
tv   Key Capitol Hill Hearings  CSPAN  October 28, 2014 12:30pm-2:31pm EDT

12:30 pm
while one at a time, they impact individuals, they impact companies collectively, they represent i feel potential threat to the country if they continue to build the way they're building and in particular if they become more orchestrated. imagine the top 10 retailers attacked at the same moment. the top 10 financial services companies attacked at the same moment. and impact on the confidence in our economy. and especially if the capabilities that today are pointed towards financial criminal activity turn toward destructive intent. that is a very sobering concern for us. now we each in the private sector have a range of controls and capabilities in terms of cyber protection and continue to invest. i estimate we spend more than $2 billion in the use across the financial sector in cyberdefenses to protecting the perimeter to protecting data loss to insider threats.
12:31 pm
we'll continue to invest in our capabilities but i look to use the fort analogy -- think of a company as a fort, we have to know when we're under attack but at the same time it is incredibly valuable to know when a neighbor's fort is under attack or adversaries are marshaling their forces in the forest getting ready to attack. when they're back in the home country building weaponry to attack the fort. my view, the probably single-best control that any company could have is transparency around what's happening around us, with our sector, cross sectors and with the government. said another way, i believe that the lowest cost, highest value control is information sharing. that information sharing has the best roi of any investment any of us could make in the system of cyber protection. one company's detected moment
12:32 pm
can become an entire sector's defense or cross sector defense. and further, no one entity can stand alone. not a single business, not a sector, not law enforcement, not the intelligence community. each of us brings different and additive insights. i believe the whole is greater than sum of the parts. to protect individual, businesses, customers, we have to work together. privacy advocates, law enforcement, homeland security working together to protect our customer's interest, business interests, critical national infrastructure and the country and further while i do actually believe information sharing is in the best interests for each of us in our businesses, i also believe that we have a moral obligation as socially responsible enterprises to try to share and not to consider our cyber insights as a source of competitive advantage that unfortunately some companies do look at it that way but
12:33 pm
effectively sharing cyber information actually is not easy at all. now there is a fair amount of information that does get shared. there is information sharing but it is slow, it's relationship and trust-based, it is very variable within and across industry and within the government and there are a range of obstacles. the first obstacle for the private sector is that we are simply in many cases unable to share cyber information due to the potential legal liabilities that may occur from that so think about, what if someone acts on information that we shared. we shared it in good faith but by acting they have caused some harm? or, on the flipside of that, if we share information but in good faith a company decides not to act on that information because they have a basis for not acting the liability in both instances is so substantial from a risk perspective it completely stands in the way of material information sharing. second, there are just too many
12:34 pm
vehicles for information sharing. it is very variable, it is well-intended, frankly a bit chaotic and it is hardly complete. so throw out some acronyms. isca, nsca, ecf, the physics, fusion centers and nkik, nci, j.t. f. fbi, treasury, homeland security, secret service, all of those occur in some moment, well-intended appreciated by the private sector and sometimes conflicting, sometimes very inconsistent and almost no information happens real time. the third obstacle i would say from the private sector perspective the government overclassifies. so what is shared at the secret level is very rarely actionable. and not enough private sector employees have clearances above the secret level where more of the actionable information tends to reside. there is an issue with government
12:35 pm
classification. i compare and contrast what we get in open source intelligence. think about the last two days. yesterday you would have seen some information about a new watering hole attack that has been out there called scanbox. this open source data. get what we call indicators of compromise. we can act on those. last night overnight detail was released in an open source context about the new purported chinese apt attack called axiom. what comes with the open source is actionable intelligence, things we can do something about and that is an obstacle to what we hear and see from the government sector. so i will close with a bit of a call to action on the private sector. for those of you from the private sector as i am, support the legislation out there on information sharing. there are two bills out there. i would support either of them. they are really important to opening up the volume and speed and capability of sharing the
12:36 pm
that can go on. it is highest roi opportunity in the system of cyberdefense. i would call out two things. one is, there should be liability protection both for acting and not acting. i think that is important. two sides of the coin. second thing i would say, very clearly, information can and will be anonymized. we can address the privacy concerns i believe very effectively. for the private sector if you're not in one of the isacs, i will explain, if you're not you should join one. if you're in an isac you should join one. there is uneven level of information among the isacs. we contribute very actively. i would call on you to do same. from the public sector call to action, from my perspective, pass the information sharing legislation. also we need a better process to get private sector clearances above secret or make shared intelligence more actionable at
12:37 pm
the secret level. more importantly what we really need is a systemized count for how information is -- construct how information is shared. actionable substance and close to real time as we can make it coordinated across homeland security law enforcement, intelligence agencies and the private sector. so that is a view from the private sector. i thought i would share. that it is now my privilege to introduce admiral rogers. in april of this year admiral rogers assumed the post of commander u.s. cyber command, director of the national security agency and chief of the central security service. you have his bio in his package but to summarize, prior to his current post he served as the commander of u.s. fleet cyber command and navy's u.s. 10th fleet. since becoming a flag officer in 2007 he also served as director for intelligence for both the joint chiefs of staff and u.s. pacific command with over 30 years of service, both ashore and afloat he has extensive experience in intelligence gathering, computer network
12:38 pm
defense, and information warfare. on a personal note. i shared this with the admiral as he was coming in, i actually met him in 2012 very briefly at a cybersecurity conference at west point and the theme of the conference was actually public/private collaboration and the role of each sector in defense of the nation and my impression of the then vice admiral was formed and we actually sat next to each other for maybe 30, 45 minutes the morning of that event and i thought back on the experience to try to convey the sense that i took away from that short moment. what i would tell you is this. after having not had at that time a lot of private sector experience he was very inquisitive about the private sector. he asked a lot of questions. he was a very active listener. he seemed to have to me an appetite to learn about the challenges faced in the private sector, and contemplate the
12:39 pm
opportunities for collaboration. he conveyed as you expect a purpose, sense of purpose, a belief in his mission and i think is a very calm sense of command. what was interesting though as i reflected is that what came away for me at that moment which will be refined by what you have heard here today the admiral is actually very committed to public/private partnerships and a very strong advocate of information sharing with the private sector. so with that, please join me in welcoming admiral mike rogers. [applause] >> well, good afternoon. how is everybody today? you doing all right? i apologize but speak while you're eating but please keep eating. we got about 50 minutes or so. what i will do, i will speak for 15 minutes or so, give you a few thoughts from my perspective. but i'm really interested in an
12:40 pm
interchange, exchange with all of you because i am curious as to the perspective that you bring to this issue. so why is admiral rogers, some admiral in the department of defense, why is he talking to the chamber of commerce and to the private sector about the idea of cybersecurity? because as you heard from marc, one of my takeaways in the 10 years or so i have been involved within cyber within the department, that cyber is the ultimate team sport and if we're going to make this work it's about creating a true integrated team and a set of partnerships that are going to make this a reality. that there's no one single technology that will enable us to guaranty 100% of our security systems. there is no one single group or entity that has all the answers. nor is there one single group or entity capable of executing the solutions that we need to do. it takes all of us working
12:41 pm
together. now before i get into, so what do i think we need to do to work together, let me first start out by thanking the chamber very much, both for your kind invitation today but more importantly for the dialogue that over time you have been a part in helping to facilitate. because this is all about trying to talk to each other how we will figure the way ahead here. to marc, thank you very much for your kind words but more important to me as senior business leader i want to thank you for your openness to consider partnership, for your sense that cybersecurity is of direct impact and concern to the leadership of corporations. i will tell you i can always run, it doesn't matter if it's a military command within the department of defense, whether it's a private company i'm talking to, i can tell which organizations have leadership buy-in and those which do not. and when you don't have leadership buy-in you are fighting with one hand tied
12:42 pm
behind your back. so all of you here today with us who play a role of leadership within the business community, or in the government, i thank you for your willingness to spend some time in your busy lives on an important topic. because as leaders, it is up to us to help drive the change that i think we need. this is much less about technology to me and much more about changing our culture. traditionally, in our nation, we have tended to view the private sector in one arena. the government in another, and the whole question of national security as something that is apart from that in some ways. my argument would be cyber blurs the line between those three groups, between those viewpoints. i view the cybersecurity challenges we're facing as a nation, i view them as a national security issue for us and how are we as a nation going to address the challenge that is
12:43 pm
not going to go away. if we think this is short-term phenomena either of short duration or of relatively minor impact over time, i would argue that we have missed the boat. i see this boat extending for a significant period of time and this will have greater and greater impact on us, both within the corporate sector, within the public sector. you know, as u.s. cyber command one of our jobs is to defend the department's networks, dod. and i will tell you, we're dealing with the same challenges with everyone of you are. every day there are groups, individuals, and nation states attempting to penetrate our dod networks. it is the same thing we're seeing in the corporate world. now you might ask yourself, so what is an admiral doing talking to us? i come here today really wearing two different hats, two different jobs, both related and both applicable to this idea of cybersecurity.
12:44 pm
the first is commander united states cyber command we have three missions. one of which is particularly applicable here. first mission is to defend the department's networks. second mission, is to generate the cyber mission force we call it, the cyber team, if you will that the department is going to use to execute missions over time. the third one, and one that really brings me here today is if directed by the president or the secretary, u.s. cyber command is tasked with providing protection and support to attacks against critical u.s. infrastructure. so i have to be ready, if i get an order, how are we going to partner with our teammates? if there is one thing you learn in the military, you do not wait until the day of the crisis to suddenly say to yourself, boy, i guess we better do some training with each other? i guess we better understand what our partners need and what they don't need and what's effective for them and what is not effective. so we're in the midst of working collaboratively, the department
12:45 pm
of homeland security, our fbi teammates, ourselves, other elements of the government depending on the sector. we're in the process of partnering how we'll work through the details on how we'll exercise and train with each other. so when we're in the middle of that crisis we can really make this work in a real time way. the second hat that i wear, the national security agency, the one quite frankly gotten the most attention over last 18 months has two primary missions. we talked about one of those missions, the foreign intelligence mission. in cyber arena, nsa uses foreign capabilities to attempt to understand what nation states, groups and individuals are doing in the cyber arena against the united states. the other mission set that nsa has, and is also critical here is information assurance. nsa is tasked under its information assurance mission with not only defending the department of defense systems and as well as helping to
12:46 pm
develop the standards for systems. we do it with the federal government and increasingly, we find ourselves called on by our dhs and fbi teammates to provide capability from our cyber expertise to support the private sector. that is not going to slow down. that is going to increase. you can pick up a newspaper. you can get on your favorite website. you can blog on whatever particularly interests you. you can go to whatever media outlet that you find as the best source of your news. and every day you will find something about a major cyber incident. this is not a short-term phenomena. later today, you will hear from senators feinstein and chambliss. and i think the role that they are playing in attempting to generate legislation to help the private sector deal with the very real and very legitimate concerns about legal liability, that's critical for us. because, if we don't help
12:47 pm
address that very legitimate concern, that i think for many of you, than i think many of you in the private sector, that's a real challenge for you, for timely information-sharing. as, director jim comey, director of the fbi, in a private life he was general counsel for the largest brokerage firm in the united states and general counsel for the largest defense contractor for the united states and i will often ask jim, jim, when you were a lawyer working up with the board and with the c-suite what was your recommendation? generally what kind of advice were you giving the leadership? he doesn't hide the fact, hey look, i would always tell them, be very mindful of liabilities here. that you have to be very careful, that if you're not careful, potentially we, the corporation are going to be setting ourselves up for major financial liability, potentially impact on market share and our business and our image. we have got to remove those very
12:48 pm
legitimate concerns and address them. in the end, what we've got to get to i believe, real-time, automated machine to machine interface. now, we need to clearly define in advance just what information are we going to share. putting on my nsa hat i do not want privacy information in this because quite frankly it creates challenges for me because under the law anytime i start dealing with privacy information for u.s. citizens i have very specific restrictions what i can do and can not do with it and very tight controls. so my input to this has been, we do not want privacy information here. that will slow us down. that is not what the focus of cybersecurity is. what we need to share with each other is, i need to be able to provide from the government standpoint, putting on my hat as a national security agency, what i ought to be able to provide is actionable information that you can use that gives you insights as to what is the malware you're
12:49 pm
going to see, how is it going to come at you, what are the indicators that you should be looking for in advance that would suggest to you, that activity of concern is coming, and i ought to help you identify so who is coming after you? what i need from all of you is, i am not in your systems and nor do you want us in. i need to understand what's the malware you're seeing. what have you done with your system configurations that worked, what didn't work? what did you anticipate and what did you not anticipate? collectively between us we need to share it, we need to share across the entire sector, what marc said i really agree with, insights of one can translate to the defense of many. that is a great value to us as a nation. we need to come up with a system that enables us to do this in a real-time way. the only way to do that in my mind is, the legislation that you will be talking about later today as well as sitting down in
12:50 pm
a partnership and walking through exactly what elements of information are you comfortable with sharing, what do you feel you need from us that, the government, likewise i would like to have the same conversation with you. here are elements of information that would help us. here's what we're comfortable with sharing. i have got to do, and i say this as an intelligence individual, i have got to do this in a way you can actually use it, and not, well, i will classify this as level that makes it unworkable for you. that is not going to help anybody. so we'll be working our way through that process, but the key to it is going to be dialogue. the sector construct if you will that has been developed over time, i think is very powerful. if you are not engaged, in the sector construct in whatever area of business you are in, i would urge you to consider doing that. that helps us from a governmental standpoint. now we've got a framework within a particular sector that we can
12:51 pm
deal with. we have tried at times, trying to simultaneously work across sectors. i would tell you that has proven to be complicated and what is applicable and important in one area, quite frankly a different sector will look at us, hey, that is interesting but really doesn't apply to me. or i'm not particularly interested in that. that is not really how we're constructed. so the sector piece has been very powerful. i think one of the things we need to do on the government, we have got to simplify this. i am constantly, as a part of that, telling my peers at the senior levels, we have created a structure that is in part so complex if you're outside the government it is incredibly cumbersome and difficult to understand it. if we're honest with ourselves. that is not because people aren't working hard and it is not because they're not motivated to do the right thing. because we have tended to do this incrementally over time. what i think we need to do is a fundamental look, how do we
12:52 pm
structure the government side in a comprehensive way, that makes your from the sector, makes it easier for you, and at the same time, makes it easier for us, because as you heard marc say, many times right now, this information is based on information sharing is based on personal relationships, personal knowledge. limited awareness. hey, i know this but i don't know what else is out there. that's true for all of us. we have got to try to simplify that. so that's one of the areas we'll be working on. with that, what i would really like to do, i tend to use questions as a way to try to make some broader points. i'm much more interested in what is on your mind. so, if you're ready we'll do the questions. >> have a moderated discussion. we have collected some questions earlier. >> can i steal one of the waters? >> absolutely.
12:53 pm
there you go, sir. we collected questions earlier from the audience. i will take a few of those so we'll go to the audience as well. so get your questions ready. we have mics that will come to you. if you could identify yourself and what company you're with before you ask your question, that would be great. so one of the things we've been talking a lot about, how do we punish bad actors stealing company's ip and committing crimes? some private companies are really becoming more vocal about the need to actively defend themselves against cyber attacks in the absence of state support. is this something the private sector should do or exclusively the responsibility of the government do you think? >> well, first, we have a legal framework and you've seen that. we've seen five individuals from a nation-state indicted. we have a legal framework how we as a nation address criminal activity. you know i often get asked this question about, put another way, cyber mercenaries. well, should we go out, as the
12:54 pm
private sector should we go out and hire individuals to conduct what we in the military call offensive operations, to try to stop through the use of tools, nation-states, groups or individuals from conducting these attacks against us? again that's something, it is a broader policy issue. so we'll work our way through it. my input for all of you, be very careful about going down that road. it really potentially opens you up for a whole range of complications. if you think you have legal liability concerns, from sharing, in part as a non-lawyer, i would tell you, wow, think about the legal implications of this. i'm not a lawyer so i would be first to admit i'm not the smartest one about it but in general i would urge be very careful to going down that road. >> how do we give attribution with these so-called bad actors. >> to me this partnership becomes very powerful. because that information sharing
12:55 pm
between us, so what is the attribution? based on our competence and knowledge of that, what are the options available to us that just, information sharing increased knowledge gives us a whole greater range of options to consider. >> another question was talking about definitions. we have different domains, air, space, water. one of the questions, does the defense department have definition what constitutes use of force in cyberspace? will the definition be the same for activities in cyberspace and as well with other nations as well? >> we have a legal definition under law of armed conflict and law of warfare what is a military act if you will. we're working our way through a broader policy debate so, what is the extent of those rules to the cyber arena? we have done, with very definitions for what is offensive versus what we call it, defensive responsive action and we have definitions for all
12:56 pm
of that. broader issue i think is a society, we're trying to come to grips with, so we see all the activity directed against corporate networks, governmental networks, us as private individuals. what's the right response? i think the broader issue behind the question really. so what's the right response to this? what i hope we can develop over time is a set of norms and rules to get us into area we have much better definition of what is acceptable and not acceptable and even into the idea of deterrence. right now, if you're a nation-state, if you are a group, if you are an individual my assessment is most come to the conclusion this is incredibly low risk. that there is little price to pay for the actions they're taking. i agree, most look at it, in light of that feel they can be
12:57 pm
pretty aggressive. that is not in our best interests in the long term as a nation, for others to have that perception. we need to try to change that over time. >> i have one more. folks, if you have a question, please raise your hand we'll bring a microphone to you. we have one right up here, tom kuhn from eei. can someone bring him a microphone? >> [inaudible] >> i will ask mine first then. one of the things we were talking about, is the chinese, and russia as well, it was mcafee that conducted a survey of cyber experts around the globe a few years ago when cyber command was first stood up and they asked americans who do you fear most? the americans said the chinese. they asked everyone around the globe and everyone around the globe said americans. wonder what your thoughts are? >> we have clearly articulated as a nation, like every nation
12:58 pm
in the world we use a broad range of tools to better attempt to understand the world around us. the biggest issue we raised, hey, in the cyber arena, we do not use power of nation-state to use cyber as a tool to insights and foreign competition to share with cyber sector to gain competitive advantage. we do not do that in the united states. many other nations in the world do. some publicly acknowledge it. many do not. and you can see we've been very vocal with our chinese counterparts this is of concern to us. that we view this as behavior that is fundamentally incompatible with the relationship we want with the chinese. and so, we continue to work from policy perspective. you've seen the legal action we've taken. we work our way through it. my only argument would be wow, i certainly understand it. as intelligence individual i will tell you we're more subject
12:59 pm
to more oversight and rightfully so because of the way we're structured. we have more oversight congressionally and legally than most of my counterparts around the world. that is not a complaint. that served us as a nation incredibly well. because as a nation we want to be comfortable with what we are doing and why we are doing it. so i view that as a strength for us. >> thank you. tom? >> admiral, tom kuhn from the electric power sector and former navy lieutenant. so great to see the navy in charge. >> i knew you were a good man. >> in the electric sector i think we do have a very -- ceo led effort going on with the department of energy and department of homeland security, with isac, with electric sector coordinating council and we're focusing on tools and technology and you're providing us some very good detection technologies. i think we have a lot of good information-sharing going on.
1:00 pm
hopefully technologies will help us get more machine to machine stuff going. >> light. >> and on response and recovery and on the latter ones since you are from the military, i think one thing we don't do that well maybe in the private sector, is the actual drilling of exercising of response and recovery plans. i wonder if you might give your thoughts about how we might be able to do that more often. obviously with the participation of our sister agencies in the government, very important part of that equation? >> so, if i could, i will do that in two parts. first, tom, not one you asked but just reminded me. one of the things i hear in the power sector, down in san antonio talking to nerc last week, as a matter of fact. one of the challenges in the power segment and what i hear from corporate leaders is, hey, admiral, you need to understand
1:01 pm
some of the constraints we work under. we're a regulated industry. . . as well as the private sector individuals and organizations i deal with. we have got to move from a focus where almost all the resources
1:02 pm
are stopping someone from penetrating the resources to the acknowledgment that there is a likelihood that despite the best efforts we are going to fail and therefore the remediation is really critical. and i have had to defend networks against the determined opponent who got inside of the network. it's one of the best i had in my 33 years commissioned officer trying to anticipate what we were going to do to drive how we were going to respond and just try to drive them out. one of the takeaways i told our team was we have to learn how to continue to operate a network even as you are continuing to fight it as an intruder because often times what i hear is the answer is just shut it down and i'm like you have got to be kidding me. do you know what functions this executes from day to day on our ability to execute our mission
1:03 pm
i'm not going to take mission failure just by shutting down. that's not the answer in most cases. so, i think we need to shift the focus on remediation, mitigation. how do you fight through a network that has been compromised in one of the things i said in my comment is on a sector by sector basis, how can we look at doing that? one of the things i have said in peace tabletop exercises in the coordination it should not be done at my level. where we really generate value is at the level of the men and women who are doing the work. that is what we have to get to. it is not a self-taught cabinet heads, agency heads meeting with ceos. not that that's not a part of it, but we have to get to an actual level and so i'm always looking at the private sector how can we help with that and what's the right level for you.
1:04 pm
what does that mean? i know what that means in the department of defense and in the government but i don't know what that means. i would be curious what you think that means tom. >> on the hurricane response we also have a good mutual assistance program, so where the companies come to help each other and hurricane cindy we got together an army of 67,000 people from all around the country with the help to get that done so that level is important to have those and we've done them pretty well. during a cyber attack there's going to be a lot of things happening in the upper level in terms of coordination at the highest levels of government and in terms of media and
1:05 pm
congressional interest and governors that say there has to be a lot of coordination. so there is a couple of different tabletops that have to be done at the operating level lighting candles one that would've made the practice of coordinating some kind of those activities as well. >> i agree with you and i apologize if i came across not embracing that. it is a multifaceted problem. there are so many different levels and complexities we have to step back and look at this holistically. it's not just a technical piece and i see that so many people just want to focus on the technical pieces. we have to think much bigger than this. >> following up on that, more of a human component and we are talking about in 1994 they wrote a story about the internet and no one had heard. they put it on their cover and described what it was. if you think about the terms for
1:06 pm
twitter and youtube and tweeting what will be the next generation of threats? >> it will be the digital handheld device that becomes a major frontier both its application and use and increasingly look at other it's in the business, the military, us as individuals. look at the series of actions and steps that you're taking in your everyday life corporate or individual with the mobile handheld digital device. but increasingly it's just becoming the norm and back to that to me is the area that i like to as i look out five, ten years, that is what concerns me. we have tended to focus on the fixed networks, large corporate-based
1:07 pm
governmental-based. >> and the internet of things -- >> i consider it all digital. >> question over here. wait and they will bring you a microphone. >> i hear the lights are pretty bright in your eyes. >> i guess my question in the energy sector we don't differentiate between physical threats and cyber threats and we actually drill in the assumption that they will do both at the same time in the sophisticated attack. to be quite frank the military response and its own protection seems to be focused in isolation as the tactics for dealing with the idea.
1:08 pm
and i wonder if you can talk to that a little bit because i think as tempting as the isolation is as a strategy for response, it also potentially makes security a lot more difficult if you have the little webs and individual graves all over the place. so i don't know if you can talk a little bit about the isolation. >> isolation works at a tactical level for the immediate short-term period. it's not in the long run the comprehensive sustainable strategy. it's not a bad thing at the tactical level if you look at it in the base and installation as opposed to the entire grid or sector of the construct. rather than isolation how do we do something in an integrated
1:09 pm
way isolation is difficult to sustain over time in the strategy particularly if you have the high power requirements the director of the nsa have the huge power requirements in the power i agree with your fundamental premise that challenge how can we starting from that sector perspective have a conversation about what is the right response strategy and are we comfortable with this idea that we want to go to this isolation. that is the best response in the long run. we have a baton handoff as some members have asked.
1:10 pm
and likewise the question about the tabletop exercises. the outstrips on their ability to keep pace we know that there are partnerships with the dhs and other agencies. when would the nsa step in and what is the policy thinking, what would that look like? >> the most likely scenario is the cyber command in the dod. our mission will be to attempt to interdict before it ever gets to that network entity, before it ever gets to that company. that is our primary strategy and that is what the dod brings to this. a subset of our strategy is if
1:11 pm
we should fail in that regard we've also developed some defensive response capabilities we can deploy to partner with the dhs and fbi and private sector so how do you radiate and mitigate and if you fail how do you remediate and how do you mitigate that is a legal call again to be cast and that's what the president requested the secretary of defense to do. so there's a policy debate and legal debate and that is one of the reasons why in my initial comments i talked about this as a national security issue. when you have a national security issue within the capabilities of the dod and the application are very much keeping with our broader policy and legal structure as a nation. if we are going to view this as a private sector issue, then traditionally do you really want
1:12 pm
the dod or by extension the government involving themselves in this? that's why it's very important and there will be a discussion about the refocused critical sectors is it any private entity for the federal government we have defined approximately 16 segments being the critical infrastructure that would have significant degradation without significant national security impact. so my training that we are developing the cyber command is be prepared to apply the capability in those segments if directed by the president and secretary. >> thank you. >> so october is cyber security awareness month according to the department of homeland security. the past few months they've been going around the country and as you can imagine very different
1:13 pm
audiences. i think a lot of the folks in washington are well-versed in the framework when we were in phoenix and chicago and so we are spreading the word with that working with the white house and the dhs and speedy with them. the question is that's great. we have a month designating the fall but what else do we need to do. when you look at the ice bucket challenge and how quickly that went viral what can we do to jumpstart people paying attention to cybersecurity more? >> what is the tipping point? what does it take when it gets so bad that we finally say okay, enough, we have to get the legislation piece out here and put those partnerships in place. the status quo isn't working for us. for whatever reason it doesn't appear yet that we have reached that point. in no small part i think because
1:14 pm
for many of our citizens it hasn't reached a true pain threshold. so someone steals your account information or credit card data, charges on the card right now citizens if you report this to your bank, we are not paying a price. the corporate sector is assuming that liability covering it. the point i often think about is once this becomes something that really impacts a broad swath of our citizens is very real and impacts their daily life as their ability to do what they wanted when they want, then watch for a whole shift in the way that we are talking about this. my frustration is that it should not take a disaster so to speak to tell us that you can see this coming. every one of us intellectually knows that this is a significant national security issue that is not going away and it is likely
1:15 pm
only to get worse. so, we can either deal with this now in a collaborative and professional way or wait until we get hit with a two by four across the head. they find that to be a painful experience. move from the dialog to the concrete steps of how we are going to make this real and how we can work comfortably high and the private sector, government and a broad swath of government. one of the comments i make right now is we are asking the private sector to withstand the efforts of nation states against them. but that is asking a lot of the private sector. and i think that you've seen this reflected. we've come to the conclusion that this is about partnerships and we have to be able to provide the government keeps the body and capacity to support the private sector and that likewise
1:16 pm
went into private sector to provide the capacity and capability to make this work. they ought to deal with this. they argue it is a governmental function they ought to deal with this. i think the reality is between the viewpoints. the intelligence and insight it takes a partnership and you have information i need and i have information that could be of value to you. >> you have not one of the toughest jobs but two of them as to have them as a cyber commander and the head of the nsa. what do you think your biggest challenge is and where do you go
1:17 pm
from here with the cyber command and working with the private sector? >> for the u.s. cyber command my biggest challenge is creating a culture and building a framework for the future. so as a matter of fact on friday -- in the scheme of things and the department of defense for years is not a long time so there's a lot of organizations that have a longer history than we do. but to date predates that workforce, build the command and control how we are going to employ it and then exercise it with our partners in that apartment and out on how we are going to make this work on the execution level of the detail. what you need from us and we need from you, how we are going to share it and what generates the value because the answer to this problem is and while i'm just going to give you everything we have.
1:18 pm
i don't want that from you and i don't think you want that from us because we can bury each other with data. i'm always looking at putting on my intel hat, but what i care about is insight and knowledge. i use the data as a tool to get there but the data in and of itself is not the end-all and be-all. what we have to share is knowledge and insight. >> wait for the microphone to get to you please. >> i can't see through the lights. >> sure. my question is you talked about the importance of the information sharing and sharing of the legislation. one of the big criticisms by some particularly is these bills allow you to get the information and they would like to have some
1:19 pm
use limitations. how do you get around that? >> i don't want privacy information. it creates challenges. it slows me down. for this mission not a good thing for us. it's not what i'm interested in. what i would like to have is a discussion of what is the information that we want to share with each other. and what is the value that that information generates. but this idea that inherently you can't trust -- fill-in the blank -- that we don't trust each other so among the things we need to address are the controls and oversight mechanisms we need to make any place. what is the civil privacy and the role of the inspector general's we have is we have a inspector generals in the private sector and the public governmental sectors we have lots of mechanisms of the
1:20 pm
oversight and control of information and we need to make that a part of this. i'm not interested in anybody writing a check for the u.s. cyber command or the national security. and i bet you my partners were to tell you the same thing. remember dhs is the leader. in military jargon they are the commander and we are supporting them under your hat, cyber command or nsa. we partner with others in the federal government in addition to the dhs, fbi depending on the treasury, segment, that work in the energy segment, we partner with others. u.s. cyber command. we are not the lead in the agency. we partner with others. >> we have time for one last question. can you wait for the microphone to get to you?
1:21 pm
there have been some reports recently about the nsa working part-time. >> there've been reports recently about employees in the nsa working part-time and some former employees going on to the private sector. how is that affecting the morale in the nsa and is there any concern about that particular relationship and classified information sort of jumping from within the borders of the nsa. >> we have processes that must be applied when individuals are going to do something in addition. we do that consistently over time and when circumstances change, what was acceptable at one point we say it's not acceptable. to change the nature of the relationship is different so we
1:22 pm
do that in a recurring basis. with the language background they say look i want to use my language outside nsa on a contractor basis because i think that it will increase my skills and so we would say yes that makes sense and sometimes we don't. in terms of the flow of partnerships and information back and forth, i've been very public about saying for the national security agency i would like us to create a model where the members of our workforce don't necessarily spend 30 or 45 years working directly for us which has been the historic norm. it's amazing when i say tell me how long you've been with the nsa. 30, 35 years, 38 years. i said goodbye to an employee after 50 years. what i've talked about is particularly given the state of the technology, we have to create a world where people from
1:23 pm
nsa can leave for a while and work in the private sector. i'd also like to create a world where the private sector can come spend a little time with us because one of the challenges as a nation that we are dealing with and you have seen this play out over the last year or so in particular. we talk past each other a lot because we don't understand each other. the culture and experience isn't optimized to understand the concerns many of which are very valid from the it corporate partners and likewise many of the individuals that work in the corporate world don't have an understanding of us and i would like to see what we can do to change that because i think it will prove better outcomes for both of us and serve us better as a nation. so thank you very much. >> thank you for your time and all that you do. we look forward to working with your team and hope you will come back. >> let me conclude i thank you for taking the time from the
1:24 pm
very busy personal and professional lives to be part of a dialogue. it won't be just today, tomorrow, next month that being part of the dialogue to address and i would argue for our friends and partners all over the world cyber doesn't recognize geographic boundaries very well so the idea that we are going to deal with this in america for example i don't think that is a winning strategy it starts with a willingness to have a dialogue. and i'm starting from the position of you were in the private sector and all about money so i don't know that i can trust you like a military. or the private sector says you work for the government and i don't know that we can really trust you.
1:25 pm
that isn't going to get us where we need to be as a nation. that isn't going to provide the protection that our society whether the private sector, government or for us as private individuals that isn't going to generate the outcomes that we need. this is a team sport that will take all of us and it starts with an open relationship and a willingness to be open with each other. >> we are going to pause for a couple of minutes and start with the assistant attorney general. so please stay tuned.
1:26 pm
[inaudible conversations] [inaudible conversations]
1:27 pm
[inaudible conversations] a five-minute break in the cyber security summit hosted by the chamber of commerce taking place here in washington, d.c..
1:28 pm
we have more campaign 2014 debate coverage coming up for you. here's the lineup for tonight on the companion network c-span. at eight it is a debate between candidates for new jersey's next senator. incumbent cory booker up against jeff bell. at 9:00 we go to south carolina for another debate. it's that state and it's the republican who is the incumbent, senator scott being challenged by democrat joyce dickerson. follow c-span for campaign 2014 as we bring more of the 100 debates for the control of the congress. stay in touch with coverage and engage on c-span. you can like us at facebook.com/c-span. here's a number of debates that we also have. it is the debate for the tollhouse district candidate republican congressman seeking re-election against rick allen. at 8:30 is north to pennsylvania as we bring you candidates that
1:29 pm
represent the state's sixth district. then at 9:00 we will show a debate in the race for the second house district in maine and wrap things up at ten eastern with the new hampshire first district house debate. again, that is our coverage for the companion network c-span and here on c-span2.
1:30 pm
[inaudible conversations] [inaudible conversations] on the screen now is senator saxby chambliss the vice chair of the senate select committee on intelligence. he will sit on a panel with the senator dianne feinstein who is the chair of the select intelligence committee, and they will be talking about how congress will deal with cybersecurity legislation this year. whether or not they will approve it. that is one of the events coming up. we are also next going to hear a discussion on sharing cyber
1:31 pm
security threat information and combating cyber threats to national security. [inaudible] we are fortunate to have the next speaker with us. john is the assistant attorney general for national security at the department of justice. he most recently served as the principal deputy assistant attorney general and chief of staff at the national security division. he provides a strategic legal advice to the senior doj leaders and coordinates national security missions across all of the government. he oversees and manages the spectrum of the division's work. so how did he get to this this but the just position? a few things his college thesis was on shakespeare as a political philosopher which i thought was interesting. after graduation he spent a year as a program manager at an
1:32 pm
organization dedicated to the expansion of freedom around the world. he also ran a successful 1996 campaign for the new york city council and then he went to harvard law school and after that he joined the justice department as a part of the attorney general honors program which brings top law school graduates into positions at the doj. mr. carlin served as the chief of staff and senior counsel to the fbi director where he spearheaded the high projects and advised the director. the career federal prosecutor, mr. carlin served as the national coordinator of the computer hacking and intellectual program. that program focused on cyber crime and intellectual cases and handle the complex issues arising from collecting digital evidence. he is also a five-time recipient of the department of justice award for special achievement. john has a reputation of trying to stay out of the spotlight and the news so we appreciate him being here today and we are
1:33 pm
pleased that he accepted our invitation. i'm sure you will find him to be very candid and thoughtful and we appreciate all that he's doing at the doj. please have a warm welcome to the assistant attorney general john carlin. [applause] >> thank you for your warm introductions and inviting me to the annual cyber security summit. we all benefit greatly from the leadership especially in promoting the chamber of commerce role in the national security. in establishing an annual gathering focused on cyber security challenges, the chamber of commerce continues to demonstrate its commitment to keeping the nation secure and lower the barriers for the businesses to compete fairly in our global economy. the fact that this is your third annual cyber security summit is a testament to the growing magnitude of these threats and your commitment to make cybersecurity central to the business plans. this is an important business
1:34 pm
issue and one that i know the chamber has exercised as a part of its national cyber security awareness campaign which kicked off in may. in the campaign roundtable events that occurred throughout the country the chamber stressed the importance of the cyber risk management and reporting cyber incidents as to the law enforcement. i couldn't agree with these two recommendations more. today's event is our opportunity to discuss how we can take the steps and others to best protect ourselves and to the nation. cyber security threats affect us all and they affect our privacy, our safety, and our economic vitality. they present collective risk and disrupting them is our collective responsibility. the attackers we face range in sophistication, and when it comes to the nation states and terrorists, it isn't fair to let the private sector face these threats alone. the government ought to help. we do and we need to do more.
1:35 pm
at the national security division we focus on tackling cyber threats to the national security. in other words those posed by terrorists and nationstates. i will talk a little bit later about how we have restructured the division to focus on bringing all tools to bear against these threats. likewise, chamber members have an important role to play in our strategy. you are living through the consequences with alarming frequency. according to brookings, 97% of the fortune 500 companies have been hacked. pricewaterhousecoopers released a report that found the number of detected cyber attacks in 2014 increased 48% over 2013. as fbi director james comey noted there are two companies in america those that have been hacked and those that don't know that they have been hacked.
1:36 pm
so we are on notice and we are all targets. i would venture to say that everyone in this room has been affected by a cyber security breach. at best a minor inconvenience, reissued credit card, at worst a devastation to the company's reputation, loss of customer trust and injury to your bottom line. without taking proper steps it is a question of when and not if the public major breach will occur. with that will come questions about whether you did enough to protect your company, your customers and your information. have you thought ahead to the day when you will have to face your customers, employees, board and shareholders when you have to notify them that somebody has infiltrated your company and stolen your most valuable and private information? if that day was today could you
1:37 pm
tell them that you've done everything in your power to protect your company's future? had you warned them of the risk would you be able to say that you have minimized the damage? do you have a plan? it is a daunting scenario, so there is no surprise that surveys of the general counsel around the country identified the cybersecurity as the number one issue on their minds today. the surveys also show that over a quarter of the fortune 500 companies still don't have an established response to the cyber intrusions. this is a risky business and we know that we will never achieve the defenses that will remain vulnerable. but you can take steps to mitigate the risk, protect yourselves and companies and ultimately the cybersecurity of the united states. we've identified four essential components of the corporate cyber risk management.
1:38 pm
first, equip and educate yourself and make sure that you have a comprehensive cyber incident response plan and review it. i've spoken with many ceos and councils that have not reviewed or cannot decipher their companies plan. these are risk management decisions and we can't manage the corporate risk if we don't understand it. who is involved and who needs to be notified in a major breach and what will you disclose and when will you notify the client, law enforcement and the public? second, note that your contacts create risk. actors can exploit outside vendors no matter how easily and your defenses may be unique to worry about those outside the company that you do business with and consider guidelines to
1:39 pm
govern the access to your network and ensure that the the contracts require vendors to adopt appropriate cybersecurity practices. third, protect your bottom line. companies are increasingly considered on cyber insurance and you should consider how this may fit into your risk management strategy. cyber insurance may offer some financial protection and also incentivized companies to audit the defenses. finally do not go it alone. some of our attackers are linked to deep face military budgets and resources and when they are it is not a fair fight to take on alone. we must work together so it can be one more component of the risk management strategy. as more breaches are acknowledged, the public will ask how quickly and effectively you responded and asked leaders will have to answer to the shareholders, board members, customers, the media and the public. you will want to say that you
1:40 pm
did everything you could to mitigate your financial loss and your reputation will depend on it and we can help. we may be able to take actions to disrupt and deter. you are on the frontline of the battles but we are with you. we are committed to working with you to protect the networks, identify the perpetrators, disrupt their efforts and hold them accountable. at the department of justice this is among our top priorities. at the national security division we recently appointed new senior leadership to strengthen our capacity to protect our national assets from cyber attacks and economic espionage. we created and trained the nationwide national security cyber specialist networks to focus on combating cyber threats to the national security. these are specially trained
1:41 pm
prosecutors in every attorney's office across the country. and as the doj we will follow the facts and evidence where they lead, whether to a disgruntled employee or a lone hacker to a syndicate in russia or yes even a uniformed member of the chinese military. indictments and prosecutions are a public and powerful way to which we the people governed by the rule of law legitimizing to prove your allegations. as attorney general holder said in may, enough is enough. we are aware of no nation that publicly states the information or commercial gain is acceptable and that's because it's not. nevertheless in the shadows some encourage and support corporate theft for the profit of state owned enterprises and we will continue to denounce those actions including by bringing criminal charges and we won't stop until
1:42 pm
the crimes stop. a core part of the response must be disruption and deterrence to raise the cost to people that commit these and to deter others from emulating their actions. of course we recognize that the justice system is just one tool in our toolbox and in addition to prosecution we are working in conjunction with partners to explore how to play the designations and other options to confront the challenges. these changes help us fulfill our responsibility and help us work with you because we rely on cooperation to bring the cases from identifying the malware and its functions to pinpointing the location of the servers come in demanding botnets and removing the malicious software from computers.
1:43 pm
take as one example last spring's takeover of that description a big success for our colleagues in the criminal division. this wouldn't have been possible without close cooperation. as the fbi put it, it was the largest fusion of law enforcement and industry partnerships ever undertaken in support of the fbi's cyber operation. across the international boundaries and affected hundreds of thousands of innocent users computers. we recognize one of the best ways to protect the nation is to support you in your efforts. that's why in 2013 federal agents informed over 3,000 companies that their computer systems were hacked and that they are working to provide the additional information as much as they can about the who and the how and every day the fbi works with companies targeted by the activity ranging
1:44 pm
from the low-tech denial of service to the sophisticated intrusions by state-sponsored military support units. we are not limited to helping in the aftermath of an intrusion nor do we see our role as only a collector of information we also share sensitive information with you so you can defend against the attacks and engage in the disruption efforts. in the past year alone the fbi presented over 3,000 -- three dozen specific briefings to companies like yours. the information we share may enhance your ability to detect future intrusions, and your engagement with law enforcement can help connect the dots between your breach and a broader threat. we may be able to help identify what was stolen, locate the perpetrator of the attack and in certain cases mitigates the
1:45 pm
effect of the past intrusions. given the importance of the cooperation the department of justice is committed to lowering barrier of sharing information through extensive meetings which are in-house legal teams and learn what you perceive to be the hurdles to the cooperation and we are working to address them as we can. we clarified certain laws and antitrust statutes are not impediments to sharing information with the government. we understand trust on both sides is an essential predicate and about our work with you we've been striving to protect the sensitive data including trade secrets, details of the architecture and the personally identifiable information. the bottom line we can help you manage your risk and you can help us keep our nation safe. the commission concluded recently in its ten year
1:46 pm
anniversary report that we are at september 10 levels and preparedness and they warned that history may be repeating itself in the cyber realm. we must stand together to keep that from happening. we also prepare ourselves for data that we can see coming over the horizon. if we think about the tools for cyber criminals use, the intrusion software affecting millions of computers, botnets used by criminal actors the tools are generally used for financial gain but it doesn't take much imagination to imagine these tools can also be used to disrupt or destroy. terrorists have stated that they want to exploit the vulnerabilities to harm our way of life. al qaeda announced its intent to conduct civilian attacks in the
1:47 pm
financial system. in the department of homeland security, recently confirmed that the investigating the two dozen cybersecurity medical devices and hospital equipment that could be exploited to injure or kill a patient with a few strokes on a keyboard. the threats are real. we know the terrorists have the intent to acquire the cyber capabilities and that if they succeed in acquiring them that they won't hesitate to deploy them. it's a race against time and one with high-stakes consequences. if the department for also looking at the gaps. most were not written with cyberspace in mind and they don't contemplate the access of the extraterritorial crimes. they don't facilitate the multijurisdictional and they don't empower us to bring the authority to bear swiftly and effectively. we are committed to working with
1:48 pm
the relevant law or rule makers that support not a rising of the law. the cyber legislation in several areas including information sharing is needed. i want to conclude my remarks by discussing the perceptions of being hacked. among the consumers there is a growing understanding that companies are going to get breached but that doesn't mean we turn the other way. there is a downside to taking the approach to the cyber threat. consumers expect companies will adopt industry standards and when these intrusions happen as we see the consumers expect companies to respond promptly and acknowledge the intrusion publicly and cooperate with law enforcement to mitigate the damage. the chamber of commerce and its members are uniquely positioned to drive the corporate change to ensure that the companies and partners treat the cyber breach as much as technical problems
1:49 pm
come into recognize that security operations are not insulated from the business operations and to discuss to the boards and employees and industries the importance of cyber security risk management. as we face ever more threats in cyberspace which incorporate the public-private cooperation into the toolkit the threats are not but threats are not letting up and neither should we. thank you very much for inviting me. questions for mr. carlin? >> lefty rely on you. >> i had. >> i had a radio show at the national press club on climate change. in my radio show i deal with a lot of ngos that don't trust the government and when they see the
1:50 pm
government partnering in the private sector, they get really nervous. ideally there was a chamber of commerce that hired a number of offensive cyber firms to engage in the cyber attacks against some of these ngos. i don't know that the department of justice or anyone else in the federal investigated or prosecuted that. i'm not sure on the liability repercussions. and it is really thick among the community working on the climate change into a lot of other things when we consider the full weight of the government and the private sector standing on our backs. what i would like to know if have you considered that the federal government might reassure all americans that it's working to protect everyone and not protecting members of the chamber of commerce when things like this happen.
1:51 pm
>> at its private consumers, companies or nonprofit organizations, and in fact we have seen too often got they are targeted on the cyber attack b-day by the nationstate adversaries or criminal groups. and so i would encourage those who are -- who suffered a breach to come and work with law enforcement as the crying as they would have in any other circumstance. and we would be happy to work and are working on cases like that all across the country >> other questions on today's topic if you would please >> politico cybersecurity. you've spoken in the past on the indictment of the chinese
1:52 pm
officials and all of the government approach. the problem in those remarks it was promised that this is not the end, this is a new normal. what are the type of circumstances that will lead to more aggressive movements by the government against the nation-state? what types of things are sort of the threshold to see more of the tools being deployed? >> i think for too long when it came to the nation-state actors there was a lot of good work being done on the intelligence side of the house to find out what was going on. but for too long on the criminal side of the house, we were not working day in and day out to see whether or not it involved the nation-state actor that we could bring appropriate criminal charges and that's why in 2012 we started the national security network and how the prosecutors trained all throughout the country on both have a handle on
1:53 pm
the one hand and the complexities of the electronic evidence and on the other hand how to deal with the sensitive choices and methods and expertise the prosecutors have been bringing to bear. now that people are looking at the cases in that manner and the fbi is regularly sharing intelligence with the specially trained prosecutors, the case will be brought and we proved that was the case by bringing the case against the members of the liberation army 6198 earlier this spring. the prosecutors and agents continue to work and we will see additional cases because the crime continues of stealing the economic information. at the same time, we need to look with our partners and our developing sentience from the department of treasury, commerce and to the designations bringing
1:54 pm
suit to make sure that we leave no tools in the toolbox grade we bring everything to bear to increase the cost so at the end of the day those that have information from hard-working american businesses and customers decided that it isn't worth the risk of getting caught. >> john with american express. thank you for coming today. can you shed a little bit of light on the impact of some of the latest takedowns? and in partnership with some of the private sector community to affect that? >> once again, that is an example of a takedown where several things were happening at once. the unique action inside the united states in order to disrupt the command-and-control servers that keep them from sending the commands.
1:55 pm
you need the cooperation of the partners because many of the servers and the infrastructure so that they could simultaneously take action and to the extent that we could and we did, you need to find attribution of the bad actors responsible working with the countries to bring them to justice. that collaborative action that took place in the u.s. government, foreign government abroad into the private sector was able to the thousands of computers that had the malware on them and bringing to the individuals to justice. that is the type of action that cannot take place without the help of the private sector into the private sector was essential in the speed with which you are able to remediate some of the damage to some people's computers and that is what i think bob anderson referred to in the future.
1:56 pm
can you go over some of the challenges that you have with the obtained digital evidence? i know in the metropolitan area there are a few organizations with the exception of the local fbi agency that has the ability to gather the information that is to maintain it and keep it secure. so what are some of the challenges that you have in the country? >> it is a challenge. we've proven to that they can't. there are cases where we can have attribution and we know that person involved.
1:57 pm
with that said it's a difficult case in part because the difficulties of gathering electronic evidence and that's true domestically let alone the challenges of gathering electronic evidence outside of the reach of our orders which require close cooperation with our foreign partners. and i think that we have come a long way in that regard proving we can bring some of these cases but we need to go further and continue to work on developing those relationships with our partners and making sure that they have parallel statutes on their books that allow us to acquire electronic evidence and further that criminal investigation. >> thank you very much for coming here today. we appreciate the good work of view and the team. >> thank you. i look forward to working with the chamber of commerce in the future and as i worked together
1:58 pm
on this joint threats. thank you. [applause] we have senator feinstein and senator chandler -- senator chambliss. [inaudible conversations]
1:59 pm
[inaudible conversations] ..
2:00 pm
to find some common sense solutions to the problems facing california and the nation. since her election to the senate in 92, she has worked in a bipartisan way to build a significant record of legislative accomplishments. which include helping to strengthen the nation's security both here and abroad, combating crime and violence, battling cancer and protecting resources in california and across the country. in the 111th congress, she assumed the chairmanship of the senate select committee on intelligence. where she oversees the nation's 16 intelligence agencies, and i should point she was the first female senator to hold that position. it is also my pleasure to introduce the honorable saxby
2:01 pm
chambliss. in 2008 saxby chambliss was elected to serve a second term in the united states senate. georgia trend magazine which has been sizzling named him as one of the most influential georgians calls him a highly visible and well respected presence in washington. and it says he has a reputation as an affable but a straight talking lawmaker. georgia trend named senator chambliss as georgian of you. his leadership and expense of homeland security and intelligence matters during his tenure in the house of representatives earned him an appointment to the senate select committee on intelligence where he has served as vice chairman since 2011. he is a strong advocate for improved information sharing and human intelligence gathering capabilities and the topic will get into your. again, thank you both for joining us. i was sharing with the senator feinstein, which all have, our propaganda if you will.
2:02 pm
i thought we could start with that, why did she decide to push this legislation or why it did and what does it do. >> i'll begin, but let me just say to begin with, ann, first of all thank you. it's my understanding that the chamber is prepared to support this legislation, and that's very important. i think if i can speak for the vice chairman and myself to our whole committee. but on a personal level i just want to say to the gentleman on my left what a great pleasure it's been to work with you. we've put out now a number of intelligence authorization bills, the fisa bill, the cyber bill, and ladies and gentlemen, one of the things that i've learned certainly in about four years of public life back in a two party system if you want to get something done, compromise is not a bad word. and so if we sit down and try to share everything that i know with senator chambliss, either i had to give or he has to give,
2:03 pm
or we find a mutual road to go down. and we have found, i believe people second this, that's a very productive way of producing for the people of this country. i remember when we had -- before our intelligence committee, and to give us a classified briefing on what was happening in the united states with respect to cyberattacks. and then the director of the fbi said, you know, there's one thing that's comment about this. 90% even know they have been attacked, the other 10% may not but they have been attacked. and that virtually almost every big american company today has been attacked. the question is how serious and by whom and how much. and i think it's fair to estimate that the cost to the
2:04 pm
economy into business is estimated in the trillions of dollars. so it is very serious. we started on this with a different bill, and we put that bill together. it went to the floor and it got 56 votes. we needed 60 votes. it only got one republican vote. so the key was to go back and do a bipartisan bill, and that's essentially what the vice-chairman and i have done, ann. we put together a bipartisan bill. it was put out by the committee by a vote of 12-3, and it awaits action on the floor of the senate. there are a couple of groups that don't like this or don't like that. we've been prepared and look forward to receiving their comments. the staff has received and. david is here today, our staff
2:05 pm
director. and jack from the minority side as well, and so we are open but we do not want to produce something that cannot get a vote. what we've done is an entire voluntary system. it essentially moves to let companies do three things. to monitor their networks, to identify cyber indicators, to use countermeasures to protect against cyber threats, and third, to share and receive information with each other and with federal, state and local governments. companies who use the authority to monitor and share information are provided full liability protection for doing so. as long as they do so with, within the bill's parameters. and those parameters are pretty clearly spelled out.
2:06 pm
the bill has a number of protections to make sure personal information is protected, and to make sure that government doesn't use information for any purpose other than cybersecurity. and, finally, the bill requires the director of national intelligence to put in place a process of sharing information on cyber threats in the government's hands with the private sector. so we believe we have a good bill. we are thankful for the support that your organization is provided. we understand the financial services network supports us, the telecom supports it. but let me say one thing. we will not have a bill. i tried to get this bill on the floor and so far have not had success. until communities like yourself take a good look at it, agree with it, come forward and say do it, and do it now, the stakes
2:07 pm
are too big to let this languish any longer. >> thank you. senator chambliss. >> well, again, ann, thank you very much for having us here today. and thanks to the chamber on two accounts. number one, what i found as i've been around the country, literally around the world, but around the country and around my state, and i talk about cybersecurity, until six or eight months ago as i was under beaudry club and i said the most important we've got to deal with cybersecurity, everybody's eyes glaze over. this is not what i as a lawyer referred to as -- you can't see what's happening out there. you can't really feel it, except that people are starting to understand that this is serious, that it has huge financial consequences, not just to the economy of the united states but to me personally.
2:08 pm
so what you are doing today is helping educate people about this, and i am very thankful for that. secondly, the support of the chamber is key. i ran into the former dni just last thursday, we had a cybersecurity conference in augusta, georgia and former director mike mcconnell was there and we were talking about the bill. and he said where does the chamber stand? i said, the chamber is absolute fully behind us. he said great, i think your chances just improved significantly. so to all of you, thanks for your willingness to let us have a chance to dialogue with you on this. i want to echo what dianne said, number one, you would think this a mutual admiration society, and it is. she and i had a great working relationship, and it's proved that democrats and republicans can check their political hats at the door every now and then and do it in the best interest of the country. dianne and i've done that on a number of issues when it comes
2:09 pm
to national security. and i am so glad to have her in the foxhole when we're fighting these battles, whether it's in the airwaves or on the ground, and she's been a great leader and a great friend in the process. as dianne said we had a cybersecurity bill on the floor of the senate a couple of years ago. they were -- there were competing factions that didn't allow the bill to generate more than 56 votes, and what she and i did after that, we were involved in the process but actually we were kind of fighting each other on the bill. but we both knew the importance of the issue. so when that bill went down she and i sat down together and said look, this is foolish. we know how important the issue is, we've got to come up with a bill that's bipartisan that you and i can agree on and that we can get the majority of our committee to agree on. it's not easy, as she said,
2:10 pm
in these times on capitol hill seeing bipartisanship that is somewhat of an anomaly. but dianne and i slugged it out. we did make the right kind of compromises on positions without compromising our principles to come together on this bill. it received a 12-3 vote coming out of committee. you do see many 12-3 committees coming out of any committee on the senate side these days. that was going into the election too, by the way. what my priorities in this bill war was never want to make sure that we had a bill that was going to provide jon and i, our other law enforcement and our government agencies the tools that they need to make sure that they are able to detect intrusions on to any system be it public or private, and to make sure that they have the ability to share that information both from a public to private
2:11 pm
standpoint as well as private to private standpoint. because if we don't do that we are not publishing anything. and we wanted to do that in a voluntary system. if we banned it to the private sector you will do this -- if we mandate it to the private sector there will always be pushback from the private sector. and with the level of trust that exists today between the public sector and the private sector, we knew that our chances of success long-term were not going to be very good. so what we did was go to your companies, go to the private sector and said okay, we want your ideas. we want you to start, help us start on the ground floor and let's build this building called a cybersecurity bill. and we did that and we've been able to incorporate good ideas from the public sector, good ideas from the private sector, and i think we accomplished what we set out to do from a
2:12 pm
voluntary system. secondly, it's imperative that we incorporate strong privacy measures in this bill. we simply can't allow someone's personal information to be shared on a wholesale basis. we agreed on that and we think we've come up with good language to ensure that that does not happen. thirdly, it's important that we put language in this bill that allows flexibility. this is not a short-term project from our standpoint. this is long-term, and with the way that the technology changes in the world of cyber on virtually an hourly basis, not a daily basis, we want to make sure that 10 years from now that there is flexibility in legislative language that allows the public sector and the private sector to make industry changes to adjust to what technology comes forward in the intervening time frame. and then lastly, ma i'll say it
2:13 pm
again i know the key aspect of this if this is going to work is to ensure that there is liability protection given to the private sector. we think we've done that in the right way, and we think that the private sector, those folks who are involved in it as well as i hope as dianne said, i hope all of you will read the bill, i think we need to you will be like the folks in the private sector that we have involved in it. you will have some comfort in knowing that in the corporate boardroom people are going to say wow mike, if we share this information with our competitor, we are going to have protection and we're going to be able to do this in a way that lets us put the right kind of countermeasures in place without the fear of liability from outside sources. so i'm pleased about this bill. obviously, dianne has a lot more
2:14 pm
influence on senator reid than i do, but i have implored that if there is one piece of legislation that needs to be concluded between now and the end of the year, this is it. if we don't do it this year, i fear that it will be at least another year before it rises back to the level that it is now. and if we wait another year we are really risking the economy of the united states, in my opinion. so i'm very hopeful that when we get back in a couple of weeks that senator reid is going to agree with us. we will have this bill on the floor. we will slug it out. dianne and i are joined at the hip on this. we are going to be together, and if somebody has an amendment that makes the bill better, we are okay. it's a bill that tries to send a political message of some sort, then we're going to work to beat it back. but i do hope we get the bill on
2:15 pm
the floor and we see the senate work in the way that the senate historically has worked, to provide good legislation. thank you. >> thank you, senator. i think you are saying all the right things we like to be. liability protection, flexibility. i will tell you admiral rogers was here. he's very big on the information sharing bill as will any said the same thing. he doesn't want personal identifiable information. he does want to get into the privacy issues. so i think that information sharing we talked to earlier, something we can talk about a decade or so now, and i guess i'd ask, to put you on the spot but what our chances this bill a lame-duck session, do you think we have a chance? >> well, i do think we have a chance. i think it depends on people in this room and a lot of rooms like it throughout america. i look back three years and both saxby and i sat down in the chamber then when you had some concerns about the bill, and it
2:16 pm
was really useful. i think i weighed 23 or four big meetings and generally came to understand what those concerns were. i think those have been remedied in this bill. this bill is in the sun, the moon and the stars. it isn't a regulatory guideline how to. it's a voluntary bill. it allows the voluntary sharing of information with each other or the government, with immunity, from lawsuits essentially. and i think that's critical. it's a first step bill. it's the first thing we need to do. now, here's my worry. saxby, if we don't get this bill passed now with you retiring, i think you're right, we go back, we'll have all the arguments we've already had and disposed of but with a new cast of characters, and companies are going to continue to get hit.
2:17 pm
so you and i, because of what we see, share a big sense of a laxative that we need to get this thing done. we really need others to stand up and say yes, we are in support with this. we oppose the last bill, we are for this bill. let's get to it. let's pass it. >> one other thing that gives us the potential to get this build on, the white house came out with their executive order virtually a year ago. i was frankly very apprehensive when they said they're going to issue an executive order because i did no one is going to say, even though i have talked with both of us about it in advance but, frankly, the lay of the land that was put forward in that executive order is very positive in concert with what we have done in our bill. and some standards are being sent by nist.
2:18 pm
there are some other things that are being done there that i think lays the groundwork for some of, to solving some of the objections that were in the lieberman-collins bill. and we focus on information sharing which is the guts of it. if you don't have information sharing it's not going to work, but i think the white house needs to be commended for laying out the executive order the way they have. and i've commended nist publicly and i will continue to do so about the job they're doing. >> we at the chamber certainly agree with you. we have michael daniel, the white house cyber coordinator this morning when he first came out with executive order he was here at the chamber a couple of times which is unheard of to shop around an executive order like that. i think the extent they went to get to that, not buy-in but situational awareness from the private sector on the executive order was very helpful. i will tell you that the nist cyber framework is something the
2:19 pm
chamber fully supports. we're doing, socializing with small communes has country so we agree with you that the cybercrime and executive order was a step in the right direction. >> i think, ann, if i may, i think if we can get this up on the floor i believe we can pass it. you can't pass a bill that is a bipartisan, and this one is anything we can. and both saxby and i were closely with admiral rogers, the house chair, the vice chairman. and mike has said we are ready to go. if you get a bill, we will sit down, get it conference and we'll get it done right away. so you really don't wait, want to wait until the legislative bodies change on this. because then you got to go back to your dot and start all over again. that means in -- inordinate delay. i would hope we can get people
2:20 pm
to stand up, saxby and ann, and come forward and say you've got to do this and do it now. we are happy to make the bill language available. i think it is already. and our staffs are here. they're happy to sit down with you, or we can as well, but we really need the help to get it passed. >> and i will just say both of your us kids have been -- staffs have been terrific to work with. let's take a few questions from the floor. we are having a very hard time seeing you out there with these bright lights. so please wait for a microphone to come to you. tried to get to chamber members first, if you make. >> cory bennett with a hill but to discuss a lot of the ways that -- high, over. i could get the bill passed in the lame-duck session. what pressures on the things that might be a someone blog and might prevent from getting passed in this upcoming session. >> let me be candid.
2:21 pm
there were essentially two categories of people who have concerns. one trial lawyers. we think we've worked that out, and that there aren't problems are now, cross my fingers. the other is the privacy community, which is a big, broad nerdy. and i think we made another six changes that we've agreed to, but, you know, it's always more more more. now, we i think if the bill comes to the floor and, obviously, we have a set time and a number of amendments, we are willing to take amendments and do them on the floor. so that shouldn't stop it. but those are really the two groups that we have concerns about. and i think one of them will be settled, and with respect to the privacy community, you know,
2:22 pm
what i've heard is we want the old bill. well, the old bill, not exactly -- got exactly one republican vote on the floor. that's not a good message if you want to pass something. so you have to find a way to work together to get it done, and we believe we have done that. >> that wasn't my vote. this one will get my vote. [laughter] >> other questions, comments? over here. >> this morning coordinator michael daniel start but how he's working very closely with you on legislation but where is the white house stand on the bill today? do you think they are supported enough? >> well, i can quickly state as the chairman. what we have done is kept the white house advised. the staff has done this. they sat down. they have worked with the white house, and i think, unless
2:23 pm
there's something that's new that i don't know about, there's been a relatively close working relationship. >> this is, it's not been a one-sided conversation. i've had direct conversation with the president, even rode with him in a golf cart one day and we talked about in the golf cart as we were trying to focus on our game. we were more importantly focus on cybersecurity that day. but we face any number of conversations with the white house on it, and i'm not about to speak for them, but we have taken their original concerns into consideration and we know that the president has got to sign whatever bill comes out. and we are going to continue to dialogue. i'm hoping that by the time we get back and assume senator reid
2:24 pm
says yes, this is something we need to do, that the white house will come out and be a strong advocate with those. is it a perfect bill? i mean, all of us know, particularly those of you have been around the senate for a long time, nothing is ever perfect. and that's the way you get those and the way you get things done is to craft something that while it can always be improved, and as dianne said, this is the first step. who knows where we're going to be a year from now, but if we do nothing, shame on us. and i know the white house feels strongly about that aspect of it. >> and for those of you that may not be so in the we just we are, we are talking of 2588, cybersecurity information sharing act of 2014. a little summary that we put together, this represents a workable compromise among any stakeholders. it also safeguard privacy as you
2:25 pm
discussed. protect civil liberties because there is the role of civilian intelligence agencies and desensitizes sharing with a narrow liability protection. it would also help businesses achieve timely and actionable situational awareness, information sharing and real-time. so i just want to point out you have this in your folder. we've got 1 16 organizations alg with u.s. chamber of commerce now in support of this bill so very supportive. we have a question over here, matthew spent matthew with each other. senators, i wanted to thank you for your work on the bill and the work of your staff members have done a very big a job in terms of working with us on aspects of the bill. one thing that might not be well-known is the bill does mandate that this is sharing information with government have to remove personal information -- they have to remove pii. the bill says you must remove
2:26 pm
pii. i think it's when the eldest of the. we didn't originally agree with. primarily because we thought that small and midsize businesses that are not as sophisticated in terms of doing the removal might say instead of sharing the i'm going to sit this one out. we recognized that is a big issue and that one element of the bill that we find the messenger to compromise our ground. you might be interested to know we have been meeting with many offices in the senate to try to educate them about the bill. it is our number one cyber legislative priority. so i wanted to just think and say yes, ev do have a chance and women opportunity to pass the bill on the floor, please urge senator reid, put it on the floor. we think the bill deserves at least a shot at the. anyway, thank you. >> one thing we did to address early on privacy concerns is with regard to the definition of cyber indicator threats.
2:27 pm
and we narrowed the definition of it, and the focus is on really that serious issues of cyber threats. it's not able to be expanded from a privacy standpoint into non-cyber issues, which i understand from a privacy standpoint. so that was another big compromise that we came together on. dianne with me again. -- whipped. that's the way things get done. i empathize with the rational and the reasoning behind it. that's why we were able to make the changes that we are able to make on both sides. thank you for your input. when the chamber has input, you speak for a myriad of sectors of the economy as well as individual businesses, and that's critically important to
2:28 pm
us. >> thank you very much. >> he gave you a little inside information. didn't have to do that. >> any last questions, comments? one back there. >> to what extent is the debate of surveillance in the lame-duck going to put into the ability to pass this bill. you know, i've heard both that it is necessary to this bill would also be a death knell for this bill because they don't want them to get inextricably linked. how do you plan to navigate that in the lame-duck? >> well, i'll kick that off. you're talking about the fisa reform bill and how does it relate to the potential for discussion and debate on this bill. the thing about fisa reform is
2:29 pm
that we don't need between now and then the end of the year. we've got a bill. that bill expires the middle of next year. we do know who's going to control congress, but this has been a vigorous debate as to the changes that need to be made in fisa, and i think there's a lot of accord on that. but that's not something that urgently needs to be done between now and the end of the year, simply because we have laws on the books today that deal with that issue. cyber we don't. and there should not be any connection between the two, and i certainly hope that's not the debate we get into, or not the position that we get into when we get back into session. >> let me say this. you've hit on something, because i've heard this in roundabout ways, that fisa reform has to come first.
2:30 pm
and if i understand the current status, the house has passed a bill which was are difficult for the house to pass a bill. we have passed a bill on certain fisa reforms that went out of our committee i think 11-4. the president has a distinct view on this, and that is that he supports the house passed bill, and senator leahy, the chairman of the judiciary committee, is putting together a fisa bill that would essentially echo the house bill with a few changes in it. one having to do with the public advocate/amicus, and also with a couple of other things. here is the big problem, and the problem is how do we get something done
