Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  November 4, 2014 2:30pm-4:31pm EST

2:30 pm
are doing business in markets were some the attacks may be coming from, even if you can have that high level of fidelity and to to getting attacks. i think the law of unintended consequences is it something that needs to be fought -- thought through very carefully to understand authorities and certain entities conduct certain types of activities that may be considered more active and how that might actually work and what the private sector's role is. i think this is a conversation that needs to be done very carefully. >> i think just to pick up on think just to pick up on a point shot me a few moments ago which is the changing the algorithm on cost. i think it remains true that most cyber incidents are attacks of opportunities. there are software programs that scan the web to find servers that are directly connected. so if you have a server that is not directly connected you are not going to be a target of that opportunity. it remains true that many of the
2:31 pm
incidents, even the very high profile ones, start with a spear phishing campaign, start with an enough it shouldn't have been clicked on. i think in that sense some of the very simple things that any company can do in terms of training their employees, knowing what their program looks like actually going to default security measures instead of no secret he measures can make a big difference. and i think from the perspective changing the cost for any given firm, making sure that if there are targets of opportunity that you deny them the simple opportunity to attack you. >> any thoughts on your part? >> from our perspective all of these conversations go into building resilience. using the framework coming taking the partnership, using collaboration. what i like to refer to is killing the profit model on this opportunistic sense that are adversaries have. all of that goes into making it
2:32 pm
less worth it for the anniversary. but even more important making us resilient. even if all that were to work we would still get attacked, something will still happen in question is how hard is it for them to me take you out. it would keep me up at night, the destructive attacks versus some of the more noisy or nuisance types of attacks. as we build through the collaboration, the framework, through this exchange of information and intelligence, looking at how we make and build systems from the bottom up, hire the best and brightest, how we change the culture of security to make our critical infrastructure bounce right back. and at that point i think the opportunity goes away. your profit model goes way. that's our goal. >> david and then kelly, any those? >> we are very much focused on defense but i think if you think about what we are, critical infrastructure, most attacks are likely to come from i was actors were interested in totally
2:33 pm
terrorist motivation for something like that. and we know what our capabilities are, what our strengths are and it's not to be taking on organizations like that. that we really are focused on i will say defending our perimeter doing will begin to understand before the attacks of what he might come from and how we can do that. as for reaching out that's not something we are focused on. >> i would just say as a non-technologist by someone who is involved in this, it's building to the point where we have active defense what you think is a great term, is very complicated, very hard and it's going to require a lot of effort that all of us are engaged in that effort. but to take it to another step in starting to turn into an offensive in the price i think is that a whole level of complexity for which there's no roadmap? i think that will be something that we would have to look at,
2:34 pm
that the people would have to look at very, very carefully before they ever engaged in th that. >> i think we are about finished. i just want to thank all our panelists for doing this. this has been good. i guess you guys have an open invitation to join the next time we go down to capitol hill to push. meanwhile, a 20 thank you all for taking the time, to our sponsors, dell, american express, pepco, thank them to make sure to stop and see them and say hello. thank you. we can't do these events without their support, so let's give these folks a round of applause, and thanks for joining us. thank you. [applause] >> great. thanks everybody. gifford a lot of good information about the cyber framework, the department of homeland security voluntary program as well as a host of other things i just want to point to you in and out as you
2:35 pm
proceed there's a whole list of resources there where you can find more information and links to both the framework and the cq programs so please check that out. thank you came to our panelists. appreciate your time. we're going to take a break until 11:15 and then come back and talk about global cybersecurity policy. thank you. [inaudible conversations] >> throughout campaign 2014, c-span has brought you more than 130 candidate debates from across the country in races that will determine control of the next congress. and cannot watch c-span's life election night coverage to see who wins, loses and which party will control the house and senate. coverage begins at 8 p.m. eastern with results and analysis. you also see candidate victory and concession speeches and so most closely watched senate races across the country. throughout the night and into the morning we want to hear from you with recalls, facebook
2:36 pm
comments in tweet. campaign 2014 election night coverage on c-span. >> one of the top of races we've been following this campaign season with the louisiana where incumbent senator mary landry face a republican challenger bill cassidy. bill cassidy voted early last week. he is at the state archives in baton rouge and then senator landrieu voted earlier today. she tweeted is with the caption i voted as one sunday continue to deliver for louisiana. find your polling place to make sure you don't miss your chance to vote today to check out c-span's map of polling places with closing times. across the country, you can find on twitter at c-span. join us tonight for coverage starting at 8:00 eastern to keeping watch as they went to
2:37 pm
melissa which party will control congress and engage with us on election results by phone, on twitter at c-span and also on >> here's a few of the comments we've recently received our viewers. >> calling to comment on the debate i saw between bruce vaughan and a man named john regarding the declaration of war and the war powers act. quite interesting to watch the debate, and it also demonstrated some of the ineptitude of the neocons proposition that is the beginning of anywhere the ultimate has the ultimate hearsay of the countries ability to go to war. >> i would like to commend c-span2 for airing the information from the writers on
2:38 pm
greece and the military. it was excellent information that gave debt level interaction and dynamic and nuances, and a reality, for instance, that post-traumatic stress disorder can climb up, can be resolved if you continue to try various interventions. >> i think, on c-span is one of the best programs. i wish we could do it more than once a week. >> continue to list of what you think both programs are watching. call as the (202) 626-3400, e-mail us at
2:39 pm
or send us a tweet at c-span hashtag comments or join the season conversation, like us on facebook, follow us on twitter. >> back now to the chamber of commerce cybersecurity summit for a global perspective on policy, partnerships in innovation. this is 45 minutes. >> okay. once again welcome back to the u.s. chamber of commerce cybersecurity summit. we've got a great panel for you but i'm going to turn things over to adam sedgewick addressing information technology policy advisor at this going to move on this panel on the global issues and international issues running cybersecurity policy it happened after that we are going to take a little break. i will take more about that and transitiotransitio n into lunch but while you're sitting there thinking, please write down any questions you have for our keynote speaker at broke rogers. we will do a q&a with them but
2:40 pm
i'm sitting but it does look you want to write it down and bring them up to me, feel free to do so will take care of that during the q&a. with that let me take that adam sedgewick has been leading the framework developed and partnership process for nist. is that a terrific job however happy to hear today. thank you, adam. >> thank you, ann, think about me today. this bill is going to cover some international issues. that title is the international dynamic global approaches, cybersecurity policy, partnerships and innovation. those are all topics would like to cover. how do we develop policies that are protective of industry but also think about the global dynamic, and how do we keep the policies that also encourage innovation and efficiency and economic prosperity. to join me today we have tom dukes from the department of state, franck journoud from oracle, angela mckay for microsoft, urzula mojkowska on the european parliament,
2:41 pm
baroness pauline neville-jones who is former minister of state for security and counterterrorism at the home office in the uk government, and then haiyan song who is with us from splunk. to start things off on go to take a similar approach that matt did with the last panel, and i'm going to ask each of the panelists going from left to right just to say a few words about themselves and their background, their role in their organization come into specifically how it relates to cybersecurity and international aspects. start with you, tom. >> thanks, added. i'm tom dukes, deputy coroner for cyber issues at the state department, part of a relatively new office that was stood up in 2011, the same time basically that the white house put out the u.s. international strategy for cybersecurity. our office was greater to essentially have a core of cyber focus diplomats, policymakers that would both help develop and
2:42 pm
execute the u.s. priorities, strategies and diplomatic engagements across the full range of cyber issues. document everything from cybersecurity to internet freedom, economic developer, cybercrime, international security, internet governance. we've grown from a core group of five, met up to basically 20 people. we focus on a wide range of things but particularly for this panel on helping spread the message on the boards of creating a culture of cybersecurity around the world. this is something that was highlighted in the president international strategy. it really is to focus stays on recognizing and carrying out their responsibility to secure their critical infrastructure that is used for cyber. we do a lot of things in furtherance to that but i can come back to later, but there is a robust international diplomatic effort that the u.s.
2:43 pm
state department leads in cooperation with industry, civil society and many of our international partners to try to create the right kind of fire but in things like the nist framework or some of the key products that we're trying to the rest of the world see the benefit of adopting and incorporating. >> thanks, tom. >> thank you for having me and thank you to the chamber for the wonderful work you are doing to of cybersecurity. i had the sophistry policy and a few other issues at oracle in government affairs office, and i focus really not just on the u.s. but a lot of the international markets for sort of a simple reason, i'm sure it would in her nose how global cybersecurity is but from the perspective of the company like oracle, so we are what you call a global commercial off the shelf technology company. meaning that the database, the service, the cloud solutions
2:44 pm
that we sell, the same solutions we sell to the government agency of the u.s., to a german bank, to a japanese carmaker. you know, we build ones and then we sell globally. so having cyber state policies requirements or mandates standards, you name it that are different from country to country and public to private sector is at best a problem, at worst an impossibility, or contradict fundamentally. not just our business model that we think of cybersecurity as something where we bring a lot of innovation to a lot of r&d, $5 million r&d every year with a huge return investment in r&d from the security perspective, people can precisely leverage that economies of scale itself around the world. and so when we look at the
2:45 pm
cybersecurity framework, the fact that it is in its, naturally international because precisely where a global company under customers are global, but also the nature of the framework, the condit is based on international standards and best practices, you know, is just the right approach can not just our business model but also cybersecurity is best managed. >> thanks, franck. angel? >> like my colleagues i would like to say thank you to the chamber for hosting us and to anyone in the oddest for joining for this panel. my name is angel angela mckay, m directive subsidy policy and strategy at microsoft. in that role i laid across a variety of issues, critical infrastructure protection, supply chain risk management, all the way up to international security and stability issues. at microsoft we run our cybersecurity policy work out of
2:46 pm
security engineering so that we can actually bridge security expertise and experiences that we have and help them manifest in the policy environment, really taking demonstrable or practices that have demonstrable results and helping to manifest them in a policy environment. prior to leaving our u.s. work i led our emerging, self and emerging markets. and in that role i traveled quite frequently to asia and europe, i talked quite a bit about critical infrastructure of cybersecurity issues. one of the things and one of the reasons we think the framework is really important is an example of leveraging a book private partnerships to help create policy that can be applicable and useful in this environment and in other once. that's a little bit of what i'll be talking about today. >> thanks, angela. let's now go to urzula. >> my name is urzula mojkowska,
2:47 pm
i'm an office of european parliament washington, d.c., liaison office. our washington, d.c. office is the own office a salvaged by the european parliament outside the eu. now, i would like to thank first of all to the american chamber of commerce for inviting me to speak at this panel. i would like to say a few words about the european parliament for those who might not be aware of what our organization is. our organization is a legislative for the european union. we legislate together with the council, which are the representatives of government of our member states. and i think our legislative role when compared to the u.s. system could be compared to the house of representatives. the committee in the european parliament which has jurisdiction over cybersecurity is the internal market committee.
2:48 pm
it's because achieving high level of cybersecurity is important to the completion of what we call a digital single market. by way of footnote, i wanted to add as well that the legislation process in european union is different slighty from the american one in the sense that all legislation is proposed by our executive body. that is, the european commission. i will be talking to date a little bit about those legislative and nonlisted initiatives. >> i have a background in government service and private sector, then at the ministerial government -- level in government. since i left the home office i've been active mainly in cybersecurity. i also had a background in
2:49 pm
political military affairs but cybersecurity has taken my interest. i am currently chairman to an advisory council to the bank of england which gets me empty regulatory world. the bank has been extremely active recently in the city of london, including the national institutions through the paces with regard of contesting. i'm also -- in testing also budget to the national grid which is an advisor in uk which has interest to this country. we get into the issues of national resilience. it's their important, if the lights go out nothing happens. i'm also -- cybersecurity challenge which is a charitable organization which doesn't receive a certain amount of government support, which is engaged in encouraging young
2:50 pm
people to going to cybersecurity as a career. we took a lot of our initial inspiration from this country, very helpful to us. the other end of the educational sphere, i'm a member of the engineering and physical sciences research council which is one council of the group of uk research councils to allocate money for centrally important research activity in the uk, and a certain amount has gone into cyber and into the creation of training courses among other things to increase what certainly we regard in the uk as being a really serious skills gap we possess in this area. and, finally, just one other thing which i've gotten involved in a personal basis. uk is very london focused, and one of the things we need to do
2:51 pm
is spread the message around the rest of the country. i happened to come from yorkshire and, indeed, the single largest health database in the world exists, developed there, the nhs bureaucracy there. but it provides the most extraordinary opportunity for the development in an important area based on analytics. and so one of the things i've been trying to do is to ensure that as the city underpins this activity and creates frankly new industry, that we do cybersecurity i design and that we actually from the outset create a system which is molded to put mary and where all the good shooters actually are on the same base and talking the same language. >> that's great. >> my name is haiyan song. i'm the senior vp for the security markets for splunk.
2:52 pm
so we asked the what this blog do? let me give you a quick introduction. splunk focuses on machine data, focus on getting value and accessibility, usability out of machine data. a simpler way for me to explain that concept is, everybody knows google is a company. it's also a verb people used to go find information on the internet. and splunk is also accompanied but it can be used as a word to also go find information in machine data. machine had otherwise that's generated from your devices and from your applications, from network servers and so on and so forth. i think with this crowd it's easy to understand the value that machine data logs and events bring into security visibility and risk management, and that's what we are set out to do. and one of the things i think the framework has brought to the
2:53 pm
industry is brought the common language. so we can explain the approach, explain the methodology and we can explain how the solutions we develop fit into the framework. so with that context what we did is really give you the ability to protect, to monitor all the aspects you have, and most importantly we shine in the areas of helping you detect anomalies and unknowns and also give you the accessibility of the data information so you can drastically reduce them on a time you need to respond to incidents. and from all perspectives it's a global for multiple reasons. that threat landscape is global and its not having borders or boundaries to their coming from all different angles. and the customers we serve our very global as well. they have multinational sort of
2:54 pm
characteristics, and we facilitate the application of the security program in a way that we also need to support the regulations and requirements from a different region, like europe has certainly more strict regulations on privacy. and so in a way that what we do truly has a global nature, and we work with a lot of customers as an ecosystem that we work with, partners from the previous panel as well because they bring a lot of insight and intelligence into the battle that we have against adversaries. and we truly believe it takes a village to do this, and our role is to better facilitate that ecosystem coming together to do a good job, getting visibility and high that with the understanding of how it relates to your business, your vision of
2:55 pm
the agency. that's a whole risk based approach and something we firmly believe in. >> great. i think as another level study question, i would be interested to hear panelists reactions to what they think the international reaction to the framework has been, not only in the eight months since the final framework was released, but also throughout the development of the framework. is their general international awareness of the framework and similar policy, similar public-private partnerships? and do we have a sense of what the initial reaction has been? i will start with angela and go to franck. >> certainly. i do think there's a fairly high degree of awareness of the framework on an international basis but as i said earlier i spend time meeting with the government customers and enterprise customers in different places around the world.
2:56 pm
most recently have been to india, korea and japan, and in each one of those environments, both enterprises, critical infrastructure, small businesses, innovators and government policymakers are aware of the framework. i think there is, there are some misperceptions, these were people may not necessarily really understand what the framework is a and i wanted to highlight two of those that think a really relevant for having this conversation. one is the discussion of who developed the framework, right? is a lot, in the trade, industry led but in some people call the framework that nist cybersecurity framework. so internationally there's some confusion about how is this developed? is it become a thing or an industry thing? and in each case many of those questions actually are concerned because the other entity wasn't involved. so one of the things i like to highlight is it wasn't even just a traditional public-private
2:57 pm
partnership that was used to develop this, but a truly multistate colder approach. you had government entities from the u.s. you had tried to sector from the u.s. your government and industry from other countries engaged. you have some of the hacker and security community and fall. and even civil society has moved into the privacy can put. that's one of the misperceptions. the other one that i think is what important is it will tend to confuse the general risk management approach of the framework from the implementing mechanism that had been outlined in the executive order. so one of the things i really try to just make sure that those are clearly differentiated from each other. in the risk management approach that are controlled based approach and outcomes based approach. we take and outcomes based approach, has more demonstrable results to the ecosystem and that's what the framework does. on the implementing mechanism side is a voluntary implementing
2:58 pm
mechanism and then regulatory implementing mechanism but i think it's important to separate those two because it is unrealistic to expect that every country around the world is going to take the same kind of approach to implementing mechanism. they have different market tribes, different ownership models. but in the risk management approach to the degree to which we can foster more outcome based risk management, that creates, raises the boat is secured and privacy across the board, and also to create that in permit that franck mentioned about being able to work across geographic boundaries. >> do you have anything to add to that? >> just quickly. i think i would agree with pretty much everything angela just sent. there's a very strong interest in the framework with how it was developed and the content of the framework. also a lot of misunderstanding of both actually. they look at the world, it's a government agency so the framework is a regulator in the
2:59 pm
premise of it's a regulatory mandate. and so there's been a lot of additional effort put in by a lot of people, nist and a lot of companies, to dispel those myths. but you understand sort of how you were running against regulatory political and policy cultures that are just very different. we just have some natural tendency in the u.s. to put more trust and we have more experience with public-private partnerships. there isn't a kind of comfort level and experience and a lot of foreign countries, and, which is unfortunate because really obviously the security policy is one where these public-private partnerships are most apt to be effective. >> great. urzula, do you may want to give us some perspectives on what you're seeing in the eu and also
3:00 pm
how that relates to our policies here in the u.s.? >> sure. the eu is come we decided to regulate certain things at the eu level and actually the important thing is to highlight that the regulation that we have launched, it is not yet complete. .. probably consultations prior to this, and actually over 66% of stakeholders were in favor of certain type of security matters being regulated, and over i think over 84% of the respondents were in favor of those matters being regulated at the eu level. so i think there was a very different culture in the eu in general in terms of regulation. that's the first important thing to highlight. so we have two main instruments
3:01 pm
of the cybersecurity strategy which we put in place in 2013, and the first one is a proposal for the nist directive come at this directive is right now being debated between the european parliament and the council. so the european parliament has adopted its position already, and we are now going through negotiations. and then there is, there is a public-private platform, the nist platform. so they're two separate things, like angela, you mentioned it's important to differentiate between the two approaches, and they have also very different scope. the nist directive which is by definition the directive is a legal act which is addressed to the member states, not directly to the stakeholders but to the member states.
3:02 pm
to the member states like the establishing national authorities and computer teams that would react to the incident. it also establishes the obligation between the member states which is a very important thing because we need to remember that we are working here with 28 different systems. it also establishes establishes certain obligations from the market operators. the definition of the market operator is to be understood at the beginning of the proposal in the executive branch proposal as it is comprised. for the emmy voters and public administrations and critical infrastructure of the operators. the parliament is now proposing
3:03 pm
to limit the definition of the market operator and an hands the number of entities they will apply to the critical infrastructure and public administrations. so those market operators will eventually find the way they will be obliged to report the incidents as the number of safeguards to make sure that there is no insecurity among the market operators as to what needs to be reported. and then there is the platform that as a mentioned as a public-private platform for the discussions and developing the voluntary standards and there's been a lot of participation
3:04 pm
across the sectors. we have over 200 organizations that are participating in confronting the security platform. so the research academia and from the industry. at the end of november and the platform is also good for the international stakeholders to get involved. so also the u.s. stakeholders. >> i am pleased to say we have representatives from the european commission at the job in tampa the next couple of days and also looking at doing a targeted meeting in brussels to talk about similarities between the platform approach that we took developing the
3:05 pm
cybersecurity framework. do you want to talk a little bit about what you are saying in the uk links it is unique in that they are the only other country that hosted the workshop for developing the framework and i'm happy to say that they actually will also be participating this week. can you give us a sense of what software is over there and what they are looking at in terms of the global cybersecurity post? >> the level of awareness in the framework there certainly is in the uk not least because the multinational nature of the companies particularly across the uk and the u.s. so people are aware and interested in how the policy is going to develop here. one of our preoccupations is to
3:06 pm
try to ensure that there is a great divergence for that companies face the prospect of not only different but possibly conflicting policy requirements. so we do follow and i think we talked to each other about that we are not going to the regulatory purge and we don't the regulatory approach. they are on the hole in whole in the united states. and so, the approach has emphasis on the public-private partnership and it's very important in that. so if i look at the framework and then i compare it with what has happened in the uk, though the written material is
3:07 pm
differently presented and you can take to documents which is the advice to the companies none of this i say is mandatory it is highly incentivized and why? because there is a second option off the cyber essentials and that takes you to the various stages that are identified in the framework. if we are making the essentials that are mandatory for doing business and government. so, the minimum platform is being sent on the performance. we are facing more issues having to put in place a framework that is getting implemented. that is the big job around the
3:08 pm
country. i do not myself believe the attack is relating to the size of your cooperation that is likely to be related to the value of the assets. and in this game and a big way some of them are the most innovative parts of our industrial and commercial structure. we have a country that pays particular attention to enabling affordable security to become available so quite a lot has gone into the practical of how you actually get affordable security. the security offers advice.
3:09 pm
at the center that is information sharing. and you might have thought about that in more detail we want increasingly to see. we have a background in the uk and a lesson delete codeless inhibiting competition law framework so it is possible in the uk to share information both between the companies and with the government without falling afoul of the competition and the ability to overcome some of the problem is that there are here but we regard that as being absolutely crucial and we have
3:10 pm
now put the information sharing partnerships inside of the uk for just the mechanism for the detection response and recovery from so that we try to create a one-stop shop. i would say that we've gotten to the stage of creating the structures that we need. are they working perfectly yet, no. are they extended enough and have we found the ability to cascade down the system fast enough by getting there because we are not very entirely? i would say that we've gone from awareness to the mobilization. i wouldn't want to exaggerate how far we've gotten that to the perception of the country that this is an important business enabler one last thing that i would say it's you can tell there's quite a lot of
3:11 pm
difference between what i said and what others have said the uk has to pass one of the member states that wanted to see the initial scope of the regulations and directives contract. we can live with this now particularly as it concerns the national infrastructure with regards to the certain degree of the standard as necessary. where we are in disagreement and remain in disagreement in the whole nature on the breach reporting is an active business issue, clearly issue is the extent to which shareholders and in particular private individuals have the need to know and the right to know when the dates have been breached though we we wouldn't oppose it but we are concerned about not requiring the breach reporting
3:12 pm
that actually inhibits and enhances the initial recovery. >> we talked a little bit about some of the complexities in terms of the legal regime's and the cultures and regulatory burdens. you have to manage all of this, so when you provide advice to the countries countries about this mark cybersecurity policies or when you're communicating about what the policies are, what are the lessons learned from those experiences and what are you hearing about what other governments are doing in this area? >> that brings a lot of ground and i will try to focus on a few things. so, what we see is if you look at where the rest of the world is in tackling these issues you've got roughly 25 or 30 countries that have gotten to the same place that the u.s. has in terms of if you focus on what
3:13 pm
we did starting in 2009 with a comprehensive policy review that then lead to a number of things including the international strategy in 2011, the u.s. went through this very involved process of getting our arms around. it's carried through into things such as the presidents executive order which led to the development of the framework. taking a lot of steps in with the european union has been doing to tackle this. there are probably 25 or so developing countries that are deep in the process of developing national strategies and most of these are very much focused on.
3:14 pm
if the need it's the need for the strategy and developing the purchase. that is when the cybersecurity strategy is useful because it provides something that we can offer to other governments and regional groups around the world like the african union as the organization of the states as an example of how they can go about doing this. one thing that we do increasingly is a real growing interest by essentially every country that we have diplomatic relationships with and discussing cyber cooperation.
3:15 pm
it is the latest example this week of every time we have a biological discussion in the country whether it is in terms of the political military affairs, security, economic development, there is a desire to talk about the role of cybersecurity development. there is a huge interest out there. one of the things we've done in that department is the focus a lot on our internal capacity building. so, training our diplomats to be able to engage on these issues and to understand particularly with a focus on the economic development aspect of this, that taking the approach that we think is right and that we advocate in terms of the cybersecurity is really going to be a critical step that needs to be taken to get you to the point that you can really benefit from all of the economic and social benefits that we believe flow
3:16 pm
from embracing the digital society and really getting serious about leveraging dict and the internet to help carry out the future development. those are some of the things we were doing. i will say one that is we have to keep in mind is a reality of where we are in the united states is unlike the european union. we have a very comprehensive approach to this. the security framework helps enable of ways that answers one piece but without comprehensive legislation that addresses a whole host of issues come information sharing, liability. we don't have a complete system yet and so we like to point to what we have and it would be great if we had a much more comprehensive approach in place so that we could help the countries learn from our holistic experience. not at all in an unapologetic
3:17 pm
way but with a smile and tell the other countries there are certain things we think that you can learn and there are certain things that we would like very much to look at like the framework that the u.s. has a unique experience of getting where we got. going through the process of developing and conferencing the national strategy that includes significant input from the industry and civil society is really just a foundation of what has to be done if the government isn't able to go through that, then they are never going to be able to get to the harbor steps heart of steps of tackling these more specific issues on cybersecurity and other policy issues. >> the government to government conversations and also the
3:18 pm
developing policies and formed by informed by the industry input into the documents like the framework as we think about kind of moving forward in the next steps. three of the talked about international standards that's one form but you think about the right way to continue this dialogue where should we be looking? >> one way to answer a question like that is to also know where not to start. and since they were for the next three weeks i would say don't start there.
3:19 pm
they would they would have the impressive legacies of helping to develop the communication infrastructure around the world. but i don't think that the technology issues in particular are their strength. i think that it's pretty far outside of their expertise and where they would be able to contribute effectively for both the policy and for the technical perspective and also because it is industry participation and that also is fighting something that holds them back and i think that they would be duplicating and a weakening and distracted away from other forms that are addressing the issue.
3:20 pm
i guess it depends on what aspect of this flavor that we are looking at. if you talk about the product assurance, there are some forms including. we talk about the management which is the framework that addresses it depends on florida when we will have the framework over time whether it is an effort that continues to be coordinated and nurtured and take a life of its own with a new sort of institutional house. >> i was going to kick it over to angela. [laughter] >> certainly the thought that it would have on that is the
3:21 pm
framework. was developed as a result of the executive order from the government of the united states. it is inherently an international effort. the framework is international and so finding the framework that enables it to continue both in its substance and in its use is continues to be international so that is essential. >> thanks for the participants today.
3:22 pm
>> thanks to the panelists. appreciate your time. [applause] >> we are going to take a 15 minute break that we would suggest if you put things on your chairs and serve the meals then you can go next door for a little bit and join 12:15 for the keynote speaker c-span is
3:23 pm
asking what you think about voting. on facebook we posted the question do you vote and why or why not. bob writes i i got every election. it's an opportunity to express my dissatisfaction with those that serve the wealthy only. and he says yes but it's an exercise in its utility. if the voting really mattered they wouldn't let us do it. see what others are saying and share your thoughts with here are a few of the comments
3:24 pm
we have received from our viewers. >> i want to comment on a debate that i saw between bruce fein and a man named john yoo on the declaration of war and the war powers act. it was quite interesting to watch the debate and it also demonstrated some of the ineptitude of the neocon proposition that in the beginning of any war the president has the ultimate hearsay of the country's ability to go to war. >> i would like to commend c-span2 for airing the information from the writers on greece into the military. it was excellent information that gave levels of interaction
3:25 pm
and dynamics and nuances and the reality for instance that post traumatic stress disorder can climb up and can be resulted to continue to try various interventions. >> on american history tv on c-span is one of the best programs available. i wish that we could enjoy it more than once a week. >> continue to let us know what he what you do the programs. (202)626-3400, e-mail or you can send a message at the c-span comment. back for more from this
3:26 pm
years cyber security summit hosted by the chamber of commerce held last week in washington, d.c.. the discussion includes american express chief information officer mark gordon and the nsa director mike rogers. they talked about information sharing and efforts to encourage public-private partnerships to combat cyber security threats. in an hour we will look at ongoing efforts to draft and pass the cybersecurity information security act with the senate intelligence committee chair dianne feinstein and vice chair saxby chambliss. in about an hour and a half cyber experts focus on information sharing and cooperation between the private sector industries faced with cyber security threats. >> thank you very much. i want to thank you and the chamber. you're proactive leadership on this topic i think is second to none and you are doing a great service for the global community
3:27 pm
than what you are doing. what i want to do is very briefly provide a private sector view on the environment, the importance of information sharing in particular and the obstacles that we face and a little difficult to action before introducing the admiral. the range of attacks we experience in the private sector is unprecedented and is getting worse by the day. the volume and sophistication of attacks is only showing signs of acceleration and every published success simply encourages the new entrants and bold moves. thread actors from social activists, cyber criminals for states to your one and tier two with a range of objectives from disruption, intellectual property theft, financial crime and the one i'm most concerned about is the intent.
3:28 pm
cyber criminal activities in particular have simply excluded. and while one at a time of the impact individuals and companies collectively, they represent a potential threat to the country if they continue to build up the way they are building and in particular they become more orchestrated. imagine the top ten retailers attacked at the same moment the top companies of attacks at the same moment and the impact on confidence in our economy. and especially if the capabilities that today are pointed towards financial criminal activity starts to turn towards distracted intent is a very sobering concern for us. now, legion of private sector have a range of controls and capabilities in terms of cyber protection. i estimate we spend more than $2 billion in the u.s. across the financial sector in the cyber defenses from protecting
3:29 pm
the perimeter to protecting the data lost in the threats and we will continue to invest in the capabilities. but we would like to use the florida energy on the information sharing so you think of it and of course we have to know when we are under attack. but at the same time it's incredibly valuable to know when the neighbor is under attack when the adversaries are on their forces getting ready to attack or when they are back in the home country building within reach of attack. the single best control that any company could have as a transparency around what is happening around us with our sector and the government is another way i believe the list cost and highest value control is information sharing. it's the best investment that
3:30 pm
anyone could make an investment of cyber protection. one companies detected moment could become an entire sectors defense or cross sector defense. and further, no entity can stand alone as a single business. each of us bring a different insight and ideally for the whole is greater than the parts and that to protect individuals and businesses into the country we have to work together. the privacy advocates, law-enforcement, intelligent samanta security working together to protect the customers interested the business interest into the national infrastructure in the country. and finally,, why you like to be that information sharing is in the best interest for each of us in our businesses, i also believe that we have a moral obligation and socially responsible enterprises to try to share. ann to consider it and not to consider it as a competitive advantage that some companies
3:31 pm
look at it that way. but effectively sharing the cyber information is not easy at all. there is a fair amount that does get a shared. there is information sharing but it's a slow and the relationship is trust the standard is very variable across the industries. the first obstacle for the private sector. we are able to share cyber information due to the liabilities that occurred. if you think about what if someone acts on the information that we shared and we shared it in good faith by acting it caused harm or on the flipside if they decided not to act on that information because they have a basis for not acting, the liability of both instances stand from the race perspective and stands in the way of the
3:32 pm
material information sharing. second, there are too many vehicles for information sharing. its variable, well intended, frankly it is a bit chaotic and it is hardly complete. to throw out some acronyms, the ecf, the physics of the fusion centers, company to company come fbi, treasury, homeland security secret service, all of those occur in one moment or another and they are well intended and very appreciated in the private sector. but sometimes they are conflicting and sometimes very inconsistent and no information sharing happens in real time. the third obstacle that i would say the private sector is a government over classifies. so, what is shared at the secret level is very rarely actionable and not enough have clearances about the secret level before
3:33 pm
the actionable information tends to reside so there is an issue in the government classification. i compare and contrast what they we get in the open source intelligence and yesterday you would have seen some information about the new attack that's been out there with the open-source data we get the indicators of compromise that we can act. the detail was released to get an open-source context about the new purported chinese att attack called axiom that what comes at the open source is actionable intelligence that we can do something about and that is not still relative to what we hear and see from the government sector. so i will close on the difficult action. on the private sector for those of you from the private sector as i am, support the legislation is out there on the information sharing. there are two bills out there and i would support either of
3:34 pm
them. they are important to opening up the volume and speeding up the capability of the sharing that can go on and it is the highest opportunity in the system of the cyber defense. i would call out two things. there should be liability protection for acting and not acting and that is important. the second thing that i would say is very clearly information can and will be a non- allies. there is no reason not to. we can address the policy concerns i believe very effectively. also for the private sector if you are not in one of the isa you should join one and you should be very active. there is a very uneven level interims of information sharing. we need to contribute very actively and i would call on you to do the same. for the public sector the call to action from my perspective is again coming pass the information sharing legislation and also we need a better process to get the private sector clearances either about
3:35 pm
secret or to make shared intelligence more actionable at the secret level. more importantly, what we need is a system construct for how information is shared. it's as close to real-time as we can make it and coordinated in the law-enforcement intelligence agencies and private sector so that i thought i would share that. it's now my privilege to introduce the admiral. in april of this year admiral rogers assumed the post of the commander of the u.s. cyber command director of national security agency chief. you have his biography in the package but to summarize prior to the current post he served as the commander of the fleet of cyber command and the navy's template. he also served as the director for intelligence for both the joint chiefs of staff and the pacific command with over 30 years of service both he has
3:36 pm
extensive experience in intelligence gathering and information warfare and on a personal note and i shared this with the admiral as he was coming in i actually met him in 2012 very briefly at a cyber security conference at west point. the theme of the conference was actually public-private collaboration and the role of each sector in the defense of the nation. my impression of the vice admiral is one that we actually sat next to each other for maybe 30 to 45 minutes and i tried to convey the sense i took away from that moment what they would tell you is having not had a lot of private sector experience was very inquisitive and asked a lot of questions. he was a very active listener. he seemed to have an appetite to
3:37 pm
learn about the challenges faced in the private sector and to contemplate the opportunities for the collaboration. he also conveyed the purpose and the belief in his mission and what i would think of as a very consensus demand. what was interesting though@reflex does what came away for me in that moment which i think will be reinforced by what you have heard and what you will hear today is the admiral is actually very committed to public-private partnerships and is a very strong advocate of information sharing as part of the private sector. so thank you and join me in welcoming admiral mike rogers. [applause] >> good afternoon. how is everybody today i apologize, please keep eating while i speak. we have 50 minutes or so. i will speak for 15 minutes or
3:38 pm
so and give you a few thoughts from my perspective that i'm really interested in the interchange and exchange with all of you because i'm curious as to the perspective that you bring to this issue. why is the admiral in the department of defense, why is he talking to the chamber of commerce into the private sector got the idea of the cyber security? because as you heard one of my takeaways and ten years in the ten years or so that i've been involved in a cyber department is that cyber is the ultimate support and if we are going to make this work it is about creating a true integrated team in a set of partnerships that will be to may could save reality. that there is no one single technology that will enable us to guarantee 100% security of the systems. there is no one single group or entity that has all the answers nor is there one single group or entity capable of executing the
3:39 pm
solutions we need to do. it takes all of us working together. before i get into but i think we need to do to work together what they we think the chamber very much for your kind invitation today but more importantly, for the dialogue that over time you've been a part in helping to facilitate. because this is all about trying to talk to each other about how we are going to figure out the way ahead. thank you for your kind words. as a senior business leader senior business leader i want to thank you for your openness for your partnership and for your sins but cybersecurity is of a direct impact and concern to the leadership of the corporations. i will tell you i can always run it doesn't matter if it is a military command in the department of defense or whether it is a private company that i'm talking to. i can tell which organizations have leadership, and those which
3:40 pm
do not. and when you do not have leadership you are fighting with one hand tied behind your back. all of you here with us to play a role of leadership in the business community or in the government, i think you for your willingness to spend some time in your busy lives on an important topic. because as the leaders it is to us to drive up to us to drive the change i think we need. it is much less about the technology and much more about changing our culture. traditionally in a nature we tend to view the private sector in one arena and it's something that is a part of that in some ways. i've do the cyber security challenges that we are facing as a nation. i do them as a national security
3:41 pm
issue. how are we as a nation going to address the challenge that isn't going to go away if we think that this is a short-term phenomena either a short duration or relatively minor impact over time i would argue that we have this vote. i see this for an extended period of time coming and it will have greater and greater impact both in the corporate sector within the public sector and as the u.s. cyber command one of our jobs is to defend the department that works and i will tell you we are dealing with the same challenges every one of you are. every day there are individuals and nationstates [inaudible] different jobs and both related
3:42 pm
and both applicable to this idea of cybersecurity. the first is the commander of the united states cyber command, we have three missions one of which is particularly applicable. first is to defend the department networks. the second mission is to generate the cyber mission force that we call the cyber team if he will. but the department is going to use to execute its missions over time. the third one coming out of the one that really brings me here today is that if directed by the president or the secretary of the u.s. cyber command is tasked with providing protection and support to attack against critical u.s. infrastructure. so i have to be ready if i get an order how are we going to partner with our teammates because if there is one thing that you learn in the military, you do not wait until the day of the crisis to suddenly say to yourself i guess we better do some training with each other. or i guess we better understand what our partners need and what they don't need or what is
3:43 pm
effective for them and what is not effective. so, we are in the midst of working collaboratively. the department of homeland security, the fbi teammates, other elements of the government, depending on the sector. we are in the process of partnering on how we are going to work to get the details about how we are going to exercise and training with each other so that when we are in the middle of that this crisis, we can make this work in a real-time way. the second half of the highway or the national security agency, the one that quite friendly i've got the most attention on the last 18 months or so has two primary missions. we talked about one of those missions, the foreign intelligence chin. now come in a cyber arena could be used for in intelligence capabilities to attempt to understand what the nationstates , groups and individuals are giving in the cyber arena against the united states. the other missions that are also critical here is the information assurance. they are tasked under the information assurance mission
3:44 pm
with not only defending the department of defense systems as well as helping to develop the standards for systems. we do it with the federal government and increasingly we find ourselves called on by aberdeen hs and teammates to provide capability from our cyber expertise to support the private sector. that isn't going to slow down. it's going to increase. you can pick up a newspaper. you can get on your favorite website and you can blog on whatever particular interest and whatever media outlet that you find is the best source and every day you will find something in a major cyber incident. this is not a short-term phenomena. later today you hear from senators feinstein and chambliss and i think the role that they are playing in attempting to generate the legislation to help the private sector deal with the very real and very legitimate concerns about the legal liability is critical for us.
3:45 pm
because if we do not hope to address the very legitimate concern but i think for many of you and i come and i think that many of you in the private sector that's a challenge for the timely information sharing. and as the director of the fbi in the private wiki was the general counsel for the largest brokerage firm in the united states and the general counsel for the defense contractor of the united states and i will often ask jim when you were a lawyer working with the board what was your condition and what kind of advice were you getting the leadership and she said i would always told them very mindful you have to be very carefully if you are not careful, potentially, the corporation will be setting up for major financial liability. and potentially impact the market share and business and
3:46 pm
image. we have to help move those legitimate concerns and address them because of the end, in the end, but we have to get to my belief is real-time automated machine interfaces. we have to define in advance just what information are we going to share. putting on my head i do not want privacy information in this. because quite frankly it creates challenges for me because under the law any time i deal with privacy information of the citizens i have very specific restrictions they can do and cannot do and very tight controls. so my input has been that we do not want the privacy information here. that will slow us down and that is not the focus of cybersecurity is. what we need to share with each other is i need to be able to provide from the government standpoint of putting on my hat as a national security agency i got to be able to provide actionable information that you
3:47 pm
can use that gives you insight as to what you are going to see how them how it is going to come after you, what are the indicators you should be looking for in advance that would suggest to you that activity of concern is coming, and i have to help you identify who is coming after you. what i need from all of you i'm not in your systems and you don't want us there creates a whiny to understand what have you done with your system configurations, what worked and what didn't work and what did you anticipate and what did you not anticipate and then collectively between us, we need to share this and we need to share it goes across the entire sector, the insights of one can translate to the defense of many we need to come up with a system that enables us to do this in a
3:48 pm
real-time way and the only way to do that in my mind is the legislation that he will be talking about later today as well as sitting down in a partnership and walking through exactly what elements of information are you comfortable with sharing, what do you feel that you need from us, the government can and like wise i would like to have the same conversation with you. here's the element of information that can help us and here's what we are comfortable with sharing. and i've got to do this and i see this as an intelligence individual i have to do this in a way that you can actually use. not i'm going to classify this in a way that makes it unlovable for you. that isn't going to help anybody. so, we will be working our way through that process. but the key to it is going to be dialogue. the sector construct if you will that has been developed over time i think is very powerful. if you are not engaged in the sector construct in whatever area of business business you are in i've would urge you to
3:49 pm
consider doing that. it helps us from the governmental standpoint because we have a framework within the particular sector that we can deal with. i would tell you it has proven to be complicated and what is important in one area they would say that's interesting but it doesn't apply to me or i'm not particularly interested enough that isn't how they are constructed. so the sector piece has been very possible. one of the things we need to defend the government is the have to simplify this. i am telling my peers at the senior level we've created a structure that is so complex that if you are outside of the government it is incredibly cumbersome and difficult to understand if we are honest with ourselves. it's not because people aren't working hard, it's because we've tended to do this incrementally
3:50 pm
over time. what i think we need to do is a fundamental look at how do we structure the government side and a comprehensive way that makes it easier for you and at the same time makes it easier for us. this information is based on personal relationships, personal knowledge, limited awareness. i knew this but i didn't know what else was out there. we have to try to simplify that. that's one of the areas that we will be working on. i am much more interested about what is on your mind. to have a moderated discussion we collected questions earlier. >> can i steal one of the
3:51 pm
waters? been absolute we. >> we collected questions earlier in i've will take a few would take a few of those and then we will go to the audience as well. so get your questions ready. we have microphones that will come to you and if you can just identify yourself and what company you are with before you ask your question that would be great. one of the things we've been talking about is how do we punish the bad actors that are stealing the company's and kennedy and crying as? some are becoming more vocal to defend themselves in the absence of the state support. is this something the private sector should do or is this exclusively the response ability of the government do you think? >> we have a legal framework as you have seen five individuals in the nationstate and indicted. i often get asked this question
3:52 pm
to so put another way the cyber mercenaries. should we go out as a private sector and higher individuals to conduct what we call in the military offensive operations to try to stop through the use of the tools, nationstates, groups, individuals from conducting these attacks against us that is a broad policy issues that we will work our way through and my input to all of you would be very careful about going down that road. i would only tell you think about the legal implication of this. but again i'm not a lawyer so i would be the first to admit i would urge that you be very careful about that. >> how do we get the attribution to the so-called bad actors as well it becomes very powerful
3:53 pm
because the information sharing between us about what is the attribution is based on the confidence and the knowledge that are the options that are available to us information sharing and increased knowledge gives a greater range of options to consider. >> another question was talking about the definitions. we have a different domain. does the defense department have a definition for what constitutes the use of the force in cyberspace and while that definition be the same for the activities in cyberspace and other nations as well? >> under the rule of the law as to what is in a literary activity well we are working our way through a broad policy debate of what is the extension of the rule to the cyber arena area we have definition for what is offensive or pursues what we
3:54 pm
call the defensive responsive action and we have definitions for all of that. the broad issue you i think as a society that we are trying to come to grips with is we see all of this activity directed in the corporate networks, governmental networks, private individuals and what is the right response. i think the broad issue is what is the right response to this. what we can develop over time is a set of norms and rules that get us into an area that we have a much better definition of what is acceptable and what is not acceptable and even in the idea of deterrence. because right now if you were a nationstate, if you were a group or an individual, most come to the conclusion that there is an incredibly low risk and there is little price to pay so the actions that they are taking. i'm not saying that i necessarily agree with that, but
3:55 pm
i would agree that most look at it in light of that, feel that they could be pretty aggressive. that's not in it's not in our best interest in the long-term as a nation. for the others to have that perception we need to try to change that over time. >> please raise your hand and we will bring a microphone to you. first we have one right up here. can someone bring him a microphone. >> one of the things we were talking about is china and russia as well and mcafee conducted an expert of the cyber experts around the globe when the cyber command was first tested up and they asked americans who do you care most and they asked everyone around the globe and every other countries that americans. so just wondering what your
3:56 pm
thoughts are on that. >> what we have articulated as a nation is like every nation in the world. we use a broad range of tools to attempt to better understand the world around us. the issue that we have raised is in the cyber it in the cyber arena we do not use the power of the nationstate to use the cyber as a tool to gain insight to then share with the private sector in the un to gain the competitive advantage. we do not do that in the united states. many other nations in the world to do. some acknowledge it and many do not. you can see we have been very vocal with our chinese counterparts that this is of concern to us. we view this as a behavior that is fundamentally incompatible in the relationship that we want with the chinese. so we continue to work in the policy perspective to see the legal action that we have taken and we work our way through it.
3:57 pm
i certainly understand it as an intelligent individual. we are intelligent rightly so because of how we are structured. we have more oversight congressional e. and legally than most of the counterparts around the world. it is not a complaint. that served as a nation incredibly well. because as a nation we want to be comfortable with what we are doing and why we are doing it. so, i would've used that as strange for us. >> it's great to see the navy. >> i knew that you were a good man. [laughter] in the sector i think that we do have a very ceo led effort going on in the department of energy and homeland security and the metric system coordinating council and we are focusing on the tools and technologies that you are providing the technology
3:58 pm
detection i think we have a bout lot of good information sharing going on. hopefully we will get the machines going. and on the response to the recovery but on the latter since you are from the military, and i think the one thing that we do not do all that well baby and the private sector is the actual drilling of the exercising of response from the recovery plans. i wonder if you might give your thoughts to that how you might be able to do that more and with the participation from the sister agencies and the government is a very important part of the dictation. >> if i could i'm going to do that in two parts. it's not not one that you ask but it just reminded me one of the things i hear in the power sector, and i was in san antonio talking to nerc as a matter of fact. one of the challenges in the power segment you need to
3:59 pm
understand the constraints that we work under. in order for us to generate income to make some of the changes we need to do we have to go to the regulatory body and make an argument. the citizens are interested to address the cyber security and regulatory bodies they share those concerns. so, my thanks to the power structure in those constraints try to push those as hard as we can because i have some concerns in this arena. in terms of the kind of idea about how to be training and practice with each other, one of the things i've said both internally and the department of defense as well as the private sector individuals and organizations i deal with we have to work on the focus where all of the resources are focused
4:00 pm
on penetrating the networks to the acknowledgment that there is a likelihood that despite the best efforts we are going to fail and therefore the remediation starts to get really critical. i've had to defend the networks against determining the the heart of god inside of the network. it's one of the best fight i ever had in my 33 years as a commissioned officer. it really was each of us trying to anticipate what we were going to do and how we were going to drive them out. one of the takeaways i tell our team and the department is we have to learn how to you continue to operate a network even as you are fighting to defend it with an intruder because often times what i will hear but i will here is the answer is to just shut down. and i'm like you caught to be kidding me do you know what functions does execute day-to-day, do you know what
4:01 pm
this does to the ability to execute permission? i'm not going to take the mission failure or delay self-imposed mission failure justify shutting down. that is in the answer in this case is. so, we need to shift the focus on the remediation and litigation and how do you fight through a network that has been compromised and one of the things we are trying to do as i said in my comment is how can we look at doing that? ..e really generate value is at the level of the men and women who are doing the work. that is what we have to get to. it is not a self-taught cabinet heads, agency heads meeting with ceos. not that that's not a part of it, but we have to get to an actual level and so i'm always looking at the private sector
4:02 pm
how can we help with that and what's the right level for you. what does that mean? i know what that means in the department of defense and in the government but i don't know what that means. i would be curious what you think that means tom. >> on the hurricane response we also have a good mutual assistance program, so where the companies come to help each other and hurricane cindy we got together an army of 67,000 people from all around the country with the help to get that done so that level is important to have those and we've done them pretty well. during a cyber attack there's going to be a lot of things happening in the upper level in terms of coordination at the highest levels of government and in terms of media and
4:03 pm
congressional interest and governors that say there has to be a lot of coronation. so there is a couple of different tabletops that have to be done at the operating level lighting candles one that would've made the practice of coordinating some kind of those activities as well. >> i agree with you and i apologize if i came across not embracing that. it istifad there's so many different levels ask complexities to this, we've really got to step back and look at this holistically. it's not just a technical piece, and i see so many people that just want to focus on the technical piece of this. and we are much bigger than this. >> so following up on that, more of a human component. we are talking about even back in 1994, "time" magazine wrote a story about the internet, and no one had heard about the internet. they had to describe what it was. if you think about the terms
4:04 pm
that have come into our vernacular now, twitter and youtube and blogging and tweeting, what will be the next generation of cyber threats that we will face, do you think? >> i think clearly the next big arena is going to be the digital hand held device both because it's exploding in its application and use. increasingly look at the set whether it's from business or the military, whether it's us as individuals, look at the series of actions and steps that you're taking in your everyday life -- corporate, government or individual -- with the mobile handheld digital device. that increasingly is just becoming the normal. and that, to me, is the area i look to as i look out five, ten years, that's where, that's what concerns me. we've tended to focus on fixed networks, large, you know,
4:05 pm
corporate-based, government-based. those aren't going to go away. >> and the internet of things, the wearables, that kind of thing. >> right. and i consider the internet of things all part of that digital. >> a question right over here. just wait, they'll bring you a microphone. >> and i apologize, with the lights i can't see you so well. >> i hear the lights are pretty bright in your eyes. i'm susan moore with pepco holdings here in washington, d.c.. >> hey, susan. >> i guess my question, you know, in the energy sector we don't differentiate between physical threats and cyber threats, and we actually drill with the assumption that they'll probably do both at the same time if it's a sophisticated attack. and to be quite frank, the mill mill -- military's response in its own protection seems to be focused on isolation as the tactic for dealing with the idea of the grid going down.
4:06 pm
and i wonder if you could talk to that a little bit, because i think, you know, as tempting as isolation is as a strategy for response, it also attempts, you know, potentially makes security a lot more difficult if you have little webs and individual grids all over the place. so i don't know, if you could take maybe about isolation versus integration. >> so isolation works at a tactical level for a very immediate, short-term period. it's in -- not in the long run a come comprehensive, sustainable strategy. i'll just shut down, that's how i'll make them go away, i'll just shut the network down. it's not that it's a bad thing at the tactical level, so to speak, a base, an installation as opposed to an entire grid construct, but in the long run i think the right answer for us is going to be, again, rather than isolation how do we do something in a more integrated way.
4:07 pm
isolation, to me, is also very difficult to sustain over time as a strategy. particularly if you have high power requirements, and the director of nsa, we have huge power requirements. so this is something i, for me, pay a lot of attention to because power is a big concern for us because we're a huge consumer of electrical power. but i agree with your fundamental premise. i think the challenge then becomes how can we, starting from that sector perspective, have a conversation about what's the right response strategy here, and are we really comfortable with this idea we want to go to this isolation kind of way to do business as a broader strategy? i don't think that's the best response in the long run. thank you, ms. susan. >> [inaudible] >> thank you. admiral, got a question about kind of the baton handoff as i've heard some members kind of ask. so likewise with the response
4:08 pm
and tom's question about table-top exercises, you know, say a business is sharing information, they're using a framework tool or a risk management tool like the framework, and they're dealing with an adversary that outstrips their abilities to keep pace. we know that there are partnerships with dhs, other agencies and departments. when would nsa step in, and what's the policy thinking there? what would that look like? >> first, i would argue the most likely scenario is probably u.s. cyber command and the dod, the national security agency. one of our three missions is when directed by the president or the secretary to provide capability to defend a critical u.s. infrastructure. now, our role to do that will, quite frankly, our mission will be to attempt to interdict the activity before it ever gets to that u.s. network, that u.s. company. that's our primary strategy, and that's what dod brings to this. a subset of our strategy is if
4:09 pm
we should fail in that regard, we have also developed some defensive response capability that we can deploy to partner with dhs, the fbi and the private sector about. so it goes to tom's question about, so, how do you remediate, how do you mitigate? if you've failed and they've breached, so to speak, how do you remediate and mitigate? that's the u.s. cyber command side. that's a legal call because, again, you have to be tasked, and that's what the president, you know, requests the secretary of defense to do. so there's a policy debate there, a legal debate there. it's one of the reasons why in my initial comments to you i talked about this is a national security issue to me. when viewed as a national security issue, then the capabilities of dod and their application, you know, are very much in keeping with our broad policy and legal structure as a nation. if we're going to view this as purely a private sector issue, then traditionally we have, well, hey, do you really want
4:10 pm
dod or, by extension, the broader government involving themselves in this? i think looking at this from a national security perspective is very important. and there will be a discussion about do we focus on critical sectors? is it any private entity? for the federal government, we have defined approximately 16 segments as being critical infrastructure whose loss would have significant or degradation can would have significant national security impact. so my training, what we're developing at u.s. cyber command so be prepared to apply capability in those 16 segments if directed by the president or the secretary. >> thank you. and secretary. >> thank you. >> so october is cyber security awareness month according to the department of homeland security. the past few months they've been going around the country and as
4:11 pm
you can imagine very different audiences. i think a lot of the folks in washington are well-versed in the framework when we were in phoenix and chicago and so we are spreading the word with that working with the white house and the dhs and speedy with them. the question is that's great. we have a month designating the fall but what else do we need to do. when you look at the ice bucket challenging how quickly that went viral what can we do to jumpstart people paying attention to cybersecurity more? >> what is the tipping point? what does it take when it gets so bad that we finally see okay enough we have to get the legislation peace out here and put those partnerships in place. the status quo isn't working for us. for whatever reason it doesn't appear yet that we have reached that point.
4:12 pm
in no small part i think because for many of our citizens it hasn't reached h. roux pain threshold. so someone steals your account information or credit card data, charges on the card right now citizens if you report this to your bank, we are not paying a price. the corporate sector is assuming that liability covering it. the point i often think about is once this becomes something that really impacts a broad swath of our citizens is very real and impacts their daily life as their ability to do what they wanted when they want, then watch for a whole shift in the way that we are talking about this. my frustration is that it should not take a disaster so to speak to tell us that you can see this coming. everyone of us intellectually knows that this is a significant
4:13 pm
national security issue that is not going away and it is likely only to get worse. so, we can either deal with this now in a collaborative and professional way or wait until we get hit with a two by four across the head. they find that to be a painful experience. move from the dialog to the concrete steps of how we are going to make this real and how we can work comfortably high and the private sector, government and a broad swath of government. one of the comments i make right now is we are asking the private sector to withstand the efforts of nation states against them. but that is asking a lot of the private sector. and i think that you've seen this reflected. we've come to the conclusion that this is about partnerships and we have to be able to provide the government keeps the body and capacity to support the private sector and that likewise
4:14 pm
went into private sector to provide the capacity and capability to make this work. they ought to deal with this. they argue it is a governmental function they ought to deal with this. i think the reality is between the viewpoints. the intelligence and insight it takes a partnership and you have information i need and i have information that could be of value to you. >> you have not one of the toughest jobs but two of them as to have them as a cyber commander and the head of the nsa. what do you think your biggest challenge is and where do you go
4:15 pm
from here with the cyber command and working with the private sector? >> for the u.s. cyber command of my biggest challenge is creating a culture and building a framework for the future. so as a matter of fact on friday -- in the scheme of things and the department of defense for years is not a long time so there's a lot of organizations that have a longer history than we do. but to date predates that workforce, build the command and control how we are going to employee it and then exercise it with our partners in that apartment and out on how we are going to make this work on the execution level of the detail. what you need from us and we need from you, how we are going to share it and what generates the value because the answer to this problem is and while i'm just going to give you
4:16 pm
everything we have. i don't want that from you and i don't think you want that from us because we can bury each other with data. i'm always looking at putting on my intel hacked, but what i care about his insight and knowledge. i used the data use the data as a tool to get there but the data in and of itself is not the end-all and be-all. what we have to share its knowledge and insight. >> wait for the microphone to get to you please. >> i can't see through the lights. >> sure. my question is you talked about the importance of the information sharing and sharing of the legislation. the legislation. one of the big criticisms by some particularly is these bills allow you to get the information
4:17 pm
and they would like to have some use limitations. how do you get around that >> i don't want privacy information. it creates challenges. it slows me down. for this mission not a good thing for us. it's not what i'm interested in. what i would like to have is a discussion of what is the information that we want to share with each other. and what is the value that that information generates. but this idea that inherently you can't trust phil and the -- fill-in the blank that we don't trust each other so among the things we need to address as the controls and oversight mechanisms we need to make any place. what is the civil privacy and the role of the inspector general's we have is we have a inspector generals in the private sector and the public governmental sectors we have
4:18 pm
lots of mechanisms of the oversight and control of information and we need to make that a part of this. i'm not interested in anybody writing a check for the u.s. cyber command or the national security. and i bet you my partners were to tell you the same thing. remember dhs is the leader. in military jargon they are the commander and we are supporting them under your hat, cyber command or nsa. we partner with others in the federal government in addition to the vhs come fbi depending on the treasury, segment, that work in the energy segment, we partner with others. u.s. cyber command. we are not the lead in the agency. we partner with others. >> we have time for one last question. can you wait for the microphone
4:19 pm
to get to you? there have been some reports recently about the nsa working part-time. >> there've been reports recently about employees in the nsa working part-time and some former employees going on to the private sector. how is that affecting the morale in the nsa and is there any concern about that prla >> first, we have a formal set of processes that must be applied when individuals are going to do something in addition to their nsa duties. we review that consistently over time, and when circumstances change, what was acceptable at one point we'll say, hey, the circumstances have changed, the nature of the relationship between the outside is different, so we do that on a recurring basis.
4:20 pm
for some it's as simple, for example, as someone with a language background says, look, i want to use my language outside nsa on a contractor basis because it'll increase my skills. sometimes we'll say yes, sometimes we won't. in terms of, you know, the flow of partnerships and the information back and forth, i have been very public about saying for the or national security or agency i would like us to create a model where members of our work force don't necessarily spend 30 or 35 years working directly for us. which right now is, has been the historic norm. it is amazing, the employees i will talk to when i say tell me how long you've been with nsa, 30, 35 years, 38 years. i just said good-bye to an employee after 50 years. what i've talked about is particularly given the state of technology, we have got to create a world where people from nsa can leave us for a while and go work in the private sector, and you would also like to
4:21 pm
create a world where the private sector can come spend a little time with us. one of the challenges, i think, as a nation that we're dealing with -- and you've seen this play out over the last year or so in particular -- we've talked past each other a lot because we don't understand each other. the nsa culture and experience isn't necessarily optimized to understand, you know, concerns, many of which are very valid from our i.t., corporate partners, likewise, many of the individuals we'll work with in the corporate world don't really have an understanding of us. and be i'd like to see what we can do to try the change that, because i think it'll produce better outcomes for both of us, and it'll serve us better as a nation. thank you very much, ma'am. >> thank you, sir. thank you for your time. thank you for all that you do. the u.s. chamber of commerce looks forward to working with you and your team, and we hope you'll come back, and we hope it won't be next october. >> i thank you for taking time from very busy personal and professional lives to be part of
4:22 pm
a dialogue -- won't be just today, won't be just tomorrow, next week, next month -- but being part of a dialogue about what have we got to do to address a really foundational challenge for us as a nation and, i would argue, for our friends and partners all over the world. cyber does not recognize geographic boundaries very well. so the idea that we're just going to deal with this in america, for example, i don't think that's a winning strategy for us. we can learn great insights both internally with each other, but also from our partners overseas as well. but it all starts with a willingness to have a dialogue with each other and a willingness to be open with each other. and not starting from a position of, gee, you know, you're in the private sector, and you're all about money. so i don't know i can trust you as a military. or the private sector saying, hey, you work for the government, and i don't know that we can really trust you. that is not going to get us where we need to be as a nation. that's not going to provide the
4:23 pm
protection that our society -- whether you do it in the private sector, government or, for us, it's private -- that is not going to generate the outcomes that collectively we need. this is a team sport that will take all of us. and it starts with a collaborative, open relationship and a willingness to be transparent and open with each other. so i thank you very much for that. have a great day. >> thank you. [applause] great. >> this election night here on c-span2, booktv is in prime time with eric schmidt's book, "how google works." steve ammon almond and jeff easter brook, and books by robert trotta and anna harvey. booktv in prime time begins at 8 p.m. eastern. and join us on c-span for live campaign 2014 election night coverage. see who wins, who loses and which party will control congress, and engage with us by
4:24 pm
phone, on twitter @c-span, or at leading up to tonight's election results, c-span's asking what you think about voting on facebook. do you vote and why or why not? marsha writes: yes, we're blessed with the right to vote. i vote to honor them and have a voice in the process. and jason says: no, it's a waste of time, and it accomplishes nothing. the system is rigged to prevent any real changes, so your vote is meaningless. you can see what others are saying and share your thoughts at >> the 2015 c-span student cam video competition is underway, open to all middle and high school students to create a 5-7 minute documentary on the theme, "the three branches and you," showing how a policy, law or action by the executive, legislative or the judicial branch of the federal government has affected you or your community. there's 200 cash prizes for
4:25 pm
students and teachers totaling $100,000. for the list of rules and how to get started, go to c-span2, providing live coverage of the u.s. senate floor proceedings and key public policy events. and every weekend, booktv. now for 15 years the only television network devoted to nonfiction books and authors. c-span2, created by the cable tv industry and brought to you as a public service by your local cable or satellite provider. watch us in hd, like us on facebook and follow us on twitter. >> back to the u.s. chamber of commerce cybersecurity summit. senate intelligence committee chair dianne feinstein and vice chair saxby chambliss discuss ongoing efforts in congress to draft and pass a cybersecurity information security act. this is 35 minutes. >> okay. can everyone hear me okay now?
4:26 pm
very good. well, again, welcome to the chamber's third annual cybersecurity summit. thank you both for joining us. i thought what i'd do is introduce you both, and then we can talk a little bit about the bill itself and prospects and why it needed to go from there and perhaps take some questions from the audience too. let me introduce our two speakers. we're so glad to have you here. as you all know, as california's senior senator, dianne feinstein has built a reputation as an independent voice working with both democrats and republicans. we love to hear that these days to find some common sense solutions to the problems facing california and the nation. since her election to the senate in '92, senator feinstein has worked in a bipartisan way to build a significant record of legislative accomplishments which include helping to strengthen the nation's security both here and abroad, combating crime and violence, battling cancer and protecting natural resources, again, in california and across the country.
4:27 pm
in the 111th congress, senator feinstein assumed the chairmanship of the senate select committee on intelligence where she oversees the nation's 16 intelligence agencies, and i should point out she was the first female senator to hold that position. it is also my pleasure to introduce the honorable saxby chambliss. in 2008 saxby chambliss was elected to serve a second term in the united states senate. georgia trends magazine, which has consistently named him as one of its most influential georgia gans, called him a highly visible, well respected presence in washington, and it says he has a reputation of an affable but a straight-talking lawmaker. they also named him georgian of the year. his leadership and experience on homeland security and intelligence matters during his tenure in the house of representatives earned him an appointment to the senate select committee on intelligence where he has served as vice chairman since 2011.
4:28 pm
he's a strong advocate for improved information sharing and human intelligence-swath gathering capabilities, and that's a topic that we're going to get into here. again, thank you both for joining us. i was just sharing with senator feinstein what you all have at your desks are pro-cifa propaganda. why the two of you decided to put this legislation forward, why it's needed, what does it do? >> well, i'll begin, but let me just say to begin with, ann, first of all, thank you. it's my understanding that the chamber's prepared to support this legislation. and that's very important, i think if i can speak for the vice chairman and myself, to our whole committee. but on a personal level, i just want to say to the gentleman on my left what a great pleasure it has been to work with you. we've put out now a number of intelligence authorization bills, the fisa bill, the cyber bill, and, ladies and gentlemen, one of the things that i have
4:29 pm
learned, certainly, in about 40 years of public life, that in a two-party system if you want to get something done, compromise is not a bad word. and so if we sit down -- and i tried to share everything that i know with senator chambliss -- either i have to give, or he has to give, or we find a mutual road to go down. and we have found, i believe he will second this, that to be a very productive way of producing for the people of this country. i remember when we had mr. mend mr. mendia before our intelligence committee, and he gave us a classified briefing on what was happening in the united states with respect to cyber attacks. and then the director of the fbi said, you know, there's one thing that's common about this: 90% either know they've been
4:30 pm
attacked, the other 10% may not, but they have been attacked. and that virtually almost every big american company today has been attacked. the question is how serious and by whom and how much. and i think it's fair to estimate that the cost to the economy and to business is estimated in the trillions of dollars. so it is very serious. we started on this with a different bill, and we put that bill together. it went to the floor, and it got 56 votes. we needed 60 votes. it only got one republican vote. so the key was to go back and do a bipartisan bill. and that's, essentially, what the vice chairman and i have done, ann. we've put together a bipartisan bill. it was put out by the committee by a vote


info Stream Only

Uploaded by TV Archive on