Key Capitol Hill Hearings, C-SPAN, May 27, 2016, 4:00am-6:01am EDT
...we spending enough to buy down our risk. One of the questions I would throw out to the Andys is, you know, so as you buy these things, are you developing or buying? So the question is, you know, how do you leverage the private sector? How do you leverage some of the things that are already out there with respect to the development and the implementation of these new systems? Because in terms of scale it's almost a defense industrial base for cybersecurity. You've got the big players out there that build ships and airplanes and they sell them, and the question is how do you strengthen those types of partnerships and leverage things for cybersecurity. It represents a very different way of thinking about the relationship between the private sector, between states, between locals, between higher ed and so forth.

>> That's a good lead-in to managed services. Let me start by saying I'm a big fan of managed services, and I think the conversion experience for a lot of us was OPM, where you had 12 guys manning an agency's IT system doing cybersecurity and also doing password restoration. Kind of -- and against them you had the People's Liberation Army. So it wasn't entirely a fair fight. So the idea of managed services is good, but it's easier to say than to do. So in talking to people in the government they say, well, there's networks, there's e-mail, there's the applications that are running. What is it you're going to be managing? What is it you're going to move to? Then there's the question of who is it that's going to manage the services? Do you go to commercial contractors the way GSA does it now? Do you have it be a central agency like DHS? I don't know if you want to talk about managed services. If this works, it and the budget will profoundly change how the federal government does cybersecurity. I'll stress at this point the word "if." So I don't know who wants to go first.

>> I'll take a first stab. I think the answer to your question depends on the answer of who. Commercial? Is it another agency? Is it DHS? Depends on the nature of the service. Right? And, you know, I think at a minimum we need to be flexible and, you know, approach this from a pretty dynamic perspective. If I could pick one shared service, I would start with e-mail, I think. Wave of a magic wand. That's the vector by which bad guys -- and people in the private sector know this as well. It's one of the most common -- if not the most common -- way for bad guys to get into a system is e-mail, and if you'll harden e-mail you'll go a long way towards reducing your risk.

>> I would just jump in and say I think part of the goal is not just managed services and shared services, and there may be situations where it makes sense to have, for example, centralized provision from one agency for other agencies. My -- the one closest to my heart there is the Continuous Diagnostics and Mitigation program, or CDM, partially accelerated and enhanced by the CNAP, and it's DHS's way of helping agencies secure the inside of their network. So if the Einstein program is perimeter protection, CDM is what gets inside their network, and it's really three things. It's a new approach to acquisition, a new approach to governance, and capabilities. Capabilities first. That's easy. They need security tools. We're buying them security tools. Nothing too sophisticated about them. How we're buying them is novel, though. We've brought together the agencies and we're saying -- and this is common in the private sector -- you buy a lot of individual tools, it doesn't get you where you need to go. You have to tie those tools together. And so we're saying, we are going to buy you a suite of tools with integration to tie them all together and give you a coherent picture of the internal security, and that's the acquisition approach. So we're using GSA to do an assisted acquisition on this, essentially helping us run the acquisition. We're buying a suite of tools. We've grouped agencies into buckets. Each of them is getting a different suite of tools. There were different competitors and different contractors chosen for each of the buckets of agencies. So we're getting some diversity in the tool set, but we're getting integrated outcomes. And the final win there is governance, which is where we see a coherent picture of how agencies' risk is being managed across the federal government. So they get all these capabilities, they get them cheaper, dramatically cheaper, because we buy them in bulk as a government, and we get an integrated roll-up of all the data that comes out of these tools. It's a win for everybody involved. And it's a really different way of looking at a shared service for the federal government.

>> Anybody else? Kirsten? Tom?

>> From the -- you know, I think -- I think Andy's right on. You know, but I want to kind of go back to the notion of signal versus noise. I think one of the areas where a managed service can be most useful is helping that poor CIO working in an agency who's getting hit kind of make sense of -- you know, you get -- you know, you always hear the numbers. We have been hit 400,000 times today. Of the 400,000 times today, which is most important? My guess is maybe only 1% or 2%, and when you begin to look at the targeted, sophisticated attacks, if you can help that CIO leverage, you know, extensible capabilities where they can say I have 400,000 but only two of those are important. You have the term of art, contextualize it. You say I know this is going on across the world, and that's the type of managed service that would help make things actionable.

>> I think seeing the outcome of the CDM dashboard and seeing that put in place is very interesting for the idea of managed services.

>> Great. I have more questions, but I don't know if anyone out there has a question. Go ahead, please. We have one here.

>> Thank you. Nick Farmer. Is there any effort going on from either the federal government or the governors' association to move to web services? Something like AWS for the government instead of doing discrete individual services for individual agencies.

>> So, that might be a cloud question.

>> Yeah.

>> So I'll -- you know, I'll tell you there's a few answers to that. One of them is the government put in place the FedRAMP program in the 2009, '10 time frame. The idea of the FedRAMP program was to make it easier for the government to use cloud services like AWS, and the idea there is when the government buys IT normally, the agency that's bought it does its own security assessment. So they test the IT and make a decision like, is it sufficiently secure? The problem with doing that with a cloud services company is, do we want 20 agencies testing the same company? Because it's no longer I'm buying something and you're installing it here. It's I'm going to use the thing you're providing in the cloud, and it doesn't make sense for 20 agencies to all test it, and FedRAMP said we'll test it once. Each agency can look at the outcomes and make a different decision. For this agency, what you got out of the test is sufficient. For another agency they may want more, but we're not redoing the test 20 times. That was a very foundational way of making cloud services available to the government. Now, is it perfect? Of course not. But it's a really important foundation and we're building on that, and we do see agencies taking advantage of this. There are agencies -- on the DoD and the intelligence community side, there's a goal to build a private cloud just for them but using commercial technologies. On the civilian government side, there's increasing use of public cloud providers, and through this FedRAMP process making it more efficient to use those cloud providers.

>> Sometimes cloud raises privacy questions. Where is the data held? Who owns it? How you control it and so forth. I think cloud is coming more and more. You know, probably the same answer Andy had: within the states it's going to depend on the state and depend on the agency and depend on how they need to protect that information and where it can be stored.

>> Maybe one question to ask, raised by this and by managed services, is how does the federal government compare to the private sector in how it manages cybersecurity? If there's a private sector best practice, and that could vary from big companies to little companies, how does the federal government stack up? I don't know who wants to go on that one first, but when I look at what companies are doing it seems to be different from what agencies are doing.

>> I would say one key difference I see is in governance. Cybersecurity is increasingly centralized in large private sector companies. Even for companies that have fairly autonomous business units, the level of centralized oversight is increasingly significant and directive. We're still fairly distributed in the government. FITARA, legislation that the Congress passed, was intended to help that by strengthening CIOs at the agency level. CNAP is intended to help that by creating a federal CISO. But comparatively speaking, we are still very distributed from a governance perspective. In terms of the technologies, I don't think we're that different from very large private sector enterprises, in the sense that private sector enterprises that are at large scale -- that are not technology companies -- are actually being somewhat deliberate about the move into the cloud. They do struggle with their scale. They are often ahead of us in terms of -- where phase one, which is coming out now in the government, is probably a few years behind where the private sector is, but in general the large enterprises that are not tech companies are not dissimilar in their approach to the government, other than that centralized governance.

>> I think just, you know, as you find within the private sector pockets of excellence with respect to management of cybersecurity risk and also some real players, the level varies across the federal government as well. There are also budget issues we talked about earlier that come into play here. One-year budgeting. Senator Kaine mentioned that as a real challenge for the federal government that's unique to the federal government. Even the state governments don't have that, as to your budgeting. So I guess -- I always caution against, when comparing the federal government to the private sector -- yes, there's a lot we can learn. I don't want to say it's apples and oranges. Maybe it's oranges and mandarins.

>> Okay. Kirsten, Tom, I don't know if you want to -- no?

>> There's no way in hell I'm going to compare the private sector to the federal with Andy sitting right next to me.

>> I'm a big guy.

>> Let me add one thing to that. We risk falling behind if we don't sufficiently fund our efforts. The '17 President's budget with the CNAP -- it is literally the minimal amount we need to get progress. We cannot go below that or we will absolutely fall behind.

>> I do think that the processes, the governance we're talking about -- I think we're going to come to an inflection point where the difference between what the feds do, what the private sector does, whether organizations -- I think we're moving, I think we're years away from that, but I think we will hit a point where there is more parity there. I think it's going to depend on the agency, because not every data system, not every critical piece of infrastructure has the same value, and I think that's going to really kind of weigh on how much dollars get spent to reduce risk.

>> I have heard that the President sometimes thinks of himself as the CEO of the federal enterprise and he's a little frustrated at his ability to manage it, which explains some of the rationale for CNAP. We'll see if it works. But any other questions? We've got -- goodness. I said the wrong thing. We have four questions. We'll take them -- why don't we start there and we'll work our way across the room. Can you move up here? Go ahead, please.

>> Hong Kong Phoenix TV. I have a question on China. Last year when the OPM happened, the United States was about to put sanctions on China, and then the Chinese President came, the tension was sort of relieved. And recently we had U.S.-China high-level experts conversation on cyber. So could you please shed some light on what happened, what is going on right now. Is the United States still facing the same challenge from China as it had before? Thank you.

>> So our relationship with China is complex. Has many, many dimensions to it. Cyber's obviously one. We were very pleased with the commitments that were made in September during President Xi's visit here. Obviously, we are watching China's adherence to those commitments very closely and with great interest. We've got, I think, a very robust dialogue with the Chinese government on cyber among many other issues. I think it's a productive dialogue and one that ought to keep happening.

>> I will say one positive sign is Eugene Kaspersky complained that after the agreement it looked like Russia was getting more attention from China than the U.S. That's probably a good thing. We had another question right here in the front. We'll go across the room.

>> Hi. My name is John Gudgel. I'm a Ph.D. student at George Mason University School of Policy. We know that cyber information has value. Obviously FireEye has a business model for managing cybersecurity. I'm wondering, what is the business incentive for a private industry company to want to share with the government? I think it's part of what I'm doing my dissertation on.

>> Sure. So what I'll tell you is, first of all, you need to separate the companies that do have a business model of selling indicators or selling cyber threat information from the companies that are just defending their networks. Right now there's a lot of value, shared value, locked up in companies who are just defending their own networks but not taking information they gained from that and sharing it onward. And our goal is first of all to unlock some of that value. If you're the Acme Corporation, you're not in the cybersecurity business, you're just defending yourself, you're still learning valuable things every day, and if you share that through the automated indicator sharing system, we can help other companies protect themselves. On the -- now switch your lens to look at the cybersecurity industry companies, and obviously Thomas is going to have an opinion on this as well. But when I talk to those companies, increasingly what I hear from them is they realize that indicators themselves are going to be commoditized. And if you think about an indicator, an indicator is something like the IP address of a malicious computer or the e-mail address that a phishing e-mail is coming from. These things are becoming pretty widely known. I think the business value is not as much on the indicators themselves. It's going to be on the contextual information that surrounds those indicators. I think there's still going to be a huge market and a huge need for cybersecurity companies to help provide the context around indicators even as we more broadly disseminate and rapidly disseminate the indicators themselves. I think the business models are shifting in that sector, and that's really how we're reaching this goal of broadly sharing indicators.

>> I would say not all indicators are going to be commoditized. Certainly there's already commoditized ones. A company like FireEye brings -- and I'm not here to pitch for FireEye. But a company like ours, we're in 20 or 30 different countries. We've got tens of thousands of endpoints. We're on many, many, many systems. We gather intelligence and information. And frankly, if indicators -- first off, we hold the -- our clientele, their privacy, as paramount. That we don't share information about particular clients unless it's already on the news, unless they've already, you know, agreed to do that. So when the indicator is pushed out there, it loses its value. The bad guys are going to change their -- you can still stop them and track them down. There is a value for a company, for the whole private sector, to be involved in this. My notion earlier of a DIB for cybersecurity, a defense industrial base where there's a balance between what the feds do, what the private sector does, what higher ed does and NGOs, we all have an intrinsic value. I think cybersecurity is different from a kinetic response. For example, if there were a substation that was under attack by an armed -- you know, an armed group, big green is going to be there. The Army's going to be there. Someone's going to show up. And there are a lot of instances right now where those private substations or universities are under attack by nation states. Sometimes it's organized criminals. And it's not always going to be DHS that's going to be able to respond, or the FBI be able to respond, or whoever. You need companies like FireEye and others because we fill a very, very important need. And what DHS does and what the feds do, they provide some great services, but it's not going to be ubiquitous and it's not going to be esoteric for every single need that every single state has.

>> We had one. Please.

>> Rick Weber at Inside Cybersecurity. I guess this is for Andy Ozment. You mentioned when we were talking about information sharing and CISA implementation -- have any of the participants in the [inaudible] invoked the liability waivers under the new law? And in addition to that, DHS has said you'll be revising and reissuing the guidance on sharing between non-federal entities. If you can talk about that also.

>> Just by sharing you receive the liability protection. You don't have to sort of formally invoke it. The act of sharing is protected under CISA and the Cybersecurity Act. In terms of revising the guidance, as we were talking about earlier, I'm proud of the fact that DHS has hit all the deadlines. They were very aggressive deadlines. We had a lot of people working very late hours. But the next deadline for us -- one of the more recent deadlines was first to publish initial drafts of guidance documents in mid-February and then final drafts in mid-June. And so we are on track to meet those deadlines. Either there is out now, or will very shortly be out, a Federal Register notice that we're going to have a workshop on June 9th to go over where we are on those guidelines and sort of show people final drafts and elicit their feedback. And then I do expect us to meet that mid-June deadline of finalizing the documents. By the way, we got really positive feedback on that first set of documents we published in February. I think we were pretty close on the mark even in those draft documents. What I've heard from industry is they were very clear and they were very helpful. The biggest feedback we've gotten is actually they want the documents to cover a topic which we just hadn't intended them to cover, which we weren't expected to cover, which is the liability protections that companies receive for sharing with each other. That was really, we thought, outside the scope of that first set of documents, but we are going to address it because we have heard a hunger to get more information on that. We are going back and forth right now. The final will be mid-June. But we have shared these documents. We're eliciting comments -- I mean we published these documents in mid-February. We're eliciting comments, talking with sector coordinating councils. We're going to have this in mid-June and then issue the final in mid-June.

>> I have one final question. Do we have one more question over there? One in front.

>> Good morning, everyone. My name is Elias Akora, with the Global Governance Institute. Thanks very much for that really interesting presentation. I have a question about this issue and I'm wondering if you can put it in a global perspective and really hone in on the question of alliances. Senator Kaine talked about NATO as a natural ally partner to build cyberdefense frameworks to be mutually beneficial. I'm wondering how much progress has been made or how much work has been done toward this effort on the administration side. And of course I'm wondering if Congress has looked at it.

>> Kirsten, do you want to go first?

>> Sure. In the Cybersecurity Act there are some interesting provisions about international cooperation with indicator sharing and things like that. So we were definitely, I would say, thinking about this and about the importance of that global conversation on these sorts of ideas as we negotiated the Cybersecurity Act.

>> Let's close out the session by asking the question that no one has asked so far but we really need to hear about. I'm going to pick on Kirsten first. Which is, what do you think Congress ought to do? What's on the congressional agenda? You've done a fair amount. What's next? Let's get the views from the others. What would you like Congress to do? That's going to put some of them on the spot. Kirsten, why don't we start with you?

>> Sure. What we are continuing to do is oversight. Obviously, we've talked a couple times about the deadlines that are sort of ahead of us for the implementation of the Cybersecurity Act. June 15th I think there are a handful of additional documents due, final guidelines, privacy and policies and things like that. So we'll continue our oversight. We are considering two potential hearings to look at this implementation. Sort of an industry perspective. And then having folks from DHS come in and talk to us about the implementation. The committee is also very engaged in things sort of outside the Cybersecurity Act. Internet of Things, cybersecurity insurance. The security versus security debate that Senator Kaine spoke about. Obviously Chairman McCaul is one of the leaders --

>> Senator Warner.

>> With Senator Warner.

>> Yeah.

>> That obviously is, as the Senator said, looking at all digital security technologies. So that will continue to be at the forefront for us as well. Outside of our normal oversight duties.

>> Pass the President's budget request, please.

>> I would just say two things in terms of what I think Congress should do. I think they should continue to look at the mission, the whole-of-nation approach. When you look at what the role of DoD is, what the role of DHS is, what the role of states and locals are, and to continue to look at a way to build out a mission that is truly national, that really -- it's not just fed-centered, because I just don't think that's going to work in the way we want it to in terms of getting security. I think the other thing they should do is look at how they are really supporting states and locals with respect to dollars being pushed out to support their own esoteric needs.

>> Great.

>> I'll have two as well. NPPD has made a proposal for authorizing legislation to the Congress in terms of our own organizational structure. I think that's a very important bill to move on. And I'll be frank. Just from a managerial perspective we have to come to resolution on that issue. It creates enormous uncertainty for us. We really need closure there. The second thing I would say is really to foot-stomp Andy Grotto's message. The FY17 budget is a make-or-break budget. The Department of Defense has, I think, gotten from my civilian perspective pretty steady and good funding for what they're trying to do in Cyber Command. We have, relatively speaking, not put as much funding into civilian government and cybersecurity. And if we're going to be serious about this, we have to put the dollars there. It's not going to magically happen without the resources to support it. And I think the '17 budget is truly a make-or-break budget for them.

>> We're doing a report at CSIS looking at the progress made in the last decade, which has been substantial, both from the Congress and from the Bush and Obama administrations. But we're also looking at the next things that need to be done. So I think a lot of the issues you've heard -- building up DHS, thinking about governance, moving to managed services, some of the things we didn't talk about, authentication, figuring out DoD's role -- these are all going to be big problems. Let's see how far CNAP gets in moving the ball forward. It's a great last effort. We'll see if it works. Thank you very much for coming.