tv Key Capitol Hill Hearings CSPAN October 10, 2014 4:00am-6:01am EDT
2009 with the virus. and these attacks were aimed at disabling those organizations' ability to conduct their primary mission. you can imagine the military unable to perform its mission as a result of a computer virus. this is a very real potential problem. then you have the insider threat. we're all familiar with the snowden case. you have the cyber vigilantes like anonymous conducting espionage, disrupting systems for a wide variety of purposes. so this is a global, borderless problem, and it's not going away any time soon. the real question is, why is it so easy for the attacker and seemingly so hard for the defender? how is it that they seem to march in and out of these systems as if nobody is watching? and you'll get a lot of different opinions on that. people spend their careers trying to figure that out. but when you blow away all the smoke, i think it comes down
really to two root problems. the first is that the cyber systems that we rely on are inherently vulnerable. so the commercial operating systems, the commercial software packages, the commercial hardware platforms, these are all designed rimarily to address profit motives. they are easily obtained by the attacker. they can exploit and find the vulnerabilities in those systems and that is largely what they take advantage of. that's probably not going to change any time soon. and then the second problem is that you have machines against people in a high speed battle. and now what do i mean by that? well, you have hundreds of thousands of malware samples being generated every month. that's not people writing that malware. those are machines. those are machines automatically circumventing all of our defense systems.
that malware typically operates inside of an infrastructure that is also automatically controlled by machines. so the command and control notes, the hot points, the channels that connect these different adversary systems together are typically set up, used one time, or for a very limited period of time, and then torn down and never seen again. now, let's contrast that with the way we defend our systems. so we have fixed infrastructures. monitored by thousands of people. climbing up mountains of data trying to sort through what's happening. patching software. writing signatures. reacting and chasing and trying to find this machine driven, fast moving target. so you have a static, human controlled system battling with an automated machine driven system. and at the end of the day, the machines are going to win that
battle every time. it doesn't matter how many people try to put up against those machines. and so how do we fix that? how do we overcome that? how do we develop a protective strategy that makes the systems inherently resilient? one way that i'd like to introduce into this conversation is by making our cyber systems disposable. and i don't mean disposable in the sense that you throw them away like a paper cup. i'm talking about disposable in the sense that they are single use. if you think about it, that is exactly what the adversary is doing. they're malware, command and control, channels. single use. and we can do the very same thing with our own cyber system. this would make it far more difficult for an adversary to gain access and persist into the system if what they saw on tuesday was no longer there on wednesday and it was different yet again on thursday. so this would shift the battle
from us chasing them to them chasing us. and that would move the advantage in favor of the defender. there are six technologies that make this concept possible. you'll recognize them because they're already out there. and they're in varying degrees of maturity. so three of them are sort of the biggies and then there are three smaller underneath that. the first is the cloud computing paradigm. this is a technology that is designed to be flexible, recon figureable, you can establish, compute storage devices anywhere anytime. it is essentially disposable technology. the second big pillar is software defined networking. think of this as cloud for communications. rather than a static communication channel, software defined networking allows you to do ad hoc networking, allows unconventional devices to behave as routers, and really
provides a lot more of that sort of flexible recon figureable, disposable capability. and the third big pillar are these increasingly mobile end points. while many people think that the mobile end points are more vulnerable when you look at the security architecture it's actually moving in the direction of being more secure. and again, it enables a very flexible recon figureable disposable approach. when you bring those three pieces together, the software defined networking, the cloud, and the increasingly mobile end points, you have the opportunity to create an entirely disposable system. so rather than fix static gateways, static routes, static end points that never move, we would have virtualized moving gateways, ad hoc networks, and single use, private end points. this system would be controlled by our network defenders.
rather than spending their time reacting and chasing and climbing up that mountain of data, they would send their time proactively recon figuring these systems so that they are very hard to understand and breach. underneath of those three big building blocks there are three other critical enablers. they are, route of trust, identity, and always on encryption. part of the disposable concept of operations is to con figure, operate, dispose, and restore. that restoration piece comes from the root of trust. identity is a very important thing within this paradigm. being able to understand the identity of the machines and the people and permitting them into the system, permitting them the access to information based on their identity and their role is a key to keeping unauthorized people out of the system. and the always on encryption is a no brainer. all right. you don't open the door and let
somebody come in and walk all over your network. all right? you need to lock down zones and lock down different information based on always on encryption. so when those six technologies are brought together, again, it creates the opportunity for us to enable a disposable system concept of operations. let me talk about a couple of scenarios of how that might be used, kind of illustrate the application of this system. for the first one, i'd like to talk about is an operation center scenario. more of a strategic network. so imagine operators coming in to perform their jobs and rather than carrying their device with them or finding the device on their desk they walk into the building and they pull it off of a rack or out of a bin. that device would have been established to a known, good state by a team of people, network defenders that know how to do that from the root of trust. when he turns the machine on,
it has an identity. it turns on the encrypted channel. that machine awe thentcates itself into a central system. the operator then uses his fingerprint, his voiceprint, his cad card to authenticate himself into the system and his personal configuration is loaded on to this device. when he walks into the operations floor, his other analyst friends are there with him. and they form up a private, ad hoc network among the team, fully encrypted, only the people permitted to participate in that mission are allowed inside. those people can be outside the building. they can be around the world. they can be anywhere. so those operators can function throughout the day within this private trusted environment and at the end of their shift, they turn the machine off. they toss it back in the bin. and they leave. that machine is then wiped clean and given a new identity and the next shift of operators
can come in and do the same thing. so that system is essentially disposed of. it's never used again. the route, the notes, the identities. if somebody were able to see and understand it when they came in the next day it wouldn't be there anymore. now, let's take that into a more tactical environment. because tablets and lap tops are not the only kind of end points that we need to be concerned about. we need to think about unmanned vehicles, u.a.v.'s. we need to think about sensors on u.a.v.'s. we need to think about fire control systems. all of these can function within the same disposable concept of operations. so imagine if you will a special forces team has been asked to go perform a rescue mission. they need to have overhead surveillance to help them out. we're going to use some u.a.v.'s for that support. so once again the u.a.v.'s should not be sitting there with untrusted software on them, with untrusted operating systems. they should be loaded for that
specific mission at the time of the mission from a strong route of trust. the people flying the u.a.v.'s and controlling them should have their identity authenticated into that system so that they can move the u.a.v.'s over to the area of interest. and then the ground forces will have some device that is also built from a strong route of trust so that they can receive the real time video they need to conduct their mission. in the end, all of those systems will come back. they'll get wiped clean. they'll get to be given new identities. once again, that system is essentially disposed of. never used again. so this is a concept that would be very frustrating to an adversary. imagine them spending their time mapping, trying to find holes. maybe they actually identified some. but the next time they come back to take advantage of that, that system is no longer there. so how do we get there? how do we move from the react
and chase model to this proactive, disposable concept of operations? one thing you don't do is take the current security architecture and implement it to this flexible, reconfigurable infrastructure. for example you wouldn't want to take today's monitoring applications v. virtualize them, and put them into the cloud. because all you are really doing is implementing the same paradigm and you'll still be reacting and chasing. what we need to do is take those six key building blocks. we need to bring them together. we need to accelerate the integration of those six technologies and then we need to build that proactive model for security. this will make it far more difficult for the adversary to gain access and persist. if there is an insider threat, it'll make it far more difficult for him to reach out and grab information he is not permitted to have.
if we want our systems more resilient in the future we need to think about making them disposable. thank you. i guess i'll take some questions now. thank you very much. applause] >> i've been given the opportunity to ask the lead question and i'll seize that opportunity. first of all, vern, i love this image that you present of moving the momentum from the attacker to the defender. it's very helpful to look at the three supporting core technologies that could create a disposable system. within those three is there an area that your team is thinking most about and/or next step in this integration that would move us forward in creating these disposable systems? i.e. where should we focus next? >> well, we're researching each of those technologies, and some of the customers are also
researching each of those technologies. i think where we need to go next is in the direction of bringing those six pieces together and figuring out how to implement the disposable command and control, the disposable security model to wrap around the six key technologies. we're already working on the individual pieces. >> excellent. great. let's have some questions from the floor. i think, is there a mike? he gentleman here on my right. >> hi. thank you so much. this is very informative and interesting. my name is guy taylor, the national security team leader at the "washington times." , you a question about were touted as someone who speaks english or common man language about this. so let's say this hypothetical u.a.v. mission you're talking
about involves recording some video. where would that video then be stored once the systems are wiped? with that system on which that video is stored, would it be something that gets recycled constantly? it sounds like an inconceiveable amount of data that would have to be wiped and moved, wiped and moved all the time. >> yes. good question. so we're actually not talking about disposing of mission data. you know, the recorded video would potentially be temporarily stored onboard or moved into a back end cloud infrastructure. what we're talking about wiping and restoring are the infrastructure pieces of the system. so that the processors and the operating systems and the software that collects the video is what would be wiped clean and restored. the mission data would be preserved and put into the cloud and moved and changed as
part of this moving target disposable model. >> in the back, could you state your name and affiliation please when you take the mike? >> hi. brian pendleton private security consultant. my question is what about cost and risk analysis? you talked about having multiple sets of lap tops, infrastructure, businesses have a huge cost there. how are you going to get them to buy into this? >> right. so that is a good question. i've been asked that before. what is the cost of something like this? and i think you want to look at this from a life cycle cost perspective of a breach. what does it cost when an organization, whether it be a military organization, or a financial organization experiences a breach? what does that cost? the second dimension of cost is
the man hours. how much time and money are we spending chasing, reacting, searching for things that are no longer there? we want to shift that to a more efficient use of those man hours. so those are really the two biggest variables in the cost equation. cost of the breach and the cost of the people. i think if you move the needle on those, you're going to wind up coming out ahead. >> we have time for one last question. that was fast. yes. the gentleman in the black shirt here. >> i'm with voice of america. in terms of the rapid response that you mentioned that is going to shift and you're going to have disposable responses, is that country specific? for example we know iran, china, russia use different tactics. do you also analyze what kind of methods they use so the response that you give would be specific to those countries? >> i think one of the advantages of a proactive
security model is that somewhat agnostic to the attacker. all right? so our goal is not to try to analyze, react, and chase what the adversary is doing. our goal is to take control of our own systems and proactively con figure them so that they're very hard to gain access to. so independent of who is attempting to gain access, whether it's a criminal, a cyber vigilante, a nation state, we want to take control of our system. that's what the proactive security model is all about. >> vern, thank you so much. it is fascinating to hear of a potential more agile response to defending cyber attacks and we appreciate your thoughts immensely today. thank you. quick round of applause. >> thank you. applause] >> we're now going to move to the next phase of today's discussion and i want to introduce mike fera who will be up in just a moment.
mike is the editor of the monitor's new pass code section. he is a veteran tech and business correspondent who shared in the boston globe's recent pulitzer prize. we're delighted to bring mike from the globe back to the monitor where he was reporting from our san francisco bureau and was at one time our mid east editor. we're thrilled to have him leading our pass code team. mike is going to introduce you to our next speaker.
which i think he, himself, has described as sort of a job of herding cats because he oversees many different agencies who have many different protocols when it comes to their security implementation. and issues and so i'll turn it over to michael. he's got some words to say. then we'll do a brief q & a and turn it over to the audience. >> thank you. thank you, everyone, for coming out this morning and participating in this event. i would be remiss if i didn't remark it is national cyber security awareness month so appreciate all of the interest in this particular topic. i think one of the points that i would like to make just to start, you know, i think that cyber security, you can clearly see it emerging as one of the defining policy challenges we face for the 21st century. and i think that is actually driven by several factors. but one of them is actually it's not obvious why cyber
security is in fact such a really hard problem for us. if you look at the data on intrusions, it actually is pretty clear that most of the time the bad guys are getting in through holes that we know about and holes that we know how to fix. so at one level cyber security really shouldn't actually be a hard problem. but if you take a step back and you think about the various aspects that cyber has taken on and given the depth of penetration it's had into all of our social lives, our private lives, our public lives in terms of the interaction with the government and in the private sector, our commerce, and economic, you start to realize that cyber security is not primarily a technical problem. it is also an economic problem in terms of incentive, a human behavioral and psychological problem. it is a physics problem because of the way met works are
constructed. it's a political problem because of its international dimension. and when you start to roll all of that together suddenly you have what the folks in boston might call a wicked problem. >> very good. >> and that's what i think starts to actually make cyber security the particularly difficult challenge that it is for us. and that's why i think it takes such a wide variety of disciplines to begin to address the problem. from the administration side, one of the things i want to highlight for this audience today is our efforts to actually expand the cyber security work force. and so to address that problem you really want a much larger and much broader work force than we currently have. we need a much bigger work force to deploy against the problem. and it needs to have an incredibly wide array of skills ranging from a lot more technically focused folks to help companies out with, and government agencies out with their immediate technical
problems associated with cyber security, but, also, people that understand how cyber security interacts with their industry. how it interacts with industrial control systems. how it interacts with our financial sector. so from a policy standpoint, from a legal standpoint. from the administration standpoint we are really trying to drive a connection with the administration's jobs training initiative. in fact, earlier this month we wrote out a whole slew of grants for community colleges and a lot of universities a lot of which will go to cyber security programs to support efforts in expanding that and of course, because this is washington we have an acronym for our efforts in this area, the national initiative for cyber education. it's a nice acronym. but that's really focused on sort of three different efforts. one of which is to expand a heat
map -- develop a heat map of where the cyber security jobs are, to really expand the cyber centers of academic excellence that are accredited by the national security agency and to expand the scholarship program that funds security related scholarships. in all of that effort we are really trying to just do what we can from a policy perspective to drive an expansion in our cyber workforce so that we have the personnel that we we need to address this wicked problem that we've talked about. i'm sure folks want to get into other subjects. >> you bring up great points to confront this wicked problem. you also say that it's really in many ways not that difficult problem. in hindsight when we look at a lot of the breaches that occur,
some of them are occurring because of vulnerabilities we already know about. it's not just an issue of throwing bodies at it, it's also a mindset shift. so how do you confront that issue? is it training? is it redirecting the existing workforce to do their job that they should be doing in a better way or is it a technical fix? how do you see that? >> i see it as a combination of all of those factors. some of it is facing the security upfront so that developers as they think of developing softwares and apps that security is just one of the aspects along with usebility or the interface that you consider when you do the development. so that's one aspect of it. another is really i think some of the ideas that are embedded in the cyber security frameworks of standards and best security
practices. as a best how you do think of cyber security risk? and really starting to embed thoughts about risk management and cyber risk management the same way that companies manage their litigation risk or their pickup truck risk. and that is something that you informs in to manage -- manage the risk. in other pieces of it is really understanding how to enable technologies and capabilities that are focused on how people actually have to interact with their information technology. so one example is killing off the password. frankly i would love to kill the password dead as a primary security method because it's terrible. but it has to be -- but when we think about replacing it, we have to replace it for something that is easy for people to use. >> what would replace the password? >> i think there's going to be a variety of technologies that
will be able to do that, some of which will be biometric related. you started to see some of that with the emergence of the fingerprint readers but also you can use the cameras on cell phones which are now ubiquitous -- the selfies are actually used for something besides posting on facebook. there are also, you know, all sorts of different related technology that are used for authentication which is easy to use because of the way that people use their devices, card, card readers, all of those factors will be combined. i don't think there will will be one solution for everything. there will be multiple solutions. there will be things that we really care about securing like your bank transactions and things that you are less worried about like the cat videos on dwrube. >> those are important. this being cyber security
awareness month, the monitor did a poll to see what people are doing to secure their security especially with the breaches we've seen. we found that half of the people did something to improve their network and half the other people did nothing. of the people who did nothing they said well, they're not really concerned about it. is that a realistic view of the current landscape given what we're confronting? >> so i mean, i think that cyber security -- you're not going to be surprised that a cyber security is an issue that affects everyone. the -- i probably would not be doing my job well if i said otherwise. but i do think that -- i do think that it's an issue that everyone should be concerned about at some level because almost everyone lives some aspect of their lives online either in the form of how you interact with a company, what a
company -- the data that a company might have on you. not people that are largely connected still their data is online in various places. so it's something that everyone should really have some concerns about. but i do think that what that shows though is that we still need to work on, again, i come back to making it available and easy for people to use and to do and to make it sort of security by default rather than something you actually have to work really hard at. >> so what would that mean "security by default" in terms the apps that people use on the website? >> a lot of this comes back to how do we do the development work to make sure that we're developing a secure code from the beginning. how do you have systems that are much more intelligent themselves about monitoring their own
activity and bringing the disciplines of things like biology and how do you have networks that are sort of have the equivalence of, you know, the t and b cells that live in your body that hunt down intruders so that it's sort of just present on the network? and all of that happens, you know, much more in the background rather than being something that people have to actively engage in. and it also, i think, is making the services available to both businesses and consumers so that they can set them up and be functional on their networks. >> should the government be pushing the private sector harder? this framework is nice. it's a framework. should it be mandatory? or should there be aspects of it that should be mandatory? >> from our perspective we firmly believe that it can remain a voluntary standard -- a
voluntary framework and still be effective. we actually have a long history of voluntary standards being quite effective in the united states. i think that ultimately it's the market forces that will really make that take off and go some place and that's the most effective tool that we can harnest in that yea. -- harness in that area. >> i think clearly we can -- anybody can look at the news can see that we don't have the edge. i think probably everyone read the "times" story about the white house being concerned about j.p. morgan. that shouldn't be a surprise. t the "times" article didn't know what they were talking about. we're glad you're here to fill us in. >> i think in general we have watched for several years, you malicioustrend of the
actors in cyberspace trying to target our political infrastructure and it is a critical par of our economy and definitely a critical infrastructure for us. obviously any time we see one of our major banks being targeted and successfully targeted, that is going to be a source of concern for the white house. i would put it in its more general context though that is the broad trend of the targeting of u.s. critical infrastructure and how is it that we can do a better job of protecting that critical infrastructure over the long-term that is particularly concerning to us? while obviously we are concerned with an incident that exposes that many people as that incident seems to have done, it's also the broader, longer term trends that we are very concerned about. specifically which trends? can you point to a few threands you are most concerned about? >> so if you look at sort of
three broad trends that you can ick out, one, we are hooking more and more stuff to the internet all the time. the so-called internet of things that has somewhat arrived, your coffee maker, your car, your refrigerator. they are threat vectors in cyber terms. that's made -- we talked about cyber security in a world of wired desktops. now we're going to do it with a big data vocal cloud, just throw in all the buzz words at the same time. that makes the problem just that much harder. >> right. >> we've also watched the malicious actors be willing to move up the threat spectrum. so now it's not just a matter of doing the digital equivalent of graffiti but they are actually willing to take destructive steps. we saw that with the saudi heir
in 2012. we saw that the south korean banks. we seen the attacks on our own institutions here and we also know that the tactics and the capabilitys that are available to the malicious factors are drawn. they don't have to use them yet. but we know and we can watch their sophistication growing. there's this myth now that a lot of these hackers are still the disgruntled teen in their mother's basement which there are still some of those. hacking is a big business. and they are run like businesses. many of these organizations actually operate along very structured corporate -- corporate lines. and so the sophistication is available and the resources available to them, you know, are far, far more extensive than say
10 years ago. so that's pretty interesting right because the hackers are many steps ahead of what we're doing now to try to protect our networks. given that that's the case -- should there -- when you think out this world of critical infrastructures. some of sort of critical. some are really critical when you think of the electrical grid or nuclear power plan, can you just pull the plug essentially? is that the best way protecting a nuclear power plant, for instance? >> so as tempting as that might be to do as a solution, i also don't think it's possible to line the clock back and not have some of these systems in a bold forward access. now i think you need to think about that. there are some systems that we actually decide we may want to set them up so that if you -- you may be able to get data from
them remotely but if you actually wanted to make changes to them you have to be physically present. you could set up the systems to do that. one of the rules that we have around our office is that expediency will trump cyber security every time. unless you specifically put in policies to prevent that, most people will take the expedient root. you find that a lot of times when the systems end up being connected to the internet it was because well, that was easier for the engineers to do their job. and that's true. but there is a security down side to that. and organizations need to think about that -- that convenience vs. security trade-off and do that as a more explicit risk population. in some cases it might be the case ha the asset is to particularly critical that you don't weant it connected up. that may be a risk that you want to live with putting into risk
than other compensating controls. i think that's something that need to be given explicit thought than sort of just letting it up. >> are there areas where you think we should limit the action. it's hard for me to say from not being deeply involved in sort of all the different aspects of all the different industries but clearly what i would argue is that's where the combination of the subject matter experts and the security folks in any given organization need to have some real conversations about the risk is and what the benefits are and really explicitly make that trade-off. one thing that's coming recently and debates in washington and the industry is this notion of having a professionalized cyber security workforce. in addition to have more trained people in the field or just more people the motion of somebody having someone that's certified
some way being suber security specialist. what's your view on that? >> i definitely think that cyber security will evolve as a discipline. i think it is becoming its own discipline. and it's not the same as some of the other technical computer science field and it involves bringing in capacities from other -- other areas. so i think it will evolve into its own discipline. i think having some of the -- some of those certify cases will be a good thing. >> so you yourself have had to learn a lot about this field. you're not a techy? >> i'm not. >> you took some grief for that in the press. what did you think about that? >> well, actually i was -- what happened during august on a friday. so that was kind of par for the course in washington. and it comes with the territory i think here. i think some of it though was a misunderstanding of what i was trying to say which is that the
-- and that was my point about why i think cyber security is such a hard problem is that, in fact, actually it involves a whole bunch of different disciplines. and in -- and we need a bunch of different disciplines in order to address the problem effectively. and so we certainly need -- and as i was mentioning our workforce initiative, a huge chunk of that will left to the workforce to run the fire walls and develop the software and manage the security systems. but you also need people that are savvy about cyber security from a policy standpoint. how to actually get organizations to make those risk management option. how do you get the government to actually do something? how do you get the bureaucracy to function? those are different skill sets.
if you look at, for example, the security on the council staff, they have an i incredibly wide array of people who are engineers but also people who primarily have legal backgrounds, people who have done development work and the international space. people who have spent time in the military. people who have spent time in lalmt because all of those are different aspects of the problem that we need to bring to bare on the issue. >> and i imagine your experience in government various agencies urries you with the cat issue? >> yes. >> you don't have any real power with these offeringses. do you think that rule has to change in the future? >> actually, i don't.
think that -- i believe that as with any of the white house bs a lot of it is with the soft power. as you work with the agencies and bureaucracies to get them to move it in the same direction. i think with -- you can be very effective in that space as long as you understand how that space actually operates. i think cyber is such a humongous issue that you're not going to be able to put any one person in charge of it in that sense. and i actually think that would be -- i actually think that would not work very well. and instead you do need someone who can get to the various aspects of the infrastructure. what we're doing in the military and national security space. you're never going to put that under one spot. and i don't think that would be
a good idea. >> can you give us a bit of an update on what you're doing in congress to get the cyber security legislation moving? >> sure. >> we've been heavily involved with working with the committees on -- relevant committees of jurisdiction in both the house and the senate to work on the legislation and make improvements to it and get it into a place that could pass both houses and the president could sign. we remain committed to doing that. obviously getting anything past on capital hill is quite a challenge. i think that we try to be realistic but it's something that we remain actually engaged with. >> we talked to mark before coming on stage and another thing in the news is that apple and google are strengthening
their security protections on their phone. something that f.b.i. director and the attorney general don't really like so much. what's your view on that? , if you k the issue is look at the framework. encryption is the best practice and increpting data in motion are obviously smart things to do. it's not so much that any increppingsilingts. it's how did the government and our law enforcement agents can continue to gain access in the information in a court approved process that doesn't put something completely beyond the reach of law enforcement. even things that are in face or other places are reachable by search warrant. and so we do want something that
the reach erly above in certain circumstances. use incrippings. sh -- encryption. >> this is a hard area. the reason that you've seen we've had debates about encryption going back decades. i'm the babb lonian from the greek side of it in some form. i think this will continue to be an issue that we will try to navigate. >> joul to talk to jeff about getting better hackers. >> we have time for questions from the audience. f anyone ice got anything?
"politico." can you talk about what's going on in other financial institutions? was it briefings in the context of just randomly suggest. sanctions? >> so i think the way to think about this is that we keep the -- part of our job on the national security council and is to make sure that the president and his senior advisors remained informed about the wide arrange of national security threats and so that was the context in which we were treating this particular issue. it is part of an ongoing investigation with the f.b.i.
service. i think it's something that we pay attention to the sense that we are mindful of all the threats to the critical infrastructure whether you're talk about the electric sectors the telecommunication sector and so it's put into that broadst context. any time we see successful penetrations of those kinds of companies it's something we're oing to engage on. >> you in the back. >> sorry to hog the microphone but i dough think anyone else had their hand up. thank you so much. i want to ask -- maybe it's a different question. i don't want to feel like i'm conflating things. is broadly one of the topics
the extent to which the xecutive that should be -- adhere to certain super scrute standards. thed a minute tration's admission they should not be pushing the pros because market forces can be seen. but then on the other hand you said expediency will trump it every time. in a week where it might have been increrted there are certain standards are in place. >> i would say that there's the difference between making something like the missed cyber security framework. saying that the government doesn't have any roll in controlling or pressuring the private sector to continue to using on and doing a better job.
and i'm always concerned about a regulatory framework that is, you know, the speed of regulation does not move at the speck of technology. we want to be very mindful. we have -- for example the framework technology, agnostic. that is different than saying that the government doesn't want to be involved with and work with the private sector to improve cyber security across the board. in fact, i firmly believe that one of the -- up with of the key changes we face is actually figuring out how the government should interact with respect to suber security. .t won't be a traditional it's going to be a new
partnership and that in fact, is what -- one of the defining challenges that we'll be working on over the next, would argue five to 10 years really is. how is it that the government at all levels is going to interact with the private sector on this issue. both within the united states and internationally as well. >> talk about hiring cyber security staff. they said that some of their main problems working have been salary, job structure and just also the issue of getting a job at the federal. by haven't seen much -- >> that was an understatement, yes. >> those are three areas that we haven't seen much movement on.
are progress on various avenues trying to address some of those problems, including prying to get broader authority for cyber security professionals. to make it easier to move them. once your in the federal government to address some of those question problems. i think that, you know, it's unrealistic for that will compete in the pry vas sector with sal. and so we can do a better job. we're never going to completely overcome that. we have to look at it with the kinds of works that you can do. and the other that you are not ready to focus. focus on those aspects of the job. it's a compli cailted -- tes certainly -- complicated area. we are trying to -- but i think
that overall we still have to work the workforce as a hole because. -- because of the limited talent pool. what's happening in terms of recruitment? are you showing up at m.i.t. and carnegie me lons to get the and ow is the revelation certain hurt that? it's a p.r. problem that plays out there. >> certainly we are trying to expand our earths. that they have faced overall have not made that any easier to do. i would say that, you know, we continue to try to focus on recruiting the best talent that we can. and -- certainly n.s.a. has
faced some challenges. they're revelations as you said. what's interesting to me is that across a wide variety of places in the federal government including our law enforcement agencies which more and more crime has moved online. so they have a greater need for that. for cyber a huge need security network. o i think that it's also something that we're trying to address holisticically. >> anybody else? >> i'm josh wiggins from inside sishe security. i was wondering what is thed a mintstration hoing to see come out of that and moving forward
with the framework? are >> what we areart of hoping for is trying to get some feedback. what has been your experience? what has been the strengths, what has been the weaknesses? where does it need clarification, expansion? we know one of the areas that was less well developed was how you measure employment. we still need more. development in that area. thingse of the kinds of we're hoping we get out of that workshop. a lot of experiences with how the framework works. >> hi. federal times. just to follow up.
i was wondering if you could talk about about what you're saying in terms of adoption of the framework, how you are measuring that, especially when it comes to government agencies? >> so, there are a couple of different aspects to your question. certainly, from our perspective, we've gotten a lot of feedback of sources, bunch including the sector coordinating council's, our different agencies that have connections with different industries, treasury with the financial services industry, the energy department with the energy providers. and our own connections with the tech sector. in general, the feedback has been very positive for the framework. sven companies that oftentime they will tell us, we are not going to completely come out publicly and embrace the framework, but we are using it internally. we're using it even if we are
not officially using it, we ar to measure ourselves against. in general, we are seeing more and more different uses for the framework. you are seeing different sectors come up with their own overlays for the framework. view success is one measure would be that when people start using it for things we never anticipated. that would be a good sign of adoption. gottentionally, we have a lot of good feedback from other governments, that they are looking at how to use the framework in their own domestic context, which we think is really important. you also raise the federal government itself. in the recent guidance that came out from the office of management and budget on the federal information security act implementation tying it ever
closer to the framework. cio's arethink getting tired of me coming and talking to them about how they need to use the framework, but that is clearly the direction we are moving in. we're bringing those principles in to how we manage the federal government's cybersecurity. we are developing an overlay for the federal government that's related to the framework. >> so, if say, for instance, jpmorgan, had you been following the framework, could the breach happened? >> maybe, maybe not. but because the framework is not a particular cookbook for a set of security controls. having more of the detailed knowledge, it is difficult for me to say. what then say is framework enables you to do is to start to think about how you manage your cybersecurity from a risk perspective. and so, what it enables an
organization to do is really have a way o confrontingp what is sometimes other seen as an intractablef problem. >> i think we have got time for one more question. the gentleman there in the white blazer. >> university of washington. >> you flew all the way in from washington. >> courtesy of the tech policy lab. we talk about, the jpmorgan breach, the target breach, and so on and so forth, and these are just reputational hits they keep on slowing in the media. but the reality for cybersecurity is you assume you have been breached, and you do something. there is a distance between them betterfeel like maybe not inform the general public. what are your views on how to bridge that gap. >> i take it back to the
framework. when you look at the framework, the very first thing the framework actually talks about has nothing to do it seems with security at all, which is identifying. what it's really saying is you have got to figure out what information you have that you care about and why. what edo you want to protect it from? is it exposure? or do you want to protect it from?regulation -- from manipulation? that starts to define how you protect it. then goes on to say you have to be able to detect when the bad gotten past your defenses. what are you doing to recover and respond to them quickly and then recover from that? i think the part of the way you have to address that is as an organization, you need to be clear about your holistic approach to handling breaches. all the way from the beginning -- this is how we have identified the information we
care about. here is why. here is what we are trying to protect it from. if something happens, here is our response. here is our metrics for how we are going to respond and how we are going to recover. organizations have to learn how to treat that whole process from beginning to end as part of the cybersecurity problem, not just which isct part, the part that is easy to get focused on. i would argue that one of the things we have been working on in the federal context is those back end pieces, the response and recovery part of starting to build the machinery inside the government to not just do the protection but also the response and recovery mission. >> there has also been talk rogers about mike developing offensive measures in cyber security. a lot of what we're talking about are defensive measures, preparing ourselves to go out
and confront these issues where they arise. any thoughts on that aspect of this? >> so, there are a couple of different aspects to that issue. one of which is i think that the re are many tools you have to think about in that context, one of which is -- there a couple of different ways a think about it. cyber issue isa going to necessitate a cyber response. the proper response might be a diplomatic response might be a law enforcement response. it might be one that occurs in cyberspace, or one that we do through law enforcement authority. it is nevertheless true that cyber operations are going to become a much greater part of statecraft. they have become that over the
last 20 years. and that trend is going to continue. so, i think that as a government, one of our challenges is to begin to figure out how we talk about that policy development and how we talk about what the rules of theroad are in international environment. we want to start talking about how we establish what the norms of behavior are in cyberspace. things like you do not target critical info structure in peacetime. you don't harm critical infrastructure in peacetime. you don't steal intellectual property for the benefit of your message companies. like that you treat certs hospitals, that they are off limits so that they can continue to do their functions. so those are the kind of norms we want to promote. so i think it is another area that is going to involve a lot
of policy work and development. >> clearly, we could spend the whole day just talking about that. we have time for one more question if there something else. yes? >> i'm an attorney at steptoe and johnson. truman did a lot of work looking for the passage of cyber legislation. it appears that the president them apped forward couple of executive orders. it seems like there is a limit how far the government can go in implementing the needed reform for the private sector without some sort of carrot or stick. wondering, looking at certain things, what to think the prospects are in the coming passage ofr comprehensive legislation and what are the ramifications of it does not pass? >> i've bee n in
washington a while, and i've learned that there are two things you do not bet one. one is the weather and the other is congress. i think it is very difficult project on that score. i know there are a lot of people chairman hill, like the call on the house side. on the senate side, you have a number of senator whitehouse and carper and others that have b een involved in the cyber issues. is senator rockefeller on the commerce committee. so there is a lot of interest in cybersecurity legislation. i think from the administration's standpoint, one ourg that has evolved in picking is that i do think that it will be easier for us to get smaller pieces of cyber legislation rather than one, giant comprehensive bill. so a lot of our efforts are involved that getting whatever we can past in what ever -- on
what every vehicle we can manage to get it attached to, as long as the policy and the legislation itself is acceptable. so i think that is one thing that i would say we are trying as a different way to go about it. continue toill press forward with doing everything we can, and there is a lot we can do under existing authorities. we do need to eventually get to legislation, and it -- we'll eventually have to get there. but i think we will eventually. and we will continue pressing forward with what policies we can under the authorities we have. >> great. thanks very much for coming in taking the time to talk with us. >> thank you very much for having me. i really enjoyed it. [captions copyright national cable satellite corp. 2014] oning performed by national captioning institute] >> we ready? much.thank you very and now we're actually at the best part of the day.
so i'm glad all of the state here. bates, president at the center for national policy. welcome to the home of the truman project. we have a great panel. we have heard the view from 1600 pennsylvania avenue, but we also wanted to provide you with the take from the private sector and from some of the leading thinkers in cybersecurity and cyberspace this nation has to offer. we handle the emerging threats we see in cyberspace? can we increase our economic competitiveness, national security while keeping privacy protections and bein innovative leadersg? if so, what are the trade-offs that must take place? these are tough questions. fortunately, we have with us three people that are well- qualified to take them on. i've known our first guest for over a decade. how about that?
frank was present at the creation of the homeland security architecture of this response toarose in the attacks of september 11. during that time, he was appointed by president george w. lysh to serve in the new created office of homeland security. he served as a principal advisor for the first secretary of homeland security, tom ridge, and directed the president homeland security advisory council. government, he joined george washington university where he established the homeland security policy institute. and frank is an associate vice president at gw. co-director of gw's cyber center for national security and directs the university why strategic effort along with dhsael chertoff, the former secretary. peter singer to my right is an
author of multiple award-winning books. i have a few in my office. work.ay have read his he is a leading expert on what we would call 21st century national security challenges. ehe soaring institution -- th smithsonian institution lists 100 leadingf the innovators in the nation. he is listed by defense news as one of the 100 leading anchors and defense policy and by foreign policy magazine as one of the 100 global thinkers who are most advanced on all these issues. "s most recent book is cybersecurity and cyber war." are you able to say the title of your next book? >> no. >> stay tuned.
his last book was named to the reading list for the u.s. army and navy. his faking is present in the armed forces today. he's contribute editor at "popular science." he's a consultant to the u.s. military and fbi. he was at brookings and is now at the new america foundation. friendmy right is my new jeff moss. glad you could make it. he is one of the most sought-after courses in information security. he has spent the last 17 years as founder and director of black of the moston, two important security conferences in the world. jeff has the ability to bridge the gap between the underground researcher community and law enforcement, which is not easy. he also bridges the gap between pure research and responsible application in information systems.
appointed to the homeland security advisory council. chief security officer. he has been a keynote speaker all over the world. wasprior to black hat, jeff a director at secure computing corporation where he established professional services departments there. thanks for being with us. the way we will do this is i will ask a couple of questions. we were just in my office. i wish we had a hidden camera there, because it was a fantastic conversation. not to put the pressure on. you can interrupt each other, whatever you want to say. the we'll go to you, audience, pour your thoughts and your questions. we look forward to that. andor questions thoughts. i was watching a movie from 1996, in the lead character had to stop at payphones. figure about how the world has
changed. it seems hackneyed, but this is a unique moment in human history where we are able to access the power of information, individuals empowered to a degree they have never been ever. and what does this mean for national power? it would follow that the nation that is best able to use these technologies and adapt to them is going to have the edge in securing its national security and prosperity. so i suppose my broad question is how are we doing on that? and where are our biggest failings? in particular about the workforce. preparing tonow in education and training american workers and those who need to serve in government to understand information networks and cyber? jump ball.that
you can focus on government, and peter on society. jeff, you will get to interrupt. the disruptor. all right. theee, your example was payphone. nowadays, there is no anonymity like you had the pay phone. at least that guy could not be tracked. >> i try to tell my eight numeral son about prank calls and what a loss it has been to society that we have lost anonymity. >> the first hackers were phone freakeres. thank you, scott. it is a privilege to join you here today and thanks for your leadership on all these issues. at the getere there go after 9/11. very briefly in terms of the workforce, needs, gaps, deficits and also looking forward, stem issue.'s aa s
we need more computer scientists, engineers, more technical skills that can address some of these problems, including design and engineering we can start baking security into the design of systems, components, parts and the like. i see my friend mike who's doing good work at northrop grumman. we have a paper coming out of those issues. but in addition to the technical need, which i think everyone more or less recognizes and understands, there is also the need to get cyber into every other discipline. so we need to look at it from across multi- and interdisciplinary perspectives. in addition to having the cyber needs, there is al component of international affairs andaw -- and law and public health where you have health and i.t. which brings about new vulnerabilities
in systems. so one of the things we're trying to do at the university is how do you integrate all of these pieces? how to get diplomats who are cyber savvy that are technicals -- i talcall it -- one community that understands policy and the other that understands technology. what you have not seen is that integration. and i think that is the greatest deficit in terms of workforce needs going forward. more stem. women in particular, i would like to see more women involved in stem research, which can get to cybersecurity jobs. not as a footnote. i might note that i think that the navy does this best, where all midshipmen are required to take a cybersecurity course. all our services can learn from that and universities can learn from that. it's not an either/or. if you think about strategically, it's its own
domain, but it also touches every other domain -- air, land, sea, space. we need to start thinking from an education perspective the same way. we need cybersecurity experts, but we also need others, boards of directors me to start asking with tim had an op ed plenty on what question should board members be asking management to fulfill their oversight responsibilities. it's a workforce issue. and the government, i think it's a recruitment problem as it is a retention issue. if you want to play with the cool stuff, you go to the nsa. >> is it that the personalities that are drawn to this work to not fit into the bureaucratic structures of government, or is that too simplistic? >> promotion pats are still fuzzy because we do not have a clear discipline, but i think the bigger part of that is once they get good, they can get 2 1/2 times their salary in the
private sector. >> thanks very much. he seemed like he wanted to say something. >> oh, nothing. >> peter? we need more hackers. >> i was going to see the problem on this panel is we're going to agree a lot. maybe we'll see. this topic is too often framed as a technology issue, and we fo issue.at it is a human it is a human issue whether you are trying to understand the threat that is coming after you. it is a human issue if you are trying to understand your response to the threat. it's definitely now a human capital issue. you can think of it as a human capital issue in a number of ways. we can frame what frank was saying. there is both the cyber workforce issue, and then there is the broader aspect. the workforce issue is best illustrated by the fact that in
of homelandpartment security had roughly 40 people working full time on cybersecurity issues. that number has been multiplied by over 50 since then. and of course, they are not stopping. they are not saying, we met th e e need. ate that and repaeat it every government agency. government.el add it on the private sector side. out atme gap is played both large technology companies, carmakers, two small furniture companies. you see that we have a classic supply and demand issue playing out when it comes to talent. meetey here -- how do we the talent?
it is a good time to be somebody with the skills. it is a bad time to be competing. it is a story of retention. it will be an interesting retention problem for the u.s. military, because at the same time you are forcing up captain so-and-so who was the best company commander in afghanistan we have ever seen, you are going to be doing bonuses for the e gghead who is really good at cyber. i wanted the other part that frank said. across everything the field, you will be dealing with cyber is sues, yet there is a training gap. mba program teaches it as part of your management responsibilities. >> you got a cyber mba? >> there's a cyber mba. i am talking about the person
who goes into human resources and goes into operation and goes into legal, the person who becomes a board member. not in cyber. it is the same that plays out and how we train our lawyers, are journalists who are dealing with cyber issues both on the cyber beat, but by the way, on all the other beats. if you are a sports reporter in houston, one of the sports team d and you had to cover that story. we have this human capital gap. don't just take about it as training the stem folks. it is for all of us. i would add -- the need to teach our kids basic cyber hygiene. >> jeff. >> well, that is a lot of follow-up on. i want to declare victory hopefully in 10 years when we stopped speaking cyber in front of everything. because really we need to get to that point where it's baked in. cyber is just risk management.
when you tell board members that, they go ok. what are my risk-reward trade-offs? a lot of times we treat it like voodoo. >> only the guy in the back can understand. a couplewas an op-ed days ago sid said, why cant the this? -- solve it to root of it, none of me seems like rocket science. there is bad code being written. let's go to the root cause. how do we get better code written? you start looking into it and there are no good textbooks that teach people how to program securely. there are plenty of textbooks to teach how to program.
they are full of programming errors that introduce security bugs. from junior high, high school, college, all of the examples -- everyone is learning how to use -- full of security problems. a fundamental level. these go to google and you want to learn how to write a sort algorithm. the examples of pop up are full of security threats. the search engines are full of bad code. how about somebody gets publishing text books with good examples? there are steps we can take. yet, instead, we will pontificate about super advanced google insider out rhythms. let's teach people how to program before we get to the moon. it gets frustrating. >> can i pick up on that point? there is the, what is the role of the government and what is the role of the private sector and the individual? it is a shared responsibility. we need cyber hygiene.
washing your hands saves more lives in surgery then actual surgery. in some countries. but obviously, that is not going to help with surgery. what we need is a tiered approach. let's get to the baseline. in an ideal world, we want to get to that 80% solution where government can then focus its resources on the high-end threat after. the government should be focusing on, because what is new about cyber is companies, even the biggest of companies, did not expect there are in the business of defending against foreign intelligence. nor should they. but they should be able to focus on the high-end threat actor and anything below that, so they are thingsting involved in that honestly private sector is better positioned socially, from a partisan standpoint, and technically to be able to address. then if you get this citizenry, the equivalent of cyber hygiene, you can get to a point where you can actually prioritize limited
resources and deal with it. noise lowering the threshold. >> where they are best positioned. >> you are mentioning threat. let's go there before we throw it out to audience for questions. let's say you are advising the president. so, we'll see that on c-span later. what is the largest threat in the cyber domain or for american prosperity and security, knowing that you have limited resources to handle these threats? of intellectual property? or is it some kind of malicious attacks from state actors? where should we be putting our resources right now? >> you want to start? >> i'll kick it off, because i
think i have been a little bit outspoken on this. i think that there is far too much discussion and focus on the of cyberarrative terrorism -- >> pearl harbor. >> cyber 9/11. cyber pearl harbor are terms that have been used in government documents. >> we have got to quit attacking pearl harbor. >> cyber terrorism, there have been over 31,000 magazine newspaper and academic journal articles on the phenomena of cyber terrorism. there have been zero incidences of cyber terrorism according to the fbi definition. i'm not saying there is not a risk of it. we have shown via our own weaponry that you can do damaging things.
we kn that there is a potentialow here, but there is a difference between putting out warnings of the cyber califate, but yet adding in fine print that says, they do not have any capability. >> "coming soon." >> compare that. that is a real threat. you mentioned the other, which i do not think we do enough on, which is something that is real and bigger which is the massive campaign of intellectual property theft that we are the victims of the largest theft i n all human history, when you bundle together everything from joint strikes -- the most expensive weapons project. to oil company negotiating strategy issues. small furniture makers to pretty much everything -- every think tank and university in town. that has both definite economic security consequences and economic security is national security, but also, i would argue it might have real
consequence on the future battlefield 10 to 20 years from now. i do not think we do enough on that compared to the easier discourse on cyber 9/11. >> let me interject because frank, i am hearing shades of what we faced after 9/11 when we started up the homeland architecture, which was it was all guards, gates, and guns. we take out a yellow pad and list every potential threat. it was not a lot of risk analysis. so, we're saying we need to apply that more rigorously. ch, of course, i fundamentally agree with. it is an issue of secure coding. that and other things. let me, i agree with much of what peter said, but let me do a shade of difference. not all hackers are the same. not all capabilities are the same. computer networks avoid -- exploit the theft of data and the theft of individuals'
information. of the list. top anyone who has an attack capability has to have an exploit capability. if they can exploit and they have the attempt to do so -- and they have the intent to do so, they can attack. you have to start getting to a point where you have to start peeling back what the threat is. at the top of the list are peer nations with the united states. russia, china. they have capabilities, they are investing, they are engaged in computer networks exploit. engagingincreasingly in computer network attack. after the russias and chinas, you have got countries that are, what they lack in capability they more than make up for in intent. this is iran, north korea. given the size of their gnp's, they are investing heavily in computer network attack capabilities. do not under estimate that. i think that any form of future
conflicts will have a cyber component, either from a collection standpoint down to an attack perspective. so when you are looking at who is most likely to an attack, probably iran and north korea because they are less a turbo been russia and china. underneath that, you have got criminal enterprises, notably eurasian, russian speaking criminal enterprises that now have the capabilities that used to be in the domain of countries alone. so they can do the equivalent of a cyber drive-by shooting that can have major economic consequences as well as kinetic consequence. haveunderneath that, you got terrorist organizations. for the most part, they are in the business of propaganda. their look at isis, propaganda machine is sophisticated. but it is not kids with iphones as everyone thinks. they took over tv stations. they have the same production capabilities that major networks
have. so they may turn to computer network attack, but they do not have that capability yet. but they are increasingly building that out. and then you have got hackiviti sts. we have got to get more clear and concise when we start talking about what that threat is. ngt i don't disagree that comi soon, it tends to be the issue. i think we want a mirror image. we know what our own capabilities are and expect that it is not five years out in terms of r&d. it is not nuclear capabilities that takes billions of dollars. >> jeff, your thoughts? >> i will just say, i agree. it is intellectual property theft. that has got the big dollar tag. me, too, plus one. thumbs up. like. me, for also say, for
more of a nonmilitary nongovernmental perspective, it is really that we have entered to medium where small businesses are defenseless. you are screwed. if you look at the economics, security is a sick economics. if you have got skills, you want to get -- who's paying better -- google, microsoft and apple. the best talent feet uphi -- f biggestill to the companies. that leaves the small to medium businesses with the b and c teams. a situation where the company is in the middle are defenseless. g store-bought solutions because they do not have custom integration. they are buying whatever the last guy in that job said to buy.
we are moving into a situation where i really worry a lot about of service attacks because they are well understood. there have been press practices around how to defend against them f-- best practices around how to defend against them for years, but they do not do them. they don't mandate them. allar all the stories about of these great technologies we're going to deploy, and i'm thinking to myself, we cannot deploy well-understood, low-cost denial of service prevention for 20 years. what makes us think that we are going to go solve this next generation and take this challenge head-on? we cannot even cover our bases. so that has led me to this -- if you look at our trajectory, its complexity from here all the way down. and complexity is only going to accelerate with the internet of things and all these other technologies. so we are never going to puasaue or go back and fix things.
we seem to run faster and faster, leaving this trail of vulnerability behind us. doom don't like predicting and gloom, but everybody always -- you always sit around have a beer, and say when is it going to end?it is going to take a big cyber event, and then we will fix everything. we all have plans on the shelf, and the minute something gets cyberized we get funding. tohink it's really up to us protect it, but we also have to realize that we are overreaching, i believe, thinking we are going to solve these complicated problems when it is a lot of basic stuff we cannot even tackle. the confiscated discussions, but at the end of the day, i always go back to if you cannot defend against denial of service attacks -- like the iranians attacking wall street. that's wall street. they have got a lot of money. and even they are having problems defending against 0--- you see the capacity that some
organized crime groups have. it is frightening. my doomsday scenario in this area is a couple of small to medium businesses get bumped off denial of service attack. they get put out of business. another small to medium businesses that go out of business because of this, what government is going to let their sme's go out of business? the government is going to do something to save the day. now they are in their regulating, because the industry has not handled i t, because the technology providers have not handled it. we've only had 20 years. at some point, the government is going to say enough is enough. i cannot have my companies going out of business. that is going to be the forcing function where they're going to say you have had your chance. that is the friday scenario to be in. >> within this doing gloom, there is some positive news that is playing out from the bad things that happened in the last year. you mentioned in the article that you are working on.
so, the target breach was bad for target in many, many ways, billion-dollar bad. but because there was punishment in terms of the marketplace, punishment in terms of people losing jobs, punishment in terms of the board being threatened with a recall, it sent shockwaves throughout numbers of other boards and bringing attention to this. we are seeing action happen. what i am getting at is that there is, in this aura of cyber insecurity that surrounds us, we are seeing a lot of the needed actions that have been put off for a long time moving forward. we are seeing the building of the awareness that we have called for, seeing the education. it is not fast enough. it is not good enough, but -- a better place than we were three years ago.
i hope we can change from the mentality from thinking that we have to defend against everything to instead become resilient. power our way through. is way i joke about it squirrels have taken down more power grids than hackers. you add the wall street scenario. squirrels have taken down wall street trading three times. hackers have done it zero times. you will never defeat or deter squirrels, but we have figured out how to be resilient against rockey and bullwinkle. we will never defeat or deter all threats, but we can become more resilient. >> a sustainable war on squirrels. we can do that. >> and groundhogs. >> i promised that we would engage with their questions. so please, anyone who has a thought or question you would like to share. yes, in the back?
[inaudible] hartnett. the center for naval analysis and the defense counsel member at truman. topic brought up earlier was the idea of establishing -- you'll do ipr threat. heft. is there a way to get china to the table to talk constructively inut this issue, when reality, it supports their main drive of the communist party which is economic development. how do you go about doing that without using coercive means. naming and shaming is not working for the most part. thank you. >> i will take it. i mean, that is a great
question. the way to think about it is we talk to turn in the various threats. you deter actors. you don't deter cyber. you build up capabilities, make more secure design, but when you are starting -- when you are really looking at intellectual property theft, and when you're looking at the role that china is playing right now. they have it the best of both ways. the luxuries of being an emerging economy, and they have gotten none of the responsibilities of being a power. they are a power. the reality is is it is very mercantilist. why spend view, billions of dollars in r&d if you can steal it and put that money into market share? an flip side is they have overheating economy. i am not sure it is very easy for them to stop or to be able to address in a full, transparent kind of way. though,e optimistic,
that at some point they have got as much to lose because they have got investments spread out, including in the united states and in our debt. at some point, it hits that tipping point. i do not think it has hit that tipping point just yet. i think naming and shaming a significant. the fact that the mandian report can get down to individuals was significant. this is not smokescreen discussion. they were able to show specifically who is behind that keyboard doing what. the department of justice indictment was also a powerful statement. that's not going to be the end state solution. once you start looking at how security into trade discussions, you're starting to see -- let's go from the nouns to the verbs. i think the real place you can
have greatest traction is going to be more three economic leverage and discussion. >> i would build on that. it's classic cost benefit. right now they are saying extreme benefit almost no cost. that mandian report was powerful, except that unit -- i think it was 90 days until then they started up again. hyou got -- you got 90 days of rest. part of how to get to this is not only making it harder on the attacker. it should not be just picking ripe fruit. we've talked a little bit about that. but the other aspect is take it to venues that they care about. so, a pennsylvania courtroom is a wonderful place for a lot of reasons, but it is not going to be visited by those five chinese --dividuals who indicted who were indicted.
it was a warning shot that may have been a partial statement, but it had no impact, except on some of the american businesses that lost business because of it. i would argue a better venue is figure out venues they care a bout. and not merely.bilateral trade talks . but the wto, which has been crucial to their economic rise. and it offers you a setting to play on these issues that they would start up a little bit more attention to. but again, the key is don't think of this as purely a space for talk. to have got to move action. the other part of it is recognized that some of it is never going to stop. this is the game that nations play. my british friends find it very funny that we talk about intellectual property theft,
given that we, our economic rise was based on some intellectual property theft in what britain was doing in steam engines. war, we wereld able to come to tacit agreements with the kgb. like the other stealing information, but we were able to accept the moscow rules between this is the kind can do,theft you but these are the kinds of actions that move us into conflict. so this behavior we do not like it, but it is acceptable. versus this is a behavior that could cause the shooting war. to give an example, it may greatly disturbed me that your stealing from a defense contractor. i do not like it. i am going to do everything possible to stop it. on the other hand, when you start mucking around in particular networks or power grids, wow.
you are doing something that is raising a different kind of alarm for me. >> gerareat. jeff? the civilgo for society side of this which is, i think we sue everybody. because if you look in these discussions, what is missing is a lot of lawsuits. how many american companies? is google suing anyone in china? they are probably going to lose. if you do not try, you do not set precendentdent. then the whole world could watch their court system play monkey games. then the whole world could say wow. or whichever country it is. to microsoft and sometimes facebook. microsoft is suing botnet organizers. why is it just microsoft?
why is there not a huge association? i can donate money to doctors without borders. where do i donate my $10 to sue cyber thieves? there is no outlet for me as a civil society person to say, go get them. all our conversations orbit around what can government do? i want civil society to sue people. >> i think we have just created a new nonprofit. >> i have found lawyers that have lined up and said, i am first. i find the conversation two-dimensional. >> i get it. >> go for it. >> we don't want cybersecurity to become a cigarette rest -- wrapped in asbestos. i want a free market driven. >> it is not working.
>> you have got to the point. there is a difference between like safety systems and critical infrastructure where even what would be defined as less than root cause is a serious set of issues that should ring bells. but what i think you want to be able to get to is where does the market fall short from their? -- from there? house we bridge that gap? that is where you have got the mix of carrots and sticks. it becomes the president, and then it becomes check the box. i can go back to business as usual. norm?t's the cyber there are no civil society norms because they are not engaging. >> thank you. let's go for another question from the audience. yes, please, with a lanyard
there. >> the notion that things are getting better as far as corporations approving cybersecurity. i'm wondering if there is one way to incentivize that moving faster because yes, target took some hits, but some boardrooms might've gotten nervous, but home depot did not get nervous enough to take action. u and proof that process because some of the worst case is that were talking about four years ago are happening now? >> thank you. a criminal justice major. and criminal justice majors, we love data. so you can make an informed decision. there is not good data on any of this. 8 different breach notification laws. every state has got something different. if you are target, you're going to spend the next nine months figuring out you have to expose what to and when, as opposed to taking that energy and resources
and fixing the problem. i'm an advocate of a national law. it is going to have all kinds of problems with special interests, but at least we get uniform sets of data that we can start finding trends. we talk about -- i was a big believer that the market was solve thi i cans look at.speeches from 15 years ago where i was like, the market is going to save the day. people by product based on features. , you can say this is got twice as many features. but probably twice as many bugs. people buy on more features. so the market has definitely failed us. then we were thinking the insurance companies would save the day, just like it forces up to build better automobiles. insurance companies will give a lower rate to microsoft or something. becauset build tables there is no good data. so then the next thing -- the
where we are now -- the only thing we have left is regulation. and that is a really scary proposition. i really wish the market did it. it.sh insurance did we are running out of options. >> this actually connects back to the last -- there have been some great things the executive branch has done, but it can only go so far. laws.not write and pass we get have an argument, but roughly we have not had major cybersecurity legislation since the iphone 1 came out. fan ofs -- i'm a creating standards. job -- argue a very good good job of reaching
out to private industry, but at the end of the day, standards are something that the best companies will surpass. the average company will meet, and the bad company or unable company will not meet. i look at this room right now. there are these things that are pink exit signs over all the doorways. and they are they are not because the builder here was exceptionally nice. it was because at the end of the day, there was law here. this is not just in terms of notification. but you mentioned in the question, you made the parallel between target and home depot was recently hit. there is a fascinating illustration of the power of the law, which is how you are affected by the home depot hit depended on your nationality. so same company, same breach, your experience depended on whether you shopped at the home depot in buffalo, new york, or
the home depot in toronto. because in canada, they have got chips. in pretty much none of the canadian customers were affected. whereas the american customers were affected. there is only so much that the marketplace can do on its own. at some point, government, legislation, has to play a role. it's been absent. >> when the biggest gap in legislation, multiple bills out there -- is to facilitate the sharing of information. so you have got public-public to ensure that information be shared across and between all our 9/11 issues. public-private, private-private. i mean more in the role of more active defense, where companies can take a little more proactive steps, not taken down servers in beijing or wherever else, but at least to be able to collect forensic information that can be shared. right now that is the big
impediment. so once you get to the facilitation of information sharing. once you get to some of the -iability exemption - only if they're doing what they need to be doing. they need to meet that. because the framework -- i am a big supporter of, but it really is a plan to plan. eisenhower said in preparation for battle, i found plans to be useless but it can be indispensable. it is important, but it is not going to be the end state. if you do get to that point, then you can have other lovers that i think ultimately get us to the point we are getting at leverscan have other that i think ultimately can get us to the point we are getting at. >> does anyone have a question that can be answered in two minutes? and thise, which is, is maybe in a lightning round. 32nd response. >> go! >> they do not even know what we are talking about.
here it is. in the lame-duck session coming up, is there opportunity for some kind of cybersecurity security legislation? what have you been hearing? you think that might happen? failing that, how does it look next year? >> i'm just happy that finally the executive branch gave otherity to dhs to scan executive government facilities for vulnerability. dhs is going to have authority for dot-gov, and they cannot even scan. they're learning more about what is going on in the government for reading private sector researchers. there is such a big disconnect authorities and capabilities. so i am happy that we do not need legislation for that. federalt dhs and agencies taking care of their own business, and they do not need external legislation for that.
i think you can can still make lots of progress. like the continued diagnostic monitoring. i am a big fan, because that is going to force changes down the road. i do not think we have to sit back and say, without legislation -- >> i'm putting back on my government hat. >> three things. one, because it has been delayed so long, it has become a logjam. encond, you have got snowd how issues relating to that are connecting over. and that i believe, unless that'll slow it down. third, well i wish it was the other way, it is always a safe bet to bet against congressional action and energy. >> fair point. an optimistst is with experience. i am somewhat optimistic. i would not hold my breath because we have all been around
this road a number of times, but at least you have bicamerally similar bills. dianne feinstein, chambliss, gillibrand. the are not trying to boil ocean an cover everything. they do have discrete bills on the house side. the feinstein bill aligns with the rogers bils. ls. got the houseave homeland committee bill which also is not a separate bill altogether. staff and members actually working across yurisdictions that rarel happens. i always say there are three parties. republicans, democrats, and appropriators. now you are starting to see them work across chambers and across parties. so what i bet on it?
absolutely not. i am not a gambler, but at least there is momentum. >> thank you very much. i would like to thank all of you for attending this conference today and talking about one of the most challenging policy areas facing our nation. essential to our security and prosperity in the 21st century. and i am optimistic. after hearing what i have heard today that we are moving in the right direction. i would like to also thank our partner, " christian science monitor" for making this possible. please join me in thanking this fantastic panel. [captions copyright national cable satellite corp. 2014] [captioning performed by national captioning institute] [captioning performed by national captioning institute]
>> next, remarks from world bank president jim yong kim yesterday and what eagleburger -- about the global response to ebola. christine lagarde talking about the economy. more about ebola on this morning's washington journal. brady died in august. a memorial service will be held this morning at the newseum. will besident biden attending the ceremony. live coverage on c-span. the house home and security committee will hold a field hearing in the dallas area to hear from decisions about the state's response to the ebola virus. thomas eric duncan died from the
disease wednesday. the first person to be diagnosed in the u.s. with ebola. live coverage of the hearing starting at 1:00 p.m. eastern. student can2015 competition is underway. for middle and high school students. it will award 150 prizes totaling 100 thousand dollars. create a five-minute to seven minute documentary on the topic "the three printers and you -- " the three branches and you." minute byt be some january 20, 2015. grab a camera and get started. on thursday, world bank president jim yong kim called for increased funding to deal a break in west africa. he spoke at the international monetary fund-royal bank annual meeting in washington, d.c.. this is 25 minutes.
thehanks for coming to press conference to open the tiny 14 world bank-imf annual meetings. dr. kim will give a statement and then we will take questions. the 20 14th world bank group-imf annual meetings. 3 topics and then i will take your questions. i've just come from a meeting focused on the ebola epidemic. we had an extremely productive discussion. president conde from
guinea with us and president andn johnson sirleaf on video kuroma conference. they made requests as to what they need. could have an enormous impact. the world bank released a new economic impact assessment that said if the epidemic is not quickly contained and if it spreads to neighboring countries , the two-year regional $36ancial impact could reach billion by the end of 2015. one of the things secretary of the department for international development in the u.k., justin -- every pointed out day we do not invest in stopping
the crisis is more dollars and pounds that we are going to have to use later. it is an extremely good investment right now to prevent this kind of loss and put all the money on the table to get the response going. the world health organization needsstimated that liberia 364 medical staff. sticking points medical lack of evacuation. the european commission and the u.s. have now committed to medical evacuating health workers and other workers, the responders. a major roadblock. with the announcement this morning, i think we are on a much better path to be able to staff the response. the second subject, i'd be happy
to talk more about the other outcomes of that meeting. second subject involves infrastructure. i will be launching a partnership initiative, the global infrastructure facility, at mobilizing the private sector to tackle the infrastructure deficit facing developing countries and emerging markets. we estimate that these countries need $1 trillion a year and extract investment through 2020. the global and the structure globaly, the -- the infrastructure facility represents collaboration between is additional investors and the world bank group to unlock billions of dollars. it is significant that the heads of some of the world's leading institutional investors will be as partners. institutional investors have deep pockets.
pension funds have 80 trillion dollars in assets. less than 1% of pension funds are allocated directly to countries. it's a lack of bankable projects, a sufficient supply of commercially viable and sustainable infrastructure investments. this is a new concept that can be piloted quickly and does not require tens of billions in new resources. the aim is to crowd in the tens of billions or more potentially that's now sitting on the sidelines waiting for good investments, and we can bring those investments off the sidelines by addressing issues like risk. my third topic involves the fight against cholera in haiti. today we're pledging $50 million to help improve access to safe water and sanitation for all haitians aimed at preventing water borne diseases. later i'll be sharing a conference witth