Politics and Public Policy Today, C-SPAN, May 24, 2016, 9:03am-10:01am EDT
would be the commission that could make a recommendation. Now, I know there's kind of a reaction to, oh, man, another commission, just what we need. But I actually think it would be a good idea to do that commission that could then forward material to Congress, and I'm going to tell you why I like that. I would prefer to do that rather than jump into Feinstein-Burr. The question of privacy versus security is about a careful balancing of really important things. As I said, while members of Congress should have the ultimate responsibility for voting on legislation to try to strike that balance, we're uniquely unqualified to do it for this reason: there's no area where a member of Congress is more different than the American public than in a reasonable expectation of privacy. Members of Congress, the 535, we're different than the American public in a whole lot of ways.

But I would argue there's no area we're fundamentally more different, and that is we have long ago surrendered any expectation of privacy and we have forgotten what it is to have an expectation of privacy. I'm -- you know, I started in politics in 1994 and it was pre-YouTube and essentially pre-internet. I still at that point, as a city council person, had some expectation of privacy, but I have none now, and nor does anybody else in my line of work. And so if you give us the task of striking the balance between privacy and security, first, we will overvalue security, and of course we should. That should be the top priority of everybody in Congress, to protect national security, and so we will be extremely diligent about that, and we should, but we will undervalue privacy because we've forgotten what it's like to have any privacy. And so if trying to strike that balance is something that is for Congress, we're going to strike it in a way that I don't think will fairly take into account the legitimate privacy interest of American citizens. Now, that question, what is a legitimate privacy interest of the citizen, is a very complex question. It's not easy. There's got to be some -- to strike the right balance, some expectation of what is a reasonable expectation of privacy. Most citizens knowingly or unknowingly surrender that privacy every day, and there's sort of an issue of how relevant is that repeated surrender to the question of how much privacy vis-a-vis government individuals would be entitled to. There's all kind of challenges as you get to trying to decide this issue about the scope of a legitimate individual privacy interest. But Congress is just not the right body to do that. And we would really be benefited by a commission that -- of people that include folks who can remember what it's like to have a private sphere, and who would then -- and would also respect the national security interest in trying to set that balance. Rather than rush in to a solution where we haven't really worked out the scope of that individual, legitimate private interest, I would say, you know, we should get that done and hopefully get it done with some dispatch, because I think those recommendations back to us would really help us grapple with it. That's my second. My third thought is in the cybersecurity investment area. We have to invest more in cyber capacity, and I think this is one of the areas of government that has been most affected by budgetary uncertainty. If you look at sequester, shutdown, furloughs, continuing resolutions instead of budgets, it's had an effect on everything we do; I would argue it might have had as much or more effect on cyber as anything else. Because it's -- first, it's coincided with the time where the need, and the acknowledged need, for cyber investments has been ramping up. Just as that's been happening, we ran into March 1, 2013, going into full-on sequester and then needing to figure it out. So some of the budgetary uncertainty -- people that are looking at career paths, they're going to look at one, the government, that seems uncertain, and they'll look at other opportunities. I worry that our uncertainty basically chases talent in another direction. On the Budget Committee, I came into office with sort of two goals in mind on that committee. First, a very state-centric kind of governor's-type goal, which is I really like two-year budgeting. Every state does two-year budgets; at the federal level we do one-year budgets when we do budgets.

But states do two-year budgets because it's good for predictability. It's wonderful for our own people. It's even more wonderful for the private sector, so everybody can understand the parameters and what they'll be dealing with and adjust accordingly. We have now done two two-year budgets in a row. It was ugly getting there; the first happened after the shutdown of government and the second happened after I'll resign into a two-year budget deal. But, at least, we're moving back towards some level of predictability. But I'll tell you, when I go out and talk about budgetary issues to Virginians and I try to make the case about sequester and budget caps, the BCA strategy that was voted on in 2011 and the things that went into place -- when I try to tell them why it's bad, I always use cyber. You know, in the case of the BCA caps, basically sort of held harmless safety and spending on war fighting, but everything else, nondefense discretionary except -- and defense other than fighting, were all affected by sequester. It's kind of like we'll hold everything down, and I say -- people say, that's great, we should save money. So why should cyber, when it's not core war fighting, get affected like everything else? I mean, the notion of across-the-board anything is foolish from a management standpoint, especially in areas where there's a wide recognition that we're doing too little, not too much. That's the first thing that we need to do on the investment side.
>> A lot of work we do in cyber is done in D -- and to the extent the caps hit DHS, cyber gets affected, and so it will be taken up on the floor. And if we do that, then we have to make the right investments, and the right investments are twofold, and then I'll be glad to open it up and take some questions. The first one is workforce. When Jim introduced me, he talked a little bit about work that I do. Virginia is a center for the technology workforce -- not only the center, there are other states that have huge expertise. But even as a center of a technology workforce, second in the nation in percentage of workers in technology, in Virginia there's huge gaps. The state economic development partnership says there's one candidate for every three cybersecurity positions that are open in Virginia, and this is in the state with the technology workforce. And so we have a dramatic need to get more people into this field. This is one of the reasons, among others, that when I came into the Senate -- I didn't get put on the HELP Committee; Health, Education, Labor and Pensions is a committee I really wanted to be on. I realized you don't have to be on the committee, you have to pick an issue that nobody on the committee is championing. I grew up in a manufacturing house; my dad ran a welding shop. I ran a vocational school in Honduras 35 years ago, and the U.S. sort of systematically downgraded the importance of career and technical education over the course of a few generations. Now there's a renaissance and it's coming back, and cyber is one of those areas where trained technical talent does not necessarily have to have a college degree; there are other ways to get the skills, to verify validated skills that you need to be a player in this area. And so this is one of the things we're working on. We put important career and technical advances into the Every Student Succeeds Act; we're now working on the Perkins Act to do the same thing; when we get to the Higher Ed Act reauthorization we'll work on CTE advances that will include cyber. In Virginia -- I've got to mention that because my wife is secretary of education -- they're also doing major work in this workforce area to expand the cyber workforce: the redesign of high school curriculum to include more CTE and cyber courses, the effort to designate community colleges around the state as national centers of academic excellence, and down in Hampton Roads one became the third community college to receive that designation. We have to have both the federal and the private sector workforce necessary to meet the challenge, and some of that is going to be really tied up with our work on Perkins and reauthorization to promote this workforce. In addition to the workforce, we just got to shore up our investments in technologies and platforms. I visited FireEye -- FireEye is one of the cosponsors for today, and they're a wonderful, powerful leader in this field in Virginia -- I visited their office last fall and we had an extensive discussion about the problematic reliance of many federal agencies on unsecure systems that are legacy systems, but they're unsecure because there hasn't been the dollars available to purchase the upgrades, to either make upgrades that can be made or define new systems that would be more secure, and largely this has been because of the budgetary uncertainty, sequester, budgetary caps. So if we can find the path out of BCA and sequester -- and I'm not talking about just for -- I am kind of a budget hawk. I do believe in the management of debt and deficit; I just don't believe you do it by across-the-board caps. I think that's foolish. I think you have to manage that through targeted strategies that involve both sides of the revenue sheet, but across-the-board reductions that hit accounts that are so important in the cyber world are very foolish given the needs we have. I'll conclude, maybe take a couple of questions. The information sharing bill that we did was sort of, in law, we call it necessary but not sufficient. It was very important that we do that, and it was good to kind of have some discussion with folks working on this issue as the implementation was underway. Companies are kind of starting to get used to the notion of sharing. Companies are starting to get used to the notion that if they do share, they get helpful tips back about things they should, you know, prepare for or watch for, but there's a lot more of that to do and we hope that will ramp up; we'll talk about implementing it. I think these areas -- further development of doctrine, grappling in the correct way with the privacy-security balance, and getting over some of the budgetary malpractice so that we can make the investments we need to in people and systems -- are the next, beyond information sharing, issues that Congress should tackle. And with that, Jim, I'm glad to take a few questions before I head up to my committee -- we have a committee hearing in Foreign Relations on U.S.-India relations to prep for -- U.S.-India relations; India does more military exercises with the United States than any other nation, and has the capacity to be a good cyber partner, if you thought about somebody you would want; there's a lot in that space. We'll be carrying this discussion up in the hearing room in a matter of minutes. Jim, I'll take a few.
>> All of the committees -- I think the hardest thing we've seen, efforts by different committees, but the stovepipe nature of the jurisdiction seems to be blocking us getting an integrated view. What can we do about that?

>> That's a great question. You'll have panelists; ask them that same question, too. I want to hear what they say. We had an information sharing bill on the floor of the Senate the year before and couldn't do it because the committees of Intel and Judiciary were arguing with each other about, wait a minute, you put it on the floor, it should have been us, we should have worked together. So the stovepipe effect hurts us, and we're not just talking about those committees; you know, Foreign Relations and SASC, and the appropriators, it's very critical they be involved. This is a topic that cuts across domains. That's one of the reasons I like the McCaul approach. I think it will develop -- the idea, the commission, and I think I read this right, it's not just about encryption. We're not just trying to solve the encryption question; it's more a look at digital encryption questions but others as well, from multidisciplinary stakeholders. If we rush into being about a solution because, you know, the FBI cases grabbed everybody's attention, as it should -- if we rush into being about the solution of that issue and we look at narrow gauge, we'll certainly approach it, in my view, in a side-by-side look way that won't give it that integrated look that it needs. That's one of the reasons I like the McCaul approach.

>> Do you want to call?

>> Yeah.

>> Introduce yourself, please, if you ask questions. Do we have a microphone?

>> The relationship you think you have at the moment with companies like Apple and Google, is it a bit too confrontational, and do you think there's a way you can mend that and cooperate with them? And secondly, if asked -- if asked about, would you like to be vice president, what would you say?

>> I'm hoping nobody asks. Let me answer your first question. Well, he said, if asked, what would you say; I'm just hoping nobody asks. On that, is it too confrontational. You know, Senator Warner says this -- Mark is on Intel, and most of you know Mark and I are really close; we've known each other for 35 years, and one of the virtues of dividing up the committees -- he's Intel, Banking and Finance; they put me on the Aging Committee, too, I don't know why, just recently. But Mark, his pitch on sort of FBI-Apple: both sides are kind of claiming a moral superiority that is above their actual, you know, moral stature. So there is some tough rhetoric back and forth, and the Apple-FBI case is the case that the law school professor would write. It's got all of the features that a law school professor would write for the exam. And those features make it incredibly compelling for the FBI's case: that it is a phone that was used by people who were actually carrying out an attack connected with terrorism; it is a phone that is owned by the county, that said we give you permission to search. The facts militate for the FBI's point of view. When you dig into it, you do get into, even if you're strongly in support of the security imperative, which I am, the whole notion of, you know, getting back doors into encrypted systems that could potentially chase users to other companies, to other technologies, that would end up hurting the law enforcement effort. So there isn't a, you know, complete black hat in this. And so I think that we can -- we should just defuse that rhetoric and really grapple to the extent we can with nuance that will change. I mean, one of the things about this area is we are almost guaranteed in a solution we come up with to do our best effort and then still find the world changing around us and have to revisit it. Again, I will go back on your question about rhetoric to the point that John asked me. That's one of the reasons I like the approach, because I think getting stakeholders from different sides around the table is more likely to help Congress do the informed thing rather than react to one really dramatic case and either miss elements or overcorrect.

>> Thank you, Senator. I'm just on the other side of the circle here; my question's coming more from a transatlantic perspective. What opportunities do you see to rebuild that trust, or bridge that gulf that exists between the United States and Europe on cybersecurity, on data privacy?

>> Obviously, the trust was really damaged, again, at least facially, after the Snowden publicity. Some of the distrust was, you know, public protestations by people who were kind of pretty aware of what was going on; nevertheless, that's real and there's a need to rebuild it. And, again, the underlying issue was -- the revelations brought to bear a spotlight on this issue of how you balance the security and the privacy issues. And, you know, we look at some of these issues differently, but I think the gap between the U.S. analysis of these, or our sensitivities to the privacy and security side, and European, to the extent there's a gap, I think that gap is closing pretty quickly. You know, obviously and tragically, European nations have had to deal with some very, very difficult situations in this space, terrorist attacks, and not just Europe, obviously; not just Paris and Brussels, you know, the Sinai; we will know what we'll know about the EgyptAir flight. You know, I think as more nations are seeing the security versus privacy challenges in the same way that we are -- so I think that as the security issues become more equal, some of that -- it's not necessarily that it creates trust; it kind of creates a shared sense of mission for getting this right. They kind of make this decision, would a cyber attack trigger this legislation. There is good work going on within NATO, cybersecurity cooperation between NATO and allies and the United States. That's, I think, moving forward at an accelerated pace; that's probably helping. But sadly, the security realities of the world are probably bringing all of our sensibilities a little bit closer together in terms of the urgency of answering some of these questions.

>> How about one more on this side, and we have to let the Senator escape. Sorry.

>> Coming up.

>> Let's go back to the 15-person panel that's being proposed. Might that be a way of addressing the stovepipe issue, and might one of the outcomes be a recommendation of a joint committee of some kind of the House and Senate?

>> Possible. I think -- so, ever heard the question, that it is possible that a solution might be some kind of a joint committee. You know, my -- I have proposed a similar joint committee on war powers questions; the War Powers Consultation Act that Senator McCain and I have been pitching to replace the War Powers Resolution of 1973 would establish a bipartisan consultation committee that would be a permanent committee, a permanent dialogue with the executive over hot spots that could develop into needs for military action. And that could certainly be a possibility in this one. I think one of the things we'll want to make sure -- if I'm going to remember this right, I think the Warner proposal is 15, that's sort of eight by the House, eight by the Senate and one by the president, and I'm trying to remember if there are specified disciplines that need to be included. I think it's important to get that right. I want to make sure you've got the full group of stakeholders: privacy experts, business leaders, academics. You want to make sure you've got the full range of -- full range of expertise around the table. But the larger issue that they're going to grapple with is not just encryption but digital security. If they would identify, and I can't imagine they wouldn't, stovepiping as an obstacle to digital security, you would suspect they'd make recommendations to help us get over stovepiping. It's not just an agency thing; it can be a congressional concern as well. We've got to figure out ways to get by that. That's a good thought of what one of their charges can be: structural, on both the executive and the legislature. You really have a good panel coming up. These are the real experts after me. Thank you for letting me come and kick it off. I look forward to following and getting a readout on what the panel puts on the table, and I look forward to working with CSIS, and thanks for including me today.

[ applause ]

>> Truly insightful set by the Senator. If I can ask the panelists to come on up, we can get started. This is an easy panel for me.
If I introduce them as I know them, it will probably sound wrong. Let me introduce people quickly, and we'll have their bios on the website. Andy Grotto, senior director at the National Security Council. We have two Andys; they both have the same job, which is a little confusing. Andy -- before that he was senior adviser for technology policy to the secretary of commerce, and I know he was very effective there, hearing from other people, including the secretary, and he, of course, was a professional staff member at SSCI starting all of this. After him, we have Kiersten Duncan. She's pinch hitting; for some reason the other speaker we had from the committee had to go to a meeting on TSA. I don't know what might have happened today that will call for Secretary Johnson to have an emergency meeting; in that case, we're grateful for you being here and filling in. She handles cybersecurity and infrastructure protection for Chairman McCaul. She works on cybersecurity and cyber and technology issues. And most importantly for you in the room, she was a PMF, which is the real seal of approval from the federal government. Thank you very much for filling in. Andy, sitting next to me, old friend, has worked in cybersecurity for two decades; it's hard to believe, he must have started when he was six. He's currently the assistant secretary for cybersecurity and communications at DHS, where he has -- I didn't know this -- a budget of more than 1 billion and 600 employees. That's like real money, right. And he's -- he leads the federal efforts to respond to cybersecurity incidents. And prior to that, he was also senior director at the White House, and the thing you probably know Andy best for in that role was the executive order on critical infrastructure protection that resulted in this framework. And he is that rarity in the discussions of cybersecurity, someone with a PhD in computer science, so very rare. And finally we have Tom MacLellan, director of national homeland security policy and government affairs. Many of you, of course, know Tom from his previous work at NGA, the National Governors Association, where he helped really reorient that organization to think about cybersecurity. He led the resource center for state cybersecurity there and has worked in these issues as they relate to the state level and to cybersecurity and homeland security for a long time.

>> That's kind of old to do
several years ago, as you're probably aware, Chairman McCaul and the Scholarship for Service program -- a couple of things we already discussed here also cementing sort of workforce issues, getting engaged with the National Science Foundation; GSA uses the Scholarship for Service. That same year, a number of other bills passed to authorize the cybersecurity across the -- and provide for more hiring authorities at DHS to make sure that we can build up this cyber workforce. So I think we had the ability to build on a number of efforts that are already underway. I think one of the elements, as I mentioned, is the cyber incident response plan. I look forward to seeing that. We had a number of fire chiefs come and speak to us and talk about sort of their plans for cyber and talk about other training opportunities that they might be aware of. We're doing another hearing today at 10:00 a.m. to build on that for state and local issues, and I think that incident response plan will help prepare all around.

>> caps, more than seven years of determined effort by the administration to raise our cyber defenses, disrupt activity in cyberspace and enhance our incident response capability. I thought I'd spend a couple of moments focused in particular on the sort of -- under the banner of national defenses there are sort of two pieces to that. One is sort of, you know, providing tools to the private sector and structure to help them. It's really important; also, I know the president has asked the commission on this. This is where the connection to information sharing really becomes clear. You know, as you all know, this threat poses very unique challenges, right; many of the targets are in the private sector, critical infrastructure, be they financial information. That means that combatting this threat requires collaboration between both private sector and government. Obviously, with information sharing, it's been a priority, focused initially on intragovernmental sharing coming out of the CNCI work. Fast forward to December of last year and the cybersecurity bill finally passed, you know, sort of surreal for me; I was deeply involved. And you know, since then -- and this is kind of enough -- since then, passing a step is building out capabilities to both share information and receive information so that we can better understand the threat investigation and in turn provide more support to the private sector and other entities. We're focused right now on deploying the capability called Automated Indicator Sharing, aka the portal, for those of you who are familiar with that phrase. We're finalizing clear and transparent guidelines for companies and individuals on how to share information through the portal, the first draft of these next month, and so I'll leave it to Andy to elaborate on that. Maybe I'll offer a couple of observations about how this debate on information sharing has kind of evolved in the six or so years that I've been involved. If you go back to 2011, 2012, I perceived at least a pretty widespread sentiment in the industry.

>> You've got to know your network. If you don't know your network, how can you possibly put information to use? You have to know how to deploy information. You have to know which information to focus on and which is simply noise. So today, it seems to me that the main barriers to information sharing, if they were perceived as sort of like legal liability issues, obviously the legislation has helped clear many of those away. Now we're left with, you know, barriers such as mainly business drivers, right, so things like, you know, the cost of capability, the maturity of an entity's cybersecurity risk management program to be able to use information in a productive way. I think this will be a challenge that we all need to put on both the government and friends of the private sector, is trust: use it for the purposes that both sides agreed to, and the information, that we protect it from unauthorized use. I -- a big question in my mind is, you know, what we in the government do to further build trust with the private sector that sharing information with the government -- going to Andy is a nice follow-up on.

>> Go for it.
>> We're like a twin act here, Andy and Andy. You know, we started this work in 2012. There were very smart people on my team, one of whom is here in the audience, who said we're going to share indicators in an automated way. There's no way we get the volume of information we need, in the government and to the private sector and back again, unless we can standardize and automate this. We had to have standards first. DHS led the development of two standards called STIX and TAXII, and those two have been able to implement the legislation today. We handed those standards over to the standards body OASIS last year, so a normal industry standards consortium is taking them forward. In 2014 we took those standards: all right, we've got to pilot this stuff. We worked with the financial services sector and set up a pilot for sharing indicators back and forth. It was very successful. So successful that it spun off a company to sell a product, the outcome of this pilot. And then, of course, we worked with the Congress and with folks in this room to bring about the legislation, and I really thank the Congress for the Cybersecurity Act of 2015, which gave private sector companies liability protection for sharing this information with the government. We formally -- the secretary formally certified our system as live on March 16th. And since then we've got about 30 entities right now, companies, federal agencies, state and local governments, part of that system, and we're growing by a handful of companies every week. We've shared thousands of indicators to date. Obviously, we're still in the early stages of that system, but it's working, it's live and people are receiving value from it already. What I will say is my charge to you in the audience: the only way we collectively succeed with this system is that we all put information in and take advantage of the information that's in it. My message, when I'm out talking to companies: we've built it and given you the tool; I need you to join and share it back with us. That's really the next stage of where we are on the Automated Indicator Sharing effort. With CNAP, a brief additional comment: a lot of people are confused about DHS's role in government. The analogy I've settled on, I think of every cyber incident as being like an arson in the real world. When you have an arson, you want the firefighters there and you want the cops there. We're the firefighters in that scenario. Law enforcement has a hugely important role: FBI, Secret Service, HSI and all the other federal law enforcement arms. You also want a firefighter there who is concerned with let's put out the fire and let's help you rebuild this building so it's more resistant to fire in the future. We help victims, whether they're companies or government, find the bad guy on the network, kick them off the network and rebuild to be more secure. We're not law enforcement, although that's a hugely important role; our only customer is the victim and our job is to make them more resistant to future attacks. Part of that -- I have a former firefighter on my team. He said, almost, if you rounded it, it would be about 0%. I said, okay, where did you spend time?

>> Our goal is for there not to be fires in the first place. That's the same thing with DHS. In addition to this incident response, we share information and promulgate best practices and help government agencies not have incidents in the first place. This indicator sharing is a key part of that. It's sharing information that will prevent incidents from happening in the first place.

>> Great.

>> My turn?
>> yep. >> great. >> first up jim and csis thank you for having you here. i know we go back quite a ways. i'm the private sector guy up here. i work with the company called fire eye and we do incident response, you heard about us many times in the news. we also do services, kind of a big move augmentation to challenges out in the field with the challenges of work force shortage and so forth. so i'm also a late addition to the panel, and i'm going to focus a little bit about cnap and broader about some of the challenges with respect to information sharing. so just my background, it will help understand my perspective, i spent 16 years working on the state level with governors through the national governor's association working on cyber security and cyber crime and so forth and also kind of in a role with a development on the development on the joint action plan for state and federal unit
of effort. i come from a state policy background with now this overlay view of what the threat environment looks like. i have four opening comments, jimt, and in general the traditional approach that we got, in this country really isn't working all that well. rsh oirks usz. you've got to keep in mind, the adversary ris are changing radically every day, every hour. so things like hygiene and firewalls. they're still important. what we've dot to get more active and more proactive. and i think some of the steps that we're seeing some of the bills are going to help get there. they're not getting us there all the way. i think there's another big step that we need to get out there in
terms of having proactive defense where we'll go out and hunt in our systems. the second is, i really view and have always viewed cyber security as a shared responsibility between states, locals, feds, the private sector, and ngos like the msi and some of the other groups that are out there right now. when you look at the bills that have been pushed out there, one of the questions i have, having worked with states and with governors here, having heard governor, senator kaine, i worked with him when he was governor, is that notion of how -- what's the right mission between what the states are doing, what the locals are doing, what the feds are doing. you know, it's not a criticism, it's kind of an observation that the -- the cnap and system are really kind of more focused on the federal level. i know that states and locals -- i do know that states hunger to build up their own in terms of capabilities. and the third thing i want to mention, again, is that privacy. privacy is paramount. in this context, what i mean by privacy isn't the right to be left alone. it's not the expectation of privacy. it's that fair use of information. so as companies begin to contribute to -- whether it's ais or some of the other sharing arrangements that are out there, they have to be very, very careful
with respect to respecting the privacy in so much of the fair use of the information that's being shared, whether it's about a victim, individual or victim company. and lastly, i want to say that information sharing is a great role, but it is not enough. information sharing is a step in the right direction and there are also some inherent challenges when we're sharing information. the first is, and i think either one of the panelists, the senator mentioned it earlier, the notion of the more information that's out there, the more noise you get for the same amount of signal, maybe a little bit more signal. the question is, information has to be actionable that's being shared, so how do you begin to take all the information, pulling in all these indicators, and turn that into something that's actionable for the agency or individual or for the organization. and lastly, with respect to the information sharing kind of side is that notion of sometimes when you share information, the bad guys know you're sharing information and they're going to change their ttps, their tactics, techniques and procedures, so that may also kind of push the cycle a little bit faster. in and of itself information sharing is a good -- not in and of itself, but as a component of a larger strategy, information sharing is very good. our company recently announced the development or the launch of an information sharing network where we're sharing indicators of malware and atomic indicators and other things. we value that notion of sharing. it's the end, what's next.
>> great. thanks. when i look at the cnap, five things, five or six things leaped out at me that kind of biased us out of the debate we've been having since 2012 and the -- i can't do all the names, rockefeller, feinstein, collins, lieberman, that's ancient history.
>> five years ago.
>> seems like forever.
>> so the five things i think that leap out are assurance, the
emphasis on assurance, and particularly it's interesting to look at some of the things that might be done for things. budget, managed services, the whole series of work force efforts and then maybe the rethinking of the framework. we may not have time to hit them all. i wanted to hit a couple right up front and see what the panelists thought. budget is always a good one and the president is calling for 19 additional billion dollars. what is he going to spend it on? what do you think he should spend it on? andy, that might go first to you.
>> so, yeah, one key element of the budget is this proposal that we offered last month for a $3.1 billion information technology modernization fund. so taking a step back from cyber security, you really can't separate cyber security from i.t. acquisition and management, right? at the end of the day, we don't do cyber security for its own sake, we do cyber security to support, you know, reliable i.t. and we use i.t. to deliver mission and services to our customers. and what the information technology modernization fund, itm for short hand, you know, we have a long list of legacy i.t. spread across the government. we can bubble wrap it. we can wrap it in duct tape. you know? these systems were not necessarily built with cyber security in mind, so what we are doing to protect them is kind of, you know, again, bubble wrap it and duct tape, and finding in a lot of cases -- well, what we expect to find in many cases is that it is more cost effective, both from an immediate budget perspective but also because today's i.t. becomes -- potentially legacy i.t. in five, ten years, it's cheaper to replace it today than to keep
bubble wrapping and duct taping it. and what the fund does is provide a revolving fund for agencies to basically identify systems that they have as eligible, potentially eligible for being replaced through this revolving fund. i think, you know, senator kaine mentioned -- i believe the doctor mentioned, as well, the congressional angle here and how in particular the way we do i.t. budgeting, which affects cyber security budgeting, also has that same kind of congressional jurisdictional challenge as some of the more strategic issues that senator kaine discussed, meaning that, you know, one of the goals of cnap is to encourage and incentivize shared services because it's more efficient and easier to defend from a cyber security perspective. the challenge with that is, you know, right now each agency's i.t. budget for the most part is authorized and appropriated in that agency stovepipe. so the real challenge for us is going to be working with congress to figure out how you actually get -- how you, you know, get to that -- get to that model of shared services. it's actually incidentally one of the challenges or questions that we have asked the president's cyber commission to look into, is this very question.
>> i personally will be upset to see the government finally stop using windows 2000. but --
>> i know. it's a collector's item.
>> cobol on some systems.
>> let's foot stomp.
>> hear that? still using cobol, if you know what that is we can talk about it later. talk about antiques.
>> let me foot stomp one point that andy made, which is the i.t. modernization fund. the idea
here is, i'm running a legacy i.t. system. it costs me a lot of money to keep it running. and yet, congress is, you know, understandably reluctant to give me a pot of money to buy something new. they want me to have the same amount of money, run the old thing and replace it with something new, and that doesn't work because when you're replacing a big system, you have to spend money to run the old one and build the new one, and for some period of time you have to have essentially double the money. the idea hopefully is you end up with savings replacing the old one, and for a period of time you have double the money, and obviously that's an approximation. the fund is intended to bridge that. it will give agencies what will essentially be a loan to run -- while they pay for the old system with the current budget, it gives them a loan to build the new system and pay it back over time with the savings from having replaced that legacy system. that's a pretty novel approach to running things in the government from a budgetary perspective, but i think it's a huge improvement and really the only way to be able to replace these legacy systems because there just isn't the money or the congressional will to fund us to run old things even as we build new things.
>> kirsten?
>> from my perspective, i think following the passage of the cyber security act, watching how that is implemented, you know, our role and my role in oversight of that, not only the automated indicator sharing but also the growth and strengthening of tools like einstein and cdm. we haven't talked a ton about, you know, homeland security's role in securing federal networks or helping to secure federal networks, arriving at tools to be readily available, and one of the things we tried to take on in the cyber security act was making sure that those tools are flexible, dynamic and can continue -- are not stagnant. we hear a lot that, you know,
perimeter defense isn't the only defense, and i think watching einstein, cdm, grow, be implemented, what? the deadline is the end of this year for everyone to be accessible in the federal government. right? so i think one of the things in cnap is to support those sorts of activities.
>> so -- but in terms of -- so from a budgetary perspective, you know, one of the things of my role both prior to then and now is to educate state policymakers to really think about budgeting for cyber security, that it's not a -- it's not an opex or a capex and buying things but infrastructure, and so when you look at the budgeting process for all of this, and, you know, the feds actually do a pretty good job about it for budgeting dollars for cyber. 12% to 15% of the overall state i.t. so your question about budgeting has kind of raised the awareness of are we spending enough to buy down our risk? one of the questions i would throw out to the andys is, you know, so as you buy these things, are you developing or buying? so the question is, you know, how do you leverage the private sector? how do you leverage some of the things out there with respect to the development and the implementation of the new systems? because, you know, in terms of scale and, you know, it's almost like a defense industrial base for cyber security. you have got the big players out there that build ships and airplanes and they sell them. and the question is, how do you strengthen those types of partnerships and leverage those things, and that represents a very different way of thinking about, you know, the relationship between the private sector, between states, between locals, between higher ed and so forth.
>> that's a good lead-in to managed services. i'm a big fan of managed services and the
conversion experience is opm, where you had 12 guys manning an agency's i.t. system with cyber security and also doing password restoration, and against them the people's liberation army, and it wasn't entirely a fair fight. the idea of managed services is good but easier to say than to do, and in talking to people in the government, they say, well, there's networks, there's e-mail, there's the applications that are running. what is it you're going to be managing and move to? and then the question of who is it to manage the services? do you go to commercial contractors the way gsa does it now? do you have it be a central agency like dhs? i don't know if you want to talk about managed services. if this works, it and the budget will profoundly change how the federal government does cyber security. allow me to stress at this point the word if. so i don't know who wants to go first.
>> i'll take a first stab. i think the answer of who, is it commercial, another agency, is it dhs, depends on the nature of the service. right? and, you know, i think at a minimum we need to be flexible and, you know, approach this from a pretty dynamic perspective. if i could pick one shared service, i would start with the e-mail, i think. wave of a magic wand. that's the vector by which bad guys -- and people in the private sector know this as well. it's one of the most common -- if not the most common way for bad guys to get into a system is e-mail, and if you'll harden e-mail you'll go a long ways towards reducing your risk.
>> i would just jump in and say i think part of the goal is not just managed services and shared services, and there may be situations where it makes sense to have,
for example, centralized provision from one agency for other agencies. my -- the one closest to my heart there is the continuous diagnostics and mitigation program, or cdm, and partially accelerated and enhanced by the cnap, and it's dhs's way of helping agencies secure the inside of their network. so if the einstein program is perimeter protection, cdm is what gets inside their network, and it's really three things. it's a new approach to acquisition, a new approach to governance and capabilities. capabilities first. that's easy. they need security tools. we're buying them security tools. nothing too sophisticated about them. how we're buying them is novel, though. we've brought together the agencies and we're saying, and this is a common practice of the private sector, you buy individual tools. you have to tie those tools together. and so we're saying, we are going to buy you a suite of tools with integration to tie them all together and give you a coherent picture of the internal security, and that's the acquisition approach. so we're using gsa to do an assisted acquisition on this, essentially helping us run the acquisition. there's different competitors and different contractors chosen for each of the buckets of agencies. so we're getting some diversity in the tool set but we're getting integrated outcomes, and the final win is governance. we see a coherent picture of how agencies' risk is being managed across the federal government, so they get all the capabilities, they get them cheaper, dramatically cheaper because we buy them in bulk as government, and we get an integrated roll-up of all the data that comes out of the tools. it's a different way of looking at a shared