Good morning, good afternoon. One bit of healt housekeeping information. Tom is doing calls. He is responding to the devastating affects importer rico and since his job is to be head of homeland security, cyber, counterterrorism, he is kind of running in a million directions, but we are truly fortunate to have rob in his place. For those of you who dont know rob, rob is the cyber lead at the National Security council. Hes the socalled cyber czar, the correlator for all things cyber. He comes to the white house from the National Security agency where, among other roles, he iran tao which i think has gotten a little more notice in recent years. There is a time we can even mention that but rob comes to this job with true professionalism. He has worked these issues from a collector and operators perspective and he has a natural ability to translate those ideas into policy and the like. Thank you for doing this, especially the last minute. I thought we would start with a general question, the executive order that was promulgated in may. I know a lot of homework items were due early september, late august. Can you give us a sense of where we stand, i dont expect you to break all news in exactly what was provided, but tell me where things have been and in particular, just because its been a common theme overall event, the cyber deterrent language in particular. Thanks for the opportunity to be here. Tom did send his deep regrets. He is in the middle of the white house response to the hurricane, both as the devastation hit texas, florida and puerto rico and sister islands. He asked me to step in and i appreciate the opportunity tos talk in the space. Let me give a brief thumbnail to those not familiar with what it covers and then well talk about the reports that come in under it. For big areas, the first is protection of our government network, those networks are the ones that transact government business but also hold the information of the american people. When you look back at things like the obm breach, its not hard to understand why we had to put effort into making sure those are secure and modern. I think anybody who has acted with government it or currently in the government knows that not everyplace in the government is at the same level of protection and security. Probably not the case that Everybody Needs to be, but we need to make sure the most Important Information and National Security information and privacy implicating information is protected. The eo was tasking the modernization of the federal networks and thinking about how we do Cyber Security to scale, and looking ahead, the recommendations were things like shared services, the idea of moving the modern cloud based services, the concepts of getting connected, when youve got the bureau of Land Management overseeing important things like hydroelectric power production, they are probably not going to compete with dhs, nsa and dod in re cruising Cyber Security specialist, but you want those Networks Just to secure as the other places we have in the federal government. Thinking about how we can do some shared services, even insecurity operation, thats area one, federal network. Area two is Critical Infrastructure. In the area we are talking about the 17 Critical Infrastructure structures, things like power, energy, communications, water, transportation, all of those sectors were often those are run and operated by the commercial Industry Partners but have implications to the safety and National Security of our country. That is a collaboration between those sectors in the u. S. Government as to how we improve security. This year the trendline continues that advantages going to offense and thats a scary thing when you think of Critical Infrastructure. We can have our power grid being held at risk. We can have questions as to whether the Financial Sector can stay free from intrusion. What that means is we have to have both security as well as resiliency. Do you see a day where they can be with it defender or will always be with the attacker. I think people have to flow through, the phrase i use with others is that it takes a thief to catch a thief. In both of those jobs i thought differently about the way we needed to move forward because of the experience of the other. Which job did you think trump the other, not in terms of more fun. I would say my tao job was easier and the Information Assurance cut me up at night. Critical infrastructure, resiliency is important. We cant assume offense wont get through the defense that we put up. At that point youve got have capabilities to uncover intrusions as fast as you can and minimize and localize the impacts from those intrusions and three, when you do have an impact, how do you recover and recover quickly . It only takes the devastation that we are seeing from some of these hurricane impacts to know that when these services are down, it has tremendous implications to health and safety and welfare. Part of its ability to bounce back which minimizes the reason they might turn to those. Absolutely. You asked about our deterrence strategy. One piece of that will be demonstrating resiliency. If you have a . Whether they can hold someone at risk. [inaudible] [inaudible] the base of that pyramid is the power sector. If you look at when the power goes down, things cascade from there. It can only run so long on generators. The communication sector goes down, the banking and finance sector isnt going to be able to transact so there is this cascading effect. We are working on the exercise that will come up. Were trying to make the banking and communication sector to look at some of those affects and make it realistic into how society would react. Even from a defensive, clearly the Financial Services sector is very far along. I dont remember if it was nyack but they did a report calling out the four Critical Infrastructures. Does that unfairly put forth, i dont think we will create a super sector but will create time between sectors and making sure all the dependencies in one art piece through and the threads are pulled. Than that gets a sort of the concept, we have unlimited vulnerability and resources, its not like security is an end state, its a continuous process. The process there begins in that prioritization, anything new coming out of the executive orders that you think . Weve all heard publicprivate partners. Ive been known to say long on nouns and short on verbs. Its not to suggest there arent solutions because the industrial ace, the industry sector, weve just heard from them in Financial Services sector, they are doing phenomenal work. It still comes to the policy without resources rhetoric so where do we kind of see that coming down . I think its a joint activity for both of us. Private industry has invested, government has invested, i dont know that the gears are mashing. If one of the calls we often get is that we need more sharing of the government knowledge and information that you have, in the classified arena, thats hard. To push everything the government has, there implicated in some of that. What we been talking about is, instead of the push model, send us everything youve got, find ways to integrate a fee to of the key analysts with Sector Knowledge into the areas where they can then look for their equity, identify information that then needs to be pushed out for action. , vice versa where government can spend more time in some of these Critical Infrastructure area. We think is important not only for the connection but also for the development of the government expertise in the relationship. Awesome. I think the most impactful step we will have is bringing more into the analytic sectors from the commercial side so they can have expansive access but in a controlled way where the data isnt as at risk and we can keep track of what is pushed out and shared. Coming to your role as sort of a primary producer of information and customer of other bits of information, but largely a provider, what did you find coming into a white house kind of role . This is more of a personal question. What did you think made sense, what did it . All these executive orders that we have all put a lot of blood, sweat and tears in in this room and of course you guys, but what really works . Do we have the ability to know in the event of an incident what would trigger an escalation, what a significant incident is, what will you be able to get your war room together to manage the consequences of an incident. Are all of those sort of we will know it when we see it . Weve got a process, in the end it will come down to expertise. Its really good to there, by the way. We have a wide array of folks distributed across the community. [inaudible] it takes the reporting from across the Intel Community to include open source and partner information and tries to summarize. They are at the front line of sensing a warning in the Intel Community and commercial entities. We all drink from these fire hoses of information strains, but what we rely on is the expertise and judgment of a bunch of different people and things get elevated quickly. We have routine interactions where i host the interagency once a week. In that we talk about Threat Landscape and other things, but with the daily information flows, we have a process when information is breaking to call an ad hoc session and then theres a policy on when we turn to a very formal Coordination Group and is led at the dhs level. They can trigger some very formal processes, communications, interactions with the commercial entities and even has a Lessons Learned process at the end so every incident we get a little better. Can you give us a sense of what sort of incident would potentially trigger that . If there were an attack on the grid, as you mentioned, we saw on the ukraine that would probably trigger it. Absolutely would. A great example is something that had the health sector. Was it hitting in the u. S. , but we watch the impact it was having at the uk and that kicked off significant interagency processes. What about iot. How big, youve got a vast universe when we talk about prioritization that im sure keeps you up at night. I used to say i get up, i sleep like a baby, wake up every few hours crying. In all sincerity, where is iot. The fact that our attacks are growing exponentially, the real time to get solution is at the design phase. [inaudible] iot, at the same time is a huge opportunity and huge threa threat. They want to make lives easier. The train is moving and we are going in that direction. We are not going to slow down and stop it. We saw poorly designed iot and thats a real threat to infrastructure and capability and National Security. There have been various calls, everything from the Underwriters Lab and certifies security all the way down to let Market Forces drive. We are in the middle. We would like to see great articulation of standards. What is bac best practices. We would like to encourage the Industry Groups to follow those standards. Theres some really simple things that every iot does device ought to have. It starts with, it needs to be updatable. The idea that when vulnerabilities are found that it can be updated. You would like to have the ability to make sure it doesnt have default credentials and passwords, and beyond that, the curve starts going out. Ideally, its update process is cryptographically secure, they thought about doing an update underneath encryption so it cant be smoothed. Those are easy and simple things, their well understood how too do, market pressures arent always driving the companies to do that right stuff from the beginning, and thats where i think the government and Industry Groups can push and help, its our desire not to see that pendulum swing all the way to regulation which is why in the executive order we kicked off some studies and other things that really go back to iot roots and some of the same root causes. One other thought, since he brought up crypto, the going to our dilemma and challenge, obviously it stymied Law Enforcement intelligence, the flipside is without throwing strong encryption, whoever the perpetrator is will potentially exploit that information. How can we think about that and then we got very key provisions at the end of december. Is there call for congress, whats the call there if there is a call to action, and help me think through the going dark phenomena. Let me start with the 702. Fisa 702 statute, it is just a critical tool in the terrorism, and even in Cyber Defense realm. It is a tool that helps us understand threats. It is a lawful tool under close supervision. Its even based on some of the reporting out there, you can see as well monitor cap theres oversight from multiple levels both inside those agencies and with independent verification. Its really important that we get a reauthorization. You can get a little of toms information. If the tool we cant afford for our organization to let sunset. I think congress is well focused on it. When you ask about going dark, i think the first message i want everyone to understand is strong encryption is good for the nation. Theres no blackandwhite about that. , we needed for our protections. That being said theres an important part of her rule of law. What we would like to see is responsible corporations consider how they can be responsive to judicial order. The government shouldnt have a place in saying how thats done. The design considerations upfront should consider that we as a society need to do investigations. Theres a reason that all of us look to Law Enforcement and the government to provide basic components for society. That includes the ability for a judge to say i need access to information. Berries strong proponents of encryption print strong encryption needs to be capability we have smart and amazing tech companies. Many of them are able to provide that encryption and security but when theres a need for wanted access, they cancan provide it. Im in as sort of an unfair question. I mean, quantum computing and chinese satellite being launched ahead of state from russia talking about the importance of Artificial Intelligence to dominate the world, what does that mean . Are we in the midst, do we know theres even a race going on, and what does it mean for our tail . We need to make sure we have the capability to ensure our dominance in the space. These are big news story that kinda get buried. The really big from a policy standpoint. What are our thoughts on that. Does that cause you to take notice . Other policymakers . Certainly, when you look at technology, there is a history in this country that Technical Innovation has underpinned our society and its also really given rise to the amazing lifestyles that we have here in the u. S. The good news is, we have such a healthy set of industries, research labs, academia, there is nobody that doubts we are the leader in technology. But we cant take it for granted. We cannot. Thats why we continue to invest in that. The white house kicking off stem educational programs, weve got to continue investing in that next generation both for the people in the technology, and i would argue in the end, if we do the people right, the technology will follow. The people are the secret and the key to our innovation. Even from a threat perspective, technology always changes but human nature is pretty consistent. Good, bad or indifferent, that has to be factored in. That gets into the whole human collection versus technical mean. Im really glad you raise that. What can you share in terms of what the agency has put forward and what youre trying to articulate. By the way, in fairness, i dont mean to lead with these questions, i dont think you articulate, i think you articulate actors from crossing lines, but what are we thinking about that . Do you see a day where we will have a genuine cyber deterrence strategy. I do think we will have a genuine deterrence strategy. So i tipped you to a couple things better in there. One is demonstrating resilience will be a cornerstone to deterrence. Weve got to have the assurances that weve done the right things to plan for eventualities that sometimes are heinous to consider. Weve got to do that planning. Then we got to exercise. We have to practice like we play and so that element is really important for resilience. The second element is kind of what i hear you alluding to which is the imposition of cost. We can have norms. Norms are great, but without an imposition of cost for the people who are outside those norms, the norms dont mean anything. And the bad guys have to know that we mean business when certain things are crossed. Right now they dont know. At times. I would say one of the things weve used is lawenforcement. Even at times we can bring people to justice, we know after a public indictment that they are going to stay put in the government is not going to give them up but its a powerful diplomatic message, its a powerful signal to send to others were considering it. The retired and cant travel so that has a cost too. We are also using field indictments. In the back of the mind of people who participate in these activities, that should make them wonder, as they travel internationally, it doesnt need to be to the u. S. , but other places, thats one element. Another element is the art of diplomacy. The ability to shape other countries actions. Sanctions, the ability to do primary and even secondary sanctions. Weve used that time first cyber topic spread we will use that again and more. Then theres other elements. We will respond to cyber with cyber. Most of the time you cant solve cyber was cyber, that is one of the arrows in the quiver. It really is this whole of government but for us its the will to impose costs. We found that Big International consortiums are often slow to move or reluctant to move to impose those costs. For us its often going to be bilateral, finding the right partner for the right problem moving forward and bringing coalitions along but not waiting for the coalition to be large and grand. This came up in our conversations with congressman and the other panels as well. Do we need new alliances . Any thoughts on the state Department Reorganization that is ongoing . I think part of it is the whole story hasnt been told. Its not as if theyre getting rid of everything state related, but anything on new alliances . When i look at the strongest alliances in nato, all of which are absolutely backbones for the United States, and need to be, but then youve got allies like israel and japan and south korea, in very tough neighborhoods with actors that quite honestly concern us because whatever they are seeing, its coming our way soon. Stay tuned is sort of, those are the practice fields. We are the main stage. I would be curious what your thoughts are in terms of alliances, specific to cyber. We try to integrate the cyber issues into every existing treaty, policy, organization or do we need something new which in part is the challenge with cyber. How do we put about around this . Or is there not a vote to put around. We need alliances. I just returned from a trip to singapore which is in a tough neighborhood as well with some exceptional technology, strong focus on becoming both the Digital Economy leader as well as a security leader in the region. That also afforded not only the chance to talk to singapore, but we huddled on Cyber Security. That whole region of the world is thinking about what they need to do to improve their digital economies and their own security. Cyber is a topic that comes up with every country we interact with. For us its about priorities and resources. We have to pick and choose the relationships to grow. I think the ones we will emphasize are those ones we are willing to enter into deterrence aspects and have capacity. We have to start their. Awesome. Last question and then open it up for a few minutes. Any comment on dhs decision. It was the right decision, it wasnt one we entered into lightly, but the idea that we have something pervasive with that system that pushes information overseas to a country that has laws that require these companies to submit to the intel services, that data, thats just a risk that we cannot have on our government network. We recently hosted greg clark and russia is now urging, or requiring providers to turn over their source code and fortunately, in their case, they took security over sales. Im not sure thats a big issue. China as well. China has a huge market. I hope u. S. Companies think about the security implications prior to doing that on the flipside. We have a couple minutes for questions. Please identify yourself. We will go here and then here and then there and then who i cant see back there. Thanks for joining us. Senior fellow at the center as well as ceo of a security group. Questions around active Cyber Defense. I dont mean hacking back. You nice share some similar background, when i talk about hacking back, thats not in context. Cyber defense for across the federal government, not dod, not dhs, what are your thoughts on that as well as what that means for the commercial round. Theres been talk for many years about companies hacking back in the legal issues around that. Perspective and how that plays into the deterrence aspects. Its great to be resilient and prepared with defenses but at some point you have to gather intel and weigh your means. Just curious about your thoughts. Im still not understand your definition of active Cyber Defense. You went to both places which is i dont mean hacking back but i mean gathering intelligence. For me, i dont understand if youre doing active in gathering intelligence, it sounds like hacking back. Versus intent. So i have a very strong belief that the offense of Cyber Operations where you are compromising a box that you dont own needs to be in inherently governmental operation. So if you are talking about going out, compromising a box and deleting the data they stole from you, or imposing punitive, so they feel some pain and dont want go after you again, i really think thats a bad idea for the cascade of things that can occur in that space. If you are talking about compromising a box to go gather intelligence, that still is some pretty risky space because we are, as you heard, going to start imposing costs for the intrusions that are coming at the u. S. That puts us in a delicate policy space when youre out there pushing them hard to respond to intrusion, and if they are seeing our companies doing intrusion in their space, whether its gray space or red space, they will have a legitimate asked to us to make it stop. If youre talking other definitions of Cyber Defense were you are changing your network, you are manipulating the data thats coming in and putting it into places where the adversary may be talking to something that your gathering more intelligence about, where they are manipulating things in the data they get back has been changed so that its unuseful or unhelpful or causes them to question their tactics and techniques, im a huge fan of that activity, and i think theres some really Creative Things being done in the marketplace and across the community. And more can be done. Anything inside your own network is fair game. Or even collaboration where something sits at a higher level inside the network, i think theres room for ifps are partners to do unique things. Like the Cyber Threat Alliance and some that can do this right now. So there is a difference between cowboy and theres a difference between a Publicprivate Partnership for you then turn over evidence or information that others can act upon. That i think is part of that gray area but i dont think it should be so great. Otherwise we continue to blame the victim and were never going to build high enough walls, big enough locks were deep enough motes. Its doomed for failure. There has to be sort of like a football game, you need a linebacker. You cant just have defense tackle. I dont know. I want go too far on that. Dustin you had a question. And then well go there. Sorry. Right there. Dustin, theres been some rising concern among lawmakers on capitol hill and the threat posed by foreign adversaries, facebook and twitter, to discord domestically and interfere in elections and so forth. Im just wondering, where do you stand on that issue. Should the companies be doing more to sort of get a grapple , get a grip on this issue of foreign interference. I thought you give me a real easy question. Where do i stand. Go ahead. Should the company be doing more in this space to get, to be more transparent and monitor this issue more closely and how substantial a threat do you consider this information propaganda. I do think theres more that companies can be doing. Im seeing that they are waking up to the threat and putting effort into it. I commend facebook, for example, the research they did, these Companies Know their platform better than anybody. They understand who is interacting on the platform and whats normal, and i think that using their platforms and technologies to understand when they are being misused is the best solution to some of this. When you asked about is a problem, absolutely, is a growing problem yes, and i think anything that would be turned to try to subvert our democratic processes is something that we need to understand better and put some checks and balances in. Again, it is tradecraft from what weve seen in the physical world for years. The old rumor that agency was behind hivaids. Now its just on steroids with no cost. The other thing i point out, every election is an Information Warfare campaign. Its just moved beyond the two participants were candidates. We got a question back here and then we will have one more here and thats it. Mike levine from abc news. Going back, would you say your concerns are based on what the russian government could do or was part of the concern what you know the government has done. All i will say is we made a really, we weighed a really thorough investigation and we made a prudent risk decision and im confident we got to the right answer. Well said. Question over here. Eric keller from politico. This morning bloomberg reported that investigators look into the apple fax breach believe theres some evidence it couldve been nationstate activity. I wont say if thats true but i will ask you what can you in the Trump Administration do to mitigate the damage from these kinds of breaches if it is nationstate activity like we saw with opm where the counterintelligence purpose. Theyre trying to find information to use for blackmail as opposed to social keep security or fraud. One of the steps the administration can take to limit the damage from that incident. Great question. Its clear we cant let other nations hold us at risk for cyber. If this is a nationstate, im not saying it is, but if it is, that amount of data has huge value to intel services, Information Operation and other things. You cant make it go away. Once its been stolen and operationalize, its out there. What we can do is look at the things that make it useful and valuable. Our companies doing the right things to defend personal information . Do we have the proper breach notification so when there is an incident that gets discussed in a timely fashion and responded too. Then weve even got a think about the underlying components that put us at risk. I would offer that the Social Security numbers are pretty antiquated. The idea that every time i want to use my Social Security number i put it at risk by sharing it for legitimate use, i think thats unacceptable and i think theres good opportunities to use modern Technology Two factor authentication, public, private to give us a way that we can modernize and use that in a way that i dont have to put at risk by using it, and when there is a compromise that theres an easy revocable way. Show of hands, how many people have changed their Social Security number knowing that its compromised. I personally know, for instances where mine has been compromised. I think everyone here, has everyone here, if there were a show of hands that you think your Social Security number. So that to me is the need to think about how we define information, how we use it, what we put at risk, and limit the knock on consequences of using it for information. We might have time for one more. Rob, let me ask you, i dont want specifics on this, by any means, but can you give us some assurances that everything we are doing to address the crisis, north korea, also includes a cyber dimension to that . Ultimately, cyber again is an instrument, it may be the first volley. Are you part of those discussions. North korea is a huge discussion. Theyve chosen to use cyber in the past and so we are making sure that we are attentive to the probability, we are worried that if there cornered or even not corner that they will use cyber and malicious way. How are they thinking about refining that process. We are taking a look at how we can defined section nine. There is a set of criteria that get you inside the infrastructure designation. It talks about critical and for structure and section nine of the executive order talked about the most critical of Critical Infrastructure, if you go through that list. People scratch their head and say why are they on their. Weve got to consider the infrastructure and the idea of what a major Banking Institution relies on, what a major Power Institution relies on, those are dependencies that arent often considered in that previous structure, and so we are looking at bats. Rob, on behalf of everyone, let me thank you, not only for joining us today, but for your public service, for fighting the good fight, fighting it well, and thank you for joining us. I appreciate it. [applause] [applause] [inaudible conversations] think you. No rest for the weary. We are going right into our next keynote discussion with George Barnes who is, as everyone knows, Deputy Director of the National Security agency. Again, of all the agencies that have been doing cyber long before it was cool, the National Security agency is at the very top of the list. George i has arguably the most important job at the agency. I disagree. I think youve got all the headaches and youve got all the opportunities. Were really thrilled you can join us today. They continue to evaluate self,s mission, authority and ability to be a provider of intelligence. In the last year we have undergone a reorganization. The whole rationale for that was an evaluation of where we were, where were going, and where we want to be a successful as we had been ten or 15 years from now. While we were successful, there were certain things with their structure, is about 15 years old, the last time restructured was before 9 11. We had learned a lot and adjusted a lot through the campaigns but we realize that for several reasons we are not for purpose on the structural perspective. That comes to play looking at the two authorities we had. We have her Information Assurance authority under National Security director 42. Traditionally nsa has been organized along that authority that. That was good at the time that over time we realized it created a weakness. Thats what they pointed out to, it takes a hunter to know how theyre being hunted. One of the things we are not able to do was to get it at all levels of the career to move back and forth across all sides. It was a physical move. The clusters of people in this organization were geographically distant different from each other. We looked at that continuous pool to provide those Mission Outcomes and also what Cyber Security represents is a challenge and what could we do better to meet that challenge. The way we found we could do better was to organize based on the functions we perform, operations, and other things like that. We found that through the cultivation of talent like rob and his peers where they went from being on the intelligence side to the insurance side, they didnt have all the insight when they arrive. A lot of the intelligence stream they condition to receive was routinely should shut off. We had not done a good job in making sure the Information Assurance components were fully enriched by the insights we are getting. And the expertise we had people have built careers on one side or the other and they didnt mix. So with major cultural change and shift to bring these people together in new and different ways. Were realizing the benefits of that. Were taking people and brought them closer together. There authorities and the associated boundaries but making sure they enrich each other cognizant of what is good for our networks. Whether its protecting networks or gaining insights for foreign Intelligence Mission to make sure that were protecting those networks. The structure allows us to do that in ways we had before. That is a key point. All the things rob talked about were condition ourselves to evolve, emergent to find a way. We have years of expertise but we have ideas, technology, trying to work with our Mission Partners and with our Industrial Partners to understand what has worked, what has not, how do we evolve together, there is something to the fact that we cannot just scaler old model to the new problem. So having a continual across the public and private sectors critical in bringing in academia. We have a country were not putting out technical degrees at the pace we need to. Its a National Security issue. Perhaps the biggest. If you look at the others in the world that we find yourselves comparing ourselves to such as china. Theyre graduating scientists, engineers, math petitions at a higher rate than we are. We as a nation and democracy rely on innovation. As the core that has made our country what it is is in jeopardy if we dont attend to the cultivation of our children. Thats a security thing i focus on what has made nsa what it has been for decades. Weve had dramatic support from intercity industry but have hired talent and cultivated them they have pioneered new ways of doing business. We need to continue to do that so we remain viable to use insights to help our partners find a way. Thank you, thats a wonderful way to start us out. Very consistent with the things we have been discussing earlier in the day as well. This is a little off the beaten path, but do you see a day were even as the National Security agency where everyone from a promotion standpoint, we all know that promotion is the way to build skill or anyone who is on the breaker versus maker, but, do you see a day where to get promoted they will have to fit in different roles, not just bring their entities closer but were individuals will have to know . We have not gone to that point in but weve looked at what we can and should do for the expertise, and how do we understand what is pulling on our people. We are lucky in that we have dramatic numbers of people across the u. S. That want to work with us. That is something despite the money its a sense of purpose brings people in droves to us from an aspiration perspective. It has been a great mystery and continues. [inaudible] these functions when i started 30 years ago what i did was very unique. Now, what i do in my peers do, their logs in the industry we have talent and insight the discussion you have had today points to the fact that the imbalance is causing us to readjust. That comes into cultivating pursuing technical degrees so they can increase supply. Its healthy that a lot of people come in and spend five or ten years yet, its hard we have to continue to bring people behind him and sometimes is traumatic to lose good people but at the same time that knowledge and expertise back to the rest of our network of people enrich us more broadly. That is part of our survival. One think the National Security agency doesnt get enough credit for his you have strong relationships with the university. And that is a way to bring talent in and out. I hope you double down on the. We had many Programs Centers of excellence and partners with agency and we have a program that we started years ago where he worked with 50 universities across the country to help the university put on summer camps for children to learn about Cyber Security. There nothing to do with an essay, i dont care whether any of them come to an essay when they come out of college, its nice, but i want them to be interested in the domain and pursue College Degrees in the fields that help our country. So those things were finding were getting the kids interested. Go online and do a search on cyber and youll see great example of where those seeds are being sown and havent an effect. Another theme today was looking at the role of u. S. Cyber connection. The president recently elevated this to a full combat command getting it out of the shadow of a subordinate command role, no decision made yet on the role with the National Security agency, but inevitable at some point. Probably what we think what we should be thinking, how does it affect the legacy issues and relationships, what is that mean . So decisions have yet to be made about the nature of a split. But its not about splitting the partnership. Its about whether or not one person should have both rose as director of nsa. Whether not it happens it doesnt change the fact that in 2010 it was created under the premise that to be by viable theres a lot of expertise and knowledge and technology has been developed over the years in the National Security agency that can help to celebrate cyber con into being a bibles service. Always find we are an intelligence machine. We will never separate, that is why Cyber Command has been physically and substantially on the campus. All the services are part of it. Army, navy, air force marines, coast guard theyll have cyber components and part of the formula. The distributed physically as are we. We have a presence across the United States and the cyber components kate. That partnership is tight, growing and maturing and were demonstrating that by bringing in Service Members into our world, it accelerates their ability to be productive and to apply those skills when they have cyber roles. Also an issue not compromising. Thats another key thing. The equity space is extremely fragile and needs to be managed in the fact that we are co resident together we develop a culture thats informed one side or the other and help the discussion so are not doing things as though we didnt relate to each other. So, Cyber Commands Going Forward will have a tight and growing partnership. [inaudible] the physical proximity is also just as important as the organizational partnership. So thinking about just because you had some leadership from dhs im glad that rob brought up as it seems to be people seem to forget the significant role it plays, but give us thoughts on that. Cyber is everyones mission. We tend to ask whos in charge how does that look with your relationship . Its critical if you look at all the things that you looked at the organization that connects with Critical Infrastructure and key resources, theyre the ones that when a companys penetrating that the knock on the door and deliver the message that the have a problem. Were not that entity. We provide that function for the department of defense the National Security system but not the rest of the government. So all partnership with chs and its unfortunate, weve had things that have happened over the past year where there were events in those have given us every time theres an event its an opportunity for learning. We exercise our system and find out words week and we figure out how to finetune it. And it gets better with time. Do you have a formal process . Do you have a process where. We have one with nsa, we dont have a formalized one is such, we have various levels with the interagency. Im on the Deputies Committee and they all come together then we have subordinate layers that come together and tease out issues and problems and strategies. So, thats an area where there were partnerships that were exercise between us, the the dod, dhs, and others. We learned, we tweet, and theres rich, fluid discourse. And how about the bureau . The fbi has been a partner for decades. So thats just natural. The natural relationship evolved with the application, its always been the National Security apparatus, taught cyber is just an extension of the. Good, and how about our allies, what are we thinking here . In addition to the collection capabilities, the ultimate provider of defense capabilities, how does that look from an allied perspective . Do we need to look at it a source of alliances and what is it mean for combined operations physical, kinetic . If you take the Cyber Security layer of mission, that can ride on top of previously established partnerships. Some are more quick for purpose than others based on the sophistication they bring and how they can relate to ours. Most people know about the five eyes and its obvious, we have a tie partnership, they are each had different places in the evolution of their operating authority. , the one that was our first with the united kingdom, that partnership is extremely rich and writes on the backbone of our Information Security partnership, or foreign Intelligence Partnership in our duty partnership. So there across all agencies so makes a natural for us to link up and learn from each other. We had different scopes and skills so it works for them might not work for us. But by working looking at what they do is great to have somebody else who has your challenges and you can bounce things off each other and learn. In the u. K. , the way theyve organize and structure with their national Cyber Security that comes out largely out of but, it has an interagency role. I think they came to conclude what many here would say, they had the capability but not all the authority. I think you figure that out. And the u. K. Is a Smaller Government than the u. S. So it became more efficient for them to build out of this their operating authorities were different than what we have in the United States. For their authority, the position and size its the right model. The other thing theyve been proactive in doing this how to bring industry in. We have ten minutes for questions committee you have questions freezer hand and identify yourself. Theres a trend here. Two questions, on the issue of social Media Companies having to get pressures from lawmakers to deal with foreign information, curious if the nsa is helping them survey their networks to provide intelligence that might be effective weve heard about section seven oh two, the less somewhere in situation with the patriot act in mid may or june of 2015 they came out said they have to start winding it down earlier than the deadline because of the solicitation of the program. As a similar situation will exist for section seven oh two or might you lose some of your authority prior to . First yes if were collaborating with respect to is happening, we are not. That is purposeful. We do not, theyre very sophisticated, a lot of people who come but based on our operating authorities and focus, we do not collaborate on helping them look at who is in their networks. Be outside of our purview. We are encouraged that when theyre taken it upon themselves to understand whats normal from their Customer Base and look for operations and what the significance of that is. Over to your seven oh two question. I think this is the public, the vast majority of information or intelligence provided to the president and his daily brief comes from similar capabilities that could be blacked out or eroded for faa, section seven oh two there is a large productivity peace their and it does influence much of what the president s daily brief. Any other sources as well, the key one that we talk about and is still extremely critical is counterterrorism. Its extremely critical to us. The big difference between what happened was section 215 which became the freedom act in seven oh two is billing records from u. S. Companies in the u. S. Section seven oh two is foreign entities outside of the United States. They get conflated, theres different technologies. Different authorities and focus areas. 702 is 100 foreign individuals outside the United States. When they come there treated as a u. S. Person with all the rights. We have checks and balances to ensure that when anybody comes if they happen to be an entity they would be dropped. So those assurances are core to the foundation of 702. By the end of the year to your point we would have to be looking to work with our Mission Partners in the government government as well as companies to go down in advance. Lastly we want to do is conduct an operation that goes all the way through the companies, so we would have to work the dates backward to make sure wooden cross that line. My question is with north koreas capability, its been reported for them to be responsible, im wondering they have such capability or not, you talk about if we are on record to say that we have not definitively time the want to cry to that we have not definitively 100 of that back to north korea. Other nationstates have, theres been different news out there but whether not north korea is or is not responsible, attribution is very tough. The challenge was Cyber Security. We talked about providing pressure back on that perpetuates cyber action. The attribution is tough and we take it seriously. Repercussions but we have not definitively attributed the want to cry virus or malware back to north korea. That said, north korea has a track record of conducting Cyber Operations for all kinds of outcomes. Many know about what happened to the corporation in the United States several years ago. And because they are Close Society under physical duress, theyre looking to have ways to generate revenue. Random where is one of the ways that could be done. That leads to the hypothesis that perhaps there behind that. Of the social media question, twitter said that they have identified 200 twitter accounts and close them down after linking them to russians for the purpose of pushing fake media. Where does that number stand . I have no idea. We have no idea into that for structure. Says operator they had the best view in assessing whos connected and what kind of profile they might have especially using advanced analytics to really assess what the profile and Due Diligence to look down deeper as its tied to something thats bigger. We have no insight into that. We are about out of time, i would argue and please disagree with this premise that we discussed earlier that the role of private sector providing attribution of statesponsored attack has made the governments release here but theyre all over the place. Starting to hear from some that they may not be as forward leaning. Because it doesnt help. So their businesses to unravel the things for the customer. So how public you are in the are pros and cons. Only they can assess taste on the aftermath. Once that happens it draws attention to them which may complicate what theyre there to do. Thats a challenge was Cyber Security. Most entities that are penetrated dont want to advertise the fact that there penetrated because it creates a magnet to draw more attention for those who are interested or other bad actors can be drawn to what they see as a vulnerable weakness. A lot of things happen and are not reported say dont get the full picture of whats going on. And not to be snarky, but where do we stand on the Insider Threat issue . I know youve done some humans work of late,. Its been a tough road from 2013 to this past year, weve had a series of losses. That didnt just happen all at once, we started after the 2013 we started to evaluate our security practices, that initial start was in the it System Administration room because thats when the loss started so we started to evaluate how we did that but, top of that we learned that we had to have a multifaceted strategy that hits all aspects of technology, personal security, physical security but we have a Robust Program and spends a lot of money trying to actually revolutionize the architecture we have to enhance security, to all of us who have accounts on the National Security system. Every time you log in you have a monitoring banner. That has to mean something. We have to be able to understand what was happening honor systems, what are the normal things people do based on their functions. I should not be going into some database were analysts are working traffic. I have the ability to do that but its not my job. So typically im on email working actions and moving people around. So we had to become more sophisticated and had to look at the vulnerabilities inherent in the fact that we hire people whose job it is to tear pat systems whether we can better secure them for a nation. Understanding the needs we had to change our mindset culture as well as architecture and process procedures. Its been a long road, but we are much stronger than we were. Weve used on a lot of what we have done has influenced what were doing more brother in government. It also gets to what were talking about in the Cyber Security space in general. We make it easy to go in the back door thats where people go. We can mechanisms in place but we have to have Network Hygiene and multifactor defense. I not only thank you for taking time out of your busy schedule, thank you for your leadership and all youre doing for the men and women that you lead and more importantly for the men and women they serve. The mission is imperative, they are in good hands with you at the helm. Thank you. [applause] we have an awesome partner, thank you for joining us and thank you to the team. [applause] [inaudible] [inaudible] [inaudible] [inaudible] coming up tomorrow, the march for Racial Justice takes place in washington, d. C. Participants will march from capitol hill past the Justice Department and hear from a series of speakers on the national mall. Live coverage starts saturday at 2 30 p. M. Eastern. And monday, isis and their recruitment strategy chair the focus of a discussion. That is live at 12 15 p. M. Eastern on cspan2. Congress returns a multitude busy week. We talked to a report on capitol hill to get a look at what is on their plate. Jennifers appropriations and budget reporter for cq roll call. Steve scalise returns to the u. S. House and he has his works cut out county roads next week. The house takes up the republican budget. They passed it out of the Budget Committee over the summer. What took them so long to get to the