tv   Key Capitol Hill Hearings  CSPAN  October 30, 2015 11:00pm-12:01am EDT

11:00 pm
so i think it's something that has fed on itself in a very kind of positive way. and i think, again, the, the sight, the tableau which was stunning to people seeing the president and president xi standing up really got this off to a good foot. >> thank you for that answer, and mr. stern, you've overseen this process since 2009. could you contrast the current scale of the pre-cop pledges to previous meetings. in particular, how does the number and scale of pre-paris pledges, my understanding 150 so far, compare with the level of effort in past agreements. so look, looking past and present. >> right, well, if you look back at copenhagen, there really weren't any pledges that were made before copenhagen because
11:01 pm
we hadn't set forth and secured agreement for this kind of structure then. you did have a number of countries, but a quite small number of countries who had essentially put out press releases saying this is what we're planning to do, but i think you could have counted those on one hand. that was not a large number of countries who did that, so it's a completely different, it's a completely different ball game now. and it started with the durban mandate for this negotiation. which we were instrumental in developing at the end of 2011, where the whole theory of the agreement was that it was going to be applicable to all. it was going to be the not-kyoto. it was going to be everybody. that was the huge, that was the starting point. and then we, as i said, we've worked through these different structural features along the
11:02 pm
way. and so forth. and the impact of the china announcement was significant. >> the 1997 byrd/hagel resolution asserted that the united states should not join an international climate agreement that a, only imposes obligations on developed countries, and b, would result in serious harm to the economy of the united states. how would you square the current dialog with those requirements? >> well, i think we've met the byrd/hagel requirements, frankly, this was, i, people have referenced how i learned the lessons from kyoto. it helps when you're actually there. i was in kyoto. i learned those lessons. but i remember a famous ad of scissors taking a map of the world and cutting out all the developing countries. this was in 1997 with regard to kyoto, cutting out all the developing countries because they weren't going to have any obligations, so, and that was exactly what the byrd/hagel,
11:03 pm
that first element of the byrd/hagel resolution was talking about. so we have just exactly the opposite now. we have 152 indcs, 110-plus developing countries, so it's a completely different ball game, including all the big ones. with respect to the economy, the fact -- two things, the fact that this is nationally determined means that something is not getting imposed on us or anybody else. so it's not the case that we should be in a posture, and we're not in a posture where what we're talking about would hurt the u.s. economy, and then there has also been all sorts of detailed, voluminous analysis done with respect to the core elements of our target. the clean power plan be the most recent one and the analysis that epa did shows significant costs to be sure, but netted out against the benefits i think epa's estimate was somewhere in the $26 billion to $45 billion
11:04 pm
estimate. so this is not going to hurt our economy, and it is going to include all other countries. >> thank you. >> thank you, senator markey? >> thank you, mr. chairman, very much. so i think it's important for us to make clear that we've begun to break this link between increase in gross domestic product and a reduction in greenhouse gases. so, in massachusetts, we have reduced our greenhouse gases by 40% since 1990. and our gross domestic product has gone up by 70%. so it wasn't inconsistent. our unemployment rate right now is 4.5%. in fact, one of the things that has happened in massachusetts is that having set ourselves out on this course, we now have 100,000 people in massachusetts employed in the clean energy sector.
11:05 pm
it's now one of the top ten employers of the state. so this disconnect between increasing gross domestic product and reduction in greenhouse gases is accelerating in massachusetts, and it's happening across the planet as well. in 2014, for the first time ever, the world experienced global economic growth without a global carbon pollution increase, according to the international energy agency. so business will be critical to extending and building on that achievement, so what's the signal that you want to send to businesses across the planet coming out of paris, mr. stern? >> your point, senator, is exactly right. that's the iron link that had to be broken, and it's starting to be broken. hundred to have economic growth
11:06 pm
up and emissions down. that's name of the game. and i think the signal is, again, long-term, we're moving long-term in a direction to grapple with and successfully tackle climate change. and it's a start. it's not a finish, but if you have all countries of the world on board to do this, the leaders of the country of the world committing to do that, then, again, you send a signal that this is the long-term trajectory and businesses should get essentially on the right side of history. not just to be on the right side of history but to be on the right side of their balance sheet. >> so, going back to 2009, when the waxman/markey bill was passed through the house of representatives and died here in the senate, but for a while there, people thought my first name was waxman, as part of the waxman/markey bill, but it was going to reduce greenhouse gases by 80% by 2050 and 70% by 2020.
11:07 pm
those were the goals. and it was a radical group of people who signed onto it. i mean, a completely radical group. general electric. general motors. chrysler. ford. the edison electric institute endorsed the bill. the nuclear energy institute endorsed the bill. company after company, all across the country, endorsed the bill. when you have the big three auto manufacturers and the edison electric institute endorsing a bill to reduce greenhouse gases by 80% by 2050, you're no longer in the radical extreme. it's those who oppose it who are in the radical extreme. you have the world's scientists all saying that there is a great danger. and john holdren is now saying
11:08 pm
that there is a destabilization in the west antarctic icecap. and there's 1,000 miles long and 300 miles wide, and pretty much two empire state buildings high. that that would add another 7 feet to the sea levels of our planet. so the radicals are those who say don't worry. but you can't get a more conservative group than intel and dupont and dow and pepsi cola, that was 2009. the number of companies that has signed on has now doubled since then. because the science is even more
11:09 pm
clear, and they know they have a fiduciary responsibility. can you tell us a little bit about chinese business men, is that your experience now, that that's been embraced across the business community as an epic that they believe that they can achieve simultaneously? >> i think that that's right, senator. the, so we have this group of 81 companies that have signed onto the pledge that we put forth. the french are also putting forth a pledge internationally for countries to sign on. i don't know what the numbers are yet, if they have the totals that they've calculated yet, but i think you're going to see a broad business support all over the world for the same kinds of things that you're seeing here. >> can i say, can i just add
11:10 pm
this as well? this is triggering a big technological revolution. in 1993 in the united states, if you had a cell phone, it was the size of a brick. it cost 50 cents a minute. and gordon gecko had one in wall street. that was it. but in 1993, i was the chairman of telecommunications. i moved over 200 megahertz a spectrum. by the year 1996, everyone had this flip phone in their pocket. it was under 10 cents a minute. you didn't have one in 1993. you had one in 1996. and then a really smart guy came up with a smartphone, built seven or eight years later, because we had begun the innovation, a computer in a pocket. but first you had to begin this revolution. and that's where we are now in
11:11 pm
the energy sector. when you go from 70 megawatts of solar in 2005 to 7,000 megawatts being installed in 2014, 20,000 megawatts installed in 2015 and '16 combined, another 20,000 megawatts of wind being installed in 2014, 2015, and 2016, the revolution just accelerates. and by the way, when we developed the technologies, you wind up with 600 million people in africa today with these devices in their pockets. they didn't have any of them ten years ago. we innovated. we led, we showed that we could put in place the business incentives to move this technology in a way that could solve a problem, and we're going to wind up with villages in africa that have solar panels on their roofs so that they can plug in their wireless smartphones, and that will have been a made-in-the-usa as our
11:12 pm
promise to the rest of the world that we would be the leader. and of all of us, you are the leader, mr. stern, we thank you so much. >> mr. stern, we appreciate you being here today. i just want to point out it was the ranking member of the full committee who blocked the effort to hold the joint hearing, despite a long-standing precedent of joint hearings with epw and the senate foreign relations committee. i think it would have been productive and nice to have them all. and i have a list of times when we were able to do that. i did have one final question, and it has to do with references to a treaty. during senate deliberations on the u.n. framework on climate change in 1992, because we talked about previous activities. george herbert walker bush in his administration, officials testified that in the view of the administration, the degree of congressional involvement in u.s. adoption of any future
11:13 pm
protocols to the u.n. framework convention in climate change would depend on the nature of those agreements, and the administration also declared that any future agreement containing specific greenhouse gas emission targets likely would need to take the form of a treaty and be submitted to the senate for advice and consent to ratification, and i can give you everything that was stated. but, looking at that, does the administration intend to respect the commitment made by the executive branch in 1992? i know a different administration, to submit any future protocols negotiated under this u.n. framework convention on climate change that contains emission targets and timetables to the senate for advice and consent? >> thank you, mr. chairman. we've looked at that very carefully. and the notion of of targets and
11:14 pm
timetables as that term was used in 1992, that was understood by everybody on both sides of the aisle, by everybody in the international community as being legally binding targets and timetables. that was the nature of what that phrase meant. and that was not included for precisely that reason in the framework convention. so, if we, if we were to go forward with legally-binding targets and timetables, i think that the answer would be yes, we agree with you. if what we do is non-legally binding targets, i think that we see, i think we read that differently, because we do not believe, based on, based on a good deal of study and consultation with people who were part of those negotiations that that was what was meant. what was meant was legally-binding targets and timetables.
11:15 pm
>> thank you. the hearing's concluded. i'm going to leave the record open until the close of business october 23rd for any member to submit additional comments or questions. i appreciate you being here. the hearing is adjourned. >> thank you, mr. chairman. texas congressman kevin brady wants to be the next chair
11:16 pm
of the ways and means committee now that the former chair, has been elected as speaker of the house. he joins us to talk about new republican leadership sunday at 10:00 and 6:00 eastern. and the two-year budget deal passed by congress this week increases spending by $80 billion, equally divided between domestic and military programs, and it extends the debt ceiling until march 2017, two months after president obama leaves office. you can read the bill on our website, all persons having business before the honorable, the supreme court of the united states are admonished to draw near and give their attention. >> this week on c-span's land mark cases we'll discuss the historic supreme court case of
11:17 pm
schenck versus the united states. in 1917. >> the united states entered world war i. patriotism was high. and some statements against the government were a federal offense. of schenck handed out leaflets against the draft. >> this was the flier that was produced in 1917. 15,000 copies of this were produced. and the point was to encourage men who were liable for the draft not to register. the language in this flyer is particularly fiery. it equates conscription with slavery and calls on every citizen of the united states to resist the conscription laws. >> he was arrested, tried and found guilty under the espionage act. he appealed, and the case went directly to the supreme court. find out how the court ruled, weighing the issues of clear and present danger and freedom of speech. our guests include thomas
11:18 pm
goldstein, co-founder of scotus blog. and beverly gage. that's coming up live monday at 9:00 eastern on c-span, c-span 3 and c-span radio. for background on each case while you watch, order your copy of the "landmark cases" book. the pentagon's chief information officer sat down with reporters earlier this week at a breakfast hosted by the christian science monitor. much of it focussed on the military. okay, i think we're set. thanks for coming, everyone, i'm dave cook from the monitor. our guest today is terry halvorsen for the defense department. he oversees the role of the
11:19 pm
largest computer network. he is accompanied by larry bailey whose role is deputy chief officer for the defense department. he holds a master's in educational technology from the university of west florida. he served as an army intelligence officer and later as a civilian. he was deputy commander of navy cyber forces and then became the navy's chief information officer. he's been in his current role as pentagon's chief information officer since this last march. ms. bailey has a bachelor of science degree from the university of maryland and a master's from the industrial college of the armed forces. she's been a member of the national security work force since 1984. thus ends the biographical portion of the program, now on to the riveting mechanical details. first, thanks to our underwriter, northrop grumman.
11:20 pm
we are live and on the record here. no live blogging or tweeting. in short, no filing of any kind as the breakfast is under way to give us time to actually listen to what our guests say. there is no embargo when the session ends at 10:00 sharp. to help you curb that relentless selfie urge, we will e-mail several pictures of the session to all the reporters here as soon as the breakfast ends. as regular attendees know, if you would like to ask a question, please do the traditional thing and send me a subtle, non-threatening signal and i'll happily call on one and all. we're going to start with our guests to have the opportunity of opening comments and we'll head around the table. with that, your breakfast is over. sorry about that, sir. thanks for coming. thank you. i'd like to thank all of you for taking time. i looked at the list, a pretty big list, i figured breakfast must be pretty good. that's why everybody is here. as the introduction mentioned,
11:21 pm
d.o.d. is the largest private network. i think it gets to our scale. if d.o.d. was a fortune 500 company, we would be fortune 0. everybody starts with us. in terms of how you want to measure it, forms of cash, defense. we are very, very large. we are also attacked more than anything else. one of the reasons i brought mary ann with me today, mary ann is my deputy for cyber security, and i thought maybe there might be some interest in cyber security questions given some things that are going on in the world today. i'm going to focus my opening comments very quickly on three components, that while they are focused around cybersecurity actually apply more broadly than that. i get a question all the time, what keeps me awake, and i think most people expect me to answer it's security or it's dollars.
11:22 pm
it's neither of those things, it's culture. we're in the midst of having to make some major culture changes, and i want to say d.o.d., but i think we'll have to make some culture changes. one of the things we have to do in d.o.d. is establish a culture of cyber discipline. when the internet started -- and we should take a minute and say happy birthday to the internet. the internet's birthday is today. it was the first arpanet connection across today, and i would mention it was a d.o.d. arpanet connection when it first started, it was a research connection built to share information. it continued that way and people got to be that it was a trusted area, and frankly, it wasn't until it more matured that we started to see a series of bad actors on the internet, but they are out there today.
11:23 pm
but they're not visible like they are in the physical world. so i think it's easy for people to forget that there are bad actors out there. it's certainly easy for parts of our work force to do that, so we are really trying right now to make sure that people understand you got to go to the internet. it is an important part of our business and important part of our culture, but you have to go there with the right rules and right understandings, so you will see a lot of information on that. we have just signed out our plan. the chairman and secretary signed out the cyber culture work piece that talks about what we're trying to do. it talks about leadership accountability and transparency. because we face so many different threats, there is just different answers. the other part we have to do is move to the right side of cyber economics which is another cultural change because it means you have to understand economics much better in cyber than i
11:24 pm
think you do in other areas. as a military area, cyber is one of the first big warfare areas where frankly in phase zero and phase one, we have to worry about non-military targets being attacked, and they can be attacked in areas that don't look like they would be attacked. because we get much more advantage from the way we use cyber and high technology, it's of course going to make us somewhat vulnerable to those types of attacks, and you want to think about some of the things that could cause us issues in a cyber world. just look at what would happen if someone disrupted wall street for the day and we're now talking about a trillion dollars. a trillion dollars becomes strategic money. you could interrupt potentially the power grid. there are lots of things that you could do that would cause us great economic differences. the other problem we have today in this area is that it is much less expensive for someone to attack us than it is for us to
11:25 pm
defend, and we've got to turn that around. today we are really on the wrong side of that piece. part of moving to the right side is we need to operate our security as much we can. to go past automation, we want to get to economist tools that actually self-learn and can start taking actions on a network either to stop-quarantine the attack so it doesn't get lateral movement. and maybe the biggest thing we have to do in d.o.d. is develop an enterprise culture. cyber is forcing us to think differently about that. unlike other areas, cyber truly is enterprise because it's connected. you can't help it. it's going to be a connected piece. and we have to get much better at that at d.o.d. we need to think about what it means to be an enterprise, where we're going to act as an enterprise, under what circumstances we need to act as an enterprise.
11:26 pm
that gets us to security and cost effectiveness. without that balance we won't achieve cost effectiveness in security. it means we have to look at economic tools much closer than we have in the past. it also means we need to partner with industry, and i mean truly partner. i'm a history major. i actually in college couldn't decide what to do so i majored in pre-med, pre-law and economic science and ended up with a multitude of degrees. if you look at world war ii, we had a much different relationship with industry in the second world war. we need to take a look at how we reestablish some of that. it was not uncommon for industry and the sector to move back and forth with employment, to have industry partners working right inside the projects. i think we have to start thinking about how we have to do that. that's particularly true in cyber i.t. because we do not own the market space.
11:27 pm
we're a big influence there, but we don't own it. if you're buying a submarine, we kind of own the market space. if you're buying an aircraft carrier, we kind of own the market space. if you're buying software in technology, we don't own it. in the commercial world, they're actually doing more innovation in that area than we are, so it's really critical that we partner with that. we're doing a couple things to expand that. some of you have reported on this and know we're doing it. for the first time we're putting civilians out into companies. we had done that with military but we're now putting civilians out in six-month tours with i.t. companies, and we're bringing i.t. company personnel into d.o.d. we've done that with cisco. this year we're going to do it with about 10 companies and they will be either on the d.o.d., my staff, or they'll be on the service cio staff. and they'll be in areas we think we need to expand on, and how do you do software design
11:28 pm
networking, that's an area we think we need expertise in, automated security, we already talked about that. so we'll pick areas that we need that match up with the companies. we'll certainly make sure we have all the right nda so nobody gets any advantage and we've done that in the past. but i think that's things we're going to have to do to make sure that we continue to have the edges that we gain through our use of the cyber and technology. and they will also help us get to an enterprise thought process. i also think we'll help industry through enterprise. i think one of the things we'll see in industry, there's going to have to be more partnering in the i.t. business. there is nobody who corners all of this. it's going to take much more partnering, i think, among the industry players for this to work. i really think that's going to have to be a major change in the way industry does business, too. i think you'll see more smaller companies partnering with mid and bigger companies so they can scale.
11:29 pm
that's a problem for us in d.o.d. one of the constant issues that i'll face is i'll have one person say, we have this great tool and we tested it for a million. so i request know -- can know that that will scale. that's hard for smaller companies. i do think partnering with bigger companies is the way that's going to have to head to keep pricing and delivery speed in the industry. thank you, and i'm happy to take questions. >> i have one or two and then we'll go to olivia stromm, mark thompson, and sharon sorcher to begin. let me ask you about the cyber economic curve. you talked about the fact that an enemy, in another speech you talked about the fact that an enemy can spend, quote, a fairly small sum of money and cause us to spend quite a bit. right now we're on the wrong side of that cyber economic curve, end quote. how are you going to change -- can you change that curve, and
11:30 pm
if so, how are you doing that? >> one of the things we're doing with our cyber culture and our cyber basics is you raise the playing level. when you get your cyber basics right and you've got people doing the right things, frankly you eliminate all of the small end players. and that's one of the things we have to do. the other piece of that will be bringing on the economist tools so that what we are doing is we're doing that with an automated piece, not with intensive manpower. manpower would cost money. so i think as we get there, you will see that it will get more expensive to cause us problems. and so i do think we can get to the right side of that curve. >> and is that, in terms of time horizon, is that a 3, 5 or -- >> i think that's an 18 to 24-month plan to get us there. we might not be exactly where we want to be, but i think we'll be very close and we will have
11:31 pm
eliminated much of the -- what i'll call the canned attacks that are somewhat successful today that you can download from the internet. >> one last from me and then we'll move on. i was interested getting ready for this that you're operating what appears to somebody who doesn't know a lot to be diverse ends of security spectrum. you talked in public speeches about rolling out at the pentagon, quote, secure enough mobile devices, and then the industry was fascinated when you mentioned, i guess earlier this month, working on a top secret capable device that would let forces communicate anywhere any time at a top secret level. so what are the challenges of operating two different ends of the security spectrum? >> i don't think the challenges are much different. you've got to get the right security level for the mission and the time and the cost. so, you know, you want the ts
11:32 pm
capability obviously would be for a small number of users in a very select set of missions. the more mobile device that's for everybody, obviously the scale of that is bigger, but the analysis you do to decide what's the right level of security, what's the right cost you want to spend is really not much different in terms of process for the high end of security or the low end of security. it really is getting -- and secure enough actually applies to everything. this is a little bit of a joke, but everybody tells me, i can secure the network today, i really can. i can secure it completely in the next five minutes. now, it would be completely shut down and we would get no work done, but it would be completely secure. this is a balance. it always is a balance and it's a balance across time, money, mission, threat, and it's getting that right. the other thing, i think, that we have to do that's part of that is understanding your data. most of the data that we have --
11:33 pm
and i joke about this, but i'm really thinking hard about it -- i think data ought to come with -- you know how the milk carton comes with "use by"? they ought to come with a stamp that says, "after this date, who cares?" it's perishable. i tell a story back in my younger career where i was part of an operation where we used to have these squad radios so i could yell, "mary ann, duck." mary ann could get that quickly and she could duck. we did this thing where people decided they had to be encrypted, and i will tell you everything you can believe. this is a truism. if a threat can put small arms fire onto you, they know where you are. that's a given. so we encrypted this so by the time you yelled "duck" when it went through the encryption, you no longer had to worry about duck. it was a different problem. you have to be secure enough for the environment. if the enemy knows where you are and they can put small arms
11:34 pm
fire on you, maybe that doesn't need to be encrypted. and we don't encrypt that now, we have better ways of doing it, but back then that was a problem. so knowing what your data's perishability is is a problem. >> go for it. >> terry, can you talk a little bit about the cyber implementation plan the chairman just talked about? you mentioned some of the pieces and parts of it. >> first of all, we go after the basics. the basics include things like, you know, higher education levels and more tools around some of the common attacks like spear phishing, setting up fake web sites, things like that. it's a combination of tools, culture and training and education. that's kind of step 1. step 2 raises it to the next level where we really start looking at more advanced attacks
11:35 pm
and how do we prevent those. and it's the same type of combination of training, education and tools, but they're just more advanced, you have to have more education, more training. and it's really also educating leaders at every level what their responsibilities are and what they need to know. when you're growing up as -- and i actually started as an infantry officer. they teach you very quickly what things when you go out to your units that you should ask that can tell you rather quickly if the unit is prepared. we have to do the same thing in cyber. what questions should we be asking about cyber as a commander at any level? we've also developed in conjunction with all of this a cyber scorecard that measures a series of things and will change. as we get good at certain basics, we'll move that up. we just had about an hour and a half discussion with sec def on that. i laid out for him the change and the progression of that.
11:36 pm
we will measure that consistently across all levels and across all forces. it includes co-coms, each of the agencies, each of the services. everybody gets to be measured. it's an interesting drill because i think it's an area where we were used to measuring readiness and other areas, we frankly weren't doing that cyber. again, i don't think that should surprise anybody. cyber is a relatively new warfare. if you look at the history of aviation, you look at the history of how we develop nuclear, it took us a while to get to this point. i think the big difference in cyber, though, that we're having to react to is it moves faster than any other warfare area. that's a challenge. the things we do today in cyber probably won't be the same things we do tomorrow. that's frustrating on industry, too, and i'll share that. we did our latest cloud documentation working with industry. we brought industry in, we helped them write the policy
11:37 pm
priorities. one thing they wanted to do was put in, this will be good for a year, this will be good for two years. the answer is no. it will be good as long as the threat and technology says it's good. when that changes in cyber, you've got to build a role fast. it's hard for any big institution to grasp at that. it's hard for industry to do that. it's accelerated change and we're generally not good at accelerated change as humans, period. >> i thank you for coming. roughly how often per hour, per day, pick whatever time you want, are systems tested by foreign hackers? have you seen a shift in their targets since the -- >> there is no time i'm not being attacked somewhere in the world. >> have they changed since the attack? >> i don't think they're less.
11:38 pm
we might find a change of data disruption. >> but not things like food distribution versus missiles, anything like that? >> to the extent i can comment on that, no. >> and you mentioned establishing a culture of cyber discipline. i have some active duty friends who have posted things on facebook they probably shouldn't and things like that. a cyber boot camp, is that something you're looking to establish for people? >> i don't think we'll be doing a cyber boot camp. this is cyber so it will probably be done in the cyber environment. but i think some of the things we're doing would be like the basics you would get in another boot camp, only we're delivering them through a cyber means. >> chris stromm from bloomberg. >> a russian hacker got into b&b's network. can you elaborate a little bit, when did that happen?
11:39 pm
do they actually steal any information? >> the answer to your question is no, i can't elaborate on that. >> ian clapper has said that russian hackers are the most sophisticated hackers, or they've been the most aggressive lately. what's your assessment of the threat of russian hackers versus the threat of hackers from other nations. >> given that ian said it, it's probably true. >> what is your vision of hackers? >> i think the russian hackers are a threat. >> we're going to go to mark thompson from "time." >> last month before this committee, you were asked, what keeps you up at night, and you said foremost in your mind was the fact that terrorists might be launching offensive cyber attacks. >> i don't think i said that, i think mike rogers said that, but that's okay. >> i've got the transcript right here, sir. i think it was you. >> i don't think so, but go ahead. >> then that makes that moot. leon panetta was in our offices a few years ago and he warned of
11:40 pm
an electronic pearl harbor. clapper said, there's probably not going to be a seeker armageddon. rather, it's going to be this sort of gradual incrementalism of problems and troubles. is this going to be a persistent thing, it's going to basically become white noise? we've been hearing about an electronic pearl harbor for a long time and industry plainly keeps waiting for it to happen before they're going to roll out a lot of big money. where is the threat? how much is a cyber pearl harbor and how much of it is just a persistent white noise we have to learn to grapple with? >> i don't know that anybody can answer that. i would tell you two things. industry certainly is shifting money now, big money, into cybersecurity. a lot of that happened after the target attack that will tend to get you spurred when the cio, ceo all got fired.
11:41 pm
we see that. we talk to industry a lot. i'll tell you when i knew cybersecurity was getting really important to industry. i was giving a speech and after a speech i was getting questions from these two gentlemen. lots of good questions and i said, where are you from? they said coors miller. i'm trying to think, coors mill financial -- no, it was coors miller beer. i think the industry is getting this. the financial sector certainly got it a while back. is there a potential for a cyber pearl harbor? probably. i think it will depend on what scale of engagement. in kind of the normal phase 0, yeah, i think there will be persistent cyber probing, there will be persistent testing of cyber threat technology. i think that is something we're going to live with. i don't think, again, that should surprise us. any time we've had new technology, that's what happens. it gets probed. as it matures, it certainly
11:42 pm
becomes more available for threat to look at it. i think that's going to continue in the cyber world. and it will depend on a little bit on how much nations decide they want to cooperate, too, and i don't think there is any answer that's come in on that yet. we certainly hope it will get to some of that, but i don't think we will see that -- i don't think we're going to see quite the cyber cooperation we think for a while longer yet. >> here's your quote about it, offensive cyber attacks. >> i see it's an extract from the transcript. i really don't remember that. i thought mike rogers was terrorism, but we'll check. >> i have been known to make mistakes. >> hey, shawn. >> in terms of j and e, there was a report earlier this week by the "new york times" that
11:43 pm
russian vessels may be probing underwater cable links, and i'm wondering what role jie can have in warding that off if you've gone through those scenarios and if you think you're prepared to handle that threat. >> shawn, be really careful. cables are always a concern. jie really won't have any impact on that one way or the other. they're looking at the physical part of the cable. no way jie plays in that. >> so how are you prepared to defend against the physical part? >> that i'm not going to talk about. that gets into a whole bunch of classified programs on how we protect the cables. >> sara sorcher from pesco. >> mike rogers said earlier this year that the government's focus on defense isn't working and it's time to consider boosting the military's offensive capability in this space.
11:44 pm
curious as y cio for your opinion. what do you think if you're feeling this need pretty consistently, and as the u.s. considers it, what does that look like? >> i think that's probably a question to ask mike rogers. i'll give you my quick summary on it. as the cio, i am responsible for the defense and security side of that. i don't think it's a secret we are looking at what offensive actions could the u.s. take. i think there is always things we're considering. we don't, however, discuss that in public other than we're considering those things. >> so do you also feel a need to move into that space and go -- expand the definition of defense? >> i think what we're telling you is we're probably already in that space, and how much of that -- i think this is more of the question. how much do you publicize of that so it becomes more of an external awareness that would be in some way a deterrent. again, that's an area that we tend not to talk too much about in public. >> down at the end of the table,
11:45 pm
mr. marks from politico. >> you talked a little bit about the program you're working on -- the embed program you're working on in private companies. can you go into more detail on who those people are, and i imagine there are people who work from the d.o.d. to industry who already have clearances and so forth. is that the type of people you're looking for? >> we don't actually have the number of people you would think move from industry into d.o.d. and there's a really good reason for that. if you do that, you're generally taking a fairly significant salary cut. what we're looking at is some of our top government performers who have predominantly been government going out to industry and learning a couple things. there are certainly some technical things we want to learn. we also want to learn how the industry is doing their processes. that's important for us, and one of the things that in the office we spend more time than they have in the past, is
11:46 pm
understanding what businesses, what do they understand our economic drivers are, understanding what they're investing in in the future to see if we can influence that. so they'll be doing all of those things until areas that we really think that we need to get some better read on. we've talked about some of those. some of that is -- it's called software-defined networking, software-defined route, whatever you want to call it. it's a software-based tool. that has a big advantage for us. it lets you be more agile. you don't have to replace the hardware as much if you can update it with the software. it's also cost-effective for us to do that. we're looking 13 to 15 grade levels so that they've got a good track record of high performance inside the government. >> we're going -- the two-year programs you talk about we're going from industry to government. >> it's a one-year program that they come in to us. we're looking at industry to
11:47 pm
help us solve some specific areas. so in the case of cisco, they gave us a routing specialist. that's what they do, cisco routers. as we look at other companies, we'll bring in kind of what their sweet spot is and things. certainly this year we're looking for some software-defined pick your name expertise. modular data center technology. i do think that's going to be bigger as you look at it. we are certainly continuing our effort to close data centers. we have too much capacity. but as you do that, you start looking at the -- modular data centers can run at higher temperatures, they run with lower manpower and less power. it is true the number one cost in a center is labor. right now in d.o.d., our labor costs are higher than industry. i've got to get those labor costs down, and some of that is applying newer technology, and
11:48 pm
this industry has been able to apply it faster than we have. >> can you explain for a novice why your labor costs would be higher -- you're saying if you move from private industry to d.o.d. you typically take a pay cut. so the reason you're generally higher -- >> because our data centers are not at the same level technology as industry, the really leading industry, we just -- we just have a sheer number of people hired. it really is count the numbers. it takes us, in general, more people to do the same number of things that industry can do less. industry is really leading. you've got data centers now in some of the really advanced companies that are lights out. even five years ago in industry, what used to take 25, 30 people to do, they're now doing 10 people in a central location managing three of those sites. we've got to get to that same type of level.
11:49 pm
>> so, you know, your discussion about partnering with the private industry, and you touched a little bit on the issue of labor costs. this has been a longstanding problem with local government as well as state as well as federal, trying to get private industry to come back to government and avoid that sort of brain drain of government folks, really good government folks, usually, heading out to private industry. aside from trying to get labor costs down, what other ideas do you guys have about ensuring the people that, you know, it's not a one-way street. >> one of the things, and probably the single best recruiting tool we have is our mission site. we are able to keep people, and frankly attract some people from industry, because the one thing you get to do in d.o.d., there is nobody who has more exciting things to work on. that's our biggest advantage. that will work for a while. but i tell you what i worry about is when you get into kind
11:50 pm
of your middle years in this, that's when you're having kids, you're looking at college, and people come and offer you what can be two or three times what your current salary is. that's hard for even the mission to hold that. and frankly, we are seeing some drain, and i'm not winning that war right now. i'm losing. we're looking at some special plans. easier ways to recruit. we're working on it. we have some and i can do some hiring under some special cyber acts, but i can't really compete very well on the pay. i don't think we'll be able to compete on the pay. maybe we get a little closer, that would help. i honestly don't have a good answer how we win that one. >> i'm curious what the trust factor is when you talk about working with private industry. because it seems to me the last
11:51 pm
few years one of the major themes has been a lack of trust between private industry and the federal government, particularly the pentagon over nsa spying, encryption, et cetera, et cetera. i wonder when you talk about partnering more with private industry, are you finding private industry willing to do that, or do you have a big trust issue you have to overcome? >> within d.o.d., with our partners, i don't have a big trust issue, and i think there are two reasons for that. i'm not naive enough to think the first reason is i spend $36.8 billion a year. that buys a lot of potential trust. but i'm going to say this, and i actually had a very good discussion on this on my trip overseas. i do think american industry responds to d.o.d. very well and has a very good history of doing that. i was talking yesterday at a
11:52 pm
table where i was speaking at milcom. a lady gave me a suggestion, and i think i'm going to follow up on it, that we have industry with us on a forward edge. when we tell industry, listen, we need help in getting smaller communications to this far-flung unit and we need people out there, they deliver. when you talk to the industry that get this, they are very supportive of defending the industry. i don't see a big trust problem. do i think there are industries that worry about parts of d.o.d.? yeah, but that's generally not the industries that i'm doing as much business with. the ones that are doing business with d.o.d., i don't see a big trust problem. as a matter of fact, i applaud them. we give them a challenge. they're generally up to meeting
11:53 pm
it. >> may i add something to that? >> sure. >> the cybersecurity problem is very complex, it's very distributed, it's very difficult and it's something we all share. we've had great partnerships with them as we figure out together as a nation, as an industry, as a department of defense how we're going to figure out that problem. we share successes we've had. we've had a lot of great dialogue with our big industry partners on how they're doing that, how they're having successes in their companies, things we may want to look at, so i think there's been great collaboration. >> anybody who hasn't had one that wants one. yes, ma'am? then we'll go down there. yes? >> hi. so earlier this week we saw that the d.o.d. cybersecurity culture and compliance initiative memo came out. i was wondering, what does this memo mean for your office, and how are you carrying out some of the directives that are inside it, like the directives for
11:54 pm
culture change? >> well, amber, as we talked about, we certainly looked at how we're changing the training to get it down to every level and going up to every level, getting it to all the commanders. we are expanding what we look at in the cyber scorecard. i do think the things you measure are getting attention, and we are now measuring those things. we're having a lot more discussion with industry, as mary ann said, about how we better share all of the data that's available from both industry and the d.o.d. on what the threats are, how to counter the threats and then passing that around to both our partners and orchestrate it in the right way to get that culture change and that's what we're trying to do. you asked specifically what my
11:55 pm
role in my organization is to make sure that gets done. we do the measurements and we are trying to make sure the orchestration gets with all the data. are we doing the authentication? are the systems administrators using tokens so we know what systems administrators are on the networks? have we put all of our public facing and forward facing, meaning onto the internet servers behind the right set of firewalls or other security boundaries? firewalls will change here somewhat. but there will still be a security boundary, whatever that technology is. have we looked at how all of our data is encrypted or not? when -- there's times when data
11:56 pm
should be encrypted and are we following all those processes? >> thank you for taking my question. you had talked earlier about partnering with industry, particularly smaller partners. i know d.o.d. has stood up an experimental innovation unit in silicon valley, so i would love to hear how that process is going in the early stages. >> i think it's going about how you would think in the early stages. we're making some progress. we're still learning that. it's out there really to learn how silicon valley does business than to teach silicon valley how d.o.d. does business. i think that's a key that the secretary set very smartly for that. here's what d.o.d., when it comes down to it, if you're a small business and you're doing your innovation, you live on a 3 to 6-month funding cycle. if you don't get money in the 3 to 6-month window, they're not there anymore. that's what they have to do to pay back their backers.
11:57 pm
we're generally not turning that fast, so one of the things we try to do up there is how do we make the smaller investments we have to make faster? and i think we're doing okay. i would tell you the secretary probably thinks we need to do better and be able to still get faster. the other thing that unit is doing is not educating silicon valley about our business process at d.o.d. but actually educating about our processes and what do we need? what are the areas that we need the most help with? i think that part of it is going really well. and we've coupled that with -- we've had a couple trips out to silicon valley. we will have -- when i say silicon valley, it's the concept more than the location. we've put one out in california, but we're taking a trip -- my deputy will leave up the east coast, because there's actually a lot of innovation going on in boston, new york, places like
11:58 pm
that. so we want to make sure we're not just capturing what's out in the physical silicon valley but getting that concept. we're even looking at some places -- you know, there's interesting innovations going on in london and places like that. how do we make sure we capture all that? so in addition to partnering with the industry, we're also having better relationships with our counterparts. i spent a lot of phone with mike stone, who is the u.k.'s cio for their ministry of defense. we exchanged ideas. i just came back to see how they're doing. they're a little smaller, they can turn faster, but they're the exact same problems. so we can look and see a little bit what fails or succeeds faster, which is a big help for us. >> i'm going to keep moving around the table but i want to ask a question, if i can, about veterans. we were talking before the breakfast started that you were
11:59 pm
scheduled to testify on tuesday to the house committee on oversight and government reform about electronic records between the d.o.d. and the d.a. as you know, former secretary gates lamented that he never succeeded in cracking the bureaucracy and said if there is one bureaucracy more attractive in defense, it's the va. so how does the record inoperability thing stand? i ask that as an older veteran myself. >> it's getting better. i don't think it's good enough. i guess i would answer more about what we in d.o.d. are doing. i'm sure all of you are aware we have just signed a contract to make d.o.d. more commercial like. we're going to have commercial and we're using a very broadly
12:00 am
accepted commercial software to do that. we're spending a lot of time looking at how to make that work better. we are actually taking more and more commercial practices.

