Skip to main content

tv   US Senate  CSPAN  October 6, 2016 10:00am-12:01pm EDT

10:00 am
getting dhs the authorities, this bill we're trying to move through our committee moved back in june and we are working out to get to the house floor that we are basically restructure, streamline, organize the can more effectively carry out the authorities we just gave. ..
10:01 am
so do you think of various bills we are trying to get an act to do nothing doubt. we will see pa >> host: would've gotten a couple questions from twitter. isn't the u.s. involved in cyberespionage as well? discussion seemed to suggest u.s. and american that are innocent victims. >> innocent victims. i think everybody, large countries and even emerging economies are seeking the power of cyberand how the world has about today and the internet permeates every way of life. and so, it is how you execute the national object is within that perspective domain. some countries might be to bolster their economy did others might be to go after terrorists.
10:02 am
others may seek to undermine an election. it really just depends on their days. as to who is a good guy and a bad guy and the motives behind leveraging that domain to enable that respect to the nation. >> the next questions and a little bit like a plot. we talked about international attacks it is very a chance to see hacks between parties? michael, and a comment that one? >> i think and hope everyone is working on supporting their candidates through winning the election. is it possible for there to be another water -- watergate like reagan. hopefully people are smarter than that now. >> absolutely. i know our video team has a clip cued up from the last presidential debate.
10:03 am
clinton and trump comments on cyber. there weren't very many of them. we might take a look at that and lead into our next question here. video if we've got that. thank you. >> waiting to make it very clear whether it's russia, china, iran or anybody else. the united states has much greater capacity and we are not going to sit idly by and permit may not yours to go after her information. we don't want to use the kinds of tools that we have here we don't want to engage in a different kind of warfare. though we will defend the citizens of this country and russians need to understand not to i was shocked when donald publicly invited putin to hack into america appeared in makassar cyberi read. we should be better than anybody else and perhaps were not. i don't think anybody knows it's russia that broke into the the.
10:04 am
she's saying russia, russia, russia. it could be russia. it could also be china or somebody sitting on their bed that weighs 400 pounds. >> if we could go down the pan all, i would be curious what questions you can presidential candidates should be able to answer about cyberin this day and age and what do voters need to know most about the topic in order to evaluate candidates? >> they need to take it. sleep. they need to understand the seriousness of the consequences. one of the most difficult things about it or in retaliation of the consequences of that retaliation and keeping in mind and i'm sure the presidential candidates are aware of this that our economy, our internet
10:05 am
economy, internet life is very fragile. so go into cyberwar with a big country like russia or a smaller sophisticated country could result in grave consequences to our economy and critical infrastructures to the difficult and because it hasn't been that kind of large-scale com like to have that waged before. there's a lot of thinking and a lot of caution going into what the next steps should be. >> if you look over the last several years and how we have worked in the congress on a bipartisan basis to get important foundational cybersecurity legislation through going back to the fabulously past and 14, the big one we passed the cybersecurity act, those are bipartisan efforts to address a threat to national security, economic security issue in going into the next administration, it important we realize this is the
10:06 am
number one we've heard that this is now the number one threat we are facing a nation. i think in the next administration, investment ever security, there's a lot that needs to be done to beef up and make stronger our national cyberdefense strategy. we need to do more to show adversaries that there will be consequences on cyberattacks take place. anyway, i think that would answer the question. >> i would answer it to full good one of the best ways -- is my microphone not working? can you hear me now? how about now? i am speaking, speaking, speaking. no? well, i will try to speak loudly. two of the best things that can
10:07 am
be done is on the frontline is basically to have additional poll workers. so basically having additional poll workers so that they can see what is actually the best way to see the administration elections from the end i appeared becoming a poll worker allows you to do that. the other thing i would add is that both president roche and president obama added millions and billions of dollars for the administration of elections. i would hope whoever becomes president looks at elections not just in terms of november coming out, but as we go on because elections happen every two years and stayed than locals are at their wits end in terms of funding for schools, roads, military and so forth. we all know that those things are important but our democracy is also important and we have to make sure we have investment into it. >> rich, do you want to close us out here?
10:08 am
i will go and alive here. you know, i think our next leader and/or any new world leader is going to see and understand how important the internet really is again to everything from our economies to elections. it is really a new domain that we open a lot of power and i think it needs to be respect it and understood. it is certainly complex into these asymmetric threats that to wield it, you know, there needs to be norms that are established if there needs to be greater understanding what the art of the possible is. it is certainly interesting time that we can see the effects that the internet holds not only here in the state, that maybe the
10:09 am
world writ large. >> rate. >> rate. help me thank our panel. [applause] >> there is actually a long history of the russians tried to interfere with the war and influence elections going back to the heyday of the cold war. there have been several documented cases of previous elections where it appeared that they were trying to somehow -- there is actually a long history of the russian trying to -- [inaudible] is actually a long history of the russian trying to interfere or influence elections going back to the 60s in the heyday of the cold war appeared several
10:10 am
documented previous elections that we are trying to somehow influence the election. there's a history history of tradition and russia of interfering with elections. so i shouldn't come as a big shot two people. it is more dramatic because now they have cybertools that they can bring to bear in the same effort. you know, this is still going on. i will say that it's probably not real clear whether there is influence in terms of outcome or what i worry about morphing me it's just sewing these out where doubt is cast on the whole that that -- process.
10:11 am
>> rate timber, national technology reporter at the "washington post." we are here to talk about cyberwar. this is a minute or two to your questions and comments using hash tag wp cyber. i'm not going to run the audience like phil donahue. immediately to my last or maybe a read if you're watching on tv is one july day, chairman and cofounder of the financial integrity now for a deputy assistant to the national security adviser for combating terrorism under president george w. bush. richarda lake is achieved strategist at fire i appeared he was previously director for general electric who started the officer in the air force. on the fireside over there is frank salute though, the associate vice president at a redirect the center for cyberin homeland security.
10:12 am
let me start with a general issue that is a journalist i wrestle with all the time which is what we mean when we talk about cyberwarfare? a lot of folks read about in the press and some of us write about espionage. what is cyberwarfare? frank on the end. we make thank you, great. a lot of the coverage of cybersecurity today reminds me of kids soccer. everyone is swarming the ball, chasing the shiny egg. we need to recognize not all hacks are the same nor are all half yours. their intentions very. there capabilities scary. if you were to staff the threat environment, obviously you've got nationstates at the top of the list. those at the top of that list are those integrating computer network attack and exploit into their war fighting strategy and doctrine. this terrorist organization, but not all hacks are the same. they are very different.
10:13 am
countries that are marshaling to mobilize income of cybercapabilities into their war fighting strategy and doctrine are the countries that get the very top of the list. from the u.s. national security is, obviously russia and china are the very tops about this in terms of capability. a lot of what we've seen is espionage but with most than intelligence preparation of the battlefield and integrated cyberinto their war fighting strategy as we saw in crimea. doesn't be the very top. you've got other countries that may lack a capability of russia and china but what they lack the capability they make up for with intent. this is where you put north korea iran more likely to turn to a disruptive or distract his cyberattack. they've got fewer constraints in those capabilities. not all hacks are the same. on the nationstates are the same.
10:14 am
and the medley and hinges around intent. in other words, if you can ask why, you can attack. the wine is very thin and is now upon the intent of the perpetrator. >> richard, do things need to blow up or break for it to be cyberwarfare in your mind? >> my answer to cyberwarfare if you want people to pay attention to it. either called cyberword to be sure to get a month attention. my definition of cyberwar is the imposition of will using a digital means. there are two schools of thought. one school of thought which is the school of thought of my phd advisor for rhoda both called cyberwar will not take lives. the reason he called the book bad is because he believes war equals violence and if you don't have violent you don't have war. he believes cybercannot be used to impose violence there for cyberwill not take place.
10:15 am
there is one school of thought there. another school of thought says that much more expensive and this is for the russians and chinese tend to think about it. they believe war is not just violent. work can be any means by which you are trying to get your way. in fact, they tend to come from a tradition, especially the chinese that they are much better off not writing. so i tend to take the position if you are well using a digital means, that could mean why. you step a little bit further. we may be in a situation by the army 10, 15 years where it is so integrated to every aspect of life even more so than it is now. and as 35, is that a cyberweapon? an f-22 could be considered a cyberweapon because the benefits it has this network with others fighters throughout the
10:16 am
battlefield is that we tend to think about it. >> of iran, for example, if he is cybertools to attack a big u.s. tank, is that an act of war? >> and a bit more forgiving. i think we are in time to uncharted territory because you have a blend of fact there is state and nonstate in attempting to acquire data and destroy systems. you have this change of concept of what warfare even means. the notion of russian warfare in terms of cybercapabilities becomes interesting. currently as we think of it, we don't think of the cyberwarfare tools until there's an element of destruction. something that is demonstrable.
10:17 am
part of the reason we haven't had as much awareness around these issues as we've seen nationstates and nonstate engage in cyberespionage and data execration. to answer your question specifically, the fact we do have nationstates are private act to us. you have entities attacking western banks as part of a denial of service set of attacks not to start to come and is certainly to send a message. you've had north korea attacked south korea banks as well as sony. you got other state actors like russia attacked her systems government and non-government. when you have a play is an open field in the cyberdomain were actors are feeling a balance of what is permissible. one of the great challenges is how do we define the boundaries of what is except the ball or not. how do we respond and that puts
10:18 am
great stress on things like how do we attribute attacks? and frankly how do we respond in a proportional commensurate way without a machine unleashing another force is a rather warfare. it is part of the reason you have it been officials wanting to be too open about russian hacks despite what we said above our heads. there has been a reticence to do that because it raises fundamental questions about the endgame here and that is not well-defined. >> can i pick up on a couple quick points here. all forms of conflict today and tomorrow, almost 100% unanimously have a cyberdimension component to it. to pick up on some of the points of my esteemed colleagues raised cyberis its own domain, but those who are integrating attack tools into the other domains, air, land, sea, space. that is where cyberis not its
10:19 am
own entity but it enhanced his lethality of conventional weapons in different domains, enhances the ability to seize territory. i think it is important to recognize that the battlefield today has been extended to incorporate all societies and companies are on the front nine. that is what this makes us different is the targets are not merely government and government targets or the like. but the financial services sector. the recent attack to me is one of those incidents that rises above the poll not because the central bank of bangladesh bus $82 million. as we know it could have been $900. that we can absorb. a day for banking customers. the global economy could absorb it. but it did recognize it's a systemic risk. the service that is dependent upon switching is a hack through sweat billions of dollars of transactions had been settled
10:20 am
daily. these are the different targets and ukrainian hackers a big deal. not because they're losing power for a couple days wearing a cyberwhat didn't have economic physical effect that took empowered. >> to sum up a little bit if there is a kinetic physical effect that is clearly cyberwar and it sounds like cyberwar is actually going to be part of in the united states would get into in the foreseeable future. if we are actually at war with someone, we are going to be sending them back at us and then capacity. i want to pick up either attribution problem. this is one of the things we think about about when we hear someone on the record, sometimes not on the record is silent so attacked so with though. yahoo! said it was a state concert actor. it's hard for us as to find out if that's true. it is solved a hard for the
10:21 am
technical ex-earth to even find his true and this creates enormous problems. in the old kind of work they shoot at us and we should do. that sort of fits into a kind of strategic moral framework that makes a to all of us. i want to start with you, richard. are we ever going to know who is shooting at us well enough that we feel comfortable shooting at? i'm talking in a nationstate level. >> absolutely. we know all the time. >> how do you know? >> by 2013 mandate report, there were indictments that were levied based on that. there were certain elements that they would not even believe if there were a camera on a person typing on a keyboard, hiking into an american bank. they would say that is that the
10:22 am
cia created as a plot. because they didn't land on the moon apparently. let's remember it astounds me that people doubt the ability of the u.s. government to do attribution after the snowden revolution. if the attack was on his own you've got to believe that. the fbi may not have been the best vehicle and what they release will not satisfy the community which i totally agree with. for example, looking strategically at the policy level, president about ms. not looking for a fight. to come out and say it was the north koreans did introduce a whole level of complexity he really doesn't want to address. >> president obama will be president for a few months. depending on your point of view whether it's hillary clinton or donald trump, maybe your comfort may go up or down. as someone who sometimes as a journalist lives on the out side
10:23 am
of these things, let's talk about the attack which reciprocated the u.s. move in a much more forceful way. that turned out to be basically not true. we all reported investor at the time because we didn't know better. even if the u.s. government could now, how could the public he reassured to any extent that it is worth engaging in hostile action that it may involve weaponry and death and distraction if we just have to kind of the leave the nsa or the president. >> it's a fascinating and important question because i think there has to resolution. the technology has really danced in ways that are credible in terms of cyberforensics, not to mention overall cyberintelligence assessment that the government can bring to bear with manchester and the guidelines above but everything else they have at their command.
10:24 am
the problem is to your point there is a sense in the public and internationally of how do you prove it. much of this is migrated to the public that her. companies like fire i argued that they are too close to the government that there are private sector entities serving as an external validator's. you have companies doing this work internally. this isn't being left to just the u.s. government. the challenge the u.s. government has faced is twofold. how do you prove this in a way that doesn't demonstrator reveals her since i met dave that will make it more difficult in the future. that is the first barrier. that was a criticism in the sony had. in fact one of my colleagues at harvard law race question as to whether we could believe the fbi to your point. the second problem, which is
10:25 am
okay, but they would you attribute the attack as we do with north korea, what then? what is the right response? should it be cyber, should it be sanctions, should it be something else? again, we haven't figured out the stock trades. you're absolutely right that a key element is how do you prove it. either way, adversaries know that. china and russia, the first question publicly and diplomatically every time is per day. how can you prove that we've done this? not to mention a moral equivalency argument everyone does it. >> these sites are almost inevitably going to end up being asymmetrical. we may have the best weapons in the world but i presume we are not down north korea's electric or degrade. so if we got any real kind of shooting war where we are sending cyberweapons across the
10:26 am
internet to damage people we believe have damaged as, how does that go when anybody with a computer can potentially disable a water plant or change the way the water is going to a nuclear plant. isn't this like -- doesn't this get very messy very quickly? >> absolutely it is complex. attributions improve x eventually in the past few years but it is by no means 100% i peered at the end of the day knowing who is behind the clickety-clack in finding the smoking keyboard is not easy to do. especially because most of the actors that are very capable are going to be using proxies or surrogate to do their bidding anyway. they'll try to send the muddy footprints anywhere back to their doorstep. that said, there is a difference between having the cyberequivalent of a drive-by shooting capability where you can have loan at yours cause
10:27 am
disruptive harm to a particular target in a sustained attack capability. so yes, any kid 400 pounds or less can actually sit in their basement and attack someone. but that is not the same as a nation state. ultimately here is the other thing. don't think that the only means we have fractured nation of cybermeans. we've got other intelligence capabilities. that is why we don't mean go forward because we would be compromising other potential sources and methods. it is a complex set of issues. if your entire attribution is based on cyberfor a next come of the best actors are going to run circles around you. but if you have other means in addition to that historical trend to see what their ttp, tack ticks, techniques and procedures, you can put that together. be not having eliminated the
10:28 am
reasons this is a complex matter for the u.s. government and cyber command, what about the private sector? if you can't hack, and you know who it is, is it ever okay is that after hacking back against the nationstate? >> absolutely. i've written a paper in arguing for a cyberprivate bottle. keep in mind in our constitution section one, article they that congress has the right -- letters of market reprisal, which was in the context of a maritime security domain that was not controlled by state actors privateers another actors that had the ability to influence maritime security. we are in a similar context for over 80% of the cyberinterest rapture is held in private that your hand or the internet of
10:29 am
things is becoming more and more predominant and frankly the capabilities to understand vulnerabilities in real-time so that the private sector. we have to think differently about what our model of defense looks like. we have to do these things. attributions shaped the international norms and landscape. he got to create redundancy and resilient than take some systems offline. but you also have to think creatively about how we work public and private with each other to create a model that allows act of defense, that doesn't wait for the proof of concept. the prove to be indicted in court to be able to react in real time. i think the private sector -- >> will take a break here for a brief senate is the u.s. session. they will quickly train to him and then act out as no u.s.
10:30 am
the presiding officer: the senate will come to order. the clerk will read a communication to the senate. the clerk: washington, d.c., thursday, october 6, 2016. to the senate: under the provisions of rule 1, paragraph 3, of the standing rules of the senate, i hereby appoint the honorable bill cassidy, a senator from the state of louisiana, to perform the duties of the chair. signed: orrin g. hatch, president pro tempore. the presiding officer: under the previous order, the senate stands adjourned until 2:00 p.m. on friday, october 7, 2016. october 7, 2016.
10:31 am
>> comic goldilocks, too hot, too cold. in all sincerity and i have rarely had an unspoken thought, so i will try to be brief. we are releasing a major study at the end of this month on the 31st, of october. i think that there is much more to the active defense set of issues that right now are gray areas, short of hack back, long of higher walls and motes. at the unit of the day we will not fire while our way of this problem. we can simply defend, build
10:32 am
firewalls, deeper motes protected by bigger lot that's like every time we have our homes robbed we call the locksmith. cybercrime is literally the only crime i know that we still blame the victim, not the perpetrator. we have to get to the fore to have-- point of a deterrent and impact on the actor and that does include taking more proactive steps, but i would say short of hack back intended to be retribution, but there are things technically, so the question is what is your network now. the perimeter is totally blurred i don't know in the cloud what outside your perimeter is today, but there things you can do in terms of beacons, honeypots and all sorts of things that are technically capable, but legally questionable. our laws are still stuck in 1986, literally before the world
10:33 am
wide web is what it is today, so we have to question some of these things. >> we are going to do like a lightning around here. we will start with you on the end, frank. what would you say to her he clinton and donald trump about cyber war as they prepared to potentially become commander-in-chief. >> they better get comfortable with the issues and get comfortable with the fact that you are not going to get the smoking keyboard all the time. there will be ambiguity just like in the counterterrorism environment all the time. cycling, rules of engagement. we need to define what our rules are engagement are per computer attacks and thirdly, we need to articulate and more importantly demonstrate a cyber deterrent capability where we put pain on the bad guys. >> richard. >> it is a myth that an individual can have a strategic effect on cyberspace. the stuff that really matters will take place over days,
10:34 am
weeks, months and possibly years and require teams of individuals who are working against hopefully teams who are trying to defend, so we need to have that longer-term campaign model and the ultimate answers generally lie outside of cyberspace. >> i would say you have to think differently and come up with slightly different models for how we deal with this issues. models for how we shape the environment and i agree with frank that that area of deterrence is not well defined as we were in the nuclear weapons age where we would have too defined doctrines, responsibilities and deterrence. we will have to find a new model for public-private engagement, and that rebuilds trust in the post's noted area and maybe come up with elements of active defense and third, we have to think about new forms of resilience that may actually mean pulling key systems off-line and running against the market trend of putting things on the internet and connecting them.
10:35 am
>> thank you all for being here today and thank you for listening. if we could give a round of applause to our panelists. [applause]. >> look at that. that was pretty good. so, the next panel will be run by my colleague at the washington post and i think they are headed in here in the minutes. thank you all for being here. i hope that was worth everyone's time to listen in. thanks again. >> good morning. you guys have it been a very patient audience and you have stuck with us all morning and so thanks for coming to work a quick reminder again, you can tweet your questions, which will show up on my ipad here.
10:36 am
without further ado, dreamy this morning we have got three really awesome guests. to my left is brett leatherman who is the assistant section's chief of the cyber operational investigation at the fbi and previously served as a supervisory special agent for the fbi engaged in threat management over cyber national security. to brett's left we have michelle , the senior managing director and career consulting group where she leads the geopolitical advisory practice and finally we have michael wagner who is the senior director of information security at johnson & johnson where he specializes in digital asset risk management, so thank you for joining me. i thought it would start, one of my jobs is explaining to people what critical of the structure is and why it matters and how we are vulnerable, but it kind of occurs to me that critical of
10:37 am
the structure is not a very accessible term and a lot of the companies that are in the space try to convince to get on board defending themselves. we were just talking about the movement there about how hard it is sometimes to get companies when it's a lower priority for them. its 2016, why have we not come up with a medical-- better term for critical infrastructure? >> well, from the government standpoint there are presidential policy doctor 21 which defines critical in the structure with 16 sections and the us government is at large and responsible for helping the private sector in that regard, hopefully prevent, detect and mitigate threats to critical of the structure within those we are looking at those corporations that contribute to the stability economically from a national security sampling as well as health, life and safety
10:38 am
to the mayor can people, so from a government standpoint we have defined critical infrastructure and some of the companies who supported and the fbi, department of justice and department of homeland security work very closely also with those sector specific agencies. i know you serve on the board who is also bringing together public-private partnerships to help defend networks within critical in this structure. >> first off, thank you for having us. it's a pleasure to be here. the national-- one of those information sharing and analysis centers where healthcare industry comes together. we share resources. we share threat information we provide services to medium and small and large businesses as well. we are johnson & johnson, the largest most comprehensive health care company in the world. we have significant resources, but we have realized that we
10:39 am
need to give the back and help the little guys out with providing services. brett has spoken at a few of our summits recently and it's a great organization where we are able to protect and defend the national health portion of the critical infrastructure. >> i think in the commercial sector we are getting better, but part of the reason why we haven't defined critical infrastructure is because we it's a work in progress. we are sort of still building the bridge as we walk on and firms that provide enterprise risk management-- management consulting services have to help their clients understand what they're critical risks are and i think the more we do that ended the longer the sort of identifying those risks and what the critical in the structure consists of, the better the definition will become in the former he will be. >> how does our-- how does the needs to understand critical-- critical infrastructure need to
10:40 am
change as we learn better with the landscape of the capabilities, threats and risks are out there? >> i think generally speaking if you take critical infrastructure and boiler down to a corporate perspective, you know, we look at it through three phases of business with the commercial sales part of the business, the supply chain part of the business and we had the research and development part of the business and in each of those the threat and risk in-- is different in each of those areas and protection is there that needs to be different. for instance, supply is really about availability. you are dealing with risk such as technology am a lifecycle management issues where the business is trying to squeeze every penny out of that technology platform to make a pillar medical device or design and build that drug. so, there is certain risk of there and r&d is very collaborative space, so we are
10:41 am
dealing with multi--- multinationals, educational institutions, so protecting them this structure that's research and development arrives on is a much different more agile more flexible approach. similar to commercial sales, you know, the financial data making sure that we are falling in line with financial controls. these are all critical areas of our business that we make sure we are looking at when assessing and building our secure program. >> can i follow up on that and can you tell us a bit about how those three areas of the business for nate-- coordinate their cyber defenses back is there much coronation or is it more comes from the top and spread out? >> we have a very centralized viewpoints from a security strategy and the design. we have a baseline of working
10:42 am
with different types of frameworks such as isotope frameworks for security control that we apply, so there's a base set of controls that we put in place, but there is also, again, unique needs of those areas required, so coordination is done through the various different business groups with a centralized security staff that is driving, building that strategy consisting of the people of the process and the technology to secure the enterprise. >> what is fascinating to me is that johnson-- you guys probably have very robust interaction between your various teams, but what we see in our incident response from élan enforcement perspective is that many copies don't have the interaction. network defense don't engage in fraud prevention teams or put engage the general counsel office. in one case we responded to what
10:43 am
turned out to be at large cyber compromise and when our team showed up they started working with the chief information security officer and his team to engage the threat and hopefully help quickly mitigate what was happening while also allowing us to pursue the threat actors and a few hours into that the general counsel learned this was happening and came down and likely so said let's stop right now what we are doing. we have a government agency in here sharing information and we haven't yet determined what information we want to share with the government from a law enforcement perspective, so they sent the fbi came home and continued to work within their environment to try to determine what they could share. five daily-- over five days later they invited the fbi team back and by that time they had communicated on compromised if the structure that the fbi team is here, what we want to share and unfortunately, i think, a lot of organizations right now don't bring into their incident response plans general counsel, executives, physical security folks, five-- fraud prevention
10:44 am
to prepare for an incident in what that information sharing plan might be with the us government stephen michelle, when you are advising companies on stuff like this, is there something they can do, organizationally, structurally speaking to help ease this? >> absolutely. what we like to do when we worked with firms and i will take that i have seen these plans vary widely. even some of the larger firms we work with don't have very good plans in place and they kind of wait until it's almost too late before they have a plan we try to help them first identify where they might be for the role , what things could be a threat or at risk and and we sort of after they identify those things we sort of help them prioritize, but this again is a problem because not all companies are at the same stage in their life cycles, so companies that are smaller, but more technical, they have higher
10:45 am
risk, but lower revenue stream, so sometimes they are a bit lower to put resources towards his eventual event because it is up and eventually that. it will happen at some point. it's just went and hopefully it will be at a time in their life cycle where they have been able to plan. we do try to get them to incorporate as many parts of the organization as possible, but some of them don't even have their own general counsel. some just contract that out when they need or, again, it really depends on how mature they are in their business a cycle. >> we have a really great question here from twitter and it ties to lead to a question that i went to to ask. i'm just going to ask the twitter question, considering how much nationstates depend on satellites for acquittal in the structure has any official international policy been put in place and in europe-- opinion what is the best apps you take in order to protect satellites from being involved in spoofing,
10:46 am
d doss or hijacking? >> are not aware-- i'm not part of the policy teams out there in the us government. on part of the law enforcement intelligence committee, but satellites of any form of the structure utilize for comedic nation and it environment are susceptible suit-- to some sort of nefarious activity. satellites are an asset that we have to look at and like any form of risk we had to build controls around those. i know within the usg's been addressed with some of our partner agencies to build control around that risk associated with the satellite medications. >> to what extent should we think about things like election assistance as critical infrastructure or e-mail systems as critical infrastructure? we have had a number of reports about russia potentially having hacked, you know, our political
10:47 am
actions and people are clearly worried about the impact that other nation states may take in the cyberspace to affect the way that we live here and how can you sort of address the e-mail and election question? >> in terms of the e-mail, i think, it's just part of our daily lives. i think i was reading an article coming down on the train last night that half of our time over a thousand hours a year is spent reading and doing e-mails. of course as part of our infrastructure and there are several established in great technology in place to secure medications around e-mail with encryption. you know, it's-- there's a lot of different ways with messaging that goes back and forth from application of the structure to secure that, so i think-- and there's a lot of options out
10:48 am
there to secure as was said, depending on your resources what technology is right for you, i think, largely depends on how many resources you have available feedback from an intelligence is perspective i think it goes back to what i learned in the army is no yourself know your enemy. when it comes to e-mail, no what your information you are sharing over e-mail and know who might want to exploit the information and once you have a pretty good understanding of your environment and your threat environment i think it helps you to be safer with e-mail, with any communication or with any means that could be hacked or anything that is for verbal chemicals for any type of company, corporation, industry sector stephen of course, e-mail remains one of the top compromise for any business and i know i don't want to beat a dead horse because i know it's been mentioned many times and i would like to say there is a night football game on tonight
10:49 am
and i will use multi- authentication on my fantasy football team and if i can do that on my regard i hope businesses would do that, but on the issue of it should reconsider e-mail critical infrastructure, the election system critical infrastructure, that goes back to our initial question about what is critical infrastructure because the lines are becoming a bit blurred. while we have these defined sectors of critical infrastructure, what we have to look at is more and more entities within critical infrastructure reliant third parties to engage in day-to-day operations weather is called based environment, a mom-and-pop shop who has to connect to the healthcare system for billing purposes for local doctor's office and although major organizations might spend millions of dollars on network defense and cyber security, if there is a small mom-and-pop shop that has trusted access to the network environment and their critical data that threat actors have shown a propensity to utilize the business to come
10:50 am
from as those networks and right try to force her way into a very robust detected network when you can go after some small business who has trusted access and we have seen that in the government phase, healthcare, finance sector, so what is convenient for us is whether it's a third-party or connecting internet of a device to our trusted network, what's convenient for us is convenient for the adversaries, so we have to look and reevaluate how we had a trusted access internetworks. >> this may be a bit of a sensitive question with a member of law enforcement here, but would you say that's, you know, our critical infrastructure is compromised when we learned of the backdoor essentially that even yahoo's chief information to secure the officer did not know about? >> i will defer my comments to these folks first. happy to talk about that. [laughter]
10:51 am
>> so, you know, i can't, specifically on that yahoo is that, but what we strive to do it fbi cyber division is recognized that private sector companies are equal in the plane environment. in the marmot you see something you say something is kind of the extent of what we do with private sector with our law enforcement role in criminal capacity, meeting with victims and witnesses and use that to prosecute criminal activity. under the us law we work with private sector partners to see the adversary on the network before we do and law enforcement on a rig the basis to see as the adversary changes tactic technique and pursue your-- procedure targeting sector businesses we have to be able to engage private sector and get that information quickly because it changes so quickly and likewise, we have a certain optic to the adversary that private sector doesn't have been with you that information out there to protect private sector,
10:52 am
so not withstanding recent media reporting we do have robust relationships with private sector, but they will always be governed by the u.s. constitution and the legal framework. >> back to the discussion we were having earlier in the green worm-- room about how much more important is to detect quickly that it is to prevent. i think if we help companies and firms to put in place detection mechanisms and know what to look for, i think, that makes a response that brings that response time cycle much smaller and i think that's what we need to focus resources and assets because we will never be able to prevent even yahoo's and linkedin's and these really big corporations are vulnerable and again, goes back to no yourself and know your enemy. know what those that would seek to harm you, what they want and then you can help to prioritize and put a plan it's place the protection and the detection. or causes and surveillance of
10:53 am
the will of your network to know where to put those resources. >> i think a critical word stated earlier which should be talked about his resilience. good business continuity plan and testing of that continuity plan is essential. at johnson & johnson we are all over the world. there is a hurricane bearing down on the southeast right now and we are going through different procedures and protocols that were tested in the past and we will be successful in kind of sidestepping at risk because we have practice before. we have a solid program set up across all the business lines, across the nations we do business into, to either have a tabletop test exercise or some type of true disaster reach out-- type exercise. these are part of common security frameworks that help us to be more resilient, to test our protocols and her standards
10:54 am
and practices and allow us to remain available because if we are not available we will not be able to do our job and also it increases the security as well. we see where improvements need to be made and then we can focus our efforts on improving those. >> we have talked a lot about how us businesses and us critical infrastructure is in some ways and secure. often, in those types of environments there's a lot of kind of-rhetoric flying about. fear and paranoia. can you threat-- cut through that and give us a big picture where us stands in relation to other countries? >> i think we stand in pretty good shape. i have served in the air force now for over 20 years, so i had that governments perspective. i'm a part of the national health board of directors, so i understand the healthcare sector
10:55 am
and how we are working across companies within the us and also been a part of several different industries in healthcare, finance and technology. i think there are great partnerships, public-private partnerships that are in the us and actually i see expanding internationally that i have been a part of it had that experience to share best practices and attack signatures and gullibility information with these partners. it may seem subtle to say, you just need to communicate, but the what is one thing, but how you going about doing it is a completely different dynamic. there are great organizations such as the critical infrastructure and for god, several great organizations where their mission, really is to increase the resilience of
10:56 am
these us critical infrastructure and companies associated with them, both-- and bring together that public-private partnership that is essential for making sure that we are secure. >> i think the us is actually much better primarily because we are better resourced to do that and he goes back to that same, you know, problem we had when you have country struggling to feed their populations and to keep social unrest that they. they don't put resources towards securing critical of the structure, which we advise a lot of our companies that are multinational and global that this is a problem. if you're looking to expand your operations overseas, it is something you need to take into consideration in your risk management plans, but if you like the united states is definitely ahead of their peer competitors, but only for so long. i think that some of our peer competitors will catch up to us
10:57 am
soon and we can only hope that that will pull afraid to some of the other places that we have critical infrastructure or that we have businesses that rely on critical infrastructure of those countries. >> can you give a concrete example into what extent does the lack of readiness of other countries provide quote unquote opportunity for american cyber warriors? >> so, i think that some examples would be places where we rely on electric and a sort of data grids and countries maybe like-- there are so many of them especially africa, i mean, like we have companies that do mining and extraction in the several african countries and they don't have the resources to put towards protecting their electrical grids or any of their other
10:58 am
creek of the structure, water supplies, any of the things that these companies need to conduct business and some of them if you shut them down for a day they will lose millions of dollars to bring things back on my. some other examples would be like we were talking to potential investors looking at potential opportunities in cuba and cube is another country that has excellent cyber capabilities, but they don't feel that they are a target, so they don't spend a lot of resources on protecting the creek oh infrastructure, so if the businesses and investors wanted to invest in cuba we would say this is a risk. >> i wonder if we can talk a good about your work in public-private partnerships and tell us a bit about public-private partnerships is kind of a buzzword and often describes an ideal aspiration, but what does it actually look like?
10:59 am
what are the nuts and bolts of making network and to succeed? >> in cyber if a willingness to step out early and step out often on the part of private sector and the us government. what we've learned over the last five years is that sherry threat indicators, for example, two weeks after we see them is no longer acceptable. if you look at the advanced persistent threat environment where adversaries are to gain a foothold in a corporate network and quickly enumerate the holding that network, that is significant and can happen in two weeks, so the fbi in partnership with the nsa and our partners are rapidly declassifying sensitive indicators and getting those out to private sectors, but we also had to get that information from private sector because cyber is a bit of a puzzle in being able to see malware on networks, extract that, analyze it quickly is key to protecting kriegel of the structure, fortune 100 companies, small and medium businesses.
11:00 am
cyber division has developed a cyber operational divisions section and our job is charged with operationalizing the private sector and we also have an effort art program. great program and i would encourage you if you are a small to medium business and if you're not getting information from the government to check it out. its fbi partnership with private sector nationally across the board to be able to share information quickly and rapidly. criminals are partnering all the time. we see that with ransom ware. we see the partnership in if we don't party together we will continue to lose that battle as opposed to gain a foothill. >> you have a database that salutes it-- solicits information. >> ic is our national reporting mechanisms. i would have to get back to you on the number. we get tens of thousands if not 100,000 within a week.
11:01 am
we get that information rapidly, but we don't enough, so cyber reporting is underreported and we hope to get a better optic into some of these trends whether its business, mice, rats and where, some of those other trends. >> seems like a great place to wrap up. thank you so much for joining me. i will now be joined by my colleague on stage and thank you so much. [applause]. >> good morning and thank you for being here. i am ellen of the "washington
11:02 am
post" and with me on stage is lisa monaco, assistant to the president's for homeland security and counterterrorism. good morning. she is responsible for policy cord nation in crisis management on issues ranging from terrorist attacks to cyber security to national disasters like hurricane matthew that is heading our way now. the president likes to call her doctor doom. [laughter] >> prior to going to the white house she spent 15 years at the department of justice and the fbi where she helped to shift the fbi's focus after 911 to preventing terrorist attacks on the united states and at the department of justice she started the cyber prosecutors program. lisa, thank you for being here. >> thanks so much. >> a reminder to the audience to tweak your questions to us here #wp cyber and i will get to your questions at the end, i think,
11:03 am
of our discussion here. lisa, you briefed president obama every morning on national security threats. how have they involved with the past three and half years? are you seeing more threats in the cyber domain now than terrorism? >> will, i certainly am seeing a lot more cyber information of cyber threats that are figuring prominently in everything, so as you mentioned every morning the president to receive something called the president's daily brief, which is a briefing delivered to him from the director of national intelligence, giving an overview of what's happened in the world overnight, what are the strategic issues we are concerned about from the intelligence committee prospective and what are the biggest of threats and concerns to our security that we are facing. i participate in that meeting along with the national security advisers, vice president, that via national security advisor and a few others and we meets every morning with the presidents and we go through
11:04 am
this set of concerns and we also have an opportunity in that meeting to raise to the president the things that are on our own mind and things i think he needs to know and be concerned about. what i have found in the three and a half years that i have been in this position is that the cyber threats have consumed a greater and greater portion of the peace of the greece-- briefing that i do and at the issues i'm raising the president. absolutely there will always be terrorist attacks at home or abroad in our interest abroad, issues like ebola, pandemic concerns, hurricanes, but increasingly over time and over the three and a half years i find myself almost on a daily basis talking to him about some cyber threat issue. and the fact what i've noticed is i have been struck by the threats we are facing, certainly against us government, against
11:05 am
the private sector. the range of actors that we are concerned about from, of course, nationstates like russia, iran, china, north korea to nonstate actors, to hack to this in your garden variety criminal actors and the other thing that is featured prominently in this briefing and cyber threats in general has been the range of tactics that we are seeing. so, gone are the days-- not completely gone, but added to issues like service attacks has been that increasing willingness of aggressive actors to use destructive attacks in the cyber realm, like we saw with the north korean attack on sony pictures to something that is of great concern to me and to others who are focused on this issue, which is actually be certain of the integrity of the data that we hold and are
11:06 am
responsible for. increasingly, i think, that will be both the near and midterm and long-term concert. >> integrity of data such as for instance the data flowing through our election machines. is that high on your list right now? >> certainly. we are obviously focused on and you have heard myself and others talk about this in the last several weeks. we are always going to be concerned about cyber threats to our systems, are critical systems, cricket will-- could go in the structure and we have seen in efforts at state election systems in the state election infrastructure. what people need to know about this, though, is that our voting infrastructure, our election of the structure is really quite resilient. now, what, i mean, by that? it is owned, operated, administered and minister--
11:07 am
managed by states, by localities down to the county and municipal level. it's not a federal government entity. is incredibly diversified, so that's a good thing from a cyber security perspective because there is no one single point of failure. there is also a tremendous amount of resilience and it checks and balances in our system. of the oversight from the state officials, from the media when it comes time to elections etc., so there's a great deal of resilience in our election system and the people i think should be quite confident in it. that said, we exist in a wired world and we know there are actors out there trying to breach our defenses across the board, so what we have been doing is along with the department of homeland security and others in the government has been trying to make available to state officials and to election officials expertise, resources
11:08 am
to bolster their defenses for their voting machines, their voter roll and i was very pleased to see that last week we had a bipartisan letter from the congressional leadership in congress from the majority and minority leaders in both chambers of the senate and the house who wrote a letter to the governor's and to state election officials indicating that we need to be vigilant and that the federal government in the form of harlot-- all that security can provide the system appeared to be clear, have you seen any efforts by any actor in particular nationstates such as russia to manipulate data going through the voter registration system or other systems tied to the elections? >> i think what director call me has provided is an obviously my former colleagues at the fbi are focused on responding to and assisting states with investigations when they do experience of breaches or other
11:09 am
intrusions director colby has said we have seen a lot of probing and efforts to get at information, but have not seen indications of manipulation. >> but, do you see, are you looking at, do you think there has been, is there an effort by another nation the stages-- state such as russia to cast doubt on the legitimacy of our election process? >> look, i think we will be concerned when we are talking about cyber threats on critical systems, whether it's a power grid, on our election system or our financial system. we saw the cogs of the justice department not too long and-- not too long ago indict iranian actors for cyber attacks on the financial sector. so, we have got to be concerned about nation estate, nonstate actors trying to breach our critical systems, whether to
11:10 am
generate insights for their use later or whether to develop a greater intelligence to use in the future or whether to send out competence in our system and my message is weak but to be cognizant of our election system, frankly our democracy both in the form of its systems and those literal systems that we have in place and in our greater democratic system at large is much struck her that any one of these actors. >> your background is in counterterrorism. let's talk a bit about how you try to take the lessons learned from that and apply them to the cyber state, which you have done in the last few years. >> great question. this is an area that i have been very focused on her as you noted, i spent my career largely
11:11 am
as a prosecutor in the justice department and then the fbi focusing on national security issues. what we have learned both as a country-- country i would argue any government after 911 is we needed to shift our focus and our imagination and our prioritization of terrorism threats out i think we did that quite effectively and we needed to both reorganize ourselves and integrate our information and our unity of effort around making sure our law-enforcement and intelligent services had the same information and have a greater picture of the threat and that we have the ability to respond weekly and actually and effectively to terrorist threats and i would argue to the great work of some incredible professionals across two administrations, we have done that quite effectively. so, we are applying those lessons the cyber realm. how are we doing that? one, by prioritizing and recognizing the threats that
11:12 am
malicious cyber activity poses. at the beginning of the present administration he labeled the cyber threats one of the greatest national security and economic security threats that we face. so, naming eight and prioritizing it administration. in terms of integrating our information on the we did something about two years ago in applying one of the great lessons we learned in the counterterrorism realm to cyber. we created after 911, something called national counterterrorism center. one place where terrorism professionals and analysts and intelligence came together under one roof to share their information so we has policymakers all had the same picture, the same but everyone refers to pre-911 to understand what are the greatest threats we
11:13 am
face, so at the president's daily briefing i mentioned a few minutes ago, everyone who is critical in the president's national security team is seeing the same information every morning about terrorism threats. >> how is that helping you, though? that help to make faster decisions on who is responsible or maybe what to do about it? >> what we did until two years ago we did not have one place in the government that did the same thing for cyber threats. so, we created something called the cyber threat intelligence integration center and we brought together all of the analysts and experts into one place that could use the information we had about cyber threats so policymakers like myself and others have one critical picture and what that does to your question: is it says what we understand to be the greatest threat, how should we understand it, what are the options for policymakers to
11:14 am
disrupt those threats and the other lesson we have applied is, in the terrorism realm we applied all tools. what is the best tool we can use at our disposal to disrupt a particular threat? is a prosecution, military action, intelligence operation, diplomatic overture? we are doing the same thing in the cyber realm and yet seen him play out. >> in fact, i would like to talk about that because at the almost in the administration and clearly this administration has dealt with incredible evolution of the cyber threat coming at you every day and there are critics who say that obama administration just doesn't have a coherent deterrent framework for all of these threats coming out as with opm, sony, now russian hacking of the dnc. so, how do you respond to them when they say there is no deterrent framework?
11:15 am
in fact, do you think maybe you are doing it more on a case-by-case basis where you have an event such as chinese cyber economic espionage and maybe you respond with indictments against sony respond with sanctions. are you in fact building a de facto redline a framework of deterrence? >> comes as no surprise to you or to your audience that i disagree with the critics that we don't a strategy or a deterrence policy. its fifth, number one we believe very strongly that there needs to be a set of norms around cyber behavior and what you have seen is the president working very hard, very carefully over those last several years to build a set of norms and build international support pre--- fort norms. things like countries should not attack another country critical
11:16 am
infrastructure with the cyber means. another country should not engage in cyber enabled economic espionage of intellectual property for theft and for commercial gains. so, what-- the country that should not engage in cyber operations for the purpose of suppressing defense, so that they set of norms that we have worked very hard to put in place. so, when countries violate to those norms, date have isolation that country. there is an agreement that you can impose sanctions, maybe there is a consideration that there is an act of aggression if of those norms are violated, so there is a framework their. but, in terms of specific responses to specific activity, you talked about a few cases and i would argue we are very much putting in place a framework and you have seen it action it's on the cases you mentioned.
11:17 am
we take a whole of government approach to a particular malicious cyber incident. you see it in the case of north korean attacks on sony pictures. what we did there is we gather together all of the information we could, whether it's from law-enforcement or the intelligence community, combined that, understand it, reach a level of confidence that yes, this was the north korean government that did this and then determine what can we say publicly about that activity that's not going to hurt our ability in terms of violating or exposing the sources and methods so we can use that in the future and if we reach a level of confidence, we can talk about it publicly in a way that does not damage our national security and to make that tradition public is in our national interest. we will do so and we will respond. we will respond in a time and place and manner of our choosing
11:18 am
and when we do so we will consider a full range of tools, economic, diplomatic, criminal, law-enforcement, military and to some of those responses may be public and some may not be. we did the same thing in the chinese case you mentioned-- >> before you won't go on, explain a bit about what you mean by some of these responses may not be public. >> there is a whole range of tools one could use and you see it in the connecticut space. in other words, the non- cyber realm as well as the cyber realm , so there could be diplomatic responses that are private messaging. there could be intelligence operations, so covertly hacking into north korea or iran or russian systems and what? >> i like ellen's imagination. [laughter] >> there's a whole set of things one could do, but not have to talk about it or announce and my point is that is true in
11:19 am
response to cyber activity, but that's true in response to intelligence operations from another country, military operations of another country and we apply that same framework and law enforcement is also a tool. >> let me get back to the covert , let's say you do something secretly, but you want to let your adversary no otherwise there is no point to it. so, you put in some code that may be just disrupt their system enough so they know you have capabilities and the notes you, but if the wider world does not know another countries don't know, where's the public deterrent effectively? what's the strategic impact? how are you upholding that norm? >> this is the kind of discussion you can imagine policymakers having around a situation at the table. what is in our interest to do? is it in our interest to publicly attribute that activity
11:20 am
to name and shame, if you will? to isolate that actor on the world stage, to garner international support to sanction or imposed diplomatic costs. is it in our interest to publicly indict and use our criminal justice process as we did with the chinese case? we began that case against the five members of the pla when i was the head of the national security division at the justice department. you reference a program we started, national security cyber specialist program, a set of prosecutors around the country focused on bringing cyber prosecutions for national security cases. this is another lesson from the terrorism world. we built on a set of terrorism prosecutors that we established across the country, post 911, working with the joint terrorism task forces that the fbi has across the country, so say might in the cyber realm and we
11:21 am
brought this case against these five members of the pla. the point there is you are calling out that activity. you are identifying its. you are naming its. you are showing that you can attribute that, identify it, identified as actors, pictures of these chinese military members at their keyboard and even if you don't ultimately physically get your hands on those actors and bring them into a court, they aren't going to be able to travel because otherwise that warranty will be out for them. you have identified and called out this activity and i would argue it strengthens our hand on the diplomatic realm. you sought a diplomatic agreement reached with president she almost exactly a year ago, a little over a year ago when he visited washington and signing up to a set of agreements that we are monitoring quite vigorously. so, these things feeding to each other. in fact,-- >> you second imus on the five pla members and then you are
11:22 am
about to impose economic sanctions-- >> i believe someone reported we were. >> it was the first use of this new tool, cyber tool crated by president obama last year, which you still haven't used i might note. are you going to use it, by the way? >> i'm eager to have all the tools at our disposal, which is one of the reasons we set up that sanction. that's another tool. >> you did the indictments. you are going to do the sanctions and as you noted the present came to the table and crated this agreement. how effective has all of these moves than? are you seen any change of behavior at this point? >> so, i would characterize this that we have seen a diminishment in that behavior. however, i think this is something we have to be continually vigilant on and be very clear as we have been with the chinese, that we expect
11:23 am
adherence to the commitments, that we will continue to be watching for adherence to the commitments and that we reserve the right to impose cost if we see that commitment has not been honored. >> and you might impose those sanctions after all. so, you seem to have had success with china. what about russia? i mean, russia has been in the news of late. all you here and maybe the 400-pound person, but in any case there is strong evidence that the democratic national committee, the intelligence committee is looking into whether or not they are-- how intent they are on maybe doing an influence operation into the united states around the election. why haven't you taken any public action so far against russia? >> i will go back to the framework that i was laid out,
11:24 am
which is to say and as you noted that investigation and understanding of that activity is ongoing between the fbi, intelligence community and we are applying the same framework i laid out a few minutes ago that we did with respect to sony, with perspective china. gathering that information in a professional-- it won't surprise you to know that i will get ahead of that here on this stage it gathered the information, understanding, reach a level of confidence and importantly, look at it and decide in the intelligence professionals have to do that and what can be said about that activity that does not compromise sources and methods and our ultimate ability to use those tools in the future and then decide is it in our interest to describe that activity? again, this is the broader framework we apply as we did in china, as we had done with iran, as we had done in other cases and then, again, response tools on the table and some may be
11:25 am
public, some man not be. >> talk about the considerations that must be going through your mind about i am sure there are diplomatic issues, perhaps, with russia and syria, political concerns. , jamaican threat is as we get closer and closer to the election taking any action being so public with any public attribution seen as politicizing? >> what i would say is that the concerns i laid out as we have this framework will be the same in terms of general categories. is it in our interest to act? we will act responsibly, proportionately and do so in a time and place of our choosing. now, questions about are there other interests, i think what you have seen in cases that we did with iran, china etc., those with north korea that the
11:26 am
primary guiding and overarching focus in those discussions is about what is in the national security interest of the united states. that is the north star for those discussions. >> i think last week he mentioned no actor gets a free pass. >> that's right spirit, rissman ship has said if the us doesn't hold actors accountable and in this case rush it will only embolden them. what is your response? >> i think that i understand that comment and what i would say is and what i think we have been discussing is there is a whole range of tools at our disposal to apply to hold the malicious actors to account. you have seen us demonstrate that using military intelligence, law enforcement, diplomatic, economic sanctions. all of those are on the table and all does get considered when
11:27 am
we are talking about particular responses with respect to malicious actors generally not getting ahead of this particular case. >> time is winding down. i would be remiss if i did not ask the question that i am sure is on the mind of many reporters here, which is we have had chelsea manning in 2010 and now comes the news of another rift with nsa contractor and this comes after the obama administration has taken steps to tighten control, to prevent the occurrence of such theft of sensitive classified information what happened here and do you need to do more and if so what more? what can you do to tighten controls? >> so, you are referencing the criminal complaint that was unsealed yesterday with regard to an nsa contractor.
11:28 am
i'm not going to comment on the specific case, but criminal charges are in the public domain and your readers in the audience can look at those and that investigators and criminal process will go on and i'm sure we will learn more about that. what i will say, though, is this is the type of activity we take exceptionally seriously. the protection of national security and consummate information. i would also say because as you mentioned, these cases have been involved government employees whether it is contractors or otherwise, the vast, vast, vast majority of the professionals serving in the intelligence community are patriots who have foregone, i think, lucrative salaries and other areas to work very hard to protect this country and do so i think folks should remember that. that said, there is what this case and others have pointed out is we can't completely guarantee
11:29 am
that we can eliminate a determined, the threat of a determined insider who's determined to steal information. that's a very hard challenge, but as you noted what the president has been crystal clear about is the need to constantly review and learn from some of these instances, so that's why he saw the establishment of an insider threat task force happen after the chelsea manning and wikileaks case and that's why we have seen just last week the establishment of something called the national background investigation bureau, setting up a set of standards and monetization and strengthening of our background checks and so we have got to constantly apply lessons learned, vigorous security measures. we are in a wired world and it's going to get harder and harder. we are only as strong as our weakest link and we had to constantly be reviewing and understanding your technology that we can apply.
11:30 am
are there new steps we can take? that presidents and the other leaders of the administration national security realm take it seriously and are constantly looking at what more we can do. >> this contractor is suspected up perhaps also having stolen hacking tools used by the nsa to gather intelligence, very potentially significant action. how concerned are you that-- about the potential damage to national security or righty-- arriving from this case? >> without getting into specifics i think there is more we need to learn about that. ..
11:31 am
>> so for reasons not going to speculate on that. one of which is, one of the things i do when it occupies my windowless office in the basement of the west wing is not get into politics. i think i will continue that in this relatively windowless room as well. >> with that i'm going to have to wrap it up, but thank you so much for being here. thank you to her audience, and
11:32 am
we will have lips from the program posted later. thank you. -- clips. [inaudible conversations] >> a quick reminder if you missed any of this discussion on cybersecurity invited online indices the individual library where you can also view, click enter all of her program. go to as hurricane matthew hits the southeast coast of you as the presidential candidates are responding in different ways.
11:33 am
political story rita donald trump anne heller plan art risk of being elbowed out of the news cycle by powerful rotating threaten to barrel into two of the most important battlegrounds, florida and north carolina by the clinton camp is refusing to be completely shut out of the conversation. they're buying airtime on the weather channel with a slew of major florida markets. donald trump's property sits among the highest risk zones for the hurricanes impact with forecast going for some the most extreme winds up all. you can read more on this that members of congress are tweeting about the hurricane. georgia congressman buddy carter, warnings continue to change so please stay prepared for hurricane matthew your country. also kentucky senator rand paul, praying for florida in everyone's safety today.
11:34 am
a short time ago white house spokesman josh earnest reminder reports of a president obama's message to those in the path of the hurricane. >> the president was updated once again on the preparation under which you prepare for the likely landfall of hurricane matthew. the weather forecasters at the national hurricane center now anticipate that the impact of the storm and the united states is likely to be quite significant. we strongly encourage people who live in the areas that are likely to be affected to heed the warnings and instructions of local officials, including evacuation orders. the instructions that are being offered by local officials are informed by information they're
11:35 am
receiving from scientists and from federal officials, those instructions are geared toward protecting people. we believe it's important for people to listen to those instructions. we also encourage people to stay up-to-date on the weather forecast. those of you been covering this story now that the forecast track of the storm has changed multiple times just this week so it is not up to the role of possibility that it could change once again. we want to encourage people to up-to-date on that. but what we did were overnight is that it's likely the storm could strengthen further before making landfall, and, obviously, that is deeply concerned. we want people to be prepared. the last thing i will say about this is about there are those who doubt the intensity or severity of the storm. they need only look at the images that are coming back from haiti. had a significant impact in haiti.
11:36 am
and that is pretty good evidence of what people in the southeast could be facing. for those americans that are interested in offering of assistance to haiti we encourage people to visit cid i got bored or you can get more information -- a dozen other resource like we do entity with such a significant storm. this is a pivotal day. people need to be making preparations and following orders today. the storm is likely to be ending this evening. sort of the course of the day those of us who don't live in potentially affected areas we will be sending our prayers to those who are potentially in harm's way, but people should take confidence from that federal officials have been working very effectively with the face of the state and local
11:37 am
a will to prepare in advance of the storm. we have developed an expertise and we intend to use our resources and expertise to protect the american people, and that will be put to the test in the next few days. >> every weekend otb brings you 48 hours of nonfiction books and authors. you are some of our programs this weekend.
11:38 am
>> i think leaks are going to be part of government life, and the speed at which and a multiplicity of which we communicate with each other now not only in long cables, but short e-mails, texts, social media, tweets. all that is going to be part of the body politic. >> go to for the complete weekend schedule. >> the second presidential debate this sunday at washington university in st. louis, missouri. watch live coverage at 7:30 p.m. eastern for preview and then at 8:30 p.m. eastern the predebate briefing for the audience.
11:39 am
at 9 p.m. live coverage of the debate itself followed by a viewer reaction with your calls, tweets and comes. the second presidential debate, watch live on c-span, watch live on time anytime at and listen live on the free c-span radio app. >> a panel of state insurance commissioners to appear before senate committee to discuss how health insurance markets have been effected by the federal health care law. they discuss rising health care premiums, a number of consumers receiving coverage and reduction of consumer choice because of the consolidation of insurance companies. entering led by senator ron johnson who is the chairman. [inaudible conversations] >> this committee will come to
11:40 am
order. the subject of an today is the state of health insurance markets. i want to thank all of our witnesses for your thoughtful testimony for traveling here. you brought beautiful weather by the way. it's not quite as hot and humid as a normal is. i really do appreciate you coming on a very important subject. truth of the matter is the reason i decide to run for the senate was because of health care law. i come from the private sector. i understand the market places. i understand what works, what doesn't work and i was very concerned about the very harmful effect on real people, the patient protection affordable care act would result in. it's coming true. the problem certainly all of us have had in evaluating the patient protection affordable care act is the complexity of the data. there's not just one overall metric that you can point to and say hey, it's not working. there are some metrics. i think some pretty powerful ones.
11:41 am
so absent that very simplistic type of metric to evaluate the success or failure, i think probably the best way of doing it is the way you evaluate any other product or program. i come from the private sector. you do the capital expenditure reviews and miniatures is a this is what we expect if we do this kind of money. may be the best way to take a look to start a parent with that opens in which is what al-qaeda written opening statement i like of it it into the record. i will into yours, too, if you want me to. is literally to take a look at what the promises were made and how those promises com, were the promises fulfilled or not? there were three primary promises made when people were considering debating, discussing and finally passing the patient protection affordable care act. the first one was pretty famous. and i'll quote. this was from president obama
11:42 am
invictus promised 31 times. if you like your health care plan you'll be able to keep your health care plan, period. well, there are all kinds of figures again, how many millions actually lost their health care plan. iceni's maybe 8 million, but let's be conservative and go to the urban institute. their most recent study says about 2.6 million americans lost their health insurance plan. in wisconsin certainly we have something called the high-risk pool. everybody that wrote them anybody involved in the writing of the patient protection affordable care plan new high-risk buyers are going to be eliminated. more than 40,000 wisconsinites that were on the high-risk pool, and again the authors of obamacare, august are calling it obamacare, then you those individuals were going to lose their health insurance plans. i had a couple early on, right,
11:43 am
this was in the fall of 2008, call me anything. his wife at stage four lung cancer. he was suffering and being treated for prostate cancer. they were losing their high-risk pool plan. they're paying about $700 a month, $767 per month for insurance in the high-risk pool which was very competitive. that was a program that actually works very well in wisconsin. they tried to on almost 40 times and couldn't. because that was a disaster when it first tried to be initiated. finally, called out office seeking help. we did guided into a couple of the entrance countries that were acquitted on this exchange. the cheapest i think if i was $1400. but again that couple lost their health care plan, contrary to president obama's repeated promise that would not happen. the second guarantee, if you
11:44 am
like, that means he can quote president obama. that means no matter how we reform health care, we will keep this promise to the american public, american people, this promised. if you like your doctor you will be able to keep your doctor, period. i don't anybody would stand up and say that that's been true. people lost their doctors to we have a couple in marinette who obviously have lost their doctor. i just want to read a quick quote. the only plan they could afford it obamacare met elusive the doctor they had for over 15 years and the quote was now i have to see a physician i have never even met. broken promise number two. i think the third most famous promise was as a candidate, president obama repeated in an obama administration we will lower premiums by up to $2500
11:45 am
for a typical family per year. the truth is back into the snake when he is running as a candidate according to the kaiser foundation, the average gun is being about 12,006 or $80 per year. the latest figure, an average family is paying $18,142 per year. that's a $5462 increase since president obama made that promise or you can look year by year and that's the largest increase. but even from 2013, the implementation, the year before implementation of obamacare it was 16,351. today it is 18,142. still an increase. the average family has not seen a $2500 per year reduction in the health care. i've got some specific examples.
11:46 am
janice from spooner, wisconsin, wrote is set prior to obamacare she was paying $276 per month for health care. parlayed his quote was $787 per month. that's 185% increase. we had a woman, a young woman, a young mother she was a nurse, her husband operated in the hvac industry. they both were working to give up their jobs because of the increase in premiums, they went from about $500 a month to $1200 per month. a $700 increase, a 140% increase. the only way they could afford insurance, they were not getting through their employer, the only way they could afford insurance is if she quit her job so the income was lowered far enough so they could qualify for the subsidy. broken promise number three. the really sad part about this is this was known.
11:47 am
the authors, the people who support it obamacare had to know that those promises could never be kept. i just want to quote a number of quotes i jonathan gruber who was one of the individuals involved in the offering of obamacare. politifact called in an architect. one of the architects of obamacare paid almost $400,000 by the message to console. he was talking about the cadillac tax and here's his quote. he said egregious attacks insurance companies, they pass on higher prices at that offset the tax break and into being the same thing. here's a really the important quote. it's a very clever, you know, basic exploitation of a lack of economic understanding of the american voter. he went on to talk about the cadillac tax and he said, quote, this is jonathan gruber one of the architects of obamacare, someone who knew what he is doing, said quote, americans
11:48 am
were too stupid to understand the difference. he also said the lack of transparency is a huge political advantage and basically called the stupidity of the american voter by whatever but basically that really was really, really critical to getting the thing passed. that's a pretty sad state of affairs but that's the truth. that's what happened. now, i just wonder, just have ask the question, we got some agencies in the federal government, one set up under dodd-frank called the consumer financial protection bureau. we also have the ftc to take a look at consumer fraud, tried to protect consumers. i just wonder, just kind of wondering, i wonder what they would do the kind of enforcement action to take against insurance companies who sold a product,
11:49 am
and insurance for dissent once you buy this thing, you will be able to renew this forever. if you like this plan you can keep it. and then in the fine print, that's not true. in addition said hey, this insurance plan allows you to keep your doctor, you did come you can keep your doctor but in the fine print it said not to the doctor is in part of the network that we are going to cover. and three, if you buy this health care plan, whatever you were paying last year, your premium is going to go down by $2500 extend your premium is going to go up $1700 or $5000. i just wonder what these federal regulatory agencies would do to an insurance company that engaged. let me be clear what this administration did. it was a massive consumer fraud. that's what it was. obamacare is a massive consumer fraud. we will be taking a look at that today. i propublica asking the deputy commissioner insurance
11:50 am
commissioner from wisconsin on his thoughts how he would handle that very my question. i can my question. again i want to thank the witnesses are coming. they should be very interesting to me. it's a very important hearing because this obamacare law is costing american taxpayers a whole lot of money. we all want, we all want people to become by health care. we all want people to access, to be able to get high quality insurance. but we didn't have two completely remake the insurance and health care markets to try and fill the gap. and help those individuals who we all want to know. i think we are going to see this is that working, those promises were not lived up to. and so again i want to thank the witnesses and now turned over our ranking member, senator carper. >> thanks. thanks that much, mr. chairman. welcome to one and all. who is from all? ima ohio state graduate. i used to think delaware was a
11:51 am
little town north of columbus. i think that it was a whole state. and then moved of state. and i moved there and a but maybe the carcass the, treasurer, governor. tell your governor i said hello. he's an old friend. give him my best. a little after noon today a handful of senators, democrats and republicans believe that will gather in a room not far from the senate floor, something we do almost every thursday that we're in session. for maybe a half hour or so but take part in a bible study led by the guy who used to be ever advocate in the navy, his name is eric black. he is our senate chaplain today. they're democrats and republicans and basically sit there and read in the same room, we read the script, i together, share things with each other and talk of all kinds of things. and ably during those chaplain black will ask us how our faith should guide us, almost every, how should our faith guide us in the work we do here and at home.
11:52 am
it's a good question. it's a real good question. almost every week, he reminds us of one of the two greatest commandments, to love our neighbors as ourselves, treating others as we'd want to be treated. chaplain black often evokes matthew 25 as well, we may not recognize that will let you go will and the second because matthew 25 calls on us to focus on the least of these, the least of these in our communiticommuniti es. i'm going to paraphrase a today. when i was hungry, did you feed me? when i was naked the to clothe me? when i was thirsty did you give me a drink? when i was sick, did you visit me? when i was a stranger in your land, did you take me in? matthew 25 doesn't say, when my only source of health care was a crowded emergency room, did you help me? it doesn't say, when i turned 22
11:53 am
and could no longer be covered by my parents health care plan, were you there for me? it doesn't say when i can no longer and health care coverage because of a preexisting condition, did you do anything about it. it doesn't say when he couldn't afford the medicine governed of me to hold down a job or be the kind of parent my children needed, e.g. lend a helping hand? or it doesn't say when i was tonight health insurance because i happened to be a woman maybe of childbearing age are charged an arm and a leg for the coverage, did you go to bat for me? most of the people of faith, different faiths, i believe we all agree one thing i that is e have an obligation to treat of the people of the way we want to be treated. we also have an obligation to the least of these who live among us. i believe that. i think my colleagues believe that advocate most of the people in the completed and i like to think most of the people in our country believe that. and because our nation's budget
11:54 am
deficit while greatly reduced is still too large, we need to find ways to meet that moral responsibility in fiscally sustainable ways. just about every american president since harry truman has sought to find ways to do just that. they believed in their hearts that when people in this country are sick or in need of health care, they ought to be able to see a doctor or nurse or both within a reasonable period of time. i am certain that most, it not all, of our colleagues believe that, too, and i'm sure that most americans believe it, as well. so why has it proved so hard to do? they revise and what my mom dad used to say, hardest things to do are the things most worth been. this is a hard thing to do. this is a really hard thing to do. for another, just about anything meaningful, our efforts can be turned into a 30-second
11:55 am
commercial use as political weapons against president or members of carcass who try to do what we all know in our hearts is right thing to do. i will be the first to acknowledge that the affordable care act is not perfect. i am not perfect. none of us are. i've never written the perfect law and i -- my guess is tricky though, need as much college. this can be improved when the election is over we need to go to work to do just that. stop harping about it. just go to work. having said that, the affordable care act has sought to better ensure access to health care for all americans. i just want to mention a couple of ways how. in part by great state-based health insurance market places where people who may have never before have had access to health care that the opportunity to choose a plan that helps him get healthy and stay that way. how? by purchasing -- my perspective large purchasing pools not unlike the ones that there was a participate in for decades. individual mandate is well to
11:56 am
consider that helps these market places grow and thrive so the insurance companies are not left with a pool of people to ensure that a larger and older, sicker and more expensive to insure. in this room today their witnesses and members of congress who represent among others the state of delaware, washington, ohio, iowa, wisconsin and more. the rate of people with insurance in our states on average has fallen by almost half since our respective market places open. for the delawareans, washingtonians, ohioans, i was and wisconsinites who may not take their child to the doctor, this is not a life-changing but it's also life-saving. these are not affect on in our state. today, because of the affordable care act, 20 million more americans have health insurance. the uninsured rate is less than 9%, an all-time low. americans now have access to free preventive services like cancer screenings and yearly checkups. and the vast majority of people in the marketplaces buy their health insurance for less than $100 per month.
11:57 am
less than $100 per month. and, this progress has been realized while extending at the same time the life of the medicare trust fund by 11 years. i find it more than a little ironic that we have been deadlocked in partisan fighting for years over a law that is unknown to most cars built on a couple of sound republican ideas, health insurance market places and the individual mandate. to my friends on the other side of the aisle, your willingness to walk away from the policies you once championed is dumbfounding, especially when those very same policies are enabling us to begin making a positive difference in the quality of life for so many americans. a quick refresher for those who don't remember, republican presidential nominee, governor mitt romney, revolutionized health care in massachusetts by creating an insurance marketplace and requiring residents to obtain coverage. in fact, these ideas go back even further. in 1993, republican senator john chafee introduced legislation
11:58 am
that proposed an individual mandate and the establishment of insurance purchasing pools. that bill looked a heck of a lot like the affordable care act we are discussing in this hearing. in fact, it had 20 republican cosponsors in the senate, some of whom still serve here today. fast forward to 2009, my first year as a member of the finance and the first year of a new administration. our new president called on democrats and republicans to try anew to achieve what previous presidents talked about doing for more than a half-century. but, instead of coming to the table and pursuing a productive discussion about how we could expand access to health care for millions of americans, in the end senate republicans chose not to engage. but, the president and the rest of us soldiered on and finally passed this historic law that all of us acknowledged was imperfect. like any major new federal program, adjustments are going to need to be made as it is implemented. unfortunately, we've had a hard time finding many willing partners in this effort.
11:59 am
to use the time republicans and democrats would come together to make bipartisan health care reforms. some of us were here when we did just that. we created medicare part d, the prescription drug program. we made it better. we created medicare advantage. there was a lot of blowback on that. what did we do? we fixed it. we made it better. we did that together. that's not what we've done with respect to the affordable care act. time and again our republican friends, and they our friends, havelock funding and commonsense improvements. republican got a state legislatures in 19 states have refused to expand medicaid, not john kasich, tell them i said that, leaving millions of americans without coverage and increasing marketplace premiums for millions more. it's a sad state of affairs would seem sometimes failed health care both we're about to make of the ones to repeal the affordable trek completely, leaving nothing in its place everything america's with
12:00 pm
nowhere to turn beside hospital emergency room. i'll close with these words. in a couple of months, americans will go to the polls to elect a new president and members of congress. i talk almost every day with delawareans who await with anticipation for that day to arrive. some of my colleagues feel that way, too. once that day has arrived of the adding of congress as well as the new president have taken their oaths, we need good work to make a good idea even better. like we did with part d, like we did with medicare advantage. we can do that. ..


info Stream Only

Uploaded by TV Archive on