Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  May 3, 2016 9:09am-11:10am EDT

9:09 am
and the private sector as well as some of the international issues. couldn't think of a better time to host this than, sunday was the fifth year anniversary of our successful raid on osama bin laden in abbottabad in pakistan. and, obviously, serves as a good time to sort of take stock in terms of where we are, how the threat has changed and what sorts of capabilities and capacities we need to be able to get ahead of the curve. our conference is titled securing our future, and it is meant to be a strategic set of issues that looks across our various portfolio issues. at me ask everyone to please put their phones in quiet mode, and we need to ask questions please identify yourself and allow time for a mic to find you. i'm going to very quickly introduce one of our board members, michael balboni, who
9:10 am
will moderate the first session this morning with the deputy secretary of dhs. mike balboni is a longtime friend, co-conspirator on a whole host of issues. he serves on our board and more importantly has served in numerous roles related to homeland security, including the homeland security adviser to two different governors in the state of new york, a former senator, state senator in new york who really picked up and defense of a lot of the homeland security issues from the status of the. also resides from my hometown, long island. he represented long island, as you can see i'm wearing the islanders color today. but without further ado it introduced mike balboni who is ceo of redland strategies. you see him a lot on our tv screens throughout the country. mike, the floor is yours. thank you.
9:11 am
[applause] >> good morning ladies and gentlemen. i don't know if you share my sense of enthusiasm that it's great when you come from the hinterlands of the state did you come to washington, d.c. and to get a chance to interact with people who are decision makers behind the scenes. he don't normally always get a chance to see them. that's our opportunity this morning. alejandro mayorkas is a very distinguishea verydistinguishedt you may never have spent a lot of time focusing on. and yet in 1998 he was appointed by then-president clinton to be one of the youngest u.s. attorneys out of central california. then he went to the private sector and when he went to the "national law journal" called in one of the 50 most influential attorneys in the nation. and then, of course, the president obama put him into dhs for the citizenship and immigration services, where he oversaw an organization of
9:12 am
18,000 individuals and $3 billion budget. and then he took a big step, and 2013 press obama didn't -- that's been said become the deputy secretary and a run today just as the although, $60 billion, 240,000 employees, and he's of the number two for this incredibly vast enterprise that has so many of the issues that relate to so much of our personal lives. so without further ado deputy secretary mayorkas. [applause] >> thank you. thank you very much your good morning, everyone. and i very much appreciate the opportunity to share some thoughts with you. i thought this morning i would really focus my comments on cybersecurity in particular. one of our greatest priorities and one of the greatest national security imperatives that we face.
9:13 am
one year ago today, i matter fact, one year ago, two men wearing body armor, carrying assault rifles, handguns and 1005 underground of ammunition stepped out of the vehicle and started shooting at the center in garland, texas. they did not achieve their objective. they were thwarted by valley and and brave law enforcement officers who were ready for the attack. and one of those valiant officers were shot in the ankle, was able to recover in a local hospital, but no one died. the curtis caldwell center was targeted because they had exhibited a cartoon show with respect to the prophet mohammed
9:14 am
in protest of the tragic "charlie hebdo" assault that had occurred a month earlier in paris, france. the attack was essentially thwarted successfully because of the fact in part the intelligence community had shared information with local on for the with respect to anticipated attacks on the center. and the prospect of just such an event. and we in this country are quite mature and involving the sharing of information into counterterrorism arena. not only within the intelligence community, the federal intelligence community, but very importantly and critically we are first responders to a network of fusion centers and other mechanisms, we share
9:15 am
information and as real-time as possible with state and local, tribal law enforcement. so that those individuals are equipped to protect the public whom they serve. that level of evolution and maturity does not yet exist in the realm of cybersecurity. and yet it is no less a security imperative. in fact, there is something unique about the cybersecurity realm that really underscores how imperative the sharing of information is in this realm. and that is the ease of accessibility of the replication of harm, the replication of an attack. when i was a federal prosecutor and handled at the outset of my career, i handled bank robberies. i remember seeing bank robbers
9:16 am
who had one bank and moved onto another. and the ability to execute their particular modus operandi and replicate one institution, the harm that it sought to inflict and another was actually quite difficult. and usually unsuccessful. here in the cybersecurity realm, as we all know all too well, it is just a click of a button away when one hits one institution, whether it be ran somewhere or whatever the harm one seeks to inflict, or one could easily get another institution in a matter of seconds, if not simultaneously. and that calls for the sharing of information in a way that is rather unprecedented in the law enforcement arena. very often in an investigation, information is not shared
9:17 am
because, number one, the investigation may be conducted and the conduct of a grand jury, but more important we the investigation is seeking to identify the perpetrator and achieve accountability. in the cybersecurity realm the perpetrator may be an ocean away, maybe and accessible to law enforcement and actually apprehending the perpetrator may not necessarily be asking for as in shoring up the victimization is, in fact, not replicated elsewhere. and so the paradigm that we are seeking to establish in the cybersecurity realm is a much more open and sharing of information paradigm that otherwise exists in traditional enforcement and security arenas. and what we are seeking to accomplish in the department of homeland security and across the
9:18 am
administration is to treat the cyberthreat indicator itself, this unique indicator of the perpetrator, to share that to no longer consider it a commodity for profit, but rather to share it as a public good. so that if, in fact, one institution is harmed, you should information as to the nature of the vulnerability, and more specifically the nature of exploitation, and enable others who may share that vulnerability to patch the vulnerability can protect themselves from suffering the very same harm. right now we have a number of obstacles in achieving that information sharing paradigm to which we aspire. i'm not worried about the obstacle of undercutting profit, because we know very well that
9:19 am
in the cybersecurity realm there are many avenues. in fact, they are exploding in growth, in number, many avenues of making a profit, and the cyberthreat indicator, the profit makers did not need to rely upon. it rather there are different obstacles. number one, i think there is a general sense of distrust between the technology community and government writ large. there is certainly a residue of distrust in the post-snowden environment, and that residue, quite frankly, has been built upon or sharpened a bit, quite frankly, and the dialogue around encryption and sometimes polarizing nature of that debate. and we have to work through our disagreements.
9:20 am
we have to work through a distinct policy positions around critical, important issues and find a level of trust that allows us to protect one another and, therefore, collectively protect the nation as a whole. number one. number two, there's this skepticism. is a skepticism and the private sector as to what is in it for us. we will share information with the government, but what will we receive in return? will we, in fact, only be the subject of an investigation? whether our cybersecurity protocols within our institution are adequate to protect our customers, our shareholders, our clients, our students, our patients, whatever the nature of the duty is. will we become the subject of
9:21 am
investigation? or otherwise we'll just be a one way street of sharing of information? and what we are building of the department of homeland security is a mechanism of, frankly, mutual benefit. our intention in receiving information from the private sector, stripped of the personally identifiable information so that we safeguard an individual or an institution's privacy interests, we are unique in the department of homeland security is having a statutorily created office of privacy and a statutorily created office of civil rights and civil liberties, but we will take that information and we will disseminate it. we will disseminate it in automated form, in real-time, not only across the government but, frankly, throughout the private sector. two of the information sharing and analysis organizations that the president created in his
9:22 am
november 2014 executive order. and the idea is that one institution shares with us information, that other institutions may not be privy to. we will publish that information in a form that is useful from a cybersecurity perspective, and not imposing, unduly imposing from a privacy perspective, throughout the participating private-sector entities so that they can understand what the harm suffered was, how it was achieved, and protect themselves from suffering the very same harm you. the sharing of information in the counterterrorism space took time. it took time for the government to develop the mechanisms of sharing and to develop the
9:23 am
muscle memory, to overcome to some extent provincialism that existed, still fighting. but we are in a place that is far, far stronger, far, far better than when we were in 2001 -- stove piping. we do not have the luxury of time in the cybersecurity arena to develop institutional mechanisms, to develop a culture of information sharing and to build the muscle memory that we now enjoy in the counterterrorism space. the cybersecurity realm, as we all know, is fast evolving. it is exploding. the head of israel's national sec fiber -- cyber described it as the third revolution but there was the agriculture, industrial revolution and others the cyber revolution.
9:24 am
there are more devices connected to the internet than there are people on the planet. and things are moving fast. and we need to move fast as well. not only as a government. we need to be far, far better in our go to innovate and we are currently if we're making strides in that regard but we have to be better as a community. and by that i mean as a public-private community together in battling the threat of cybersecurity. we believe in the department of homeland security that we are uniquely situated to be the point of this beer in building that community, that community of sharing of information and economies -- reasoned response to attack back and get one or all of us together. we've been the beneficiary of radical legislation this past year that affords the share of
9:25 am
information, liability protection. we are a civilian agency, so the department that weblog for the components. we are civilian in nature and has other to earlier, we have unique protections that afford the interests of the dissemination of information and the privacy of civil rights and civil liberties arena. we are working within the administration to publish critical documents to guide the private sector in the sharing of information. we look forward to rolling this out in the near future. we are enhancing our efforts not just domestically but certainly internationally. our office of science and technology just entered into an agreement in principle with the government of south korea. our office of science and technology has just entered into an agreement with the government
9:26 am
of israel to pool funding for research and development for the cybersecurity realm. this is a matter where the community is not only a public-private partnership domestically, but a public to public in a public private partnership around the world. i returned recently from berlin and united kingdom where i've participated in the biannual dialogue with our key partners in the national security space, and front and center in those dialogues was the subject of cybersecurity. of course, encryption or rose, the sharing of information and the development of institutional responses to a harm that we are all exposed to was uppermost in our minds and uppermost in our discussion. and so i hope that we will be able to work together to build a
9:27 am
cybersecurity infrastructure that parallels the success that we enjoy and to execute in the counterterrorism and broader national security structure, and i appreciate your time and i look forward to fielding your questions in the minutes ahead. thank you very much. [applause] >> permit the time they, deputy secretary, to pose two questions and then open it to the audience for questions. let me switch the counterterrorism perspective. supposed paris and brussels, what has become very evident is that there have been enclaves of isolated communities within, throughout europe but specifically brussels, that have permitted the radicalization on a community basis of some
9:28 am
members. certainly the ability to move in and out of these communities. given the level of rhetoric and his campaign and the concern we have seen growing throughout europe, what is it we can do in the department of homeland security's perspective to counter the narrative of radicalization? >> let me say this. i appreciate the question. it's a very important priority of ours, countering violent extremism nation. last year we were very focused on the foreign fighter phenomenon. phenomenon of individuals leaving the united states traveling to conflict zones, syria most notably and the concern that they became or already were radicalized with the intent of returning to the united states to do us harm. that, of course, remains a concern of ours, let increasingly we are concerned about the homegrown radicalized violent extremists.
9:29 am
and we had an effort that was under the rubric of countering violent extremism, but we granted that effort very importantly and created the office for community partnerships. ultimately, the owners of that effort must be the local communities themselves to be able to identify individuals who are on the path of radicalization and to intervene in the path. we in the federal government can facilitate and equip them to address this phenomenon. director james comey have spoken on a number of occasions about the fact that there are approximately 1000 individuals under investigation in the united states now. to our individuals in every single state of our union who are under investigation. -- there are individuals. they may well have not traveled to an area of conflict but
9:30 am
instead become radicalized in their own communities. we were given funding by congress to equip local and state, tribal law enforcement, and community organizations, whether they be nonprofit, religious or other types of organizations to build the lines of communication and to build the apparatus, to reach those individuals, their families, their friends come and equip them with the tools to intervene. we are also, of course, involved in transmitting the counter narrative. and one thing, or at least one characteristic that really distinguishes isil in the radicalizing effort is they are very sophisticated use of social media, and we in turn are using social media to reach the very same individuals to ensure that
9:31 am
the messages that they need to receive in order to thwart their path to radicalization is, in fact, communicated. so this is a community-based effort that we and the federal government very much support, facilitate and equip. >> i appreciate your remarks on efforts for cybersecurity, and one of the things that is so daunting to the private sector is this array of stovepipe regulation. the ftc, fcc, all sorts of real hard penalties associate with it. yet when you go to the federal government writ large, there is no love tells you how to be cybersecurity i think it's one of the things a lot of the coverage will struggle with. if you could speak to the private sector for a second. what is going to get the cybersecurity moving at the private level? what are the things? visit the care to come with a
9:32 am
stick, sharing of information? what do you think is the right recipe to engage oxygen of the private sector is 80% of the cyber assets so how do we truly engage in a national dialogue with the private sector to make it more cybersecurity? >> there is not a single standard for cybersecurity. in other words, this is the standard of care to which you must adhere. and if you fall below that you may be exposed to liability, and if you satisfy that standard, you are safe from liability. but isn't that standard because of the dynamism of the environment and how quickly that standard, quite frankly, would move here and the opposed to legislating a standard of care articulate precisely that. the standard of care may suit the current environment, but the day after tomorrow it may be obsolete because we have learned
9:33 am
so much. what we've done in the federal government is actually develop the framework that resides in the department of commerce which communicates the criteria that i private sector institution should look to in developing its cybersecurity ecosystem. and so if you are a big company come if you're a medium company, if you're a small company, depending on the nature of the jewels that you carry as institution, you look for the nist framework to understand the analytics architecture that you should follow in building your cybersecurity. i will say that this is my personal opinion as a participant in this arena, but also very much a student in this arena. when it was a prosecutor,
9:34 am
federal prosecutor, the standard of care was quite evident. and we did not pursue accountability as a means of defining the standard of care. because in the criminal arena that would be terribly unjust. i will say in this space, i do see federal lawsuits against companies for deficient cybersecurity. and i'm not sure that all of those lawsuits are just, given the fact that we have a lack of clarity, and what really is standard of care. there are cases where the deficiencies are readily apparent. they are pained and it is quite frankly the protocols are irresponsible. but if one doesn't have that frankly level of lack of care,
9:35 am
it starts to me to give her difficult to hold companies responsible. and i worry about the use of the stick to build a cybersecurity ecosystem, rather than means of come indication and the provision of tools to develop. >> thank you very much. now we will open up to the audience for questions. if you want to ask the question, please raise your hand and we will get you a microphone. down here in front, please. please identify yourself if you would. >> hi. rick weber, inside the cybersecurity. you mentioned critical document you're working on within the administration in the near future you will be publishing them. our day on sharing within the government or the private
9:36 am
sector, and how they relate to liability relief under the cybersecurity law? >> with respect to the question of liability, we already and the department of homeland security published a number of documents, and we, of course, i think '02 the public -- we owe to the public educational materials. i think that the documents that we're working on him and not to get too far out in front of the administration and the probably already have achieved that, but i think it really speaks to how we are organized within the government and how we will use our resources in the best service of the public interest. we have heard from the private sector who are we supposed to call if, in fact, we suffer a cyber event?
9:37 am
we, of course, want to provide clarity in response to that question. and in an ever increasing arena of change, we also have to be well organized and well coordinated within the federal government, and within its institutions and our respective roles and responsibilities. and it is on that point i think we are focused. >> up front. >> retired cia. was there anything in the to 15 david that had been pursued could of been used to head off the san bernardino attacks? >> so that's a question that pertains to an ongoing
9:38 am
investigation and an ongoing prosecution. so i will refrain from answering that question. and as a former cia official, you should will understand my response. [laughter] >> next. in the middle here. >> richard cooper, catalyst partners and a senior fellow at the gw center. have you been having conversations come to talk about engagement at the private sector. have you been talking with insurance companies asked the lessons learned come insights that they have come insurance companies seem to be a great arbiter of changing behaviors in lots of ways. tree is what insights dialogue you have had. >> that's a great question and a great point. the application of risk is a
9:39 am
phenomenal driver of behavior. we do dialogue considerably with the insurance industry. most importantly, to impart information so that we share what we know with industry so that they are equipped to understand really the dynamics that we face, not in terms of schooling, how they choose to allocate risks and build their models. but i do think that the insurance industry will be one of the key drivers of the cybersecurity standards. >> in the back. she's coming.
9:40 am
>> came the quarrels. further to the point insurance, to our insurance programs available, to your point, deputy secretary, of educating the private sector to coordinate with the insurance industry. the our products where notification becomes an element of what they are required t to . it is that sharon does occur in the notification process becomes part of the incident process and incident response. >> yes. and that's why i do think the maturation of the insurance industry in the cybersecurity realm will help drive behavior, and i think it will help define the standards of care that are somewhat elusive now, and seem to be developing through the crucible of the courtroom,
9:41 am
rather than the policymaking rooms. >> yes, down here in front. >> i'm interested in your vision with regard to the information sharing automated information sharing programs from dhs which is sort of a machine to machine level of ioc. as with agassi small and medium-size businesses, are you able to benefit from that that machine speed? >> so great question. so just for everyone's awareness, we committed to developing automated information sharing structure where we can
9:42 am
receive the cyberthreat indicators in a particular format in automated form, and in near real-time, essentially strip it of the personally identifiable information that, of course, carries with it very important privacy interests that are not germane, that are not material to the cybersecurity goal. and then to disseminate information in automated form throughout the private sector, something to which i alluded in my opening remarks. we have, in fact, a built on schedule the first level of that automated information sharing protocol. we have 24 companies already participating in it. and one of the questions is, as
9:43 am
i understand your question, how do we build it to we achieved success in building for all comt just the biggest addition the can't afford the investment? and that is something we are building towards and don't have just yet. and it's very new, and so we are working on it i think top priority. and this is one of the areas in which we need to innovate, quite frankly. we are hoping as a government to move from a -- model of development to a jacksonian model of development. and for all the who don't know, that to me is a literary reference. i'll give you the perfect example. the notion of embarking upon a 10 year contract for the development of a product which,
9:44 am
by the time we rolled out is obsolete, has to really disappear and we are now increasingly using the agile methods develop a, the waterfall development, the waterfall model of development where we move in six months or even shorter sprints, and produce product in that way. we brought income and this is really the president's leadership, digital services, people from companies like deloitte, other very cutting edge companies to really bring the most cutting-edge development models and thinking to the way we, not only acquire, but execute on contracts. so building the automated information sharing framework for the otherwise disenfranchised is something
9:45 am
that we are very focused on. >> up front. >> john, gw alumnus and former naval intelligence officer. following up on your last answer, sir, i wonder to what extent you could address the topic of red teaming? and particularly outside the intelligence community of the government, to what extent can you use the dedicated hacker community, or fraternity in some ways, to help you understand and counter vulnerabilities? >> so let me share with you an experience that i had that brought your question into my life. no, into my life as a deputy
9:46 am
secretary. i was speaking at defcon last year, which is a conference of hackers in las vegas, nevada. and there are about 20,000 attendees in the conference and i spoke to a group of maybe about 700 or so and that's actually the focus of my remarks was on the issue of distrust and how to bridge the divide. and i was not permitted to bring my personal or work phones into the hotel, whether on or off, for fear that they would be hacked. i actually mentioned at the outset of my remarks, and told the group of people that i have brought a phone with me and that if anyone made it rain during my
9:47 am
remarks i would pay them $1000. this was at the outset of my remarks, and all of a sudden everyone is opening their backpacks and briefcases. [laughter] and they're pulling out equipment and working on this rather stunning. they learn a few minutes later that i had brought with me a motorola flip phone from the '70s flashback so i was secure in my inability to afford paying anyone $1000. but i said do you know what we need to do? in the course of my remarks i said you know what we need to do? we need to actually bring some of you into the government. not just from a red teaming perspective which, frankly, we do already, we do in the department of defense, does as well. and secretary carter spoke of that publicly, but also so that they understand, they understand
9:48 am
what we do, how we do it, and why we do it. it's very easy to distrust from afar, but if you were sitting next to somebody and you actually observe them and the intentions of their efforts and the policies behind their efforts, and in my humble opinion, the nobility of their efforts in government service, that's the best way to eliminate the distrust. and so we red team in the department of homeland security. there are red teams outside the department of homeland security, specifically in the cyberspace. i think bringing in that community actually has other collateral benefits to which i refer. >> down front, please. >> we red team internally as well, by the way. >> deputy secretary, fred with
9:49 am
johns hopkins university and also a senior fellow at the gw center. would you take a moment to comment on your since for the maturity of the department's risk assessment process? particularly with respect to obviously bears a wide, scary, dynamic threat spectrum, much different than we've had in the past and there is a day-to-day necessity to make decisions about establishing programs, allocating resources and so on and then needs to be risk-averse and. would you offer your perspective on that? >> so that's a very, very good question. i would say, i would answer it in this way. in all candor. i think that we are more mature in our ability to assess risk with scientific rigor in some
9:50 am
areas more than in others. let me give as an example, let me harken back to the question that you post with respect to extremism. the radicalizing of individuals in the united states. in my visit in the uk, they have a very sophisticated architecture of intervention and developing and disseminating the counter narrative. and it is in. ally based -- them. ally-based. they have analyzed the risk and
9:51 am
the underpinnings of their efforts are scientifically-based. i think that that our development of that scientific foundation is not white as mature and we are working on it. frankly, our office of science and technology has funded incredibly important research projects but we need to do a better job of integrating those research projects into our operational workings. so i would say it depends in what area of our vast mission one is speaking of. we are better in some areas than others. we are very mature in the border
9:52 am
security arena. something that we've been quite dedicated to and, frankly, countering violent extremism is a relatively, relatively new phenomenon as compared to, for example, our border security. >> so with that i believe we have concluded this part of the session. deputy secretary, thank you very much for your remarks. >> thank you, and thank you all very much. thank you. [applause] [inaudible conversations]
9:53 am
[inaudible conversations] >> well, thank you and now we'll move into our panel on public private sector coordination on cybersecurity. i mean, we've got an amazing amg group represented a whole lot of different actors that have to be part of the solution set. i will just literally give titles and let come and if you want to expand during the q&a in terms of the backgrounds, that would be great but i want to maximize time. starting all the way to my right, i am really on the far left a starting all the way to my right is eric goldstein who's a senior advisor at the cyber division of the department of homeland security. next to him is an old friend of mine, general reynold hoover, major general of the national guard. and it's also very active in our active defense budget that we are doing here at the center.
9:54 am
kiersten todt who is leading the president's commission as the staff director for cybersecurity, so thought it would be really insightful to get a sense of what the commission plans to go. scott erickson who is at epi, and is -- eei edit than a ton of work on public-private partnership on rigidity, cybersecurity editing the sector as a whole is really raised its game in terms of cybersecurity. given the recent cyber attacks in the ukraine, think it could be some very convalescent in terms of the implications in the united states. at last and certainly not least is scott kaine who is that delta risk. he is newly appointed ceo, so congratulations on the. and also thank you for helping us respond to our event. what i thought i would do is jump right into questions. i want to make sure we save some time for the audience to engage in the q&a as well. but kiersten, i thought we would
9:55 am
start with you since the president recently concluded there was a need for a commission to examine cybersecurity issues. obviously, the scale and scope is quite broad, but what are the priorities that you guys are looking at? what is evil to accomplish? and what is the hope t to a cottage and a relatively short order of time? >> right. and so i think the short or the time as i.c.e. have said, i've said it the marathon within a spectrum this but within a marathon, i do what it is fast and it requires a lot of effort. but the end result is the report that's going to be delivered to the president on december 1, and the key here as the president outlined and as the commission has repeated as this is not intended to be a culminating document of president obama's administration. quite the opposite. it is intended to be a document that looks forward and that hopefully the new administration
9:56 am
that comes in can use as a transition document on cyber. and the general strategy approach to this commission is look at the digital economy. and its look at the role of the government as well as the private sector in the digital economy. how these two elements and entities work together, and what they can each do in order to look at creating a resilient, and secure digital economy three, five, 10 years down the road. at the way i would define specifically what we're looking to do is to set forth in december a series of short-term practical recommendations, one that as soon as that report is done, can actually be used and have limited immediately for ways that can help instill what we're trying to do, as well as long-term ambitious recommendations. so that we are ensuring that innovation is a part of this. i think women look at both of those and look at the different themes, that they're both possible. and how we do that is measured by taking best practices, lessons learned.
9:57 am
what we are working with right now is looking at what are the models for how we're going to draft the recommendations. it's a combination of what's already out there, best practices, lessons learned. it could provide an opportunity for things that are working but don't have a lot of visibility and to raise the platform and the visibility at the national level. and then not most importantly but i think very importantly is the innovation. being able to pull innovation around this country on these efforts in a way that he can put forth the digital economy that we look at three, five, 10 years down the road. >> eric, why do we go to you in terms of trying to get a sense of where we are, what's working, what's not? can you shed some light on where the nccic attended some of the public-private partnership initiatives? and they will turn to general hoover and then we'll here from the private sector. >> i should begin by noting cybersecurity india's government
9:58 am
is of course a team sport. law enforcement agency that has identified, interdict our adversaries to be -- military defending dod networks inc. about our adversaries in cyberspace. my agency dhs, our role is to protect. our role is to actively protect federal civilian agencies and help the private sector and help state and local tribal governments better protect themselves. so with that we are pushing forward very urgently on a fuel line effort. the first of which is congress was kind enough to pass the cyber skid act as this audience knows, last december. as part of that act, our national security and communications integration center, or the nccic was established as the information sharing have two exchanged cybersecurity threat information between government and the private sector. this past march our secretary certified that our capability to share information in real-time
9:59 am
is operational. but what we need to do now is build a base of companies and agencies participating in this activity. the act of last december really remove a lot of the disincentives that were stymieing sharing with government and the private sector, for example, civil liability, foia exceptions, et cetera. so we now feel that the disincentives have been wiped away by this new act. we at nccic now needed to get what are the positive incentives. how do we and the government shall added value from cybersecurity information sharing such that companies will see benefits to their security and to the bottom line to participate. i would also note holding off the point of the president's cybersecurity commission, we have a significant role in promulgating best practices across the nation and figuring out how should companies best
10:00 am
evaluate the relative cybersecurity posture and measure their progress. and, of course, our foundational document for that is a nist framework but we want to figure out a companies use the cybersecurity framework to invest in targeted measures that actually show measurable, quantifiable reductions in their cybersecurity risk. in nccic we are focusing on the private sector one increasing our capacities in the sticky areas. ..
10:01 am
10:02 am
and as we move forward in think about what is the future for cyberand how did we do that in partnership, the guard has unique capability to bring to the table. >> i want to pick up on a couple point in a little bit. how many companies went into
10:03 am
business think you may have to defend themselves foreign intelligence service coming nationstate threats. how do we translate the noun into the verbs. what is gei in the company represent to make this real? isn't about consequence, perpetrator, actor, >> we hear the word partnership over and over. we have the sector to your point won't do this alone. we have law enforcement and national security mandate, so there's a north-south partnership. government and industry working together. i'm privileged to serve as the secretary for cordoning council with 30 plus ceos together
10:04 am
with senior government officials could redo that three times a year not to pat each other on the back and do a great job ,-com,-com ma but to do things advancing the cause of security. and to put it colloquially, the government has been pretty cool toys. we want this on our systems. in proving sharing of information, making sure the right people get the right information at the right time. east west is incredibly important across the sectors also. we be a lecture effect or because everything went en masse are often looked at as the most critical of the critical. we don't have water. we don't move our fuel. there are a lot of ways to impact the electric grid, so finding the east-west partnerships. the last part with information sharing with response and recovery.
10:05 am
so much we can firewall her way out of this. though the high wall and they will build a higher latter. if the adversary build the latter and we understand security. and what can we be doing today to make sure that it's coming. how do we manage the risk? had we put the risk in a box and ensure that we have a short outage as opposed to some didn't work catastrophic. >> i don't want to belabor this point, but if everything is critical, if we have 16 designated critical infrastructures, does that and nothing is critical? how do we get to the point where we rack and stack, prioritize. obviously, the energy and electric -- i mean, it is the most critical because without the lights we wouldn't be able to be here today. how do we start thinking about that.
10:06 am
>> there's different terms of sectors, strategically valuable infrastructure sectors. the national infrastructure visor he national infrastructure by three council knocked it down to five. electricity, not energy broadly, transportation, water, finance, communications. there's a lot of wisdom in that recommendation. i will say it gets reset yours -- this is not a knock on any others that have become the most mature because they have been the subject of attacks for so long are going to be finance and communications. i can say because of counterparts that i haven't each of those sites are his, partnerships are developing at a really rapid rate to the benefit of the security of each of the sectors. document interdependencies as well. >> scott, looking at it from a private sector, by very definition you got to provide holistic responses. where do you see things playing
10:07 am
out today and where do you see your greatest focus in terms of making sure you meet your clients needs? >> for my personal perspective i've been on the private sector and public sector side to the real issue is in the mid-market. the midsize companies on down are needing help and don't have the resources and the assets. i companies privilege to work for the department of homeland security to monitor the program into vulnerability scanning for mid-to small sized companies that are important. and so what we typically find is my guys within four hours are in the kingdom. you hear the soft underbelly concept. but it's the truth, which is if you were to take a look at where the most risk is that exist out there, the big companies have the assets. they have the resources. they have the funding.
10:08 am
by and large i know eight of the top 10 things work effectively with the government, with the intel site are, department of defense for dhs. is also the issue with classified information went to be brought over the privacy earth and the issues of scrubbing and so on. the real issue as it relates to public private is the public site or is trying to up with monitoring with the risk associated with the midtier companies out there. the program we have is we work on behalf of dhs and we are not able to go after the list of all the banks and energy help you send dhs supervision to go support us in the field. whatever always thought this if you look at the overall risk where the public or can assist the yours in the midtier and instead of assuming the one individual from the government can supervise contractors and go
10:09 am
take care of their own, there needs to be some type of deputy station, meaning not enough folks with the talent needed in dhs to do the job of kind of keeping watch over those critical infrastructure companies. so if it's the national guard leveraging the assets are in the field, i think i would do a great service to this country and if you take a look at who you are going to attack, it doesn't take much to figure out you go after the easy ones plugged into the big ones. before you note with at a much bigger problem. >> we have seen incident after incident highlighted precisely that concern, even if i were to rack and stack the critical infrastructure common finance and banking us at and banking is that the top-tier >> absolutely pure those are the folks they control a lot of money. the bank of america, city, morgan, not everybody thinks they are. the community banks that own a lot of asset that manage billions of dollars on a daily
10:10 am
basis have basically no infrastructure in place and no support to do anything. while they worry about the audits, they are not adequately protect it. the program dhs has today is helpful. there's a lot more folks that need help it shows the resource issue gave calgary out there and i think if you are and ask me the one point i was hoping to make today from a public-private perspective, the big teams, dod, intel, dhs at a high level in high-level financial site or come energy sector do as good as job as you'd expect at this point in terms of information sharing. if someone has a problem there doesn't seem to be an issue at picking up the phone and calling their counterpart on the other side. but the midmarket, forget it. is a vulnerable exposure in this country and whether it's dhs, national guard, there needs to be an effort to support them and they are begging for it.
10:11 am
>> even the most critical of our sectors suspect allegedly had its compromised in bangladesh. it is getting down to the supply chain third party vendors as we know what target and many others. >> swift is as secure as they come. i've been in the industry for 20 years. it is a hard target to get them they've got it. at the end of the day if they want you, they look at you. that is what happened there. at the end of the day it was in a technology issue. it was someone making a phone call that didn't get received and went ahead without an approval because the whole mess. >> scott raises an interesting point lacuna cybersecurity initiative, we often think large companies. we often think where resources are. but any successful effort if you look at the framework and what intent is to look at the small, medium and large business.
10:12 am
when you talk about supply chain and were critical infrastructure resides, doesn't always reside at the large level. if you are a small water company in the middle of the country, and you are critical and arguably more than the big companies at that point, which is another reason we had a conversation earlier of either national guard as a resource to look at how it bridges the day job with the government and we have this access point here around education awareness and knowledge that we could probably be -- we could be utilized in the lap or effect of the one we talk about both in the public and are. >> i was going to add the other thing is not only dirt on the public to receive quite a bit on the small agency and department to need help as well. whether it is determined today in terms of certifying the private sector can support -- the security service model is very common in the air.
10:13 am
but it comes down to is instead of me hiring staff, i will outsource security. five years ago it was bad work. it's much more receptive to doing it. while there might be a private sector that could use the government help at a minimum to tell them where problems are. on the public site here, and what i've encountered personally as the need for the smaller agencies and departments within the government to consider the private sector to help manage security. clearly have to have certifying process and body to ensure that whoever the managed security service provider is can ensure they meet the standards necessary. but i think it is some in the feds ought to consider and the big tab they need in the smaller folks do if they can in the private sector might be helpful in that regard as well. >> not even the big folks have exactly what they need. >> i take all of your points and
10:14 am
i think there is another level that we are just missing that goes back to my opening comments about really what is cyber? whenever you see it as from -- when you think about the elephant, everybody has a different view to describe it. there is another segment out there in maybe many of you in the audience are just like me who lost your data from opm reach. cyberto the individual at home on their computer, working on their bank information got hacked or their private e-mail got hacked, it is an issue for them as well and that is why when you think about this cyberdefense or active cyberdefense, it has to be a partnership and it has to be a whole of government approach and it has to involve the private sector because we are all on this together and we are all facing the same things that we take it back to the guard. we have aired then and soldiers
10:15 am
who had their day jobs to cyberfor a living. when they go for their drill weekends, they put a uniform on. we think they are uniquely qualified to part her in the state status to support the governors, also support dod and army cyberand air cyberin the mission. but it is a huge hole of government partnership it down to the individual sitting at their computer at home whose online banking or using a smart appliance that all of a sudden starts talking to you on the cell phone when you walk into their house. think about that. that is what cyberis about the days. >> i think you raise an point and i want to touch on the threat because not all hacks are the same. not all intentions are the same and not all capabilities are the same. it doesn't, and a tall. comes in various shapes, sizes and forms. in terms of understanding threat actors, how would this group
10:16 am
prioritize where we have to be thinking from the capability standpoint and also from a likelihood stand point. and then a little bit on the ttp said the attack takes techniques and procedures. we seem to be chasing brand somewhere, distributed denial of service. issue seemed to come into flavor and out of flavor. but if we were to actually start looking at the threat actors and some of the ttp as they are engaged in, however brock in fact? >> from the point of view of dhs, one interesting characteristic of most of the major security breaches from opm all down over the past several years is those adversaries have actually exploited known vulnerabilities in very common ttp's in order to actually axle trade or degrade data. even ran somewhere, the way their brand somewhere is
10:17 am
infecting this computer is through the same kind of that are as we've been seeing now where deployed for years. at dhs, we are taking a generally threat after agnostic approach. what we have seen this evens sophisticated adversaries are still breaking in using the most simple and common issues. they are exploiting unpatched operating systems, users who click on spear phishing e-mails. they exploit privileges for privileged users and the dhs what we are trying to evangelize his organizations deal with the basic locking and tackling a cybersecurity double fours are sophisticated adversaries to an acid more complicated attacks and if we can develop human capital to combating sophisticated attacks to deal with the mess by basic cybersecurity hygiene, that will put us in a much better place.
10:18 am
>> i want to pull him out because think you're spot on. at the time of the region most cases you don't have the attribution of the smoking keyboard we are looking for. you don't know whether you're dealing with the nationstate or a criminal or disgruntled employee or an ax to grind of one sort or another. if we can get to the point where we can develop limited resources that the government has to the high-end threats that term, everything else before that we can probably calibrate the first batter. you see that happening anytime soon? >> concert at the direction we are trying to go win. first of all with the private sector we have been and continue focusing on the critical infrastructure that could lead to physical manifestation or significant degradation of national security or economy. we are trying to segregate the
10:19 am
systems that could lead to the most hilarious effects, but as scott noted the inherent interconnection within sight to make that very challenging. we need to go to the sad asset and subsystem level and what are the vulnerabilities internal that could lead to these effects. we are taking a new approach by how we prioritize interventions. in the past we've taken an agency by agency approach relatively equally. a new approach by the president cybersecurity action plan on the highest value dataset systems within government with the database is one example that is degraded would is degraded to delete to especially severe consequences. we are doing this because as
10:20 am
scott donna correctly the cybersecurity capacity of dhs doing a given organization is inherent to find. we have to focus on the most significant consequences first. in so doing we will reduce the likelihood of the most significant or catastrophic events. >> scott, this gets too many conversations we've had in the past in terms of actor consequence impact. let's use this as an opportunity to enlighten some folks on the lessons learned. no state actor will send the money footprint back to the kremlin, for example, that they use proxies to engage in the act committee. how should we think about it? >> a couple things because both eric and general hooper has some good points and is ready to govern an industry in the same stage effectively finishing each other's sentences. these are the kinds of issues --
10:21 am
you need to be more provocative, frank. general hoover talked about this. what does that look like. sure i care about business attacks. my company certainly do not like the reputational risk or what happens to their customers if credit card data or personal data is breach. what i am focusing on the coordinating council and just with my day job on behalf of the industry is looking at the operational technology. the elephant to me looks like those things that are cyberincident that physical implications. one of the conclusions we came to, although i'm glad to cyberhas gotten everybody's attention, the security of critical and the structure is important and can be done from a keyboard across the ocean. you are never going to have a cyberattack that doesn't have a
10:22 am
physical implication or physical implication. i look at it more holistic weekend and is 24, 72 hours like in ukraine, you may just not know. so much of what we have to do is understand implication response and how we respond to that. now to bring it into what happened in ukraine, look, people wanted to make the ukraine and today an eye-opening experience for the north american industry. it was not an eye-opening experience. we knew that this is the kind of incident that could have been had it been preparing for many years. that is not to say we are going to take the incident and learned good lessons from that, but it was not some apocryphal moment where he didn't know that could happen. we absolutely did and we been preparing accordingly. i think the biggest thing we
10:23 am
have learned out of that is ukraine had some benefits that we may want to start to apply here in the united states, but they've also got some drawbacks. they have a much different grid than we do here in the united states. we do have mandatory and enforceabenforceab le standards. to the point eric was making, the sort of nuisance attacks are the kinds of things the electric grid in the united states and north america is particularly good at. what they had in ukraine is the ability to operate annually. we had this rush to automation over the last 15 years or so. on some level blind to security risks we are creating. there is a paradox here. it is good we have automation and gives us better situational awareness but also increases the attack surface. are there things we can do to go back to my original point? are there things we can do to be
10:24 am
able to operate manually in the event of an incident, go to degraded state to keep the power running. those are the kinds of big decisions we are taken as a factor in partnership with the government to begin planning for those incidents that could have an impact for a longer term on the grade. the second thing we are doing and this is an experience that of ukraine. we have mutual assistancassistanc e all over the country. when there is a weather event, you've got bucket trucks and crews all over defending on the affected area. can we learn lessons from her and mutual assistance culture of the cyberspace and in fact does not a cybermutual assistance regime as a fact there, but we can't do it alone. this goes to the staffing issues. there's the national guard component to it. a dhs component to it. new-line first component to it.
10:25 am
or in the whole of community together for response to cyberincidents is a great lesson out of ukraine. >> two things i want to put a fine point on. the cyberconvergence of growing exponentially when we start talking about the internet of things and the internet of everything from a baking security into the design of architectures becomes that much more. secure coding and the like. i might note that one of the greatest deterrence and i've been an outspoken critic that we have a fully articulated a cyberdeterrence strategy. i think we have a massive way and the victim. we played entities rather than penalize them to pay the cost of the perpetrator. that is a longer conversation. may be one of the best deterrence is the ability to not only be resilient and that has become a bit of a buzz word, but to balance that quickly.
10:26 am
that is an area you are sector in particular has some lessons we can glean from it. >> of the adversary realizes the act is not going to be as catastrophic as they wanted to be, they will go someplace else. >> you wanted to poll about earlier. i'll try to disagree a little bit. [laughter] this idea of education and awareness, we have a think it still exists, which is a little bit of a false notion that the right to eligible prevent something and we are not looking at is effectively from a pyramid. at the base are the people. the people are then given policies that educate them on what to do when technology is brought in to help assist the policies and the people, but at the core it is the people. if you look at what happened to google, we were talking to
10:27 am
somebody related to the commission. facebook doesn't get breaches because they pulled out all the systems out of the wall when they found out for the vulnerability was. how many of those operating systems exist in major organizations today? i can tell you there's still a lot for the public and private sector that still carry the operating system that is known to have that vulnerability and in different ways as we look at things. the government has proposed an opportunity for the government to play a model in the public and private sector. what tony scott has proposed that the i.t. modernization fund is this approach theoretically make a lot of sense which is take the function shared across all the agencies that are not agency specific. h.r., payroll, e-mail provisions and create a share platform that is resilient into frank's point, what you try to do is you're not able to prevent everything. the idea that actors are more
10:28 am
sophisticated is really not affect it. they are more opportunistic. it's the capability argument. if you create an infrastructure that prevents what should be prevented, blocks the low-hanging fruit, there's the basic things we can do, but understanding you will not get ahead of every attack and how do we create the infrastructure that is strong to manage what happened to get our systems up and running as quickly as possible and that is an approach in the public and private sector the works effectively. at our core is what are we doing with the people. the point made earlier is a simple vulnerability that we are not doing enough to address. one of the elements we are looking not innovation in the government as well as the private sector is how do you ensure that it is very difficult to do the wrong thing and if you
10:29 am
do the wrong thing, it is contained and it doesn't spread to a system in a way that takes it down for a long period of time. we have to be looking at all of these elements. the people, policies and technologies and how they integrate together. >> this is a good segue. i think hairston hit it spot on. people, work for us as we mentioned earlier and they need to empower the workforce since how do we translate what is now arguably the weakest link into a strength. what are you advising on what should we be thinking about? at the end of the day the talent doesn't grow on trees but there are general cybersecurity awareness capabilities that can be brought to bear. >> for us so we look at this kind of two tiers. people with resources and people are and people that don't have
10:30 am
the resources and so you talk about bit differently with the technology support. for the big folks, you know, to take a stand here, i am not a big fan of the let's throw our hands up in the air. i'm a coach and girls soccer. i don't sit there and plan on the other team scores of figure out how we come back here that's a necessary part of the game. >> young kids soccer. >> we are playing the football role. so i guess my point is for larger enterprise the way we tackle it typically from the client side is be preventative. it's not a bad word. it doesn't mean you have to plug up every cap. but the classic don't be the slowest person the bears chasing. just do enough to get beyond that. every client is yes i don't want to be the last person, but i want to make sure not the last
10:31 am
person. the bigger piece on the preventative side you talk about the threat actors. at the end of the day it's not that difficult to see what's going on. i than previous life i worked at a bright intel company. you see what's going on. their social circles where you can take a look at threat at yours and they have patterns of attack. such and such companies are showing up in odd places on blogs and so on. not logs, but the message boards and so on. now i know such and such company is for this industry is about to be attacked. let's take a look at how they typically attack folks and make sure the cub and in that particular industry or the site groups in that industry are prepared. we know john and the bad guys typically operate this way surname had showed up in the next three weeks you'll be on
10:32 am
the target list, so get ready. that's not a very difficult concept. on the people side what we do in the large enterprises or exercises. using the soccer analogy you don't show up at game time and figure out what to do. most of the folks when you run them through scenarios, the boards, the i.t. folks on the development folks who do the code and bring them together, run them through scenarios that are relevant. most don't do very well. what ends up happening is to find the gaps in fix it. that is the way you get prepared if you're talking about people, they will do what they have to do. if you practice you obviously do better at game time. on the men's side, just let the experts do it. do the minimum things you need to do but you might want to consider having someone else come in because you don't want to hire three people. >> i would highly recommend
10:33 am
entities that don't have the capability to spend a lot of time. that's a pretty tough neighborhood. he's got a house of capabilities to engage in not and i think you're spot on. you make the big mistakes in the practice field, not industry u.s.a., not game day. i think you are starting to see a pretty big trend to the financial service sector where small medium-sized banks looking to their providers to provide security in the cloud, for example. aws are you name it, microsoft, asia, you name the various means. you will see a big trend that direction were entities that don't have capabilities, resources and efforts to throw at the problem. >> the industry will tell you where things are going good as the midmarket is looking more and more because it's easier, faster, better, stronger, the
10:34 am
threat comes with how i keep tabs on kids and i'm looking with. what is happening as it is becoming an, keeping tabs on that companies providing services. you will not get the big come today is to allow you to start rummaging through in making sure security protocol is in place, but there are ways to midsize companies kit is not that expensive technologies to work with hardware should. they expressed in the commercial world without question. >> i want to make sure we have a little bit of time or audience q&a. we have about seven, 10 minutes. please identify yourself and wait for a microphone. over here. >> general, you mentioned the active defense. i'm wondering if you could describe firsters cerda defense and get other panel comments about what i decided.
10:35 am
>> yeah, thanks. first of all, back in the early 80s were carried around brick cell phones about were the coolest cat on the block, who thought back then we would be watching tv on their cell phones? who thought that you actually wanted to watch tv on your cell phone. today, everybody is doing it. the speed of technology is changing so fast. is outpacing the roll call of the dems to cyberattacks. i know you will find this hard to believe. the government is rather slow. all of our policies and processes in things we are trying to do can't keep up with that and that is where the active defense comes in and where you need a layered approach to cyberdefense. it has to be risk-management days. you have to accept some risk. as i said at the outset, can't build the power law because it takes one person on your side of the wall to do some event will take down your system and if you
10:36 am
are in the private sector, you can't afford that. we have to all be in this together. when i think of act of defense, i think of the risk-management combined with a layered approach in this notion of the public-private partnership. we in the guard bureau partner at dhs, doj and we look forward to the presidents commission. nobody has a crystal ball of looking out to the future what is the threat that this cyberthing a cell phone game in the presidents commission has an opportunity to lay a foundation and a pathway forward for us that we can go collectively together to be in this act of defense. >> you are not suggesting to people to turn off their firewalls. you are suggesting the perimeter is insufficient. please don't turn off your firewall. at the end of the day, it is
10:37 am
insufficient and i don't know what's in sight and outside the network anymore since it all kind of learning. traditional ways of thinking of building higher walls and connect had it. the question is there is a lot of policy space between hack back and build higher walls. and that is the emphasis of this study we have fun go in as well. we have time for one more question. please in the back identify yourself. quick questions. >> and john come a student at the university of pittsburgh. i have a question for eric on the left or the previous speaker was talking about how important it is to share information with the turn public here. this year about vulnerabilities like target got hacked by state hacked by think their point-of-sale technology there's a bunch of vulnerabivulnerabi
10:38 am
lities that isn't even patched anymore. how do you know when enough is enough? are you afraid of sharing too much information and creating more sick days of attack? the >> affected will don not and what impediments are there illegally offending to be able to share some of this. >> this really comes down to the sophistication capacity of the recipients. for a large enterprise, a major corporation, a large federal agency approaches we should share as much as possible as fast as possible because the recipient should have the sophistication and automated tools to use the shared information to better their own security. i would differentiate between sharing information about vulnerabilities, incidents and threat indicators. our current focus right now in the automation spaces on sharing threat indicators as quickly as
10:39 am
possible. we believe cyberthreat indicator should be a commodity. companies should compete on their portfolio. threat indicator should be published and shared across the enterprise in real-time. when an adversary uses a single tcp, the first organization that detects that in their perimeter of their firewall capture that. they put it in a shareable format. they send it to her and kick his share to the world. the adversary can only use at a single time that spot everywhere else. >> we are nothing if not optimistic. it is only the case for some organizations have a hard time differentiating the noise or they will need additional help to figure out what is most. what indicators do they use first? we building the capacity to put in reputation for confidence
10:40 am
score in double tell the recipient when they receive a cyberthreat indicator how important is this to a nationstate adversary, something we have seen used elsewhere with significant consequences and that will help organizations that don't want to just take the pipeline is indicators are dhs is used at all to actually differentiate based on our confidence is actually significant. >> can i ask one point or was it one more questioning. looking at some of the bounty initiatives in a number of companies which i think is a great marketplace. it allows for the white hat hackers and maybe some of the gray hat hackers to share information as zero day exploits and i'm not exploits before they occurred. do you see a day where the government can help drive the marketplace of the dirt or no? >> in essence, it would be
10:41 am
providing incentives or no disincentives. >> the dod has launched thereafter where they are paid bounties would dod websites. certainly there is a model here. the traditional model has been we dhs, other agencies coordinate with white hat researchers to provide vulnerabilities and we then work with the developers to bring the vulnerability to resolution. obviously, there is a significant market now for the survey and if the government wants to receive vulnerabilities along with developers, certainly there is the model with the government sets up the legal framework where this is easier, simpler and lower risk and a model as shown by dod with the government is actually a participant in a financial market for vulnerabilities, particularly in government owned and operated networks and software which is where we will see it first.
10:42 am
>> we have time for one last quick question and quick answers. >> mark peters at the mitre corporation. national guard has many years of experience with physical response supporting states and disasters. you are gaining experience in assisting cyberresponse. have you given any thought see how you might think or act differentdifferent ly in either preparation of response when you have both of those domains involved in an instant simultaneously. >> that's a great question. part of our capability, whether it is supporting a domestic response as you said or a cyberevent is the value we bring as we are right there and we were able to set conditions for the governor in advance of other federal services or capabilities that fema might bring to the table. i think our response is to think about a cyberresponse is really to set conditions for other responders to come in.
10:43 am
but it is a great area of exploration in terms of how we continue to support state governors. >> i will second that. we just met 20 minutes ago. that is the wave of the future. from our company we've got 45 to 50 employees in the national guard air force and all of them are cyberfolks they are distributed all over the country. the limitation that dhs is because of certain physical locations. national guard is everywhere. basically the way team plays out as they work with us during the week and on the weekend they are cyberworriers. they are totally prepared to support the mission in the field all over the place. a bank in muskogee, national guard representation with folks supporting the mission.
10:44 am
the national guard seems to have the right organization because of the distribution coupled with the talent pool they are to have but because a lot of these folks are in the cybercommunity and the job becomes having more fun helping someone else out. >> thank you, scott. please join me in thanking our panel. this could have gone on so much longer. thank you. [applause] we will kick it off at the next panel in a little bit. thank you. [inaudible conversations]
10:45 am
sound that -- [inaudible conversations] >> this conference continues throughout the day today at george washington university with live coverage here on c-span 2. next come a panel discussing ways to prevent terrorists from being able to travel and they look at how to best organize the department of homeland security and later more on cybersecurity. while they are on a short break, we'll take a look back it reverts earlier today by the deputy secretary of the homeland security department. [inaudible conversations] >> thank you very much. good morning, everyone. i very much appreciate the opportunity to share some
10:46 am
thoughts with you. i thought this morning i would really focus my comments on cybersecurity in particular one of our greatest priority someone of the greatest national security imperatives that we face. one year ago today, as a matter of fact, one year ago, two men wearing body armor, carrying assault rifles, handguns and our 1500 rounds of ammunition stepped out of the vehicle and started shooting at the curtis colwell center in garland, texas. they did not achieve their days. they were awarded by valiant and brave law enforcement officers who were badly or the attack. one of those officers was shot
10:47 am
in the ankle, was able to recover in a local hospital, but no one died. the curtis colwell center was targeted because they had exhibited a cartoon show with respect to the prophet mohammed in protest of the tragic assault that had occurred a month earlier in paris, france. the attack was essentially a thwarted successfully because the facts in part that the intelligence community had shared information with local law enforcement to anticipated attacks on the center. the prospect of such an event. we in this country are quite mature and evolve sharing of
10:48 am
information in the counterterrorism arena. not only within the intelligence community, the federal intelligence community, the very openly and critically with first responders through a network of fusion centers and other mechanisms we share information in this real-time as possible with state and local tribal law enforcement so that those individuals are equipped to protect the public they serve. that level of evolution and the charity does not yet exist in the realm of cybersecurity. and yet, it is no less a security imperative. in fact, there is something unique about the cybersecurity realm that it really underscores imperative the sharing of them permission is in this realm. and that is the ease and
10:49 am
accessibility of replication of an attack. when i was a federal prosecutor at the outset of my career i handled bank robberies, i heard seed bank robbers who have wanted john to another. the ability to execute their particular modus operandi and replicated one institution behind the day sought to inflict is actually quite difficult. and usually unsuccessful. here in the realm as we all know all too well, it is just a click of a in a way when one hits one institution, whether it be ran somewhere or whatever the hiram 162 inflict, one can easily get another institution in a matter of seconds if not
10:50 am
simultaneously. and that calls for the sharing of information way that is rather unprecedented in the law enforcement arena. very often an investigation, information is not shared because number one the investigation may be it in the context of a grand jury, but more important late the investigation is seeking to identify the perpetrator to achieve accountability. in the cybersecurity realm, the perpetrator may be an ocean away, maybe an accessible to law enforcement and actually apprehending the perpetrator may not necessarily be as important as ensuring the victimization is not replicated elsewhere. and the paradigm we are seeking to establish in the
10:51 am
cybersecurity from is a much more open sharing of information paradigms and otherwise exist in the traditional wars meant and security arena. what we are seeking to accomplish across the administration is to treat the cyberthreat indicator itself, this unique indicator of the perpetrator to share that, to no longer consider it a commodity for profit, but rather to share it as a public good. so if in fact one institution is harmed, we share the information as to the nation of the vulnerability and more specific the exploitation and enable others who may share that vulnerability to patch the vulnerability and protect themselves from suffering the very same harm.
10:52 am
right now we have a number of obstacles in achieving the information sharing paradigm to which we aspire. i am not worried about the obstacle of undercutting profit because we know very well in the cybersecurity by, there are many avenues. in fact, they are exploding in growth in number, any avenues of making a profit in the cyberthreat indicator, the profit makers do not need to rely upon. but rather is there a different obstacles. number one, i think there is a general sense of distrust between the technology community and government writ large. their research they are residue of distrust in the post as
10:53 am
noted -- edwards noted environment. it has been built upon her sharpened debate quite frankly in the dialog around encryption and sometimes polarizing nature of that debate. we have to work through our disagreements. we have to work through the distinct policy positions around critical and important issues and find a level of trust that allows us to protect one another and therefore collectively to protect the nation as a whole number one. number two, there is a skepticism. there is a skepticism in the private sector as to what is in it for us. will share information with the government, but what will we receive in return? will we in fact only be the subject of an investigation,
10:54 am
whether a cybersecurity protocols within our institution are adequate to protect our customers, shareholders, clients, students, patients, whatever the nature of that duty is. what we become the subject of investigation or otherwise will it just be a one-way stream of sharing of information. what we are building and the department of homeland security is a mechanism of frank the mutual benefit. our intention in receiving information from the private sector script of personally identifiable information so that we safeguard individual or institution's privacy interests. we are unique as having a statutorily created office of privacy and a statutorily created office of civil rights and civil liberties. but we will take that information and we will
10:55 am
disseminate it. we will disseminate in real time, not only across the government, but frankly throughout the private sector. two of the information sharing and analysis organization that the president created in his november 2014 executive order. the idea is if one institution shares with us information, that other institutions may not be privy to, we will publish that information in a forum that is useful from a cybersecurity perspective and not imposing from a privacy do throughout the participating private-sector entities, so they can understand what the harm suffered was, how was achieved and protect themselves from suffering the very same harm.
10:56 am
the sharing of information in the counterterrorism space took time. it took time for the government to develop the mechanisms of sharing and to develop the muscle memory, too overcome to some extent provincialism that existed stove piping. but we are in a place now that is far, far stronger and far, far better than the way we were in 2001. we do not have the luxury of time in the cybersecurity arena to develop institutional mechanisms, to develop a culture of information sharing and build the muscle memory that we now enjoy in a counterterrorism space. the cybersecurity realm as we all know is fast evolving. it is exploding.
10:57 am
the head of israel's national cyberbureau described the cyberspace is the third revolution. it was the agriculture revolution, the industrial revolution and now there is the cyberrevolution. there are more devices connected to the internet than there are people on the planet and pigs are moving fast and we need to move fast as well. not only as a government, we need to be far, far better in our ability to innovate and we are currently and we are making strides in that regard, but we have to be better as a community. by that i mean as a public by that community together adelaide the threat of cybersecurity. we believe in the department of homeland security that we are uniquely situated to be the point of spirit building that community. that community of sharing of
10:58 am
information and a cohesive response to attacks that can have one or all of us together. we have been the beneficiary of critical legislation this past year, but of course the share of information, liability protection. we are a civilian agency, civilian department with law-enforcement departments. we are civilian and nature and as i have alluded to earlier, we have unique attractions that are for the interest of the dissemination of information on the privacy and civil rights of civil liberties arena. we are working within the administration to publish critical documents to guide private sector in the sharing of information. we look forward to rolling those out in the near future. we are enhancing our effort not just domestically, but certainly
10:59 am
internationally. our office of science and technology just entered into an agreement in principle with the government of south korea. our office of science and technology has just sent her to to an agreement with government of israel, so full funding for research and development and the cybersecurity realm. this is a matter where the community is not only a public private partnership domestically, but a public private partnership around the world. i returned from berlin and the united kingdom where he participated in the biannual dialogue with our key partners in the national security. >> if you can please take your seats will start the next panel.
11:00 am
[inaudible conversations] >> the conference getting back under way at george washington university. the coming panelists talking about ways to prevent terrorists from being able to travel. later on, a look at how to organize the department of homeland security. >> following the practice on the last panel, then briefly discuss the goals of the panel. to my immediate right, scott boyland, senior vice president for more footrest u.s.a. ..
11:01 am
>> a key element of their efforts in terms, in pursuit of carrying out attacks. you know, we will have a moderated discussion so i will jump right in and put the first question to set. if you look at the current terrorism threat that we have ices, very diffuse threat --
11:02 am
isis with al-qaeda, a variety of other groups. it's very different from the threat that existed when many of the u.s. government programs to prevent and disrupt terrorist travel were created 15 years ago, 10 years ago. so you very strong robust cases have been built up to detect individuals tried to fly, trying to cross borders, trying to exploit refugee and asylum systems. i think the key question for the panel which we will get to now but future questions, how agile and adaptive business system to the threat we face today? i guess turning to you first come if you want to provide some context on where we are today, how would you assess the threat cannot impact the work that dhs and other agencies within the federal government, your partners, are doing on the set of issues. >> sure. first off thank you for having me on the panel. it's terrific to be here at gw and to talk about these important issues.
11:03 am
certainly the threat is evolving and it is a complex challenge. i think the world we are facing now is certainly more complex and the terrorist travel into the world we were facing 15 years ago after 9/11. i think the remedies and sort of our strategies i think our sound and since i think a key part of the strategy i think a no one important piece of this is information and intelligence. you can say all you want about wall street things like that but fundamentally the most important piece of a strategy with regard to terrorism and terrorist travel is information. it's intelligence and its of the analytics among the organizations like the national targeting center, within department of homeland security and others of similar analytic
11:04 am
tip of those around the world. so that's number one. number two is sharing that information and bringing that information to the point of the end of us. with operators that need to make the decisions one way or the other as to whether to allow somebody to move through the travel system. the third key piece is partnerships. that united states can't do this alone and we shouldn't do this alone because this is a threat to all of us. we work very closely with partners around the world including one of our closest partners, france, to address the threat and also importantly the private sector such as we were close with the airlines, post with the express consignment history, a number of other entities to pull together and make sure all the information synthesized together in a way to address the threat. >> fundamentally i think that strategy, the key elements are
11:05 am
sound and where to make incredible progress along the way to address that. >> and in terms of current law and policy, you have two directives that were put in place under the bush administration that are still some of the foundational directives by the president on these decisions. are though still relevant, still current for the threat that we face and for the programs and capabilities that exist on these issues? >> i think they fundamentally are. hspd-6 i'll spend all a bit of time on. the over arching focus of that is the creation of a structure into united states at least for the terrorist watch list. you have to think about the issue of terrorist travel not just sort of solely focus on
11:06 am
issue of terrorist travel it's a. you have to think about in the context of the bounces we all have to draw between security but also privacy, so let us come economic competitiveness, humanitarian protection from all these other issues. the standard site for putting people on a watchlist of articulate and hspd 36, whether someone is a known or suspected terrorist. that's a racial suspicion that is trying to balance between the consequences between if someone is put on the list and our security. i think hspd-6 draws that right balance. we would think of hspd-6 there's a concept called hspd-6 ravenswood chart agreements with our foreign partners to share information on terrorist identities and are sort of peril senator byrd was called preventing and combating serious crime agreements of the launching of criminal history information with our partners. is a key part of the architecture of international
11:07 am
efforts against the movement of terrorists and other criminals through this travel system. >> france is one of the american strong as allies in fighting terrorism has been suffer the consequences of isis and don't try to directed terrorism within the last year and we were honored to host your interior minister earlier this year for a talk on these sets of issues, i can to provide a bit of perspective on france's perspective on the issue of preventing terrorist travel, both in the context of the u.s., french u.s.-european relationship and also look at it from an intra-european issue, particularly in light of some of the migration challenges that you have right now coming from iraq and syria come and tear is trying to exploit the refugee flow to get to western europe? >> yes, thank you very much. actually you pointed out to equation.
11:08 am
the first one on the tool for job, equally, to the need to be modernized and changed. and the second one more european focus. it's a fact that -- between immigration and terrorism needs and acquired a very strong answer from our european communities. it's not come it's not by chance we found syrian passport on terrorist attacks. there was maybe a way to underline this threat. so but to answer your first question very, very directly, actually france is trying to enforce most of the measures in
11:09 am
europe, most of the measures in terms of combating and controlling international travelers. actually we have had agreement that has been ratified just this year. we are sharing information a lot under diversity of agreements, even without agreements. for example, france has been very pushy to have on european level these of systematic chec checks, both foreign people and european people at the entrance come in and out of its own. this is something is already been done in the u.s. for years and that's something we're

3 Views

info Stream Only

Uploaded by TV Archive on