Welcome back. We have a few folks coming from lunch in a few minutes. So we wont make any noise until a few minutes in. Welcome to our conversation with facebook titled security versus security. Im dean of the Langston School university. And the head of counterterrorism at facebook. We were here last friday. There was a movie release called friend request. So were here to do a review of that movie. Because no news has broken since then in monicas orbit. When monica agreed or started thinking about it, our main focus was going to be on why when i post pictures no one ever says like or comments. But since then weve had a lot of things develop. So were going to get right into it. We will address some of the news of the day but i want to do that at the end because i want to make sure we spend a lot of time at the beginning talking about some of the really great incredible things that monica and facebook are doing in the counterterrorism space, which is the goal of this conference is to talk about those issues, particularly as it relates to different legal issues. So the frame that we wanted to lay out here is so often i know many of you have likely been to panels in which its titled security verses liberty, right . Security verses privacy. And its my view, i know shared by many others is thats sometimes an inappropriate lens by which to view this debate and i would submit it is sometime as poor frame work for two reasons. One, it implies sort of a mutually exclusive balance that in our football, our sports culture, that one has to be winning or losing. And that sets you up for the complicated things. I think well highlight that there are a lot of things industry is doing whether from a encryption standpoint, work in the security space thats equally important to what Law Enforcement might be doing to fulfill their obligations. By referring to it as some balance between privacy and liberty t can throw off the values of what our Great American companies are doing in the space and second is there are some really important things facebook is doing to preserve free speech and we heard our first panel talk about that and theres really complicated issues around that. Wanted to start with that lens because of time i wont and you have monicas bio but really incredible career both in public and private service. Federal prosecutor. Worked in thailand. Where else . Chicago, d. C. As a prosecutor. A lot of places. Came over in 2012 to lead facebooks efforts in this phase and is a real leader. So its griet have her here. So without anymore intro from me because you want to hear from monica. Lets talk about your title, head of product terrorism and policy. I think thats an industry first. It is. They said what . Facebook has a what . Tell us how it came to be and what you do on a day lae basis. Ive been the head of our product policies are more than four years at facebook and that entails over seeing our content standards, what people can advertise, how they can advertise and how they can target it, basically anything relating to how people can use our products. But about a year 1 2 ago when we were really trying to double down on terrorist content, propaganda and terrorists attempting to use social media. We felt as a company we needed one leader of those efforts because what you have are engineers working on technical tools and reviewers who have to be specialists recognizing terror propaganda. You have lawyers dealing with government requests and former Law Enforcement agents in the wake of an attack interacting with Law Enforcement. It wasnt a unified team. I became really interested in it and asked if i could do both and i now am leading both of those. So counterterrorism separately. So security versus security. Talk to us at the outset facebooks mission to make a world more open and connected and protect freedom of expression and privacy. How do you address or look at those issues . Sometimes those issues are intention as im sure has been discussed today and sometimes theyre not intention. We certainly see facebook was created to connect people and our ceo, Mark Zuckerberg, has talked about the value in bringing people together and trying to establish communities. Part of that means we have to make sure were protecting speech and the ability for people to express themselves how they want to and connect very freely with one another. Some of that will only happen if you have privacy. At the same time we know people wont come to facebook if they dont feel safe. So for us to achieve the mission of bringing people to a place where theyre going to speak openly with one another, you have to have both and privacy, means, the ability to control who sees your content and when. It also means facebook adhering to privacy laws, which are different in different parts of the world and making sure were only providing data, whether its organic content or ads. Security means making sure we dont have our site used for things like planning terror attacks or exploiting children and theres many other things that privacy and security bring to mind but those are areas where there is no tension. We can really strive to have both and those areas Work Together and finally mention encryption. Encryption is something that we use in a variety of different ways at facebook. It does not mean that we wont do our part to respond to valled Legal Process or Law Enforcement request. For instance if theres a crime or in the wake of a terror attack. We can and do provide data to Law Enforcement. There are reasons that also protects security. Whether its protecting Health Information or sensitive Financial Information or sensitive government information. So its privacy and security. I want to circle back on some of those points you made but i want to drill down in a little bit more detail about some of the more specific effort you are all are focussed on utilizing human moderator. How you utalize both of those and balance that in furthering your interest. The policy is hate speech, personal information, intellectual property misuse, the list goes on. When we enforce those policies, we use a mix of human viewers and automation. Or different types of technology. Sometimes artificial intelligence, sometimes rudementry. Theres always a mix. And ill give an example of where this works really well and an example of where it doesnt. If you think about terror propaganda or a child exploitation, child pornography, often this is image based. There are no images. Because thats technology that just martches an uploaded image to an image we already know about. And we can auto report it to the nationm center for missing and exploited children and it never misses the site. No one at facebook even has to see it. That can be a very good use of technology. Thinking about hate speech. Our policies around hate speech, which by the way are increasingly nuanced and have to be applied to more than 2 billion peoples posts from around the world with more than 80 of people on facebook from outside the United States. So a lot of different cultures, languages, ideas of whats okay to share. Our hate speech policy is aimed to remove any attack against a person or a group of people based on that persons protective characteristics, such as race, gender, gender identity and so forth. There are many ways you can use words that could be an attack and use them in a way that is not attacking anybody. You could say this morning on the subway somebody called me x. Or i think we need have a conversation in our society about the word x and how we can take it back from negative use. So we would want to take that word down if its used as an attack but leave it up if its used in the context i just mentioned. Thats where automation has a much harder time. You can use Machine Learning i love throwing these terms round like im an engineer. Im repeating what ive heard from the engineers. You can take a whole lot of data about good uses of this word and bad uses of this word and you feed it through this machine and the machine every time it looks at the data learns for umthat and get better at sorting. And after a while you can use that classifier to look at content and say this is likely good, this is likely bad. Maybe we send that to our human reviewers and they can look at it but we can cue up for them the stuff we think is likely good or bad but thats a much harder job for technology. And so right now when it comes to a lot of our policies, especially things like bully, harassment and hate speech, the context really matters and human review is very important. To that point, as of now you had about a 4500 member team of folks working on that and youve made a dmiemnt increase that to 7500, is that right . Thats right and to explain what that is. I get a little sometimes people will call our reviewers moderators which i think gives the impression these people are looking at everything posted on facebook. Thats not the case. The way that our process works is anytime you see something on facebook that you think shouldnt be there, you can report it to us, whether its a photo, a post, somebodys page, an ad, a profile. You can report any of that and if you do, its reviewed, sometimes using automation to help classify things. But often it goes right to a human reviewer and these are people who sit around the world in different locations. Theyre reviewing content seven day as week in dozens of languages and their job is to decide whether or not the content that has been reported or that our automative systems have flagged for review, whether that content violates our policies or not. If it does, take it down, in either case they send a message to the person who reported the content. Heres our decision. That team sat at a round 4,000 a year ago and we have now ramped that up by adding another 3,000 people. To put context on it, facebook has about 21,000 employees. Theres 2 billion facebook users. So thats a lot of coverage if people were expecting sort of a one for one review. I should also be clear. If a piece of content is reported to us, we will review it, using a combination of automation, often using human review but if a content is reported 500 times, we do not review the content 500 times. We will review it a couple of times and if it does not violate, it doesnt and well put a profectitection on it so dont continue to review it. But things like i like this sports team and my team won and youre angry about it. That sort of post gets reported a lot. So well review that a couple times, not 500 times. I do that quite a bit. Can you talk about the standards these reviewers are using to analyze this. I know theres a lot of criticism about them sometimes and the process. So more than 2 billion people, dozens of languages, most outside the United States. So the guidelines for reviewers have to be really objective. As lawyers were used to looking at criminal law and you say in any given case there will be a trier of fact who will look at things like intent and whether standards have been met. When youre talking about needing the decision to be the same on a specific piece of content, lets say a photo. Whether its viewed by somebody in the u. S. Or india or ireland, you have to get to the same answer, you have to try to take that persons,by bias, subjectivity out of it. So the review guidelines we write are intentionally very, very objective. If you look, for instance at our policies around nudity. In an ideal world, maybe the standard would be to say if its sexual nudity, well take it down but if its artistic nudity, we will leave it up. If you sit people in a room, even in this room and show them images and say is this artistic or sexual, people will not agree. So you cannot do that with reviewers. So you end up writing guidance very specific and wont necessarily reach the right result in every case. Theres always going to be edge cases where you look at a specific photo and say wow, our policies end up leaving that up . That happens. You will always have edge cases. But theres still a value in having this objective rule. So we write guidance for the reviewers and update it at least every week and sometimes more frequently. If theres something in the public were responding to, lets say an event and certain graphic imagery, we will make decisions and provide ongoing guidance to the reviewers. So most of facebook members are outside the u. S. , correct . More than 85 , yes. And youre talking about reviewers in every country. Youre also faced with a myriad of international laws. Talk about how you balance that, some of the challenges youre seeing from an International Perspective and how those run against u. S. Constitutional for that balance. This is a really interesting landscape and a challenging one. We have seen a number of countries either pass new laws or become more rigorous about online speech. And their standards are almost always tighter than u. S. First amendment standards. They restrict more and sometimes go beyond what we restrict. So you have First Amendment protections, then you have the Facebook Community standards, which is our content standards and those we do take down, like i said hate speech. We define that and remove it, even though its permiscible under u. S. Law. There are other things we remove that are not illegal under u. S. Law. Above those community standards, you often have laws internationally around hate speech or sharing of terror propaganda where its actually criminal speech and an example of a law weve seen recently is the german gd law that requires social Media Companies to delete from their Services Within 24 hours any manifestly illegal content and theres a list of german laws that we, as a company areinal forced on our site. It draws into attention the goal of having borderless community, meaning our friends around the world can see the same thing verses a more balconized set of standards where youre satisfying different cultures, maybe even individuals. Within a country. So you can have that more volconized system or this uniform global system. But you really cant have both. Weevl weve been trying to walk that line for years at facebook by saying were go having to one set of community standards. If a government tells us about a piece of content and say this is illegal, even though it doesnt violate your standards. We will have our legal team review it and see if its consistent with our laws. And whether or not we should comply with it. If we ultimately and theres a whole lot of factors that would go into that, including is this political speech against the government . How many people do we think would be effective. We do it only in that country and we publish that fact in the government request report. So thats a way were trying to straddle the line but its getting harder if you look at our government request report youll see increasing requested from a number of countries. So its getting difficult to straddle that line between a Global Community and maker sure were complying with the law we need to. I want to shift back to domestic Law Enforcement and your work there with government. I think post San Bernardino and the events that happened there. We saw a ramping up of this government versus industry in some ways. Id like you to talk about your partnership, your work with Law Enforcement. Because you do a lot in this space. We do. To really make an effort to be a good citizen and comply. So talk about those efforts and what youve done to ramp that up or how you balance it. Theres two primary ways we interact with Law Enforcement. The first is if we get a request. If we get valid Legal Process and when we will proactively provide to Law Enforcement. We have a mechanism through which Law Enforcement can request user data if they provide the appropriate Legal Process for their country. There are restrictions around what we can provide and under our terms, we only provide this user data when compelled to. So something that is requesting user content from a country outside the United States, often the appropriate avenue would be through the mutual Legal Assistance treaty process. So they can go through this portal. Sometimes they might have to go for content, they might have to actually go through u. S. Authorities to get that content from us. We have a team that responds to those requests. And that channel is much like our content review, manned 24 hours a day. Partly thats because we sometimes get emergency requests. So if there is a terror attack or something that is a crisis, theres missing person or somebody in danger or law if forcement submitts something to us, we know we need to respond right away and its always manned and literally a box to check if its emergency Legal Process and the Law Enforcement officials can explain why its an emergency and well respond right away. Sometimes we will become aware of an imminent threat of harm on facebook, even though we havent received Legal Process. For example somebody planning a terror attack, we can and do proactively refer to Law Enforcement authorities. Any rth eer other comment or thoughts on why in the end encryption, i know you dont have that at facebook, but why thats so critical in protecting privacy in your users. I think hopefully people in this room have some idea of incription and why its important for protecting peoples privacies. We hear about hacks all the time. But i guess what i hope will happen in the near future is that as people continue to discuss encryption, theyll become more knowledgeable about the different types and values and costs. Because its not as simple as an encryption is always good and theres no cost to it and its not as simple as saying any use of end to end encryption is bad for security, for the reasons i mentioned earlier. These are really nuanced topics and the thing i think we can all do as people who work in this field is get the word out there that there are really different types and uses of incription and there are pros and cons, especially end to end encryption with National Security. Facebooks been the subject of a commander and chief tweet this morning about the situation going on relative to news and the accuracy of news out there and propaganda and the influence of foreign powers in our election and last thursday, Mark Zuckerberg came out and released a video in which he highlighted nine steps that facebook was taking after releasing to both Robert Mueller and congress the 9,000 ads that were purchased 3,000. Sorry. 3,000 ads purchased by russianlirngrussian russianlinked entities. So lay out, to the extent you can, your efforts in this space. Sure and as josh just mentioned, our founder did post about this last thursday. Something thats a pretty short video to watch but something i think you might find i would encourage you all to go watch it. I think what youll come away with is we do, as a company, take this really seriously. We want facebook to be a place where theres political discourse, where candidates are free to discuss their views and their ideas and where people can challenge that and really engage in the sort of speech you should have around any election. We dont want our service to be exploited by people who are trying to manipulate it and thats why we did this initial investigation, which we undertook on our own to undercover any abuse of our service during the election. Its why we wrote a post back in april, our chief Security Officer put a post up about disinformation on facebook where he talked about the efforts we were undertaking to try and identify any abuse of the platform for the 2016 election and other elections and now weve come out and said heres what we found and i want to be clear. Were still looking. And mark said that in his video. Were going to keep looking at what has happened in the past and going forward. What are we doing . A cupople of the things he mark mentioned. We are cooperating with governmental authorities and that does mean disclosing the ads to special counsel and with the congressional inquiry. It also means were going to focus on transparency in our ads and i dont know if youve ever run ads on facebook. But ads on facebook are most often run from pages. So you create a facebook page. Your page is about your bakery and from your page, you can run ads on facebook where you dont necessarily link back to your page, but you can. What were going to start moving towards is improving our transparency so when you see an ad on facebook, you can see whos behind that ad, you can see that page and then go thopage and see the other ads that page is running. Thats part of it and were looking at ways to be more transparent there. Were also ramping up our engagement so we can understand the issues of what they might encounter and get ahead of the problem. And finally like you mentioned with our reviewers we have specialists at facebook who are working on Election Integrity and we have committed to doubling that number and hiring several hundred new people on to those teams that we can make sure were doing everything we can to prevent any abuse of our platform around elections. Can you talk a little bit about the actual process to purchase ads and how that works. Sure. We have millions of advertisers and most are self service, meaning most of you today can set up a page and say i want to promote this poster. Of course we do have checks in place on payments to make sure were compliant with all relevant laws. But you submit your Payment Information and pick to whom youd like to target your ad. Submit the creative and that ad, it goes live. It is reviewed before it goes live with a combination of Automated Systems and some manual review, for instance if you tried to upload an ad using the word cocaine, thats something that is going to trigger some review. But by and large the way they work on social media is theyre dynamic. So a lot of this is self service. These are very small advertiser, Small Businesses and thats an important landscape to understand and for us to protect. So when it comes to political ads which will be the subject of the increased transparency efforts i was mentioning earlier, anyone can run a political ad. But we want to make sure were being transparent. So in addition this might be our last one. Secretary chur dauf mentioned this morning we need to get at preventing the impersonation, the fake question. How do we deal with that authentication side, so not just transparency and laying out who folks are, but how do we authenticate they are who they say they are . We should think about from a facebook lens and then from a broader lens. Its unique in that we require people to use their real names. That means if you use mickey mouse for your name, we will try and detect that and if its are eported to us, well look to see if thats your real name. We may ask for identification and if we determine the accounts fake, we will just remove it, even if the content on the profile is completely fine, we will remove it just for being fake. The ads that weve been talking about the reason we remove those was because they were coming from inauthentic accounts. Thats a real powerful tool for us is requiring authentticity. Its pretty rare. So as we think as a is to, as a country about how to make sure were protecting the integrity of conversation around elections, thats something i think well have to talk about. I think its going to take a while to figure out and wed invite you to come back next year and give us progress on where your are aat. So please join me in thanking her. And were going to transition now to tom bosser and ken wanestein. Okay. Im going to let ken introduce our special guest but i do want to express our thanks to tom becauseert for taking to time to jien us today. Weve had a very good conversation so far and you will surtdenly be contributing to that. And youre literally in the eye of several storms at the moment. And so we really do appreciate it. I will leave you in moderately good hands. I think you and i have both had the experience of having to work for him and i will tell you i survived. It took 12 steps to recover and i suspengt youll probably have an easier time. But let me turn it over to ken to introduce our special guest. Thank you. Afternoon, everybody. Its great to be here and i did have the dubious distinction of trying to manage steve, which is a bit of a misnomer actually. But its a treat to be here with steve and a number of my old colleagues. But a particular treat and pleasure and honor to be here with my friend and colleague, tom bossert. He has deep experience in the Homeland Security area, dating back. I got to know him in 2008, i believe it was when i came on as Homeland Security advisor, the job he has now. I came in as a guy who knew something about Law Enforcement and counterterrorism intelligence operations. Had no idea what the stafford act was or resiliency and i looked around the Homeland Security counsel who i felt would be particularly helpful and could help me get up to speed on these things and tom was the first person i looked to and tom ultimately partway through my tenure became the deputy. It would be an understatement to say i relied on him. So its been a particular pleasure and for me to see tom, ascend to this position and do the fantastic job weve done so far. Let me echo steves thanks for being here, given the few things he on your plate right now. Its a plate thats always full. Its full of very diverse things, as i eluded to, everything from Law Enforcement to pandemic flu to Natural Disasters. But thats made particularly more difficult and complicated in hurricane season, especially when you have one like this, which is almost unprecedented in terms of the relentlessness of the hurricanes that have been hitting us. So thanks to tom for being here. So what i think well do is tee up some topics for you, tom. Thank you. Im still in the denial stage of my 12step recovery. Just a few introductory remarks. First, thank you very much for having me here. Its not your honor, its mine to be here to speak to this group and recognizing a lot of you here have taught me what it is i think i know, ill be very respectful of giving you my thoughts and opinions, knowing youll probably still know more than me and continue to but maybe a few light hearted remarks. Monica does a great job and i want to state here and now for the record on behalf of the administration that what they do to take terrorism related information off the open internet is breath taking, remarkable and kudose to them and the other social media sites that have led in this space. Monica and i took a picture intentionally of ourselves in front of a bar named isis. And we jokingly said we should post this and see if your algurhythm can take the isis material off the internet. Wevent tested it yet but i believe they could take it off and monicas examinations could bear later for a lot of accolades. Thanks for having me here. Our guest panel, thank you for listening to me and forgive me if i ramble its been a bit of a tiring week. Did you end up going the to the bar . No. So both you and she could probably use a drink . We could but we did not. One other anecdote for those of you that follow this. Yesterday was the 70th anniversary of the National Security counsel. Today we commemorated that inside the building with all hands, 250 person h. R. Mcmaster and i kind of led the conversation, a walk down history lane and it struck me that the National Security counsel and the staff structure has evolved quite a bit since its formation but its pretty interesting to note that since 2001 it has made more changes in the last 16 years than its collective prior 60 or 55. It now includes hurricanes, cyber threats, terrorism and its really an inspiration to watch that team and happy 70th anniversary to the National Security counsel. Lets start with something in the heart of your responsibilities. The nfl. I prefer to stand. There you go. Amen. So lets go straight to hurricanes. Its response nlts have changed dramatically, nowhere as much as the Natural DisasterResponse Recovery effort, so if you would, given your deep experience, dating back to katrina and hurricanes. If you had give us an idea of the particular challenges that have been presented to you all by each of these hurricanes and each one has been different. For some reason even with an eightyear break, i have been in a management responsible role for every major hurricane since 2003 to hit the states. It made me qualified to handle the response. Its an unprecedented storm season but by and large an unprecedented and unified effort in terms of response. We have a long road to go. Our path, not with puerto rico, so i dont want to do a victory lap. And the fact weve done it back to back to back and with the insular territorial island challenge and then two states at the same time, i couldnt be any prouder. So maybe the bigger observational answer is this. The nsc structure has always been staff organized around regions and when you and i have look at the lihistory we see a asia desk or middle east desk and those regional governments tend to pose the biggest National Security threat. And after 9 11, we realized we needed a functional organizational model and the concept ended up with a counterterrorism director and a Cyber Security director and a resilience now director. But they move across any area or region of the globe. So they now include as well this all hazards concept where a number of things can be large and consequential enough that they literally threaten the National Security and so the big challenge for me in the white house, instead of getting into the operations of fema is to contain the effects from going into a spiral from loctoal to regional to national. And we came really close to losing that handle. The regional problem of Power Outages almost led to the loss of the two big pipe loons that supply the east coast and that cascaded into an International Supply and demand model. So you try to contain first and make sure theres a competent coordinated federal government effort underway to support the state and the traction ive gotten on just repeating the basics is reassuring. Bless you. The idea of supporting the governor and not doing the governors job is paramount for me to stress and we have now had governor abbott, scott who have done a bang up job. But now weve got two governors that could have easily folded from the pressure and they didnt. So i flew down to see him monday. Hes showing every leadership instinct out of a big state governor and hes on a small island fairly remote and removed. And hes marshaling the resources of 12 navy ships and all the aircraft support youd expect a threestar general to marshal. And hes doing it effortlessly and the same for the governor of puerto rico and hes dealing with problems that are unique. Ill tell you what weve done with puerto rico. We havent lost control but weve adjusted our business model. Not because theyre incompetent. Theyre not. And not because they lack skill or leadership quality but because theyve lost capacity. So if it you look that Energy Restoration workers that live there, and the emergency staff, 80 of them have lost their homes or in some ways their families have but theyve nevertheless suffered. So theyre augmenting the capacity. We help them pull resources and helping push them the way we traditionally do it. Thats something we learned after katrina and i know you experienced that. Were doing well. The governors are doing well. The puerto rico people are showing the same resilience and compassion we saw the people of texas show and i think thats a real testament. And maybe one defensive point. I saw people were criticizing the administration for not waving the jones act. So ill get technical on you. The particular law that prohibits nonu. S. Flag vessels from moving between domestic ports. Whether you agree with the merits of that law, its been in place for a long time and we often wave it when we need excess cutapacity to allow foren flag vessels to bring needed commodities, usually oil into the effected area. We did it in texas and particular with florida because the entire peninsula requires shipping by ship. It doesnt have a pipeline structure like the rest of the east coast. We did not do it for puerto rico and there are people asserting for political purposes were doing Something Different and therefore less supportive of the puerto rico people. Not true. Ill stand by this decision every day. The problem is requirement. We have plenty of u. S. Flag vessels and plenty of capacity to exceed the requirement. You only wave what is in your way. The problem is wunls you got the refined product to the island, you have to distribute it. But it has not been getting the product to the ilened. The message is we have american supplies being shipped to help american citizens and puerto rican citizens are american citizens. This is a good news story. Okay. Fair enough. Why dont you take a couple minutes if you would and give people the sense of the role and the life cycle of a disaster. Im not sure people really understand the sen centrality of the role. Counterterrorism, which global concern or cyber, which is a transnational or global concern. In the domestic context, its not just domestic. We had an earthquake that hit while we inner in ugna. And i was doing meetings and there was a hurricane. You balance this. And there has been some evolution in the last 70 years. But the idea of the National SecurityCouncil Staff, and were all staff. The president has been elected. Hes got authorities. The cabinet has authorities and money. The rest of us support this effort. The idea for success to kind of get over this policy making hill. So we articulate options for the president. And make recommendations for the president. Two different things. They have to be feasible options. And they have to be well informed recommendations. And we have to coordinate the cabinet and all their support staff with all their expertise. And then we have to help the president once he makes a decision on the other side of the hill track implementation. And thats where you can get into trouble. Tracking implementation and staying on top of it can be done properly, and we can have a sustainable number of meetings and have metrics of trust or have metrics of distrust and micromanagement and meet too often and irresponsibly and get in the way of their implementation schedules and hold them accountable in a way that ends up holding the reins too tightly and putting us in charge of operations. Every once in a while you have a staffer that decides they can actually direct operations out of the white house. When they get away with it, its just annoying and that 12,000 mile screwdriver we talked about. When we do it, there is no authority to support or worse, we end up with our allegations and so forth. The trick is to coordinate my level. I coordinate the cabinet. My deputys level, the deputy secretaries. And below that, the assistant secretaries or under secretaries. And you coordinate them and note all their positions and faithfully serve your role as coordinator, then youre doing the president a service. You f you wait until the last moment to explain to the president , and i can tell you that Ken Wainstein excelled at this. Often president s get, i dont know, a little cranky, right . Ive worked for two that are impatient at times because of the demands of their schedule. And they want to know what should i do, whats your opinion . And ken was pretty good. And he taught me this. Really good. Dont tell the president what he wants to hear. Dont engage in confirmation bias. And most importantly, start by telling the president the opinions of his cabinet members. Otherwise theyre going to resent you for being there close to all the time and it breeds all sorts of contempt and its bad. Your secretary of defense believes you should go straight ahead and your other three secretaries think you should turn right or maybe sit still for a little while. And at the on the other hand of that, you know, sometimes frustrating process, hell say gray, what do you think . And only then is it appropriate for i or general mcmaster, general kelly to give the president our personal views that will generally sum up what we do for a living. But there is a whole lot that goes into it. And i learned today that two staffers in the early creation of the National SecurityCouncil Staff actually worked to death. They worked to death . They worked to death. So im sure there was some other causality for those approximate cause analyzers out there. But there were two people that actually worked so hard that they died in the job. And i can tell you that the staff work 18 hours a day, and they cant afford to make a mistake. One of the young staff came up to me and said were sharing stories. He said i on my first day had an opportunity to go in and brief the president. I didnt know where i was or what was going on there a s a long story to it. And i ulterred a sentence. Thinking it was innocuous. And ten seconds later the president was on the phone with putin uttering that sentence. I said you have to realize the power you have around here and be careful not to say things that are glib or wrong or not factchecked. So its a high stress environment. And you have to constantly be on top of what youre thinking and doing because its a great honor. Its what we do. I can see the next allhands meeting tom has. I know you guys have tough work conditions, but youre not working yourselves to death. Thats right. Yeah. Back in the old days, they worked themselves to death. At least one of you. So look, at the risk of being to inside baseball edition, too geeky, but i cant help it. Im a geek. We talked about the changes to the National Security council. We had the nsc. The president bush and then congress established the Homeland Security council. You had Homeland Security adviser, now security adviser. And president obama game in and commissioned john brennan to do a review of the structure, make a recommendation. They recommended folding the two basically into each other. Homeland security adviser teamed up with the National Security adviser. And this administration has made some tweaks to that. That is sort of going through the history. How do you think it is playing out now . Because obviously there are a number of different concerns at play. One is there is a whole constituency of that is sort of the Homeland Security consistency that came the fore after katrina, and that we hear from. And there is always been a concern registered by them that maybe Homeland Security concerns, as sort of generally understood, might be subordinated to National Security concerns, the more traditional ones. How do you think its playing out . Do you think its a real concern . No, its a real concern. Its a good question. I can give you a short answer. We went from too hot, to too cold to just right. Where we are now i believe is just right. I believe that in my heart. Too hot meaning we had a separate staff coordinating the same cabinet by and large. We were constantly functional here and regional here for the most part in some form of separate cooperation. It was frustrating at the staff level. Am i the only person that held every job . The director, senior director, the staff, Deputy Assistant and then ap, which is kind of the triple in the cycle if you will. So what the obama team did i think understandably and rightly was to combine the two staff structures into one unified Staff Support model. But what they chose to do is take the position you and i held, or you held before and subordinate to it a degree. But they played a little bit of a trick there they had john brennan and lisa monaco i think this year be a deputy to the National Security adviser, but retain the same rank title and open door access to the president so as to avoid the concern that counterterrorism would take a back seat to lets say peace this the middle east. And so other people have opined that that was the case. I think you can just as easily attribute any policy decisions that were made in the last eight years to the president s preferences and not the organizational structure he adopted. But personals make a difference, and work structures do sometimes matter. What President Trump decided to do, i think wisely, and i spent quite a bit of time talking to him about this in transition was to take my current position and reelevate it to the position you held and that townsend held before you. And at some degree tom ridge and general gordon. So what weve got is a matrixized combined hscnsc staff under the name of the National SecurityCouncil Staff now, which is good. And its got that historic, honorable name and position. But its led by two people. Now h. R. Mcmaster, the National Security adviser, takes a special role and prominence here. And if there is any particular disagreement between he and i, especially if there is an International Flavor or component to it, ill awn see his judgment as he sees the world and the interaction as. But generally not. The president wants to know my view and his. And generally, he and i speak pretty much the same language, and were able the take different positions without being argumentative in any way. Whats neat about that is this matrix staff has a place to go. So if you end up feeling like maybe my point of view will be dismissed routinely because one of the two principles tends to not agree with my point of view, well, youve got two principles. And for the most part now, President Trump has become very comfortable with that. In the very beginning, just like president bush we had to constantly remind me, sir, i dont handle north korea. And hr says i dont handle cyberand hurricanes. So once he got that in the first couple of weeks, i think we demonstrated that this is the just right model. Id advocate it for the future, but personalities can dictate that. All right. You just mentioned cyber. And you are, i think, by all accounts, claim to be an expert in cyber matters. Youve been working with them for years. I remember you banging that drum with me when i first came in, the need to be a little bit more aggressive against the cyberthreat. Yep. I know you worked on cybermatters quite a bit in your eight years outside. Just give me sort of an open ended question. Where do you see the state of cybersecurity . Obviously the government is not the only player here by any means. But in terms of where the government is going and what plans you might have for firming up cybersecurity going forth. The easy part of that question is how do i see the cyberthreat . I see it as a trend line going in the wrong direction in a bigtime way. It is a shared responsibility between government, private actors. International and domestic. And individual accountability, which sometimes gets lost in this conversation. But the trend line on cyberthreats is going in the wrong direction. And the capabilities of the bad guys at this point are matriculating out into what we would have considered before a smaller or lesser threat. There is no such thing anymore. Weve got very advanced cyberadversaries that would be operating in what would be very small countries or nonnation state criminal organizations. These are things i think you already know. Weve talked about this quite a bit. There is a six or seven pages worth of dozens and dozens of recommendations i think youll see coming from us, the administration in the form of upcoming strategy, in the form of a nist framework update and there are a number of things youll see us do. But at the strategic level let me see if i can answer the second part of your question. I think its time, and i think this president will lead in this fashion, to articulate a better and different vision. So instead of putting forth a strategy that simply knits together our current capabilities in a way that address the problem, i think its time for us to start having a conversation as a country about what it is we can tolerate our government doing. Because our government needs to be more involved, i think, and i believe the president believes in protecting a broader set of national interests. Weve got certain Critical Infrastructures that are so critical to the functioning and survival of our country and its economy that we have to do more to protect them from foreign adversaries online. And i think its also probably a time for us now to concede that there is a low level, low intensity constant conflict going on online at this point every day there is no way around that there is no clear malefactor. There are thousands of malefactors all with their own interests. At this point we have to take the rhetoric of increased defenses and elaborate. Increased defense is going to impose a cost on the bad guy, on the malefactor in this case, whether he is a criminal or nation state actor. But its also going to do something a little bit different. Its going to impose costs. And that serves as a deterrent. But its going to protect news a baseline way that doesnt make us the most vulnerable country on earth. Right now this country, the United States is great for a lot of reasons. And one of them is we invented the internet, and we used it to great purpose. And weve created lots of different conveniences for ourselves. But in so doing weve also put ourselves in a vulnerable position that i think dictates and requires that we act a little bit more together. And maybe i can articulate to this audience something that i kind of hold in my world view. And i say that because youre mostly lawyers, i think. The idea here is that the analogies to war manual for those that federal good. Ill come back to that. But from my perspective, weve lost a little bit of the civil liability calculus here there is a Property Analysis here. At this point, weve talked about it as a crime or an act of war. But remember, too, that weve got the ability to exclude others from using our property. Not just the right to use our property or transfer without third party intervention. This is a fundamental part of the bundle of Property Rights that lead to capitalism itself. I think that ability to trade and use property as we deem fit without hurting those around us and excluding others from using it is a useful way of thinking about the role of government. We never in this country object to civil courts enforcing contracts and promises between two businessmen or women. We never think of that as get out of our lives, government. In other words, weve intentionally designed our government to separate it from religion. But weve intentionally designed our government structures to support our socioeconomic preference of capitalism. Because of that, i think we should recognize it and embrace it. And in lots of ways, rely on our government. I went to israel and announced our first u. S. Bilateral cybersecurity agreement with the israelis. And in their country, if there is a cyberhack, almost every one of their citizens says immediately well, where is the government . Its a fundamentally different point of view. They have a trust and a different view of their governments role in protecting them. Ive now been out on the record calling what they do a virtual iron dome, if you will there is a lot of benefit there. But theyve got a small country and the capacity to do that. We cant, even if we wanted to, and i dont advocate it, protect every network and system inside our country. But i think we can take some lessons from what the israelis have done. And i think the british have led the way on this. Theyve tailored that approach with their needs and their sensibilities of privacy, and they extended some governmentled defensive measures to those very critical components of their society that require some extra defenses in the name of National Security. I think that we should contemplating doing the same. So thats half of the deterrence model. Weve had an executive order that President Trump put thought the beginning of his tenure to also concede that we have to practice what we preach and start at home. And ill preach this to each of you. Ill come back to personal accountability. Protect your own systems. And if youre running a company, protect your Company Systems instead of worrying about what everybody else is doing. Often i see people that are cyberexperts preaching what everyone else should do, and theyre sitting on top of poorly secured networks and bad systems and antiquated software. Hardware because they dont want to put the money and time in patching and updating. And thats the kind of hypocrisy that doesnt set right with me. And so we started here with the federal government and decided that we needed to improve the security of the federal networks. And thats an effort that is under way right now. And it started with a very clear minded, cleareyed call that we need to stop supporting Antiquated Technology and immediately begin the procurement process reform of buying shared services and getting on with the fact that you cant replicate an Adequate Security model in every department and agency given the Budget Constraints and the jurisdictions and the expertise that we have resident in 190 difficult federal departments and agencies. And so President Trump put out pretty aggressive executive order that says from this point forward, shared service, cloud service, shared Security Services and modernize the i. T. Networks. Im really thrilled that people with a lot of business background like Jared Kushner and others have run that down to the ground and to handle the implementation coordination i talked about that. So weve put that in place. And hopefully we get a little bit better there. Just as anecdote, you remember the opm breach. Had we had defensible hardware and software, which we did not, we would have been able to prevent that breach. And i think that breach was one of the most costly in terms of the loss of probably a lot of your clearance backgrounds. I know mine and kens were affected. And then ill end with where i started in this shared responsibility model. And thats the second part of the three parts of our executive order. That is how are we going to handle the Critical Infrastructure owners and operators and the way were going to do it is bolster the fbis Critical Role and the secret service Critical Role. Partnering with our Intelligence Community when appropriate. But were going to further narrow what is critical from the list of Critical Infrastructure. And joe is here. He know how he started with the critical key sources. There were so many numbers in each sector that it became everybody becoming eligible. Weve narrowed it down to that very small group of what we call section ninth entities. I think thats where were going to end up focusing a lot of our initial efforts. And thats it. Thats the road map of where i think were going to end up. What i left out was the other half of the coin on deterrence. So thats the hard part. You can deter with defense. But you can deter by taking a kinetic or a punitive step. In trade practices or sanction. And when thats merited, i think we should reserve the right to act unilaterally. I know we will. I would explore acting in a bilateral way in between now and that great future day when we can have a croup of multilateral thinkers or shared allies, right. So weve got different ways of referring to it. The gge in the u. N. Is a great multilateral body. Theyve done a lot to get us to a place where we have agreed upon norms in the likeminded. I think thats great. Should it be commended. My experience is multilateral organizations arent very good at enforcing when there is a violation. If you take the u. N. Security council as a model, there are always other considerations that tend to prevent a group body from reaching a consensus to punish one of its members. I think what well do is reserve the right to act unilaterally in rare cases where punitive measures are necessary, prepare to act bilaterally to assure the public there was some degree of adequate evidence, attribution and proportionality in the force that we use or the sanction that we impose. But were not quite ready yet. And i think we would never publish our playbook. But i think its my sense and its the cabinets sense that we have to start doing and developing a record of conduct to examine, as opposed to thinking. Otherwise well never settle in on a subjective perfect sweet spot. Im not suggesting that we will dabble or play jazz music in an irresponsible way, so to speak. What i am suggesting that on occasion when its necessary to smack somebody in nose for doing something that is clearly wrong, that well do so. So thats it on cyber. Just that . That would be how i would have briefed you. And i honestly its probably the first time ive articulated that in public. So i really do respect this groups view on it. I know youve met for the last few days to think through all the thorny legal challenges that a company at a cavalier high level articulation where id like us to go. So i would encourage each of you to keep looking at what were doing. Because the number of interlocking laws and like its and considerations and motivations from the private sector tend to create bad and odd, weird unanticipated second and third tier effects. And thats what we always fear in policy making, that we do something that makes sense and it turns out to be a bad idea. That was a great sort of overview in a feast of food for thought on so many different respects. But i guess, let me just follow up on one of the last points you made about International Body that would have enforcement teeth to deal with cyberoffenses, especially by other nation states. Do you see that as being a real possibility . Do you see there being any movement in that direction . I agree with the circumstances. It just seems like the natural sort of way to address this ultimately. I know that there are some company, and i agree with a lot of what they say that advocate for this kind of Geneva Convention type of model. And i know there is brad is a friend. And i know that there is some attractiveness to it. But when you look into the implementation and you think about some of our friends and enemies who come out and say with great indignity, i cant believe you wont share with us all the information and all the data and intelligence that youve used to determine that somebody did something wrong. Its almost galling to see people on how easily they can lie to you with a straight face. So i think what you have to balance is our own national and selfinterests with the appealing but problematic notion of Group Consensus in an international forum. And in the cyberarena, i dont think that its right for international and kind of consensusbased enforcement right now. But thats the objective. Okay. Let me pivot over to counterterrorism for a minute. We had heard some very interesting insightful remarks from monika earlier today about where things are in terms of counterterrorism effort or the terrorism threat generally. And then also the effort to meet that threat, focused on the fact that isis has a shrinking base now, and thats causing it to change its mode of operations. As to that particular issue, where do you see isis going . Where do you see its threat manifesting itself . And then where do you see the broader areas of threat and how were trying to meet it both strategically and tactically . We are taking quite literally President Trumps guidance to annihilate isis from the face of the earth. And i know that sounds maybe shocking. But the idea here is that has two implications. An annihilation strategy quite literally in a military context is the difference between what we have as a country done previously which is to approach them and drive them out of a city, to now surrounding them and killing them. I know that sounds gruesome, but its absolutely merited. And that is how weve cleared mosul. And i believe thats how our partners approach the strategy with our u. S. Military is going to drive isis from raqqah. Now that said, we have still a significant land mass of middle east governed by isis socalled physical caliphate. Its going take some time to continue to operate in a way that shrinks their control over physical space. But the way i see it shifting, monika was here for a good reason. Because theyre going shift from physical space to virtual space. And were going to have to accommodate that. And were going to have to decide where our social sensibilities are in terms of what is and what is not viable online speech, but also from my perspective, i dont think there is any such thing as a First Amendment problem here. Terrorism speech just flatout something that should be removed. And generally speaking, a lot of it is so easy that its not worth the debate. Taking the video of a beheading off is easy peasy in my view. Were also going to have the take into account this diaspora account. Ive stayed in touch with lisa. Some people call it a snowball. You squeeze it tight enough and you see it squirt out there. Are going to be isis movers that are resilient. Theyve demonstrated the same resilience unfortunately as other previous advocacies in our history. And they find east different places to operator, different safe havens. What weve seen to respond to your first real principle there, theyve expanded into and this is not meant to be alarmist. But weve got now a terrorist presence both isis as they spread and return home from certain combat operations, but also al qaeda and affiliated groups, boko haram into 18 different nation states that are in various degree of instability or civil unrest or loss of government control. So at this point, id say its a co comparative analysis problem. We were conducting against two groups that we had kind of our hands around so to speak in our view. And i came back into Government Service and was blown away that we now have terrorists in a significant concentration head across north africa and all throughout the middle east. And now were tracking quite closely Ongoing Operations to take isis fighters out of the philippines. And youre seeing operations in ma where theyre fighting block by block. This is a truly alarming trend line of the global jihadi threat. And i think that weve decided to take a constant and applied pressure strategy here. And so this is not too complicated a strategy. But it is an increase in pressure. Its an increase in sustained applied pressure. And instead of just taking out high value target here and there, this administration is pursuing networks and their support. And those how i think were going to take it back from a spreading lawn into a more controllable and addressable threat. Now that said, we cant just win this thing militarilmilitarily. Were going to need the support of other nation states who have to care about their own safety just as much as we do care about their safety, if not more. And theyre going to have to contribute to it instead of just picking up the phone and calling us and say can you give us more help. The americans need schools in brooklyn as much as we need to defeat a terrorist in mosul. That said, though, were demonstrating some leadership. People werent sure President Trump would be able to do that. I can tell you he knocked it out of the park in unga last week. I was with him for all the meetings. The foreign partners that we engage with, and many were thrilled. We spent time between the president of the United States and small countries in africa and large leaders in europe. And i think it was absolutely masterful stroke. The speech aside, which i thought was good. But the speech got all analysis. What people didnt analyze is the fact he spent the entire week there meeting all day, all night with foreign leaders on real assistance. I think he showed some leadership there. And to get a unanimous vote out of the u. S. Security council against and with the same purpose in mind the behaviors of the North Koreans i think is also laudable. Its terrorism. But he is demonstrating kind of a consistency that people can get behind and defeating isis, everybody is on board. So there is more money there is a 68, maybe 70member coalition because weve added interpol and other members. And its breathtaking in its collaboration. Okay. At the risk of getting the hub because of time constraints, were going to pitch in. Express thought. Jointly held pet issue which is 702, which is shorthand for the amendment passed in 2008 and the authority within the faz amendment which allows the Intelligence Community to surveil nonu. S. Persons overseas for counterterrorism and other National Security purposes. And all the more important given the situation that youre diagnosing now where you have isis sort of metastasizing and spreading out. And you have a particular need then for surveillance to be nimble and to be able to move from one target to the next as National Security imperatives involve. Without having to go back to the fisa court to get an order from the fisa court every time you do that. Where do you see the debate right now . Where do you see the 702 reauthorization going between now and the end of the year . And what can we do to make sure that it gets passed . The administrations position, and im very serious with this, is a clean and permanent reauthorization. Period. Now im sitting next to and youre looking at the guy that is probably the worlds expert on this. So you want later to ask a lot of question, audit his court. You taught me this. You were behind this. You were the voice on the radio of the administration then, and fortunately not tv. But you were there is a reason i was on radio. You were behind the scenes. You were in front of the effort. And quite seriously on behalf of the nation we should be very thankful to you for getting that modernization put through. Now an understandable sunset provision causes that authority to expire at the end of this year. And the authority is for this. This is the laymans translation. It is the authority that allows us to surveil foreign legitimately argued the foreign National Security targets, right. Foreign ers on foreign land. This is not about surveilling americans. And were not aloud, in fact prohibited under this authority from targeting a foreigner here in the United States or a u. S. Person in the United States or a u. S. Person in a foreign land. All those things are prohibited. This is about foreign threats in foreign land. And if you understand it that way and start explaining it to those that are in decisionmaking cycle, i think youll help the cause of at least eliminating intentional confusion or conflation between other titles under the fisa law titles 1 and 3 tend to be where people focus. Some of the news of the day tends to focus us there. But this is about simply not just a warrant by warrant situation. This is about a certificate in a way that allows us to use actually, back up. Not use. The reason this exists is because the United States is very good and led the way in the internet. And now it cant be used against us that a foreign terrorist in a foreign land chooses to u. S. Internet provider or u. S. Software. Just because were good and they choose to use g mail doesnt mean we should handicap ourselves from being able to surveil that person in a foreign land that is trying to do something bad to us. I believe that the senate will end up demonstrating the leadership to put into place a clean and hopefully permanent reauthorization of the law, and that we then have to go out and educate as many house reps as possible to ameliorate their concerns that we might mistreat unintentionally target americans or mistreat the information that gets unintentionally collected on an american. And let me just address that very directly. Most of you know the wiretap history of this country. And you know that there are practices in place to mitigate the handling of information of innocent third parties. So if youve got a wiretap on a mobster, and the grandmother down the street calls and asks to take the trash out, there are mitigation in place to not record that type of information on that innocent grandmother. We have the same prohibitions and mitigation practices in place for incidentally collecting on a Third Party American that might be in email communication with a legitimate foreign terrorist, prince, target in foreign planned. So if we can explain that and you can get yourself to the point where you can believe my assertion, i think you will. If you look into it, you can help us educate the lawmakers who have to reauthorize this authority and encourage them not to think about a secondary kind of requirement where they say you have to get another warrant to search the data you have already collected. Go out and do your laurie job of educating those who feel that way to understand we have already collected it lawfully there is no reason to have a separate authority here to make us do what we have already done lawfully a second time. So thats where i assess it. Okay. Do you agree . Youre the expert. I completely agree, ditto on that. So let me just say this. Thanks to tom for taking the time for joining us. Thank you to all of you for having us. And also, i mean, sincerely thanks to tom for his service. We always thank people for the Government Service. But there is a cadre of people who are real professionals who step into the toughest jobs that come along in government at sometimes the toughest times. And tom is the example of that. I think we all owe him a debt of gratitude. [ applause ] okay. Ask you not to go anywhere. Were going to go straight into our next panel. Were running just a touch behind. You will not regret staying. This is going to be a great group. Tom bossert, thank you very much. Really appreciate it. Ken, thank you very much. Great job, guys. Tomorrow morning here on cspan3, the Senate Banking committee holds a hearing on the effectiveness of sanctions against north korea. Officials with the pressurery and state departments will testify about sanctions and diplomatic actions as the u. S. And its allies seek to deter north Koreas Nuclear weapons and ballistic mills programs. That getsin way at 9 30 a. M. Eastern live here on cspan3. Tomorrow, were live in richmond, virginia for the next stop on the cspan bus 50 States Capital tour. Former Virginia Governor doug wilder is our guest on the bus during washington journal at 7 30 a. M. Eastern. Join us as he takes calls and questions about Current Events and state issues. And join us tomorrow for the entire washington journal, starting at 7 00 a. M. Eastern on cspan. This weekend on American History tv on cspan3, saturday at 8 00 p. M. Eastern on lectures in history, university of virginia professor Gary Gallagher on the legacy of the civil war. The loyal white citizenry and African Americans and former confederates had very different takes on the war as they went forward after appomattox. They embraced versions of the war that suited their purposes. And sunday at 10 00 a. M. , president bill clinton marking the 60th anniversary of the integration of little rock central high school. Well, i wanted to say you did 60 years. Take a victory lap. Put on your dancing shoes. Have a good time. But instead i have to say you got to put on your marching boots. And lead us again. Then at 7 00 p. M. Eastern, on oral histories, we continue our series on photojournalists with an interview with darryl heikes. You always try to be any place, we did when we were working, especially the white house, to have the optimum lens in your hand and the maximum amount of film whenever something happens