Politics and Public Policy Today, C-SPAN, May 11, 2016, 12:15pm-2:01pm EDT
this was part of a day-long conference on national security hosted by george washington university. you can watch all of it on our website. we'll show you another part in just a few moments here on c-span 3. on the issue of counterterrorism, the hill is reporting this morning that senator angus king introduced a bill to require the administration to develop a policy to determine
when a cyber attack rises to the level of warfare. it would require policymakers to consider the ways in which the damage from a cyber attack compares to a conventional attack. it would require the definition in its law of war manual. read more at thehill.com. back up on capitol hill today, coverage of the centers for medicare and medicaid services and how they are implementing new rules for physician payments under medicare. the acting director will testify, and our live coverage starts at 2:00 p.m. eastern here on c-span 3. more now from this conference on national security and counterterrorism. the deputy secretary of the department of homeland security talks about efforts to increase cyber security threat information sharing between the government and private sectors. and public and private sector participants talk about what they are doing to encourage cooperation in combating cyber threats.
>> good morning, and if i can welcome everyone to the campus at george washington university, thanks for taking time out of your busy schedules. let me also welcome our c-span viewers this morning. my name is frank cilluffo. i direct our center for cyber and homeland security and i'm really excited for what will be a rich and long day covering a whole host of issues that our center zeros in on, ranging from counter-terrorism to homeland security to cyber to obviously the integration between federal, state, and local, and obviously with the integration between the public and the private sector as well as some of the international issues. i couldn't think of a better time to host this, as sunday was the fifth-year anniversary of our successful raid on bin laden in pakistan. and obviously it serves as a good
time to sort of take stock in terms of where we are, how the threat has changed and what sorts of capabilities and capacities we need to be able to get ahead of the curve. our conference is titled "securing our future," and it is meant to be a strategic set of issues that looks across our various portfolio issues. let me ask everyone to please put their phones in quiet mode and, when you do have questions, please identify yourself and allow time for a mike to find you. i am going to very quickly introduce one of our board members, mike balboni, who will moderate the first session this morning with the deputy secretary of dhs mayorkas. mike balboni is a long-time friend, co-conspirator on a whole host of issues. he serves on our board and, more importantly, has served in numerous roles related to homeland security including the
homeland security adviser to two different governors in the state of new york, a former state senator in new york who really picked up and advanced a lot of the homeland security issues from the state assembly. he also comes from my hometown, long island. he represented long island. as you can see i am wearing my islanders colors today. so go islanders tonight. but without further ado let me introduce mike balboni, who is ceo of redland strategies. you see him a lot on our tv screens throughout the country. and mike, the floor is yours. thank you. [ applause ] >> good morning, ladies and
gentlemen. i don't know if you share my sense of enthusiasm but it's great when you come from the hinterlands of the state and come to washington, d.c., and get a chance to interact with the people who are decision makers behind the scenes. you don't normally always get a chance to see them. and that's our opportunity this morning. alejandro mayorkas is a very distinguished individual that you may not really have spent a lot of time focusing on. yet, in 1998 he was appointed by then president clinton to be one of the youngest u.s. attorneys out of central california. then he went to the private sector and, when he went there, the "national law journal" called him one of the 50 most influential attorneys in the nation. and of course, the president, obama, put him into dhs for citizenship and immigration services where he oversaw an organization of 18,000 individuals and a $3 billion
budget. then he took the big step. in 2013 president obama then said, you become the deputy secretary for dhs. now he runs an agency, as we all know, of $60 billion, 240,000 employees, and he is the number two for this incredibly vast enterprise that has so many of the issues that relate to so much of our personal lives. so without further ado, deputy secretary mayorkas. [ applause ] >> thank you. thank you very much. good morning, everyone. and i very much appreciate the opportunity to share some thoughts with you. i thought this morning i would really focus my comments on cyber security in particular, one of our greatest priorities and one of the greatest national security imperatives that we face. one year ago today, as a matter of fact, one year ago, two men wearing body armor, carrying assault rifles, hand guns and 1,500 rounds of ammunition
stepped out of a vehicle and started shooting at the curtis culwell center in garland, texas. they did not achieve their objective. they were thwarted by valiant and brave law enforcement officers who were ready for the attack. one of those valiant officers was shot in the ankle, was able to recover in a local hospital, but no one died. the curtis culwell center was targeted because they had exhibited a cartoon show with respect to the prophet mohammad in protest of the tragic "charlie hebdo" assault that had occurred a month earlier in
paris, france. the attack was essentially thwarted successfully because of the fact, in part, that the intelligence community had shared information with local law enforcement with respect to anticipated attacks on the center, and the prospect of just such an event. and we, in this country, are quite mature and evolved in the sharing of information in the counter-terrorism arena. not only within the intelligence community, the federal intelligence community, but very importantly and critically with our first responders, through a network of fusion centers and other mechanisms we share information in as realtime as possible with state and local
tribal law enforcement so that those individuals are equipped to protect the public whom they serve. that level of evolution and maturity does not yet exist in the realm of cyber security. and yet, it is no less a security imperative. in fact, there is something unique about the cyber security realm that really underscores how imperative the sharing of information is in this realm. and that is the ease and accessibility of replication of harm and the replication of an attack. when i was a federal prosecutor and handled -- at the outset of my career i handled bank robberies.
i remember seeing bank robbers who hit one bank and moved on to another. and the ability to execute their particular modus operandi and replicate in one institution the harm that they had sought to inflict in another was actually quite difficult and usually unsuccessful. here in the cyber security realm, as we all know all too well, it is just a click of a button away. when one hits one institution, whether it be ransomware or whatever harm one seeks to inflict, one can easily hit another institution in a matter of seconds if not simultaneously. that calls for the sharing of information in a way that is rather unprecedented in the law enforcement arena. very often in an investigation information is not shared because, number one, the investigation may be conducted in the context of a grand jury. but more importantly, the investigation is seeking to identify the perpetrator and
achieve accountability. in a cyber security realm, the perpetrator may be an ocean away, may be inaccessible to law enforcement, and actually apprehending the perpetrator may not necessarily be as important as ensuring that the victimization is in fact not replicated elsewhere. and so, the paradigm that we are seeking to establish in the cybersecurity realm is a much more open and sharing of information paradigm than otherwise exists in the traditional enforcement and security arenas. what we are seeking to
accomplish in the department of homeland security and across the administration is to treat the cyber threat indicator itself, this unique indicator of the perpetrator, to share that, to no longer consider it a commodity for profit but, rather, to share it as a public good. so that, if in fact one institution is harmed, we share the information as to the nature of the vulnerability and, more specifically, the nature of the exploitation and enable others who may share that vulnerability to patch the vulnerability and protect themselves from suffering the very same harm. right now we have a number of obstacles in achieving that information-sharing paradigm to which we aspire. i'm not worried about the obstacle of undercutting profit because we know very well that
in the cyber security realm there are many avenues of making a profit. the cyber threat indicator, the profit makers do not need to rely upon. but rather, there are different obstacles. number one, i think there is a general sense of distrust between the technology community and government writ large. there is certainly a residue of distrust in the post-snowden environment. and that residue, quite frankly, has been built upon or sharpened a bit, quite frankly, in the dialogue around encryption and the sometimes polarizing nature
of that debate. and we have to work through our disagreements. we have to work through the distinct policy positions around critical and important issues and find a level of trust that allows us to protect one another and, therefore, collectively to protect the nation as a whole, number one. number two, there is a skepticism in the private sector as to what is in it for us. we will share information with the government, but what will we receive in return. will we, in fact, only be the subject of an investigation,
whether our cyber security protocols within our institution are adequate to protect our customers, our shareholders, our clients, our students, our patients, whatever the nature of the duty is. will we become the subject of investigation, or otherwise will it just be a one-way stream of sharing of information. and what we are building in the department of homeland security is a mechanism of, frankly, mutual benefit. our intention in receiving information from the private sector, stripped of personally identifiable information, so that we safeguard an individual or an institution's privacy interests. we are unique in the department of homeland security as having a statutorily created office of privacy and a statutorily created office of civil rights and civil liberties. but we will take that information and we will disseminate it. we will disseminate it in automated form, in realtime, not only across the government but, frankly, throughout the private sector to the information sharing and analysis organizations that the president created in his november 2014 executive order. and the idea is, if that one institution shares with us information that other
institutions may not be privy to, we will publish that information in a form that is useful from a cyber security perspective and not imposing -- unduly imposing from a privacy perspective throughout the participating private sector entities so that they can understand what the harm suffered was, how it was achieved, and protect themselves from suffering the very same harm. the sharing of information in the counter-terrorism space took time. it took time for the government to develop the mechanisms of sharing and to develop the muscle memory, to overcome, to some extent, provincialism that existed, stove-piping, but we are in a place now that is far,
far stronger and far, far better than when we -- the way we were in 2001. we do not have the luxury of time in the cybersecurity arena to develop institutional mechanisms, to develop a culture of information sharing and to build the muscle memory that we now enjoy in the counter-terrorism space. the cybersecurity realm, as we all know, is fast evolving. it is exploding. dr. eviatar matania, the head of israel's national cyber bureau, described cyber space as the third revolution. there was the agriculture revolution, the industrial revolution, and now there is the cyber revolution. there are more devices connected
to the internet than there are people on the planet. and things are moving fast. and we need to move fast as well. not only as a government. we need to be far, far better in our ability to innovate than we are currently, and we're making strides in that regard. but we have to be better as a community. and by that i mean as a public-private community together, in battling the threat of cybersecurity. we believe in the department of homeland security that we are uniquely situated to be the point of the spear in building that community, that community of sharing of information and a
cohesive response to attacks that can hit one or all of us together. we have been the beneficiary of critical legislation this past year that affords the sharer of information liability protection. we are a civilian agency, civilian department, though we have law enforcement components. we are civilian in nature and, as i alluded to earlier, we have unique protections that afford the interests of the dissemination of information and the privacy in civil rights and civil liberties arena. we are working within the administration to publish critical documents to guide the private sector in the sharing of information. we look forward to rolling those out in the near future. we are enhancing our efforts not just domestically but certainly internationally. our office of science and technology just entered into an
agreement in principle with the government of south korea. our office of science and technology has just entered into an agreement with the government of israel to pool funding for research and development in the cybersecurity realm. this is a matter where the community is not only a public-private partnership domestically but a public-to-public and a public-private partnership around the world. i returned recently from berlin and the united kingdom, where i participated in the biannual dialogue with our key partners in the national security space. and front and center in those dialogues was the subject of cybersecurity. of course, encryption arose, but the sharing of information and the development of institutional responses to a harm that we are all exposed to was uppermost in our minds and uppermost in our discussions.
and so i hope that we will be able to work together to build a cybersecurity infrastructure that parallels the success that we enjoy and that we execute in the counter-terrorism and broader national security structure, and i appreciate your time and i look forward to fielding your questions in the minutes ahead. thank you very much. [ applause ] >> permit me, if i may, deputy secretary, to pose two questions. and then open it to the audience for questions themselves. so let me switch to the counter-terrorism perspective. so post paris and brussels, what has become very evident is that there have been enclaves of isolated communities within those -- throughout europe really but specifically in brussels that have permitted the radicalization on a community basis of some members, certainly the ability to move in and out
of these communities themselves. given the level of rhetoric in this campaign and the concern that we've seen growing throughout europe, what is it that we can do from the department of homeland security's perspective to counter the narrative of radicalization? >> let me say that i appreciate that question. it's a very important priority of ours, the countering violent extremism mission. last year we were very focused on the foreign fighter phenomenon, the phenomenon of individuals leaving the united states, traveling to conflict zones, syria most notably, and the concern that they became or already were radicalized with the intent of returning to the united states to do us harm. that, of course, remains a concern of ours, but increasingly we are concerned about the home-grown radicalized violent extremist. and we had an effort that was under the rubric of countering violent extremism, but we
rebranded that effort very importantly and created the office for community partnerships because ultimately -- ultimately the owners of that effort must be the local communities themselves to be able to identify individuals who are on the path to radicalization and to intervene in that path. we, in the federal government, can facilitate and equip them to address this phenomenon. the -- director james comey has spoken on a number of occasions publicly about the fact that there are approximately 1,000 individuals under investigation in the united states now. there are individuals in every single state of our union who are under investigation. and they may very well not have travelled to an area of conflict, but instead become radicalized in their own communities. we were given funding by congress to equip local and
state and tribal law enforcement and community organizations, whether they be non-profit, religious or other types of organizations, to build the lines of communication and to build the apparatus to reach those individuals, their families, their friends, and equip them with the tools to intervene. we are also, of course, involved in transmitting the counter-narrative. and the one thing that -- or at least one characteristic that really distinguishes isil in the radicalizing effort is their very sophisticated use of social media. and we, in turn, are using social media to reach the very same individuals, to ensure that the messages that they need to receive in order to thwart their path to radicalization is in fact communicated. so this is a community-based
effort that we in the federal government very much support, facilitate and equip. >> i appreciate very much your remarks on the efforts in the department for cybersecurity. and one of the things that is so daunting to the private sector is this array of stove-pipe regulation, for the fcc, hipaa, all sorts of real hard penalties associated with that. yet, when you go to the federal government writ large there is no law that tells you how to be cyber secure. it's one of the things that a lot of companies really struggle with. if you could speak to the private sector for a second. what is going to get the cybersecurity moving at the private level? what are the things? is it a carrot -- is it a stick, the sharing of information?
what do you think is the right recipe to engage? because, as you know, the private sector has 80% of the cyber assets. so how do we truly engage in a national dialogue with the private sector to make them more and more cyber secure? >> so, there is not a single standard for cybersecurity. in other words, this is the standard of care to which you must adhere and if you fall below that you may be exposed to liability, and if you satisfy that standard you are safe from liability. and there isn't that standard because of the dynamism of the environment and how quickly that standard quite frankly would move. and the opponents articulate that. the standard of care may suit
the current environment but the day after tomorrow it may be obsolete because we have learned so much. what we have done in the federal government is actually developed the nist framework, which resides in the department of commerce and which communicates the criteria that a private sector institution should look to in developing its cybersecurity ecosystem. and so if you're a big company, if you're a medium company, if you're a small company, depending on the nature of the jewels that you carry as an institution, you look to the nist framework to understand the analytic architecture that you should follow in building your cybersecurity. i will say this, and this is my personal opinion as a participant in this arena but also very much a student in this arena.
when i was a prosecutor, federal prosecutor, the standard of care was quite evident. and we did not pursue accountability as a means of defining the standard of care. because in the criminal arena that would be terribly unjust. i will say, in this space i do see federal lawsuits against companies for deficient cybersecurity, and i'm not sure that all of those lawsuits are just given the fact that we have a lack of clarity of what is really due care, standard of care. there are cases where the deficiencies are readily apparent. they are patent and, quite frankly, the protocols are irresponsible. but if one doesn't have that, frankly, level of -- of a lack
of care, it starts, to me, to get very difficult to hold companies responsible. and i worry about the use of a stick to build a cybersecurity ecosystem rather than a means of communication and the provision of tools to develop it. >> thank you very much. we'll open it to the audience for questions. if you want to ask a question, please raise your hand and we'll get you a microphone. >> down here in front, please. please identify yourself, if you would. >> hi. rick weber at inside cybersecurity. deputy secretary, you mentioned critical documents that you are working on within the administration, in the near
future you'll be publishing them. are they on sharing within the government or the private sector and how will they relate to liability relief under the cybersecurity law? >> so with respect to the question of liability, we already in the department of homeland security published a number of documents, and we, of course, i think, owe to the public additional education materials. i think that the documents that we are working on, and not to get too far out in front of the administration -- and i probably already have achieved that -- but i think it really speaks to how we are organized within the government and how we will use our resources in the best service of the public interest. we have heard from the private sector who are we supposed to call if in fact we suffer a cyber event. we, of course, want to provide clarity in response to that question, and in an ever-increasing arena of change, we also have to be well organized and well coordinated within the federal government and within its institutions and our respective roles and
responsibilities. and it is on that latter point, i think, that we are focused. >> up front. >> allen day, retired cia. was there anything in the 215 data that, had it been pursued, could have been used to head off the san bernardino attacks? >> so that's a question that pertains to an ongoing investigation and an ongoing prosecution, so i will refrain from answering that question. and as a former cia official, you should well understand my response.
>> next. in the middle here. >> rich cooper, catalyst partners and a senior fellow with the gw center. have you been having conversations -- you talked about engaging with the private sector. have you been talking with insurance companies as to lessons learned, insights that they have? insurance companies seem to be a great arbiter of changing behaviors in lots of ways. curious what insights and dialogue you've had. >> so that's a great question and a great point. the allocation of risk is a phenomenal driver of behavior. we do dialogue considerably with the insurance industry. most importantly, to impart
information so that we share what we know with industry so that they are equipped to understand, really, the dynamics that we face, not in terms of schooling, how they choose to allocate risks and build their models. but i do think that the insurance industry will be one of the key drivers of cybersecurity standards. >> in the back. she's coming. >> kim quarrels. further to the point on insurance. there are insurance products
available, to your point, undersecretary, of educating the private sector to coordinate with the insurance industry, there are products where notification becomes an element of what they are required to do. and if that sharing does occur, the notification process becomes part of the incident process and the incident response. >> yes. and that's why i do think the -- the maturation of the insurance industry in the cybersecurity realm will help drive behavior, and i think it will help define the standards of care that are somewhat elusive now and seem to be developing through the crucible of the courtroom rather than the policy-making rooms. >> yes. down here in front. >> i'm from new jersey, so i can really speak out loud.
i won't. cindy faith, deloitte. in your vision with regard to the information sharing, automated information sharing program from dhs which is sort of a machine to machine level of iocs and sort of how you see small and medium-sized businesses being able to benefit from that given the fact that there's a level of infrastructure and maturity needed to ingest this at the machine speed. >> so great question. so just for everyone's awareness, we committed to developing an automated information-sharing structure where we can receive the cyber threat indicators in a particular format, a stix and taxii format, in automated form.
and in near realtime, essentially strip from it the personally identifiable information that of course carries with it very important privacy interests that are not germane or material to the cybersecurity goal and then to disseminate information in automated form throughout the private sector, something to which i alluded in my opening remarks. we have, in fact, built on schedule the first level of that automated information-sharing protocol. we have 24 companies already participating in it, and one of the questions is, as i understand your question, how do we build it so that we achieve accessibility for all, not just
the big institutions that can afford the investment. and that is something that we are building towards and don't have just yet. and it's -- it's very new. and so we are working on it as a top priority. and this is one of the areas in which we need to innovate. quite frankly. we are hoping, as a government, to move from a flintstonian model of development to a jetsonian model of development. and for all of you who don't know, that is a literary reference. i'll give you a perfect example. the notion of embarking upon a ten-year contract for the development of a product which, by the time we roll it out, is obsolete, has to really disappear, and we are now increasingly using the agile
method of development, the waterfall development -- the waterfall method of development where we move in six-month or even shorter sprints and produce product in that way. we've brought in -- and this is really the president's leadership -- digital services, people from companies like deloitte, other very cutting-edge companies, to really bring the most cutting-edge development models and thinking to the way we not only acquire but execute on contracts. so building the automated information-sharing framework for the otherwise disenfranchised is something that we are very focused on. >> up front.
>> john gardeniere, gw alumnus and former naval intelligence officer. following up on your last answer, sir, i wonder to what extent you could address the topic of red teaming, and particularly outside the intelligence community of the government. to what extent can you use the dedicated hacker community or fraternity in some ways to help you understand and counter vulnerabilities. >> let me share with you an experience that i had that brought your question into my life. i was -- into my life as a deputy secretary. i was speaking at defcon last year, which is a conference of
hackers in las vegas, nevada. and there are about 20,000 attendees in the conference, and i spoke to a group of maybe about 700 or so, and i was actually -- the focus of my remarks was on the issue of distrust and how to bridge the divide. and i was not permitted to bring my personal or work phones into the hotel, whether on or off, for fear that they would be hacked. and i actually mentioned that at the outset of my remarks and told the group of people that i had brought a phone with me and that if anyone made it ring during my remarks i would pay them $1,000. this was at the outset of my remarks, and all of a sudden everyone is opening their backpacks and their briefcases
and they're pulling out equipment and working on things. it was rather stunning. they learned a few minutes later that i had brought with me a motorola flip phone from the '70s, so i was -- i was secure in my inability to afford paying anyone $1,000. but i said, you know what we need to do? in the course of my remarks, i said, you know what we need to do? we need to actually bring some of you into the government, not just from a red-teaming perspective, which frankly we do already. we do and the department of defense does as well. and secretary carter spoke of that publicly. but also so that they understand, they understand what we do, how we do it, and why we do it. you know, it's very easy to --
to distrust from afar, but if you are sitting next to somebody and you actually observe them and the intentions of their efforts and the policies behind their efforts and, in my humble opinion, the nobility of their efforts in government service, that's the best way to eliminate the distrust. and so we red team in the department of homeland security. there are red teams outside the department of homeland security, specifically in the cyber space. i think bringing in that community actually has other collateral benefits to which i refer. >> down front, please. >> we red team internally as well, by the way. >> deputy secretary, fred rosa with johns hopkins university and also senior fellow here at the gw center. would you take a moment to
comment on your sense for the maturity of the department's risk assessment process, particularly with respect to obviously there is a wide, scary dynamic threat spectrum much different than we have had in the past, and there is a day-to-day necessity to make decisions about establishing programs, allocating resources and so on, and they need to be risk driven. would you offer your perspective on that, please? >> so that's a very, very good question. i would say -- i would answer it in this way, in all candor. i think that we are more mature in our ability to assess risk with scientific rigor in some areas more than in others.
and let me -- let me give, as an example, the -- let me harken back to the question that you posed with respect to extremism. the radicalizing of individuals in the united states. in my visit in the u.k., they have a very sophisticated architecture of intervention and developing and disseminating the counternarrative. and it is empirically based. they have analyzed the risk and the underpinnings of their efforts are scientifically based.
i think that our development of that scientific foundation is not quite as mature, and we are working on it. frankly, our office of science and technology has funded incredibly important research projects, but we need to do a better job of integrating those research projects into our operational workings. and so i would say it depends in what area of our vast mission one is speaking of. we're better in some areas than others. we're very -- we're very mature in the border security arena, something that we have been very dedicated -- quite dedicated to and, frankly, countering violent extremism is a relatively --
relatively new phenomenon as compared to, for example, border security. >> so with that i believe we have concluded this part of the session. deputy secretary, thank you very much for your remarks. >> thank you. thank you all very much. >> continue with the mission. >> thank you. [ applause ] >> well, thank you.
and now we're going to move into our panel on public-private sector coordination on cybersecurity. we've got an amazing group here representing a whole host of different actors that have to be part of the solution set. i will just literally give titles and let -- and if they want to expand during the q & a in terms of their backgrounds, that would be great, but i want to maximize time. starting all the way to my right. i'm rarely on the far left but starting all the way to my right is eric goldstein, who's a senior adviser at the cyber division at the department of homeland security. next to him is an old friend of mine, general reynold hoover, a major general in the national guard and is also very active in our active defense project that we're doing here at the center. kiersten todt, who is leading the president's commission as the staff director for cybersecurity.
so thought it would be really insightful to get a sense of where the commission plans to go. scott aaronson, who is at e.e.i. and has done a ton of work on public-private partnership and grid security and cybersecurity, and i think the sector as a whole has really raised its game in terms of cybersecurity. given the recent cyber attacks in the ukraine, think there could be some very valuable lessons in terms of the implications here in the united states. last and certainly not least is scott kaine, at delta risk. he is a newly appointed ceo there, so congratulations on that. and thank you for helping sponsor our event. >> sure. >> what i thought i would do is jump right into questions. we want to save time for the audience to engage in a q & a as well. kiersten, i thought we'd start with you. since the president recently concluded there was a need for a commission to examine cybersecurity issues, obviously
the scale and scope is quite broad, but what are the priorities that you guys are looking at? what is it you hope to accomplish, and what is it you hope to accomplish in a relatively short order of time? >> right. so i think that the short order of time, as i have said, works to our benefit. i've said it's the marathon within the sprint, the sprint within the marathon. either way it's fast and requires a lot of effort, but the end result is a report that's going to be delivered to the president on december 1st, and the key here, as the president outlined and as the commission has repeated, is this is not intended to be a culminating document of president obama's administration. quite the opposite. it's intended to be a document that looks forward and that hopefully the new administration that comes in can use as a transition document on cyber. and the general strategy approach to this commission is looking at the digital economy and it's looking at the role of the government as well as the
private sector in the digital economy. how these two elements and entities work together and what they can each do in order to look at creating a secure digital economy three, five, ten years down the road. and our -- sort of the way that i would define specifically what we are looking to do is to set forth in december a series of short-term practical recommendations, ones that, as soon as that report is done, can actually be used and implemented immediately for ways that can help and secure what we're trying to do as well as long-term ambitious recommendations, so that we're ensuring that innovation is a part of this. when we look at those and look at the different themes, that they're both possible, and how we do that is measured by taking best practices, lessons learned that are out there. what we're working with right now is looking at what are the models for how we're going to draft the recommendations. it's a combination of what's
already out there, best practices, lessons learned. it also could provide an opportunity for things that are working but don't have a lot of visibility and to raise the platform and the visibility of them on a national level. and then not most importantly but i think very -- very importantly is the innovation, being able to pull in innovation around this country on these initiatives and efforts in a way that, again, puts forth a digital economy that we're looking at three, five, ten years down the road. >> thank you, kiersten. eric, why don't we go to you in terms of trying to get a sense of where we are, what's working, what's not. can you shed some light on where the nccic fits into some of the public-private partnership initiatives and then we'll turn to general hoover and then we'll hear from the private sector. >> absolutely. i should begin by noting that cybersecurity in the u.s. government is, of course, a team sport. so we have law enforcement agencies that of course have to identify, attribute, interdict our adversaries, we have the military defending d.o.d.
networks and combatting our adversaries in cyber space. my agency, dhs, our role is to protect. our role is to actively protect federal civilian agencies and help the private sector and help state and local, tribal and territorial governments better protect themselves. with that, we're pushing forward very urgently on a few lines of effort, the first of which is congress was kind enough to pass the cybersecurity act as this audience assuredly knows, last december. as part of that act our national cybersecurity and communications integration center, or the nccic, was established as the u.s. government's information sharing hub to exchange cybersecurity threat information between government and the private sector. this past march our secretary certified that our capability to share information in realtime between government and the private sector is operational. what we need to do now is build the base of companies and agencies participating in this activity.
the act of last december really removed a lot of the disincentives that were stymieing sharing between government and the private sector, for example, the possibility of civil liability, foia exceptions, et cetera. so we now feel that the disincentives have been wiped away by this new act. we at the nccic now need to figure out what are the positive incentives. how do we in the government show added value from cybersecurity information sharing such that companies will see benefits to their security and to their bottom line to participate. i would also note, building off the point on the president's cybersecurity commission, we see ourselves as having a significant role in promulgating best practices across the nation and figuring out how should companies best evaluate their relative cybersecurity posture and measuring progress thereto. and of course our foundational document for that is the n.i.s.t. cybersecurity framework. we need to figure out how
companies use the cybersecurity framework to measure reductions to show measurable reductions in the cybersecurity risk. we're focusing in the private sector for increasing our capacity in these two key areas. how do we demonstrate to the private sector the value of automated cybersecurity threat information sharing and how do we actually promulgate and measure the effectiveness of best practices being adopted across the private sector and in particular across the nation's critical infrastructure. >> general hoover, when you think of the national guard, they embody the citizen soldier. we can all look back to major crises and recognize that the role that the guard plays in mitigating the consequences of these sorts of attacks. where do you see the national guard fitting into our overall cybersecurity equation? and what more can or should companies and state and local authorities know about the guard's role here?
>> sure. so i think there is a couple of things. first, the days of putting a lot of money into cyber to build a wall are over. we all have to kind of get our arms around the -- >> you mean we can't firewall our way out of this one? >> no. the firewalls are a thing of the past because, you know, a company, a private sector, or the federal government, will spend millions and billions of dollars on building the wall, and it only takes one person on our side of the wall to do something really stupid to take down your system. so i think, as we think about cyber and what cyber means from whatever perspective you're looking at it, it really needs to be a whole of government initiative, and it needs to be a public-private partnership, and we need to think about active defense, and we need to think about risk management in the cyber arena. we think that the guard is uniquely -- in a unique position to support that effort through our citizen soldiers out there, and as part of that -- as part
of that we have -- we're fielding cyber protection teams in all the fema regions, in each of the ten fema regions, both on the army and air side. we should have those teams in place by fy '15. or '19. these units are in state active-duty status, so they're under the control of the governors in all 54 in the states and the district of columbia and territories they will be available. they're there to augment the d.o.d. mission and army cyber command. more importantly, they are a unique asset. as we think about what's the future for cyber and how do we do that in partnership, i think the guard has a unique capability to bring to the table. >> i want to pick up on a couple of those points in a bit. scott, how many companies went into business thinking they had to defend themselves against foreign intelligence services, nation-state threats? how do we translate the nouns
into the verbs? what is it e.e.i. and the companies you represent doing to try to make this real? and do we need to -- is it about consequence, is it about perpetrator-actor? what are your thoughts? >> there are a bunch of things that general hoover said that i want to pick up on. you heard the phrase -- or the word "partnership" over and over. that's exactly the way that we're looking at this. we as the electric sector, to your point, frank, we can't do this alone. we don't have intelligence gathering capabilities for the most part. we don't have law enforcement. we don't have a national security mandate. but we are a target. so what we look at in terms of partnership, there's a north-south partnership. government and industry working together. i am privileged to serve not just at eei but i also serve as the secretary for our coordinating council which just yesterday brought 30-plus ceos together with senior government officials. we do that meeting three times a year not to pat each other on the back and say doing a great job but to actually do things that are advancing the cause of security. looking at deploying tools and
technology that the government has. the way i put it colloquially, the government has some pretty cool toys, we want those on our systems. improving the sharing of information. making sure the right people are getting the right information at the right time. i talked about north-south, government and industry. east-west is incredibly important across the sectors also. we, the electric sector, because everything runs on us, are often looked at as the most critical of the critical. we don't have water, can't generate steam to cool our systems. don't have telecommunications we can't operate. transportation or pipelines can't move our fuel. there are many ways to attack the electric grid short of attacking the electric grid. so finding those east/west partnerships. so tools and technology, information sharing, partnerships, response and recovery. so much we get, like you said, general hoover, we can't firewall our way out of this. you build a higher wall they're going to build a higher ladder. what you want to do is make the adversary build the ladder but we understand security is not just protect, detect, defend.
it's also respond and recover. and what can we be doing today to make sure that bad day, because it's coming, does not become a catastrophic one? how do we manage the risk? how do we put the risk in a box? how do we ensure we have a short outage as opposed to something more catastrophic? >> scott, i don't want to -- before the -- i don't want to belabor this point. but if everything is critical, if we have 16 designated critical infrastructures, does that mean nothing's critical? or how do we actually get to the point where we rack and stack, prioritize? i mean, obviously the energy and electric, i mean, it is the most critical because without the lights we wouldn't be able to be here today. so how do we start thinking about that? >> i think people are. there genuinely are different terms of art. there's lifeline sectors. there's strategically valuable strategic infrastructure sectors. the national infrastructure advisory council knocked it down to five.
electricity, not energy broadly. electricity. transportation, water, finance, communications. and i think there's a lot of wisdom in that recommendation. i will say the three sectors -- there is not a knock on the others, but that have probably become the most mature because they have been the subject of attacks for so long, are going to be electric, finance and communications. and i can say, just because of counterparts that i have in each of those sectors, those partnerships are developing at a really rapid rate, to the benefit of the security of each of the sectors. >> so looking at interdependency as well. >> sure. >> between our various infrastructures. scott, looking at it from a private sector perspective, by very definition you've got to be able to provide holistic responses. where do you see things playing out today, and where do you see your greatest focus being in terms of making sure you are meeting your clients' needs? >> from a personal perspective i have been fortunate to be in the private and public sector side.
what i would say is the real issue is in the mid-market. in other words, the mid-size companies on down need help. they don't have the resources. they don't have the assets. my company is privileged to work for the department of homeland security to monitor via an rva program and do vulnerability scanning of critical assets but for mid to small size companies that are important. utility companies, small banks, county governments and so on. and so what we typically find is that my guys within four hours, they're in the door and owning the keys to the kingdom. so you hear this soft underbelly concept, but it's the truth. which is, if you were to take a look at where the most risk is that exists out there, the big companies have the assets, they have the resources, they have the funding, and by and large, from what i have seen, i know eight of the top ten banks work effectively with the government, with the intel sector, with the department of defense, with dhs. there is always that issue with
classified information, wanting to be brought over to the private sector and there are the issues with scrubbing and so on, but the real issue, from what i see as relates to public-private is that the public sector is trying to keep up with monitoring the security and risk associated with the mid-tier companies out there and they can't keep up. and so the program that we have is we work on behalf of dhs and we're not able to go after the list of all the banks and energy companies that need our help to scan because we've got to wait for some dhs supervision to support us to go out in the field. so what i've always thought was if you look at the overall risk where the public sector i think can assist the private sector is in the mid tier and instead of just assuming that one individual from the government can supervise let's say contractors in the private sector to take care of their own there needs to be some type of deputization meaning there's not enough folks to do the job of keeping watch over those
critical infrastructure companies. if it's a national guard leveraging the assets in the field that would do a great service to this country in that if you take a look at what you are going to attack it doesn't take much to figure out and the easier ones plugged into the big ones and before you know it, we have a much bigger problem. >> incident after incident after incident highlighting precisely that concern. including even if i were to rack and stack the critical infrastructures, i would say finance and banking. >> those are the folks that control a lot of monies. they have the resources, but not everybody banks there. but the community banks that own a lot of assets the brokerage houses that manage billions of dollars on a daily basis have basically no infrastructure in place or no support to do anything so while they worry about the audits they're not adequately protected and that's where the program that dhs has
today is helpful and i'll tell you there's a lot more folks that need help. it's just a resource issue with getting the cavalry out there to support it. i think if you're to ask me the one point i was hoping to make today is that from a public/private perspective, the big teams, d.o.d. intel, dhs at a high level, and the high-level financial sector, the energy sector, they would do as good a job as you would expect at this point in terms of information sharing. if someone has a problem, there doesn't seem to be an issue with picking up the phone and calling for help. and for the mid market forget it, there's a very vulnerable exposure in this country and whether it's dhs, whether it's the national guard, i believe there needs to be a stepped up effort to support them and they're begging for it. >> i might note even the most critical of our sector, swift allegedly had its credentials compromised through a central bank in bangladesh so it's getting down to the supply chain
third party vendors with target and many others. >> swift is as secure as they come. i've been in this industry for about 20 years. it's a hard target to get and they got it. so at the end of the day the mantra is if they want you they'll get you. that's what happened there and at the end of the day it wasn't a technology issue. it was someone making a phone call that didn't get received and went ahead without approval to cause the whole mess. >> i think scott raises an interesting point looking at cyber security and initiatives we often think large companies. we often think where the resources are but any successful effort if you look at the nist framework and what our intent is with the commission is to look at the small and the medium and the large businesses because when you talk about supply chain and just in general where critical infrastructure resides it doesn't always reside at the largest level and if you're a small company at the middle of the country you're critical and
arguably more critical than a lot of the big companies at that point. which is a reason why the national guard is this tremendous resource with the citizen soldier to look at how it bridges the day job with the government and we have this access point here around education awareness and knowledge that we could be utilizing a lot more effectively when we're talking about where our cyber efforts are going to be in the public and the private sector. >> go ahead. >> i was just going to add the other thing is not only private sector but the public sector we see a bit the small agencies and departments that need help as well so whether it's determined today in terms of certifying the private sector can support. the managed security service model is very common in the private sector. what it comes down to is instead of me hiring a staff i'll outsource my security. five years ago it was bad to do and nowadays much more receptive to doing it and i think there's a flip side to it so while there
might be mid sized companies in the private sector at the minimum do an assessment to tell them where their problems are. on the public sector, what i have encountered personally is there's a need for the smaller agencies and departments within the government to consider looking at the private sector to help manage their security. you have to have certifying process and body to ensure that whoever this security service provider is can ensure that they meet the standards necessary for the government but it's something that the feds ought to consider in that the big folks have what they need. the smaller folks are trying to do what they can and the private sector might be helpful in that regard as well. >> i'm not sure even the big folks have exactly what they need. >> i was trying to be nice but i take all of your points and i think there's another level that we're just missing and it goes back to my opening comment about what is cyber? and cyber is whatever you see it
as from the -- when you think about the elephant, everybody has a different view of what the elephant is to describe it and there's another segment out there and maybe many of you in the audience are just like me who lost your data through opm breach so cyber to the individual at home on their computer working on their bank information got hacked or their private e-mails got hacked, i mean, it's an issue for them as well and that's why when we think about this cyber defense or active cyber defense it has to be a partnership and it has to be a whole of government approach and it has to involve the private sector because we're all in this together and we're all facing the same things and that's again, you take it back to the guard, we have airmen and soldiers who in their day jobs do cyber for a living. and then when they go for their weekends they put a uniform on and we think they're uniquely
qualified to partner in that state status to support the governors and support dod and army cyber and air cyber in the mission but it is a huge whole of government. public, private partnership but down to the individuals sitting at their computer at home with online banking or using a smart appliance that all of a sudden starts talking to you on their cell phone when you walk into their house. think about that. that's what cyber is about these days. >> i think you raise a very important point here and i want to touch a little bit on the threat. not all hacks are the same, not all hackers are the same, not all intentions are the same or capabilities are the same. it doesn't come in a one size fits all. it comes in various sizes shapes and forms. in terms of understanding threat actors how would this group prioritize and rack and stack where we ought to be thinking about from a capability standpoint and then also from a likelihood standpoint and a
little bit on the ttps or tactics techniques and procedures and we seem to be chasing ransomware, issues seem to come into flavor and out of flavor, but if we were to actually start looking at the threat actors and then some of the ttps they're engaged in, how would we rack and stack that? >> the point of view of dhs one really interesting characteristic of most of the major security breaches from opm on down is they actually exploited known vulnerabilities and very common ttps in order to breach the organization and degrade data. even ransomware, it's infecting the host computers is through the same vectors that we have been seeing malware deploy for years. at dhs, we're actually taking a
generally threat actor agnostic approach because what we have seen is even our most sophisticated adversaries are still breaking in using the most simple and common issues. they're exploiting unpatched software and operating systems, users who click on spearphishing e-mails, exploiting unauthorized privileges for privileged users. so at dhs, what we're trying to evangelize is the organizations deal with the basic blocking or security. that's going to invest in more complicated attacks and if we can devote our cyber security human capital to combatting those sophisticated attacks and just deal with the rest by doing basic cyber security hygiene that will put us in a much better place. >> i want to pull on that because i think you're spot on. at the end of the day at the time of the breach, in most cases, you don't have the
attribution of the smoking keyboard that you're looking for. so you don't know who is behind that, whether you're dealing with the nation state or criminal or disgruntled employee or someone with an ax to grind. but if we can get to the point where we can devote limited resources that the government has to the high end threat spectrum, everything else below that domain in the private sector, we can probably calibrate our efforts a little better. do you see that happening any time soon? >> certainly the direction that we're trying to go in and we're really going in that direction in two ways. the private sector, we have been and will continue focusing on the critical infrastructure that could lead to either physical manifestations or significant degradation of national security or national economy. we're trying to segregate the assets and systems that could lead to the most deleterious effects, but as scott noted, the inherent interconnections and
dependencies make it very challenging. so we need to go to these subasset and subsystem levels and understand what are the vulnerabilities internal to the structure that could lead to these effects. in the past we have taken an agency approach. we have treated each agency relatively equally. we're now transitioning to a new approach as promulgated by the president's cybersecurity action plan, we're focusing on the highest value data sets, systems, and assets in government that, if degraded, the opm database being one example, would lead to especially severe consequences. the cyber security capacity of dhs or any given organization is inherently finite. so we have to focus on the most significant consequences first and in so doing we would have
reduced the likelihood of the most significant or catastrophic events from happening. >> scott this gets to as many conversations as we have had in the past in terms of actor consequence impact, and let's use this also as an opportunity to enlighten some folks on the lessons learned in the ukraine. i mean no state actor worth their salt is going to send the muddy footprints back to the kremlin. but we're using proxies to engage in this sort of activity. how should we think about this? >> a couple things because i want to say both eric and general hoover hit good points. it's rare that you get government and industry sitting on the same stage effectively finishing each other's sentences. >> i'm concerned then. >> you need to be more provocative, frank. >> so general hoover talked about this, what does it look like? sure, i care about business side
attacks, my companies do not like the reputational risk or what happens to their customers if credit card data or personal data is breached. we fight to prevent that from happening like every other business in the united states is doing. what i'm focusing on both on the sector coordinating council and with my day job on behalf of the industry is looking at the operational technology side. so the elephant to me looks like those things that are cyber incidents that have physical implications. and one of the conclusions we came to, although i am glad that cyber has gotten everybody's attention, the security of critical infrastructure is important and can be done from a keyboard across an ocean, really what we are looking at is you're never going to have a cyberattack that doesn't have a physical implication and you'll never have a physical attack that doesn't have a cyber implication, so i look at it a lot more holistically, and in this 24 or 72 hours following an incident you may just not know.
so much of what we have to do during the fog of war is understand the implication. power is out. response. how do we respond to that? now to bring it into what happened in ukraine, people wanted to make the ukraine incident -- this was an eye opening experience for the north american electric utility industry. it was not an eye opening experience. we knew this is the kind of incident that could happen and had been preparing for many years. now that's not to say that we're not going to take this incident and learn really good lessons from it, but it was not some moment where, oh, i didn't know that could happen. we absolutely did and we have been preparing accordingly. the biggest thing we have learned out of that is ukraine had some benefits that we may want to start to apply here in the united states. but they have also got some
drawbacks. they have a much different grid than we do here in the united states. we do have mandatory and enforceable standards, so to the point that eric was making, the sort of nuisance attacks are the kinds of things that the electric grid in the united states, in north america, is particularly good at obviating. what they had in ukraine is the ability to operate manually. we had this rush to automation over the last 15 years or so, on some level, almost blind to the security risks we were creating. now, there's a paradox here. it is good that we have automation and it gives us better situational awareness but it also increases the attack surface. are there things that we can be doing today, to go back to my original point? are there things we can be doing to be able to operate manually in the event of an incident, to go to a degraded state to keep the power running, understanding it's going to be in a less efficient way? those are the big decisions that
we're taking as a sector and in partnership with the government to begin to do planning for those incidents that could have an impact for a longer term on the grid. the second thing we're doing, and again, this is an experience coming out of ukraine, we have a culture of mutual assistance. you have seen it all over the country. when there's a weather event, you have crews all over the country descending on the affected area. can we learn some lessons from our mutual assistance culture in cyberspace? and in fact, we're building out a cyber mutual assistance regime as a sector, but we recognize we can't do it alone. there's going to be a national guard component, another sector component, a dhs component, a law enforcement component. bringing the whole unit together for response to cyberincidents is a great lesson out of ukraine. >> the physical cyber
convergence is growing exponentially as we start talking about the internet of things and the internet of everything, and baking security into the design of architecture becomes that much more important. secure coding and the like. and i might note that one of the greatest deterrents, and i have been an outspoken critic that we haven't articulated a strategy, and i think that we in essence blame the victim. we blame entities rather than put pain and cost on the perpetrator, but that's a longer conversation, but maybe one of the best deterrents is not only the ability to bounce back quickly. i think that's an area your sector in particular has some lessons we can all glean from, an emphasis in planning. >> if the adversary realizes
that the impact is not going to be as catastrophic as they want it to be they'll go somewhere else. that's exactly right. >> you wanted to pull on that earlier. >> try to disagree a little bit. >> i want to say something. >> i think that this idea of education and awareness we have -- i think it still exists, which is a false notion that the right technology is going to prevent something, and we're not looking at it as effectively as a pyramid, and on the base of the pyramid are people. the people are given policies that educate them on what to do, and the technology is brought in to assist the policy and the people, but at the core, it's the people. if you look at what happened to google, we were talking to somebody related to the commission. why facebook says they didn't get breached is because they pulled all of the operating systems out of the wall when they found out what the vulnerability was.
so how many of those operating systems exist in major organizations today? i can tell you that there are still a lot in the public and private sector that still carry that operating system that's known to have that vulnerability, and in different ways as we look at these things. if we look at what the government has proposed, which i think is -- it is an opportunity for the government to play a model in both the public and private sector, what tony scott has proposed with his internet, the i.t. modernization fund, this approach theoretically makes a lot of sense, which is take the functions that are shared across all the agencies that are not agency-specific. hr, payroll, e-mail provisions. and create a shared platform that is resilient. to frank's point, what you're trying to do is you're not going to be able to prevent everything. this idea that actors are more sophisticated, it's not effective. they're just more opportunistic. they look to where the vulnerabilities are. you create an infrastructure
that prevents what should be prevented, blocks the low hanging fruit. there are very basic things we can do, but understanding that you're not going to get ahead of every attack, that there are going to be attacks, and how do we create the infrastructure that is strong enough to manage what happens and get our systems up and running as quickly as possible, and that is an approach both when we're looking at the public and private sector that works effectively. at our core is what are we doing for people? and to the point that she made earlier is there is a simple vulnerability that we had that we are not doing enough to address, and i know that one of the elements that we're looking at in innovation that's happening in the government as well as the private sector is how do you ensure that it is a lot easier to do the right thing? it's very difficult to do the wrong thing, and if you do do the wrong thing it's contained and it doesn't spread to a system in a way that takes it down for a long period of time. so we have to be looking at all of these elements. the people, the policies and then the technologies in how
they're integrating together. >> scott kaine, this is a good segue. i think kirsten hit it spot on. it's a three legged technology, policy, people work force, and you mentioned this earlier, the need to empower the work force. how do we translate what is now arguably the weakest link into a strength? what should we be thinking about because at the end of the day, the talent doesn't grow on trees, but there are some general cybersecurity awareness capabilities that can be brought to bear. >> for us, there are two tiers. there's people with resources and people that don't have the resources so you'll tackle both a little bit differently, with the people, process, technology support. for the big folks, you know, to try to take a stance here, i'm not a big fan of the let's throw
our hands up in the air. i'm a coach in girls soccer. i don't sit there and plan, well, when the other team scores let's figure out how we're going to come back. that's a necessary part of the game. there's a preventive element. >> young kids soccer. 5-7. >> we're playing the football rules while they're playing soccer, that's right. so i guess my point is that for larger enterprises the way we tackle it typically from the client side is be preventive. it's not a bad word. it doesn't mean you have to plug up every gap but there's a couple of things. the classic don't be the slowest person the bear is chasing. just do enough to just get beyond that so i don't want to be the last person but i want to make sure that i'm not the last person. okay got it but the bigger piece is that on the preventive side you had talked about the threat actors. at the end of the day it's not that difficult to see what's going on. in a previous life, i worked as
a president of a threat intel company. you see what's going on. it doesn't have to be monitoring the dark web. there's social circles where you can take a look at threat actors and they have their patterns of attack. you know what they're going to do. such and such companies start showing up in bad places and certain places, on blogs and so on, not blogs but some of the message boards and so on. aha, now i know. such and such companies or this industry is about to be attacked. well instead of waiting until they hit let's take a look at how they typically attack folks and make sure that the companies in that particular industry or the fed groups in that particular industry are prepared, right? so hey we know john and the bad guys typically operate this way and your name showed up and within the next three weeks you're going to be on the target list, so get ready. that's not a very difficult concept. on the people side what we typically do on the large enterprises is our exercises so
using the soccer analogy, you don't just show up at game time and figure out what to do, so most of the folks when you run them through scenarios, the boards, the ops folks, the i.t. folks, the development folks who do the code, and you bring them together, run them through scenarios relevant to the threats in their particular industry, most don't do very well. so what ends up happening is you find the gaps and you fix it, so that's the way you get prepared. if you're talking about people they'll do what they have to do, but if you practice you'll do a lot better at game time, so we usually advocate that. on the midsized side, the small side, it's let the experts do it. do the minimum things you have to do, but you might want to consider someone coming in as the pro. >> i would highly recommend entities that don't have the capability to spend a whole lot of time in the deep web darkness, that's a tough
neighborhood. you have to have some real capabilities to be able to engage on that, and i think you're spot on. you make the big mistakes in the practice field and not main street usa and game day and i think you're starting to see a pretty big trend to even the financial services sector where you have small and medium sized banks looking to their providers to provide security and the cloud for example. aws, microsoft, you name the various means. i think you're going to see a big trend in that direction where entities that don't have the devoted capabilities, resources and efforts to throw at the problem. >> the industry will tell you where things are going. as the midmarket is looking to leverage the cloud more and more, because it's easier, faster, better, stronger, then the threat comes how do i keep tabs on the folks that i'm having my kids live with.
so what is happening is this is becoming enormous. keeping tabs on the big companies providing these services. you're not going to get the big companies to allow you to start rummaging through and making sure that the security protocols are in place but there's ways that the mid sized companies can use certain -- not that expensive technologies to work with their partners to keep tabs. it's a big thrust in the commercial world without question. >> awesome. i want to make sure that we have a little bit of time for audience q&a. we have about seven, ten minutes. when you raise your hand identify yourself and wait for a mic. so andy over here. >> you mentioned the active defense word. i'm wondering if you could describe for us your sort of vision of active defense and get other panel comments about where that's headed. >> first of all, back in the early '80s when we were carrying around brick cell phones and thought we were the coolest cats on the block, who thought back
then that we would be watching tv on our cell phones? who thought back in the early '80s that you wanted to watch tv on your cell phone? but today, everybody is doing it, right? the speed of technology is changing so fast and outpacing the roll call of victims to cyberattacks, and i know you'll find this hard to believe, the government moves rather slowly. and so all of our policies and processes and the things that we're trying to do can't keep up with that. and i think that's then where the active defense comes in and that's where you need a layered approach to cyberdefense. it has to be risk management based so you have to accept some risk because as i said at the outset you can't build the firewall anymore because it takes just one person on your side of the wall to do something really stupid and it will take down your system and if you're in the private sector you can't afford that. so we have to all be in this together so when i think of active defense i think of the
risk management combined with a layered approach combined with the notion of the public/private partnership. and we partner with dhs, with doj, and we're looking forward to the president's commission. nobody really has a crystal ball of looking out to the future of what is the threat in the future. but this cyber thing is the long game. and i think that the president's commission has an opportunity to really lay a foundation and a pathway forward for us that we can go collectively together to be in this kind of active defense arena. >> one thing i want to underscore, you're not suggesting to people to turn off their firewalls. you're just suggesting that the perimeter of defense as we know it is insufficient. >> that's correct. >> please don't turn off your firewall but at the end of the day, in itself, it is insufficient. i don't know what's inside and outside the network anymore since it's all kind of blurring. and traditional ways of thinking of just building higher walls,
wider moats, ain't going to cut it. the question is, there's a lot of policy space between hack back and build higher walls. and that's the emphasis on the study we have ongoing as well. we have time for one more question. so please in the back there, and please identify yourself. maybe we'll get two in. how are we on time? >> quick questions. i'm john, a student at the university of pittsburgh. i have a question for eric on the left. the previous speaker was also from the dhs and he was talking about how important it is to share information with the private sector and the public sector. but you hear about these vulnerabilities like target got hacked by i think it was their point of sale technology and there's a bunch of old vulnerabilities on windows xp. that isn't even patched comm. how do you know when enough is enough? are you afraid of sharing too much information and creating more vectors of attack?
>> if i could build on that, a signal to noise issue and what impediments are there legally if any to be able to share some of this information. >> absolutely. this comes down to the sophistication and capacity of the recipients. building on the point that scott made for a large enterprise, a major corporation, a large federal agency, our current approach is that we should share as much as possible as fast as possible. because the recipient should have the sophistication and automated tools to be able to use that shared information to better their own security. i would differentiate as a first point between sharing information about vulnerabilities, incidents, and threat indicators. our current focus right now in the automation space is on sharing threat indicators as quickly as possible. we believe cyber threat indicators should be a commodity. threat indicators should be published and shared across the
enterprise in real time. our goal would be when an adversary uses a single ttp, a single spearphishing e-mail, the first organization that detects that in their firewall, they capture that and put that in a shareable format, they send it to nccic, and we share it with the world. and the adversary can only use it a single time and it's blocked everywhere else. >> a little pollyanna-ish, but i like the idea. >> we're nothing if not optimistic. but it's only the case that some organizations will have a hard time differentiating the signal from the noise or they will need additional help to figure out what is most important? what indicators do they use first? we're building into our system the capacity to put in reputation or confidence scoring that will actually tell the recipient when they receive a cyber threat indicator how important is this? is this tied back to a nation state adversary, is it something
we have seen used elsewhere with significant consequences? and that will help organizations that don't want to just take the pipeline of indicators from dhs and use it all to differentiate based upon our confidence that it is actually significant and the importance thereof. >> eric, can i ask one point? we'll get one more question in. but looking at some of the bug bounty initiatives that a number of companies are initiating, which i think is a great marketplace. it allows for the white hat hackers and maybe even some of the gray hat hackers to be able to share information of zero day exploits and unknown exploits before they occur. do you see a day when the government can help drive the marketplace with the private sector or no? >> the dod is leading this. >> in essence, it would be providing incentives or no disincentives. >> right. certainly, the dod has launched their hack the pentagon effort where they're paying bounties for hackers to hack dod
corporation. the national guard experienced many years with physical response supporting states and disasters. you are gaining experience in assisting with the response and have you given thought into how you might have to think or act differently in preparation or response when you have both of those involved simultaneously. >> that's a great question. part of the capability whether it's supporting a domestic response as you said or cyber event is the value we bring as we are right there and we are able to set in advance of other capabilities. our response as we think about a cyber response is really to set the conditions for other responders. that is a great area of exploration in terms of how we continue to support the state governors.
>> i think we just met 20 minutes ago and that's the wave of the future. we have about 45 to 50 employees. the limitation is because of certain locations. that's everywhere. plus they are private soldiers. the way the team plays out is they work with us and on the weekend, they are cyber warriors. they are totally prepared to support the mission in the field all over the place. you have a bank and a national guard representation with folks working day jobs that are fully capable of supporting that mission. i have always felt personally that it's coupled with the talent pool and they are in the
cyber community in the private sector doing day jobs. the second job is having more fun. >> join me in thanking the panel. this could have gone on so much longer. thank you. i think we have a short break and christian will kick us off for the mandatory evacuation panel in a little bit. thank you. >> this is part of a day long conference on counter terrorism and national security. you can watch the program online
at c-span.org and coming up shortly here on c-span 3, a hearing on how the centers for medicare and medicaid services is implementing new rules for physician payments under medicare at 2:00 p.m. >> there has never been a full accounting of domestic operations. this committee has undertaken such an investigation. >> the 1975 church committee hearings. the fbi, irs and the nsa. saturday night at 10:00 p.m. eastern. they question staffers and kurt smothers detailing fbi abuses including intimidation of martin luther king, jr. >> king, there is only one thing left for you to do.
you have 34 days in which to do it. this number has been selected for a certain reason. it has practical significance. you are done. >> james adams admits to the excesses. >> we may see that or two. they were the first to see patterns or shifts in how people are going out of the world. so they are the ones who sound the alarm. >> the university professor on the role of a coroner and how they shed light on the patterns of death within a society and spot potential threats to public health. sunday evening at 6:30. they later became a vocal opponent and shares views at the
lyndon b. johnson library in austin, texas. >> they did not receive the welcome home or the benefits or the treatment that they not only deserve, but needed. the fundamental contract between soldier and government simply was not honored. >> then at 8:00 on the pedestrian. >> one of the persons watched reagan deliver the speech. dwight eisenhower. he called his former attorney general and said what a fine speech ronald reagan had delivered. he called a former special assistant and said what an excellent speech ronald reagan had delivered. he wrote back a plan for him to follow. he followed advice to the letter. >> the author documents dwight d. eisenhower's mentoring
of ronald reagan. for the american tv schedule, go to c-span.org. >> the military times out with a story, the results of a poll about who military personnel would prefer as commander in chief. the preference to be the next president topping hillary clinton by more than a 2-1 margin. they said they would rather not vote in november if they had to choose between the two candidates. hillary clinton over donald trump and male troops backing mr. trump over former secretary clinton 57-22%. officers meanwhile according to their poll were more likely to back hillary clinton, though the officers still favored donald trump by a 46-32% margin.
here's more from a reporter with the military times. >> let's begin first with who participated in the survey and what questions did you ask? >> sure and thanks for the invite. this was a survey of our readers who were serving members. active duty, guard, and reserve. we asked them pretty specifically given certain matchups, who would you vote for? i'm not trying to replicate the election, but get opinions on the likely matchups for the fall. we asked them if forced to choose between donald trump and clinton, who would you choose. the results were striking. 54% said they would back donald trump. 25% said hillary clinton. the point of the big numbers for us, 21% said forget it, i'm not going to vote if those are my choices. >> why did they say they would not vote?
>> we didn't give them the option for a third party. a lot of folks said if we have a third party option, we will take it. very interested in possibly voting libertarian or writing in other names. we will research some of that later this summer. we were looking at the front-runners and wanted to see their opinion and see how many were dissatisfied with the choices. we are seeing a significant number of service members are not happy being left with trump and clinton. >> what is it about the front-runners they are not satisfied with? >> we heard the anecdotal evidence. they feel like they are both establishment candidates in some way. we heard from a lot of folks that there is frustration that they don't understand the military and neither have served and don't understand the issues. that's one of the things we will be digging into.
this is the initial gut reaction or more systemic? >> you also did a hypothetical matchup between donald trump and bernie sanders. sanders fared better than clinton did. >> slightly better. not enough to overtake donald trump. the biggest thing is the party affiliation is what matters. when we looked at service members who are republicans, they broke for donald trump no matter what the matchup was. in clinton's case, among democrats, she got 72% of all the democrats again, regardless of when she matched up with donald trump. we are still seeing them reflect the ranks too.