Protecting privacy of american citizens while doing cybersecurity and promoting information sharing. Host so how has the focus changed over the last couple years when it comes to cybersecurity and protecting against cyber attack . Guest well, especially after a lot of the incidents that weve seen, for example be, the sony incident and the incident against opm in the federal government, theres been a a lot of focus on making sure that we have areas protected and parts of the economy protects that arent necessarily in the critical infrastructure, arent necessarily the major federal agencies, making sure that we have a lot more coverage, more broad coverage across a wide range of different entities. Everyone is at risk of having a cyber incident, and how do you go about making sure that you have the resources that those institutions need that traditionally have not gotten the direct funds or the direct information that they need in order to protect themselves. Host in your personal view, whats our biggest vulnerability . Guest right now i think its just that we have a lot of old systems in place, and the newer systems are better equipped to, in order to protect us, we need to be able to update those systems based on the known threats we have and Building Security into the networks themselves. So as the networks begin to grow, how do you go about building in security into those systems. You have to be able to upgrade some of the Old Technology that we have. Host and when you talk about the old systems and the new systems, specifically what are you referring guest well, the best example is, again, the office of Personnel Management case is where you have a system that was 25, 3035 years old depending on which pieces youre talking about, and youre trying to protect it today, and you dont really have the resources to do that. So you have to be able to upgrade some of those systems. You cant expect an 80s mainframe to be able to hold the kind of Sensitive Data that weve been, that we have in the past, over the past 30 years. We need to be able to upgrade to i new systems in order to do that. Host joining our conversation this week is Corey Bennett, cybersecurity reporter for the hill newspaper. Thank you so much. Obviously, related to a lot of the issues you mentioned, congress is trying to move a cybersecurity bill that would encourage information sharing between the private and public sectors. Tell us what benefits you think that bill could bring. The white house has been onboard mostly for this bill. Guest yeah. I dont want to overstate the importance of information sharing. I think that it is one key point. Obviously, i worked on it, and i do think that it is important. The key point here is as we begin to upgrade those systems as i was talking about earlier, those systems that have the ability to receive information and to automate this process of knowing when a threat comes in, you get that information can then be automated, get to the edges of the network, and we can build protection faster. So as we learn about a threat, we can get it immediately out to the edge of the Network Rather than it taking days, months or sometimes years to get where it needs to be to patch systems. So thats really the main goal here, is to create the ability to automate and to give people incentive to share that information that we need in order to find the threats faster. You mentioned you dont want to oversell it to a layperson whos watching this and might think, you know, how would this stop the breaches ive seen at target, home depot, etc. Would it stop those breaches . Guest well, again, if you can get to the point of having upgraded systems even at some commercial institutions, you get to the point of having upgraded systems that then can take in that information. So then it happens at one store, and all the information goes to other stores. Both of those incidents were malware that had been known out there that the systems just were not fully protected at the edges of the network. Its hard to get to that point today. But we can update those systems, get the information to where it needs to be and have them protect themselves, were going to be in better situations. Again, its not the only means you need to protect yourself. You need to do the regular patching, you need to be able to have hardened systems in the first place and make sure that you have the right, the right protections in place and look for the right things, have the training and staff that can do this in the first place, stop the incidents from happening in the first place is the best protection. So, but then, obviously, this is an added piece that can help us to move it forward. Host ari schwartz, whats the purpose of a cyber attack . Guest so theres a range of Different Reasons for Cyber Attacks. We usually in National SecurityCouncil Reserve the word attack for something that is really damaging, something where hinges are breaking, where Computer Systems go down, where computers are broken and cannot be used again. So youll hear me refer more to incidents in this case. Because when information is taken, it obviously causes a lot of harm, but were not talking necessarily an attack. It could be a crime, it could be espionage. We want to make sure we keep the language of when were talking about things like when the electric grid goes down or computers break and systems go down and we cant use them. To be able to separate out that language. You have these different purposes, depending, you know, espionage or industrial espionage in some cases or could just be crime, right . Or it could be many some cases people just want to make a point, and they use the means, the internet as a means to make their point, denying service to people, etc. That happens quite a bit as well. Host are these individual players who are creating these incidents . Be are they state actors . Guest were definitely seeing an increase of state actors in this space. We see a lot of countries now ramping up their abilities in this area, and it makes it a lot harder for folks to defend themselves. I want to say its growing exponentially, but it is definitely we are seeing growth. It seems exponential to the public because we have new tools now that we didnt have in the past, and that has given us this insight to the kinds of threats the incidents, the attacks that we may not have seen before. And now were seeing a lot more of it. So what has become public is certainly a lot larger than it was before. But it is growing at some rate as we and who are those countries that youre talking about . Those nationstate actors who are kind of the primary adversaries in cyberspace, and what do they want with u. S. Data . Theoretically china with opm data . Guest obviously, china, russia, iran has become an increasing player, north korea in the sony case, right . They were identified as the actor in that case. They want Different Things for different purposes. Clearly from an intelligence point of view, it makes sense to want to gather data, try to figure out who individuals are, try to pull many that information pull in that information and make decisions about it based on the information that you have from that point of view. Thats the main reason, but weve seen other instances where they just want to take down a particular company or service of some kind that they feel is in their national interests. And all theres a wide range of companies that have been targeted that you would not think should be, would be on the list of companies that a nationstate would be interested in. So it is something that almost every company in the u. S. And organization in the u. S. Needs to think about. A casino was supposedly targeted by iranian hackers because of Sheldon Sheldon adelo youre right. You wouldnt think of them as a natural target. Im interested in understanding exactly, you explained the difference between a cyber attack and signer espionage. A lot of the work we see from nationstates is cyber espionage. People warn that it is very possible. Congress is moving legislation on this. We havent seen it though. Why havent we seen it if were so vulnerable, and will we potentially see it because of the vulnerabilities that we have on our power grid currently . Guest its taking things up a level to do that, and so a nationstate would really need to want to take down the power grid and make a statement in order to do that. I think the power grilled grilled isnt, some have said its an imminent threat. Im not quite sure its imminent in that way, but it is a major concern. The electric sector has done quite a bit to build up its resiliency and to work in this area. Theyre improving, but theres still a big risk out there that things can be planted in advance and then used by a nationstate when they want to use it. And thats really the concern, are these companies scanning their networks regularly looking for things that we know are out there or things that we might not know are out there, things that look strange, and how do we go about finding those in advance considering its going to be to see things in advance and use it when they need it. Not to try and implant it and then put the attack at the same time. And there has been evidence that russian hackers, for example, are kind of sitting on networks, the power grid networks, just flushing out vulnerabilities. Guest i mean, nationstates are pinging each others utilities in general, and ill leave it at that. Sure. Guest you know, that is just a fact. Host ari schwartz, whats the responsibility, in your view, of the isps many preventing these Cyber Attacks . Guest youyou know, its interesting because we want the isps to play a role in security. As consumers, we expect them to looking out for our interest, as companies, but theres a question of how much you want them to look into your traffic. We have privacy questions about that. What kind of role do they play as, you know, a gatekeeper for the network, and what kind of role do they play just delivering the communications and making sure the information gets to where it wants to go. You know, the internet has grown the way that it has because we have had these open networks, and we want to be able to keep that going. At the same time, we want to be able to build in protections. The telecommunications folks and the isps are doing a lot more to try and figure out how to balance the two and get to the right place so that they are keeping the Networks Open at the same time building in more protections. Sometimes that means that they charge for those services, and sometimes that means that they provide them as a baseline service, and theres an ongoing debate on that issue. Host and given what happened in San Bernardino and the use of the telecoms, or the telecommunications infrastructure, is the pendulum swinging away from privacy again . Guest you know, its an ongoing back and forth, and the key really is to try to do both at the same time. I dont ive always been one, i worked on privacy issues before i came into the government. I was in the government for five years mostly working on Security Issues, but working on some privacy issues too. And, you know, we keep having this kind of ongoing discussion as though we have to have one or the other. You can either only have privacy or only have security. My view is they are both written into the constitution, especially from the government, the side of the government doing this kind of protection. We have to be able to do both at the same time. Thats what the American People expect. We should, we should do our best to do both at the same time and not take the excuse, basically, that we can only have one. Where should we draw that line, though . Senator dianne feinstein, for example, has introduced a bill that would require social media platforms twitter, facebook to report suspicious terrorist activity on their networks. Is that crossing the line . Is that too much of an infringement on privacy . Privacy advocates have said so. Is that crossing the line . Guest well, the social Media Community does that today. They do a lot of this voluntarily, and theyre improving their ability to do it and theyre investing more in doing it voluntarily. I guess theres a question of what more would you expect them to do if you mandated it versus what they plan to do in the future voluntarily. I dont understand in some ways i worry about capping that as well, putting it in legislation. Thats all theyre going to do as opposed to this push to say, you know, where are the lines here and how do we go about promoting it in a way that encourages hem to do a lot more them to do a lot more voluntarily and invest in and protect their users as much as protecting us as well. How do we get them to understand and to continue to invest in this space. Speaking of the pendulum swinging, encryption has been another issue that has come into the conversation in the wake of paris and San Bernardino. What is your opinion on encryption being part of this conversation and people using these attacks to kind of promote the fact that we might need an entry point into encrypted devices, we might need a back door potentially . Guest well, i mean, theres two sides to this. We often talk about this as a Security Risk versus privacy debate, and in real estate its for in reality in order to secure systems all the things you need to do to proactively secure systems rely on encryption. The greater use of encryption actually ends up protecting systems better. The question comes when something happens behind the scenes and Law Enforcement needs information. If you have layers of encryption on top of it, Law Enforcement cant get access to that to do the investigation. How much has that impacted Law Enforcement . Guest well, so far theres actually not that much evidence of cases where it has impacted Law Enforcement, but we are seeing this greater endtoend, push for endtoend encryption. I think it will end up securing the networks better. This is exactly the type of thing we want to see. I was talking at the beginning about moving to new technologies, and one of the benefits of new technologies is you can build in a lot more layers of encryption if theyre faster technologies without an impact on the performance, right . So thats what we want to do, is really build in greater levels of encryption into the system, right, so that its harder to attack, harder to penetrate. Those are positives. But when that happens, and it is going to be harder for Law Enforcement to get access to that information. So we have to figure out other ways to go about getting Law Enforcement the information that they need to do their job, and thats where the tension comes in in this discussion. How do we do that though . What type of alternatives are available . Michael mccaul has called for a commission on technology and Law Enforcement to, obviously, look into. Some people say there arent, there is not an alternative, there is not a way for Law Enforcement to get at that encrypted data. Is there an alternative . How do we get there . How do we find it . Guest well, i think there are a lot of alternatives out there, but when it comes to certain kinds of encryption, right . When youre talking about endtoend, theres less choices there, and thats where a lot of the debate is over kind of picking off wiretapping information in transit. But when youre talking about information actually being on a cell phone, you know, there are ways to store that information and get it even in this case the San Bernardino case, the information was on a cell phone. They tried to destroy their cell phones, it seems as though theyre still from what im hear anything the press stories, seems as though theyre still getting information off these cell phones even though the folks tried to destroy it. The same would be true i dont know what kinds of cell phones they were, but the same would be true depending on what type of, if it was encrypted or not, and actually that was the case in the french incident as well where someone was using a cell phone that had some encryption on it in terms of the trends thats natural, but Law Enforcement had access to that immediately. The full device was not encrypted, in other words. Guest right. But it was being backed up where they could get access to it, when they had the device itself, they could get information from it as well. So Law Enforcement was not hampered necessarily by that. But in that, even though there was some encryption involved in that case. You have to figure out what exactly information they need and how we can get it to them best depending on the type of encryption youre talking about and the tool youre talking about which makes it a lot more complicated of a discussion. Host ari schwartz, the move to the cloud, has it made it easier for Law Enforcement to get that information . Guest you know, its different in different instances. So, obviously, as you have more information in the cloud, if its not being stored encrypted, in an encrypted way or if its being stored in a way that the provider can get access to it if for some reason they need to, that could give Law Enforcement more, greater ability to access that under existing law. And existing understanding of law. But if its encrypted and there are stronger protections around it, it could eventually mean that theyll get less access to it. So in the short term, it probably means they have had greater ability to get access to information. In the long term, that might continue to be the case. Host to put it really simply, and i hate to nary row it down this simply, but Hillary Clinton has called for facebook and other social Media Outlets to get rid of these sites that are being used by terrorists. Is that, is that realistic . Guest well, i think what they can do, and this is what i was referring to earlier, is take down things as they pop up and monitor host but isnt that whackamole . Guest it is somewhat whackamole, but they have been able to automate a lot of that, and i think they can go further in that regard, and they from what ive spoken to them, they plan to do that. There is, you know, efforts to make it easier to do that, and i think we can take advantage of technology in order to be in our favor in this realm as well as when it works against us. Some of this speaks to as well the governments ability to conduct digital surveillance. We, obviously, this year just finished a big debate about a phone Metadata Program known as section 215. The usa freedom act was passed, we got rid of that. Were now going to have the battle coming up on internet surveillance, on section 702. What do you think there has not been as much of a unanimous push to eliminate that program the same way there was to eliminate the phone metadata protection program. Do you think that should be altered, changed, eliminated . What do you thinks going to happen moving forward . Or is it being proven that we need that in light of the recent terrorist attacks . Guest i think theres a difference in the way those two programs have been seen by advocates, but in particular by the commissions that have looked into this. Can you explain that . Guest privacy and Civil LibertiesOversight Board which is a Bipartisan Commission that was created by, Advisory Board that was created by congress that gives Public Comment on this type of activity, they especially as it relates to terrorism, they said that 702, there were some tweaks to it that could be made, but it generally was a good idea and explain exactly what 702 does for someone who may not understand the contours of it. I know its kind of big. Guest yeah. It allows information it allows Law Enforcement and intelligence to get more information from folks working with Companies Directly to get communication information under Certain Court supervision, i think is probably the fasters nonlawyer [laughter] of what 702 does. The issue, i think, has been and the other review that went with on was the president called for review after the nsa disclosures came out, and that board made very clear they thought 215 was a big concern, and they had a lot less concern with 702. Again, some tweaks to it they suggested, but i think that those two different groups making those kind of recommendations on this front changed the way that a lot of people are talking or changed the way when people were lumping those two together. Again, this doesnt mean there cant be changes to it, but were talking about it much differently than were talking about the telephone Metadata Program. What do you say to pryce add slow privacy advocates . This plays not only into 702 but also into the current debate about the cyber bill. The privacy concerns there have been its just another way to shuttle private data on americans to intelligence agencies such as the nsa, to the fbi . What do you say, the white house initially had concerns about that provision and has since come around as some of the language has moved forward. Explain your concerns and why, perhaps guest i think the white house is still concerned about it, right . Even in the statements of Administration Policy that theyve written on all the bills, they continue to raise privacy concerns there. But theyre supportive of the general bill overall. Again, the point being that we can do both at the same time. The question is what information is coming into the government, what is the government doing about it, and what is the oversight that you can put over it. One of the keys that the white house had when i was there and continues to be a concern is that to make sure this goes through a civilian portal. When information comes in to the government, you have some civilian entity looking over it. And the reason thats important is because that allows for public oversight. If its all going through nsa, through the Defense Department or through intelligence, the Intelligence Community, it is much more difficult to do the kind of public oversight that you need to make sure that the privacy controls are put in place that we must have. So that has been a key point for the white house. Privacy groups, obviously, feel as if thats not alone enough. Theyre concerned about how the informations shared afterward. So that becomes a key question about how you go about looking at these issues. Host arkansas key schwartz, were ari schwartz, would we be having this conversation were it not for Edward Snowden . Guest i think we would. You have to remember on this particular bill there was an earlier version of it that happened before the snowden revelations where the white house actually threatened a veto of it with this exact same point in mind, right . That said nsa is if this information goes straight to nsa as the original bill wanted, cispa it was called, then we would have no oversight over it, and it would be a major problem. And that was before the snowden revelation came out which often gets lost. The president has said this was something he cared about beforehand. That is one thing i really point to all the time to people to say this is proof that he actually meant that. He really there has been concern in the white house of the kind of oversight that you can do of the Intelligence Community publicly and how to go about addressing some of those privacy issues. That will continue to be the case even in the future as, you know, as we start to raise some of the concerns on the Security Issues that weve seen in recent months. Host is this an area overall of cooperation between the administration and the congress . Guest yeah, this is an area, i think cybersecurity has been an area where we have had a lot of bipartisan work and a lot of work between the administration and congress. And youve actually seen that starting from where we started with that bill that, where the administration threatened to veto. Weve seen a move toward the center here, and thats the reason i think on the part of congress the ability to come up with Bipartisan Solutions in this space has made the white house change its point of view which gets at your questions, your comments as well about, you know, how to why did the white house change its viewpoint. It has to do with the fact that there was this kind of coming together on Good Solutions that address the privacy issues, that show transparency in the space but still protect security and do a better job of getting information where it needs to be. What does congress, you mentioned that congress and the white house have worked together on this. Obviously, the white house would hike to see other things from congress. What else should they be doing on cybersecurity, what else could they be doing . Be. Guest yeah. Im not speaking on behalf of the administration. Guest my view has been that there is, that weve seen a number of cases where the agencies and entities that are being hit are ones that we would normally not expect that to be the case. Wed not expect that to be the case. And it turns out almost every time those entities dont have the technology that they need. We need to really think about how were investing in these agencies and these technologies. Traditionally, when it comes to terrorism, we give our money to fbi, dhs, nsa, the Intelligence Community, right . Those entities are the ones are seen as protecting us. Thats not enough host and finally, were almost out of time. I apologize. Youve moved on to a Company Called venable which is what . Guest its actually a law firm. Im not a lawyer. Were building a consultancy thats going to work with companies to try to help to protect hem, figure out ways to protect them in these different areas and build the protections up in ways that work with existing law, that can happen where people dont have to be afraid to look because hay know that they have they know that they have the ability to do things under the protection of Attorney Client privilege and at the same time use the new technology to search and find the concerns that are out there in the cyber area, cyber threats. Host ari schwartz is formerly the former senior director for cybersecurity at the National Security council, and Corey Bennett is with the hill newspaper. Thank you, yes men. Guest thank you. Cspan, created by americas Cable Companies 35 years ago and brought to you as a Public Service by your local cable or satellite provider. Today the Potomac Institute for policy studies hosts a discussion on the escalating violence in jerusalem and whats needed to create stability in the middle east. Scholars and experts from the region will be part of the conversation. Thats live at noon eastern on cspan. Special representative for afghanistan and pakistan Richard Olson testified to the House Foreign Affairs committee. He said pakistans becoming a more constructive partner in the region but more needs to be done to target terrorist groups operating there. Other topics included Pakistans Nuclear arsenal and u. S. Foreign sanction to pakistan. This is two hours. [inaudible conversations] this hearing will come to order, and there is a vote in progress, so my intention here is to begin the hearing, and then we will, we will suspend for the duration of the votes and allow the other members of the committee to come forward. But in this fashion myself and congressman poe can make our opening statements, and maybe some of the other members will be able to as well. So this hearing is on the future of u. S. pakistan relations. The committee has repeatedly urged pakistan to take meaningful action against key islamist terrorist groups operating within its territory. Unfortunately, pakistan which is now home to the worlds Fastest GrowingNuclear Weapons program has remained a fount of radical islamist thought. It was so surprise that one of the San Bernardino attackers, tashfeen malik, studied at a Pakistani School spreading a