Frameworks over time to help us address the issue of escalation in the more kinetic traditional role, cyber is in a different arena. Do you think you addressed sufficiently and for instance this event, are there others that give you concern that it leads us down a dangerous path, that everybodys looking for ways to deter, weve seen dangers, these attacks can cause, but you do want to raise the cost but you want to see the followon sort of cycle, are you comfortable we have a handle on how to deter americas adversaries from cyberattacks without creating a further problem . I think clearly the concepts of deterrence in the cyber domain are relatively immature. I dont think we are where we need to be, where we collectively need to be. This is still the early stages of cyber in many ways. So were going to have to work our way through this. Its one of the reasons why quite frankly im interested in forums like this because im interested in a broad set of perspectives, many of which are going to be different from what i bring to the table. Im interested how do we collectively as a nation come to grips with some fundamental concepts like deterrence in the cyber arena, how are we going to do this . You look at the threats were facing in cyber continue to grow. No question. Lets look at the bigger threat. You have iran where there is history back and forth. You have russia, frequent attacks in the private sector and government sector. And china, i have been in china where you have enormous costs to the business communities and the tens of billions of dollars plus, as we know, they target government institutions and pay leernt apparently have success stealing secrets. P. J. Talk about the coming cyberwar, it looks to me we are already to lowlevel war. These have real capabilities. Clearly i would argue that history has shown us to date you can name any crisis, you can name almost any confrontation weve seen over the last several years there is a cyber dimension to it. Whether, we saw in georgia, where what we saw in the ukraine, iraq, the challenges associated with isil. This is not something isolated. I think among our challenges as we move forward is, so if cyber is going to be a fundamental component of the world were living in and the crisis and the challenges were trying to do with, how are we going to work our way through that . What were trying to argue is, over time if we can get to the idea of norms of behavior, if we can develop concepts of deterrence that lead us to collectively to get a sense of how far can you go, whats aggressive, whats not aggressive, what starts to trip response thresholds, those are all questions of great interest i would argue, for all of us. It sounds like were not there, we have not developed concepts of deterrence we have a long way to go. I think i used the word immature. We are not where we need to be. No doubt about that. I want to ask you leon panetta used a phrase which im sure youve heard cyberpearl harbor. What does a cyberpearl harbor look like . My concern is an action directed against in my case as a member of the United States military, an action directed against infrastructure with the United States that leads to significant impact, whether thats economic, whether thats in our ability to execute our daytoday functions as a society, as a nation thats what concerns me. And youve seen some you look what happened with sony, you look at what weve seen nation states, something against u. S. Financial websites for some number of years now, those are all things were they take that financial piece, were that successful, where our ability to access funds, if that were really contested, think of the implications of us as a nation,s a individuals how to deal with that. Which states are capable of carrying out such an attack like that . Well, we previously talked about, you know, the big players in cyber, if you will, nations that we see active. Its a matter of matter weve talked about china and what theyre doing in cyber. Clearly the russians and others have capabilities. You know, were mindful of that. In general you wont see me going through a well, heres my assessment of every nation around us. No, i understand. Thats two right there, china and russia, already capable of carrying out such an attack. Thats concerning. Do you find in some of these smaller scale attacks there was one that went to the white house computer system, not the Defense System but still, do you find on the one side kind of showing off their ability a little bit and on the other side testing finding the weak points . I think nation states engage in actions in penetrating of systems in the cyberarena for a whole host of reasons. Among the two you identified. Whether it be the theft of intellectual property. I think depending on the source you use as nation, you lose somewhere between 100 billion to somewhere approaching 400 billion in the theft of intellectual properties. Certainly in the department of defense, its an issue thats been of great concern to us for sometime as we watch nation states penetrate some of our key defense contractors steal the enabling technology, if you will, that gives Us Operational advantage as a military. If i can we have a cyber audience here and i want to go to the cyber audience and give everybody a fair amount of time, but if i could touch on a couple other topics related to the patriot act expiration of 215 on june 1, i want to set aside the Privacy Concerns which are severe from some quarters. I would comment very legitimate. Those are very legitimate concerns for us as a nation as we try to figure out how we strike that competing requirement for security and acknowledging at the same time our rights as citizens as foundational to our very structure as a nation. It goes to who we are and what we are. Do well, let me ask you since you brought that up do you think that current for instance metadata collection, do they get that balance right . I think number one the metadata collection collects does generate value for the nation. Is it a Silver Bullet that in and of itself guarantees there will be another 9 11 or there wont be a successful terrorist attack and my comment would be no. If thats the criteria you want to use, i would be the first to acknowledge its not the Silver Bullet. Its the one component of a broader strategy designed to help enhance our security. At the same time we also realize that in executing that phone record access that we need to do it in a way that engenders a measure of confidence in our citizens, that its being done in a lawful basis, with a specific framework and that there are measures in sight, in place tone sure that n. S. A. Or others arent abusing their access to metadata and thats fair and right for us as a nation. Let me ask you a question because id like you to quantify the value that is generated for the nation. Early on when the program was revealed, i was reporting this heavily at the time, the administration banded about a figure 50plus thwarted. Over time that figure was windled down by among others, whittled down among others senator Patrick Leahy the metadata, even down, he would argue, to zero, where the metadata itself was necessary where other programs could not have accomplished the same thing. Can you identify a specific plot that without the bulk collection we wouldnt have been able to have identified . In large and classified forum, im not going to do that. Does one exist . But i will say this, i base my assessment on the fact that i truly do believe it has generated value for us. Can you prove to me without this you wouldnt have forestalled an attack, if you didnt have this you wouldnt have been able to forestall an attack, the criteria i would argue, if you use that then it would argue things like, well, why do we maintain fingerprints . If you dont prove to me collecting fingerprints would forestall criminal activity, why do it . I would argue thats not the criteria to use. Dont you think theres a higher standard for this because we dont fingerprint everybody in this room, you fingerprint when you have a reason to fingerprint . If you look at the amount of frint information. Global entry. Set aside the Privacy Concern for a moment, because it is others its officials from inside the National Security not industry but institutions of government, f. B. I. And others who are concerned that they will lose tools that they find extremely useful go after tangible things, Hotel Records etc. , in the collecting phone metadata information, quoting f. B. I. Officials than myself, see as less important . To be honest, i never heard that argument. Nor is it a conversation that the director of the f. B. I. And i have. We talk regularly. You dont and other issues. You dont think the fight over metadata could hold up, particularly when we speak of the renewable or extension of 215, other tools in fighting . Yes. The value of this effort and the Legal Framework to continue it is a conversation we need to have in an of itself. So what do we think . And does the program as currently with the amendments that were directed by the president or changes that congress may remember this is all derived from a law passed by congress, patriot act, specifically section 215 of the act. And should congress decide as at the look at because no action is taken, the authority expires on the 31st of may 2015, in that case the first of june we will no longer be able to access this data and generate activities overseas and potentially activities in the United States. Remember thats what drove this in the first place. In the aftermath of the 9 11 attack, if you read the 9 11 investigative report, one of the comments made in the report was, hey look, you had in at least one instance phone kecktift between one of the plotters who connectivity between one of the plotters who was in the United States to those back overseas. Guys, you should have had access to this you should have connected the dots. You should have realized there was an ongoing plot in the United States. That was the genesis of the idea of how can we create a Legal Framework that wean able us to make a connection between known activity overseas tied to a nation state group, a set of individuals, how could we try to take that overseas data and see if there is a connection in the United States and how could we try to do it in a way that protects the broad rights of our citizens . That was the whole idea behind it. So i would urge us in the debate on this, and its important that we have a debate, not to forget what led to us do it in the first place. What are the prospects for renewable extension, 215 specifically . To be honest, this is where im glad to be a serving military officer. I have no idea. This is just beyond my expertise. I realize its a complicated issue. If you lose that will that greater hamper your ability, the n. S. A. s ability to thwart terror attacks . Do i think if we lose it makes our job harder, yes. On the other hand, we respond to the Legal Framework that is created for us. We at the National Security agency do not, do not create the Legal Framework we use. That is the role of the legislative branch and we as we interpret the legalities of the law that whatever framework thats developed well ensure it was executed within the appropriate Legal Framework. Thats what i know as director of the n. S. A. Let me turn to counterterror. A lot of talk when i speak to intelligence officials they will acknowledge that terror groups have altered the way they communicate, post note. And thats made a difference. I wonder if you could quantify or describe how much thats hurt your capability . I would say that it has had a Material Impact in our ability to generate insight as to what terrorist groups around the world are doing. Id rather not get into the specifics because i dont want them to have any doubt in their minds, we are aggressively out hunting and looking for them and they should be concerned about that. I want them to be concerned, quite frankly. Im concerned with the security of our nation. Im concerned about the security of our allies and their citizens. So anyone who thinks this has not had an impact i would say dont have dont know what theyre talking about. Have i lost capability that we had prior to the revelations yes. How much does that concern you . It concerns me a lot. Given the mission of the National Security agency, given our footprint around the world, i mean, us as a nation. When i think of our ability to provide insights to help protect citizens wherever they are, whether they be out there doing good things to try to help the world, whether they be tourists whether they be serving in an embassy somewhere, whether they be wearing a uniform and find themselves in the battlefields of afghanistan and iraq today, clirle im very concerned clearly im very concerned. As well as our key allies. Do you develop new have you found yourself force to develop new capabilities to make up for the lost capabilities . Right. To be successful we have to be an adaptive, learning organization. As the profile of our targets change, we have to change with it. I wonder if i could turn to i want to give time to the audience this time back to intelligence reform to some degree. So recommendations 24 and 25. We havent talked about it. This was big news a year and couple months ago. As often happens in washington i have not memorized it. Neither have i. I just happen to know it was 24 and 25. One was splitting cybercommand, military leadership, civilian leadership to the n. S. A. Of course we have you. Right. Do you think thats a problem . No. I would argue where u. S. Sign remember command as many of you may be aware, i am both the commander of the United States cybercommand. So an Operational Organization within the department of defense. As charged with defending the departments networks as well as if directed defending Critical Infrastructure in the United States. Thats my u. S. Cybercommand role. In addition im also the director of the National Security agency. In that role two primary missions. One is foreign intelligence. And the second is Information Assurance. Given the cyberdynamics were seeing in the world around us today that Information Assurance mission becoming more and more critical importance. So discussion in the past about a year ago now little bit longer, about so should you separate these two jobs . Should you have an operational kind of individual running u. S. Cybercommand and then have an intelligence kind of individual running n. S. A. . The decision was made at the time which i fully supported it when i was asked as being interviewed for potentially to fulfill these jobs, my comment was given where u. S. Cyber command is in its maturity and journey it needs the capabilities of the National Security agency to defend u. S. Infrastructure and defend the departments networks. Combining both intelligence and operations in the same way we have seen and the lessons of the wars in the last decade that integrating these almost seamlessly generates better outcomes. Thats the case here in my mind. And the president obviously has come to that conclusion. Has come to that conclusion. Do you think the pressure is off to some degree . You remember this pressure. This is when your predecessor was still in the hot seat. This was enormous focus from inside, outside washington. I know we have this deadline coming up june 1, but its not the same tenor. Do you feel the pressure is off, that worst fears and concerns have either been forgotten . I wouldnt say forgotten. People would say, ok, now weve seen this work under two different individuals. We seem to be comfortable that the construct is generating better value if that were to change we would have to clearly relook at it. Thank you very much. Im still going to ask you questions. I want folks to ask some questions as well. I know we have a microphone going on. I know we have questions coming in via social media ill wait for those. Why dont we start with the crowd since you took the trouble coming here today if i could right here in the center of the audience and shes coming right behind you. Yes admiral, thank you for coming. We were talking about the sony attack earlier and we heard the Justice Department is investigating it as a criminal matter and weve seen sanctions. What is exactly your role in this . Not just identifying this, but do you see any action that you intend to take or have taken in response to this . Well, im not going to get into specifics what, as a member of department of defense, putting on my u. S. Cyber command role, if you will, what we may or may not do. I think the president s comments about were going to start with economic peace and then we will look at over time the potential of additional options or different applications capabilities. That the Positive Side i think is the immediate actions. Remember, the hack the destructive piece occurred in late november. On the Positive Side several months have past and we have not seen a repeat. I think it was part of the entire intention, look, this is sun acceptable. We dont want this to this is unacceptable. We dont want this to happen again. In the near term it has had a desired effect. As i said coincidentally, i was testifying in the house. I said, look, its only a matter of time we see this destructive offensive actions taken against critical u. S. Infrastructure. I fully expected, sadly in some ways my time as commander of the United StatesCyber Command the department of defense will be tasked with attempting to defend the nation against those kinds of attacks. I didnt realize it would go against the Motion Picture company, to be honest. If i could just follow on that. During this one phenomen