re all empowered to do us great harm.

So the cyber question is part of a larger question in terms of cybersecurity of how it is we used the organs of state power, which is all we are allowed to play with, how do we use the organs of state power, which were hardwired in this country in 1947 to deal with threats emanating from powerful ill-willed nation-states and now use those organs of state power to defend us against threat vectors that do not come from nation-states and, in fact, come from the absence or failure of nation-states. This is all really a big deal and it’s all really interconnected.

And I’m sorry. I have really made this problem too big for this discussion but you see how it’s kind of all of a piece.

MR. DANIELS: And, Chairman Rogers, you’re out talking to your constituents and you see everything that goes on Capitol Hill and you live in that world every day. Do you think that the American people really understand or grasp what this problem is, the magnitude of it? Do you think they see bits and pieces? How is that reflected on Capitol Hill and the kind of legislative discussions and in-depth thinking, if there is such a thing, on this issue on Capitol Hill currently?

REP. ROGERS: Yeah. And, first of all, it’s a very difficult issue to get your arms around. So it takes – you’ve spent a lot of time trying to learn the problem set before you can learn how to talk about the problem set. And so not every member is engaged at that level and some for reasons of classification, some for reasons of – you know, they’re dealing with agriculture issues and that’s where they’re at, and that’s why they’re here, and they’re doing great things in that. And sometimes it just has a hard time bleeding over.

And that’s the same with your constituents. When you go home and have chats with them, some have a very crystal clear understanding of where we’re at and what’s coming, but a lot don’t because it’s not something you think about every day. And now, technology is about, how does this make my life convenient?

And so when you start talking about security and others – you know, we have the ability now with certain devices out there to have very secure e-mail communication. But, you know what? Still inconvenient to do it. You’ve got to have an encryption on one end and a decrypter on the other and vice versa. That’s a – it’s inconvenient. It takes time. You have to plug it in. You have to go through a series of protocols to get where you need to go, so most people aren’t interested in that. They’re interested in can I pay my grocery bill by throwing my phone on the – on the scanner? Can I pay my parking by using my phone – all of those things that happen that make our lives much more convenient.

And I don’t believe there’s a good understanding about what the threat is. They don’t – I think people really don’t understand in a general way that you are – when you turn that on, you are sitting in a room full of intelligence officers from all over the world, from terrorists who are sitting right next to you in your house, in your living room, on your phone, when you’re driving the car, when you’re not supposed to be using it. Oh, come on, people. You know half of this room has done that at least once. You’re actually now in the same communication networks with the very people that would seek to do us harm in a whole multitude of different ways.

I think that part is lost. I think that because I’m in my living room talking to Aunt Mae in Texas or, fill in the blank, that I’m fine. This is just my little world. The problem is once you’re on that Internet, you are invited in to a whole cast of characters and I think the general alluded to that, that at the capabilities of even organized crime or international crime organizations is so much better than it was before. And it’s hard to get your arms wrapped around it because you don’t see that in your computer.

My credit cards got ripped off at Target; still hard to get my arms around that. What does that mean? Did I lose anything? Did I not? Isn’t that somebody else’s problem? I really did hope that the Target example would kind of shock Americans to understanding, as great as an opportunity as the Internet is, it also presents a whole new level of danger that we need to try to deal with.

We just – I don’t think our psyche has gotten there yet. I don’t believe the average American understands what’s at risk, how much trouble is out there on the Internet today, and what that can mean for us if we don’t have some way to try to at least push back on this growing capability to do us harm by using the Internet.

MR. DANIELS: Could you talk to us for a minute about – you came to Congress in 2000. The progression of this from your vantage point in terms of legislation, how hard that’s been to do, the education factor, talk to us about that, give us a tutorial for a few minutes on what you’re dealing with on the Hill.

REP. ROGERS: Well, it was difficult before the NSA leaker got engaged in the debate here. It was hard then. It is darn near impossible now. I think we’ve kind of turned a corner with our Foreign Intelligence Surveillance Act that we’ve got a bipartisan 300 votes a couple of weeks ago. I just had some great meetings with the Senate. My Senate counterparts yesterday, my ranking member Dutch Ruppersberger and I have spent some – more time in the Senate than we ever thought we would. And it’s been delightful, just to let you know. And I think we’ve made some very real progress.

But part of the problem is perception. We end up fighting more perception than we fight reality. And let me give you a great example.

Right after the leaks about the domestic surveillance program of the NSA, which, by the way, there is no domestic surveillance program of the NSA but I challenge you to find a headline in the last year that doesn’t say or an article that doesn’t say domestic surveillance or rogue surveillance or illegal surveillance, all of which is wrong, but it is motivating a population that is probably not going to try to find out that second part of that equation. That has been the most difficult thing that certainly I have had to encounter. We ended up fighting back on the perception of what was completely wrong more often than we were trying to just explain actually what is happening, very, very difficult.

Let me give you two – a couple of quick examples. One, and if you recall, a few years ago or a few months ago, this great hue and cry that the United States, the NSA was listening to 80 million in one month, 80 million French phone calls. Remember this? Do any of you remember seeing this? And it was a hue and cry. Of course, the Europeans were going crazy and saying how out of control the NSA is, and out of control the United States is and, boy, we’re going to fix them, and we’re going to go – we’re going to beat on these. And, of course, I had to go Brussels about two weeks later. That’s a lot of fun.

And so we get and we start peeling it back so people were outraged. Well, think – first of all, just think of the logistics of it. You know how many people that speak fluent French at the NSA that could actually listen to 80 million phone calls in 30 days? I mean, the logistics of it are just – it’s not even possible. It’s not even realistic. Well, then you find out it’s not really that they were listening to 80 million phone calls. As a matter of fact, they weren’t listening to any of those phone calls.

The French Intelligence Service collected this information in the battlefield zone, in a combat zone for force protection. And they said, you know, there are some Americans just up the road. Wouldn’t it be beneficial if we took this collection and gave it to the Americans so that they might use it to protect their soldiers in combat zones? Pretty good idea.

So it wasn’t – the NSA didn’t even collect it, number one. The Americans had nothing to do with it. It wasn’t French citizens at all, not even one. But do you think that we could push back and get that story right? Nobody was interested in getting the story right. It didn’t fit the narrative.

So, for a month, we ended up dealing with the Europeans about how terrible the USA is in its espionage activities, when, in fact, we had nothing to do with it, but they didn’t want to hear that part. And the worst part of all is the French government came out right away and said, those terrible Americans, how could they have done that? They’re the ones that gave it to us and they didn’t want to come out and admit that they had cooperated with the United States Intelligence Services.

And about the second time I was in Brussels – and this is the second part of this that gets to my frustration of how difficult it is to try to agree on the same side of data points.

When we were in Brussels getting our fannies chewed by the Germans and the Spaniards and the French and everybody in the EU about how terrible the United States was by collecting intelligence to keep America safe, the French voted to make it easier, meaning they would have no legal instrument involved in getting data at rest on French servers. Now, we would go – and I would never support that. I think that’s a terrible policy, an awful policy. But they did it while we were in Brussels.

And so this famed outrage has worked against us coming to a good conclusion about what is right and what is appropriate in the debate about security and privacy. I think we found it in the NSA program in the umpteen reviews, nothing illegal, no rogue agency. None of these groups found any of this. It wasn’t unconstitutional. What we found is Americans didn’t like it. Okay. That’s fair. That’s a fair debate to have. But it wasn’t illegal. It wasn’t rogue. There wasn’t any domestic surveillance program.

And, because of that, I think we lost probably a year in the debate of, we’d better do something to protect our networks because we are getting killed. Instead, we’re still having that debate about facts that aren’t even relevant to the conversation that we’re having.

I think we turned a little bit with this FISA bill a couple of weeks ago. I think that was an appropriate agreement. It’s not my most favorite bill. I think it does – you know, we have to understand that when we slow down our ability to analyze information, it mean that we are a little more at risk. We made that tradeoff in that bill. Again, I voted for it, I supported it, I helped negotiate it; not my favorite, but I figured if we didn’t get this done, we were not going to have the confidence – Americans’ confidence in our intelligence services that you absolutely have to have if they’re going to function in a democracy like ours.

So I think we can get there. I don’t think we’re even close to getting over the anger portion of it. Every day there’s a new article that isn’t exactly right in the newspaper about leaks that are coming out from the NSA.

And imagine if you – if I gave you 1,000 slides to look at with information on it, which is, by the way, how the French thing got so screwed up and you took that and you looked at it, you don’t understand what the inputs were, you don’t understand how that slide was developed but you look at key words on that slide and you come to a conclusion that the United States and the NSA has a domestic spy program, right? I’m going to pretty much guarantee you you’re going to be wrong. And guess what’s happened? They have people who have no experience looking at these slides coming to absolutely the wrong conclusions. As a matter of fact, in this French slide – and then I’ll stop talking. This got my blood pressure up and it’s only 9:30 a.m. Thanks a lot.

It had the chart of these 80 million calls on it so it had a graph chart, and then it had French – or France up in the corner. And then it had a code word associated with it. So by those three data points, they decided that the United States, the National Security Agency was listening to 80 million phone calls. And the newspapers went out and told all of you the NSA is listening to 80 million French citizens’ phone calls. And, boy, we ate that up as Americans. We went, oh, my God, this is one more example of just how terrible we really are, right? It is the craziest thing I have ever seen in my life.

And you’re going to see more of it, right? Folks are – this is – this is like candy. This is just absolutely candy for those who want to make sure they work against our ability to collect intelligence overseas, and that has been our biggest challenge, not the issue, not working out the legislation, getting it right on privacy, protection of Fourth Amendment. We can do all of that. It’s the misperception of the information that is really difficult to push back on. I don’t feel very strongly about this at all.

MR. DANIELS: Well, what’s the current status of the bill and what’s the probability of you getting that done?

REP. ROGERS: And the bill you’re referring to is the cyber sharing bill so just quickly that about 85 percent of the networks out there are private sector networks. And contrary to popular belief, the NSA, even when the general was there, was not – it does not listen or monitor our domestic networks. It’s against the law for them to do that.

So the only time that they’re going to catch a threat is if they see it overseas coming in to an American network or a company network. And so what we said is, wow, these guys are really good, really good at going overseas and finding some really nasty stuff. Some has been in use, some hasn’t been in use. Wouldn’t it be great if we could have them share that really nasty stuff in a classified way, zeros and ones in a configuration that’s going to ruin your day?

And share with the private sectors high upstream as you can get in a classified way so the bad guys don’t know what we know, and we can still allow the private sector to protect their own networks, not the government protecting their networks but they get to protect their own networks seems pretty simple to me, right?

When I was an FBI agent, if I got a call that said – I had a source in Chicago that said there’s going to be a home invasion at 123 Main Street tomorrow at 2:00 p.m., I would hope that you all would expect me to be morally obligates and legally obligated to try to stop that, to do something about it, not to wait until it happens and then go into the house and say, boy, that was terrible. You know, somebody got killed today, pretty awful, right? We want to prevent it. This is what the whole purpose of this bill was, how can we prevent some of these things?

Passed the House not once but twice, huge bipartisan numbers, and the reason we got there is we brought members down in classified spaces in the NSA, and the Intelligence Committee was fantastic. It just took a lot of their time to educate people on what exactly it is and what it is not, what people say it is that’s wrong, and what people say it is that’s right, we got that right. I think that’s why we got some great numbers.

So the good news here, Mike, is yesterday I – Dutch, my ranking member again – Dutch and I sat down with Dianne Feinstein and Saxby Chambliss in the Senate. That was one of the most productive meetings I felt we had this year on this issue, and now I am being back to – extremely optimistic that we’re going to get a cyber sharing bill this year, extremely optimistic. And I was losing hope there. I am very, very encouraged by this meeting yesterday.

MR. DANIELS: General Hayden, this would be a great time – there’s so much in the press, just as Chairman Rogers said. The American people get this, that piecemeal. It’s hard to get a picture of this. Would you spend a few minutes talking to everybody about the programs that have – were set up after 9/11, the intent of those, what they’re able to do to help the country, defend the country, that kind of part of the story? And then, a question after that would be so what’s really been the impact of somebody like Snowden upon collection, the whole situation, the problems that’s created for the country?

GEN. HAYDEN: Okay. The first point I’d make is remember what the chairman said about the 215 program, the metadata, the phone bills, legal constitutional, no abuse; oh, you didn’t like it? Oh, all right. Well, maybe we have to think about it again. All right? It’s that – but what we are really talking about here though is at the “oh, you didn’t like it level.” We’re not talking about lawfulness or constitutionality. And, oh, you didn’t like it is actually a big deal in a democracy. We get that, all right? But it’s not the same as the accusations that are just thrown mindlessly about that, you know, illegal, unauthorized and so on.

There are four things that happen, have nothing to do with what the Congress wants or NSA does. Four things happen in the real world. And your security services, if they’re going to fulfill the contract you expect them to fulfill, which is to protect you, how to relate, accommodate to these four changes. I’ll be very brief.

Number one, the volume of modern communications – I mean, think of your own communications life and compare it to your communications life 20 years ago. I am old enough to still remember waiting until Sunday night at 6:00 p.m. to make a long-distance phone call, remember? All right? Now, Jeanine and I were in London yesterday. We’re just on the phone back here. So, number one, volume, right?

We were being overwhelmed by volume at NSA pre-2001. How do you deal with volume? Well, we were treating volume as our enemy because it always has been our enemy, because we wanted to get underneath the volume, to get to the specific, to get to the needle, not the haystack. Throw the hay away. I want – I want the needle.

By 2000 – important date, pre-9/11, okay – by 2000, we decided, we can’t fight volume. We’ve got to make volume our friend. We can’t be sitting on there on the beach like this with a tsunami coming in and expecting that this stance was a really profitable way to go, okay? And so what we decided to do metaphorically was to turn around and swim, and go with the volume, make volume your friends, create intelligence out of the volume. There’s a word we use for that: bulk collection, okay? You can’t be a modern signals intelligence agency without doing bulk collection, period.

Second thing, there isn’t a civil libertarian alive who gave a damn about my old agency intercepting Soviet strategic rocket forces’ microwave communications out of Moscow going to Soviet ICBM fields in the Far East. You know, we were on those networks looking for what I like to call words of interests like launch, okay, isolated network, dedicated enemy, known and identifiable. The 21st century equivalent of that SRF microwave shot across the Urals are proliferators, terrorist, narco-trafficker, money launderer, e-mails coexisting with your e-mails on a single integrated global grid. And so if you want your signals intelligence agency to do for you in the 21st century what it did for you in the last half of the 20th, it’s got to be over here. It’s got to be on the net, where your stuff is getting by. There is no other way, period.

Third great change: the enemy was inside the walls. And this is a 9/11 event, am I right? And the chairman’s committee, after 9/11, formed up with the Senate to do something called the Joint Inquiry Commission, okay? House and Senate intel iconic picture – at least iconic in the Hayden family of me, George Tenet and Bob Mueller like this, okay, in front of this – in front of this commission. One of the key criticisms of NSA from this Joint Inquiry Commission from your representatives in Congress was simply NSA had proven far too cautious in dealing with terrorist related communications, one end of which was in the United States.

So how do you think we’re going to do that? Well, maybe we’ll get the metadata and see if this bad number in Yemen is actually calling that number in the Bronx, okay? I mean, look, you may disagree with any of this. But what I’m telling you is it’s all a logical response to external forces. The fourth external force is even when the enemy wasn’t inside the walls, all of his e-mails were. We are the center of the Internet universe. The e-mail provider of choice for terrorists worldwide are American e-mail services, okay? And so I’ve got an e-mail from a very bad man in Waziristan to another equally bad man in Yemen, all right? And he’s using Gmail, as they often do. That thing’s sitting on a server on the West Coast of the United States. The only thing American about that e- mail is it’s sitting on an American server. Prior to the changes we developed after 9/11, that e-mail, because it was on that server, enjoyed the protection of the Fourth Amendment to the United States Constitution.

REP. ROGERS: As a U.S. person.

GEN. HAYDEN: As a U.S. person. Okay. That’s – (inaudible). And, oh, by the way, that’s the 702 program. So these are all logical responses to external, very powerful external forces. We can all huddle up and say, yeah, I see why you’re doing it. I can see why that’s logical. Still don’t like it. Still don’t want you doing it, okay? But the line I used in public audiences now, there was never a scene at NSA when all these things were happening where this director or his predecessor or my successor said, bulk data? Excellent. (Laughter.)

We did it to keep you safe and it’s all perfectly logical. It’s all perfectly legal. Now, you just have to tell us whether you want us to continue to do it. And if don’t, hey, got it. Make the box smaller. We’ll just play inside your new – wait, I’m sorry. One more deal. We’re going to have to shake hands if you take these away from us, we’ll be less capable of keeping us safe, but if that’s a price you want to pay to be more comfortable, just let them know. He’ll pass a law.

MR. DANIELS: Let me ask you the question about the impact that you see from Snowden and the revelations of Snowden, but –

GEN. HAYDEN: You know, we don’t say Snowden at NSA.

MR. DANIELS: I understand you don’t.

GEN. HAYDEN: They use the phrase he who will not be named.

MR. DANIELS: I understand that so talk to us about what you see the impact. Obviously, when we have these things happen, there are all kinds of impacts inside the system.

REP. ROGERS: Where do we begin? It’s really important to understand this. The Defense Intelligence Agency did a pretty thorough examination of the loss. And it is in their words, you know, a grave damage to our national security, mainly because well over 90 percent of all the material that he stole – and he stole it, that he had access to sometimes by hoodwinking people to give them passwords, and we think he found a way around some systems inside the system – had nothing to do with the NSA or the 215 program. It was all related to military tactical and strategic valued information. So our Army, Navy, Air Force, and Marines have been significantly damaged by the material he has stolen.

And the best way to know that is, okay. Well, some say, well, you don’t know exactly what he took and we should think of him as a hero because now we have this national debate. If your son or daughter is on the battlefield in Afghanistan and we know that we took a very valuable IED, improvised explosive device countermeasure material, I’m not so sure you’d be quick in a hurry to look somebody who lost their leg in the last six months if in fact he’s a hero or not. And we need to put it the way it is. He’s a traitor to his country how has caused grave damage to our military readiness around the world.

Have there been changes and certain things that – activities that we would see if we know they had it, yes. Which means the bad guys got some of this information. To what degree did they get all of it, a little bit of it, we don’t know. But we know that we’ve seen changes. That means they are benefiting and as he – you know, in the two bastions of Internet freedom, China and Russia, we know he’s now in the loving arms of the FSB. We know that for a fact. That’s not even disputed. I, I think like some others, keep questioning there’s certain activities we see leading up to his departure that have huge question marks we haven’t been able to answer. So any conclusion that we don’t know that he was working for the Russians anytime before that, we can’t answer that question, yes or no. But as an old FBI guy, when you look at the totality of evidence, it certainly makes me crinkle my eyebrow about certain activities leading up to it.

So let’s – now, we’ve established who he is, and what he’s done, and the damage he’s done. So now you have a whole another layer of it. So the European Union has seized on this. And I had an interesting meeting there. I told you about two of those, where in one meeting, I said – I went to our counterparts in the EU and the EU Commission, which is their version of the presidency in the EU.

I said, before you beat you on us, let’s do this. You go back to your intelligence services and ask them what they’re doing, get briefings, go from stem to stern. Are they engaged in signals intelligence? Do they recruit sources? Do they protect their methods? Are they spying on, say, Americans? Dead silence, absolute dead silence. And I said, well, shouldn’t we agree on that? And the EU says, well, we don’t have access to that information; we can’t get access to that information. And I said, well, how do we have a debate about the United States Intelligence Services if you have no clue what your intelligence services are doing? It doesn’t seem like a very smart debate to me. And they said, well, listen. We can’t – by our EU constitution, we can’t regulate our nation-state intelligence services but we can regulate yours. Now, that’s what the EU told me.

And so this isn’t about they’re offended by privacy. I think we all know that is just a crock of fill in the blank. Right? We know that that’s just not even rational. We know their intelligence services are doing things that we would all in the light of day feign that we’re horrified that they would do. But the reality is they want to protect their businesses.

So what they’re trying to do is say, Google, Microsoft, Amazon.com, they’re bad. They’re tainted by those horrible American intelligence services. So you should use ours, right here in Germany, right here in France. And that’s what this – that’s one of the most significant, serious, other than the actual intelligence loss in the estimated $3 billion of mitigation costs we’re going to have to go through to try to protect systems and communication gear that he stole, the understanding of that communication that he stole that will impact our ability to continue to guarantee their safety and security so you have that problem. And now you have this whole problem that the EU is using to try to push American businesses off the shore of Europe based on this issue. And you also have Russia and China now saying, see, we’ve been telling you for years we should control the Internet, right? How many feel safe that China and Russia will be controlling your Internet? All right. One guy. One guy. See me after.

I mean, it is really a bad idea. So now we’re fighting all of this, all at the same time. So it has had a significant impact on us. It certainly has slowed down our legislative debate. I mean, it’s really I think hindered that. You have this EU problem where they’re now trying to capitalize and make this a pro-EU business model so they can compete against the Amazon and Google and great American companies.

It is serious and significant for somebody who decided all on their own, took advantage of none of the opportunities to come forward so I have some concerns – who, by the way, didn’t even understand the programs which he stole. Some notion that he is some kind of guru intelligence expert is laughable. He is your IT guy, right? And does your IT guy understand the business end of your business? Probably not. He understands how to move information. I always equate it to the guy that figured out how to rob the bank and we decide we’re going to make him the person who discusses high finance in the global spectrum because he figured out how to steal $10,000 from a bank. I mean, it’s really just kind of a laughable frustrating experience that we find ourselves in for a guy who, you know, as I said in the loving arms of an FSB agent in Moscow.

MR. DANIELS: General.

REP. ROGERS: I don’t feel strongly about that either.

MR. DANIELS: General, what’s your response to the hating and the damage and the situation we find ourselves in?

GEN. HAYDEN: Greatest hemorrhaging of legitimate American secrets in the history of the republic, period. Nothing else is in the same area code. It hurt us on three levels. Already discussed operationally, okay? We’re less capable. Look, signals – all intelligence but signals intelligence especially. It’s a race, all right? All advantage is transient. You get ahead, they catch up. You’ve broken into a network, you’re really good. They decide to go from 2.0 to 2.1 for their operating system, not because they want to be secured, just most convenient. You lose coverage, you’ve got to recover it, all right? So it’s always that way.

But what Snowden has done is taken the advantage we currently enjoy and collapsed it. So now we have a donut here or a bathtub in collection, okay? We’ll recover – $10 billion was the number, all right? Ten billion to recover. But it will be harder to recover. It will take longer and it may not be as complete because now our target is just better informed, all right? So operational costs.

Second is – and I look at the ambassador here – the second is in our relationship with foreign countries. And here, I would tell you the core harm to our relationship to foreign countries is not the political tumult up here in the morning paper. It’s bad enough, and it hurts things, and it makes it more difficult for foreign countries to do things they really want to do with us because of the political cost back at home. I’m not really talking about that.

I’m talking about the relationships that matter over the long term, the intelligence relationships between likeminded democracies, okay? Why would anyone enter into a sensitive relationship with an American intelligence service to do something that was – that was politically edgy, in which the success would be dependent upon American discretion? I mean, the conclusion they’ve got to draw is you guys can’t keep anything secret. Why would I cooperate with you? So you’ve got the operational impact on us.

You’ve got the operational impact on our intelligence relationships to then finally – and the chairman just suggested this, the finally the great impact on American companies who have done nothing for the National Security Agency than other companies operating in other countries do willingly for those their host governments when they are compelled to do so by host country law. It’s no different. Ours are just the ones that have been dimed out.

One more point and I think the chairman will agree. The Snowden leaks have been fundamentally targeted against three signals intelligence organizations: the American NSA, the British GCHQ, and the Australian Signals Directorate, all right? ASD, GCHQ, and NSA, those are the ones that have been dimed out. Those are the three signals intelligence services in the world who are most transparent and most responsible to – most responsive to parliamentary and congressional oversight. It’s a tremendous irony.

Fourth damage from Snowden, and the chairman alluded to it. There’s an organization called the ITU, International and Telecommunications Union. At their conference in Dubai last December, December 2012, the people who opposed the Internet because of the nature of the Internet, the free movement of ideas and people and thoughts and commerce, China or Russia, Iran, Saudi Arabia made a run at Internet governance to take it away from the whole – the American dominated coalition of the willing and organization like ICANN and give it to the ITU, in other words, to take the kinds of barriers we’ve become accustomed to in physical space, things called borders and visas and passports, and transfer them up into cyberspace, into this borderless domain.

Eric Schmidt of Google wrote a book two or three years ago called “The New Digital Age,” in which he predicted digital passports and digital visas. And I don’t mean going online to get a visa from your next country of visit, I mean requiring a visa to go to dot.ch or, more critically, requiring a visa to leave dot.ch and going into the – and if you don’t think this is true, we are already – you’ve suggested it, we are already beginning to see digital residency requirements. In other words, if you’re my cloud service provider, you can’t keep my ones and zeroes anywhere other than my sovereign space. That actually, because the Snowden revelations will allow those kinds of people to say, you see, the Americans weren’t interested in Internet freedom and freedom of speech. The American just wanted a free fire zone for their espionage. And that’s going to put wind in the sales of the Russians, the Chinese, the Iranians, the Syrians, the Saudis and others. They’re meeting again in Pusan in the fall, okay? Remember the Internet as you know it now? Well, remember it because it could go away.

MR. DANIELS: Up next –

REP. ROGERS: There will be drinks served in just a few moments to get you through your day.

MR. DANIELS: That’s next up on our agenda for the center is Internet governance so great point. Okay. We’ve got a few more minutes. We could talk forever. This has been wonderful. But let’s open it up for a couple of questions. We do need to close up at 10:00 a.m. So identify yourself, your organization, please. Do we have questions? In the back.

Q: (Off mic.) I have a question on the – (off mic) – at the Senate Select Committees here and last week, there seem to be some pretty significant pushback from the representative of Verizon regarding holding on to records. For Mr. Rogers, are you concerned about putting some potentially burdensome new regulation in forms of potential requirements on telecommunications companies? And for General Hayden, can you tell us a little bit about what a 215 program would look like? Pardon me?

GEN. HAYDEN: Going forward?

Q: Yeah. Going forward under that legislation where you had to go to individual telecoms potentially several times to do those two or three ops.

REP. ROGERS: One of the things we discussed yesterday in our meeting was that – one of those very issues was – or one of the many issues was this notion, do we have to – does the government have to require the companies to keep the information? Under the current way that they practice business, they keep those business records for their – for their own benefit. But, over time, that model will change. We don’t build by – you know, Mike Rogers calling Mike Hayden. Those days are long past us.

And so we think over time that they’re going to try to change the way that they provide or would even store information related to one call to another call. And, again, it’s important to remember that all of that information is anonymized. So there is no name and no address even when the NSA had the information, which was another point that was just significantly lost in the whole –

GEN. HAYDEN: Nor was it geo-located.

REP. ROGERS: Yeah. Exactly. So you could find or where they are driving through – all of that was wrong, just absolutely wrong. So we’re looking at it. I think the Senate is in a different place. The bill that passed the House did not have those requirements. I think we ought to leave it as it is. I can see the Senate’s perspective that they want to put in some requirements. So we’re going to have to work through that the next, you know, couple of weeks to see what that would look like.

I’m very worried about putting an extra-burden on the companies. Right now, the way they do it, it wouldn’t be a burden. They keep it for their own purposes and own benefit. But, moving forward, it could be a burden because they don’t need to necessarily keep it in that form and function.

GEN. HAYDEN: Operationally – we put aside the comfort level thing and so on. Operationally, I like the bill. All right? Let me tell you why. When we first started this after 9/11, first of all, it was never exhaustive, all right? And there’s operational security so you don’t go out there at every mom and pop who’s providing phone service and begin this relationship with regard to metadata because you’re just tempting fate that it becomes public, and, thereby, known to the enemy, which is really what you’re trying to prevent. So it’s never exhaustive.

But in 2002, 2003, 2004, more of your phone calls than now were land lined and were build the way the chairman said they were built. As timeline forward, more and more of us are just using cell phones. And NSA wasn’t getting the cell phone stuff. The companies just – as the chairman says, companies just weren’t set up to record that as business records. And this is what these were, business records.

So by the time of the Snowden link, NSA was probably in the 30 percent range of American phone activity on any given day, that it brought in and put in its own repository. No. And your own repository is kind of cool. You don’t have to go to three or four. You don’t have to hop across companies. You can do it immediately. I mean, there’s operational agility. We are giving up a lot of the operational agility because you’ve got to go to the companies. You’ve got to chain it across the companies and so on. And in return though, we get access, not possession, but we get access to a data pool that’s exhaustive.

And so when the query is now made, it’s no longer a sampling, which is really kind of where it was with 30 percent of the data. It’s far more – far more confirmatory as to whether you got a positive or a negative here. So, again, operationally, you lose time, you lose agility, more comprehensive. I’ll take it.

MR. DANIELS: We’ve got time for one more question. Yes, ma’am.

Q: Thank you. Lia Liu (ph) from Voice of America. We know that the U.S. Justice Department has indicted five PLA officers for cyberhacking. We also know the Chinese have retaliated. They have taken actions. Ever since you mentioned – (inaudible) – which identified the PLA unit that’s been doing all these things, we also have reports that came out recently that say they haven’t stopped the activities.

So I’m just wondering, just to make one point. I think former NSA – no, former National Security Adviser Stephen Hadley recently said – in a panel saying that he doesn’t believe that indicting this PLA officers is the best way to deal with this problem. So I’m just wondering if you can share with us what do you think it’s the best to deal with this, what the U.S. will do and should do?

REP. ROGERS: A couple of things. First of all, as a broader plan, indictments, visa restrictions, financial sanctions on individuals determined I think can work, but it can’t work if you don’t have a good defense first. So for those of us who have looked at a whole series of ways of trying to get at this problem, including duties on products known to be stolen or developed on stolen intellectual property coming back into the marketplace, there was a whole host of things that we came up with, one of which was this notion that why don’t we indict some of these individuals to try to get the Chinese government to back off on their problem.

And the reason this was getting so critical is because capitalism was alive and well into the military intelligence services in China. We had individuals who were during the day working for the government and they would get lists of what companies to go steal their intellectual property from. That was their job. They’d go out and do it. They realized, and very cleverly figured out, you know, there’s some people way down on that list that we’re not going to get to for a while. What if I call them and say, you know what? I’m free from, whatever – 7:00 p.m. to 6:00 a.m. and I have my weekends off. You pay me cash, I’ll go work on that problem for you. And so we had this huge surge of economic espionage in a way that we hadn’t seen in the past. So it was a problem.

You know, this is a double-edge sword. I’m glad they did something, the administration. I’m happy to see them take it serious enough to do this. The problem was it’s you have to either approach it holistically or we’re in trouble. The first people who are going to experience trouble from this – and, by the way, this hasn’t slowed the Chinese military services and intelligence services down a fraction of a second and not even a little bit because it’s so valuable and there’s no real price to pay for it.

We needed to have something to defend our networks. That’s why I argued, put your defenses in. You know, I always say, if you’re going to go punch your neighbor in the nose, best to hit the weight room first a little bit because you know you’re going to get punched back. And what happened – what we’re seeing now is we’re getting punched back and our private sector is absolutely vulnerable to what this is a huge and increasing threat level.

And so, again, it had to be done. It was great. I think it made a great headline. The problem was it wasn’t holistic in its approach. It has to be – if we’re going to get after this problem, it has to be holistic.

And, by the way, we also need our international partners to start putting pressure on China in any bilateral agreement, I don’t care what we’re talking about. Human rights is absolutely important, completely agree. But the first three ought to be economic espionage, economic espionage, economic espionage. Then, let’s have the next conversation. If we don’t do that in a unified way for any economy in the world that has intellectual property or an innovative economy as its way forward, we are going to lose thousands of jobs, thousands of opportunities, and, candidly, we’ll put America in an economic disadvantage in the next generation. That I don’t think we can stand for.

MR. DANIELS: General.

GEN. HAYDEN: Yeah, very briefly. I strongly agree that the indictments are great as long as they’re not a one-off. They’ve got to be part of an entire package. It’s visas; it’s licenses; it gets to trade and dollars; it gets – who gets to be listed on the New York Stock Exchange; it’s how many Chinese students get to go to what universities for what degrees.

Chinese cyber behavior I believe is now the core element of the Sino-American relationship. It has the potential to poison the entire relationship. And so we have got to signal for the Chinese – and this is a signal, – signal to the Chinese how very important we view this to be. Now, look, I ran NSA for six years. We spy too. We’re actually better at it than they are, okay? But we spy to keep you free and keep you safe. We do not spy to make you rich, and the Chinese are off the chart in the spying to make you rich category. And it has done for raw economic advantage, not for anything that you and I would consider to be legitimate national security.

And so I do think left unrestricted, there will be horrible consequences for both us and the Chinese because the relationship will tank. And so I support the indictments as long as it’s the first of many like steps going forward.

MR. DANIELS: Let’s thank this morning’s panelists, General Hayden and Chairman Mike Rogers. (Applause.)

GEN. HAYDEN: Thank you.

(Break.)

MR. EISENACH: And let me ask folks to kind of move back in the direction of their seats here. We’ve got a full program and we’re going to try to stay more or less on time.

I will say on a – first of all, I want to thank our prior panel – Chairman Rogers and General Alexander, Mike Daniels – did a fabulous job kind of setting the stage for us. One of the things that Mike Rogers said, you know, I think it’s something that is of concern to everybody involved in this debate and that is it just seems hard to get kind of the average person on the street to pay attention to the scope and the depth and the real significance of the cybersecurity problem.

But I just came across something on the Internet that suggests to me that that problem may soon be solved. This is a headline from Bloomberg yesterday. The headline is “Even Toilets Aren’t Safe as Hackers Target Home Devices.” So I just want people to be aware of this concern. Those watching at home should know that Trustwave, a Chicago company, according to Bloomberg, that helps corporate clients fight cybercrime, hijacked a Bluetooth connection that controls toilets made by Japan’s Lixil group that could allow hackers to open or close the lid and even squirt a stream of water at the users behind. So if that doesn’t bring the cybersecurity problem home to everybody, I don’t know what will. So with that light interlude, we can get back to serious business and introduce our next panel.

Shane Tews is a visiting fellow with AEI’s Center for Internet Communications and Technology Policy. She is known, I think, to many people in this room and watching online, anyone who has been involved in the set of issues that we’re talking about today. Shane directs our Cybersecurity and Internet Governance Initiative. She also serves as chief policy officer at 463 Communications, vice chair of the board of directors of the Internet Education Foundation. She served on a number of boards of directors of organizations like the European-American Business Council and the TechNet Public Policy Committee, which she chaired. And for many years served as vice president of global public policy and government relations for Verizon, which, of course, is the heart of the Internet. We are very, very pleased to have Shane working with AEI on our efforts in this arena. And I am delighted to introduce her to moderate our next panel. Shane. (Applause.)

SHANE TEWS: Thank you. I’m official now. Just, I know you had some time to grab coffee. All the generals are currently out of the room if you want to take your jacket off for a minute and feel free. You know, that talk was really educational and it freaked me out a little bit so let’s just keep in mind that while we usually use the Internet for watching cat videos, and I’d like the Chinese to be sending us like – they’re watching more Siamese. The tabbies are going down. I’m sure that would make me feel a lot better about some of this stuff.

So, seriously, thank you for spending your morning with us on this very serious topic. As Jeff mentioned, we’re doing cybersecurity and Internet governance. Both are very near and dear to my heart because you really can’t have one without the other. And the other key element to that is privacy. And, you know, we’re also going to be doing some work in the privacy area. But as many of us in this space are always prone to say, you really can’t have privacy without security. So that’s going to be part of the discussion that we’re going to be having with this panel this morning.

You know, I’m a huge believer on the sharing economy. I Uber-ed (sp) home last night, while I was sitting here, I checked my Nest to make sure that I was away and not spending more money on energy than I had to. I listened to a podcast as I walked to work this morning. I watched a news report when I got home because I didn’t get to see the news because I was with, you know, a group for dinner. This morning, I’ve Tweeted, Facebooked– (inaudible) – and Instagrammed, so, you know, it’s one of those things where we do share a lot of information, and you need to understand that, you know, we need to educate all users. I’m a very educated user but we need to keep the Internet a secure place so in 2020 we’re not saying, remember when the Internet was cool? We used to get to do all this stuff and I used to bank on it and I used to use Amazon for everything?

So part of what our challenge is is to make sure that we’re keeping it secure by teaching each other how to use it wisely at every level, the enterprise level. The government is doing their best to educate people, as well as from individual user level, and, you know, of the information that you’re sharing whenever you’re transacting, communicating and shopping online.

So this is meant to be an open dialogue. I’m going to introduce our panelists with some brief introductions. And then I want you guys to be thinking about what you want to talk to them about after this.

So I’m going to start with Robert Dix. Bob is the vice president of government affairs and critical infrastructure protection for Juniper Networks. He has served as the chair of the Partnership for Critical Infrastructure Security since 2011. Before that, he served as chair of the Information Technology Sector Coordinating Council from 2008 to 2010. And his résumé goes on from there. So we’re very happy to have you, Bob, and I’m going to have you open here just in a second when I introduce everyone else.

Chris Painter – thanks for joining us, Chris – is the U.S. Secretary of State’s first coordinator for cyber issues. In his role, he coordinates and leads the U.S. diplomacy efforts to advance the open and reliable Internet and protect the information infrastructure. He works with the components across government agencies, private sector and civil society to implement the president’s international strategy for cyberspace.

Commissioner Ohlhausen, thank you so much for joining us this morning. She was sworn in as the commissioner for the Federal Trade Commission in April of 2002. She has extensive experience working in privacy, data protection, and cybersecurity. And she worked for the FTC for 11 years before her appointment as a commissioner. So I’m very comforted in knowing that she knows what’s important there and how to get it done.

Jeremy Rabkin is an adjunct scholar at the American Enterprise Institute and a member of AEI’s Council of Academic Advisers. He is a professor of law at George Mason University, and before this joined the George Mason faculty. He was at Cornell University for 27 years. Mr. Rabkin is a renounced scholar in international law and a member of the board of directors for the United States Institute of Peace and Center for Individual Rights.

So this is our panel that we’re going to have a discussion and a dialogue with this morning. Bob, if you have any opening comments, and we’ll go from there.

ROBERT DIX: Well, thank you. First, thanks for inviting me and thanks to each of you for joining us for this discussion and dialogue. I think this is a key and critical part of how we try and move the needle on some of these discussions. So I’m just going to take a couple of minutes and identify a couple of issues and then a couple of solutions that will hopefully tee up some of our conversation throughout the course of the day.

So, first of all, let’s understand that cybersecurity and critical infrastructure protection is about risk management. It’s global, and the threat environment is continuing to grow. We have a responsibility to equip users of all levels of sophistication with knowledge to make informed risk management decisions. It’s essential to improve our national and global risk profile.

Secondly, I would make the statement that I believe in many cases we’re having the wrong conversations in this town. There are significant gaps that will help inform this process that are absent in our national conversation today, both at the – at the government and administration level and, in many cases, in Congress.

And here are those two issues: economics, the economics of cybersecurity. We are confronted with a different dynamic today. I’ve made this argument before that never before in our history has there been an expectation from the government that companies and industry are responsible for fighting against nation-states and terrorist organizations who are attacking their organizations. Think about that for a minute. And that’s what we’re confronted with today. So there’s a certain amount of risk management that in my company I need to invest in to meet my requirements but there’s a national security part of that risk that no one is having a conversation about or the responsibility for.

The second is companies and organizations make their risk management decisions based on two critical items. One is cost – that’s the economics I just talked about – and the second is knowledge of threat. And I’ll argue that that’s true in physical security as well. People make decisions about putting in cameras, putting security guards, putting bollards out front, make those kinds of decisions based on knowledge of threat and how to protect their assets. The same thing applies in cyber and, as the previous panel talked about, we have a long way to go to share relevant timely, reliable, and actionable threat intelligence with the user community to make informed risk management decisions.

So, quickly, a couple of things we could be doing tomorrow. One, I think all of us in this room would agree that nobody wants to have their identity stolen. No small business wants to have their website defaced. No large enterprise wants their business disrupted. A lot of people want to do the right thing but a lot of people don’t know what that right thing is. And with limited resources, we have a duty and responsibility, I believe, to help educate the stakeholder community on steps they can take to better protect themselves in cyberspace, a national education awareness campaign that would include government, that would include the private sector, the academic community, the non-profit community, and we can talk about that a little bit more later about how we might put something like that together.

The second thing we need to do differently is, as we sit here today, we do not have an effective joint, integrated, public-private operational capability around cybersecurity to improve our ability to detect, prevent, mitigate. I characterize it as the equivalent of a national weather service or a center for disease control for cyber, where we have data feeds with the appropriate analysis and collaboration to be able to identify patterns and trends of bad behavior, to issue alerts, and warnings, and recommended protective measures. We’ve gotten better through the use of technology at predicting hurricanes, and giving people a heads up, and issuing alerts and warnings. We ought to be able to do the same thing around cybersecurity so that we improve our ability to detect, prevent and mitigate as opposed to spending most of our time and resources, like we do today, in response and recovery. I look forward to the conversation.

MS. TEWS: Thanks, Bob.

Chris?

CHRISTOPHER PAINTER: So I’m from the State Department so I’m going to concentrate a little bit on the international angle. But I should also say that I’ve been involved in this, in cyber issues in some way for about 22 years now, and I started as a prosecutor, a prosecuting – federal prosecutor prosecuting cybercrime cases. I worked on what’s called the Comprehensive National Cyber Initiative that happened in the early 2000s – or late 2000s. And then, I was at the White House, where we worked on the international strategy and also our cyber policy and our cyber review, prompted in part because President Obama’s campaign, among others, had been hacked into so he was keenly aware of some of the issues involved. And now I’m at the State Department concentrating on our international issues.

And I’d say that, you know, that perspective has shown me a couple of things. First, you know, obviously – and you’ve heard this from the panel before – that the threat is clearly increasing and the threat is increasing from a number of different actors, the technical threat, whether it’s denial of service attacks that you see against our financial institutions, our intrusions that steal intellectual property or the specter of attacks against critical infrastructure, which though hasn’t really happened yet, it’s something we’re concerned about. That’s certainly increasing. The number of actors are not just the cybercriminals but nation-states and others and it’s a variety of threats on the technical side out there and there’s a number of responses that we’ve been working on to try to meet those.

But we’re also looking at a number of policy threats internationally. So, you know, you said, and I completely agree with you, that the idea of Internet governance and cybersecurity and cybercrime, fighting cybercrime and even Internet freedom and all these issues are very, very closely bound up. They’re not separate silos and you really can’t look at them that way, especially when you’re trying to do these policies internationally.

And some of the challenges we’ve seen internationally are, one – you know, some states, more repressive states, who have a whole different view of the Internet, who want to draw boundaries around it and who want to, in the name sometimes of cybersecurity, control the content that’s happening on their space, which has vast economic dimensions as well as social dimensions. You have those who want to have – you know, when they talk about cybersecurity, they’re really talking about information security, again, controlling the information.

But you also have some of the challenges of working with countries around the world, particularly the developing world to develop good policies, to develop good institutions, much like we’ve been doing in the United States. So you have that range of policy choices and challenges.

And what we’ve been focusing on in my group at the State Department, which is relatively new now, we’re about three years old – is focusing on all those different aspects, all these different buckets, including Internet freedom issues, including Internet governance issues, but also, very importantly, cybersecurity – what we call cybersecurity due diligence issues. This is building institutions, national strategies, cooperative networks among countries, which helps us because it also helps us respond to threats that are coming from around the world. And then, cybercrime, trying to fight that by building better legal structures, working with countries to do that, building cooperative networks.

And then, finally, this area of international security which also has an effect on protecting all of us because it’s trying to avoid, you know, what many people talk about, cyber conflict, by having some rules of the road. Actually, we came to this conclusion recently that – we were able to come to the conclusion with countries like China, Russia and 15 others in this U.N. group of government experts that international law applies in cyberspace just like it does in the physical world. And that actually makes a big difference. It sets some rules, some boundaries and has a more stabilizing effect. And we’ve been working on what’s called confidence building measures, something you can from the nuclear era, but, you know, transparency and confidence building measures to try to build these more cooperative networks.

A good example is when we had the denial of service attacks that were hitting our financial institutions, we reached out through our USR (ph) colleagues, our technical colleagues, but we also reached out diplomatically to get countries in the game, to get them to understand the importance of these issues and to try to build this norm of collaboration against common threats.

I will also say just on the domestic side, something I’ve seen that’s been real transformative is that it used to be this was a very boutique niche issue where you talked to people and if you’re talking to a senior policymaker, and, with few exceptions, who actually understood these issues, people’s eyes will roll back into their heads, they’d run screaming from the room. They just didn’t understand it. There was a technical issue. They said, well, I’ll let the technologists deal with it. And that’s really not the answer.

These are really major economic policy issues, national security policy issues, and social policy issues, and human rights issues. And, increasingly, particularly in the U.S., over the last few years, that has really hit home. And senior policymakers both on the government side and the business side I think are now – and it’s not perfect yet but certainly I think this is now seen as a very major policy issue, which is evidenced by things like the international strategy that was put out a couple of years ago and really a lot more resources and attention being devoted to this.

I’m not as skeptical as Bob is on these issues. I do think we’ve come a long way domestically in building things at DHS, like the National Cyber Integration Center that does have industry working with the government. We had dealt more with situational awareness. Clearly, there’s further work to do. But I think we’re on the right glide path and I think both internationally and domestically, there’s a lot of effort in our realm. So, with that, I’ll stop and save more for questions.

MS. TEWS: Great. Thanks, Chris.

Commissioner?

MAUREEN OHLHAUSEN: Well, thank you everyone for coming and to the American Enterprise Institute for having me. I’m delighted to speak on these topics. But I should mention my views are just my own, not necessarily those of the commission.

And regarding the FTC’s role in cybersecurity, just to be clear, our jurisdiction is over commercial entities and their privacy and data security practices, not other parts of the U.S. government. But as the nation’s consumer protection agency, we’ve played a long and active role in protecting consumers’ privacy and data security online. Shane mentioned my long history at the FTC. I actually worked for a commissioner back when we brought the first – the FTC brought the first online privacy case against GeoCities for not – can anyone remember GeoCities? Anyway, back in the day, right? Dan, you worked with me then.

So, anyway, so our approach is twofold under our FTC authority. The first is companies that make promises regarding their privacy practices, what information they collect, how they use it, with whom they share it are held to those promises so the FTC can bring an enforcement action if they make a promise and they don’t adhere to it. And then, secondly, we have unfairness authority, which doesn’t look at whether there was a promise to a consumer but rather whether the practice, the company is causing substantial harm. And under that authority, we’ve brought about 50 cases so far.

And our standard is that companies need to take reasonable precautions to protect the consumer, the sensitive or personal data that they hold through consumers, information that if reached could lead to identity theft, that could lead to people getting information about people’s medical conditions, things like that.

And so we’re primarily a law enforcement agency. We’ve brought over 100 cases in the deception – privacy deception area and about 50 cases in data security. But we try to use all of our tools. We really have – we’re fortunate now. We have sort of a large toolbox as an agency. And so we often do a lot of policy work, research. We have – we hold public workshops. We get information from academics, from consumer groups, and we try to use this to educate ourselves as a commission and also to do a little bit of education of other policymakers.

And so we try to maximize our impact also by giving guidance to business, because, really, we’re all better off if a business starts to understand what some of the – what some of the obligations are, what are some of the steps they can take to better protect consumers’ information. And they take those steps so they’re better off. They’re not getting in trouble. Consumers are better off, and certainly the FTC is better off because it preserves our limited resources.

And then we also engage a lot in consumer education so that consumers can take the steps to try to better protect their privacy, their data security so they don’t make themselves vulnerable. So we’ve got a lot of tips out there across a wide variety of things. You know, if you’re in a – you’re using public WiFi, what kind of steps should you take as a consumer? What you should do – we provide a lot of information for consumers, if they’ve been victims of identity theft or they fear they might be a victim of identity theft, what kind of steps should they take to remedy that?

And then, finally, the FTC is also very actively engaged on the international front. We talk to countries all around the world involving privacy and data security. We’re very actively engaged with the Europeans, talking about the safe harbor that we have between the U.S. and Europe for sharing data. I was recently in China a couple of weeks ago. I was meeting with them to talk about consumer privacy issues which they’re just starting to pay attention to. We’re actively engaged in (APEC ?) and their privacy framework.

Then one last thing that I wanted to mention: while privacy and security in a lot of ways overlap – there’s an important overlap. If you provide security for consumers’ information, you help protect their privacy. But also, in some ways, they can be in tension with each other. And we addressed this a little bit recently in our data brokers report that the commission issues because one of the things that helps protect consumers’ security is authentication. Are you really who you say you are? Are you the person who’s supposed to get access to this data? And so, for some of that, consumers needs to share a little bit more of their information to make sure that whoever is getting access to that service, to that deeper pot of information is who they say they are. So this one thing I like to keep in mind that often they overlap, but, occasionally, you know, there’s this balancing and we need to consider that as draw the policy lines in the right place.

MS. TEWS: Thank you, Commissioner.

Jeremy?

JEREMY RABKIN: Well, I guess – I think of it now that I’m here to push back on the State Department.

We’ve had in the 21st century this new arrangement, Cyber Command, and that was recognizing that cyber is a domain of conflict. I think the first thing we ought to think about is what is it like, and it’s pretty obviously it’s not like the land conflict. I don’t think it’s really like bombing with the Air Force or with missiles. But it has a lot in common with the Navy.

And I bring that up because, historically, this was one of our most important international commitments to preserve freedom of the seas. This is a complaint we have right at the beginning of the “Declaration of Independence,” after our gaining independence; our first foreign conflict as a naval war with France to protect American shipping; interventions against the Barbary pirates to protect American shipping. In 1812 and in 1917, we go to war and the main reason we give is interference with freedom of the seas.

This has historically been something very important. It is very analogous to cyber in the sense of what we were trying to protect was access to open commerce, using this open domain of the high seas. International law is very relevant to that. I agree.

But if you think about how we’ve done this historically, we haven’t just said, we want access to the sea, and we want everyone to have access to the sea, and we’re just going to keep repeating that. When really we felt this was challenged, we were prepared to use force.

I think there are two things about cyber that I want to just briefly put on the table and give some emphasis to.

The first is you can say whatever you want about apocalyptic scenarios in which cyber is used to shut down our electric grid. If you look up this phrase, “cyber Pearl Harbor,” you get – I don’t know – 800,000 hits. Everyone loves that phrase, “cyber Pearl Harbor,” we’ll be incapacitated by this strategic cyberstrike.

Well, put that aside. Historically, what bothered us about attacks on the seas was not that you knock out the American fleet at Pearl Harbor. That happened once. What we were generally concerned about was interference with private commerce. And that threat is not speculative. It’s not remote. It’s here now. General Hayden said this morning, this is the largest transfer of wealth in world history from theft of intellectual property, from attacks on American business. This is a huge problem. It is with us now. Why aren’t we responding more?

And I just want to emphasize two things about the history of how we’ve used force on the seas. One is we were prepared to hit back. And one of the reasons why Navies have been thought to be a good investment is it’s a way of deploying force without actually invading and occupying another country. With that lower level conflict with the Navy, cyber gives you that opportunity. We should be thinking more about retaliating I think or at least threatening to retaliate on countries that are sponsoring all these attacks on American business.

And the second thing we should be thinking about is private participation. Historically, we authorized private ship captains to raid enemy commerce and that was a way of saying we want to have more force than just our official Navy. In the world wars, we authorized merchant ships to arm themselves and to use radar to help find U-boats. And that was a way of saying, we realize you’re vulnerable out there. We can’t fully protect you with our Navy. You have to do more to protect yourselves. And when there is a specific threat, we’re authorizing you to retaliate against the specific threat, not to make a whole world your own but to protect your ship and ships in a convoy with you.

We really don’t talk about this at all. And to the extent that it’s talked about, there’s now a whole body of literature, no, no, no, international law doesn’t allow this. I think people need to think more about the context in which cyber presents these issues to us. If you think of them more as like historic challenges on the seas, international law hasn’t stood in the way of dealing with pirates on the seas. International law hasn’t stood in the way of dealing with threats out on the seas. The cyber domain is much more like that I think than it is like land conflict.

But before I leave, let me just remind you – probably many of you know this: 18 U.S.C. 1030(a) makes it a crime to, quote, “intentionally access a computer without authorization, and, thereby, obtain information from any protect computer.” Protected is all private computers. So the current U.S. code says even if a private company just tries to do a little bit of probing who is attacking us, that is a crime. So we ought to be finding ways to make it easier for ordinary private companies but for certainly specialized researchers to do more probing of who is out there and where in China does this start, or Russia or whatever it may be.

And I think that’s a simple and easy way of getting ourselves going in this to make it easier for at least the private sector to start gathering information which then maybe the government can use in more effective – I used the word pushback before but now I’m talking about hit back. Maybe the State Department won’t like it but it’s worth thinking about it.

MS. TEWS: Thanks, Jeremy. So would Twitter be our auxiliary Coast Guard? I mean, is that where we go to tell people that there’s an attack? I mean, like I’m going with the law of the sea here. I’m just thinking maybe Twitter is our auxiliary Coast Guard. That’s where you as a citizen can go to let people know that things are going on, just a thought for the group.

MR. RABKIN: This is not a joke, right?

MS. TEWS: I’m kind of serious. Yeah.

MR. RABKIN: Yeah.

MS. TEWS: So it gets actually more to what I want to talk about is information sharing, which is how do we, as people that use the medium, and there’s obviously multiple layers to the network and how it’s processed and how we need to protect it.

And, Bob, picking up on something that you talked about, about the need for analytics on data feeds, similar to the CDC or the weather, and I think we probably all know more about the weather now than we did when we just had to experience the weather. Like the weather just – you know, in D.C., I’m still amazed that like when it snows or rains, people freak out like it’s never happened before but the – you know, it’s how do we as a community of Internet users that want to keep the Internet healthy, what are the toolsets and what can we do as both the enterprise, the government, and individual consumers to help keep this medium healthy as – I mean, using the idea of your analytics. Do you have some ideas on that?

MR. DIX: I always have ideas on this topical area. So let me first give a couple of examples that follows on to what you described. And look, I don’t want to sound skeptical. I want to be realistic, okay? And while I think there are a lot of good and decent men and women working in the Department of Homeland Security and other agencies of the government, the complete lack of coordination that exists today is doing damage to our country. And we need to cure that. We need to cure it today. And it requires leadership and it needs to – we need to move away from this stove piped approach that we have had and continue to have. And we need to move away from this need to know mentality to more of a duty to share and responsibility to share ideas.

So let me give you an example of what I’m talking about. Good and decent people are trying to do the right thing but heading in the wrong direction. So the United States Department of Homeland Security has this NCCIC that Chris referred to, the National Cybersecurity and Communications Integration Center. The people in that organization are doing good work, go around town making speeches about the fact that they have issued 400,000 alerts or threat indicators over the last 18 months. That’s the metric.

Somebody needs to take those 400,000 threat indicators and do some analysis around those and figure out what are the top four or five threat vectors that are being utilized by the adversary, and what are the protective measures had they been in place would have either reduced the impact or prevented the event in the first place. But the metric is how many indicators did we push out not what’s the actionable outcome that’s derived from the analysis that’s attached to that. That’s a huge gap, in my opinion, ladies and gentlemen. And we should be able to do better.

Now, in the private sector, because there are so many barriers to this bi- directional information sharing capability – and, by the way, the end game isn’t sharing the information. The end game is to create timely, reliable and actionable situational awareness to inform risk management decision making. You know, some people think if we just share information, that’s the end of it. It’s not. The analysis and collaboration has to go along with it.

So in a private sector, we have taken a lot of steps all the way back to the issue, until Presidential Decision Directive 63 in 1998 that precipitated the creation of information sharing and analysis centers, industry self-organized information sharing and analysis capabilities across the critical infrastructure owner and operator community. Now, some are more mature than others but there’s great work that’s being done there to get ahead of the curve, to improve detection, prevention and mitigation.

I’ll take one more second because I like to use examples because I – you can’t make this stuff up, right? You just can’t. So five years ago, five years ago, the White House asked the president’s NSTAC to take a look at the need for feasibility of and impediments to this notion of a joint integrated public-private operational capability around cyber. We did that. We provided a report to the White House and we demonstrated a three-phased approach to create what is supposed to be the NCCIC today but is not.

But in the course of that, we decided to do a pilot project to prove how it could work in the private sector. So four sectors: information technology, communications, financial services, and the defense industrial base created a capability using a relational database with anonymized data to draw information from each of the sectors into a central location with an analyst that looked at that to try and detect patterns and trends of anomalous or abnormal behavior, and when detected, to issue alerts and warnings to the stakeholder community across those sectors. It won’t surprise you just by virtue that I’m using the example that we were empirically able to demonstrate the ability to derive information that may have originated in the defense sector that may have an impact in the financial services sector.

Ladies and gentlemen, that’s the kind of capability we need to have in this country today instead of spending all of our resources in responding and recovering once we’ve been hacked. We need to get ahead of this curve. We need to change the economic model for the bad guys. And we can do it. We can do it. We need some leadership and we need some greater coordination than what we have out there today. And the private sector is happy to be a part of the solution. I think most of our government partners are as well but we need a better model of coordination that gets us all headed in the right direction, and we need it today.

MS. TEWS: Chris, you have a few comments?

MR. PAINTER: So a couple of things. You know, again, I think what I’ve seen is far better coordination among government agencies than I’ve ever seen in my career before. And that’s really been in the last few years, and both at the high level and the lower level. And I do think there’s been a lot of things, including – you know, I agree that the metric is not how many warnings you send out but there’s more targeted outreach to industry with respect to certain threats that has been done both at – you know, at various different levels in the government. There has been work through something called the Defense Industrial Base Project to actually work with sectors of industry to help them protect themselves better.

These are all evolving things, and they’re going to continue to evolve because when we talk about the threats that are out there, it’s not just, you know, hitting back. It is actually doing a hell of a lot better job at defense. And that’s not just a government issue. That is a private sector issue too, because as the private sector says all the time – and it’s true – they control most of the infrastructure.

So I do agree there’s more to be done in this area. There’s more to make those warnings to prioritize those warnings and say which ones matter. And there’s been some good work being done by, for instance, Jane Lute who’s out now talking about the five things you need to do, the minimal things, and we get rid of 80 percent of the problems. I think there’s a lot more work and a lot more research that need to be put in there. But I do see a lot more coordination than ever before.

One some of the points about – you know, first, the problem with analogies is they suck. Analogies don’t apply. And trying to apply a physical world analogy to cyberspace – I’ve heard this for like 15 years. They never work. There are so many differences in terms of who owns the infrastructure, where the infrastructure is, the fact – you know, trying to compare to the physical world and say, you don’t get a launch – (inaudible) – when there’s a cyberattack. You don’t have the attribution that you can normally do.

So I think, first – you know, I wasn’t saying – what I was saying about international law, there are countries who believe that no international law applied, period, full stop. So it meant that, you know, if you got to that very high threshold of cyberconflict, which is admittedly high, that things like distinction, proportionality and the things that have guided us in the physical world for the 20th century wouldn’t apply to cyberspace, which means they have freedom of action to do whatever the hell they want. And that’s dangerous. And getting an agreement that that applies is a constraining thing, not an enabling thing. So I think that’s helpful.

On the hitting back issue though, the problem with that is that, what are you hitting back again? The problem with cyberspace – if you’re a smart attacker, you’re going to route your attacks through innocent third parties. You know, a lot of these denial of service attacks, these are compromised computers that are all over the world. So you end up hitting those in Germany, France, Canada wherever and you don’t actually get back to the attacker. So it does require both better defense and work to ameliorate the threat.

And you have to use all the tools that you have. Some of them are diplomatic. Some of them are economic. Some of them are law enforcement, as we’ve seen recently. And then, as a last resort, we even said this in an international strategy, you would use even military tools when the threat is great now. So you have to look at that range of tools. And the U.S. is in fact looking at those.

So, you know, I think – and then, finally, back on information sharing, it’s not just domestic information sharing. We have to be good at sharing threats internationally because we’re not self-contained. The attacks are – you know, we’re dealing with not just our close allies but with countries around the world. So it becomes even a harder problem because we need to share information, sometimes information that’s very sensitive because when you share it, you’re then advertising what the vulnerabilities are.

But one I think important change that was announced by the White House recently is this idea of a vulnerabilities equities process, which is – there always have been the sense that when you had vulnerabilities that we discovered that they would be – you know, there was a lot of competing equities, you know, how do you roll those out, do you roll those out? Are there intel reasons? Are there operational reasons? But now, it’s clear, and it’s been clear for a while that the tilt is to do network defense, to work to get those vulnerabilities out and to actually try to protect against them. Again, I’d agree with Bob. This is an evolving thing. We’re not there yet. But I’d say we’ve made tremendous progress.

MS. TEWS: Jeremy, do you have a comment on that?

MR. RABKIN: I just – let’s be clear. The point of this is not – it’s exactly this analogy or that analogy. You don’t like analogies, fine.

MR. PAINTER: But when you throw analogies in, it always clouds the issue because it’s so inaccurate. It’s like – you know –

MR. RABKIN: I don’t think so because I think – look, so I’m not attached to any particular analogy. But just in the history of the world, we’ve never had an effective response to real serious security challenges that didn’t involve some kind of retaliation. And there is no retaliation on the table now. And I think when we start thinking through retaliation, we ought to at least include in the mix some kind of cyberretaliation. I mean, there’s a lot of other things we can do, but we are now almost entirely talking about let’s build better locks and let’s talk to our friends about the kind of locks that they are building so I just kind of (bounce about ?).

MR. PAINTER: And I would just – I would dispute that anyway. I think that that’s one part of it but as – you know, if you look at the documents that are out there, we say, we’ll look at the full range of capabilities we have not and not just in cyber. And that’s something – I’m not going to get more into that.

MR. RABKIN: Look, let’s just be precise. What price has China paid for sponsoring looting on this scale? Any?

MR. PAINTER: So two things I’d say. One is – up to a few years ago, when it became clear it is an economic issue, it wasn’t raised with China. And now it’s been raised very directly by the president and others. Two – two – two – let me finish please.

MR. RABKIN: Wait. Wait. So the first cause, did the president – (inaudible)? That’s a big policy.

MR. PAINTER: So, two, there’s been – now, look, harm – you know, reputational harm and other harm is there. There are serious concerns about the economic issue and it affects the economic relationship. And then, recently, you’ve had these indictments that came out of DOJ. You know, I think, again, this is like any other threat that’s out there. You have to try to meet it. You have to look at all the various tools you have and you also have to be cognizant of the rest of the relationship.

MS. TEWS: Commissioner Ohlhausen, did you want to get into this?

MS. OHLHAUSEN: Excuse me. Just getting back to the issue of the information threat sharing and trying to remove some of the barriers and the many different pieces that need to work together, on a smaller scale than maybe some of the things that state and the private have been doing, the FTC and the Department of Justice did recently issue a policy statement on sharing cybersecurity data because some companies expressed concerns that would they be subject to antitrust laws, was there some kind of violation where they’re sharing a kind of information that we would find could raise any competitive concerns.

So we laid out a framework to say most of this kind of information is technical data, it’s not the kind of sensitive competitive information that we would be concerned about. So it’s just a small piece of the puzzle but just to give the idea that we are trying to work kind of holistically to remove some of the barriers to achieving some of these things which I think could have great benefits.

MS. TEWS: So following upon that point – Bob, I think you’re going to get to this – is there a toolset that we’re missing? And what is keeping us from sharing the right level of information with the right group of people?

MR. DIX: So at least in my – thank you for that. I think we need to build on that and do more with that. So right now, again, one of the greatest impediments is our legal framework. Most of the laws that we have today – and I see Stewart Baker came in the room, he can be a part of this discussion at some point too – but the laws we operate under today were largely written in the past when we lived in a mostly analogue world. So they haven’t been updated to reflect the requirements of a digital world.

So there still are concerns, notwithstanding the issuance of the guidance about antitrust rules. There are liability issues. There are a number of things that Chairman Rogers tried to address in his CISPA bill and some of which are being addressed in Senator Feinstein’s bill on this whole thing.

But, again, understand this. For us – for those of us in the private sector that are trying to make informed risk management decisions, the hang-up oftentimes is this whole need to know thing that we’re worried about classification and so forth.

What we care about is tactics, techniques and procedures, right? The sources and methods aren’t as relevant to us. We care about understanding the tactics, techniques and procedures. And this goes back to the analysis around the indicators. What can we learn from past experience that we can share broadly across the stakeholder community?

So I would argue the biggest impediment is cultural. The second biggest impediment is the legal framework that we operate within today. And then, third, I think the lack of leadership around – notwithstanding comments about we’ve made progress. You know, the bad guys are getting better faster than the good guys are getting better, and we need to get beyond making – not that anybody was making excuses but we need to actually move the measuring outcomes based on actionable outcomes, not just how many meetings did we have and how many people came to the meetings, right? What are the actionable outcomes that we can actually take steps to make this country safer and more secure and improve our ability to be competitive in a global environment?

MS. TEWS: So you all have been very patient. And, obviously, if I let this panel keep going, they will. Questions to the audience. Is there anybody who wants to get in on this dialogue? You guys have been very good this morning. No? All right. Over here. Do we have – do we have a microphone? The microphone is coming your way. Hold on a second. Right behind you. Right. Right there.

Q: Hi. Dominic Bellone, American University. What can the average consumer do to protect his or herself? It seems like we’re having this discussion at a very high level. But, at the end of the day, it’s like – what kind of software can we trust to buy that protects us or do we have to use the Internet less? Do we have to be very careful about how we – I mean, obviously, we have to be careful but what concrete steps or anything –

MS. OHLHAUSEN: So the FTC does try to focus a lot on informing consumers about the steps they can take to protect themselves. So we’ve got tips and brochures and a lot of online resources. But it’s often simple things like, you know, making sure, you know, your computer has a firewall and that you follow, you know, the updates to things but also being careful about now clicking on links that, you know, seem to be coming from somebody and you don’t really know who they are. And so some very basic precautions like that can be helpful.

And you know, sometimes it’s the most basic kinds of things. One of the things we hear a lot about is fishing attacks, right, so people can get – use little bits of data that they’ve collected through data breaches or social engineering and then call up and say, oh, I’m from your bank. We need to reset your password. There’s been, you know, a data breach and give us your password, things like that, to try to educate consumers about protecting themselves and not fall for those kinds of things.

MR. PAINTER: And some of these – some of these things are not new. I remember prosecuting cases in the 1990s where, you know, that bad buy would call and ask for your password and people gave it to them, and, you know, sophisticated good people too, and you get in the system very easily that way. And the FTC has done a lot of good work around this. So it’s a lot of work also in terms of trying to raise user awareness. There’s something called Cybersecurity Awareness Month in October, but, you know, it’s not just an October. It’s all through the year.

The problem is this: it’s hard for end users to really – you know, yes, they should be – there’s some basic things they should be doing and using the Internet less is not one of them, but I think really making sure that they have the right protections in place.

But, ultimately, and speaking for myself – you know, I think ultimately the way this is going to evolve is that you have to move some of the security back from the end user so that it’s being done at different levels. And that’s happening. At lot of the ISPs are providing some of these services and I think that’s important too.

So, you know, this is – this is a real challenge. We’ve been talking about awareness in this issue for as long as I’ve been involved. And the awareness is greater now but it’s not mainstream for a lot of people. And I think it helps when they see reports of big data breaches and they pay attention, but it has to be more systemic.

And that’s not, again, just a U.S. issue. That’s an issue around the world. Part of it is awareness raising; part of it is having the right tools in place. There are also a number of things that come out. I mentioned Jane Lute but others have, you know, the four, or sometimes the 10 things that people should do that are not hard to do and that gets rid of 80, 85 percent of the problems. And that’s true for businesses and users.

MR. DIX: The problem is I would bet most people even in this room, if they were honest, didn’t know the FTC had that available. I can promise you most average citizens don’t, okay? So while that’s all good work, nobody knows about it. So what good is it really in the broad scale? So to Chris’ point, listen. Empirically – I mean, that’s not meant to be a negative thing except that we’ve got to do a better job educating people.

MS. TEWS: And Chris Windle (ph) did try to do Dewie the Turtle. It didn’t really pan out.

MR. DIX: Yeah. Well, right. Eighty percent of this cybersecurity problem is the result of poor or no cyberhygiene. To your question, the basic things that people could do, to the commissioner’s response about passwords and firewalls and updating your anti-virus settings and the basic fundamental things that most people don’t even know because they’re not IT people, right? So where can they go to get that information?

So what’s interesting to me is if you all remember, there was a lot of attention around the president’s “Cyberspace Policy Review.” I think you had a little something to do with that, released in the East Room in May of 2009; included in that report was 10 near-term action items. Guess what number six was: to create a national education and awareness campaign around cyber. Well, it’s five years later, right? And we need to take the agencies like the FTC, the FCC, the Small Business Administration, the IRS, the Postal Service to have interaction with regular citizens on a day-to-day basis, bring the academic community – we need to teach young people about cybersecurity and cyberethics. It needs to be built into our academic curriculum. We need to bring the private sector and trade associations around the country and the world into this.

And I’ll be real quick. History is a great teacher. A few years ago, when this country was threatened by the risk of the H1N1 virus – everybody remember that – there was a huge campaign to teach people how to change their behavior. Do you remember that? We were told to cough into our sleeves, not our hands. Hand sanitizers began showing up everyplace we were; posters on the grocery store window telling people how to protect themselves from being infected by the H1N1 virus.

That’s the kind of comprehensive and sustained national education awareness campaign we have to have for cyber and leverage the great work that the FTC has done to get that information out to a broader community. These are things we could be doing today. And if you raised that 80 percent number by 10 or 20 percent, it disrupts the business model and the tactics of the bad guys. That’s part of deterrence. That moves the needle in a positive direction. We should do it today.

MS. TEWS: And $100 to the first person who comes up with a better phrase than cyberhygiene. Other questions? I think we’ve got one in the back over here.

Q: Hi. I’m Russ Reid (sp) with the International Security Observer. I have a question regarding offensive versus defensive capabilities when it comes to cybersecurity. An analogy that I’ve seen in my research that I like to use is between a gun and a bulletproof vest in that we’ll always develop a gun that will defeat that bulletproof vest. In the same regard, strictly maintaining this defensive posture, is this not going to be the same thing. We can educate. We can make defensive networks. We can improve ourselves upon that. But there’s constantly evolving hacking out there. There’s threats that are constantly evolving on a daily basis.

Is maintaining this defensive posture not inevitably going to be futile? That’s just a general question for the entire panel I might add.

MR. RABKIN: Well, let me just say I totally agree with you. And just to put it in perspective, 10 years ago you could have said this is a thing we’re a little bit concerned about but we’ve got a lot of other things that we’re working on with Russia and China and so we want to maintain our good relations with them. Well, one, we don’t have good relations with them anyway. And, two, this really should have risen up on our priority scale. This is a very, very serious threat.

And there is just I think something preposterous about saying, well, yeah. If we spend on bulletproof vests and get better locks and we’re going to get hunkered down, then we can talk to the Chinese about – I don’t know. What is it you talk to them about? This should be our – this should be probably our single highest priority. General Hayden said it and I think that was totally right. This is central to our relationship.

MR. PAINTER: So, again, defense is only part of this. It’s part of the puzzle. It’s not the sole thing that the U.S. government or the private sector is doing. But if you don’t actually have good defense – I mean, that’s a predicate, right? That’s foundational for anything else you’re doing, but we will look – and we have looked at, generally, all the tools that we have as we respond to various threats out there, and what the threat is, and how best to focus on it.

But you also have to figure out how that plays in, what are the escalatory aspects? How do you make sure that – just like you do with any other area of endeavor, how do you make sure that you’re actually addressing the threat without creating larger threats? And I think that is being done. And I think we do have policies with respect to that.

And, you know, I think that, you know, one of the reasons we’re honing our defensive tools but at the same time – and, you know, you’ve heard the DOD talk about this. You know, we are going to – you know, we have capabilities. We’re going to develop those capabilities and make sure they’re integrated with the rest of our national capabilities and they’re governed by the policies that govern everything else in the U.S. So I think these are all piece parts of a large puzzle. And we’re not just focusing on one, but defensive has to be a part of it. I mean, if you have no defenses and people are coming in and taking your stuff, you know, shame on you. I mean, you have to do that as a foundational part.

MS. TEWS: We have a question up here upfront.

Q: I’m Brian Crone. I’m in the Office of Congressman Ben Ray Lujan. I guess what I’m wondering –

MS. TEWS: We’ve got a microphone coming for you here. Okay.

Q: I’m Brian Crone. I’m in the Office of Congressman Ben Ray Lujan. I guess one of my questions is when you start talking about offense and defense, when you take the historical analogy and you look at military, our defense and our offense were the same entity that share information and so now is – how much of an issue is it that our offense is something on one side of the world and our defense is something in another and they’re not sharing information so that – I’ll just leave it at that.

MR. PAINTER: So I won’t – I can’t get to a lot of details but I would say that it is true probably a number of years ago that the various agencies in the U.S. government, DHS and DOD weren’t perhaps collaborating as close as they should. I think that’s changes dramatically. And that’s one change I’ve seen dramatically in the last few years where there’s very close collaboration and understanding on how they work together on issues, particularly because also DOD has a defensive mission in defending the GIG and the other parts of the DOD network.

The other thing that’s important is there is – and, again, I can’t go into a lot of detail, there is a presidential directive that talks about defensive and offensive cyberoperations, and how those work in the larger context, and how agencies are involved and – which is, you know, a real doctrine – you know, it’s doctrinal. It talks about how that fits in with the overall policies and overall capabilities. So I don’t think it’s as disjointed as many it once was. I think it’s much more integrated now. And, again, there’s only a limited amount I can say here.

MR. DIX: So I guess I would have a slightly different view. I don’t think it’s coordinated. And I think that part of the problem is, is that most of the information about threat resides in government. And so the ability of companies like mine and many in the room to actually make the informed decisions about how to invest in protecting our own assets is not available to us because we still live in this need-to-know mentality. And, again, the excuse given is it’s classified.

Don’t care about sources and methods. I want to know about tactics, techniques and procedures. And I think that that here’s the example of where we still have a problem.

In this country today, we do not have an agreement on where the handoff is between homeland security and national security. We don’t have a clear understanding of where the Department of Homeland Security and the Department of Defense hand off if an event takes place that rises and escalates to the level of a national event.

The evidence of that is the fact that, under presidential directive, there was an attempt to create a national cyber incident response plan. That would identify the roles and responsibilities of industry, government, the various levels of government, the various organizations in government. That program – that effort started in August of 2008. A draft of the NCIRP has been sitting at the White House for three years, okay?

So even as we sit here today, if the event escalates, we do not have clarity around authorities, we don’t have clarity around responsibilities, and so, again, there’s an expectation that if a nation-state is launching a distributed denial of service attack against the financial sector that the banks and lending institutions are responsible for defending against that. Again, there’s a disconnect around homeland security, national security, and the responsibility of the private sector in investing and managing risk in this cyber domain.

MR. PAINTER: So I hate to disagree with my good friend, Bob, whom I know for many years.

MR. DIX: Feel free. Feel free.

MR. PAINTER: But the National Cyber Incident Response Plan was in fact drafted and tested in a national level exercise involving cyber. The first it was ever a national level exercise. The reason it’s still in draft form is because it continually evolves. The idea was this cannot be finalized. So it’s not this dead document no one is using.

MR. DIX: Yes, it is.

MR. PAINTER: No. I would –

MR. DIX: Yes, it is.

MR. PAINTER: I would totally – and, Bob, I would totally disagree. I mean, you and I have, you know, different views of this. I see it in action. You know, last – you know, I’m part of it because on the international aspect, but it’s much more handled by our operational people.

And I tell you that DHS and DOD, in terms of looking at these threats and responding to these threats – in fact, DHS, DOD, and FBI now work very closely together to respond to domestic threats, to go together. It used to be someone would come in, and depending on what agency they’d get to, they would get different levels of service, but now – and this is, again, a dramatic change in my own experience, those agencies are working together to respond to some of the major threats that we’ve seen in the U.S.

So, you know, Bob I think paints a very bleak picture. And I have to take exception with that. I do think that there’s more work to be done, absolutely. But I don’t –

MR. DIX: So where you might persuade me was if we had a version 1.0 of an NCIRP that is continuing to evolve. And we’re working on version 2.0 based on changing events. We still have a draft that we begun in 2008. And I won’t take the time here because we don’t have enough time but I would love to have a conversation about NLE 2012 and what that really was and was not. We don’t have time today.

MS. TEWS: On that note – I’m sorry. We have to go onto our next speaker. So I just want to thank you for a very healthy dialogue between our panelists. (Applause.) And remind you that this can continue to go on at techpolicydaily.com. So thank you all very much.

(Break.)

MR. EISENACH: If I could ask folks to take conversations outside if they need to continue and otherwise, go ahead and take your seats, we’ll get started here in just a minute.

Garland, that means you. Garland, Garland McCoy, that means you. I love picking on Garland, I haven’t done that in a long time.

It’s a real honor for me to introduce our next speaker. Tom Wheeler, who was sworn in as 31st chairman of the Federal Communications Commission on November 4th, 2013. He’s been involved in telecommunications, networks and services and issues for more than three decades. He’s the only person to have been selected to both the Cable Television Hall of Fame and the wireless hall of fame. He’s served as the chairman of the Cellular Telecommunications and Internet Association, as well as leading the National Cable Television Association. Most recently, though, he spent a decade, I guess, as a venture capitalist investing in startup firms organized around the IP protocol in product based companies.

He’s an author and a historian. His most recent book is “Mr. Lincoln’s T-Mails: The Untold Story of How Abraham Lincoln Used the Telegraph to Win the Civil War.” I think there was a cybersecurity issue there too. Probably early days.

Tom has come to the Federal Communications Commission at a time of tremendous upheaval and transformation. He has just a few modest items facing him when he arrived that are on his plate, little things like transition from an analogue to a digital telecommunications infrastructure, the so-called IP transition, the effort to move 120 megahertz of spectrum out of the broadcasting environment into the mobile wireless. Echo system through an unprecedented incentive auction effort and then this little matter that probably no one’s heard of, net neutrality that has been hanging around.

So he has got a lot on his plate and we are especially honored that he’s with us here today. I do want to say that Tom has been a personal friend for many years. We have had the pleasure of working with him on a number of things since he has been chairman of the commission. On September 10th and 12th, AEI, along with University of Nebraska Law School, will be sponsoring a conference in – cosponsoring a conference with the Federal Communications Commission on regulating the evolving broadband ecosystem. And we’ve just issued a call for papers for participants at that conference, which will be held at FCC headquarters in the three days or so before the TPRC conference. So many people coming for it, so we’re grateful for that opportunity.

So with those preliminaries, I am delighted to introduce the Chairman of the Federal Communications Commission Tom Wheeler. And just to make a procedural note, Tom has a lunch immediately following and he’s not going to be able to take questions, but we are looking very much forward to his remarks. (Applause.)

TOM WHEELER: You know, I was actually looking forward to turning this around. And then I could say that I’d actually accomplished something today in my visit. It’s great to be here. Thank you, Jeff, and thank you to AEI for hosting this important conference.

Yes, Jeff and I have known each other for longer than either one of us would like to admit. We have been on the same side of some issues and we have been on opposite sides of other issues. I would rather be on the same side of an issue knowing Jeff’s prodigious capabilities. But I do appreciate this opportunity. I’m honored to be part of such an incredible line up – General Hayden, General Alexander, Chairman Rogers, Chris Painter, Commissioner Ohlhausen, and so many others that are here. And I really appreciate the opportunity.

Since this is the first day of the World Cup taking place in Brazil, I’ve decided to deliver my remarks in Portuguese. (Laughter.) But while I don’t pretend to be an expert on national security, especially relative to the other speakers who you have had here, I do suspect that the reason that you were kind enough to invite me today is because I do, at least, pretend to know a little bit about networks.

And our cybersecurity challenge is network based. And since the FCC is the nation’s network agency, I thought it might be appropriate to reflect on what I envision is the FCC’s role in addressing network security for the telecommunications sector in the Internet age. In particular, I would like to address how stakeholders in the communications sector, the sector to which all aspects of the digital economy depend, must create a new paradigm for cyber readiness.

This begins with private sector leadership to recognize how easily cyberthreats cross corporate and international boundaries. And because of this reality, the network ecosystem must step up to assume new responsibility and market accountability for managing cyberrisks.

The challenge is that the private sector led effort must be more dynamic than traditional regulation and more measurably effective than blindly trusting the market or voluntary best practices to defend our country. The new paradigm for the communications sector must be real and meaningful and it must work. The Commission’s commitment to market accountability will help ensure that it does work. And while I am confident that it will work, we must be ready with alternatives if it doesn’t.

Now, let me pause right there, before headline writers rush to interpret this as FCC wants to regulate cyber. We need to put these statements or that statement I just made in the context of a broader philosophy that we’ve been practicing on a wide scale at the FCC.

We believe in a new regulatory paradigm where the commission relies on industry and the market first while preserving other options if that approach is unsuccessful. The purpose of these remarks today is to explain that concept as it applies to cyber. And it basically boils down to this: identify public goals, work with the affected stakeholders in the communications industry to achieve those goals, and let that experience inform whether there’s any need for next steps.

What makes this topic so important is that our new networks are the new economy. Jeff referenced I’m a history buffoon. You look at the earlier networks of history and what they did was to enable other activities. They were ancillary to the key economic activities that they enable. But our growth industries today are based on the exchange and use of digital information. And as such, information networks aren’t ancillary, they are core. They are integral to what our new economy is all about. And their security is vital.

For all the ways that the Internet has already transformed our lives, today’s network revolution is constantly creating enormous new opportunities to grow our economy, to enhance U.S. competitiveness, and to improve the lives of the American people. Yet, these changes also raise new security challenges, challenges that must be addressed if we hope to seize the opportunities.

Consider the Internet of Things, for instance. Every second, 100 new things attach to the Internet and most of them are inanimate, are not people. Soon, we’ll have refrigerators talking to milk cartons and sending you a message on your iPone to pick up a quart on the way home.

Cisco forecasts that by 2020 – and you know, 2020 sounds like a long way off, that’s less than half a dozen years away – Cisco forecasts that by 2020, over 50 billion, with a B, inanimate devices will be interconnected. And expressed another way, in keeping with the theme of this meeting, that means 50 billion new attack vectors.

Similar threats continue to grow with mobile apps, social networks, and the other realities – excuse me – of our rapidly evolving networked world. And it’s not as if cybersecurity weren’t already complicated enough. Our cyber adversaries do not fit into a particular profile. They run the gamut from those working on behalf of governments to steal trade secrets and intellectual property, to ideological non-governmental groups with malicious intent to harm critical infrastructure, to criminal organizations intent on wreaking havoc and making a profit, to individual hackers trying to steal private information.

The unfortunate reality is that our cyber adversaries worldwide are right at our virtual doors. They’re ready to break in the moment they sense the opportunity to steal our valuable information, including personal information, and damage the networks on which we rely.

Everybody in this room understands that tackling the challenges of cybersecurity will require a joint effort. That means collaboration within the federal government; collaboration between federal, state and local governments, collaboration between the U.S. and foreign governments, collaboration between government and the private sector; and even inter and intra-industry collaboration. So what, exactly, is the FCC’s role in this obviously shared endeavor?

The FCC’s responsibility to promote public safety and network security is fundamental. Our mandate is codified in the Communications Act, which tells us that the FCC was established for the purpose of, among other things, promoting the national defense and the safety of life and property.

Allow me to get wonky for a second. Our telecom law was last updated in 1996, early in the life of the new Internet protocol world. I was there. I know that what we take for granted today wasn’t even imagined at the time. Yet, the beautiful thing about our communications law is the ability that Congress has given to this agency to face new circumstances. The drafters of the statute spoke wisely in terms of effects such as the public interest, convenience and necessity. While there are many proscriptive parts of the statute, it maintains at its core an effects-based orientation.

The challenge of the FCC is to deliver on the national security and public safety effects mandate as the networks that enable those effects evolve from analog to digital. The FCC cannot abdicate its responsibilities simply because the threats to national security and life and safety have begun to arrive via new technologies. If a call for help doesn’t go through, if an emergency alert is hijacked, if our core network infrastructure goes down, are we really going to say, well, that threat came through packet-switched IP- based network, not circuit-switched network, so it’s not our job? I don’t think so.

We have unique, indispensable expertise and responsibilities when it comes to the communications sector. So long as I am chairman, we will work diligently and strategically with all stakeholders to leverage that expertise and fulfill these responsibilities. Let me describe how I hope that we will be able to build a new paradigm of proactive, accountable cyber risk management for the communications sector.

First, the FCC must build upon past federal and private sector work in cybersecurity. Following President Obama’s Cyberspace Policy Review, in early 2009, a robust national dialogue helped create a new consensus for cybersecurity. Our nation chose proactive private sector cyber risk management and all the corporate responsibility and accountability that goes along with that over a traditional regulatory approach of proscriptive government regulation.

In February 2013, with the encouragement of many of the legislators who had fought in the trenches of those debates on Capitol Hill, President Obama issued an executive order, which brought structure to a private sector-driven cybersecurity standard process that was facilitated by NIST.

NIST’s Framework for Improving Critical Infrastructure Cybersecurity prompted a depth of private sector management and trust that had not previously existed. The issuance of the framework earlier this year has created a tremendous opportunity to make major, meaningful strides in cybersecurity.

The framework is a flexible. It is an adaptable approach to risk management that can be applied by companies of all types and sizes across all sectors. It is not a static checklist. The framework’s success will rely on proactive risk management, not reactive compliance with a cybersecurity to-do list. We have our work cut out for us, but there is now a deep and broad consensus that this approach is the only workable strategy for securing commercial networks. Growing cyberthreats will test this proposition, so we must together seize the opportunity that the new consensus presents.

So how do we, as a regulator, ensure that the communications sector steps up to this challenge? I come from the technology entrepreneur and investment world, as Jeff indicated, and I take a business and technology oriented perspective to this policy question. I firmly believe that we are not as smart, we are not as fast, and we are not as innovative as the Internet. The pace of innovation on the Internet is much, much faster than the pace of a notice and comment rulemaking. Now, there is a true statement. (Laughter.)

We live – (laughs) – we live in an age when a few smart 20-year-olds in somebody’s garage can render standard technology obsolete within months. And the same is true for the pace of threat technology. We cannot hope to keep up if we adopt a proscriptive regulatory approach. We must harness the dynamism and innovation of competitive markets to fulfill our policy and develop solutions.

We are therefore challenging private sector stakeholders to create new regulatory paradigm of business driven cybersecurity risk management. This new paradigm must be based on private sector innovation, and the alignment of private interests in profit and return on investment with the public interests like public safety and national security.

It needs to be more dynamic than rules, and this is a key point, it needs to be more demonstrably effective than blindly trusting the market. Demonstrably effective will require a level of transparency that may make take some time to get used to, but the bottom line is that this new paradigm can’t be happy talk about good ideas. It has to work in the real world. We need market accountability on cybersecurity that doesn’t exist today, so that appropriately predictive and proactive investment is made to improve our cyberreadiness. It’s a big task, but it is an essential responsibility.

We’re really fortunate at the agency that we’ll be guided by a top notch team, led by the chief of our Public Safety and Homeland Security Bureau, Admiral Dave Simpson, who’s here somewhere – right down here. We’ve also created new position of chief counsel for cybersecurity to help Admiral Simpson navigate the legal and strategic considerations, and Senate Intelligence Committee veteran Clete Johnson is filling that role. Rounding out the Admiral’s leadership team is Jeff Goldthorp, who has worked on these issues at the commission for more than a decade.

Agency-wide, our bureau chiefs and office heads are working with the Admiral to bake cyber into the DNA of the agency. Our activities going forward need to consider vulnerabilities and impacts from cyber early on and throughout the FCC process.

Okay, so we have a new consensus. We have a new regulatory paradigm, and we have a new team. What does this mean in real terms? Our work on cybersecurity in the communications sector will be guided by a set of principles. First and foremost is a commitment to preserving the qualities that have made the Internet an unprecedented platform for innovation and free expression. That means we cannot sacrifice the freedom and openness of the Internet in the name of enhanced security.

Second is our commitment to privacy, which is essential to consumer confidence in the Internet. We believe that when done right, cybersecurity enables digital privacy, personal control of one’s data and networks.

Third is a commitment to cross-sector coordination. We cannot address these threats in one-sector or one-agency silos. Particularly among regulatory agencies, we must coordinate our activities and our engagement with our sector stakeholders.

Fourth, we continue to support the multi-stakeholder approach to global Internet governance that has successfully guided its evolution and we will oppose any efforts by international groups to impose Internet regulations that could restrict the free flow of – (inaudible) – our cyber activities around some central pillars.

First, information sharing and situational awareness. We are examining the legal and practical barriers to effective sharing of information about cyberthreats and vulnerabilities in the communications sector. In order to protect companies and consumers against malicious cyberattacks and intrusions, companies large and small within the communications sector must implement privacy protective mechanisms to report cyberthreats to each other, and where necessary, to government authorities.

And for cyberattacks that cause degradations of service or outages, the FCC and communications providers must develop efficient methods to communicate and address these risks. We’ve witnessed great innovation and progress on these issues in the financial sector, for instance, where institutions of all sizes have worked together to develop groundbreaking practices for sharing cyberthreat information to combat threats in real time. Such approaches can be a model for the communications sector to span the large risk and awareness gap between large and small, urban and rural providers.

We’re actively engaged with private sector information sharing and analysis organizations, and with our federal partners, particularly DHS and the FBI, to increase the efficiency of threat information sharing and to improve situational awareness. To be clear, we seek only to assist and support, not to replace or duplicate, existing private or public information sharing activities.

Second, cybersecurity risk management and best practices. Excuse me. In 2011, our primary federal advisory committee on these issues, the Communications Security, Reliability and Interoperability Council or CSRIC completed voluntary industry best practices pertaining to domain name security, Internet route hijacking, and an anti-botnet code of conduct. It was important foundational work.

These standards, if implemented broadly, could harden our nation’s communications backbone against cyberthreats with potentially wide scale industry implications. In the coming weeks we will be seeking information to measure the implementation and the impact of these industry defined best practices. You know, in business school, I learned if you can measure it, you can manage it. And I look forward to learning more through these inquiries as to whether the private sector is taking this issue as seriously as it must.

Building on these efforts, CSRIC is presently hard at work to develop risk management processes to tailor the NIST cybersecurity framework for the communications sector. This particular effort, which features the active participation of over 100 experts from throughout the communications sector, is a landmark initiative, the central proving ground for whether our attempt to create a new paradigm will be successful.

We are asking communications providers to work with us in setting the course for years to come regarding how companies in this sector communicate and manage risk internally, with their customers, with their business partners, and with the government. This will require a degree of transparency and assurance to give customers – consumers, fellow providers, the market, and the FCC confidence that internal efforts are proactively addressing the threats to broader public interests.

Third, investment in innovation and professional development. I have chartered the commission’s Technological Advisory Council to explore specific opportunities where R&D activity, beyond the activity of a single company, might result in positive cybersecurity benefit for the entire industry.

In collaboration with academia and communications technology stakeholders, we will identify incentives, impediments, and opportunities for security innovation in the market for communications hardware, firmware and software. We also must work with academia and NIST to evaluate the maturation of our nation’s cybersecurity workforce. Cybersecurity professionals are among our nation’s most talented, educated, and dedicated workers. And so we seek to understand the current state of professional standards and accountability and with our partners understand where the FCC might positively contribute towards further professionalization of the workforce.

So how will we measure success or failure of this new paradigm? This is the toughest and most important question that our stakeholders have to answer. We cannot continue on a path that lets individual networks put other networks, American businesses and consumers at risk. We need to develop market accountability that doesn’t currently exist.

And unlike financial risk, for which we have several centuries of quantified data on which to draw, quantitative cyber risk factors are relatively immature. But that doesn’t mean we just throw up our hands and give up.

I’ve directed FCC staff to work with our partners in the federal government and the private sector to gather input on how to measure, assess, and manage cyber risk in the communications sector. Some common success factors are already emerging from that dialogue.

First, companies conduct thorough inventories of their exposure to various cyber risks, internally and with their partners. Second, they conduct quantitative – I’m sorry – qualitative assessments of their management of these identified cyber risks. And third, they seek data from those quantitative assessments – I get this right – they seek data from those qualitative assessments to develop quantitative measurements, quantitative metrics pertinent to their own internal needs. And fourth, they invest to close cyber readiness gaps making conscious, measured choices to mitigate risk.

In short, identify the cyber risk universe, develop internal controls, assess implementation, and monitor effects. This sounds a lot like how enterprise risk management has always been done across all risks. Applying it to cyber risk would then seem to be a no-brainer.

Companies must have the capacity to assure themselves, their shareholders and boards, and their nation of the sufficiency of their own cyber risk management practices. These risk assessment approaches will undoubtedly differ from company by company. But regardless of the specific approach a company might choose, it is crucial that companies develop methodologies that give them a meaningful understanding of their risk exposure and risk management posture that can be communicated internally and externally. This is what we are asking our stakeholders to do.

Once individual companies have an understanding of their own risk posture, then we can answer follow on questions about the appropriate way to communicate this risk to business partners, customers, and the public. We expect this to prompt a virtuous cycle of security, privacy and innovation, in which the market continually drives to improve these mutually reinforcing values. So that ISPs, ISP now stands for innovation, security, and privacy.

One last point. Solving the technological challenge for cybersecurity is, for all its difficulties, the easy part. The hard part’s changing behavior.

According to one study, 90 percent of the breaches in a recent year could have been prevented with basic or intermediate security measures. People recognize that cybersecurity is a problem that must be addressed, but too few people are acting on that information. From consumers who may not know exactly why they need to update their passwords, to C-suite executives who don’t yet fully grasp the threat that cyberattacks pose to their companies’ viability, nor how they can match the risk with investment in cyberdefenses. We believe our work can help change behavior, and we expect that stakeholders will rise to this challenge.

The communications sector is at a crucial juncture. We know there are threats to the communications networks upon which we all rely. We know those threats are growing. And we have agreed that industry-based solutions are the right approach. The question is will this approach work? We are not Pollyannas. We will implement this approach and measure results. And it is those results that will tell us what, if any, next steps must be taken.

Thank you very much for the opportunity to be here and thank you for your attention. (Applause.)

MR. EISENACH: Tom, before you step away, we have a small token of appreciation, which I’m assured it fits within whatever gift limits may apply. As –

(Cross talk.)

MR. EISENACH: This is Mike Daniels’ book as an historian and investor in early stage Internet companies, the chairman of our national advisory council was the early stage investor in a little company called Network Solutions. And that’s the story about how that all came about. We thought you’d enjoy that. So Tom, thank you for being with us. Everybody, let’s get one more round of applause for Tom Wheeler. (Applause.)

We are going to take about a 15-minute break, and that is by design, in order to give everyone an opportunity to get lunch, which is being served in the anteroom right behind me here. Please go to the buffet, grab some lunch, and at about 12:15, we’ll have General Keith Alexander.

(Break.)

MR. EISENACH: If I can ask folks to move in the direction of their seats. We’ll get our last section of our program underway here.

We’ve had a full program today, but we’re going to cap it off with I really think what’s going to be the high point. If there’s a single leading expert, someone who has lived through more and knows more and is in a position to contribute more to the topics that we’re discussing today above all others, it is our next speaker, General Keith Alexander, who’s served as director of the National Security Agency, chief of the Central Security Service from 2005 to 2014, as well as commander of U.S. Cyber Command from 2010 to 2014.

He is a retired four-star general in the U.S. Army and has served his country at length and with great distinction, for which we should all and are all grateful. He has extensive experience, as I said, in national and foreign intelligence, combat support, U.S. national security, and information system protection. He was deputy chief of staff for Army headquarters in Washington, D.C., commanding general of the U.S. Army Intelligence and Security Command in Virginia, director of intelligence for the U.S. Central Command. Since stepping down from his post at the NSA in March of this year, he has indicated that he is in the process of launching a consulting firm for financial institutions looking to address cybersecurity threats. I would think that would be something he knows a good bit about and there might be some interest in that.

So General Alexander, we appreciate your being here today and look forward to your remarks and the opportunity to ask some questions after.

General Keith Alexander. (Applause.)

GENERAL KEITH ALEXANDER: That’s pretty good. You know, and that was one of the jobs I actually trained for – to turn these around – but I didn’t do it right. And so he got the job, so I’m left trying to start a company.

I’ll tell you, one, it’s great to be here. I’m going to talk about – oh, you wanted cybersecurity, I had quantum physics and I had some of the other things. I think that would be of interest. Actually, there are, you know, we live in amazing times. I want to talk about that because from where I now stand and from what I had the opportunity to look at, this is some of the biggest transformation going on in history – what’s going on in the data world, what’s going on in computing. I’ve had a chance to work with a number of you that are here. And it brings in some risk and stuff. And I think we need to talk about it. And then, that’s the first two hours. And then, the third hour – (laughter) – I’m going to go in to see who’s still awake.

No, I’m going to mention he-who-should-not-be-mentioned-in-public, but we’re going to talk about that a little bit and give you some of my thoughts briefly. And then, I’ll open it up for questions. Bur first, data, you know, it is – almost everybody in this room – I think everybody in this room probably has an iPhone on them. How many here have an iPhone or Samsung Galaxy on them? Just raise – okay, please turn those off during the speech. (Laughter.) No, no, oh, yeah, I should. Yeah, that’s right, thank you.

When you think about it, think about how wired we are. Think about the amount of data that’s coming our way. Think about what we have access to. There’re some great videos out there if you go online, one called 2014 - “Did You Know 2014?” And the statistics in there help tell a story that we’ve lived, but we really don’t realize what’s happening, the wonder that’s going on around us. And let me give you some of that wonder.

This year, the amount of unique data that will be created worldwide is 3.5 zettabytes – zettabytes. You know, I wanted to name my company Zetta-something and somebody already took that one. But it’s 3.5 zettabytes. That’s 10 to the 21st power unique information worldwide. That’s more information than was created in the last 5,000 years combined. More information than was created in the last 5,000 years combined. That’s incredible. Think about that. Think about what that means for education. Think about what that means for the medical community. Think of what’s coming our way.

Now, add to that, new technology is doubling about every two years. I think Kaki and others, Juniper, you guys deal with this, right? What does that mean? That means that kids like me, who are in their freshman year at college – okay, I might have missed that a little bit – the best four years of my life. That was a joke. I go slower? I know. (Laughter.) You know, so I want to put some jokes in there. It’s okay to laugh with me preferably, not at me. But that happens. Remember, I have 16 grandchildren that didn’t come out. We’re going to talk about some of them because they are mean people. These are little people that can be mean to you. (Laughter.)

This is televised, right? I meant that they’re really nice and I love them. They’re wonderful. (Laughter.)

New technology doubling, that means by the time you get to your junior year, half of what you learn is outdated. Think about that. Half of what you learn is outdated. The top 10 in-demand jobs in 2013 did not exist in 2004. Did not exist. We are currently preparing students for jobs that don’t yet exist, using technologies that haven’t been invented in order to solve problems we don’t even know are problems. That’s where we are right now. Think about that. It’s amazing. It is. It’s absolutely amazing.

And the other part, the first time we’ve had four generations working side-by-side – traditionalists, Jeff, boomers, gen X – that’s Danny and I – okay, maybe I’m off a little bit on that – and the Millennials. That’s the write me, call me, email me, tweet me. All working side-by-side, think about that. Write me, call me – that’s where we are.

We have over 2.4 billion people on the Internet today. And there 100 billion searches in Google a month. Where did those go before Google? Who did those searches? And you know, the best Jeopardy player is no longer a human. It’s a machine built by IBM – Watson.

In fact, you know, it’s interesting. I was at an engagement yesterday with IBM and they showed what they’re doing on cancer research with the genome folks out of New York City. It’s amazing. This is incredible what this big data is going to do for us.

Another part, in 2049, I’ll be 60 at that time, 61 maybe – (laughter) – a $1,000 computer will exceed the computational capabilities of the entire human race if it keeps going at the rate it’s going. The entire human race. If Facebook were a country, it’d be the third largest in the world.

Here are some interesting things. And this is, you know, many of you are going to go home to your spouse and start saying, hmm, okay, what’s going on? One out of six married couples in the United States last year met online. That’s amazing.

Here’s the other one. This is why you’re going to go home. That’s what I did. I went home and said, okay, what are you up to? One in five divorces are blamed on Facebook. So I went immediately home. Honey, do you have a Facebook account? Yes, I do. I said, hmm, should we have that? I mean, do we really need those things? (Laughter.)

Fifty billion devices will be connected to the Internet by 2020. And here’s something that I think you’ll find incredible. Any person with access to Google today has better access to information than the president of the United States had in 1990. Think about that. Think about where this is going. And these changes, they’re stunning.

It’s going to change – you know, you look at the nanotechnology. So if you go online, google – that’ll be another search, it’ll be 101 billion plus one or two or three, however many you go – google that 2014. There’s that, and then they have a section on medical, where it’s going with the nanotechnology. And this is incredible. Big data is going to change it.

This is really good. I mean, I think in the next decade we’ll solve much of what we know about cancer. We’re going to solve much about what’s going on with our environment. There’re some great technologies that are coming our way. Big data is going to help us significantly.

But there’re some issues. Security, right? So tremendous opportunities and tremendous vulnerabilities. So what I want to talk about a little bit is the cyber threats that face us because we ought not to slow down just because we haven’t fixed this. We don’t want to create vulnerabilities that will hurt our country. I think we can solve those. But the opportunities are too great. You know, just solving cancer alone – and almost everybody in this room knows somebody who has cancer or has had cancer that we should help. Solve that. Let’s get that done. And if big data will help us, then we’ll carry the risk with it. But we can do both, I think.

So as the commander of U.S. Cyber Command, it’s interesting to see how you get a job. Now, other than create your own company and appoint yourself CEO. I thought that was a good move. Somebody said, what are you doing? And I said, well, I’m retired. They said, you don’t do anything. I thought, well that’s not going to solve much, isn’t it? So if I create a company – nobody’s going to hire me, so if I create a company, I can create one. I can call myself CEO or CEO and president. I like that. (Laughter.)

MR. : (Off mic.)

GEN. ALEXANDER: That’s right. That’s right. Next thing I got to do is get people so that they can do the work. I learned that as a general. So let’s look at the cyber threats. (Laughter.) Yeah, you got to have the people. Somebody’s got to do the work and some other things. Yeah, I won’t go into that.

May 2007, the Tallinn, the statue there, the Russian statue. Remember that, the distributed denial of service attack? That kind of if we put a little asterisk on the timeline, that’s where you start to see these disruptive distributed denial of service attacks and that had significant impact on Estonia. Think about it. If you talk to President Ilves and anybody in Estonia, this was a huge change. It really was. They are probably one of the most connected societies in the world, only 1.4 million people, but they vote online. They do everything online. They bank online. So getting hit with a distributed denial of service attack was significant for them.

Two thousand eight, Georgia, ironically, the hackers uniquely timed their disruptive attacks against the Georgian banks and government at the same time that Russian military crossed into Georgia. I’m sure that that was circumstantial and great luck, but it poses some issues for the future.

Now, what I really want to get to is so how do these things impact all of us? So we thought we saw anomalous activity coming out of the Office of the Secretary of Defense networks. Now, here’s something that you’ll find interesting. NSA was not authorized to look in the DOD networks without being invited in. You find that ironic, right? Think about that.

We couldn’t look at those networks unless somebody invited us in. So we had to get – we said, you know, something looks wrong here. We need – we got it, we got it, we got it. Okay, you come in. So after a week or so of debating, they brought us in, our guys. So I’m in my office, 24 October, 16:30, 2008. That’s a Friday, right? All bad things happen on a Friday afternoon. Because – and you know, I was there for eight and a half years and over 400 times, Friday, right, and you’re just waiting, you know, with one eye watching the door. Friday afternoon, here they come. Dick Schaffer comes in. Sir, we got a problem. I knew it. I knew it. And he said, we were allowed to look at the OSD network and we found over 1,000 pieces of malicious software in there. We think it’s nation-state sponsored. And I said, that can’t be good. And he said, that’s why you’re the director. (Laughter.) That sharp mind, you’re right there and grasp with that. We really like you. Let’s get on with the solution.

So we did. We actually talked about that. And you know, I’ll tell you, fascinating people. Some of the best technology people in the world are up there at NSA, doing great things for our country and our allies. And they said, well, we think we can solve this problem. We can build a system, put it on the network, and we can do that that takes care of all the stuff and do it and have it done by – so we’re negotiating over time. And many of you may know that I’m not a very patient person. And when you’re a four-star general you can do that. It doesn’t always work, but you try it. And they had it done by 2:30, Saturday. Built the system, up and running, still running today. And it solved that problem.

Now, the reason I brought that out – you know, one of the things that I never thought about, but the consequence of that, if you read some of the Gates book – Bob Gates’ book, you know, he talks about Cyber Command. And I have about a four-word thing in there. He wanted to keep me around a little bit for the humor. And that – that issue was one of the key issues that he saw that NSA had the technical capabilities that United States Cyber Command needed to leverage.

You could try to recreate it or you could leverage it. And it doesn’t make sense to try to recreate it, so we’ll put it there. We’ll dual-hat you and he came up with that approach. So I owe probably the fourth star in that command to those bad guys that broke into that network. Thank you very much. Don’t – that’s not being recorded. I’m just kidding.

So now, let’s jump forward, 2012. We had disruptive attacks. Now, in 2012, it goes to destructive. It goes from a nuisance to destroying data on networks, Saudi Aramco. The data on over 30,000 systems was destroyed, the systems wiped clean, and the consequence – that network was shut down and had – all the systems had to be rebuilt.

Think about the issue of that. About a week later, RasGas in Qatar was hit. And then, in this spring, March timeframe of 2013, this was with the wiper virus, and in the June time period, South Korea’s hit twice. In South Korea, the bank, the hit on the bank cost around $180 million damage.

And then, if you look at what was going on against Wall Street, there were about 350 distributed denial of service attacks against Wall Street. So if we now take that timeline and we start statistically putting this together, what we will see is it’s growing and it’s getting worse. So when you hear me talk about cyber legislation, that’s why. We need cyber legislation, so that we can help defend the nation from a – old people back there can – and we have to have a way of sharing information. And yes, we’ve got to address the civil liberties and privacy, so everybody knows we’re doing it right. But at the end of the day, we can’t allow some of these things to hit the financial sector.

So one of the reasons, Jeff, the reason that I’m taking this on, trying to do that is I believe we have technical solutions. So we’re actually going to build some technical solutions to help address that and work with other people in industry to help get that out there. We’ve got to protect it.

But I think it requires government and industry to work together. And we can do that. We’ve got to do this. And I think it’s not just our country, but we’ve got to work with others.

You know, and so some of the issues, when you start to look at it, so how do we cope with these threats? I don’t know. No, I’m just kidding. (Laughter.) Okay, okay, so I’ll knock off the humor. I know that that’s not working for you guys. Okay. Probably because some of you ate too much – no, I didn’t eat too much. I know. Please, don’t tell my wife that I had lunch here because she’d say, that was your second lunch. (Laughter.)

So one of the things that – what Secretary Gates did is kind of interesting. So 24 October, we solved that problem. The next week, everybody comes in, Monday morning, and the rest of the Defense Department is going around saying what do we do, what do we do, what do we do? We’re on to the next problem. That’s solved. We figure, okay, that’s done, check, little green thing, check, we’re on to the next problem. And the issue that came up was we’ve got to move out. We’ve got to go on. So what he did is he said, well, you guys solved this. You’re responsible.

At that time, I had the joint Functional Component Command Net Warfare in NSA. And he said, well, since you’re not fully occupied and you’ve got spare time, I see you are sleeping at night, right? Yeah, I am. Okay, so there’re some hours. We can work on this. We’re going to give you the Joint Task Force Global Networks Ops. So now you have both the offense and defense working together.

And what an amazing time that was. Because as soon as you get that, you think, I think you’re giving this to us for a reason. And when you look at it, the first thing that you recognize, the Defense Department’s got big networks – big networks, 15,000 enclaves, 15,000 sets of networks that are all interconnected with system administrators and something. And if you put that on the table, you say, so this means that when you’re doing patches and you’re going after these networks and you’re fixing them, everybody has to do it. If one leaves it open, you have a vulnerability.

And so what do you think statistically the chances are of somebody screwing up every time you go to do something? I think it’s almost one, 100 percent probability that they’re going to mess it up. It’s going to take longer than you wanted, somebody’s going to mess it up, and we have an architecture that in my opinion – so what I told them, I said, look, what we have is an indefensible architecture. You want to put this stuff – this is like putting money on a park bench in New York City with a little sign at night that says, please don’t steal it. (Laughter.) And then, you come in the next morning and you find your money gone and you immediately conclude that the people of New York City can’t read. (Laughter.) That’s a joke.

And so you wouldn’t leave your money on a park bench. So why do we leave our networks like this? Why do we have that? Well, that’s the way we started and that’s where we are. But that’s not where we need to be.

So when you think about it, if you want to create a defensible architecture and we are to start from scratch, you know, just put it on the table, you’d start with 10 virtual cloud, and that’s what we got to do.

Now, why? Well, one, you can defend the data better in a cloud. Now, everybody says, doesn’t that point give you one area that they can attack? Yeah, it’s like a bank. Think of this as a bank. We put all our money in a bank. We don’t spread it out through all the park benches in New York City and say they won’t get it all. They’ll just get some. Well, that’s what they’re doing. They’re getting some and then they can transit to other and they get the rest.

We can secure the data better in the cloud than we can in the architecture that we have today. Of that, I am convinced. And we can make the cloud securable. But here’s the reason, the other reason we have to move to the cloud: mobile users. And there’s two sets of mobile users. The most important is our tactical forces. When you think about the tactical forces out there, when we talk about network security, everybody’s talking about the Pentagon and all our administrative networks, right? And they’re not thinking about the poor guys who are out there, because they’re going to be the ones that in the next war are targeted. How do you defend them in cyberspace?

Well, actually our cyber folks are over here defending the administrative networks. Who’s defending the tactical networks and how do you do that? And the answer is, well, that’s our job. We’ve got to do that. And two, they’ve got to be mobile. They’re not going to sit in one place, put wires down. So they need mobility. So we have to secure the mobile devices. And we had great conversations on securing – Bob and a whole series of folks – we can build into these mobile devices and you’ll see the people who create them, they’ll go to a hardware root of trust, which means that you can secure the data on it and be highly, highly sure that that data is secure. So you’ve got the mobility part that is essential and the cloud and that will be the keys for that future architecture.

We call that the intel community IT environment and the joint information environment. Think of that JIE and ICIT. Those are the two things that we’re moving towards. But if I were to offer one thing, it’s the same thing for industry. We’ve got to do the same thing in industry. It makes sense. This is the wave of the future. It will really help give us defensible architectures.

Now, there were four other things that we – when we built Cyber Command that we said we needed to do. The second thing was training. If you think about the way we train our defensive force, we train them over here. We train the offensive guys over here. And you think, would you ever train a football team and never let them work together? No, you – don’t you want them – what we did at NSA that I thought was spectacular is we made guys who were on the defense go to the offense, guys who were on the offense go to the defense. Why? Not as punishment, although they thought that, but actually because you learn more. You see it more holistically. You can see both sides of this and you do your job better. But even more importantly, the standards, what standard do we train people to? How do you certify them? So for all the specialty skills in cyber, the intent is to have a training program that’s significant and a set of certification processes that you can assure that your people are trained to that standard. And that includes civil liberties and privacy.

So we can do that. So create a defensible architecture, train our folks. Here’s a great question. You know, I loved asking this question and I know the people that were in at the NSA Threat Operations Center got very tired of it, as did the Joint Ops Center in Cyber Command. So when an event happened, you know, and they start talking about X happened at this facility or this industry group got hit with this, you’d say can you draw me a picture of that? Explain how that actually worked. And, you know, now it’s kind of fuzzy math. You know, it’s almost like quantum computing. They say, well, these things happen. They’re entangled, and because they’re entangled – you know, and gets up and explains it. So how do you explain how the attack went? And then, given that that’s how it went or the exploit, whichever it was, how are you going to defend it?

And you know, the common thing is forensically determine how they got in, go clean it up, and then ensure that that one never happens again, which means that the adversary, whoever’s on the offense, always wins. They figure out a way to get in. They get in. They sit there for a while. They take whatever they need. And then, when they’re done and they’re caught, they throw that away and they go on to their next tool.

We need a common operational picture to show what’s going on and a way to defend it. And I think there’s a lot more we can do in this area with modeling and all the things. And so that’s some of the stuff that we’re taking on. I think the most – one of the most important things that we can do – cyber legislation. You had Mike Rogers here today – wonderful, great chairman. I’ll just tell you. He and Dutch Ruppersberger, the things they’ve done on that committee are – make them the poster children for how to run committees in Congress. I think it’s absolutely superb the way they get both parties to work together for the good of the nation. I was truly impressed.

Now, I’ve been going to that committee for 12 years. It was not always that way, trust me. I can remember Mike McConnell going, why did I give up my civilian job to be in here. He was just rubbing his head at one of these hearings. All the way to now where you got Rogers and Ruppersberger in there and they’re helping solve problems. So I’ll tell you. That’s a great thing.

We need cyber legislation. We need to push that through. We have to have the ability for government to share with industry and industry to share with government the types of malicious activity that’s out there. I’m not talking personally identifiable information. I’m talking malicious activity. We have a way of doing that. And if the government tells industry, please block this traffic and it makes a mistake, then industry should have some form of liability protection if the government makes a mistake. It shouldn’t be on them. So those are kind of things if I were to dumb it down to those two, that’s what I think we need in cyber legislation.

And then, the last thing that we needed and that we did was we set up a command and control structure, and we’ve built the teams. You’ve got to have some way of creating command and control and going after this. So this was – it was a wonderful time and, you know, a real privilege to work with some of the great people all around. One of those, Secretary Leon Panetta. At the time when I got the Joint Task Force Global Network Ops, you may recall that their mission was to defend the Defense Department.

And so they transmitted their mission to Cyber Command and said, your mission is to defend the Defense Department. And so I’m thinking, how is this going to play out when an attack wipes out Wall Street and we say, we’re okay, but Wall Street got hammered? So I had this conversation with Secretary Panetta, and I said, so here’s the deal: A missile coming into Colorado, Northern Command is going to stop it. They don’t say, is this going to hit a military base? Nope? Let it go. They don’t do that, right? They stop it for the good of the nation. It’s the Defense Department. It’s our Defense Department.

And so my comment was, so why would we let cyber go through unless it’s going to a DOD? You don’t want Cyber Command to defend DOD. You want Cyber Command to defend the nation. And then you saw, up in New York City, he actually gave that speech where that mission actually was put on the table. And I think that was absolutely the right thing.

So we actually are setting up teams that can defend the nation in cyberspace, but you can’t do it if you don’t have visibility and the ability to work with industry. So we’ve got to create those.

I do want to hit a few other things. I wanted to hit a little bit on terrorism, if I could – just a few minutes – because one of the things that I am really concerned about is these leaks – the leaks by Snowden and others are going to result in terrorist attacks against you because we won’t be able to stop them. They’re learning. That’s my concern.

And I wanted to give you – so why am I concerned? You know, I’m out now. I can sit down and wish my team the best of luck, but the reality is there is a lot going on in this area. Now, we were talking to Danny. Just look at what’s going on in Iraq today. Okay? Look at Syria. Look at Iraq. Look at Afghanistan, Pakistan. Look at Somalia. There’s a group in Somalia. Threats to other countries. Saw a threat this morning to Djibouti by shish-kabob. (Laughter.) Al-Shabaab, I’m sorry. I get them mixed up. One of them is good. Just kidding. I can go slower and work this out.

You know, it is kind of interesting. I was going to tell you a story here, so, you know, on cybersecurity I have 16 grandchildren and I have – I have four daughters, and everybody’s, oh, you’ve got four daughters. You poor guy. There’s cameras. And the first six grandchildren were granddaughters, and we got a grandson – number seven. Lucky. And at two years old, he was downstairs, my daughter was upstairs. They were in Dallas. My wife’s in – up here in the Baltimore area. He grabs that iPad, opens it up, hits the Skype thing and skypes my wife and starts talking to her. Two years old. Two years old and he’s walking around downstairs, my daughter is upstairs. And then finally, my wife goes, where’s your mom? Oh, she’s upstairs. So he’s walking up the stairs. You know how little kids walk up the stairs. My wife’s getting seasick. And who does that?

So not to be outdone – I have to tell the rest of the story – my granddaughter grabs my iPad. She’s one, almost two, but younger. They point this out. And she gets on the Disney Channel, gets her cartoon, sits down to watch it and you can’t talk because she can’t carry on a conversation, but she can get on an iPad. Think of how great that is. Think about where this is. Think about where this technology is going.

And, now, going back to terrorism, I bring in the grandchildren because, as a grandparent, as a father, I am really concerned about the health and welfare of our kids, here and around the world. If you look at the number of terrorist attacks that occurred in 2012, it was 6,771, with over 11,000 deaths. Now, the University of Maryland’s Start Program actually tracks that, so these aren’t my figures. These are their figures and they use those and those are blessed by State Department.

In 2013, it went from 6,700 to 10,300 attacks and over 20,000 people killed. Over 20,000 people killed by terrorist acts.

Look at what’s going on in Syria. Look at what’s going on in Iraq. Now think, how great our life is here. And the same thing in Europe. We’re in the Maslow Need Hierarchy of self-actualization. We can talk about things. You go to Iraq, they want to survive. And it’s not by luck that we have this great capability. It’s because we have a lot of great people in our military, our intelligence community – including NSA – state and local officials and law enforcement that are keeping our country and our allies safe. And it takes tools to do that.

This isn’t the Johnny Carson great karma thing is where’s the terrorist? Right there. It takes a lot of work. And so when you look at that, when you think about that, that’s what concerns me about many of these leaks. And I’ll tell you that I believe that given the amount that we’re seeing, that they’re going to get through. Some of them will get through. Most probably into Europe. We’ll do everything we can to stop them. I know the team back there, they’re going to work overtime to do it. But now that the bad guys know how we do it, they can change the way they look and this is going to cause a problem. And it’s the same thing in cyberspace.

We have to solve these issues. And I think it has to start with the facts on the table for things like the media leaks. You know, it’s interesting – media leaks. Think about this. For one year we have wire-brushed NSA and the people that work there. We have had review groups, inspector generals, Congress, the courts, everybody look at them. And what have they found that NSA has done wrong? Nothing. Not one thing that they hadn’t already reported. What the review group found is they were doing exactly what we asked them to do.

And, you know, it’s really interesting – you know, learning to read as an Army officer was interesting, and you can – I found out with reading you can actually get quotes from people. So in December 2013, responding to a suit filed by the American Civil Liberties Union, U.S. District Judge William Pawley (ph) ruled that the National Security Agency’s bulk collection program is legal, representing the government’s counterpunch to go after terrorist networks by revealing and connecting fragments of perishable communications. Noting also the oversight of the program – and we’ll talk about that in a minute – from all three branches of the government, Judge Pawley wrote, “there is no evidence that the government has used any of the bulk telephony metadata it collected for any purpose other than investigating and disrupting terrorist attacks,” period.

What’s in the papers and what’s come out is what could be used for, but not one thing has been found out that has been used wrong. It could be, and everybody says, well, they could be. You know, I was seven once, a few years back, and my brothers – a little bit older than me – and their friends took us out one night into the field with paper bags snipe hunting. Some of you may have been indoctrinated the same way. And I was convinced they were collecting snipes because you could hear them going – bam! – into their bag. I got one, I got one! And I never saw one. And you’re thinking, man, how come I’m not seeing them? What’s going on? This is snipe hunting.

That’s what the media is doing on this. Not one thing did the review group found. I’ll give you another part. Even the president came out in January and said the same thing: We have not found one thing that they’ve done wrong and were doing what we asked. Now, if we have a complaint about where the line is set, remember that line is set by the administration, by Congress, and by the courts. NSA executes that based on judicial findings of 16 judges 37 times looking at it. The reality – I think it’s legal. Justice thinks it’s legal. Some of you can say, there is no justice. That’s a joke. I’m sorry. I can go slower.

So when you think about this and what you think about is going on, I think here is where you can help because I think the future of our country depends on getting this right. I agree we need civil liberties and privacy. Don’t get me wrong. Did you know – Wellenda (ph) – did you know that we train everybody at NSA who’s going to touch data of their responsibilities for handling U.S. persons’ data – for how to handle these databases and all that, and that that training takes about 400 hours and that the people at NSA have to pass a test to be able to touch that data? And if they make a mistake, they have to go back through training. And nobody was found doing anything wrong in all those investigations that we hadn’t already reported.

If you look at any other country in the world that handles personal data, none of them have the same standard that we, the United States, have. If we were to say something, I think it would start with that. We do it better than anyone else. I think it’s absolute bullshit – I can say that now that I’m retired – that this is the story that’s in the media and not the one of, look, they’ve stopped terrorist attacks. They’ve done everything right. We’ve done what we’ve asked. Now, if we want to have a debate, let’s have a debate, but let’s have a debate based on all the facts that we put on the table. And those facts start with terrorist attacks are doubling from 2012 to 2013 – the deaths.

We can’t take tools off the table and assume we will be just as safe. We have to be sure. And from where I stand, when I had a chance to talk to the president, I told him I was not willing to make that. And guess what. Neither was he. And I think it was the right thing for our country.

So let me just wrap up and we’ll take a few questions. First, big data. There are some tremendous things that we’re going to do with big data. There are tremendous things that we do today. I think when we put the capabilities on the table, we can put in there the appropriate compliance and oversight things so that our personal data is protected, so our nation is protected from terrorism and from cybersecurity. And we’ve got to make those moves. We’ve got to secure our networks. We’ve got to fix these things. We cannot sit back and we can’t let snipe hunting drive this debate. It has to be facts. It has to be the facts. And no one has found anybody doing anything wrong with it. It seems to me that the real facts is, so what happened?

And I’ll leave you one thing to think about. Do you think that Snowden would go to Hong Kong and then to Moscow if he wasn’t led there for some purpose? Inquiring minds want to know.

So with that, let me open it up to questions. (Applause.) Make them easy.

Go ahead. Go ahead.

Q: I have a question about willful misconduct. The ODNI released a letter that said – gave the instances, I think it was 12, which is a commendably low number, of willful abuse of I believe it was the 702 program. When you read that letter, in about half of the cases –

GEN. ALEXANDER: No, actually it wasn’t the 702 program.

Q: I apologize. Willful misconduct nonetheless and you find out, you know, people losing jobs and losing clearances, which is the right thing to do. In about half of those cases, that actual misconduct was not – if I read the letter correctly – not discovered until someone’s clearance was being reinvestigated, which is to say that that abuse was not detected for, in some cases, several years after the fact.

Is there a way that the NSA is looking for ways to change that so that misconduct is found out so that people don’t – you know, to shorten that timeline?

GEN. ALEXANDER: Great. Great question. Let me just give you the rest of the facts because it will help put this in the right context. All those were outside these programs. Okay, so those were – let’s say you’re dealing under Executive Order 12333 Foreign Intelligence Collection. Actually, more than half of those dealt with foreign intelligence collection, so people might be in an overseas location, have a girlfriend or boyfriend, and they are checking up on them. That’s wrong. That’s a misuse of the system. And it’s interesting that we hold them accountable no matter if they misuse it against U.S. persons or foreign. They misuse it, it’s wrong.

Now, we have ways on the U.S. side to see that automatically, and that can stop it. So actually one of those was on a – somebody did a search on a U.S. person inappropriately. Actually, it’s kind of interesting. There are some great things you can do. You can have the machine flash red. You can have – there’s so many jokes you can play on people, but the reality is, as soon as they do that, they’re caught – done.

Q: (Off mike.)

GEN. ALEXANDER: Well, there’s a couple of ones. It’s not quite that simple, but doing something like that, or searching on their own family just to see how it worked is wrong. And you’re right – zero tolerance. So in those cases we can set it up. U.S. persons is easier than global, but we’re working on both, and I think they’ve solved the U.S. person one. They now have a check on the foreign. And so those, I think, help, but the reality is – well, shoot, you could – I mean, they’re going to be able to get around it some, but the track record for catching them is really good. They know that. They know they’re going to go through and that’s going to be a question.

Way back.

Q: Hi, Claude Barfield with the American Enterprise Institute. I’d like to go back to the – I guess you haven’t – you’ve only talked about it in passing, the indictment of the Chinese officials a couple of weeks ago. The defense the administration seems to be, or the United States seems to be making is that while we do economic espionage, the difference between us and the Chinese or maybe even other nations is that we do not pass the information on to individual U.S. companies – to a Microsoft or a GE.

And yet isn’t it – if you look at the indictment of the more complicated – putting aside intellectual property for the moment, because there wasn’t a lot of intellectual property cited in the indictment as being stolen, we do – it’s public record and admitted and even boasted about by the security officials – trade negotiations and trade cases. We have even gotten into the antitrust division of the European Commission. We take that as, you know, just par for the course. We can do that.

Do you think we’ll be able to convince the rest of the world that our assertion that trade negotiations, trade cases, even antitrust cases that we need to know more information about going against U.S. firms is somehow greatly different?

And most of the indictment in terms of Chinese hacking relates to cases that are actually trade cases. They’re not trade secrets in the normal sense.

GEN. ALEXANDER: Well, not to put me on the hot seat, there’s a lot that I can’t talk about, a lot in part because I’m not 100 percent – remember, I’ve been out for two and a half months.

Let me take it this way, if I could. First, I do think there’s a difference between what we do. I think it’s the greatest transfer of wealth in history – the intellectual property –

Q: (Off mike.)

GEN. ALEXANDER: So let me just keep going. I think that’s one of the key things and we’ve got to set a red line. But if you were to ask me personally how I would do this, I think we have to sit down and have an engagement, a discussion. And I think it starts with a discussion. And I think that’s where we’ve got to do and we’ve got to push that issue and we’ve got to make this a discussion and bring the Chinese and the U.S. key people to the table – and others, and others. And I think that’s where I would start.

Now, I don’t know all the stuff that led up to the indictment. That’s on the law enforcement and judicial side, so I don’t know the answer to many of the questions that you posed and what was there. I actually just kind of left that one out, so I haven’t really read any of it. I heard five. I said, okay, good, the less I know, the less I can answer. And that’s a great place to be, but if you want to solve this I think that we need to get the two sides together. We need to talk about what the norms are, what the rules of the roads are, and we’ve got to solve that problem. That’s part one.

And two, we can’t leave our intellectual property and other stuff on the park bench. We’ve got to secure it, and that’s what we’re doing.