tv Politics and Public Policy Today CSPAN September 14, 2016 1:00pm-3:01pm EDT
valuable than the other. who are the mercenaries and state actors behind these breaches and how are they purchasing, selling and splitting our systems? in the paper we publish next month we'll have a briefing on it september 22nd. the federal inspector will be acting health and human services, scan loan, so we look forward to seeing you there. want to thank underwriters for making the evening possible engage on social media, #icit. to get started with tonight's briefing, as you know the energy sector is considered by many to be one of the most critical infrastructures we have. as we're here tonight energy grid riddled with vulnerabilities which have yet to be exploited large scale. tonight we're discussing current security posture of the energy sector, what vulnerabilities exist and which bad actors are targeting the sector and of course how we can improve our
defenses. the first session for the evening is from pete and joyce giving public sector perspective on this topic. pete was former cto for department of energy, currently a member of icit gala board and ceo of dots and bridges. joyce hunter deputy cio policy and planning for u.s. department of agriculture. so please help me welcome our first speakers. >> great, thanks, parham. i appreciate the chance to be here. two villanova grads, if you're wondering what the v stands for, pretty excited, it was a good year for us. again, i'm only about nine, nine and a half, ten months removed from the federal government. what's most exciting after 25 years and spending the last 7 1/2 or so at the department of energy was the opportunity to sort of take what i was doing in my role there.
that was working inarguably the members us of the critical sectors, the 16 we know exist today but also on this panel or this conversation we're going to talk a bit about how joyce at the usda and department of energy, collaboration that's needed to really talk about this complex ecosystem. my time in government was very rewarding. being on the outside now and looking back, this is a topic, critical infrastructure that is pervasive. it touches the public sector, federal government, private sector and i should say state, local, tribal and territorial communities as well. but the private sector and investment that's needed r&d that's being done, we'll talk a little about that part of the ecosystem and the consumer sector. i think most of us when we go to bed at night and flip the switch off or get up and turn the switch on, drink the water, take the shower, eat the food, take a plane somewhere, i know we may
pretty it subliminally but these are the things, that's the consumer element of this infrastructure that i don't care we take for granted. but when the light doesn't turn on or the water doesn't get warm or come on period, not to be an alarmist, to parham's point but we rely and depend on this. maybe if there's a a snowstorm, the power might be out for two days and you enjoy it. after three you get a little antsy, want to shave and get the power on but you assume things will kick back up. what we'd like to do tonight and talk about it later in our second panel really how the federal government and the role it plays from oversight, if you will, and the relationships it is having with not only amongst the agencies but also what kind of -- the compliance versus the mandate versus what do i need to really know to really move that pendulum forward ash innovation. what we'll talk about is not so
much the sectors themselves, the critical infrastructures are there to simply identify where are we at risk across the 16, again, the ecosystem itself it's quite diverse but more important we want to look at what are the threats today beyond physical threats and natural disasters. cyber security is now going to impact our critical infrastructures. the human factor, which is not just insider threat but you think about an aging workforce, a skilled workforce that knows the infrastructure as it exists today that was purpose built 100 years ago to do a job it effectively is still doing. as we address the internet and its impact or the internet protocol, the smart grid, which sounds cool but really the same concerns we have in our agency, business, and home networks we now have to think about those as threats as we make the grid
smarter, the power grid and, of course, the impact downstream on other critical infrastructures. that's a little about my passion and interests. again, i'm excited to be talking here with my colleague, joyce, who is going to paint a little bit of a picture on the mission of not only what we may think the usda is but its impact. joyce, why don't you address some of the things we chatted earlier about and not just what the usda is doing but its critical role and its dependencies on other sectors. >> just a little bit of background. i went the opposite way of pete. i have been in federal government service for about 3 1/2 years, spending 25 years in industry and then five years with my own i.t. consulting company, so i came from the opposite end of the spectrum. but i think that agriculture is very complex. i'm a city girl. urban, born and raised in
philadelphia. so what did i know about agriculture? not much. i spent a lot of my time in my previous life in health care. so i knew a lot about health care and i was a very mission focused person. and agriculture is a mission focused organization. with critical infrastructure you have to realize with agriculture we have 29 agencies, staff offices and mission areas. some of those include areas like animal plant health inspection service or food nutrition service or nes, national agriculture statistical agencies. those are influential in the marketplaces. when you really look at it, it's complex because we do not only production but processing and delivery. so production, the farmers, producers, and ranchers. the supply chain also includes
areas such as processing. you have tyson foods, other processing organizations. then on top of that you have the delivery. so you have the grocery stores and then you also have the food chains that access the food supply. when you look at it, any one of those areas could potentially be a target for any kind of contamination. we employ a lot of inspectors, meat inspectors, egg inspectors, chicken inspectors, you name it, we can inspect almost anything. they have even added tilapia -- not tilapia, but catfish, i guess because they are grown in farms. therefore, farms, catfish, so we've got catfish now. it is of great importance to us because our job is to protect the american people. and to be able to supply those
security features and security measures so we can make sure that the food that is grown from a production perspective, you look at it, it's more than just the food, it's the soil, what's in the soil. it's the water. it's the water that takes care of those plants. it's the pests. we have introduced several pests. with people traveling as much as they are, we have to really admit that sometimes these are not maliciously brought into this country but they are just travelers. bugs attach themselves and come along and come along for the ride. they get free airfare and come in and lodge themselves in our citrus organizations. there is a bug now that is
destroying the citrus population in florida. imagine this, it has made its way across the country and it is now in california. we just recently had a hackathon to try to come up with various measures in which we can try and find this bug and report it as it is trying to grow and develop. so those are the kinds of things we're involved in in trying to keep our agriculture products safe. >> that was awesome. you touched on a couple of things i just for clarification purposes when i mentioned 16 infrastructure sectors and you can find those by googling 16 infrastructure sectors in our country obviously and they are unique. one of the things tonight we will address there's an unintentional silo effect that occurs with every sector, every agency and in the case of dhs
which oversee a bit of activity and policies in those sectors. information sharing, data collection, creation, analysis around each of those sectors as we migrate data to the cloud, engage in analytics, which is a hot term in washington and i imagine any revenue business that wants to understand and extract value from -- whether the intellectual property associated with domain space, there's a theme in order for us to create a more resilient infrastructure. yes, it's available today. the light should turn on and may turn object. you could see it's reliable to an extent. it might be out a few hours. this injection of technology and the analytics associated with the amount of data we create as an agency, federal agency, i can tell from the energy sector
standpoint, the value of turning data into information is extremely valuable and information sharing to be an effective ecosystem requires collaboration. i don't mean, hey, let's get on the phone and have a conference call and talk about what we think is important, that's part of it. you have to be willing across those sectors, private and consumer sector to engage in a dialogue not always 50,000 foot level but bring it down a bit and a bit more to talk about. hey, maybe some of the data we have generating and how you're protecting it is how. >> joyce, you hit on a couple of things, worth referencing, dependence on sectors. i never thought about food safety and food security terms when i was doing a little research into how usda was approaching it. from the energy standpoint and
energy sector generation and transmission and storage and delivery and distribution of energy. what i'm eating and where it was grown and the impact of fertilizers, you were recently out in northern california, i believe, with some of that hackathon and awesome activities where you're doing a lot of crowd sourcing and communicating with the public to look at innovation. water transportation systems and chemical services are impacted, food and agriculture are impacted by those. the food delivery, supply chain. when we think about critical infrastructure and impact cyber is having and the report generated and all these bad actors and trojans and worms and all these things that are affiliated with more of an internet or computer or technology oriented discussion, there is a supply chain for food and agriculture. there's a supply chain for dams
sector, defense industrial base. looking at that ecosystem again across -- and having the impact the internet protocol will have in those sectors, you see that merging if there's something i should be worried about on infrastructure and data center, it's probably something i have to be thinking about and can have lessons learned and translate that out into if you're a commercial owner and operator in the case of utility electric utility, oil, natural gas, at least from my world and production facilities in the fda. so let me ask you a question here. we hear a lot about regulation, compliance, an agency that is the ultimate nonprofit, if you will, federal government. we are investing money in r&d. a lot of the federal government pushes money back out for research and development
element. how do you feel that it's balancing meeting and being compliant with regulation versus stimulating ecosystem the president talks about when he addresses it in his cyber security national action plan. we have to have a lot more not just reliable but resilient secure infrastructure that's flexible. how do you balance that tension or address it? >> it's very difficult. as we know, sometimes the government does not necessarily move at the speed of light. but if we're going to stay ahead of things like i said before, there are natural disasters home grown bugs, the bugs inserted and other organizations that want to get ahold of information. having science-based surveillance is key and critical to be able
to figure out exactly what's going on. that means you're going to have to employ and talk to other agencies. so we have to have a relationship with energy. we have to have a relationship with transportation. as we are growing more crops in climates like california, arizona, other areas, and they are shipped across united states, we have to make sure they are secure. it's a multi-agency relationship we have to have. surveillance systems are extremely important. we have to determine exactly where the source of the problem is. remember the avian flu last year? it was kind of marching its way across the country. being able to work with transportation organizations and farmers and other places to be
able to provide that information ahead of time, letting them know there's a tracking system that we have put into place that allows them to find out where the disease is going to be next time or where it's going to be the next season. as you know avian flu only starts up when the weather is starting to get cold and birds start migrating. you have to have some kind of tracking system on the birds so you know where the birds are flying and where they land next time. it's a lot of science-based information that you have to employ. sometimes legislation and scientific discovery and innovation. sometimes they don't commune with each there's a lot of fear, uncertainty and doubt, what i
call fud in the system. a lot of people think too much scientific investigation leads to the frankenstein effect, whereas it basically is necessary to inform and educate. it allows everyone to make better decisions. farmers, producers, ranchers and consumers. that's what we use the data for so we can better inform people what's going on. how it is going to affect them and what they can do to mitigate some of the circumstances that they have. legislation sometimes is slow to come about. and sometimes a lot of the directives that come out don't come with money. >> the unfunded mandate. >> the unfunded mandates. so a lot of times we're thinking the agency isn't moving fast enough, a lot of times the
mandate didn't come with funds so we have to rob peter to pay paul to actually get some of these things done. it's not necessarily that we don't want to do it, it's that sometimes we have to figure out how we can do it. that's not going to be a burden on the consumer as well as not be a burden on the agency providing that particular service. >> well said. you hit on a couple of points to wax or riff off, there's definitely no shortage we know about and the report so well done referenced a lot of chronology or genealogy of what is critical infrastructure. i highlighted 10 in my notes i find that build on one another. for those of you listening and watching there's great material at the dhs website for starters begin that's a de facto portal for a lot of information and it can be overwhelming. when you start with what does
critical infrastructure mean, it's the animals, it's the electricity, it's the networks that we use. it's the distributed energy systems that we hear and read about but wonder what it is. i like to break it down to if i was talking to my phone which i do, the power grid is a network. it's an antiquated one and one that works but purpose built with platforms that needed to be available to the consumer to provide power. when we think about how to approach today, network in house solution building out ping, power and pipe we called it back in the day in the data centers i worked in. all that plumbing behind the scenes to allow us to do e-mail, applications to do phone mail, convergence of telephony, voice,
video, data on one wire coming out of the wall, that freaked a lot of people out. i was fortunate enough to be in education at the time and i was asked to spearhead an effort to take that bull by the horn and really make it happen. who today doesn't think i want to have one bill that handles my voice, video as well as mobile phone bill. it's innovation that seemed to not so much outpace the technology or situation at hand. i think with the energy sector and i don't want to speak for the agriculture sector but we're seeing a case where very slow to in accelerate, if you will, or implement the innovation. there's a country of innovation happening in the government. the government spends arguably about $150 billion, with a b, every year on r&d. there's a big chunk on r&d spent on physical, cyber, electricity, oil and natural gas systems and of course in the farming
industry, et cetera. using satellites to watch crops generate or grow. geology and nasa together in california. there's this linkage of technology that requires that institutional knowledge of what does a farmer see and deal with every day. the convergence of telephony put people out of work. it took aging infrastructure and not so innovative and said, hey, we need to build something that's going to force that workforce to become more of an expert in new technology. some folks said, hey, it's time to cash out my chips. i don't want to learn about voice over ip stuff. we're seeing that as more of a challenge with aging infrastructure and aging workforce. i don't want to gloss over that. what you also said, joyce, that really caught my ear, you did reference the information and technology that's available today is allowing us to make data driven decisions.
if i'm a farmer and used to do something a certain way, i might not be asking you new technology i need information extract freddie your brain to know what is the best way to irrigate. what is the best time of the year to do the i think so you referenced. on the energy side the smart grid is the hot topic. smart grid, i was guilty back in the day thinking one day it was going to be at my house. yeah, i have a smart meter in my home but i don't know who is watching that data, what it's going to do. the idea of controlling it from the beach or driving an autonomous vehicle and interesting internetwork, i embrace innovation but i'm not sitting here saying i want to be the first person and early adopter. that's a challenge and that's incorporating standards which the good folks at federal regulatory commission and it can't be adversarial, coalition
of the willing like joyce and i like to refer to ourselves as. i appreciate the fact that you emphasized data and analytics in driving some of that innovation. >> i think one of the things we have to understand that agriculture is no longer beverly hillbillies and green acres. so people out on farm now have gps. i was last summer, two summers ago, maybe two and a half summers ago i was out in iowa and taken out to the john deere r&d facility. i expected some grizzled senior mature man to come out in overalls and help me drive a tractor of some sort. i was absolutely amazed and floored when a young man about 21 years old, graduated from iowa state six months ago,
t-shirt, jeans, had his tablet, waved me over to the planter, got into the cab of the planter, took his tablet, plugged it into the console. he his cd changer and put his ear phones on his ears, plugged it and programmed it and gave me the joystick and said drive. that's where we are. data-driven information. the planter drove down a prescribed path, turned around. it missed a spot. once it completed its run, it went back to the spot it missed and planted the seed. it takes that information from the soil, uploads it to the gps system and sends it out so agriculture or one of the other
agribusinesses can prescribe a prescription for the soil. too much water, too much oxygen, too much nitrogen. that information, that's what we're concerned about. when we're talking about critical infrastructure, we're talking about people being able to get ahold of that data and being able to use it for either nefarious purposes or for purposes of their own. one example eggs we've highly -- we really, really do protect the information that nas has, our statistical agencies because they are the ones that inform the stock markets. so you have the markets of soybean, wheat, corn, et cetera. and if anybody were to get into that, they could adjust the markets and either become very rich or become very poor. so that's part of the critical infrastructure that we need to protect. so it's a very complex
organization, and it's going to involve a lot more data sharing so that we have the information that's necessary in order for not only us to make decisions at the agency level but also information that we can inform our stakeholders. >> great, great points. now, the transition there, as you were speaking, got me thinking about the triage of critical infrastructure protection, cyber security and go down the path of what elements of cyber security, many elements there, user entity behavior analytics, incident detection response, there is models and simulation of an environment so you can see if something happens prescriptively i need to be prepared for. >> zero vulnerability report. >> we know we read before this event. highlighted. that will grochl the same report a year, six months from now will
have new threats. what i took extracted from what joyce is saying. again, natural disaster threat. the climate action plan is not a bad read in terms of how do we prepare when there's changes in climate. there are definitely cyber security threats, again, whether it's the power grid, agricultural food, what we worry about in data centers we need to worry about. back and forth flow of information. i think it's great you vp people out there. i'm looking for actionable activity. actionable intelligence is a great word, sexy to say, internet of ideas. from a consumer perspective we expect iphones to be privatized and protected. we could have a whole other discussion with health care sector about hipaa and that
aspect. information flow, incident response, cyber security as it relates to critical infrastructure i think it's pretty awesome and amazing that these only -- these 16 sectors are so intertwined. this is one of those factoids. from an energy perspective, this is what the power grid is today. think about this. two points -- quadrennial energy review. approximately 2.6 million miles of interstate and intrastate pipelines. 640,000 miles of transmission lines, 414 natural gas storage facilities, 330 ports with crude petroleum and refined petroleum products and more than 140,000 miles of railways with crude petroleum, liquefied natural gas and coal. if you think about that in the context of that's a network of stuff, physical stuff. there are folks out there that are shooting guns at physical
plants and transmission facilities. there are drones that are being used now to not just spy on electricity and facilities that are in the middle of many rural areas in the country but literally picking things up and dropping pieces of metal and so forth to bring down transmission facilities. that's a physical threat. and then the cyber threat we've talked about, whether it's stuxnet, what have you, that's a good example of one that's like, thank goodness it didn't happen in my backyard but it can happen. with this wireless information of data sharing, who is protecting data about my information as petco customer, satellite from farmer to utility. we have to think about that from foreign nation perspective. that's where the report addresses bad actors inside and outside. that triage is something we want
to take away today that affects all 16 of the sectors. >> if we go back, he quoted some figures. if we look at agriculture, there are 2 million farms, approximately 900,000 firms and 1.1 million facilities. that's a lot of information. if i could say that over five years ago i say there are three things that worried me. the things that worried me five years ago still worry me. cyber security, infrastructure, and i.t. workforce. it was true then. it's true now. >> well said. >> joyce, pete, thank you very much. >> can we have our panelists come to the stage. while our panelists are getting settled that was a really great
conversation. one of the things we want to show today is the connecting points between the different sectors. energy is not independent of agriculture, which is not independent of transportation. these are all interconnected. so the more we get stakeholders in each sector to understand dynamics that play within national ecosystem with these issues drive holistic solutions to some of these problems. so the final panel for this evening is going to cover the content of the paper and have some experts share their perspectives on what was discussed and share anecdotes from their own points of view. to my left product manager from forcepoint. jay williams, fellow and vice president of cyber infrastructure protection at parsons. to jay's left is, of course, pete and to the far left is ryan, fellow and cto for
critical infrastructure at fireeye. thank you very much for joining us today. i want to start by giving the audience a lay of the land from your perspective. describe current security posture of our nation's security sector and how well are we doing? >> i'll take that one. i think we're sharing a mic here. as far as the energy sector and other energy sectors, i think on the positive side of things we have increased our awareness for the need for cyber security in i.t. and o.t. we're taking necessary precautions and policies and guidelines have been created such as industrial standards, isa 99, 64423, and specifically for the energy sector, a series of nine security measures that entice both cyber as well as physical security. however, one of the areas we
need to correlate cyber security is similar to where safety was 20 to 30 years ago in that cyber security is one of the risk factors that need to go into everybody's risk management plans. cyber security needs to be part of the culture in critical infrastructure especially in the energy sector. the greatest thing is the security industry has matured to sound state of policies and training and procedures that could follow suit and pull cyber security in with that. the other note i want to make in the o.t. space, when i speak o.t. and industrial control systems, specifically level one and level two are not necessarily addressed very specifically in the documentation. there's a ton of vulnerables in pocs and iot devices. there are thousands of protocols
and manufacturers of those that are unique. not like i.t. where you have intel processor amd, windows or mac, that's about as far as it goes. in the iot down in the ot and industrial control level, a whole other bailiwick of controls. >> i would jump onto that and say, yes, it's complicated. all of these things you've mentioned, it's a very complicated sector to look at. the good news is it's recognized. we're all here talking about it. the report was written. we're all looking at it. everyone is ready to jump in and figure how do we tackle this and fix it. that's where that information sharing that pete and joyce talked about earlier really comes in. let's make sure we're talking across agency, between agency and private sector so we can keep all of that knowledge base moving. >> excuse me. one other thing.
it's highly -- key to have proactiveness in that sector. they definitely lead the way as far as advance cyber and critical sector, nerc cip. >> i would add if there's a theme from any sectors and the discussion we're having, risk management, risk mitigation, minimizing risk is your goal, not the silver bullet. there is no silver bullet. great technology as a claim. i can make sure you never have a breach in your power grid or water filtration system. i hope nobody really believes that. but mitigating that risk through innovation, and i have to give shout out to national laboratories for those that don't know that ecosystem, amazing people doing amazing work for not just this country but the world. when you do a little research
into what these places have on their plate in terms of taking some of those billions of dollars to look at how do we mitigate that risk from a cyber standpoint in this case in the energy sector, my colleagues here on the table i would assume agree that we've got to keep pushing that envelope, move the pendulum forward, connect the dots in the sense what could the impact be if this happens or that happens. keep asking the question, continuous cycle. if you can create a bridge where you ultimately can say that information we learned in this sector can be shared, you avoid this noncollaborative or valley of death as we call it in the r&d space. that's something that is important. please, if nothing, take away there are amazing folks doing research and development at the earliest level to invent but also to leverage with the private sector, entrepreneurs out there who have developed capabilities. risk mitigation is something we
definitely want to have as a theme when we walk out of here today. >> absolutely. the next question is going to be based on one of my favorite quotes in the paper, just let it sink in. the paper states, the nation of survival depends on complex energy grid which in turn is dependent on assortment of power generation plants, distribution facilities and transport mechanisms to deliver energy to home and businesses that support life, business, operations and critical infrastructure systems. think about that. it supports life. we're talking about things that when we mentioned earlier kicking off the session people consider this to be the most critical sector, this is why. my first question is what are factors that contribute to growing attack surface, why is it now becoming such a large issue. >> 15, 20 years ago, no wi-fi, these controllers weren't
accessible at someone's home on the beach. to your point, whole efficiency and uptime to the extent we're introducing vulnerability because we want that ease of use and efficiency, we're broadening that attack surface. that's what scares me the most. before insider threat, focus on my inside folks and if i get that locked down, good. now opening ransomware we never saw before in industrial control now we are. largely stemmed from phishing e-mails, never part of the industrial control, adps we'll get into later on. that attack vector surface was never there. i think through efficiency and ease of use have opened that up. so we need to take a step back and say how do we take your typical i.t. cyber security and make them industrial control relevant so they are still doing uptime and efficiency but securing nation's energy sector
as a whole. >> in general technology and innovation what we seek for vulnerabilities, it is unavoidable. it is our responsibility as solution providers, public and policy creation to create a safe inform to continue to deploy those technologies and innovation in order to remain competitive and to remain as capable as we are especially like the energy sector and grid. >> as stated in the report and also on energy.gov, we've decentralized all these different aspects of what makes up the sector. so we've got different transmission, generation, delivery functions, these are all separate markets. what used to all be one is now controlled, sharing and
complexity we've added in, which strengthened a lot of it. in a lot of cases we control where they are. no one knows what's happening. the more we get control of that and know what's out there, the better we can mitigate and manage. >> just a thought, when you're driving down the highway, working at energy did for me, you look at cables, phone lines and transformers, i'm no engineer but i'm like, man, somebody invented that and it does something really important. you just assume that's how it works. now i think about what if a line was cut, what happens? what's the disaster recovery like we think about if a server goes down. that's where innovation is happening with terms you're hearing and reading about, microgrids, renewable fuels, distributed energy. whether you're on a -- have a green thumb or not, the fact of
the matter is the grid is growing. there's new technology that we as a country are investing in. bad things happen in fukushima. bad things happen deepwater horizon. bad things happen katrina. those bad things unfortunately spawn opportunities to innovate and be able to predict if something happens maybe not have cities and people dying to parham's point after a few days because there's no food new york city clean water, no ability to communicate. i believe the federal government, public-private partnership, this innovation, r&d invested is awesome and the reality is we have to -- i believe we should embrace it. we know things won't always work. there are cyber risks. you can take a data center down three days and say, hey, it's maintenance window. you don't do that on power grid. you're building -- we talked about this. building cyber, bolting it on now and one day retiring but you can't bring down the power grid, right? just say, hey, everybody,
there's no power for a few days or a few hours. it's not convenient. that again adds to the complexity but we have to have streams of pushing innovation and inertia behind it, risk focused. wait a minute, we don't want to open up the grid for a breach. the report talked about this current snapshot, that static list of 20 or so items we have to be thinking about and there would be more tomorrow. but we need to, as a country, respect the fact that those national laboratories and other academic institutions or allow them to do that basic and research that's applied so that we cyber folk or cyber community enmeshed with scientists doing r&d are looking towards really delivering that resilient flexible, scalable secure network we will call this generation's power grid. not the smart grid, just more
features. >> one thing that was mentioned, stacy mentioned, increases efficiency but caused some problems. i want to focus that comment in the context of ot convergence. a lot are i.t. and o.t. is becoming a newer concept for them. can somebody talk about the phenomenon and whereas yes it is driving efficiencies but what vulnerabilities is that also creating? >> i think what we tend to forget about, we really beef up enterprise i.t. side to maximum security and cyber but no one is losing their lives in these attacks, right? you take it to the o.t. side, you've got german steel mill blowing up, actual loss of life potential here. that to me, talking about energy grid going down or take water going down in manhattan for a week, bedlam and brawl, stock market goes down, this is something we really need to take
serious and really focus on applying that cyber security to that particular point. i think the really key point is convergence between i.t. and o.t. and how the attacker can attack through i.t., cross dmz firewall and has access to controllers. on the flip side they can come in through o.t. and come across dmz firewall and get into the enterprise i.t. side. so where we hear that concept of air gap, that's not really the case. jay and i were at siemens together, a lot of companies say we're air gapped, completely off from enterprise i.t. you go in there and find out 15 different ways back and forth. they didn't know that. i can guarantee you the attackers do. we really need to button up both sides of the fence. >> i want to take that from a different perspective, people's standpoint. cyber security is not just technology but people and
process. one thing that anybody who has been in the industry knows, there's been this battle from i.t. and o.t., industrial control engineers and i.t. we're coming around to accepting the fact it requires collaborative effort enterprise wide with i.t. and industrial control engineers and maintenance and facilities. but even more than that, it requires people from environment health and safety, requires people in auditing, requires c-level suite for budget to implement these things. convergence between i.t. and o.t. implies convergence with all our critical infrastructures. >> i completely agree. it's a bunch of folks who now need to talk to each other that never need to talk to each other. maybe now they don't speak the same language. we have to educate all different sides of this issue and actually get everyone talking about the same things.
have you i.t. come in spouting cyber security acronyms, i.t. won't know what they are talking about and vice versa. we need to converse at the same level. >> i want to switch gears and talk about attribution. for a long time, maybe a common thought. attribution leave that to certain federal agencies and only large companies who have the budget to go through that process. but something the paper talks about and we've been talking about in our circles is the value the attribution process provides to defending your sector, specifically energy sector. can you talk about your views on that and why attribution can protect your investment. >> how can you protect something when you don't know the attacker. you have to know the attacker landscape. are they criminal organization, a state sponsored attacker. that's a good question because you have to understand, are they
severely backed by funds. do they have the ability and region and depth to do that or some small time group out that got lucky. you really need to understand your attacker and be able to take that counter-measure and in turn build your protection up against that. that's typically how i would just look at the service. >> again, to expand on that, it gets back to something as simple if the sectors themselves, which we all agree are intertwined, who would argue they are not, you've got tension of regulatory body in some light is, you know, viewed as a compliance focused, telling us what to do and you've got owners and operators from pg&es of the world and duke energies and florida power and light and co-op in texas that doesn't have the dollars to invest in the innovation but the grid in that complex ecosystem that it is, it relies on each
one of those entities no matter how much money is being invested or not. so if a pg&e is doing some really compelling stuff and innovation around protecting assets, information assets, instead of like i don't want to share my secrets with another sector because i have customers and it's my bottom line i'm dealing with, that's a mind shift, paradigm. information sharing sounds great. after everybody leaves the room, are they really willing to do that. i'm talking about sharing information not on who are your customers but how are you dealing with cyber security and incident protection and protecting architecture to say this is how we've done it at our utility or in our utility sector space. that's to me, again, one of these it sounds really good. the white house, of course, pushes it. it's one of the most common terms if you search object threats to the energy sector, it's resilience and information
sharing and cyber security. some people are doing some really great things. it doesn't do the country any -- it doesn't do it good if one sector or one business says we're super and uber protected and then their neighboring state that they rely on for who knows what protection doesn't have time, energy, or workforce. >> this is something we've seen the needle move maybe not as quickly as we'd like in the room but definitely move in the defense and intelligence spaces. so they have already started this path to better sharing with each other. not always do they want to. but they do recognize once we are a collective and we do talk to one another, that's much more powerful. so i think perhaps we can take those lessons learned and hopefully share that with the critical infrastructure sector and all sorts of other sectors. >> i think to the point i do want to give credit to them, i
have seen sharing. are we going as fast as we like, probably not, but that's the nature of the beast. joyce's point earlier. we move at our i think this al opportunity where we are responsible also to work with our local, state and federal agencies, even fbi which there is threats detected, because they can help be that common piece that helps collaborate that data between the different infrastructures. in addition to that, there's private sector companies doing global threat portals that collaborate and utilize that data like an anti-virus. >> those of you who read our papers know we spend a significant portion of each report discussing threat actors
and their motives and their preferred attack vector. they list them out. we are proud to provide that to the conversation. i want to discuss from your perspectives some of the threat actors mentioned in the paper who are the ones who stood out to you for what reasons and any ideas there. >> i think that's -- i could go on for probably about an hour. you always hear russia, china. there's two different types of motives there. russia is typically in it for the monetary value. china is in it for trade secrets. chemical, energy, water, that's serious business when you talk about the polymers and data. it's not about stuff blowing up. it's also about keeping the data. don't want to see another jet that looks like our jets in the air. we want to focus on that. but there are other threat actor
groups. of course, you have russia with the dragonfly groups and china with apt. axiom is one of the most sophisticated out of china. you have desert falcon out of the middle east which a lot of people don't give tout to. you have a lot of different threat vectors. either state sponsored or criminal organizations. they are targeting the energy sector. we need to look at what kind -- are these rand -- cyber terrorism is an act of war. the easiest way to take down is this. now, i can take a group of
individuals, highly skilled individuals inside a room and take down your energy grid your power, water. what are you going to do? destroy from within and crumble. we need to understand their tactics, reverse engineering, building our intelligence from that perspective. >> i just wanted to give honorable mention to insider threats. we can't forget about insider threats. they represent -- >> '80s. it's still legitimate. >> one of the higher areas. frankly the good news is with just proper training and policies and end point hardening and basic best practices, we can circumvent a lot of the inside threats. >> good point. >> i will jump in on that. recently, actually just announced today, 2016 ponemon
report have some statistics. i will read them to you. increasingly malicious insiders target privilege users to obtain access rights through social engineering as we discussed in the paper. and this has been an increase of 48% over 30% back in 2011. so we're seeing that much higher percentage of spear phishing attacks and other social engineering avenues. there's also a lack of visibility continuing to hinder the ability to determine if users are complying with policies. is your training working? yes, insider threat is so '80s. but we still have the problem. people aren't listening. our staffs are turning over. so as joyce and pete talked about earlier, we're having an aging workforce, especially in the federal government. millennials are coming in. their view of security is different than most of us in this room.
so we have to just be very aware of that. 57% of respondents to the survey said that organizations do not have capabilities to effectively monitor privileged user activity. your privileged user is the one you have given the keys to the kingdom. so how do you know when they're not doing something they're supposed to be doing or doing something they're not supposed to be doing? we have to be very cognizant of that. it's a different type of insider. >> something that's -- i mentioned a few times tonight is that it's said the energy sector is the most important critical infrastructure we have in our country and any country. i was wondering, do you agree with that statement? if you do, which i presume you do, why is it possible to reinforce that concept to as we mentioned in the onset of the discussion increase the awareness of this issue to
ultimately drive better defense? >> so, yes, obviously, the energy sector is truly the backbone of all 16 critical infrastructures, without energy, all the critical infrastructures fall. as far as reinforcing, as we continue to do, the energy sector is one of the few infrastructures that have a policy that's regulated. all the other critical infrastructures do not have any regulated policies or compliances right now. nist is a framework, isas are guidelines. we have to continue to enhance. they came out with a new revision. we have to push deeper into the sector on a control aspect of properly protecting those systems as well. continue the whole culture change.
>> i just want to chime in that i don't want to steal presidential policy directive 21. but it does identify the energy sector as uniquely critical, because it provides an essential function across virtually all critical infrastructure sectors. from a consumer standpoint, if you give it a 10 second thought about when i flip that switch what's really happening, do you care, maybe not. if a cell phone is not working, we get frustrated. things you take for granted that i think the energy sector not to be an alarmist, but ryan brought up a great point, when a city goes out and people don't have food and panic and mayhem and pillaging and all that, you see the impact not having energy or power can have on our daily lives. the information exchanges that need to happen amongst policy
makers, regulators, innovators, entrepreneurs, we need to make sure we have a bridge for the entrepreneurial individual who out there today has invented something that could encrypt data. maybe we turn it upside down on es encryption. maybe we have to think about not just mitigating a risk for the thing that is a known vulnerability but who is thinking outside of the box? i know there are people doing it. i think we cannot allow that road to innovation to be stifled by compliance and regulation and just meeting the mail. which we all know happens. here is a standard. i met it. i don't have to do anything beyond that. it gives an opportunity to celebrate innovation. i think we need to do more of that in our country. and maybe it easier for those individuals that have a passion for protecting this infrastructure we know that is vulnerable today to have that
voice. whether they're in a grand investing it today or in another country, we have to trust that there could be an exchange of information and a fluid exchange so that we can really push that again pendulum forward and create that inertia that's needed. >> we have about six minutes left. i want to get to the final two questions we have. we talked a lot about the importance of information sharing and collaboration between public and private sector, between different sectors, between different agencies. how can this come to fruition? i can't recall if it was in a previous offline conversation where we said everyone is collaborating and talking about it, but is it doing anything once you leave the room and talk about these great ideas? is it legislation? is it innovation across industry? >> public and private sectors come together extremely key and critical to us moving forward as
a society -- in a secure society. i would like to call our security vendors. being able to embed a security, not from a network perspective but on that particular asset, is really going to be key to absolutely squashing any type of attack at that level. to jay's point, how do we get down there, secure, embed it down at the proprietary level so we can ensure that's not overrun? >> another good example of this i think that applies here is the smart city initiative. there's much cities that are taking this on and even in foreign countries and nations. it really does exemplify the combination of combining all the private entities, critical infrastructures, transportation, energy as well as local government, local fbi, police,
fire. there's a lot more at stake in the sense of there's radio blockers. there's all sorts of other threats that can actually influence a city's infrastructure. if they can't respond to an emergency. so i think the state of indiana is an example. recently held a large-scale drill where they involved all ems, all emergency services, critical infrastructure, state and local government and local fbi and went through a cyber security drill of an actual incident. and i think it's going to take those local and state entities that drive these type of activities that cross all these different agencies that really will make the difference in the long run. >> if i can try to triage my thoughts. i think in threes. if i'm an investor, if i'm an
entrepreneur, a large or small business, let's focus on the folks who get up every morning and want to change the world. the government who is a not for profit arguably that says i will give money -- i will pump it into the ecosystem. the white house or the national economic council and ostp, office of science and technology policy put out a document, it's a great read, in november of last year that spoke about the american innovation ecosystem. how do you feel the entrepreneurial community? how do you incentivize, which is something we talked about. how do you create an incentive for somebody to want to collectively share information? you have to think what's the greater good. the grant money that gets pumped in the economy. i'm a fan of the grant. a lot of people don't understand what a grant is for. go try to discover or work and team with an institution to invent something. when you can coalesce that -- we
know it's broken today. the president talked about the accelerating the transfer of technology into this ecosystem and out of and to commercialize and to create viability opportunities for that commercialization. that's a broken process today. it's well intentioned like communicating and information sharing and all these committees that talk about it from the hill to the executive branch to the government agencies. i think people really want to make a difference. but in government and in these institutions where privacy and protection and staying ahead of your competition does stifle the ecosystem from accelerating. that's something we need to really put a microscope on and figure out what's the best way to streamline that process. >> the last question we have a couple minutes left, want to make sure we have time for this. joyce mentioned earlier that the unfunded mandate -- every organization out there, i don't know of one who says i have more money than i know how to spend. this is something we need to
address. it's going to take money and resources to do it. how can organizations who feel they don't have the resources or they can't get new resources to do things we talked about, how can they reprioritize existing resources to go down the list? what does that process look like? >> it's really simple for me. training and enablement. you look at something as simple as phishing, which could be easily caught by your trained companies. most companies, 80%, 90% of the companies are coming out with negative phishing findings. something as simple as that that leads to ransomware. enabling the workforce to be stronger minded and understand the environment and be on their toes is probably step one to be quite honest. >> my closing remarks would be, you have to take the first step.
that's in the form of an assessment. you have to know where your vulnerabilities are, weaknesses are. the most important, you have to fix what you find. unfortunately, sometimes the vulnerabilities hurt. there's a lot of personal -- people's reputations at stake. if you are going to improve, you are going to have to accept that. the message is that you also have to understand that. you have to create the budgets in order to be able to move forward with these. only other thing is you have to create budgets, create the teams and you have to create the culture within these agencies and within these businesses in order to tackle this. it's only until you have done all those things and like ryan said, training which is a very important piece, is the beginning of protecting. you gotta do all these things to get to the point where you start protecting yourself. >> i completely agree with the training. i think that is probably the least expensive thing that we can all do. we are all first line of
defense, no matter where you sit. just keeping that and reiterating it and the people hear it and they think it's a broken record. eventually, it will sink in. we will all be very well armed to be that first line of defense to not click on the link, do not actually get taken in by those. the other thing is just good cyber hygiene. don't connect your systems to the internet unless you have to. use a separate system. multi-level work stations are out there. they have been out there for a long time. maybe look at that technology. things like that. >> panelists, thank you very much. that was a fantastic discussion. [ applause ] that concludes the briefing. we want to thank you here and at home for joining us. we look forward to seeing you at the end of next month for the next briefing. thank you very much.
our live coverage will continue this afternoon at 2:30 eastern when veterans affairs secretary robert mcdonald goes before the senate v.a. committee. he will talk about what he needs to implement recent recommendations from the commission on veterans' care report, including developing a process for vets to appeal healthcare decisions. the heads of several veterans groups will be there to respond. live coverage starts at 2:30 eastern. that is grand rapids. and the grand river, which divides the city and which in many ways defines the city. >> there's a good chance that most people over the course of any given day will see or interact with a piece of furniture made in grand rapids. >> we were the first city to ever receive a grant from the
endowment to be used specifically to commission an original work of art for a specific civic site. >> this weekend, the c-span cities tour along with our comcast cable partners will explore the life and history of grand rapids, michigan, on book tv. gordon olson talks about notable people who grew up in grand rapids. then we will take a tour of the home of richard norton smith as he shares with us how and where he works and about his newest biography and gordon andrews talk about the life of attorney charles hamilton houston in his role in the early civil rights movement. >> people understood the role of charles hamilton houston. but you cannot have a conversation about the civil rights movement in the united states without an inclusion of the work of charles houston. >> on american history tv on c-span3, grand rapids resident
nancy twedale talks about the letter she wrote that brought artwork to public places across the country. we will visit the grand rapids public museum with the curator. we will take you to the exhibits at the gerald r. ford presidential library and museum. >> a new car pulled up and stopped in front of the store. this big fellow stepped out of it and stepped into the entryway of the store and paused there. for a long time. and stared at junior. ford asked him if he could help him. the man looked at him and said, you are leslie lynch king junior. he said, no, i'm gerald ford junior. well, you are my son. i am your father. i want to take you to lunch. >> the cities tour of grand rapids, michigan, saturday at noon eastern on c-span 2 and sunday afternoon at 2:00 on american history tv on c-span3.
today's white house briefing began with questions about president obama's meeting with myanmar's leader. the white house is restoring trade benefits with the asian nation. here is a 20-minute portion of today's briefing. >> with the easing of sanctions on burma, is the administration taking away its leverage to improve conditions for the muslim community and to force changes to that nation's constitution. >> kevin, i think we're enhancing it. the more deeply the united states engages in a country like burma, the more success we can have in encouraging them to pursue reforms. that's been documented in the president's engagement with burma over the last 7 1/2 years of his presidency. you recall that when president obama took office, the leader of
the country, was in the oval office of the president of the united states today, was a prisoner in her own house. so i think the progress that's been made in the country has been remarkable. as the united states has pursued a policy of deepening our engagement in burma, critics all along have suggested that there was a risk associated with that kind of engagement. and in some ways that it was too soon for the united states to be pursuing that kind of engagement. so this was the criticism we heard from some when the obama administration decided to appoint an ambassador to burma. people suggested it was rewarding bad behavior. this is also criticism that we heard in advance of the president's first trip to burma, a suggestion it was too soon for the president to be visiting burma. what we found at each stage is
that by more deeply engaging with burma, we have been able to influence and encourage greater reforms that are consistent with our own national interests and consistent with our own values. of course there's more work that needs to be done. the preside they both acknowledged that in the oval office. we have been heartened by the increased commitment we have seen from her government to addressing the human rights concerns. we certainly welcomed her inclusion of kofi annan providing international input on the process. it would give the international community greater confidence that her government in burma is taking those reforms seriously.
that's a good thing. >> domestic policy, the california congressional delegation is calling on the administration to approve a waiver that would allow undocumented immigrants to purchase unsubsidized health insurance through covered california, that state's medicaid program. is that a concept the administration is supportive of? >> kevin, i have to acknowledge i have not seen the letter you are referring to. so i'm not sure i can respond to their specific request. as you know -- i guess this is evident from their letter -- that the way that the affordable care act is written, individuals who are undocumented immigrants are not eligible to collect benefits associated with the affordable care act. that's been the subject of some
fear mongering or even outright lying on the part of republicans. >> they are stressing the word unsubsidized. >> i haven't seen that proposal. i'm not in a position to react to it. we will take a look at the letter and see if we can get you a response. >> more on the visit today. senator corker released a statement after meeting with her saying he was appalled by her reaction by human rights violations in the country. i was wondering during the president's conversations with her, what was his -- did he have any response to the way -- what were the discussions about human rights? and did he come away with a similar feeling about her reactions to his concerns or to the u.s. concerns about human rights. >> the president made clear in the meeting that it's important
for the burmese government to uphold the human rights of all religious and ethnic groups inside of burma. and we have seen, since she assumed office, a greater commitment to the pursuit of reforms that will protect human rights. there's been a greater effort to recognize the citizenship of the -- the rights of the citizens of burma. and there has been the inclusion of annan in the process. there is more work that needs to be done. there needs to be a sustained commitment to these reforms. that reflects the priority that the united states places on
universal human rights and ensuring they are protected by governments all around the world. i think all of you had a chance to hear directly from her in the oval office indicate that she intended to make that a priority. and we certainly would welcome those kinds of comments, because there's a lot of important work that remains to be done. >> on the dakota pipeline, there was a protest outside the white house yesterday, i believe senator sanders spoke at that, and there were protests around the country. is the president following these protests at all? does the administration have any response to i think senator sanders introduced an amendment that would stop the court for issuing any permits for that -- for that pipeline until an environmental impact statement has been completed. does the administration support that move? >> i do not know that the president was aware of the protests yesterday.
obviously, the president was on the road most of the day. i don't know if he was here when the protest was organized. i can just say that the administration's policy speaks for itself. which is that despite winning an order from a judge who indicated that the process had been properly followed and that the department of interior and the army corps of engineers could move forward with the project, the army corps voluntarily stated that they would pause the project to ensure that the consideration of everyone's views and perspective, particularly those most directly affected by the project, are carefully and properly considered. so that's -- that would be the next step in the process. the president certainly believes that's an appropriate course of action. in this case, we're talking about individuals who are -- who are native americans.
there's a rather sad chapter in our history with regard to the federal government not effectively looking out for the concerns of native populations in this country. and that's left a legacy, and it's one this administration is determined to address. in this instance, it means ensuring that the process that is in place for the construction of this pipeline has adequately considered the impact it will have on everybody who lives in the area, including tribal populations who live in the area. >> does the administration think it's time to overhaul the way they are permitted in general? this isn't the first pipeline that has been run into protests. there have been a lot of these issues that are ongoing. >> i think that might be a
little bit of an oversimplification. the keystone pipeline, that was part of demonstration for a number of years, the issues related to the construction of that pipeline are different than this one. in this case, the army corps has voluntarily indicated they will pause this project to ensure in the context of this project the concerns of everybody who could be affected were adequately taken into account. they have indicated a willingness to go back and make sure that all infrastructure projects they are involved in adequately consider the views and rights of affected populations, including tribal populations. and that's an appropriate step for them to take. mary? >> thanks, josh. in the past 24 hours, we have seen the release of information hacked from the dnc, colin
powell, even american olympians, hacks coming from groups with suspected ties to russia. is this another example of russia attempting to meddle in the u.s. election? what is the president considering or what recourse does the u.s. have to try and stem this flow of embarrassing leaks? are new sanctions on the table? >> i think obviously i have seen the report of the variety of cyber intrusions and leaks that have emerged in the last 24 hours or so. the united states has not made a formal determination in public about who may or may not be responsible for these kinds of -- for these incidents. the motivation for each of them i think is likely different. i know that you asked about it in the context of the election.
i'm not sure that the reprehensible release of the personal health information of u.s. olympians has anything to do with the election. it may have to do with some other things that have been well documented. but what i can just say in general is that all this does serve as an illustration of how it's important for our policy makers to make it a top priority. the united states congress has failed to do that. there's more congress should do. the president included in his fiscal year 2017 budget a significant increase in funding for cyber security that would not just enhance our cyber capabilities but also improve our ability to work more effectively to investigate cyber intrusions when they occur and to work with the private sector to deter potential incursions.
as we have discussed in here many times, the congress refused to even have a hearing on that budget. republicans have essentially said they are refusing to talk about that proposal to enhance our cyber security. that's unfortunate. that's an indication that republicans are failing to even discuss what should be a top national security priority. particularly given the widespread reports and the conclusion reached by some professionals outside the government that russia is likely responsible. that seems like something that should get the attention of republicans in congress. unfortunately, it hasn't. the good news, however, is that this administration has not just relied on congress to take steps to try to protect the american people from cyber security.
over the last couple of years we have seen the president convene a summit bringing together technology experts, leaders in private sector and national security figures to discuss what can be done to enhance our nation's national security. the president signed an executive order designating new authority to the secretary of treasury that would allow him to impose financial sanctions on countries or individuals that are suspected of involvement with cyber intrusions. that is new authority. that gives the united states government additional options when it comes to responding to these kinds of situations. the president has prioritized in his multi-lateral meetings, the effort to establish internationally accepted norms when it comes to conduct in cyberspace. we have gotten additional commitments from the chinese with regard to some of those international norms. that enhances the security of
the united states. the time has come for republicans in congress to do their part. we would like to see them do more. i think last thing that i will note here is that over the weekend, the cia director was asked about this. and he noted that russia -- this is a quote -- has exceptionally capable cyber capabilities as well as whatever else it might want to do in the cyber sphere. we have known this for quite a while. i think this is an indication that the president and his national security team are not just keenly aware of the situation but have taken aggressive steps to try to counter it. we would welcome republicans in congress doing their part for a change. >> on syria, there reportedly is a significant difference of opinion, shall we say, between the secretary of defense and
secretary kerry about partnering with russia. if the cease-fire holds, is the president concerned about implementing or developing this next phase, whatever that may be, because of this disagreement? >> let's start by acknowledging that the if that's included in your question is a sizable one. there remains significant doubt inside the administration and around the world about the capacity and willingness of the russians to fulfill the responsibilities that they have accepted in this arrangement. and that skepticism is not just well documented, but i think entirely reasonable given the way that we have seen the russians and the assad regime behave over the course of the last year or two. so that's a big if. and i feel like that's an
appropriate place to start. from there, the president and the secretary of state have both spoken publicly about how deeply concerned the united states is about the humanitarian situation inside of syria. and our efforts to engage diplomatically with the russians is rooted in the knowledge that the russians have more influence over the assad regime than anybody else. the assad regime has been the chief impediment to the delivery of humanitarian aid to hundreds of thousands if not millions of innocent civilians who have been caught in the cross fire in syria, including in aleppo. so this has been the best opportunity that the united states has to try to reduce the violence and allow for the unimpeded delivery of
humanitarian assistance. and that's what we have been trying to -- that's the result that we have been trying to bring about. when the president discusses complicated issues like syria with members of his national security team, he is not looking for a bunch of people that have exactly the same opinion. the president is not looking for a group of people to sit around the table with him in the situation room who all nod their head every time that he speaks. what the president is looking for are informed experts who do their homework and who can make an argument and assist him in crafting a policy that advances the interests of the united states. that's why the president is proud of the people who serve on his national security team. at the same time, the president is entirely confident that once he has made a decision that he
can count on the members of his team to execute that strategy with excellence. he is confident that every member of his national security team is committed to that goal. all right? michele. >> many times when we have heard you talk about the president's goal on the trail and in the instances where he is talking about the election, his goal is to support hillary clinton as the most qualified candidate. what we heard a lot of yesterday in his speech was as if he was trying to prove that donald trump is not qualified. so would you say that that is now a big part of the president's goal when he is out there? >> i think the president's goal is to ensure that he is succeeded in the oval office by somebody who is committed to building on the progress that we have made over the last eight years. secretary clinton is the only
candidate who has indicated that she's committed to building on that progress. i would put her in the category -- as i was answering mary's question -- as somebody who doesn't agree with everything with the president. but it's their vision in expanding economic opportunity for the middle class, equality for all. advancing u.s. interests around the world. their visions are quite similar. the president has enormous confidence in her ability to lead this country in a direction that will continue to strengthen it and make progress in a direction that he has been fighting for for the last eight years. that was a portion of today's white house briefing.
see the rest online at cspan.org. we are live for robert mcdonald. you see him on the right of your screen, he is testifying this afternoon before the senate veterans affairs committee on a recent report looking at recommendations for improving the v.a. healthcare system. we will hear testimony from the heads of several veterans groups. this hearing expected to get under way in a moment. live coverage here on c-span3. >> i'd like to welcome the secretary and we're glad to have you here today. we will change our methodology a little bit. we have two votes, one at 2:45 and one following that vote. we will run the hearing continuously. the ranking member and i are going to waive opening statements so we can go directly to secretary mcdonald to make his full statement for the record. then we will go into as much
q & a as we can. when i have to leave, hopefully there is somebody here so we can keep it rolling. with your cooperation, we will maybe make sure we don't have to shut down. if we do, it's only for a couple of minutes. let me welcome everybody to this meeting of the senate veterans affairs committee. we had a great hearing on the innovations taking place at the v.a. last week. today's hearing will be equally as good, because the commission on care was a great project that examined the veterans administration and its delivery system. it had a lot of recommendations that are very meritorious. i appreciate the embrace that secretary mcdonald has given. i know he will have great testimony. let me welcome secretary mcdonald to make his testimony and we will go from there. >> thank you, mr. chairman.
ranking member blumenthal, members of the committee, thank you for this time to talk about v.a.'s final report. i wish the house would have allowed me the same opportunity last week. but neither i nor the organizations were invited to testify in person. i ask my written statement be submitted into the record. >> without objection. >> thank you. let me thank ms. schlichting for chairing the committee. nancy did an outstanding job. overall, i see the commission's report as validation of the course we have been on for the past two years. there's hardly anything in the record that we haven't thought of or aren't already doing as part of our ongoing my v.a. transformation efforts. we differ on details, but we agree with the intent of almost all of the commission's recommendations. 15 out of 18. we certainly agree on how wrong it would be to privatize v.a.
healthcare. privatization would be a boon for some healthcare corporations, but as seven leading vsos told the commission it could threaten the financial and clinical viability of some v.a. medical programs and facilities which would fall particularly hard on the millions of veterans who rely on v.a. for almost -- for all or almost all of their care. there are many things that v.a. offers that nobody else offers. we have a unique lifetime relationship with our nine million patients. nobody else offers that. our mental healthcare is integrated with our primary care and specialty care. nobody else offers that. v.a. healthcare is whole veteran healthcare, including care for many non-medical determinants. nobody offers that.
our research and innovation has made v.a. a leader in many areas. nobody else offers that. if we sent all veterans into the community for care, they would lose the choice of integrated comprehensive care tailored for veterans. by people who know veterans and are dedicated to serving them. that's what v.a. is to veterans. that's why you don't find veterans demanding community care as the only choice. the demand for that only choice comes from elsewhere. it doesn't come from veterans. veterans know better. i have tested this during my time as secretary. when somebody tells me that veterans should only have the choice of the choice program, i ask them, are you a veteran. by and large, the answer is no. then i ask if you talk to veterans about this. i get the same answer.
then i probe a little bit more and i found that beneath the banner of choice there are always two things, interest and ideology. let's face it, privatization would put more money into the pockets of people running healthcare corporations. it's in their interest. of course, it makes sense to them even if it's not what veterans want or need. then there's the ideologues. government bad, private sector good. that's as far as the thinking goes. most members of the commission were more understanding. on one point i strongly disagree with the commission. that's the idea of an independent board of directors for the health administration. i don't need to say much about that since the constitution probably won't allow it. i will say a governance board doesn't make sense to me. it would only make matters worse by complicating the bureaucracy
at the top and spreading responsibility for vha so no one knows who is ultimately responsible. the fact is, we already have a governance board. congress is our governance board. if congress works the way it should, nobody would be talking about adding another layer of bureaucracy to v.a. v.a. is not the holdup on increasing access. we're doing that. we have been doing that for more than two years now. v.a. is not the holdup on expanding community care. we're doing that. we submitted a plan to streamline our programs last october, almost a year ago. what's happened to it? v.a. is not the holdup on getting rid of real estate that costs us much more each year than it is worth, or adding more points of care where they are needed. we have eight major medical construction projects and 24 leases needing authorization.
they are funded. but we still need a green light from congress to move forward. we're not even the holdup on holding people accountable for wrongdoing. ask the former v.a. employee in georgia facing sentences. all told, we have terminated over 3,755 employees in the past two years. we have made sustainable accountability part of our ongoing leadership training. the veterans first act would help us hold people accountable. we look forward to seeing it brought to the senate floor for passage. the senate appropriations committee has approved a budget nearly equal to the president's request. but again, we need to see some follow through. the holdup in our very real and ongoing my v.a. transformation is our need for congressional action. we have submitted over 100 proposals for legislative changes that we put in the
president's 2017 budget. no results yet. i detailed our most urgent needs. they include approving the president's 2017 budget request to keep up with rising costs and medical innovation. extending authorities to maintain services like transportation to v.a. facilities in rural areas and vocational rehabilitation. fixing provider agreements to keep long-term care facilities from turning veterans out to avoid the hassle of requirements. and ending the arbitrary rule that won't let v.a.'s dedicated medical professionals care for veterans for more than 80 hours in any federal pay period. we also need you to act on modernizing our claims appeals process. under the current law, with no significant changes in resources, the number of veterans awaiting a decision will nearly triple in the next ten years from 500,000 today to
almost 1.3 million. we submitted a plan to reform the appeals process in june. we developed a plan with the help of the vsos, state and county officials. they're all on board. we need congress to get on board. i'm only after what's best for veterans. as you know, i'm not running for office. i'm not angling for a promotion. i could have taken an easier job two years ago. but i didn't. i answered the call of duty thinking only of giving veterans the benefit of what i learned at west point, in the army and 33 years in the private sector running one of the most admired companies in the world. my only concern is to see it continue. i know nancy will tell you, transformation is a marathon, not a sprint. it will take several years to turn any large organization around. to turn v.a. around, we must maintain our momentum of change. we can't do that without cooperation of congress and
passage of legislation we talked about. that's an absolute certainty. the commission, vsos and v.a. are in agreement on this. congress must act or veterans will suffer. that's unacceptable to me and i know it's unacceptable to you. what can we do? whatever it takes, i will do it. just let me know what it is. thank you, mr. chairman. >> thank you, very much. we appreciate your testimony. >> were you going to testify or are you here for moral support and hard questions? i have one question. i'm going to get to the members of the committee. we will go through the votes. i will wait until the last minute to go over and vote and come back after voting. hopefully, between the votes going back and forth, we will keep everything rolling throughout the hearing. we have three great panels headed off by secretary mcdonald who we appreciate for being
here. if you would look at recommendation number one, which i know you read and referred to in your testimony, have you got any idea what you would estimate the cost of implementing recommendation number one for the commission on care? >> recommendation one is about establishing an integrated high performing community-based healthcare network. in our plan in october, i can't remember the exact number. i'm sure david will remember it. we had different levels of costs depending upon what we decide to take on. we're already in process of establishing that network. david, you want to -- >> yeah. the secretary is referring to the plan that we submitted at the end of october 2015 where we currently spend right now about $13.5 billion a year in community care. that's the combination of choice and community care funds.
in order to do the changes that we suggested, we suggested that we would need $17 billion a year. we wanted to fix the emergency medicine provision that so many veterans get stuck in the hole. we need the investment in infrastructure to do care coordination in an integrated fashion. we think that that's the best use of money for taxpayers, that it's a -- it's actually an efficient plan. the commission on care's plan was far more expensive than that. >> i think it contemplated putting together -- the v.a. being part of a network with the private sector? >> that's correct. >> i think it contemplated doing that without the contractors we have today for the two gatekeepers but to issue a single card? >> yes, sir. we would integrate the network. it would also include department of defense partners, indian health service and other federal
partners we have. >> this is not a setup. just like to hear your answer. is it not true that in the veterans first bill, this committee passed out unanimously, by the provisions in there for provider agreements, we're expanding the opportunity for v.a. to make that happen, to make that possible? >> yes, sir. >> that was the right answer. i just wanted to make sure we did it. >> i said that we would like veterans first to get to the floor. we're happy to help in any way we can to help you -- >> we appreciate your continuous support on that. >> we appreciate the committee's leadership in putting it together. >> my last question is really a comment. they have a recommendation on i.t. and working on the i.t. system in the v.a. i'm interested in hearing how much progress you have made and the program at georgia tech which i think you are under contract with them. i understand there's a breakthrough that helped on that? >> yes. >> can you comment on that? >> i will be glad to. just as you mentioned, mr.
chairman, in april of this year, we did certify with the department of defense. we have created a concept of what's called the digital health platform. this is really taking where the industry is to a new level. it's going to increase our ability to do interoperability. and so what you are referring to is georgia tech has really a fantastic technology center. we have a prototype for this that i think we're looking forward to sharing with members of this committee that we think is really a path forward. to take us to a new level. >> good. we appreciate the progress that you are making. senator blumenthal? >> thanks, mr. chairman. secretary mcdonald, i think in your letter to the president dated august 6 or august 2, 2016, you
indicated that you had concerns about the cost estimates. that the commission put together to reflect various options on the vha care system model which ranged i think as low as $65 billion to $106 billion in fiscal year 2019, depending on enrollment, network management and other factors. i want to say, i appreciate that the commission really devoted itself to seeking to improve the v.a. healthcare system. and i certainly appreciate its recommendations. i wonder if you could explain the v.a.'s concern with those commission estimates. >> this is the nub of the issue in terms of the difference between the report and our point of view on the network. i'm sure nancy will comment more on it later. the question is is how much
unfettered access to the private sector do you allow the individual veteran? who takes responsibility for integrating their healthcare? we believe that as the v.a., we need to take that responsibility, that when a veteran goes out to the private sector, we still have to own the responsibility for that healthcare. the integrator tends to be the primary care doctor. if we don't do that, that it results in not very good care and also dysfunctional care because it's not integrated. it also results in higher cost care, because those doctors that they may go to, first of all, may not be qualified by us as being capable, being high quality enough to be in that network. secondly, may not follow the standards of cost that are necessary to be part of that network. >> i think the secretary has said that very correctly,
senator, which is, we really have differences here with the commission on care report on two counts. one is the quality of care, we believe is better with v.a. maintaining the care coordination and integration role. we understand the needs of veterans best. we do support and we embrace working with the private sector. that's absolutely correct. but we believe the v.a. needs to be the care coordinator. on the cost side, this would be, in my view, irresponsible just to turn people out with no deductibles, no cost control mechanisms. this would be returning us to the late '80s, early '90s, where there was runaway costs. we think the very best thing for veterans and the very best thing for the taxpayers is to do this carefully in an integrated network the way we proposed in october of 2015. >> speaking of costs, the
commission on care report found that 98% of all clinical supplies were acquired using purchase cards and that 75% of what the vha spends on clinical supplies is made through this purchase mechanism. only 38% of supply orders were made through standing vendor contracts, which presumably would be more effective and efficient. and i've been told as well that this same issue may arise with respect to medical devices and perhaps other kinds of supplies. that's in stark contrast as you probably know to the private sector benchmark of 80% to 90% of supply purchases from existing master contracts with negotiated price discounts, which the v.a. can do unlike medicare. we're pushing for medicare to have the same options of
negotiation. what is preventing the vha from using those kind of master contracts? >> nothing. in fact, if you recall the hearing we had on the 12 breakthrough priorities which you had here in the senate -- we didn't get the same in the house. one of the 12 is to set up a consolidated supply chain. right now, every one of our medical centers has its own supply chain which, as you have suggested, is nonsensical. our cost advantage is tremendous of the scale that we have and also our customer service is fantastic. we have been rated number one pharmacy in the country for six consecutive years by j.d. power because of that scale advantage. what we're in the process of doing is building a consolidated supply chain for all of our
medical centers. so far, we have avoided about $35 million of cost. our commitment to you was to avoid $75 million of cost by december. i think we will beat that. >> thank you. thanks, mr. chairman. >> as a courtesy to everybody in the office and the members of the committee we will take a little bit of a different order in terms of question and testimony because to pay senator brownback for doing me a great courtesy for being here on time given he's got a tough schedule i will let him do the next question followed by senator boozman and then senator manchin. >> thank you. i will ask two brief questions. secretary mcdonald, first to you. you correctly note in your testimony that implementation of veterans choice went through some initial growing pains as we all expected. your meetings with veterans and providers and health experts and
others, lay out briefly the challenges and opportunities that you see for veterans choice where we're going. >> veterans choice, you know, we've made tremendous progress. when you recognize we set up a program in 90 days that affected roughly -- and sent out cards to 9 million veterans, we made tremendous progress, but we've also made changes along the way. since the original bill we have now changed the way we define distance, the 40 mile limit, we've changed it from geodesic distance to driving distance, that virtually doubled the number of veterans being able to avail of veterans choice. we also have made efforts originally the program was designed where we would simply give a phone number to a veteran and say go call your third party administrator. my belief and i know david's is you can't outsource your customer service. so we're pulling that responsibility back in. the integration coordination
responsibility. and we're now taking responsibility for customer service and we've taken third party administrator employees and put them into our buildings as a test in order to make that easier for the veteran. where are we headed? about 22% of our appointments every day now are in the community. there are about a million veterans that rely on the choice program. there are about 5,000 veterans that only use the choice program, which is really a strikingly low number, but it demonstrates that most veterans really want the hybrid, even if they have the choice program, they want the hybrid. >> they really want to know they have the choice and they're generally mostly satisfied with cincinnati va or dayton va or cleveland, but they want to know they have that choice and i think that's so important. >> thank you. >> doctor, quickly, are there bureaucratic or legislative hurdles that prevent vha from
routinely updating facilities, infrastructure, thus providing va medical staff and veterans the best care possible? >> yeah, i do think that if you ask most of our field hospital directors they would say that there are challenges and i think we've seen a really strong direction towards being more responsive to the hospital leaders under laverne council's leadership. she has established executives who work with vha and we are working together to break down some of those barriers. this does take time because we're breaking down years and years of barriers, but i think we're headed in the right direction. >> thank you, mr. chair. >> senator boozman. >> thank you, mr. chairman and thank you all for being here. we really do appreciate your hard work.
the choice program has over a million people participating in it, which i think is a good thing. you don't list that as a legislative priority as far as reauthorization. is it a priority or is it not a priority or am i -- have i misunderstood? >> we look at reauthorization as part of our program to consolidate care so we believe we did request reauthorization in that october 2015 package that we submitted on the consolidation of care. >> good. well, that's good to know. >> we do want reauthorization. >> i would just add, i'm sure this is why you're asking, senator, the program ends august 7th of 2017. >> yes. >> without reauthorization we are going to see us actually go backwards because we've now reached 5 million choice appointments. that's fantastic and this program should be congratulated and we are just getting it to work and if we could get veterans first passed through it's going to work even a lot
better. so reauthorization is absolutely a priority for us. >> sorry to take more time. if you don't mind -- >> no, it's important. >> august 7th is an important date, but if a woman is pregnant, you know, we really need to know nine months in advance of august 7th whether or not -- how we're going to care for her. so the sooner the better. >> right. and i guess that was my follow up and it's good to know that, you know, that you've cleared that up and that it is important and truly have done a great job. this being a momentous task. do you have any contingency plans, you know, in regard to august of 2017 if the reauthorization -- and there is also i think you can really help us at this hearing and in future hearings by helping members understand not on this committee but throughout congress how important it is to get the reauthorization done. >> we are in the midst right now
of renewing our strategies for 2017, most of our leaders are at the national training center right now and one of the things we've brought up is the importance of communicating that august 7th date, but also the nine months in advance of that. so i do think that's critically important. >> just to give you -- to quantify this, we spend about $13 billion a year in the community, as the secretary said 22% of our care goes out in the community, $4 billion of that is the choice program. so we would have to reduce access to care by about a third in the community and that would hurt veterans. our contingency plan, we are here to help veterans with the resources that you provide us, so we're going to continue that mission and we will do the very best job possible, but there is no substitute for what you've provided in the choice program. >> thank you, mr. chairman. i do think that that's something that we really need to work on is to make this clear how important
that reauthorization is going to be. >> that was a terrific question and i appreciate the answer and it gives us our homework to do before that august date next year. >> we're going to stand in recess for a moment. senator moran is on his way and we will continue the hearing and then senator boozman and i will be back as quick as we can cast our two votes. we will stand in recess until senator moran gets here. thank you, mr. secretary.
thank you for this time to talk about va's ongoing transformation. i wish the house had allowed me the same opportunity last week, but neither i nor the veterans service organizations were invited to testify in person. i asked that my written statement be submitted for the record. >> without objection. >> thank you, sir. >> first let me thank ms.
schlichting for chairing the commission. i know it wasn't easy but nancy did an outstanding job in keeping things together. overall i see the commission's report as validation of the course we've been on for the past two years. there's hardly anything in the report that we haven't already thought of or aren't already doing as part of our ongoing my va transformation efforts. we differ on some details but we wholeheartedly agree with the intent of almost all the commission's recommendations. 15 out of 18. we certainly agree on how wrong it would be to privatize va healthcare. privatization would be a boon for some healthcare corporations, but as seven leading vsos told the commission in april it could threaten the financial and clinical viability of some va medical programs and facilities which would fall particularly hard on the millions of veterans who rely on va for almost -- for all or almost all of their care. there are many things that va
offers that nobody else offers. we have a unique lifetime relationship with our 9 million patients, nobody else offers that. our mental health care is integrated with our primary care and specialty care. nobody else offers that. va healthcare is whole veteran healthcare customized to meet veterans' unique needs including care for many nonmedical determinants of health and well being like education services, career transition support, housing assistance, disability compensation and many others. nobody offers that. our research and innovation has made va a leader in many areas such as prosthetics, traumatic brain injury, posttraumatic stress disorder, polytrauma and telehealth. nobody else offers that. if we sent all veterans into the community for care they would all lose the choice of integrated comprehensive care tailored for veterans by people o