Transcripts For CSPAN2 Key Capitol Hill Hearings 20140708



declared the winner of the primary runoff election by 6700 votes after finishing second in the first primary driven to his victory by courting support from african-american democratic voters. the house veterans affairs committee is holding a series of hearings looking at medical care problems at the va and tomorrow the committee will look at how they handled whistle blower complaints. that is live at 7:30 eastern. we invite you to join the conversation about the va on facebook and twitter. from roll call, john boehner is moving to a late july vote to authorize the lawsuit against president obama as he tries to check executive power and stoke the republican base. committee staffers are discussing several executive actions boehner could target and whittle the list down to the fewest number of actions that will give the suit the best chance of being heard. again that news item from roll call today. now you can keep in touch with current events from the nation's capital with c-span radio. 202-266-8888 to hear the congressional coverage, public affairs forums and the washington journal. and you can hear audio of the five network sunday public affairs programs beginning sunday at noon eastern. call 202-626-8888. now with discussion on nsa surveillance, cyber security, and internet freedom we will hear from bruce who is the author and technologist. this event is hosted by the new america foundation. >> hi, and welcome to new america. we are dedicated to forming values in a time of change. i am the director of the tech policy and development wing of new america. we are focused on building a stronger and more open internet for a stronger and more open society. i want to thank you for all coming here and braving the heat or tuning in via the web cast or c-span for national insecurity agency and how the nsa surveillance programs undermine internet security. 
since the first snowden leaks all of the controversy over the nsa has been focused on the phone records under section 215 and monitoring the internet under section 702 and focused on the debate of how to reform those statutes. but the nsa is also engaged in what we feel is threatening the internet. inserting back doors into products, stockpiling vulnerabilities in software we use rather than making sure the clauses get fixed, building a network of spyware inserted in computers by impersonating google and facebook and hacking into google's database as well. the house last month did vote to approve two bills that would defund the nsa's encryption and installing backdoors into the communication technology we rely on. they were backed by a broad bipartisan coalition. today after a brief prerecorded introduction from both of those lawmakers who are today flying back from their fourth of july celebrations we will focus on these issues which have been ignored mostly until today even though they were recommendations from the president's own review group in december. this discussion is focused on the cost of the nsa programs is a follow-up to the panel discussion earlier in the spring about the economic and foreign policy cost of the program overall and previews surveillance cost and the nsa's impact on the economy, information, security and internet freedom. with that, cue the representatives, please. >> i am congresswoman zoe lofgren and thank you for inviting me today. i regret i cannot be there with you. but on june 19th the house took a big step on shutting the backdoor on unwarranted government surveillance. 293-123 the house agreed to an amendment that prohibited the government from serving communication and data without a warrant and requiring device manufacturers create backdoors for surveillance purposes. 
as many of you know and are discussing today when an individual or organization builds a backdoor to assist with security they place the data of everyone at risk. if a backdoor is created for law enforcement purposes it is only a matter of time before a hacker exploits it. we have seen it happen on more than one occasion. in may of 2014 it was reported a major security flaw was found in software that allowed a hacker to listen to any call recorded by the system. luckily the amendment passed by the house will make a difference but our work is not done. this amendment in june was the first time that congress had the opportunity to debate and vote on the distinct issues of the fourth amendment and the nsa. we need to keep pushing and send it to follow suit. when the house of representatives had the opportunity to finally vote on it the result was overwhelming. the house stood up for the american people and the constitution and that is something we can all celebrate. we set a strong signal that if the government wants to collect information on u.s. citizens get a warrant. thank you for your hard work on this issue and i look forward to working with each of you to keep pushing for a safer, more secure internet. >> all right. thank you congresswoman lofgren. and next up is alan grayson. >> thank you for inviting me to share this panel on the nsa and thank you for all of the good work you do to protect privacy and security in america and throughout the world. listen to me, if the chinese government had proposed to put in a backdoor into our computers and then paid a company $10 million to make that the standard we would be furious, angry, we would do something about it. but what about if it is our own government that does that? that is exactly what the nsa has become. the best hacker in the entire world. when they put in a weakness in the architecture of the software everyone uses they are making it a weakness for their benefit and that is a crying shame. 
we are entitled to privacy and many of our economic activities can't be done unless they are done with security and safety. and the protection that the nsa is report to provide to america is being undermined by the nsa itself. that has to end. that is why i am happy many of you joined me in passing two amendments that represented the first limits on the nsa's ability to put themselves into our software for improper purposes. one was the science and technology committee amendment saying we are no longer a short ordered cook for the nsa and the other was an amendment on the floor of the house that passed among democrats and republicans for the same purpose. these are the first steps of taking back our own security and freedom and privacy. this is one of the greatest endeavors of modern life to preserve it against the encroachments of big brother. i am congressman alan grayson and thank you. >> thank you for both representatives taking the time to tape that and start a too much delayed conversation about the nsa and i would like to invite the panelists to come on up. if you are wondering what representative grayson was talking about $10 million being paid to undermine security we will talk about it. >> joining me on the stage is joe hall who is the chief technologist, and danielle kill, david leber, privacy counsel at google and we have the original reporting based on the snowden documents about the nsa's impact with security while working with the guardian. and then we will have amy on the end here. we will break up the conversation to talk about four sets of things the nsa has been up to along the lines of our upcoming paper and the handouts among those in the room. the crypt stands, the backdoor service, and the stockpiling of software and the range of offenses and tactics the nsa is using taking advantage of those tools. 
after spending an hour on those issues we will spend time batting cleanup and talk about issues or policies we missed and turn it over to you guys for questions. so, starting with the issue of undermining encryption tools and standards. there has been reporting talking about weakening the tools that we and businesses use online to keep your communication secure. representative grayson made reference to that and the president's review group in provision 29 talking about the importance of the encryption for the safety online and health of economy. i will start with amy to explain, i think, what the heck happened? what did the nsa do? who or what is missed and why does what they do matter? >> sure. so the nsa, many people don't know, have two different missions. the first is signals intelligence and this is the mission most are aware of and the mission which they conduct the operations you have been hearing about for the last year. however the second lesser known mission is information assurance and they are supposed to make sure your communication stays secure. it is under this mission that the nsa communicates with the national institute of standards and technologies. nist for those in washington, d.c. who love acronyms set standards across the board. they set encryption standards for one thing. and under a law called the computer security act they coordinate with the nsa. however the computer security act which was actually very well drafted and made after a lot of collaboration between security expert and the forming days of the internet was preempted by a law passed in 2002 and that being a key date in laws because it was post-2011. the federal security management act came along and had language that wasn't as fine tuned as the security act and allows the nsa to come in and to undermine the encryption standards in a way they were not able to under the previous language. under this law, they are required to consult with the nsa on all encryption standards. 
the amendment that representative grayson alluded to was primarily an act that funds science and technology research. hasn't made it to the senate yet. but in the bill an amendment was added on saying nist is no longer required to consult. they are still able to. the nsa has a lot of smart people and they are no longer required to review this. later on as part of the defense appropriations act, a second amendment actually is supposed to prevent any funding from being used by the nsa to undermine encryption standards. so nist will not be required to act but when they do the nsa can't act to make us more secure. >> perhaps you can talk about why these lawmakers are trying to reduce their responsibilities? >> it is actually surprisingly complicated. nsa does a lot of undermining of fundamental technology. mathematics, intercepting cisco items and installing chips. we are looking at as products are being built and encryption standards, implementation, software, and all of these we have examples of the nsa going in and deliberately weakening security of things that we use so they can eavesdrop on potential targets. we have one example of a mathematical random number generator that was a nist standard and modified by the nsa to put in a backdoor. this is a risky place to do it. it is likely to be discovered. it was discovered in 2006. we didn't know who did it. we had suspicious thoughts but it wasn't until the snowden documents came out. more likely you will see them in places you can not see. you might imagine an operating system on your computer and phone and there is an encryption product that somehow modified and not as good as we think it is. it will be harder to find. harder to pin on who did it. we will find these sorts of bugs and they look like mistakes -- they could be mistakes or enemy action by the u.s. or somebody else. we don't know which programmer did what. 
this very active undermining not only undermines our security but undermines our trust in the things we use to achieve security. it is very toxic. >> it would seem the undermining of the standards undermine the trust where we achieve these standards. we are talking about the random number generator code that is a part of many products used widely across the internet boy suvileians by like -- by -- can someone talk about the role of the $10 million that representative grayson mentioned. >> this gets complicated as well but bear with us. >> the subtitle of the panel is it is complicated. >> the flaw in a random number generator -- they are important in encryption and encryption is complicated math and to make it unreadable you have to be able to generate big numbers no one else can generate. if you have a flaw in your random number generator someone might be able to predict the key and without much work decide this is the shape of the key to your house and go in and break it into your home. it was hard to tell what the extent of this could be at first. we knew it was used in a lot of popular products and incorporated in a piece of software that other products in mass used. and one of the unfortunate things we found out -- and i am glad we know this, but it is scary, i am better for having known it now. we learned there was a contract signed between the company that makes this popular piece of software -- rsa -- and the nsa paid them $10 million to make it the default choice. you can say the nsa was tired of configuring these but it is the default line across the whole line so anything would use this flawed number generator. now, i think, very few products out there on the wild, the ones you can measure by testing web surfers and things, use other sources of random number generators. 
from the point we learned about it until now -- if you don't know encryption you learn the people that do this are paranoid and many are moved in pass to change the technology they use away from ones that have this flaw in them to ones we at least don't believe have flaws in them and stood the test of time against a lot of people banging away at them. >> i want to turn to david from google and talk about what you think this activity by the nsa means from a company or user perspective and what you think it means about the government's perspective on the use of encryption. >> i think what is surprising is the extent of the efforts to undermine encryption and maybe the fact the efforts were undertaken are less surprising given the mission. it is important to take a step back from a broader context and understand what the government's current view and intelligence committee view is about users use of encryption. they minimize procedures under section 702 and what those procedures say is not withstanding a requirement to destroy wholly domestic communication that encrypted communication whether used by u.s. or non u.s. can be obtained and it shows that is use of encryption is flewed. that is not a positive movement for users or companies. it has the potential to bleed over into encryption and other security tools and i don't know if users tell the difference between encryption and other security tools. so ending encryption and tools might be difficult to use and hard for ordinary users there are other things companies do like dedications that are relatively easy to use and implement. if the perception is all of these tools are going to be undermined or exploy as a result of future security cyber incidences there is the potential for greater harm if users paid attention to the issues and were more cautious about how they interact with products and services. 
>> so moving forward what are the policy options and prescriptions we have seen in dealing with the nsa encrypting standards. danielle and amy? >> i can talk about this. maintaining this statutory requirement and the nsa being able to take advantage of is very dangerous because the standards are used by developers and commercial products. it isn't just where they take a particular product and try to insert a backdoor into it. but it is the standards used in a variety of things and also a reputation as a standard setter which is something the united states has been a leader in for many years. i guess probably since the beginning of the internet. so part is making sure there is a requirement so they don't take advantage of this. nist needs to rebuild their credibility and they have done that and started reviewing their own policies and guidelines and came they didn't know what was happening in 2006 when this was issued but they are looking through things because they are facing a trust deficit and need to rebuild that so the united states can be a leader in standards and developers and ordinary users will trust what they say. >> bruce had something to say. >> the fundamental issue here and we will see it again and again is broad versus target. the issues isn't the nsa is spying on whoever the bad guy is they want to spy on. the issue is they are deliberately weakening the security of everybody else in the world in order to make that spying easier. so when we look at the solutions, the solutions are also going to be on the order of force the targeted and not do the broad attack. the broad attack is what hurts everybody. as i think representative said once you build a weakened anything you cannot guarantee you are the only person taking advantage of it. once you do any broad surveillance or tact you suddenly start using control over what you are doing. it isn't the targets it the fact it is happening broadly. 
>> bruce, you mentioned you actually wrote about and i think we handed out at the front desk a piece about a policy solution to this issue where you had the break up the nsa, can you talk about what you mean? >> the nsa has two missions that are jammed into one agency. there is the attack them and the defend us. and those were pretty complementary issues through the cold war because you would the expertise to do both but their stuff was different. tapping an undersea cable had no effect on u.s. communications and you could keep two missions under one roof because they were separate from what they did. with the internet, everyone uses the same stuff. you cannot hack the soviet without affecting all of us. the missions slide now. and that is where the problem is. so when i view it as to how to go forward, i think we need a more formal breaking of the security mission. the information commission which protects communication and the united states of the world protects standards and makes us safer from all of the attackers out there from the targeted mission of going after the bad guys. the mission is now too complicated because it has two components as well. during the cold war it was simple. we would spy on enemy governor communication. agents of a foreign power we would eavesdrop on them. that changed after september 11th and now the surveillance is on everybody. everybody in the country. we get all of the telephone calls going in and out of bermuda. not just government ones. every agent. we get the phone calls metadata of every american. these broad surveillance measures, government on populations surveillance, i think are much more a law enforcement mechanisms. that government on government is a military issue. government on population surveillance is more of a law enforcement mission. and that is what i want to align the regulations with. 
>> moving on as a transition to your next discussion about backdoors into products and services instead of encryption. i was hoping joe could take us on a brief history lesson. it seems we had this debate in the '90s. the government wanted to have a clipper chip in devices so the government could have access to the data encrypted and that didn't happen. could you talk about that? it seems like we won the wars and the nsa kept fighting them. >> for the longest time it used to be the purview of the u.s. military under the nsa. so one of the crazy things that happened in our history is people started to learn about it and there were independent discoveries of fundamental method that were discovered by a decade before of people working in the military and now you had academics discovering that we will have a computerized network future and might want privacy and security associated with that. so we need to have these kinds of methods outside of pure military control and in the hands of civilians. so there was a tension going on of what the administration at the time proposed with something called the clipper chip which is especially a chip that had a key and it was escrowed with the government. it cause charted and cut into two pieces and two parts of the u.s. government would have them. if you were doing something bad, or they suspected you were, they would get probable cause and get a warrant if they had evidence, and be able to listen in on your encrypted communication which would sound like white noise and they would go with this law order and get the key and because they then had the escrow key they could get access to this. 
i believe key was on the group of experts, one is up here, wrote this compelling paper saying here are the problems with keeping copies of keys around when you think the government can only get access and the electronic commission built a crack key with the idea that through existence proof we were able to argue this isn't a good idea and there are ways to get access to this. and there is a book that talks about advocates of the mass and people that thought this was going to make the world a horrible place because bad guys will be able to hide stuff from the u.s. government who has the duty to oversee the entire world. now what it turns out is we won the crypto wars on the escrow front but on the export front. the u.s. government wouldn't let you export very, very strong encryption technologies for many years. after a bunch of coders and deep thinkers put a bunch of very secure crypto code on news groups and if you don't know what a news group is you may have to look it up because it may be beyond your time, and put it on news groups that people around the world could get access to and when that happened there was no vision it would stay between the u.s. borders so that war stopped because one side stopped fighting and we were happy to move on to other battles. they decided to say we will fight it in a way they don't know it. we will intercept routers on the way to customers and put them in there so we are not messing with the mass you are messing with component and they have been doing massive amounts of things they don't describe at the level of details i would want to read. bruce has seen others and who knows. >> well, i mean it seems that in the arguments, when it comes to arguments against the clipper chip and for allowing export of strong crypto, there was a trust argument that if we are going to be transitions to these networks and want to have confidence in our transaction and grow the economy we need to to be secure. 
that is the same argument that many have been making in response to what we are learning about the nsa's exertion backdoors in a variety of services and i was hoping danielle can introduce us to what we have been learning about those backdoors. >> and joe described the public attempt to insert it into and have the key to the private efforts. so they said let's figure out a way to develop relationships and product design to convince them to let the nsa get access and the idea was only the nsa would have access. what we learned in the past year is the nsa spends $250 million a year on a program called signal enabling and it is one of multiple programs that have been revealed, but they look to leverage these relationships with companies and develop relationships and i think the words are to shape the global technology market place and facilitate the collection. the idea they can convince the companies to make it easier for them to get access to their products. this is inserting backdoors into commercial it systems and into encryption and you know end user devices and 4-g technology. the goals of this product are wide ranging and getting access in as many different ways as possible. this is a private and sensitive way to get the companies on their side. we know they are doing that and one of the other things is it isn't with the knowledge of the company they are inserting backdoors. joe mentioned intercepting foreign bound network routers. we learned they are intercepting cisco routers and this is the tip of the iceberg that they need commercial products but these are the products we all use every day for our communications and various different activities online. they want to insert a backdoor only they know about so they can insert malware or whatever they want. >> there has been discussion in the past few years of expanding search for online products. can you talk about that debate and the arguments you and others had against that proposal? 
in other words why are backdoors bad? >> up until june 5th of last year, with the first snowden leak was made public, the fbi was pushing strongly internally for the obama administration for this argument they made and they are going dark. the fbi is going dark. back in the day they had to get a warrant and use telephonic wire tapping. it used to be as easy as attaching a couple alligator clips and listening in. it got more complicated over the years. they passed a wire tap law that said any provider of services of telephone services must have a way to wiretap people and you must be able to respond to request to wiretap this stuff. the fbi is saying people are not using phones. they are using whatsapp. over about two years the fbi was arguing we need a fix and some way to make these things easier bright so they could get access to this stuff. and what surfaced was a proposal to wiretap all software and we never -- no one saw the proposal except a couple reporters that said the fbi could come to you as a maker of software with something called a wire tap assistance order and they would say we need to get access to this stuff, please do it. and if you would say the product isn't designed to do this it will take a while. and they would say make sure in the future with a knob you can turn on the capability of this. so it was putting you on notice you need to build a backdoor on the product. this got leaked to the press and leaked in a way where you get served with the order that you need to wiretap your users and if you don't you will get $10,000 a day and it will double every day. if you do basic math it gets to like all of the money in the world in three weeks. it is ridiculous. a group of experts were organized and wrote this paper called the risk of wire tapping end points and they made a compelling argument and i will shut up in a second. 
but the first was this is a bad idea and putting backdoors in products is undermining the structure of the universe if you think about it. everything you do online involves communication and if you want to know it hasn't changed you will use products that use encryption but it will not work because there are backdoors that no one with prove and it can be used by good guys but the random generator may give a run for its money, although. the most compelling argument is it will not work. think of the firefox browser or chrome, the source code is available, you can get it and build it yourself. if they put a backdoor on it it is easy to cut that code up and turn it into a piece of executable software without the backdoor. moreover, if you cannot do that in the u.s. all of the security programs will go to other countries and we will miss out on that. you cannot erect a treaty saying everyone needs to wire tap communications at all time. >> i am reminded of an example in the telecom context where in the mid-2000's like the u.s., greece had systems for intercepting phones system and they discovered some unknown adversary rumored to be the cia had been using the systems there to spy on the greek government including their prime minister and president. so a good object lesson in how the backdoors can backfire. other thoughts on the security implications on the backdoor? >> bruce has written an essay on everything we have talked about and they are great. >> should we compromise the security of everybody in order to access the data of the few. in order to believe that is a good idea you have to believe that one, only you, can use that compromised path. the greek example was an example where that wasn't the case. there are lots of examples where this global compromise is used by other people than you expect to weaken security. and you also have to believe, and this is a good idea, that the value of this path to the view outweighs the security of the many. 
and you have to believe that. i think that security, in our communications and data, and information and the security is one way we protect ourselves. and the fbi and cia are saying our mission trumps that. your security matters less. so this is how the nsa harms security. they harm security because they believe their need for access to the few trumps the need for security for everybody. that story from greece was a u.s. product and the greece didn't want the feature. the feature of the lawful access wasn't wanted. it came with the product. wasn't turned on. someone snuck it in and turned it on. here is the government having their government communications breached because of a backdoor they didn't want. that is what we have to worry about. we put in a backdoor, three years from now criminals are using it. i don't think this is a difficult trade off to make. the problem is the nsa isn't equipped to make it. this is why i like seeing the bills being proposed that have congress making these decisions because we have a chance of them recognizing that the security trumps surveillance. >> so we do have the president's review group and recommendation 29, i am nerd enough to have favorite recommendations and 29 and 30 are them. making it clear that a vendor or product doesn't have to change a product to undermine successfuls surveillance. and they said that nsa can't mandate or request that a product or service provider weaken their product. and that was supported by google amongst a number of other civil groups including my own. i was wondering if you would talk about why google supported that and backdoors in general. >> that amendment was addressed to backdoors. one with requiring companies to build vulnerabilities into the products and the second was the backdoor search loop hole that was overlooked by the u.s. freedom act that was introduced. and section 752 prohibits the communication department from targeting people in the united states. 
what it doesn't speak is to what happens when the communication of u.s. people are collected on accident and we learned more about how extensive that collection is yesterday. it reinforces the importance of the amendment because under the current law they can turn a blind eye to the fact there is a lot cache that is being collected and being searched without the protection the fourth amendment would normally afford. and google has been saying there should be an iron clad for content requirement. that is something the supreme court hinted to in the riley opinion a couple weeks ago. >> that is the searching of cellphones. >> that is right. and you know, so we thought it was important and this was a welcome and unexpected opportunity to weigh in and support of the backdoor search loop hole xoept components and prohibit the use of funds to require companies to build these sorts of backdoors. maybe a year ago it seemed unnecessary but it is important to restore trust now that they are not being requested and required. it is a positive step and this is an appropriation bill and it is unclear if it will survive the process. >> i commend the story in the "washington post" and i think it will get them their next pulitzer on this topic. any other comments or thoughts before we move on to the stock piling vulnerabilities? >> we are talking about trust and let me tell you one thing about that. it isn't that we in the tech community trusted the products were security -- secured -- we know that vulnerabilities are everywhere. but we trusted that the security technologies and standards and products would rise and fall on their own merits. that they would be what they were advertised. not that there was a government hand sneaking in and twiddling with the knobs. that is the failure of trust. it is a big one. and something we have to deal with overseas. companies are saying the nsa probably dinked with this. 
you are lying with me and have been forced to make changes and we are not allowed to talk about it. we know this happened with microsoft. we know they made unknown changes to skype to make it easier to eavesdrop. we don't know what they are, how they were done, but we know they happened. >> how is that going to play in an international market? germany kicked verizon out of a big contract because they didn't trust they were acting in their best interest and didn't trust the nsa was forcing them to lie. that is the betrayal. it's a big one because we like to believe technology rises and falls on its own merits >> and this is drilling back from the broad, broad targeting of everybody to the more targeted. so eliminating backdoors isn't going to get rid of the targeted surveillance they are trying to collect. we talked about many different ways the nsa has of conducting surveillance on legit targets and has been able to prove foreign intelligence information. this just eliminates their ability to spy on everybody. which is what we are trying to do. taking away from everybody to look at the real targets >> perhaps makes them fish with a pole rather than a net. spinning off of bruce's comment about we don't expect products to be perfectly secure but just not intentionally insecure. most products do have issues and what we learned in december, which some of us are starting to wonder if this came from a source other than snowden, we learned of nsa's massive catalog of vulnerabilities in a wide variety of widely used products and hardware and software and they can pick and choose and say the target has that. here is vulnerability for that. bruce, can you help us out? and what is a zero day? where can i buy one? >> let's talk about software. software is complicated everywhere and we as scientist/community/technologist don't know how to write secure software. we do our best but all of them have bugs. you get updates and they are fixing bugs and closing vulnerabilities. 
they can be used to attack systems. earlier i talked about the nsa's dual missions of protection and attack. when vulnerabilities can be used for both. if you discover null vulnerability and microsoft fixes and we are safer. you call the criminal, say this is what i found and that vulnerability is being used to attack. we in the security community recognize the way to improve security is by continually researching finding and fixing vulnerabilities. now the nsa can play either end. they have two missions. they can play defense, use the vulnerabilities to make things more secure. or they can play offense and keep the vulnerabilities in their back pocket and use them to attack the systems. but targeted versus broad -- those vulnerabilities affect everybody. now we have the question of what should the nsa do. should they hoard them to attack the bad guys? use them to fire cyber weapons -- we can come up with all kinds of reasons. should we fix them? you can fix the bad guys and good guys. if you hoard them you can attack the bad and good guys. that is the debate. the question is what is more important? security or surveillance. the surveillance of the few meet beating the others or the other way around? >> the alternative to this, or one of them, is disclosing them immediately, or something in between that. danielle, you have done research on this. what have you seen in terms of how should the nsa handle this? >> this comes up in the president's review group report but it has come up many times before and there is a great paper about the idea of lawful hacking by steven bellovin and matt blaze and a couple other folks. and they talk about this challenge of the best and most ethical way to get access to communications for lawful purposes. one of the big challenges is zero days you will always find and vulnerabilities as well. and when there is tension between the defensive capabilities might be to stop them and say we might need all of these. 
and that ignores the fact since you will keep finding security holes you will continue to come up with an ever longer and growing list of these holes. so what they talk about is what a responsible practice looks like and if you find a vulnerability you disclose it immediately unless you have a compelling and immediate need to use it. if you are looking for something specifically and it is high national security, you might be able to use that vulnerability and then once you used it, disclose it to the package so the ordinary users who are open to attack because of that can have their products patched. the other thing they point out is patching isn't immediate. so when you find a vulnerability you disclose it and exploit it for a short period of time until you run out and then you go look for another way to get in. it is a complicated issue because there is something strange about the idea of exploiting vulnerabilities to get access to information but it is the idea this is going to happen and we need to figure out a way to deal with the problem while recognizing there may be legit law enforcement or security needs. the president's security group says the default should be disclosure of vulnerabilities. immediate and then only for a compelling reason following a senior review process the nsa might be able to withhold vulnerability. what they should not be doing is holding on to them and accumulating an arsenal and not letting the companies know because that means general security is weakened just in case the nsa might need that at some point for a target they have access to it. it is this all or nothing approach where there is no recognition of the fact it is bad for everyone that the holes are out there and the flaws are not being disclosed and not telling the company so they can patch it. 
and the companies are looking for those so they can patch them but it is saying we have this information and this came up in the vulnerabilities and the question is did the nsa know about this and if the nsa did why didn't they disclose it. was it because they have been looking for ways to exploit the protocol so they can get access to things? that is a serious allegation and challenge and they talked about disclosure process they have but didn't say much about the details. >> so there was this story that was denied that nsa knew about heartbleed and it seems that is not true but in response the whitehouse said by the way, though, we actually do have an interagency process to decide when to disclose this and we have had it for years and we are in the midst of revising it. i am curious what do we know, amy, about the equity process? >> we know the nsa has a stockpile of vulnerabilities and we know the u.s. vulnerabilities is one of the main drivers of null vulnerabilities and raises the price of them because the u.s. is willing to pay good money for things they can exploit. heartbleed -- people think we knew about it what can we do. let's dust off this old thing we haven't been using and say this is going to be the process by which we figure out if we are going to reveal vulnerabilities so they can be patched. it was a multi level weighing process where they look at whether or not you are vulnerable versus their own security needs. coming back to the nsa's dual functions and we see over and over again whenever they weigh against surveillance this side wins. so it is very unclear how this process is going to play out. and one of the reasons is because there is no transparency built into it. i think one of the key things we talk about is the need for greater transparency and how things are applied -- they have not talked about who is going to be aware of vulnerabilities and how many days they keep things back. 
so these are core questions that need to be answered. things that can be made public and numbers that can be made public without great risk to national security, if any risk at all, and it isn't built into this process that is tilted in one direction because the nsa values their security mission so high. >> bruce? >> we have not touched on the international nature of this. there are lots of countries looking for vulnerabilities. the government of china is doing the same thing. there is a hacking team in italy that sells software to break into systems with governments like kazakhstan and governments you don't want breaking into the communication of their citizens. so as we look at the vulnerabilities, find and fix them, we are not just making security better for us but making it better for people that need security to stay alive and out of jail. the international nature of this makes it very subtle. you will hear a lot of arguments that we have to hoard vulnerabilities because if we don't china will win. that is an arms race argument. it fails to recognize that every vulnerability we allow to remain is a chink in our armor. and as long as we are connected and computerized and internet enabled society we are at a greater risk than the government of china is. the government of north korea as well. and that defense is important to us specifically because of this international nature. >> i wanted to add i think it is encouraging the administration is taking up the vulnerabilities equity process. this is one of my favorites. number one. there are differences and if nothing else talking about the meaning of what the intelligence community is saying based on the written word. and the review groups recommendation in this regard was to disclose unless there was an urgent national security interest. and the nation exploited the heartbleed they had said that there was a strong bias toward disclosure unless there was a clear national security or law enforcement interest. 
those are two different standards. so what would help to inspire confidence there is a strong bias of disclosure is having more transparency because this is quantifiable on being disclosed or temporarily stockpiled and used. there is a lot to be done on this front. it is encouraging the administration is undertaking this vulnerabilities equity process and did so before being accused of exploiting the heartbleed. but at the same time there are a lot of questions that remain about what the standard means in practice. >> correct me if i am wrong, but the review group says they should be used rarely. that is the word they used. >> and immediate disclosure. >> do you know if google has received disclosures under the process? >> not that i know of but the sharing has been difficult. >> mark up tomorrow. senate intelligence committee of the cyber bill. bruce anticipated my closing question which was how do you counter the argument that this is like unilaterally disarming but the answer is you blow up the bomb, you cannot use it again. you disclose the vulnerability and you get attacked and no one can use it. moving on to the catch all category. the nsa weakened encryption and has backdoors in a variety of products and has a bunch of vulnerabilities into other products -- what are they doing with all of that? it seems they are building a large network of computers and networks that are compromised and they can use that to conduct surveillance. a big part of this seems to be called quantum and i didn't understand the quantum stuff and bruce has done a lot of reporting on this. but i didn't understand it until joe explained it. so i am hoping joe can explain what the quantum base is. >> i did my job well then because my number one job is explaining things to people so they can understand. quantum is this scary thing. it is scary and complicated so it is easy to be like i am going to fall asleep. 
quantum appears to be the u.s.-government can respond quicker than any website you go visit for example. your browser says i want to go to cnn.com they have stuff in the internet that can respond faster than cnn can. that is called a race where the nsa is trying to beat the response from the actual thing you want to get access to with their stuff. this is where surveillance gets strange. you think of it as i am watching a bunch of stuff float by, i will jot down notes about what this person said. this is active surveillance. they are changing communication to do this. one example is if you use a tor browser and that is a tool you should all look into it. if you use it and you go some place they have stuff, and it is hard to know what the stuff is because the documents don't describe that because maybe that is too sensitive to write down, but if you use the browser that is an indication you may be a bad guy and you may be looking up contraception in a place that doesn't allow that -- >> but you are a bad guy. >> they can respond and poke a hole in your browser. they have weaponized this category. it isn't just a database of vulnerabilities but they have established tools that can establish a beach head on your computer and do things right then or later. if you just happen to type the wrong thing in or have the wrong book report assignment you may get a hole poked into your system by this set of infrastructures the nsa has using the set of vulnerabilities in a clever awesome network technique. the internet is complicated. but in order to have this global reach into what people are doing -- and it isn't everything but it is a substantial chunk of what people are doing on the internet -- and that is remarkable. engineers think of this i am designing this thing to make your communications private between here and here, there may be a bad guy listening, but we will design it with the bad guy in mind so we thwart him. 
but we don't think about the bad guy that has endless money and global insight into what is happening. >> so, let me try to sum this up. the nsa compromised a bunch of routers and isp and it is watching for targets whether it is someone using the tor browser or using a particular thing or particular isp or has a particular cookie and it jumps out in front of that person's communication, pretends to be the site they are looking for and uses that opportunity to inject malware into their computer. is that right? >> yeah. >> joe described this to me as crazy silo stuff. some of them are major companies. linkedin. facebook. they attempted to spoof google. how do you feel about that, david? >> it is one of these things that doesn't inspire confidence in the use of products and services. when people use a product like facebook or google or another service they expect that is going to be legitimate and these reports are baffling and disconcerting. i think it came -- because it came in the sequencing of revelations i think they were no longer a surprise to people which shows how far we have come in terms of understanding about surveillance programs and how they work. ... that watches everything go by and when it sees something that triggers and it could be anything, they will use quantum to inject data into the stream. i think it's one example we are talking about it injects data in such a way it allows the nsa to take over the computer so it is a targeted attack made possible by this broad surveillance system. there are a good dozen different quantum programs that do different things but it's all, we are monitoring everything looking for specific things. now this is something the nsa can do because they have an agreement with at&t to put this computer between the user and google. and it doesn't always win but once in a while it can respond and fool the user. now this is not -- not the nsa can do this. we can't but actually we can. this is not a new trick. 
this is a hacker tool you can download. it's called airpwn. you ask again get a privileged position but it's the exact same thing. this is a way hackers have of taking over your computer when you are on the wireless of this institution. so we have a choice here. we can build the internet to make this attack not work. we can do it. it isn't hard. we have to do it. it make so safe. hackers are criminals of a foreign government or anyone who might use this. or we can leave this massive vulnerability open and allow the nsa to use the surveillance to attack legitimate targets while at the same time leaving us more vulnerable. >> so it's this kind of behavior that has led a lot of u.s. internet industry representatives to express some concern and dismay and to be worried about especially the impact on the trust of consumers. you have mark zuckerberg personally calling president obama to complain and after meeting with the president complaining they are not doing enough to reform these processes. microsoft likened the nsa to an advanced persistent threat, a security term that's usually reserved for chinese military hackers or russian mafia. and then of course there was google for a couple of the engineers there after learning about how the nsa was attacking google specifically said and i don't think there's a delay on c-span so i won't say the word itself. he basically said f the nsa on google+. it wasn't an official google statement that they were ticked off. what were they ticked off about? >> so this is the washington post reported they were tapping our data centers and i think we expressed our outrage about it i think on this continuum of likely to unlikely in terms of this happening and they thought it was less likely. we have been working pretty seriously now to ensure that the traffic between our data centers is encrypted and i can say we are pretty much all the way there. 
you can never say you are 100% of the way there but we have been working pretty aggressively and i think the post article noted that even before the post reported that particular revelation that we were working to encrypt the traffic between our data centers. but that was a particularly troubling and disconcerting revelation because there are mechanisms including those that congress authorized in the fisa amendments act of 2008 then enabled the intelligence community to seek information to the front door and to do so in ways that just work -- weren't countenanced by previous types of fisa surveillance. so to see the extent of their efforts to go and to tap the link between our data centers to obtain traffic in ways that wasn't targeted and swept up hundreds of millions of communications i think just sort of reinforced our responsibility to redouble our efforts and to do as much as we can on the security side notwithstanding anything congress might do to limit the ways the nsa can conduct surveillance. >> it seems beyond policy response is one of the other key responses is armoring out than trying to put the security of your services to counter these threats. amy, i know you have been working on a project in regard to that. can you tell us more about what we should expect companies to be doing at this point? >> sure, when i came to ask as we talked about transparency reporting in and how absolutely important transparency reporting is. one of the reasons for that is that we have now this window into the nsa's activities provided in large part by rick snowden but it's time-limited. we only know what we know from the documents he was able to provide to us while he was there. they're not going to know what's happening next month, next year, five years from now. we need ways in the future to keep it open as possible so we can continue to have this dialogue in this conversation about the extent of nsa authority. 
but that's not enough because transparency reporting actually really only provides you with numbers based on when the government goes to official judicial processes to get information. how many times they ask the court to provide them with information on their users or their accounts. so what we are looking at is all of the different times the government doesn't go through the initial process and actually taps into the fiber of the internet and tries to get communications that way. what needs to happen to make sure that all of your inner room all of your communications are protected. so we have put forth what we are calling the security action plan that has been signed by a lot of forward thinkers, internet companies including twitter and we have a big announcement coming tomorrow, a teaser alert. it's also been signed by society groups oti comest cvt the electronic computer foundation the liberty coalition and a broad range of groups saying that there are seven things companies can do if they are going to collect information on people on each of you in order to make sure that information is properly protected. unauthorized users foreign governments, the nsa bad actors criminals cannot get ahold of it. so it includes things like encrypting data when it goes between data centers and when it's flowing over the internet. making sure your passwords are strong and that you are moving towards a mitigation system. really poor things, really common sense pieces and activities where companies across-the-board aren't engaging in and if we think if the seven things can become a floor on internet security that you can then start moving forward. here's the minimum, the bare minimum that was accepted. now protect people's information even brought more robustly and think of new ways to protect it. if you register that aimed at encryptallthethings.net is where we have listings located and we are trying to promulgate that and to keep it moving. 
>> so it seems there is a lot of things frankly that you need to encrypt if you actually want -- he need to encrypt all things though you need to do an encrypted between you and the web site and you and your e-mail server. you want e-mail servers to encrypt between each other which google released a report showing all the servers who are not doing that and turning that encryption on. there's also end-to-end encryption and google recently put out a plug-in to enable end-to-end encryption for your e-mail webmail. bruce or -- and you talk more about putting aside what companies can be doing what we as users can or should be doing to protect our own privacy against the nsa or anyone else? >> again talking about bulk versus focus. if the nsa and fbi and the chinese military wants to get into your personal computer they are probably going to. almost certainly. we have security people cannot defend against a well-funded well targeted sophisticated attack on the system. we are not able to do that. that is really not what we are trying to do then begins here. what we are trying to defend against is bulk surveillance, is that can the nsa, the chinese, the criminals get into everybody's computers? can they do a bulk and do it efficiently? can they do it on a broadscale? there's a lot we can do. we talked about encryption. that will protect your data as it's flowing from one place to another. there are going to be ways to get added if the fbi gets a lot more complicated than the normal case of bulk surveillance that doesn't happen. there's going to be if it's easy to grab and if it's not it won't. there are things you can do there. there are things you can do to protect anonymity. the issue is going to be that a lot of the data that is being collected is not able to be protected in this manner. it is what is being called metadata. metadata is data that the system needs in order to operate. 
you can encrypt your e-mail but the tube line time of day in crippling you could have a secure voice conversation but who's talking? how long they are talking and when they are talking cannot be encrypted. your location and your cell phone tracking device. if we can secure that but then you can't receive phonecalls. the system has to know where you are so this data cannot be protected by actions we take. when i talk about what you do to protect yourself the single most important thing you can do is agitate for political change. there are a lot of tech solutions and we'll talk about them but they are fundamentally around the edges. this is a political issue and the solutions will be political. so that is the most important thing you can do and with that we can talk about the technology. >> i can't say enough. laws and policy move very slowly but it's a critical component of fixing this in the longer-term. standards, people who decide how your computers work and how things were coming internet is just a little bit faster than laws for something we are doing and aclu is doing as well as making sure we are present in the conversations and internet engineers are involved in saying look, it's not just a spoof thing. it's not just an not just in the industry think of something regular people have an interest in. but getting to the tech specifically i like to think of this in terms of hygiene. caring about it or whatever and you might be more sensitive to those kinds of social norms. it's a little different in the internet talking about digital hygiene. what things can you do to keep your house in order in that digital sense? there are a variety of things that i will mention a few in passing. a vpn, three letters that stand for something more complicated but essentially if you have one of these pieces of software and turn it on all the local stuff that's happening outside of your computer is sending signals that is encrypted. 
if you go to a coffee shop or airport you often see free wi-fi. it won't have a little lock next to it like you do at home which means even though you have to sort of click on some terms of service or pay a little bit of money or whatever all the communications you send from your computer aren't encrypted. if you use a vpn at least all the communications right there locally are encrypted out to some other thing and it looks like it came from new york city or something like that. it protects you only from people that might be trying to subvert you in a local coffee shop or airport. some of these sound like they are maybe not nsa protections but they all sort of add it to making you less in your digital life so to speak and another is the password benefit. i have my now three passwords and i only need to know one that i have 1200. some of those i have is a many years but they are all completely randomly generated and i don't have to think about them. my password manager has a bunch of tools that manages that. the eff makes a handy plug-in called https. https everywhere. that means if you see the lock on your browser the url line will go from http to https and that s made secure. this plug-in from electronic -- is dynamic technology. make sure if there is an often if they know about it make sure there's an option to have an encrypted connection use the encrypted connection. there's a variety of fees and we can talk about them and i will show them. >> they are important things and we talked about a variety of technical solutions in a variety of policy solutions. i have one more policy and i will look to you guys for any closing thoughts and we will open it up for questions. one issue we didn't talk about is the policy sense for the hacking by the nsa. we are having an above board for the first time in years conversation about what should the rules for the rugby when the government has to hack into computer? 
right now we have a computer crime law that has a pretty broad carve out for lump or cement security and we are only now starting to see a few decisions about when is it okay for law enforcement to use full mobility to break into your computer remotely and we are starting to see a discussion on the advisory committee of the u.s. courts that discusses what warrants should look like if you are going to use a warrant to break into computer but we haven't in the context of the nsa discussion had a debate about what the rules should be if the intelligence community wants to break into a computer. falling short of making a policy recommendation i would say that's a discussion that we need to have. it hasn't yet begun except in the law enforcement context. aclu amongst others has done great work on that issue. on that i will leave it to you guys if you have any other ideas, thoughts or policy recommendations for closing sentiments before we open it up to questions. >> thanks for coming and the fact that you came means you care. if you don't understand it ask us, we will explain it. >> it's very complicated. >> questions and do we have someone with a mic? right there, front row. we know this guy. >> hi. i work with the aclu. a lot of the assistance for a lot of the surveillance you describe relies on the assistance of the companies and when companies are forced to use security of users. the quantum stuff that you describe for example supports our security but probably relies on a voluntary assistance of phone companies. it's tough to imagine a court order for at&t to install them on their network particularly they wouldn't be able to probe for specific targeted computers. they put them there and use them on an ongoing basis. the subversion security that troubles me the most is when companies support the user voluntarily. we have heard a lot about how companies have use security last year and google in particular is really beefed things up. 
in some places you are providing voluntary assistance and weakening the security for users. the one example i want to highlight here is that police get a warrant and seize a cell phone they can go to google and google will unlock that phone. to google's credit they insist on a warrant when other companies might do it with less but there's no law requiring you to have the ability to unlock phones or to circumvent the lock feature on the screen and i'm wondering a year after snowden if you are now thinking about whether that's a feature that should still exist or whether you should be taking it away. i think many of your users to enable that lock phone do so with the expectation that only they be able to remove that and the fact that the police can get a warrant to remove it may surprise and anger some users. >> my response is brief because i don't serve in a compliance world but i actually hadn't heard about that before about having to take that back to law enforcement and asked that question. >> i would be happy to say i think this level of encryption is the key to technology in enabling this level of encryption into phones is the kind of thing that would make me very happy to see. absolutely. some things are encrypted and some things aren't. i know if there's practical problems it takes a long time to do certain things but it would be nice if you had to clean that off. i am not a product guy. i'm just a nerd. >> first of all a lot of really cool cloak and dagger stuff here. thanks for that. i'm going to go and watch sneakers when i get home. with respect to what's going on joe you make a great point about the password managers and authentication. if a lot of people in the room and at home argues that type of stuff. what type of activities and steps have the companies themselves taken post-snowden revelations to make our communications more secure and i'd be remiss in not asking you for joe or kevin to also discuss reform. 
after 180 days or electronic communication protection significantly decrease as well so is hoping you could address those two issues. >> i will say quickly certainly we have seen more encryption on the web. we are seeing what is called -- there has to be a better word for this thing. i don't want to use the nerd words or whatever so i will call it ephemeral cryptography the idea being often when you're using encryption you use the same forever in some cases but web platforms have been moving and google is often the lead. they're using a model of encryption where you have one key per session so you come back tomorrow and start up in a web browser and encrypted stuff is not the same as the one yesterday. it requires a little bit more work on the side of the companies. as you may know carl but is worth it and is often not that more expensive than other kinds of stuff and i will shut up. >> the place to look is if they have a good scorecard of the major internet companies in seven or eight things they should be doing to encrypt the web to protect their users and who is doing what. that's the place to look. it's completely updated so you can see who's doing what and then you can look at the history read that's a good way to get a handle on what companies doing what things to check the security of their users. >> i would be remiss if i didn't add that a certain civil society technologists is offering personal incentives to types of organizations as they move to encryption by default in the ssl. >> it's a good incentive to do it. >> in response to reform very briefly because it is an important issue electronic communications privacy act in 1986 was our first digital privacy law but it's so broken at this point because it was based on a lot of assumptions about how technology works such that the e-mails that you have that are less than 180 days old require a warrant based on probable cause. 
but e-mails older than that require only a subpoena written off by a prosecutor and in fact under the doj's reading of the law they don't even need a warrant for your e-mail even if it's less than 180 days old if you have opened it or it's in your drafts folder or your sent folder so the incredible take away from that under current law the most protected e-mail in your e-mail account is everything that is spam because you have not opened it. >> even stuff you have not read. don't read your e-mails. >> one practical tip of things to do. don't read your e-mail. glad we were here for this. >> so many of us lead the coalition effort called digital due process, a coalition of companies that have been trying to reform it starting with a clear rule if you want somebody's content for e-mail content with a provider you need a warrant. we think this follows the brace -- basic principle in the digital age we think what you stored in a dropbox or gmail or whatever should receive the same protection as the files you keep at home. right now we are in a frustrating place where we have a bill in the house sponsored by mr. yoder and polis that has a majority of the house sponsored a bill of this point. whatever the magic number is 218 plus whatever and it's still not needed. we are in from my perspective someone who has been working on these issues in law enforcement for a long time in a weird bizarre world where it seems nsa has more heat than what should be a really uncontroversial fix to the long force not digital privacy law. the momentum is still building. at some point the leadership in the community leadership are going to have to move this bill because the tide is unstoppable, knock on wood. >> i think reform is the lowest hanging fruit on the surveillance jury and there's a reason why there's a majority of congress that supports the bill and it enjoys broad bipartisan support both from republicans and democrats. 
i will point again to the riley decision from a couple of weeks ago where there was a passage saying that some users aren't familiar with the date of the face door on their cell phone. it stored locally or remotely and they said it really doesn't make any difference for fourth amendment purposes. it was unanimous in the supreme court so you know it is a fait accompli but is not a fait accompli. the supreme court is sending signals to the extent that type of case comes affordable whole that, that there should be an ironclad warrant for content requirement. i think what we are seeing a different context with debates around the limits that might be imposed on the nsa is that maybe that warrant requirement isn't so ironclad and maybe there are circumstances where the nsa should be allowed to search communications that they have already collected. if the data is lawfully collected the argument goes there shouldn't be restrictions on the ability to query it. that skips the step and analysis because it focuses on what happens the day after it's been collected. it's a significant and constitutional moment in the data collected. that's really important. one thing kevin i should mention in case my overseers are following me the plug that you referred to release source code which is going to be hopefully is going to be a browser extension for chrome that if it works right will enable end-to-end encryption using openpgp. we are not there yet and we are kicking the tires and encouraging people. security researchers are discovering vulnerability problems with the source code. >> nsa pays -- [inaudible] >> one less thing to add is a lot of the things we have talked about today are security reasons people have known or suspected for a long time so i do things the things in the past year is that this is news coming out for meaningful public discourse which creates a much greater opportunity for what bruce highlighted which is political change. 
it's very clear now that a lot of these laws are outdated and is very clear that these are things that affect real users and as we keep getting more stories like the one on sunday there's a lot of collection happening that makes people uncomfortable and want change and they can talk about it in a well-informed way. that's very positive in the political process moving forward for seeing reform underway for these issues. kevin has said this before, this is the beginning this year for all the many years with the fights on a lot of these issues and that doesn't mean it will be easier but the changes are always going to be ones that people especially in the advocacy community loved. a lot of these conversations are happening. >> it's kind of like the tinfoil hat crowd. people around their cell phones nodding their heads. >> i come at this from experience of the volunteer foundation and whistleblower evidence from 2006 that the nsa was sitting on at&t's network and up everything in filtering the things out that they thought they wanted and being looked at like we were crazy. it's certainly been validating to have an all the papers of record and finally at this point admit that yes the nsa is sitting on our domestic backbone and we can do something about it. >> hi. first of all thank you so much for this. it's been very interesting. my name is katie mcauliffe and i'm with americans for tax reform. this is the week for ecpa. there are two other events one on the hill on thursday but i have a question for you that i have written down because it is indeed complicated. what i wanted to ask is how does the nsa target bad actors and any kind of weakening or strengthening of security affects the entire world? it's been said that the nsa has the ability to target government espionage but it was also said we don't know which programmer is the underminer of encryption and then how do we question the nsa find foreign or criminal bad actors? 
does this also mean you don't know who is -- in our different browsers so really how does the nsa target and when i say how do we find out who is week? >> yes. let me ask a quick clarifying question. do you mean how do they do it now or how would they do it if we encrypted everything? >> so it would be great if we could do both of those. i guess what i'm curious is seawall said the nsa does have ways besides getting everyone's information to everything and i was wondering what those ways are to actually target bad actors and bad government actors? >> you break into a network and the criminals want to get appropriation and get credit card numbers. they break into network theory partner. they use standard hacking techniques and gather data and left. that is what the chinese government did a couple of months ago. we indicted five chinese military officers to do exactly that same thing u.s. corporations stealing data from the u.s. government. this is something we believe the nsa does. if you want to target north korea get into their computers. there's lots of targeting techniques for targeting targets that everyone uses and we can talk about the technology of those but that is what is done and that is what is differently than targeting and going after everybody. you ask what does the nsa do in nearest we can tell there's a series of filters. the nsa will put a computer on the internet backbone and this is not something, this is nothing the chinese don't do in their own country. it's not nsa specific. don't think of this as magic nsa technology. this is what many well-funded governments are going to do and russia does the same thing. we will do a broad collection of everything and then very quickly based on names, based on keywords, based on topics called out that they don't care about. watching cat videos, you don't care, get rid of that to focus on things they are interested in. 
you are going to get things you don't care about and lose things you care about but the hope is that you do pretty well. last weekend we had a very interesting story in the "washington post" and the end result of that entire funnel were reports given to nsa analysts. here are communications that have passed all of these filters and they're on bad topics from bad people whatever. here it is. what we have learned is 90% of that stuff is about innocents including americans. the filters actually don't work all that well even with all of that filtering. not that answers the question but that's basically the process. [inaudible] >> we actually find targets. >> the way you look at our successes of law enforcement and terrorism they don't stem from looking around saying there's someone suspicious. they stem from following the leads, the kind of police and intelligence stuff you see in movies and on television. we are going to go after that guy. who is he talking to? what is he doing? the things you don't need broad surveillance for. normal investigative procedures that start with a target and figure out what's going on. we see this from review groups that have looked at these broad surveillance programs. actually isn't a lot of value from looking at everything, looking for someone saying the word and i just made this up. it's probably true. everyone is saying the word bomb and if you say the word i'm going to start watching you. that has extraordinarily low value because random people say bomb all the time and people that -- things don't say bomb at all. these bulk systems don't work and they are incredibly costly. the big discussion here we didn't talk about ineffectiveness. what we talked about was the cost. the cost of securing for the rest of us to enable broad surveillance programs. 
no one is arguing here that there isn't a valid intelligence mission and a valid espionage mission a targeted warrant by the fbi isn't a great idea for what we want is transparency over accountability and presumption of innocence and for the ability of foss to protect ourselves from all threats. >> did i sum up well? >> i think so. i will just add i think in a way part of what we are debating and what bruce goes back to is the link used to live in a world of retail surveillance. you would pick a target based on some sorts this -- suspicion and then you would surveil that target. now we have reversed it into wholesale surveillance where you collect on everybody and then you decide who you will target. ultimately that changed the law happened without us having a discussion about whether that shift in the way we investigate people made sense in terms of the trade-offs and it's the discussion we are finally starting to have now far too late. >> i'm a former member of the british parliament. we did abolish slavery more quickly than you did but i'm not going to talk about that nor am i going to complain. please start paying tax united kingdom. we are in deep trouble and we would like you to pay actually tax towards this for all of the money you owe us for keeping out of the country. but the serious part i was on the defense committee for 30 years. i chaired it for eight years. i was moving up the hierarchy for a long long time. i learned morality and politics is important but not too important. what you have to do is to protect your society and if you are being confronted by evil people who are using every trick available to make life difficult for us, extorting money, putting us in danger, the idea of responding to that with an excess of morality seems to me as we would say in the u.k. stupid beyond words. it's difficult to say that. when i was on the defense committee we knew who the enemy was. 
they were plain nasty and if we didn't play nasty we would be absolutely pilloried and we did not do that. somebody does a perspective that's not a very nice perspective but it is a realistic perspective. you have had your pick and create what some of you think hasn't been good enough. you know that your intelligence services play dirty games. thank god they do because if they did not play dirty as the other side did it in a bigger problem you would have would be exploitation on the possibility of political and economic disaster. so if i do hear a little bit off message it's based on 30 years of experience. i had election observation missions for the osce on 25 occasions. russia, evil countries, not evil people, evil countries and they knew first-hand 36 years in and three months in parliament it was fighting dangers of our country and our lives. i am glad to hear that we have a strong degree of realism. there should be a greater degree of realism. i'm not defending every nasty thing that your government has done. i'm certainly not defending your mr. snowden whose -- that great democracy in the world russia although i'd call a soviet union. if we have to play dirty don't admit it but we have to play dirty because i'm absolutely certain that consequence of playing decently as though your think football not that the english are good at that but that you are playing with the u.s. getting farther than we did which wasn't very difficult but frankly i have no doubt that if you have to play dirty then you have to do it. a question? alaki tolerated me for speaking so long first off? >> i did want to allow you to finish because one is not an uncommon perspective but also i wanted to hear it all so i could fully comprehend exactly why we threw a revolution. [laughter] but i do want to reflect on what you said about making arguments about morality. 
in fact i think much of this discussion and the discussion we have been having and which is the focus of our paper is stepping away from a moral argument or civil liberties argument even though it's this civil libertarian as the one that most motivates me and to talk clearheaded linker sidedly about all of the various costs of these programs we are not talking about. the cost to our economy the cost to our foreign relations in other respects the cost to our internet freedom agenda around the world. there are a whole raft of reasons to be concerned about these programs completely separate from concerns about civil liberties or the moralities of those who are engaged in it. that's my answer to that question. >> that argument is fundamentally your argument and i can summarize it in one sentence. terrorist -- we must do all these awful things otherwise terrorists will kill your children. it's an argument that shuts down debate and you are right it's an argument that went over every other possible argument. they can't be argued with. the problem here is that argument short circuits in a discussion of are the things we are doing actually effective? do they do any good? we are making an efficacy argument. we are making a cost argument. yes there is a threat. there's a threat that the bad guys in the bad guys don't play the rules and that's fine but what does that mean? there are many threats in society. we have been talking about the threat of government overreach. actually a very serious threat. in the united states you are 10 times more likely to be killed by -- than the terrorists. i can list dozens and dozens of threats and we are trying to balance that. we balance them by looking at cost benefits. up here we have talked about the cost. if the cost of broad surveillance are greater than the benefits we don't do that. even if the bad guys are bad guys. they aren't going to go away. the question is what is the best way to deal with them? 
>> arguments we are making is that there are more effective ways to deal with them. not that we are going to lose and they are going to win. that's and that makes no sense. if the question is what is the efficacy of the various tactics, what are the variety of threats and what are the best ways that we as a society can deal with that and in order to get this argument you have to -- because once someone says the terrorists will kill your children all the discussion goes away. no congressman will vote against something that someone says if you don't do this at terrorists will kill your children. there will be blood on your hands if you don't vote for this. that is never explained. it's never justified but as soon as it said the fear sets in. what i migrate worries right now but reformed is that if we ask congress to oversee the nsa we look at it more permissive set because right now congress is scared. not as scared of the terrorists, scared of being blamed if something happens. getting beyond this fear is the single most important thing we can do to move society forward and honestly this might take a generation. you and i might have to die before more sensible people take over government. >> was simply can't be terrorized and that is exactly process explain. we have to be able to stand up to in some cases large political pressures in the case of low probability and you can argue soberly that that's not worth it. >> this gentleman right here has been raising his hand very highly for several moments. >> i am a correspondent for euro politics newspaper. 
i was just wondering has the issue of encryption and internet security aspect more than the surveillance because this appeared on the radar of other countries around the world like for example in europe which is considering its whole data privacy framework at the time and a follow-on to that it seems to me that the reason the nsa can do this ostensibly is because all of the companies involved are us-based. you know it does this create an incentive for more european companies to develop software that has encryption and it that cannot be hacked into by the nsa because they are not subject to u.s.? >> so i think first of all some of the stories we have talked about not just the u.s. intelligence agents but others including the british have been doing this but it's most certainly one thing we have learned and when you look at the economic cost to the united states we have seen a huge rise in the competitive advantage from foreign companies in europe and elsewhere claiming to have more secure products or they have products that haven't been tampered with and they are using this as a way to get to lure business which is incredibly profitable. i think the broader thing we talked today about the cost to internet security specifically and how and his attempt to protect security we are weakening security and we are also doing it to a cybercrime costs and the amount of money we are spending on these programs to weaken our security. also it's what we are doing to the american public and that's a serious from a purely u.s. focused problem because we are sort of driving customers away from the united states. that doesn't always mean we are driving them to more secure alternatives. we are just driving them to what we believe are more secure alternatives. just because it's not a u.s. product doesn't mean it's more secure but if you believe the u.s. government is interfering with u.s. products you may be more than likely to try it elsewhere. 
>> i think we have time for one more question right there. >> hi. matt soler with congressman grayson's office. a couple of weeks ago the bae systems a representative went on cnbc and said there was a cyberattack on a hedge fund and their stock pots by roughly 2% and they formed, the fbi formed a partnership with the think tank called the center for financial stability and there was a lot of discussion about cyberattacks in the financial space. i think it was last week bae systems said that in fact they made a mistake, there was no cyberattack on a hedge fund. it was a training exercise which they confused and thought there had been an attack but essentially it was their own training exercise. >> it's complicated, we told you. >> that probably helped their business. i don't know what happened but there is a lot of money in saying cybersecurity is this big problem and if you don't know anything about technology and i don't really know that much about it, give now how much of the fear of the cyberattacks, how much of that is just profitable for entities to push for their own security businesses? how much of it is legitimate? how well is the nsa doing in terms of defending the country from this kind, these kinds of attacks and how do you measure these risks and these other risks, climate change, nuclear terrorism and so on and support so forth? i don't have a framework for how to think about this so when i'm thinking about political action and we are thinking about policy questions you can certainly say let's have warrants. that tends to be a good idea and has been ever since the magna carta but how do you think about these new really novel institutional tracks? >> in 30 seconds. go ahead. >> it's complicated. there's a lot going on. yes there's a lot of profit motive than a lot of profit-making and a lot of fear-mongering. we tend to overexaggerate the terrorist threat and under exaggerate the political effect so you will find discontinuities on both ends. 
cybercrime is enormously profitable and it's a great big deal and very big business. companies are not doing enough to defend themselves but on the other hand a lot of threats are overhyped. there is an anonymous security industrial complex supplying weapons to the u.s. military, the lobbying force for some of these merconium laws. at the same time there is real stuff that needs to be sold to real companies. the nsa is not doing a lot to defend the country. that's not really their mission. their job is to defend military government networks. they have not been tasked with defending the broader internet. that's probably good things that we can't judge them on that. there's a lot going on here. how do we compare this with climate change? your guess is as good as mine. climate change is the single most catastrophic threat we are facing that is 100 years out. we as people cannot do threat analyses 100 years out. we can barely do it to the next harvest. we are not equipped as people to do that. that is why this is complicated. there's a lot going on. a lot of moving pieces and profit making versus real threats. >> in 30 seconds. >> was enough and bring it full circle it's complicated. thank you everyone for coming today. i really appreciate it as does our panel. thank you panel. [applause] >> mr. secretary-general a sellout crowd. good afternoon. i'm fred kempe ceo of the atlantic council. secretary-general rasmussen at the huge privilege for us to welcome you let me say back to the atlantic council less than two months ahead of the nato summit in wales this september which in your own words quote will be one of the most important in nato's history unquote at a time when peace and stability are put to the task from eastern europe to north africa and the middle east. this is also secretary-general rasmussen's last major public visit to washington in his capacity as secretary-general before former prime minister stoltenberg takes over the role this september. 
as many of you may recall the atlantic council hosted secretary-general rasmussen for his first major public address in the united states as secretary-general back in 2009 and while your tenure is not finished we are extremely honored to bookend your highly successful distinguished tenure leading nato with this event today. back in 2009 it was then u.s. secretary -- excuse me national security adviser general jim jones who introduced the secretary-general and we are delighted that general jones has returned today in his capacity as chairman of the brent scowcroft center on the atlantic council to introduce the secretary-general. general jones who has prior to his position as national security adviser led nato's military operations and his capacity as commander of u.s. european command and supreme allied commander europe and leads today much of the strategic thinking at the atlantic council. among his other roles of the council he has been a dedicated supporter of our young atlanta summit, summa switch up over the years become the primary public diplomacy of nato summit and it then that means to securing a next generation of support and leadership for the alliance. we are very grateful nato will partner with the atlantic council this year as well to think transatlantic power future leaders from nato member partner countries from the 2014th future future leader summit in wales and secretary-general rasmussen not only has been supportive of this initiative but has been very much an instigator and the visionary behind the effort to get more young voices and more young strategic thinkers into the conversation. before i turn the floor over to general jones let me say what one didn't have to say back in 2009 and that is if you want to tweet use the hashtag future nato to do your tweeting. i think secretary-general rasmussen you are one of the groundbreakers and i think back then you are just starting your own twitter account. with that general jones the floor is yours. 
[applause] >> thank you fred and secretary-general welcome back to the atlantic council. ladies and gentlemen it's really a great pleasure for me to be able to introduce secretary-general rasmussen to this audience for his final major address in the united states. depending on world events. there could be others. i have had the privilege of introducing the secretary-general here at the atlantic council for his first public speech to the united states nearly five years ago in september of 2009 while still national security adviser. i recall finally when the secretary-general rasmussen addressed the council in 2009 he also spoke to a packed crowd in the council's old headquarters across the street. they were so many people in the past remake of hardly turn around. very happy to notice the council is able to welcome him back this time to its new headquarters and while there may be more elbow room in these comfortable quarters i'm not surprised to see you still able to command an overflow crowd in washington. when the secretary-general spoke here in 2009 the obama administration was in the midst of a rigorous strategic review concerning the war in afghanistan a debate about how many additional troops would be necessary for the united states its nato allies and isaf partners to achieve success. the administration invited the new secretary-general to visit washington for consultations about the ongoing u.s. review and to assess possible contributions of nato allies to the u.s. surge. it was a challenging time for nato and for the alliance and its allies including the united states who were becoming weary from their long commitment to a difficult conflict in a faraway land. despite these challenges when the secretary-general came to washington in september 2009 and spoke at the atlantic council the administration had great confidence in his ability to lead the alliance through this difficult phase and he has certainly lived up to that challenge. 
at the lisbon summit in 2010 nato's 28 members vowed to stick together through 2014 in afghanistan at which point responsibility for security would shift to afghan forces. under his leadership nato stood by its commitments taken at lisbon. the alliance is today concluding a combat mission transitioning responsibility to afghan forces and preparing to take on a post-2014 mission to train and advise afghan forces. secretary-general rasmussen will go down in history books as having led the largest and longest combat mission in nato history in afghanistan. as the secretary-general returns to the atlantic council in 2014 the strategic context is quite different than a mere five years ago when afghanistan was a dominant challenge for the alliance. to confront these evolving strategic realities secretary-general rasmussen appointed nato's group of experts ably chaired by former secretary madeleine albright to undertake a strategic review of nato that would inform a new alliance strategic concept. secretary-general led nato's response to not only the threat of extremism, civil war against civility on its southern flank but also russia's challenge to the liberal post-cold war order in europe altering the greatest financial crisis since nato's founding in 1949. in libya in 2011 the secretary-general skillfully positioned the alliance to respond to rapid events and to enforce u.n. security council resolution 1973. nato's quick action demonstrated the alliance's unique capability to act quickly in a crisis and to integrate regional partners to alliance operations. in the aftermath of russia's annexation of crimea and destabilization in ukraine secretary-general rasmussen has provided decisive leadership of nato in what is europe's most serious crisis since the end of the cold war. in doing so he has reminded our public that nato remains an insurance policy for all members and remains relevant well into the 21st century. 
this september the 19th nato heads of state and government will convene for what secretary-general rasmussen himself is called one of the most important meetings in nato's history. it will be the secretary-general's last nato summit before former norwegian prime minister stoltenberg takes over in november. while secretary-general rasmussen's tenure is not yet complete we can be confident he has left behind a rich legacy of accomplishment for which nato member nations owe him a debt of gratitude. as many of you know the atlantic council recognizes secretary-general's rich accomplishments by the atlantic council's distinguished international leadership award in 2012 where he delivered a moving testimony about his own personal investment in the trans-atlantic link. delighted the atlantic council is able to welcome him once more to the stage on his visit to washington and perhaps his last as secretary-general. ladies and gentlemen please join me in welcoming the 12th secretary-general of the north atlantic treaty organization anders fogh rasmussen. thank you. [applause] >> thank you very much jim for that kind and very generous introduction. it is really wonderful to see you again and thank you for your remarkable service over the decades as a marine, a supreme commander of nato forces and as national security adviser. i remember with great pleasure our cooperation during your term as national security advisor. you know nato from the inside and you know what it takes to keep the alliance united and your commitment to the transatlantic relationship is firm and strong. thank you very much. also a big thank you to fred and damon and your dedicated team here at the atlantic council. i truly value your strong commitment and service to the transatlantic community and to nato. fred it is a great privilege and a pleasure to work with you. 
you have done an amazing job in making the atlantic council such an influential forum in international affairs in washington and worldwide. the atlantic council shapes and forms an important debate. on the challenges we face and the opportunities we must grasp in a world that is more competitive, dynamic and disorderly. through your tireless work, you play a key role in keeping the bond between north america and europe strong. now and into the future. we recently marked the 70th anniversary of the d-day landings, a stark reminder of the horrors of the war but also of what is possible when our nations unite against tyranny. since then, the nato alliance has underpinned freedom, peace and prosperity across europe and north america. protecting our values, individual liberty, democracy, human rights and the rule of law. today those values and our way of life are once more under threat. we are surrounded by conflict, danger, disorder and autocratic regimes. an arc of instability from the middle east and north africa and the sahara. rising tensions and territorial dispute in the nation and a revisionist russia breaking international rules and undermining trust. but russia is not just trying to re-create a sphere of influence. it has dealt a dangerous blow to the international rules-based system we have built up over decades and its illegal and illegitimate actions encourage other autocratic regimes to follow suit. the best way to say such threats is clear. we must be confident in our values, reinforce our readiness and strengthen the transatlantic bond that remains the bedrock of our international order. since world war ii, the solution to every strategic challenge has been transatlantic. be it the cold war, the balkans, afghanistan or the financial crisis. america and europe working together, training together and when necessary fighting together. this is how we have protected our nations and promoted our values. 
even the most successful relationship needs work. we cannot take our transatlantic bond for granted. we must renew our commitment and continue to invest time, energy and resources to keep it strong. to meet the challenges we face, we need a truly integrated transatlantic community, a truly integrated transatlantic community. and i believe there are three things we must do. reinforce our economic ties, deepen our personal and cultural links and strengthen our security. first the economy. trade encourages the creation of wealth. it discourages conflicts and conquests. it generates greater prosperity and this in turn leads to greater security as people do not want to put their prosperity at risk. so a healthy economy and sound security create a virtuous circle. in today's interconnected world, the link between economics and security and between peace and prosperity is stronger than ever and it is particularly strong in the relationship between europe and north america. together they represent the most powerful economic bloc the world has ever known. with greater global competition we need to work harder to ensure our prosperity for the future. a transatlantic free trade area is a unique opportunity to reinforce our economic ties and to lengthen our prosperity. the trade deals currently being negotiated between north america and europe are the next step and the right step. the transatlantic trade and investment partnership will eliminate tariffs, red tape and open up new markets. it is potentially the biggest trade and investment deal in history. well, as a prime minister i know just how difficult trade negotiations can be. but we must look beyond the technical details to see the big gains within our reach and to move forward because this is an opportunity we cannot miss. to promote growth, create jobs and improve our quality of life. we also need a new focus on energy security. much of europe is now reliant on russia's oil and gas. 
we have so to speak to for her way into a position of dependence. as we see in ukraine, russia is quite capable of turning off the taps. putting an end to that dependency is not -- is now of the utmost strategic importance. european nations are already doing more to reduce this dependency. they are increasing their storage reserves, engineering pipelines to redirect energy to where it is needed and bringing in energy from other sources. we must also find new ways to generate and distribute energy, be that oil and gas or renewables, and we need to open our markets to each other because if you have to depend on anyone it is better to depend on your friends. and those friendships must be fostered so this is my second point. we have to deepen the personal and cultural ties that bind us so closely. 30 years ago i came to the united states as a guest of international leadership program. i can tell you a life-changing experience. it helped me to know and appreciate this great country and its people. as many people as possible should have that same opportunity. i want to further strengthen the personal bonds across the atlantic. so in preparation for september i asked young emerging leaders from all nations of the alliance how they think we should do it. i would like to thank the atlantic council for facilitating this work. the results have been truly enlightening and valuable. one of the main recommendations of the emerging leaders is to enhance real entry understanding between the nations of the alliance through personal ties and i think they are right. we need to increase our transatlantic scholarships and exchange programs. to increase our scientific and cultural cooperation. to form those lifelong relationships that have bound our people together for so long. now, my third on everything we do is we need to strengthen our security. the english philosopher thomas hobbes wrote of a word -- a world without rules, a world without security. 
he described this world as having no industry, and of movement no culture, no society. nothing but the continual fear of violent death, a world where the life of man was nasty, brutal and short. security is necessary for us to live free from fear. security takes work and for 65 years that work has been led by the nato alliance. in today's dangerous world, nato must be ready to respond to whatever threats we face. ..
