Which may be a couple of minutes because of the importance of this event in that it is the launch of what will be an Important New Initiative of the Aspen Institute. The launchingks of a new policy program of the institute that we are calling Cyber Security and technology. Obviously, a talk at that, unless you have been on a Desert Island the last six months, which actually sounds pretty good, you realize it will remain on the front pages and at the front of the National Debate for some time. Seeing some of the reporters in the room today, another sign of the centrality of this issue. We think that 2016 will likely be remembered the year in which Cyber Security really broke through the national consciousness, the coming not just a wonky i. T. Issue where we get reminders about the importance of our Computer Security to something that could actually be a threat to the american way of life. Cyber security, it turns out, is central to almost everything we do. It involves the way we bank, shop, learn, travel, and increasingly it will involve and relate to how we drive, how we heat our homes, and how we vote. Protecting Digital Security is no longer just a matter of preserving family photos that we have digitized, but it is really central to the National Debate and so many critical issues. As we have seen over the last few years, how much government and business has struggled to keep up with the attacks and new defenses and new attacks and new defenses. We thought it was an honestly important, and this is a great personal interest of walter isaacson, who is very sorry he could not be here today, that it is essential to add this as a proponent of the institute. Our goal with the program is to recognize that while the world is obviously in a much better place with the rapid advance of Tech Knowledge he, that we need stronger and Faster Solutions to keep pace with the everchanging landscape of digital threats. Aheadrogram in the months will offer educational resources, as well, as always with aspen, a nonpartisan and Interdisciplinary Forum to discuss challenges and officer policy solutions. Chairing this program will be todays moderator. Sure isat i am familiar to everyone in distribute we could not be more pleased to attract john carlin to attract him. He recently stepped down as assistant attorney general for National Security. In that position, the top legal officer in the Justice Department for all aspects of National Security. He was responsible for more than lawyers dealing with issues across the National Security landskate. We have been listening and reading about it over the last six months in earlier of whether the indictment of five Chinese Military officials, whether it was iranian hacking involving a power plant, and most recently dnc andian hacks of the also sony and many other things as well. John is going to be chair of this program. Is going to be directing that program with john being primarily at his offer. There are friends of the institute that i want to make clear. This program will overlap with our existing programs and i think it will strengthen all of them. For example, the Homeland Security program. It is central to that effort. And, our Communications Society program will continue to look at digital issues. Charlie firestone heads that program. The aston Strategy Program headed by nick burns will continue to have this critical element of the agenda. We are thrilled to welcome to the Aspen Institute john carlin. [applause] john thank you, elliott. Lets jump in with a quick introduction of our distinguished guest. We have with us lisa monaco, the president s chief adviser on Homeland Security matters, everything ranging from terrorism to Cyber Security to pandemics to hurricanes. It is the true disaster portfolio and we are glad she has time to appear with us today and hope she gets a welldeserved break her background has been a longtime from the district of columbia, where we first met. She has done everything from street crime to federal crime, a member of the Enron Task Force and a chief of staff fbi director bob mueller, the top official in the department of justices leadership and assistant to the attorney general for National Security, and finally to her most recent post ms. Monaco sound familiar . Mr. Carlin i left out the part in my career of having all disasters. Please join me in welcoming lisa today. [applause] ms. Monaco thank you. Mr. Carlin lets jump right in. The president elect team issuing a statement yesterday that said communicationsn and Technology Moving with unparalleled speed, that the necessary defenses against that threat have lagged. The is why the input from private sector makes the united six more secure. They made that in the context that Rudy Giuliani will be leading a team advising the president. I think you be the First Administration official to comment on that statement. Let me know your thoughts. Mr. Carlin ms. Monaco that description of the problem you read, i completely agree. In fact, it overlaps. I was hearing echoes of it in the description of the program you are about to share. I think the recognition of the continue this needs to to be the top priority for the next administration is something i welcome. The evolution of the threat across threat actors, across threat vectors, across tactics and procedures has expanded so exponentially that, and the defenses have lagged behind. We have made tremendous progress with this administration and to set up a framework, there is absolutely more to do and i welcome the statement from the Transition Team that they are going to give this issue the attention that it deserves. Early back when doing the transition from the prior administration, Bush Administration to the obama administration, at that point in drive toe had been a create a comprehensive cyber initiative. Are there any Lessons Learned from the attempts to adopt that initiative to the new administration that you could pass on to the next administration to make sure they keep focus on this issue . Ms. Monaco there are a few things. The need for one, prioritization which we just talked about. When president Obama Took Office in 2009, he was the first president to a knowledge that Cyber Security and the cyber threat is one of the greatest National Security and Economic Security threats that we face. I hope the new team keeps that frame as well. We are treating these two things as integrated and i think that is extremely important. The prioritization and putting the resources and attention to it. And doing so across the cabinet. One of the legacies i think of this administration will be that , theery cabinet engagement president will have on a quarterly basis his cabinetlevel, the secretaries of each cabinetlevel department. Cyber security was at the top of the agenda. It was precisely so that secretary, that administrator did not think of Cyber Security as just the i. T. s guy problem. He or she recognized the enterprise risk that Cyber Security poses to that cabinet, just like it poses to the ceo of every company in this nation. Prioritization and recognizing csuite level of attention needs to be driven down through the organization. Beenarlin they have spending a long time try to get the csuite to think about this issue and make sure is an area where people who are not cyber experts in charge of it and say they are the ones that know what the value is. One of you share with us a little bit, because i remember a story. There were a few meetings that were meant to be convened at a principal or secretary, cabinet secretary level and there was a little bit of difficulty in getting cabinet secretaries to show up instead of sending their chief cyber expert. Can you tell us a little bit about that story, how you were able to corral them, and what the lesson could be for the private sector . Ms. Monaco you are right. Often times we would try to bring departments and agencies together to address other Cyber Security issues and the reluctance of those at the senior level to really grapple with this issue was quite evident. Mcdonough and i convened the cabinet to say this is top priority. It had better be your top priority for you were going to see your agency, your department be a tremendous risk. That was borne out in what we saw in opm. Mr. Carlin i hope this isnt a state secret, which i dont think it is, but that email was rather sternly phrased and essentially ordered people to come. They said Cyber Security is your responsibility. It is one of the only times i can remember that in a meeting. I want to talk a little bit about having such a diverse portfolio. Ive heard you think before. He wrote an interesting book. ,he health care pandemic terrorism threat, and Cyber Security and cyber threat have in common. Mr. Carlin ms. Monaco it is something i have become intimately familiar with in this role. The threat is the borderless nature of this threat. You cannot create or direct an artificial, domestic, and International Device when addressing those. You need a whole of government. You have to apply every tool, every instrument of National Power that we have as a government to address every one of those issues. One of the things i found during transition time and i have been reflecting on what will be useful to my successor, what was useful to me coming into this job, and having now spent 20plus years in government, i have seen a number of transitions from different angles. What i am struck by is this evolution of the threats that we face and those that flow to the very top of the agenda for somebody in my job. When i think back on prior transitions, in the clinton transition from president bush to president clinton, obviously terrorism was front of mind. Bush, bush too obama transition, terrorism and cyber were exceptionally front. I already referenced what president obama did in 2009 to elevate priority for Cyber Security. What i am talking to my successor about is absolutely terrorist threats, absolutely Cyber Security, i just talked about that, but i am also making a point that emerging Infectious Diseases are a threat that i think this new team will face in the way that we, and in the prior administration, encountered both terrorism and cyber threats. I view emerging Infectious Diseases almost as the cyber of this administrations transition, in addition to Cyber Security. Mr. Carlin i think you mentioned. Met the president elect in the bushher, administration. Have you met . Mr. Carlin yes. We have set down a number of times and will do so until january 20. As i said, i will be as helpful as i can be Going Forward. My predecessor in this job, john brennan, has been exceptionally helpful to me as i have tried to carry out these duties. Tom, as you noted, he served as deputy to this position at the end of the Bush Administration. We have had a number of very good conversations and are working through the long list of my very long National Security and Homeland Security to do list. Mr. Carlin there has been some talk in prior administrations, there was two separate councils. The National Security council and Homeland Security council. Obama in ministration, it has been one National Security council with dual leadership, a National Security advisor and homeland advisor. Talking with tom wasser, to you know what the structure will be . Ms. Monaco i dont. I think they are working through that. What i think is critically important and what has been signaled in the naming of tom as the assistant to the president of Homeland Security and counterterrorism, what i think is critically important is that this rule, and something i have benefited from tremendously, this role has to have two things. One, direct and immediate access to the president. I have about 50 paces from my office to the oval office that i use far too often, the president would say, because it is always about some disaster, some issue, some problem when im coming to see him. And in addition to me being with him every morning as part of the National Security and president s daily brief. Direct and immediate access to the president and clear leadership and accountability and resources to drive the policy process on Homeland Security and counterterrorism issues, which is what i have had, and the ability to clearly convene both deputies and principles of the cabinet agencies on those issues. Case in point, i will convene deputies meetings on counterterrorism policies that expand the globe. Literally span the globe. On Homeland Security issues, i convene the cabinet as i did in the afternoon of the Boston Marathon bombing. Three weeks into the job, i might add. I convened the principles on that. Apparently, Homeland Security issue at the time although we did not know what we had at the time. Having direct and immediate access to the president and the accountability and resources to drive across the process. Those are the two ingredients and i hope that they will continue. Proved to be a critical element of what i have been able to do. In other words, these threats that we are talking about, they dont have a divide. You cannot define what is solely an International Event and domestic issue. They cross. Integrating staff reflects that and i think is important in order to get good policy options and recommendations to the president. Mr. Carlin lets talk about some of those crossborder nature, especially of the cyber threat. It has been a hallmark of a change in approach in this ministration, really starting in 2014 with the indictment of the five members of the peoples to try to impose costs are consequences, even on nation state actors, for infiltrating inside the United States. Whenever you do an action that causes pain to an adversary, it is obviously can raise issues in the Foreign Policy wing. There can be tension between the National Security counciltype perspective and the homeland andritytype approach whether it is taking action against china for cyber intrusion, against iranian ofors, there is a host Foreign Policy. More recently, russia. Could you walk it through a little bit . What are the factors that would lead you to take action even though it will cause a reaction from the foreign power, and what was the debate like as you tried to free up the use of these tools . Ms. Monaco the conversation, one, you have to make sure happens. You have to make sure you are bringing those issues into the room. It is usually the situation room. Have all of those. , i guessof the factors what i would say is there are principles that we try to apply. One is that all the tools that we have are going to be on the table. Actionr words, a cyber taken by an adversary does not necessarily have to be met only with a cyber response. There is another tool on the table. Lets look at all the tools we have. Law enforcement tools. Intelligence, military, sanctions, financial tools. Both public and private messaging. A whole host of things. They all need to be on the table. We need to bring those and developing options to get to the president across all of those. Is what are the considerations . There are going to be the foreignpolicy considerations of what will be the reaction what is in the longterm National Interest for the United States with,vis our relationship if it is a nationstate we are talking about, what is the potential for escalation . Right . You want to make sure that we are not going into an escort tory cyclee escala that is not necessarily in our National Interest to we want to make sure the retaliation we could face, just in the cyber realm, we are far more connected and reliant on the internet then, say, i dont know, north korea. Reaction,at actionreaction cycle . All of those things need to go into the mix. Our guideposts have to be one, willing to impose consequences, and i think this administration has shown we are willing and indeed believe there need to be consequences for a full set of malicious cyber activities. We need to deploy all tools and have all on the table in order to enforce those consequences, and we need to make sure that in doing so our guideposts is our National Security interest over the longterm. Mr. Carlin lets talk about the development of some of those tools. I know a frustration for you is when it came to deterring cyber behavior, unlike terrorism, unlike those who proliferate weapons of mass destruction, there was not a full range of deterrent tools on the books already. When we had the sony case, i remember sitting around the situation room table with you and we were lucky in some respects that it was a rogue nation state and we were able to sanction a. The thought that it might not be available if it was someone else led to a new executive order that allowed you to sanction individuals for cyber behavior. Taken to calling it the april fools executive order. There is kathy. Until april 1, 2015, december 29 of this year it had never been used. It is also true that when it was first passed, it was the last session of using against those who would steal economic information or intellectual property and it had not been used for that part. In fact, it required a change in the executive order for some of the sanctions that were used on december 29. So knowing that you were always completely open about your thinking, do you think it should have been used earlier . Ms. Monaco look, i think that [laughter] ms. Monaco it was excellent advice from john negroponte, as usual. I think it is incredibly important to have that tool in the toolbox. It is an executive order. I hope that the new team keeps inin place because as we saw our response, as you noted, to the sony attack, that we had a sanctions tool to use in the counter proliferation realm, but that may not have been the case in respect to other aspects. Very important to have the tool, as you and i discussed at the time. Adding that as an arrow in our quiver is essential. I think there is a lot to be said for having it. The messaging out there. Bringing our International Partners and allies along in recognizing the need for this tool. It wasnt always the case that everyone believes or has unanimity of you of what the stand unanimity of view of what the standard should be. We had the bar prei think that is a good thing the bar pretty high. I think that as a good thing. Having that out there as a signal not just to malicious cyber actors, but other nationstates as where as where we are trying to set the bar, which is important. Also somewhat of a deterrent in the messaging about the threats. You mentioned china. We have made quite clear throughout this ministration our shouldat nationstates not be stealing our intellectual property for their own commercial gain. We have message that right up to the highest levels and every engagement that president obama has had with president xi. That has been a very important part of our discussions with china. The threat of those sanctions, one could argue, is what brought , in to the table when september of 2015, president xi and president obama announced a set of agreements on malicious cyber activity, and frankly advanced the ball on International Cyber work. You have the chinese president standing in the rogue regard signing up to include ip theft. That, i think, is a significant step. Andave seen a reduction diminishment in chinese activity , which is what we were concerned about. What i say is we have to be very clear about our intolerance of that type of malicious activity, that there that weconsequences, are willing to impose them, and that we will continue to make that a point of discussion with every nationstate and other actors who are abusing the cyber realm. Mr. Carlin let me follow on the executive order. You talked about a High Standard for the use of executive order on sanctions. I want to tease that out. There is a legal predicate. What could you do under the law to use the executive order and then there is a policy decision. Weve met the legal threshold. Are we going to use the executive order . As we go into a transition, do you believe there are instances where you could meet the legal predicate on the executive order and it will be up to the new team as a policy matter as to whether or not to use it and if you do, what are the type of factors you think they should consider when making that policy . Ms. Monaco there inevitably will be instances where you can meet the legal threshold and then youll have the policy discussion as we have had as to whether or not to also impose sanctions. I would say the same is true in the terrorism realm, which has been part of our experience. You may be able to meet the legal threshold for indicting a terrorist actor, but then a question about whether or not you also impose a sanction. The types of factors ought to be, is it going to advance our National Interest . Is it going to create a productive area of discussion, whether were talking about a nation state . Is it going to drive a reaction thats counterproductive . Even if we think and theres no such thing as perfect information in this regard. Even if we think it might prompt a reaction, is that worthwhile in order to send a signal not only to the malicious cyber actor whose activity youre trying to address, but to the other malicious cyber actors out there . I think those are the type of debates that the next team will have as we have had and thats important, but if you dont have the tool in the first place to prop that debate, then youre not even going to get it out literally on to the table. Mr. Carlin and let me follow up on that a little bit with i remember theres two different ways to think about it and its not so clear that it will always be one or the other. But what are your views on, there are some who view each deterrent action in cyber when its a nation state, whether its north korea, iran, china, or now russia, will our response affect the behavior of this one country . How will it affect our bilateral relationship . And then there was another school, ill call it more of the Homeland Securitytype way of thinking which would say you need to do it with each actor, even if it may not be effective in this case because youre trying to set a norm or a rule the same way you would in any other violation of criminal law. What are your thoughts on the tensions between those two ways of looking at it . Ms. Monaco i do think that there is a tendency or there can be a tendency to look at everything through the lens of what is going to be the consequence for the bilateral relationship. We shouldnt minimize those discussions. We need to air those and get those out on the table. But when we are talking about setting norms and this is something i think weve advanced the discussion on this both in this country and most importantly, internationally, since we have raised advanced cyber norms in every Multilateral Forum in every nation which we participate. If youre talking about setting norms, then you have to, a, show youre willing to impose consequences because the only incentive here is the potential to isolate bad actors, whether its in the counterproliferation realm or terrorism realm or the cyber realm. So yes, you have to show that there will be that isolation, and thats, then you start creating the discussion in the adversarys capitals. In other words, is it worth us deploying our standard tool set, standard malicious cyber activity toolset or be more worried about what follows from that versus isolation whether its financial or the international domain. So i think it is critical to not have these discussions when were talking about cyber sanctions get swallowed up in solely the bilateral relationship lens. It is an important factor and you have got to get that out on the table but thats why the situation room table has many, many chairs. Mr. Carlin when it comes to theft of trade secrets and intellectual property, you said something earlier about this administration treating Economic Security as a matter of National Security. The statute used to pass the executive order required you to run a process where the president said exactly that, that were facing an economic, a National Security emergency because of economic espionage. The president elect has talked about changing approach towards china and in particular, focused on this set of issues. Talk to me a little bit. If this is a National Security issue, does that mean that the committee on Foreign Investment inside the United States could consider as National Security matter, theft of intellectual property and economic espionage . Ms. Monaco in the context of a particular transaction . Mr. Carlin yes. Now that this president obama has already declared theres an emergency situation, what role should it play when considering whether or not a transaction affects our National Security . Ms. Monaco i think weve got to factor that in because to do otherwise would be to put blinders on as to the evolution and the extremely rapid evolution of technology and what it means for our entire supply chain, which is often the subject of transactions. So we cannot be looking at these types of transactions that may have an impact on our Cyber Security, on communications security. In a realm that doesnt account for the evolution of the threat. That just wouldnt make any sense. The process needs to advance along with the rest of it. Mr. Carlin moving back, same theme to the executive order, does the president elect and his team have a loaded gun . Are there sanctions that where the legal predicate has met which they could start to impose from day one if they made the policy choice . Ms. Monaco i think that there are a number of tools that i would put in that same space and absolutely, the Cyber Security executive order is in some sense a loaded gun and its one that needs to be, i would argue, kept in place, looked at as a critical tool in the arsenal that we have to combat the expanding cyber threat. Mr. Carlin theres been discussion. You talked about using cyber as a deterrent tool against cyber and why in some instances, you would not. What are your thoughts on when you would and when you would do so publicly . Ms. Monaco so thats obviously a complicated question because depending on what the tools are, the adversary is that youre going against, you want to retain the capability of the president. Im a Firm Believer that you dont want to take tools off the president s plate when youre talking either covert or overt action. In a regime where you talk about every cyber action youre taking is that you diminish or take away some of the president s options in using some other tools. Again, i come back to the first principles. Weve got to ensure that we are not selfregulating off the table certain tools. So cyber needs to be amongst them, along with the rest of our instruments of National Power and weve got to be, have our eye on the long game. What is going to be in the longterm National Interest . So Cyber Operations need to continue to be part of the tool set. Frankly, we have to do more and get better at developing those options and developing them quickly and being nimble about it and being able to serve them up to the president to make some decisions. Mr. Carlin im going to ask one more question and then open up to questions from the audience. You talked about needing to be, to continue to get quicker and more nimble. Given that the threat right now outstrips our ability to defend it when it comes to cyber Cyber Security, what are your top three recommendations to the new team . If you view us in a race against time with a threat thats bigger than our ability to defend, what should be focused on the ability to respond . A number of these thickngs were covered in the president s report of the commissioned presented on december 1st and presented last january because the threat is outstripping our defenses and we need to make sure that we are doing everything to position ourselves to get ahead of it, so he commissioned a Bipartisan Group to present recommendations not only to him, but specifically for the new team. So a number of those things are, i would argue, continuing the application of something we have tried hard to do which is taking some of the lessons that we have learned in the counterterrorism space and applying them to how we are fighting the cyber threat. Weve taken a number of those steps, both structurally, legally, putting new tools in place like sanctions and putting in place things like the Cyber IntelligenceIntegration Center and nctc and had not existed where Cyber Threat Intelligence comes together and gets integrated and then gets presented every morning to me, to the president so that we can enable policy makers to know how are we viewing the threat and that informs what choices we make to combat it. So continuing that approach of applying the counterterrorism tools to the cyber threat so that we can ensure we are as nimble and prepared as possible. The other recommendation out of the Commission Report is doing a lot more work with the private sector to switch our orientation to one of secure by design. This is an issue particularly as we confront the internet of things which is expanding for malicious cyber attackers out there and is going to make us more vulnerable. So weve got to change the orientation and this has got to come from the private sector where we are across the supply chain. Hardware, software, you name it. Secure by design rather than this kos tantconstant after the fact approach. These are things that the new team has got to really attack head on, very, very quickly in the new administration. Because while we have made tremendous progress, given the expansion of the threat, we are not where we need to be. I think theyre bringing you a mike again. Thank you both for your exceptional service. Im jane harmon and in addition to heading the wilson center, i coach here an aspen group that advises the Homeland Security on issues and in that connection, we met earlier this week and discussed the vulnerability of Voting Machines and voting systems. There are ace reporters in this room and i think it was underreported that last week, i believe, the Homeland Department or you designated voting systems, not just machines, but databases as Critical Infrastructure and im not sure every state love that because they think its their right to the time and manner of elections and what are the implications of that and so far i know, most or maybe all Voting Machines in this country are older than the earliest version of cell phones that any sane person would use . Well, jane, thank you for your service and thank you very much for that question. Because i think im really glad that you brought that up. Last week, youre right. Jay johnson designated and informed through the outreach hes gone, hes done tremendous outreach on this issue, electrical infrastructure across the country as part of Critical Infrastructure. He did that pursuant to a process thats laid out in the executive order after consultation with me and more importantly and more importantly, after consultation with state and local secretaries of state who themselves administer and organize and manage the voting process. Whats really important about this designation is to understand both what it is, what it does, and what it does not do. What it does not do is put the federal government in any way, shape, or form in any oversight or any directing capacity for the election process. In our democracy, elections are run at the state and local level and this does not change that one bit, anymore than the designation of the electric grid as Critical Infrastructure puts the federal government in any management rule for the electricity infrastructure which is 85 in private hands. So it doesnt change the relationship. What it does do is prioritize the sharing of certain and critical information from the federal government, from intelligence that we integrate and pushing that out to Critical Infrastructure across the board whether its water, power, now the election infrastructure. It also puts election infrastructure in that same category that we talk about in the International Cyber norms. Pretty important norm to make sure that everybody is on board with and i would argue what weve seen over the last several months that we want to be clear that our electoral process. Hopefully on a bipartisan basis any foreign intervention into. What this does and doesnt do is important and i hope its something that will improve our ability and state and local governments in preparation for this years election to raise their collective cyber defenses as we all need to do. Something in janes question was the age and the the ability of ukraine to recover from the attack on their electric grid and the ability to respond quickly in part because it was 30yearold technology they still knew how to work with their hands or the attack on the bowman by the iraq because it was down for maintenance at the time. All the way when it comes to information that the president elect saying hi doesnt use email. Some of the best mitigation is not connecting to the internet or not modernizing . Its an interesting twist on Cyber Security, but sure. Thats true. One of the things i firmly believe and a number of us talked about in the leadup to the election, makes our voting infrastructure so resilient and inlslated from the Voting Machines themselves are not by and large hooked up to the grid. However, voting databases or obviously a critical element of making sure that our democratic process is run with integrity and the process happens and everyone is able to have their voices heard in the election. And not encrypted as we found with state and local officials. So in one sense, the incredible and the Voting Machines themselves and the voting process is an insulation against and a guard against and the voting process to understand what must be the kbrakt. Electronic privacy information center. Thank you lisa and john for your willingness to meet with privacy groups and Technology Experts over the last few years. We think this is a very important dialogue and in fact, during the past year, we launched launched a growing Public Policy issue and much of the debate as you know is largely between government and the private sector. And the data thats oftentimes at issue is actually the data of american consumers, american voters, american citizens, federal employees and my question to you is how do we ensure Going Forward with the new administration that as they think about Cyber Security, it is not solely a dialogue between government and private sector but represents the interests of the people and independent Technology Experts . I think that one of the ways is to, as i said in the beginning, prioritizing as an Economic Security matter and consumer Cyber Security. Not solely looking at it from the standpoint of what are the state secrets that we need to protect but what about your credit card data, et cetera. And a number of things and Consumer Privacy and it was entirely about Consumer Privacy and not solely as a traditional National Security matter but putting it across the board as a priority for Economic Security, i think, is a pretty important signal o send and then groups like yours continuing to push the government to have this discussion is going to be critically important Going Forward. David sanger, i know you had a question. Ill put in a plug on the new Aspen Institute because its designed for exactly that, to provide a space. And Civil Liberties for a constructive dialogue and. Two points of the conversation and go further on it. You talked about the need for a nimble response. And yet, i think when you look at whats been written so far, in the times elsewhere about the russia hack, nimble would not necessarily be the first word that would come to mind. The fbi first got on to this in the fall of 2015 and youve read the stories about how long it took the dnc to respond, how long it took the fbi to escalate the issue and so forth. So im wondering if you could sort of give us, and im sure after a number of months of detox, from this job, youll probably have more thoughts on this but give us a sense of what you think went wrong in the response part there. Why the timeline was so great and whether or not there are things in retrospect you think you had done earlier and the norm setting you describe. You described it on the defense side, but an administration has always had a hard time discussing cyber offense and the norm setting that comes out of that and in the United States, people say the United States has engaged in, so im wondering whether or not you think that needed a more public dialogue. Two questions. I think what we experience with cyber is not unlike the evolution weve had on the Counter Terrorism realm. Weve developed a whole set of tools that we have, over time, been more transparent about in the counterterrorism realm and obviously, this president , president obama has been very clear about the importance of, a, having a legal policy framework laid down and that is one that enables a repeatable process we can discuss with allies and partners and use to great effect with counterterrorism, against terrorism letthreats and we have also, hes made very clear of being increasingly transparent about that. Why do i dwell on the counterterrorism analogy here . Because the same tension exists in the sense of, it is important to be transparent for the legitimacy of our actions in the counterterrorism realm. As i would argue, in the cyber realm. But in the same, with respect to both challenges, we face the balance that we have to strike between being transparent about our actions and enabling our adversaries to counter those actions. So i think were going to continue to confront that tension. I think its important to continue to press, as i know youll do, david, for my successors and others. But were developing a framework. Were developing a tool set. Were developing kind of a set of repeatable processes in the cyber realm that i think is very important and so im going to link to the first part of your question on nimbleness. Just as weve done in the counterterrorism realm, weve gotten more better and nimble in our operations whether theyre kinetic or Law Enforcement, look, there was a day in the not too distant past when the notion of integrating our intelligence operations into our Law Enforcement actions was unheard of or certainly a lot more creeky process, if you will. A lot more difficult of a process than it is today. And thats because we have set up the structures, put people sitting side by side and pushed to integrate the operations and to bring those options forward for policy makers. So weve got to do the same thing in the cyber realm. Weve got to push to have repeatable processes, a framework i would argue we applied in the cyber realm. We applied that same framework in the case of a russian hacking that we did in respect to china, iran, and north korea which is to say and tell us what it is that we can say about that malicious cyber activity that is going to be in our National Interest. In other words, it is not, by saying so, by calling out this activity and by documenting it and proving the case, so to speak, we are not going to hinder our ability through the disclosure of sources to use the same tools in the future and then call out that activity, as we did with respect to iran and the bowman case and with respect to russia, china, and north korea and make clear youre going to impose consequences. Will there always be discussions and critiques on whether we should have acted sooner or done other things in addition to the costs that we impose . Absolutely, there will be. And thats good. We ought to continue to have that dialogue and we have to make sure we continue to try and strike the balance of imposing costs and doing so in a way that is going to be in our longterm National Security interests. We have a whole row. Michael stewart, ellen, and then go back to, yeah. Thank you, mike kov with yahoo news. On the question john was asking you about, i want to ask you specific questions about the december 29th sanctions, which some have said was not sufficiently robust given the provocation. You sanctioned the sfb and gbu as entities and you sanctioned, i think, four top gru officials. None of whom actually come to the United States and none have assets. And long time associated. And some in 2015. Can you give us some insight into why you would, if you really wanted to send a message to putin, you would not put on the list and also the thinking about having invited him to the summit in 2015 and in retrospect, did you send the wrong signal . So you and the rest of the reporters in the room, not going to talk about what sanctions made and what might be made in the future. Theres always a tension though and its been prevalent in the entire discussion of imposing sanctions and in particular, when were talking about nation states and also keeping open, doing so in a way that keeps open enough dialogue with the country or those actors that is going to be in our National Interest. So we need to continue to have dialogue with a whole host of nation states that we have many issues with when it comes to counterterrorism cooperation, right . Our intelligence agencies need to share critical information about threats against us, us sharing information about threats against them because thats in our National Security interest, so how do we ensure that were able to do that and not act against our National Security interest. Humor in the face of criticism. But the using the kind of exploits now possible is increasing creativity. The russians and the chinese were probably in our campaign infrastructures in 2008 and 2012 and wasnt until 2016 they got the candidates but im struck in the last three months, we have seen numerous reports about really serious Cyber Security failings involving cardiac implants and that raises the possibility that the next hack doesnt put peoples risotto recipes at risk but their jobs and lives. My question for you is what would you suggest the next administration do to think about this threat . Its the issue that i mentioned earlier. This is where the threat is going. I would argue this is where the threat is now. And so recognizing that, first and foremost, applying the prioritization and focus with that as i argue we have done and continuing that is going to be absolutely and maybe this is inherently the intention but putting protections and building in to the technology and going to be a challenge across the commercial sector, across our innovation landscape in the United States to ensure that our companies are both protected and continue to be competitive. Thats a tension thats going to continue into the future. Time for two more questions. Thank you for trying to normalize cyber as part of the National Security debate and to bring it to the larger public. Lisa, thank you for speaking at the washington post, for instance, to help our audience understand this. So youve kind of expressed how you arent going to really say whether or not you think you could have acted sooner and in perhaps punishing russia for its actions, but theres also the debate now ongoing about whether your actions were, in fact, aggressive or Strong Enough. Some critics say that, in fact, they were pebbles and want to throw rocks. Your actions could be stronger. Can you talk a little bit more about how and why you didnt take anything sarongtronger and do you think it might have adverse effects or maybe a stronger reaction might have the theeffect you want and the Larger Global Community about norms or changing russias behavior . Let me return to this question about, should we have acted sooner or been stronger. I would question the premise of both. But i would also acknowledge that this is an absolutely important discussion to have. I understand that criticism. I think its healthy and important to engage in. Why . Because these are areas that are going to continue to require us to balance. On the question of sooner, we acted, took a number of steps over the summer, well before the october 7th statement, before the december 29th sanctions, including in messaging to putin and other levels of government about this activity. We took a number of steps and prioritized, quite frankly, providing assistance to the 50 states who are going to be engaging in the election rossprocess because our top priority was ensuring the integrity of the election. We pushed out a level of assistance that i think was unprecedented by the department of Homeland Security to 48 of the 50 states who agreed to take us up on our offer of assistance. I think that in and of itself set an important baseline about how to go about providing assistance to structural holders and the unprecedented with the Homeland Security with intrusion into the election system. And then the discussion of the sanctions and other steps that we took to impose consequences and costs against russia on december 29th. There will be, i think, legitimate questions about speed and about how to strike the balance of imposing consequences against our adversaries from malicious cyber activity. We need to continue to have those discussions but the guide posts, i would argue, theedneed to be sure and we will impose konls kwens consequences and debate whether theyre Strong Enough or soon enough but have to continue to impose consequences against these actors and then getting into a discussion and continuing to have the debate about what consequences are going to strike the balance between our longterm National Security interests. Thats going to be a debate thats going to have to continue but we first have to be very clear, this activity will not stand and it will not go unresponded to and there will not be a tree pass for ma, free pass for malicious cyber activity. Last question. Last question. Eric gal. Im with the Emergency Services critical sector. Do you see stem as with visa holders for computing sectors. I think there needs to be, i think this administration has shown a lot more work in the stem area. A lot more, a much greater pipeline for those skills. What i would also say, and ill return and give one more plug for both this group and for the new team to look at the report of the president s commission on Cyber Security and that is the need for greater resources and focus on developing a Cyber Security workforce. Certainly in the federal government but across the board. That is another priority area. You asked me on the leethree things i would talk to the new team but this would be putting resources toward that and a development pipeline. Its something that we made a budget request for that often went unanswered but thats got to be a big point of focus for the next team. Please join me in thanking the team that put this together. [a