Skip to main content

tv   Politics Public Policy Today  CSPAN  October 31, 2014 1:00pm-3:01pm EDT

1:00 pm
issue. but i have think it's an issue whose time has come. andrew was talking about that. because of the need, because of the labor force, because as tom donohue was saying, we see this -- you look at young people, we are talking about a $4.2 trillion problem if you look at the lifetime of those young people if they are not engaged in the work force and are changing demographics. people recognize it's important right now. but at the same time, often people have looked at young people and thought, we have to get them young. 3, 4, 5-year-olds, much more attractive cohort to work with. but now people recognize that it's incumbent upon us to work with young people. now we know more about what works. we know -- kathleen was talking about the national academies foundation. we know with urban alliance. we can look at europe. we can look at other programs and see that if you have blended programs that involve work and more businesses are engaging those young people, that not
1:01 pm
only do you get great interns and apprentices but you get great hires and people who know your business. we also know that if you start earlier with pathways -- this is work we are doing at the aspin institute in 21 urban, rural and tribal communities, that you also bring in those hard skills. we use the term soft skiills. these are difficult and important skills. you bring those together with support services that you have much better outcomes at the end. so i think we're getting to a point now where people recognize the imperative. we know more about what's needed. we're moving further and faster and now we are also applying evidence, the type that urban alliance is doing with the urban institute, other programs around the country that we can talk about. so we're getting better evidence. we can apply it to the programs. we have continuous learning. we are doing this across sector. but one of the things i will say and am so proud we are here at
1:02 pm
the chamber doing this, it was so wonderful to hear tom donohue and the passion in his voice about business being involved and we have other business leaders here, that it's hardest to get business to the table. and i think one of the things we saw in the psa is that that comes attached to tools, to help businesses better understand how to do this very important work. >> tom, you are deeply involved with urban alliance, morgan stanley is also another committed organization and partner. but you have spent a lot of the last few years thinking about around the world and the role that countries where their youth is not engaged, what kind of affect that has on the culture and the health of those countries. we are not in the same consequences as some of the countries you spent your time worrying about. but do you see some commonalities and in larger
1:03 pm
imperties for the country in this work? >> it's a very good question. before i answer, let me say it's remarkable that 20 years ago, andrew had this ridiculous idea. when he called us and said i want to do something about youth employment, great, i want to find a job myself. and we are sitting here 20 years later with the vice president of the united states. with the leadership of -- [ applause ] putting her life and soul into the organization. my dear friend mary who took the chairmanship. [ applause ] go figure what happens when you have a crazy idea. obviously, thank you. at least from the morgan stanley perspective -- i will talk about the world. but from morgan stanley's perspecti perspective, the easiest thing to do is write checks.
1:04 pm
we get hit up. we can write a check and call it a day. every time i triy eied to do thi get a call that says we don't want the money, we want the job. come on, just take the money. no, we want the job. then it dawned upon me a few years ago what they were trying to achieve is life changing. i know this sounds a little bit -- a little larger than life. but think about it for a moment. a kid who is 16, 17, 18 years old is able to get a job at morgan stanley for the summer. for the rest of that kid's life, every time he walks into an employer and applies for a job, they will see marriott or bank of america on that kid's resume, on their application. immediately, they will say, wow, if they can work there, then obviously they can work here. it is it -- i don't think any of us understand the impact that that has in -- you have to have a job sometimes to get a job. as tom donohue said, you have to
1:05 pm
look for a job. but you got to get a break. urban alliance is that break. i encourage all of you who are the employers here to understand how important it is to get the job. the arab spring was really a youth revolution. some fruit vendor lit himself on fire and it caught on fire literally throughout the middle east. it was all about youth unemployment. which is it 30% in many arab countries. in places like libya and equgye it was hope. when you have no hope, you act out. so our view from the u.s., luckily we don't have those issues. but don't make any mistake about it. we have a responsibility when youth unemployment is at 14% and frankly substantially higher in the african-american and hispanic community. we have a responsibility to step up and do things.
1:06 pm
from our spperspective, we are trying to do something to move it forward. >> kathleen, you work around the world. our country here at home is becoming more and more diverse. more and more people who come from backgrounds from family from those countries that you serve around the world are here. so many of our own work force is becoming much more diverse. and yet there are enormous disparities between the access to education and access to job opportunities for different parts of our society. how does that play into the work that marriott is doing and your thoughts about that challenge for our country? >> first of all, our customer base is more and more diverse. i mean, the volume of international travellers that come to the united states and stay in hotels is approaching 100,000 -- i'm sorry, approaching 100 million visitors
1:07 pm
thanks in part to tom nides and the work he did at the state department to get vis is a vist here. people want to go to businesses where they see people like themselves. if you are a millennial, you want to see millennials. if you are african-american, you want to see african-americans. if you are from the middle east, you want to see people from your country. if you are from hispanic countries, latino countries, you want to see people like you. the diversity of the country here is an asset. that's what i think you see in a lot of these urban schools and even rural schools increasingly in programs like the urban alliance, in programs like the national academy foundation. the schools that we visit generally are majority youth that are the first in their family to go to college and they are disproportionally from immigrant populations. and these are kids that when they do get these opportunities
1:08 pm
for these internships and to get mentors, generally, graduate from four-year colleges when they never imagined when they started high school they would have that chance and their parents never imagined they would have that chance. i actually think in addition to the programs that the schools are doing and that the non-profits are doing, it is that third ingredient which is the corporate engagement. that's why it's a win win for us. but it's so inspiring. andrew was talking about how companies feel and how a hotel or bank branch feels when they have these youth in them. the engagement of the rest of the employees is astounding. we do a program and for 25 years have had a program here in d.c. and serven other countries calld bridges. it focuses on kids with disabilities, a whole range, which you increasingly see in the urban schools as well, learning disabilities.
1:09 pm
we find that when we place those youth -- we have about 100 that go through the d.c. area every year, 1,000 that we support through the seven schools across the country. it has been 20,000 youth that we have graduated. when you put one of those students at the front door of a marriott hotel, that student becomes the center of a family in that workplace. it motivates everybody to root for their success, to support them. actually, has this ripple affect to the rest of the work force at that institution. to see things like that, you also realize it's not just the gift of giving that young person a job and an opportunity, it's actually the gift you are giving your company and the rest of your work force for having the opportunity to work with them. >> melody and tom, i'm going -- we have two more minutes left. i'm going to ask for very short, quick comments. we are trying to figure out what works here.
1:10 pm
what are your -- from your experiences so far, what are your 30 second thoughts about what it is that works? >> i mean, from -- it's about partnerships. it's about joining existing organizations that have got proven track records. the clinton foundation is doing something that is pushing towards youth employment. you need to grab on to existing programs who have great platforms. and it's about having metrics and proving the facts. when i go back to our firm and sit down and talk to the people who are mentoring the kids and they are the advocates to increasing and enhancing our commitment, i think it's really grabbing on organizations that exist, putting your efforts towards them and not trying to reinvent the wheel. there's no need to. there's great programs like the urban alliance that exist. you should put your money down on that. organize around existing programs. >> melody, what works? >> yes to what tom said.
1:11 pm
i would say, blended programs that blur the line between high school and college so students can start to get credit before they even leave high school. programs that include that critical work experience. and that includes xhm s compan just interns or apprentices but potential hires. i have seen this work. time is short. but there are other examples like that. i could go on. i will also say this. we have to step just looking at this as a program by program solution. we are program rich. but we are system poor. we have to think about how these programs work together and how we leverage them in larger systems. we are talking about at least 6.7 to 7 million young people, many more that we can bring in and bring into our work force. >> i want to end with you, andrew. i think as tom mentioned, it's got to feel like a pretty extraordinary moment to have seen the evolution over a
1:12 pm
20-year period. and i think about mary and jeff and yourself and the other board members of the urban alliance are here. >> and tom. we won't sell tom short. >> karen i know one of my friends karen is on the board. you guys must feel really terrific about it. what's your biggest -- what has been your lesson learned and what's your hope for the future? >> i was really glad to hear melody say it's not easy. we shouldn't be polly anna about the fact that this is easy to do. businesses have to push the envelope internally to make these programs viable. and it's a lot easier for businesses and we learned this really the -- in the early years, a lot easier for businesses to say no to tom's point, i will write you a check, all sorts of hr reasons, we can't put kids in the workplace. it's easier to not employ youth at this age and to get companies
1:13 pm
to understand, to kathleen's point, how successful it can be for the company and for the youth is really the next leg to make these things scaleable, to get companies out of their comfort zone and embrace this in a way that says, this is going to become part of the fabric of our company, that will be true success 20 years from now. >> we're going to close this with great hope and high expectations for achieving that great success. i think eshauna will come up and bring us to a close. let me say thank you and ask you to join me in thanking this panel and the work that they have done. [ applause ] >> thank you so much to our panel, to sarah, many thanks, melody, kathleen, tom and andrew, thank you so, so very much. another round of applause for them, please.
1:14 pm
[ applause ] thanks for you all for being here for sticking in with us. we are just about there. i would be remiss if i did not again thank the united states chamber of commerce, mr. tom donohue and his team. thank you so, so much for this opportunity to be here today. thank you to them. [ applause ] and we heard about a lot of good work happening today. and we also -- i hope you are leaving here knowing more and more that there's a lot more to be done. with that in mind, i want to do something really, really quickly. i want to acknowledge urban alliance's 2014/2015 major partners. without you, we could not do what we do and put young people in the meaningful job opportunities. i want to go ahead and just -- raise your hand or stand if you are okay with that as i call your name.
1:15 pm
bare wi bank of america. [ applause ] capital one. corporate executive board. [ applause ] we will clap after everybody. d.c. children and youth investment trust corporation. deloit. the mire foundation. fannie mae. [ applause ] freddie mac. the harry and jeanette wineberg foundation. marriott. morgan stanley. new signature. [ applause ] northern trust, who is in the room all the way from chicago. [ applause ] mr. rob sobani. the advisory board company.
1:16 pm
[ applause ] almost there. the community foundation for the national capital region. [ applause ] the mariah fund. the morris and gwendolyn foundation. the united states office of personnel management. and a new partner coming online with us, the united states patent and trademark office. [ applause ] for our virginia program, the urban institute. [ applause ] venture philanthropy partners. [ applause ] and last but not least, the world bank. [ applause ] one more, usaid as well. thank you.
1:17 pm
[ applause ] we thank you for indulging us to do that. this work cannot be done alone. it's done in partnership. we have to make sure and we want to make sure that we acknowledge all of our wonderful partners who many of the folks that i just listed have been with us since the very beginning. we wanted to give them an opportunity to raise their name here today. there are so many, many ways that you can get involved. urban alliance staff in the room have information that you can take with you. they have cards themselves. we will be following up with you. that is what -- you will hear from us probably more than you want to. but just look out for that. again, i want to thank all of you for being with us today. just finally, on a personal note, today is very personal to me. about 24 years ago, a man by the name of earl hupp who owned a cpa firm gave me a girl from
1:18 pm
inner city los angeles a job when i was just 15 at his cpa firm. i had to commute there two hours a day. i was paid $5 an hour, which was a lot of money. especially working 40 hours a week. and i was able -- the biggest thing i remember is that i was able to buy all of my own school cloe clothes that year when i became a sophomore from the money i saved up. but more importantly, the confidence i got from the job, the tasks i was given, it made me feel like i mattered. and so without that experience, i really wouldn't be here today standing before you. so, please, just walk away doing whatever it is that you can to help more young people access those kinds of opportunities. thank you. [ applause ]
1:19 pm
watch all of these debates saturday on our companion network c-span. join us tuesday night for
1:20 pm
live campaign 2014 election night coverage. starting at 8:00 eastern, see who wins, who loses and which party will control congress. engage with us on the results on twitter or facebook. screeria --
1:21 pm
with live coverage of the u.s. house on c-span and the senate on c-span2, here we compliment that coverage by showing you the most relevant
1:22 pm
congressional hearings and public affairs events. on weekends, we are the home to american history tv, with programs that tell our nation's story, includesi i story, including se ining six u stories. history bookshelf, the best known american history writers, the presidency, looking at the legacy of our nation's commanders in chief. lectures in history with college professors. and our new series, real america, features government and educational films from the 1930s through the '70s. created by the cable tv industry and funded by your local cable or satellite provider. watch us in hd, like us on facebook and follow us on twitter. october is the department of ho homeland security's cyber
1:23 pm
security awareness month. more security protocols into information technology products like smart phones, tablets and computers. this event is one hour. >> i'm don baptist, co-founder and head of bloomberg government. we are thrilled to host an event on cyber security. when we started back in 2011, we had the as sppiration to make better, faster decisions. part of that was convening conversations around the important topics that face our nation, particularly at the intersection of business and government. in cybersecurity fits that bill. last year, we did a study and looked at public company end reports to see over time has the mention of government risk increases.
1:24 pm
it has. over the past few years. with went back to the same methodology to look and see what have companies said about cybersecurity? in 2010, out of all the u.s.-based companies publically traded. how many companies do you think mentioned cybersecurity in their annual report? thousands of companies. 20. a total of 20 companies mentioned cybersecurity four years ago. the world has clearly changed in that time. in fact, bloomberg government has written 172 pieces that talk about cybersecurity. we have held dozens of events and discussions on it. we have recently created a marketplace that identifies all the cybersecurity contracts by the federal government. it's a new world and i think we're thrilled to be partnering with homeland security on this topic and on this event. we have a great group of panelists. thank you for joining us today to discuss this very important topic.
1:25 pm
with that, i will pass things over to sandy reback who will moderate and who is our senior technology analyst. >> thank you for joining us today. i would like to welcome in everyone who is watching on our live web cast. we will have questions and answers among the panelists here. we will turn to the audience for questions. we can take questions on my ipad as well. this seems to be a great time to have something that may actually help us in cybersecurity. it seems like if not every day, every week we hear about a new major cybersecurity incursion. the names go on and on. all of us have gotten used to home depot most recently under j.p. morgan came in and wiped that off the pages. my colleagues wrote an article saying there may be 13 other financial institutions that may be victims of the same hackers.
1:26 pm
it's a great time to have the panel we have here today. i'm going to give brief introductions. you have the bios in your program. to the far side is andy ozment, assistant secretary of cyber security and communications at homeland security. next is angela mckay from mic microso microsoft. next is ben strahs, security and infrastructure engineer at facebook. to my right is parisa tabriz, security princess at google. i talked to don to implement some of those titles here. he is considering it. i guess my first question is, we're talking about cybersecurity. we are hearing a lot of that about that. we're not sure what it means and we're not sure if it can help.
1:27 pm
i guess starting with parisa and down the line, can you tell us what your company is doing? we will come back to that when we talk about the internet of things. build-in cybersecurity, what's google doing? >> i should probably preface by saying, i'm an engineer. i joined google as a software engineer or hired hacker. i come at this from an engineering stance. i manage a team of engineers that are -- our goal is to make the chrome browser secure so people can browse safely. when i think about imbedded cybersecurity, there's the technology standpoint. as an engineer, i tend to think about that first. but in my experience at google, for seven years, i have come to appreciate the people and the process part of that. now i'm a manager. i have thought about how we have scaled in the past seven years to where we had a dedicated
1:28 pm
security team that was able to support all google products at the time and how we have had to grow that model to support all of the engineers and also implement processes that can make security part of the whole software engineering development life cycle. there is key technology, but i do think remembering the people in the process part is important. >> good points to follow up on. ben? >> i'm actually also from an engineering angle. we try to actually minimize risk across the entire organization by finding common security pitfalls or mistakes and coming and building frameworks or tools that eliminate or reduce the possibility for errors. we are part of one of several security teams that are other particular focuses. but actually, i think that's right, that there's a human element to it. one of the most successful things we have done at facebook is we have empowered everyone at
1:29 pm
the company not just in the product and engineering organizations to think and care about security but across the entire corporation. we run several programs to encourage people to report security vulnerability or security issues they think might happen. it highlights areas we need to focus on that we might not have otherwise seen. >> angela? >> perfect. you will see as the panel goes down, we are going a nice blend of engineering experience and policy experience. i have an engineering background and security engineering at microsoft. but i'm part of a team that has been -- i was joking -- forward deployed to help work with policy makers in key regions as they continue to struggle with the issues. as was noted earlier, the world is really lighting up with concerns about cybersecurity. microsoft's commitment to the series of issues is longstanding. we stood up and organization called trust worthy computing over 12 years ago that consider
1:30 pm
security, privacy, reliability and transparency in the practices that we engage with our customers. a lot of that has evolved over time. i agree with the comments of my colleagues here in terms of thinking about policy, process, the human element and training. but maybe what i would add is applying it across a framework of protect, detect and respond. while we are thinking about what the right policies, procedures and techniques are in tooling, you want to look across and doing the right thing in design, engineering and coding, making sure you build in knee turs that help people understand current state and manage operational security and at the same time also really engage actively in the response process. as we all know or hopefully most people know, there are going to be vulnerabilities in hardware, software and services and collectively we need to be able to ensure that we can respond to those to make sure we serve all
1:31 pm
of our customers' interests. >> andy, if you could address really what the government is doing. we have heard a lot out of the national institute of standards and technology, which put out the voluntary cyber security framework in february. recently, there have been a number of speeches over the past year really talking about the need to design in cybersecurity. if you could talk about what the perspective is and what the u.s. government is trying to achieve. >> we are tackingling this from different approaches. you have r and d to support development the tools and even concepts about how we build things more security in the first place. you have standards, as you mentioned, for example, nist standards. to a more practical end, the fda released a set of guidelines in the past few weeks for medical device makers and what they need to take into account as they build medical devices.
1:32 pm
not prescriptive but recommendations about how they think about incorporated and making the devices secure. the department of transportation did the same thing for smart cars. a car that drives itself. you probably care about the cybersecurity of that car. there's this spectrum of government activity from the more forward future looking r and d to guidelines to individual sectors. then i think we often don't necessarily think about this as part of building security in, but awareness is part of it. we have to create the demand for secure products in the first place. the work the government does to ra raise awareness about cybersecurity and need for companies and individuals to secure themselves, i think that itself is going to feed the market. >> just maybe so i can understand, when we talk about actually -- i think people have an idea what have it means for personal cybersecurity and taking responsibility in the processes and safeguarding
1:33 pm
passwo passwords. most people have a less developed understanding of designing and cybersecurity into architecture and design. from the company side, would anybody like to address what kinds of things are we talking about? >> make it work and millions of lines of code, people contribute to it from 20 different places around the office. everyone needs to be thinking about security. this is why we don't focus on any specific technology but principals. one of them, for example, is defense and depth. the idea is really that we need multiple layers of defense. you can't trust one because there will be holes and bugs. we need to make sure that if one, you know -- if something is penetrated in one place, there's something else to protect against it. now, the actual interpretation
1:34 pm
of that really varies depending on what your role is in chrome. whether you work on user interface and are a designer and thinking about what you are presenting to the user that maybe has security implication or whether you are a systems engineer, there's a technology called sandboxing or whether you work on some other part of the product. what we try do to is think about the principals and people can interpret them on their specific role and specialty. >> anybody else? >> i think a huge benefit of having a dedicated engineering security team is that they can do things like focus on common security pitfalls or vulnerabilities. it turns out that many of the issues that we see coming across a broad spectrum of companies are the same class of problem. we can focus on fixing those. one of the ideas that we leverage is that we wand our engineers to make decisions that don't have security impacts. when they build a product, how do we minimize the potential to
1:35 pm
make a decision about security? we come up with frameworks. they do reasonable things about default. it eliminates problems. i think defense in depth is important and being able to have an extremely quick response to issues. one of the ways to really flush out these sort of things is bug bounties. the idea that we can pay external security researchers for disclosing bugs to companies that use software enables us to fix problems before they are exploited and give recognize where recognize is due. >> i'm happy to add in -- what i love is these are many complimentary answers but a few different angles. one of the things that we have been doing and i know other companies are using awell is something called the secure development life cycle. this really starts to look up front of the coding and think about the design of the system, where are there going to be data stores, where are there going to
1:36 pm
be flows, what is the surface area of exposure to attacks. when that piece is called threat modelling. we are looking before you start doing coding about what is going to operate in that system, what are some of the potential areas for vulnerability. when you move into the coding experience, one of the things that we found is really important is integrating, like ben said, that directly into the coder's experience. so in the tools, as they are working on things, it's not like i need to check and see if i'm allowed to do that. in their actual tools you may have things like, we know certain functions in code typically can often result in a vulnerability. the get function is one of those examples. so that's kind of banned in use. and then there are further activities down stream about ensuring as you do the process that you are building in the response element. because there will be issues found. we need to be agill in responding to them. >> an interesting thing that i think we have a commoncommonali.
1:37 pm
we have a reward program and for our web apps. as i was talking about how you think about building a specific piece of software with defense in depth, also this software development life cycle needs defense in depth. we have coding guidelines and best practices where possible we will build frameworks to mitigate vulnerability. i'm sure you can't always make software to solve all problems. that's why you also have to think about bugs and finding bugs and paying for bugs. it's something that i think a lot of our neighbors in silicon valley have been doing. but it's a hot topic in terms of should you be paying researchers for bugs? >> andy, there was a recent presentation that -- there have been several. the words that struck me were, there's a national imperative for building stronger, more resilient information systems. and this is coming across in many speeches from people from commerce and from nist. i guess my question from a
1:38 pm
governmental perspective is, there's a national imperative. how do we get the private sector to take up? is that something they will do on their own? if they are, is that sufficient? >> you know, i think let me talk to why there is a national imperative. you are hearing from organizations that are primarily energy technology organizations. they are doing great work and are forward thinking. but as you leave the world of organizations that are primarily i.t. organizations, and particularly as you look to the future where we will build information technology into almost every devise that we interact with, whether the refrigerator that people have joked about for years, whether it's your car, you name it, the world of the internet of things as we call it, when everything is internet enabled, security is that much more important and relevant to your life. is it a national imperative? absolutely. we are reliant on information technology.
1:39 pm
that will only increase. if we build devices to be insecure, they are hard to update, improve, where he in deep trouble if we don't start off with more secure devices. to your question, how does the government help bring about that change? can we leave it to the market? the approach of this administration is to take a voluntary approach. it goes to some of the activities i talked about earlier. even the fda issuing a guideline to help medical device companies who haven't necessarily had to think about cybersecurity before, start to consider, all right, as i ready a device for market, i have to think about cyber implications. if you look at the fda guidance, it's high level. what it does is walk you through a risk management process. think about the threats. think about the impacts could be. and think about how you mitigate the resulting risk. it's a good approach to take. the same for the department of transportation's guidance for smart automobiles. that's one area. giving guidance to sectors who
1:40 pm
are new to thinking about this problem and helping them understand it's their problem now, too. that they have to be engaged in the solution. i think just to highlight another point i made, everything we can do to raise awareness, whether at the strategic level, making a ceo better understand that cyber security is imperative to the company or whether it's at the more operational leave egg he will, putting out threat information so that people who are on security engineering teams can understand what the bad guys are doing in the real world and how they can defend. that's a huge role for the government to play as well. >> i just wanted to follow up a little bit. you mentioned fda guidance which came out within the last week or two, i think. i guess i would like to understand that a little bit better. the fda says these are things to consider in your design phase. the medical devices then go to the fda for premarket screening. presumably, the fd awia will loo
1:41 pm
see if the things they recommended are in the devices that manufacturers are trying to get approved for the market. does that make some of the recommendations have -- maybe they are not obligatory but more of a mandatory basis? presumably if the fda sees a device and it does -- it hasn't considered these things, it may not approve the device for sale. >> so i will be honest with you. the nuances on the fda's approach are more than i know. what i will say is to agree that's true, i think that's a reasonable case to make. the fda has a mandate to ensure that medical devices are safe. what they have said in the guidance is, tell us about the approach you have take ton understand the risks that you have in the devices, the security risk and what you have done to mitigate them. it's extremely light touch. we don't know yet. i don't think anybody knows how that will play out in practice, because it's just issued guidance. but i think it's a very good way of giving direction, creating a
1:42 pm
north star so that the device makers know which direction they need to be heading. and then letting them identify the best way do did for the market they are in and the risk they face. >> i will soon open it up to the audience and online, submit questions. we will turn to you for your questions and participation very shortly. one more question, maybe starting with the companies. we are hearing a lot -- we heard a lot over the past year or two from combhps th companies that security services, offering to come in and fix things after there's a problem. what we hear a lot is that everyone will suffer incursions and it's going to be a matter of containing the incursion once it occurs. there's not perfect cybersecurity. i guess my question is, the kinds of things we are talking about building things in and the design and architecture phase, how much of that problem can we take off the map? is some of that going to go
1:43 pm
away? no security is perfect. how much of the problem that we are seeing now with all this hacking going on, can we take off by building in some of these things from the get go? anyone want to take that? >> i will jump in on that. i know it looks like angela might have a few thoughts. one of the things i will say is, almost any time you look and an intrusion upon a company or government, you name it, it starts with a vulnerability on a piece of software that faces the outside world. something that can be touched by the internet. there's a vulnerability, whether that's an actual coding flaw or whether it's a system that lets you try to log in with a different password. either way, that's a design or implementation vulnerability. that's the first step. a second step is once you are on that computer to take advantage of another vulnerability and gain what's called administrative privileges. to become all powerful in the network. two of those incredibly key
1:44 pm
steps on almost any intrusion volume taking advantage. >> it's not always. >> not always. >> there's also humans. >> humans are huge. >> that's actually -- i want to throw it out there. it's not always a vulnerability. it's the fact that humans trust each other. social engineering is an faekive way to get into an organization and one of the things it i'm always hesitant or -- about is when people think technology alone or really any one thing is going to solve this problem when there's a big human aspect. there's motives that drive humans to want to get into an organization. these things are larger than the internet. those are things i want -- >> that's a very true statement. we absolutely can't forget the human element. i totally agree. >> maybe i just add in -- your blunt question was, will we be able to stop these incursions? tieing together the two points from my colleagues here, i think that we may be able to minimize some of these. but when you go with however
1:45 pm
many lines of code that are getting dynamically updated in cloud-based services and all of the humans who are touching these machines, it's going to be impossible to stop the incursions. i think it is really good that we do think about the defense in depth, how to engineer detection capabilities into the architecture of our networks and then making sure we know how to contain incursions that do occur and limit the consequences of them. there's some really interesting work going on now in architecting systems where we all know there is no boundary. but there's more work now around identifying data who have -- data or systems who have similar type of risk and working to manage those that have higher risk with more resources and more attention than some of the others. there is going to immediate to be pry organization done. but we cannot stop all of the
1:46 pm
incursions. >> i think another point when i come from with chrome, we try to innovate very quickly. i do know how to secure a computer completely. you unplug it from the internet, dump it in a case and you drop it at bottom of the ocean. it's completely secure. it's also completely useless for the purpose of it. one of the things i always -- it's risk management, as you said. we won't get this perfect. but it's because we are trying to innovate and do a lot of things. the internet is -- it can be a scary. but it's becoming powerful in terms of what we can do. it's important to think about the balance of making sure that we can continue to innovate as well as continue to keep it secure. i agree with everyone that there's never going to be an absolute solve problem here. >> i agree that it's not going to be absolute. i think there's a couple really easy steps that we can do to minimize the human factor of it.
1:47 pm
at facebook where he in the middle of an exercise where our security team attacks our employees for the month. if you report an attack against you, you get a t-shirt and public recognition. what's cool about this is we have gotten over half of the company to join in internal discussion group about security matters and participate. but better, in august, we get these reports, are you sending it early? here is this speer fishing e-mail. that's not us. that's a real attack. thank you for reporting it. you can still have a t-shirt. getting people engaged about security and feeling they have actually empowered to make decisions and when they do their job they there are security things they should be considering is really hard. i think there's novel ways we can do that and we should focus on those as well. >> let me jump on that. that's totally awesome. october is national cybersecurity month. it's an innovative way to make it very relevant for your own organization. what i would ask everybody who
1:48 pm
is in the room and who is watching or listening online is your organization taking the same approach. don't send out an e-mail to that tells people to watch out and have a long password. what can we do that's relevant for our organization in october to really drive home the importance of security, to address the human element that's going to be a part of the problem? >> on the notion of a hacktober, i would like to turn it to the audience. if you have a question, please indicate. there's a question over here. just state your name and affiliation and off to the races. >> sure. you talked a lot about the human element, mostly internally. how do you breed a user base that's secure where security aware -- users are some of the best testers. they love breaking things. how do you go about that with your various organizations?
1:49 pm
>> i will say that we do try to provide education and ways for people to raise awareness about security and learn about these things. at the same time we're a browser. we serve a whole spectrum of users. some of whom can't read. i take a conservative approach in how afeblgive education can be for users. and we try to have as much safe and secure by default as possible. as we have described, for that i think it is -- chrome tries to be opinionated whether it comes to security. we build in security, safe browsing, which is technology that is in chrome but also available for our browsers, services. and it is backed by google looking at the entire search index to see which pages it thinks are malicious, maybe serving malware or fishing
1:50 pm
pages. if a user tries to navigate, if they were to load it, may -- they may be social engineering attack. it looks like your bank but it's really evil. with safe browsing, can we can tell that and we don't let user navigate to it and show a warning, safe browsing detected this by phishing. so we have resources to describe what social engineering is and what phishing is, but i think go try to make the software as opinionated at possible to just make it so people don't even encounter those threats in the first place. >> and maybe just to add to that point, you know, the message that comes up from the browser is one of those incredible things. i think technology companies are really starting to fine tune the kind of information that we're providing to users to help them make more informed decisions. one of the classic examples that used to occur in ie was, you know, a pop-up window would come up and say, this may be an unsafe site. well, awesome.
1:51 pm
i don't know anything additional from that than i knew before eyebrowsed to that site. so we've worked to do similar things, like providing users information that enables in em to make better choices. the other side a little bit on the internal is, thinking about what incensivizes folks to do security. soap i talked a little how we can embed the development practices into the actual developer's tools. one of the other things we needed to look at, how do you compensate employee whose have different functions inside of the overall development life cycle? you don't want to have folks focused on perhaps review to the compensated lower than those who are doing development. so this has been -- i'm going back many, many years at this point, but i was really thinking about what are the inseptemberive structures that help drive human behavior to improve security? >> other questions? yes, a question right in the back, please. >> yes. sam with icf international.
1:52 pm
as the framework starts to make available standards for cyber security in critical infrastructure, which has a lot of embedded systems, i'm curious to think, to ask what should be our expectations over time and investment in upgrading a lot of the legacy operating systems that are embedded in power plants, in pipelines, and other infrastructure? how can we use secure life cycle management to em prove the cyber security of a centrally embedded set of operating systems associated with critical infrastructure? >> so, sam really hits to me one of the harder challenges we face. if you look at critical infrastructure like power plants or dams or water treatment facilities, they buy expensive equipment that historically was never intended to be connected, reachable in any way via the internet. that you never upgrade or install a patch on it, because it's supposed to be running ought the time and you can't break it. this is incredibly difficult,
1:53 pm
and we start with a really tough legacy base of this equipment that has often now connected to the internet, but is, like i said, was never intended to be so. so -- one of the things that i think that raises, there's actually two things. one is how you operate it right map what are the connections you put in place allowing it to continue to run. the other, you build that security in, as you do the upgrades you start off with more secure equipment in the first place. the third thing we haven't touched on, almost taken for granted but hugely important. you could have the best software development approach in the nation, in the world, you're still going to have vulnerabilities and design flaws that have nothing to d to do wi so you have to have ability to fix it. issue patches and update that
1:54 pm
software. for all of these organizations that are building up the internet of thing, building out the systems underpinning our critical infrastructure, it's also about that life cycle. how do you patch it over time when you find the inevitable vulnerabilities that will be out there? sam, you asked in some sense, ho you do we -- what's that market look like, and what are those companies going to do? and the answer is, do what their business compels them to do bp yaud great their legacy systems over time. a big concern, how do you make it to install these systems that last 20 years. i can't solve the ones built 20 years ago but we can do what we can so when they buy a system now and install it for the next 20 years, it starts off secure. >> as an excellent point, one of the -- so chrome had a huge advantage in that we were able to learn security is important from browsers, from ie and a number of other companies. one of the distinguishing things which doesn't necessarily seem like anything very exciting with
1:55 pm
security, but it's probably our number one -- the thing that makes me excited about security the fact it does automatic updates and chrome ware does updates because it's true. there will always be flaws and the advantage, we can roll out people without them having to be annoyed by it. i get annoyed by updates, too, and don't always want to install security updates because i have to stop what i'm doing or reboot my machine. one of the, i think, things i hope to see in operating systems on embedded device, whether running african structure, or a f fitbit, without users having to opt into them. >> one other great point that maybe hasn't been mentioned, which the folks building icht cs systems, we work a lot with these vendors to talk about the secure developmental practices our organizations have learned, were ut one of the other things you start to architect the new
1:56 pm
system, you'll be able to start using virtual machines to be able to manage the availability requirements of critical infrastructures and still do updates. this would be something where i think we would like in a lot of the consumer environment to continue to see the automatic updates, but what we've experienced in the corporate environment is that, you know, people want to do testing of patches themselves. to understand particularly in these high availability systems if things might break. so you need to make sure that you have that right model on updated and do think about the innovations occurring that can allow systems to update when they have high availability requirements. >> from our online community, paul in washington had a question which kind of ties in to this as well and it's basically to paraphrase, why do companies take building in krcyr security so seriously? a marketedability?
1:57 pm
competitors doing it? out of the goodness of our heart and if it is a market imperative, do those things also apply in a situation like some, the power grid, where it's a utility, and in may not be the same kind of market forces at work? anybody want to take that on? sure. >> so i'm from google. and we, a lot of users, entrust us with their data, and if we lose their trust, we no longer exist. so, i mean, it's from day one. i think if people don't trust users -- then we have a problem. our purpose in that sense. >> i'd be very surprised if you did not hear all of us say it's a market imperative. exactly what was said. the trust of our customer, and the continuity of them trusting us and continuing to work with our business requires us to address security, privacy, reliability. all of those component factors
1:58 pm
of trust. you know, in diggs, you know, the second part of your question was, do the market dynamics exist in other sectors? and i think that's an area where you do see some variation, both between sectors and among subcircuits about what the market dynamics are. this is one of the areas where i think the executive order from the administration has worked to provide a baseline of what a kind of reasonable approach to cyber security risk management could be through the cyber security framework, and then provide the ecosystem time and incentives to see how they can affect the market dynamic to drive adoption of better risk management practices. >> so -- >> i'm sorry. just to completely focus it and to try to pull in sam's question from before. so let's talk about the power grid, for example. or other parts of the economy that are utilities. and you're hearing from a lot of these companies that this is expensive and they need to
1:59 pm
recover these expenses through rate base increase, and these kinds of thing, before they can really go back and retrofit legacy systems. what do you think? >> that actually goes to one of the points i was going to raise. one of them is, absolutely, it's expensive. there's a degree we've been realizing benefits of the i.t. revolution without paying the cost of security around accepting risk. that risk is catching up with us. so absolutely, you know, security doesn't come for free. and that's a challenge. if you're in a rate-based market you may have to speak to your state level reg later about whether you need to make rate increases or other prioritization resources. to angela's point, you as companies up here with me, you very much feel this market imperative and there's another aspect to it, though. the market can respond, because the market gets fairly ready evidenced whether or not your products are secure pap fairly fast feedback cycle.
2:00 pm
those that don't interact at the he of these products, whether it's the control system that controls your power grid, feedback is much less clear. one of the areas we do a lot of recertain in if you're a power plant and want to bay secure system, how do you obtain which is secure? you'll hear a lot of marketing claims but how do you as a consumer, a power plant buyer of a system know which system is more secure? a lot of work that continues to need to be done in that space. >> questions from the audience? a question right here in the second row? in the middle. a mike is -- coming. >> carl with netchoice. one of the things you mentioned was balancing. balancing's security versus usability and famous windows vista example of the pop-up notification showed what can happen if you have an emphasis too high on security. 10 what steps have these three
2:01 pm
platforms, windows, facebook and chrome, taken to meet that balance between security and usability? >> so i want to just head this off, because it's -- i think security need to consider usability. i don't consider them often at times the solutions that are proposed to improve the security of some system, having usability trade-off, but i don't think that has to be the case and the best solutions are going to have both. so in terms of what is chrome doing, we have -- chrome security team. about 25 people that are completely dedicated to making chrome secure. the whole, everyone in the project has to think about it. ip think of security like speed. if we want the product to be fast, everyone has to think about it. not just one team, but we really -- are experts on the problem. some of my engineers are very interested in the technical architect chir pieces of it and
2:02 pm
there's five people dedicated to the user experience of it and really thinking about all the warnings and what we're showing to the user. and their backgrounds are, you know, from a completely different computer science and also -- academic and background in psychology and design to think about these problems. but the best -- i think security does have to consider usability, yes. i don't think they're absolutely at odds >> i think that's exactly right. a lot of our problems are that we actually don't always understand why users feel that they've had an insecure experience. so we've recently tried to codify how many people reported they had a poor experience on facebook versus how many can identify, yes, your account was accessed inappropriately. you've been phished on by another site or some other issue and we've actually reached out via survey to users asking, why did you have this bad experience? it's really teaching us that people don't always have the same mental model.
2:03 pm
even with a simple product, a password, getting people to understand what exactly that means is hard. so instead we've sort of molded our product if we think you're having a bad experience we'll say, hey, are you worried about the security of your facebook account? down load this app giving you two-factor authentication. here's how it works with a nid video. userability is a part of security. we have to get 1.3 people to use it in a secure fashion, being much better about the feasibility. >> echoing the comments. you highlighted what taught a lot of industry. a rough experience going into the base of the operating system and work to upgrade security were all the secure development practices i talked about and usability was affected. much like these other companies have said, those are integrated functions now where you're bringing together competencies from across different skill sets. it's like parisa said, no
2:04 pm
loaninger the technical eck tos need to be involved but the humanity side's we have to bring a lot of create tifbty into the security discussions, because the folks who are malicious actors are pretty darn creative, too. so we need to have that combination of the engineering mind-set of being structured and process oriented and the creativity to help innovate in this space. >> other questions? yes, right up here in the front row, please. >> gabe goldberg, free lance technology write perp there's an interesting public/private partnership you ka ecalled infraguard. power, water, transportation and everything else and the interesting for sharing information in both directions. to the fbi for risks, but also from the fbi on risk analysis, threat. it's a vetted community. so companies, people, have to be
2:05 pm
approved to get in. i wonder if the companies here are working with infraguard in both directions to share information and to get information from them about risks that are known? >> i'm not familiar with the organization. i couldn't answer on behalf of google. it's possible, but i'm fought sure. >> yeah. i'm not aware of the specks of that, but i do know we coordinate with people across silicon valley to share both threat data, intelligence, different things we're seeing. there is a lot of cooperation amongst companies because we face more threats and work better together on this. >> echoing the point of a lot of collaboration between people who compete in the marketplace, but we're going to collaborate on security, because your user experience is not defined by any one product or service. microsoft is a member of infraguard and we have found the experience of bringing particularly the local chapters of bringing together expertise has been very effective. one of the things when we start going down this discussion of how to share information in
2:06 pm
order to enable cyber risk management is, you know, there's often times, it the eye sack model, the information sharing and analysis centers? is it the infraguard model? is it something like, we just talked about where there's a collaboration among industry, and i guess i would say that in the information sharing problem set, it's important that there is, again, no one model. i think you have to think about how to bring together communities who have perhaps similar experiences, but also have the ability to act on the information, to help manage risk. in some cases, that may about steady state organization, like an fran guard chapter that meeds on a monthly basis. in some cases that may be more of a dynamic system, like how these companies came together when the harp lead vulnerability is out there and we can start to address the issue. it isn't necessarily one model or the other or steady state or dynamic but a combination of those. >> just to follow-up on the
2:07 pm
information sharing for a second and maybe a question to angela, if you'd like to answer it and also to andy. we've seen congress consider and information sharing legislation. the house passed the bill a couple of time. the senate pass add version which provides liability protection for companies that share information among themselves and with the federal government. and for anybody on the panel, is this something that your company supports and, andy, from the administration perspective, i know the administration is essentially threatened to veto because they don't think it provides enough protection for privacy. do we see that changing anytime soon? or what has to happen for that to change? >> so i'll speak first. rather than speaking about any single piece of legislation, because that can be very contentious down to individual lines and individual words what i would say is, microsoft remains committed to advancing information sharing, and does see a roll for government in helping to do that.
2:08 pm
when you get down into specific bills, there are a lot of contentious issues pop so i won't go into necessarily all the specifics but i will add that one of the challenges that has been -- that is historic but increased lately, is government has several roles that it takes in cyber security. government is a user of computer systems. they are protectors of national security and public safety. and around the world are also exploiters of technology and support of their mission. so that complexity has made the information sharing conversation much more difficult and the gotten muddied. what we want to do to help exchange information to manage risk has gotten caught up in some of the other issues that are around intelligence collection methods, and so i think it's really important that we're really clear about information exchange to manage risk. that's a separate set of activities than the information that is -- goes on in the law
2:09 pm
enforcement and intelligence community space. >> yeah. i would just add to that. so from the administration perspective we absolute lie believe there's a need for information sharing legislation to encourage and provide comfort to industry and sharing information to the government and to each other, which we think is also incredibly important. i'll note that our general philosophy is any information sharing legislation has to be done in a way that it protects privacy and civil liberties and if it offers liability protection hawaii to be narrow targeted liability protection so we don't incentivize anything other than the exact behaviors we're trying to incentivize. taking a step back from the legislative debate, that it's about how do we low are the potential risks that accompany when they share information? one of my goals at the department of homeland security is actually make sure the companies reaped the benefits of sharing information. they're making a decision, here's potential down side. what's my potential upside?
2:10 pm
the down side is in the hands of congress. but rather than waiting for congress, what i'm doing is focusing on raising that potential up side. here are all the benefits you get from sharing information with the government and with ich other. with each other. again, for the purposes of the room, the kind of information we're talking about is, hey, if you see this file. this file is a virus. don't let it infect your computer. or -- this is a vulnerability that you need to know about so you can patch it and protect your computer against this vulnerability. that's the kind of ngs we're talking about with information sharing. >> other questions from the audience? yes, in the back, please? >> hi. eric fischer from the congressional research service. i have a question, andy, there's -- a dhs program around a number of years called built security in. and the part of cert now, i gue guess. so my question is what has the impact program been, and how
2:11 pm
might it help in the future, and i'm also wondering whether the industry folks have been involved in that. >> oh, man. an awesome -- trying to fig are out how to insert this sales pitch. >> you didn't plant this. >> thank you. so dhs, department of homeland security, has a larger effort called the software assurance effort. in my organization. we also have efforts in our science and technology organization. all of which are designed around first doing, in science and technology, about doing the r & d helping us understand how we do build security any the first place. my organization's effort is really about taking industry and the experts who have been doing really strong software assurance. meaning, building software that does what wei want it do and nothing else. and spreading those lessons around the community. one of the challenges in this field is we learn a lot of these lessons in the 1970s as the i.t. market exploded. you know, the desire for speed, a lot of the lessons we learned how to actually do the stuff
2:12 pm
securely fell by the wayside. and so there's a huge core of historical knowledge that we're now supplementing with the knowledge from the experts in the field today, and we're bringing it together in this software assurance form that we're hosting. so google dhs software assurance form, you're out there and want to participate, it's a grat way to talk to the other experts in the field. find out what best practices currently are and how you can make your software for secure. sales pitch over. thank you. >> we've got a question from our online audience from lauren, which is basically -- says, the company the represented on the panel are all large players, but cyber security is a problem throughout the infrastructure, including among smaller companies. so what's the role of larger companies in helping smaller companies improve their cyber security and on the government side, how do we reach the smaller companies? >> one approach that google takes is we're, in addition to a web application and a net and
2:13 pm
browser in our products, we also have the cloud platform. that is appropriate for some small businesses, or small organizations that want to actually have a large part of what they need to operate. the outsource to google who has the resources. something like 400 people working exclusively full-time on security and privacy, a large infrastructure that supports our own business needs, that can be appropriate for some customers that actually want to have the, you know, the hosting of their business be taken care of by a cloud provider. so google offers that. i think that we also offer other tools outside of just being the main platform for hosting. webmaster tools is one example, where web developers can actually use this and use some of testing tools google uses internally to detect flaws and address them that way. so i do think we try to contribute and address that problem, and not just, you know,
2:14 pm
assume that what works for us is going to, you know, work for every size company or organization. >> one of the big things that go is we contribute back actively to open source. a lot of the hard security problems we've encontinuered we built solutions for and try to support them out in the community as well so other smart companies who don't have those resources don't have to try and re-invent the wheel and we've been active about supporting that and hosting security meet-up groups and various tech talks trying to bring others from smaller companies together to talk about this. >> and maybe, so i talked earlier about the secured develop life cycle and this challenge of what can be done inside of a large organization versus a small organization is one of the things we've done a lot of thinking about. so we actually created a simplified sdl that is available and can be used not only by i. tncht companies but also by otherties who are doing in-house
2:15 pm
app development. one of the key examples that i like to mention since we've been talking about the electric power industry is, there's a case study out where one of the, an electric pouber company lever achd the simplify lds process and were able to demonstrate the life cycle cost of that system was lower by engineering security up front in a response system. it's a berkshire hathaway company. the name is alluding me right now, were ut if you looked up amplified scht dl in that you would find that information. two other things i think are important is, one, just like parisa says, whether in the cloud platform or development too manies, we work to enable those security features and functionalities for others. somebody's building in dot net, we've taken lessons learned from coding ourselves and put it into that tool set. the last piece is in the policy sphere. right? i've talked a little about process,alities about technology. let's talkalities about policy is, as we engage on the
2:16 pm
challenges that are before policymakers today, the partner play for microsoft is incredibly important. we want people to be building on top of windows. e want people to be building on taj ash shure, our cloud platform and somewhere to think about the innovators experience. and as we have resources to engage in major capitals around the world on this set of issues, we also work to make sure that if we're advising on policies, it's not only something that's going to be working for the large companies, but it's going to continue to enable innovation in this industry, and innovation in other industries. >> going back to the simple pla phied sdl, a heck of a page turner and i'm really looking forward to the movie. >> andy, just on the government side in terms of trying to races the level of cyber security in smaller firms it seems to be a challenge, because there's not awareness uniformly among larger
2:17 pm
players and some of the things the dhs is doing. what can the government do to help in that? obviously, a vulnerability in one player could spread throughout the infrastructure fairly quickly? >> yeah. i think we have to sort of separate the two key things here. one is what smaller firms are building and are they building security into those things and that are smaller firms using and are they operating their environment securely. in both of those places, we see that this is a huge challenge for small firms. and i'll say we did a request for information in february, which is the government's way of having a conversation with industry about how do we the government help in small and medium businesses? i'll tell you, didn't get a lot of clear answers back. i think this is a problem everybody is struggling with. if you're a small company, you know, and you're being -- you're an innovative start-up making a new software application, time to market is everything for you and you can maybe postpone some security risks or some don't seem at important because you have all sorts of other risksyou
2:18 pm
may run out of pizza tomorrow. you never know. i don't think anybody's cracked the code on this, to be honest. we are partnering with the small business administration to reach out and see what we can offer to help them, but stay tuned. i don't think there are great answers yet. >> other questions in the audience? yes, in the back on this side, please. >> hi. max. so i had a question. people brought up trust which i think is a very relevant piece and i think a lot of us as i.t. think about the trust on the user end. and i.t. professionals, we have a lot of trust in things like proposal protocols, and one of the most unspoken things from heartbleed around certificate authorize and protecting and revoking security certs. so that's when i think that's at the level of some of the companies up there would love to hear thoughts and ideas what's
2:19 pm
going on at that level of fundamental things that are really, something the big dogs can do probably irrelevant to all of you. >> anybody? >> i like the model of trust, but verify. we build protocols and assess them, but i do not trust there are no vulnerabilities in any of these protocols that build the internet thp that's why we build extra checks in, in place. and to given us specific anecdote for chrome, we, i believe in ssl as protocol, the certificate exchange is an important part of that and there's a certificate ecosystem that has shown flaws. its flaws. that why we built something in called certificate pinning, which actually goes one step further, and in general you might expect you can trust the certificate if issued by one of these trusted authorities. well, we you know, noticed sometimes a certificate authority is compromised and end
2:20 pm
up issues certificates to the bad guys. within chrome we actually do extra checks and it showed, it's led us to detecting gmail users targeted in parts of the country, and at the root of it was a compromise certificate authority. i guess -- it's specific example, but i do think -- as an engineer, and somebody who started her career finding bug, i trust very little, and i assume there are bugs and i get my kicks out of finding them. and i accept that they're there, and really try to think about a layer defense, and you know, you hope that somebody can't chain together all of the bugs, and they trip on something. so -- >> certificate, does a great example of chrome providing additional security. we leverage that as well so we don't have to trust the entire ecosystem. but if terms of using core libraries like implementation, we've seen a lot of interest across the industry of both
2:21 pm
sponsoring additional research into it and minimizing the threat area there. i think ultimately a model of open implementations is really good and shows that when the community is twlaer could be problems it respond quickly to those issues. >> and i guess the only thing i would add is that, you know, the identity ecosystem is a place where there is still i think a great opportunity for adoption of existing practices. and enhancement of how to use those to manage akrcross the th the human -- what we're talking about is what is the identity associated with the piece of data? what is the identity associated with an application or operating system? what is the identity associated with that hardware? and how can you actually combine those elements of trust to kind of get the user experience of a trusted system in a trusted
2:22 pm
experience from potentially parts where we don't necessarily trust all of the components? on that, that's the last word. i awe apologize. i saw a lot of hands. thank you very much to our audience and thaump very muthan very much for the panelists. c-span's campaign 2014 brought you more than 100 debates this election season. one recent debate for louisiana senate between incumbent mary landrieu and her two main republican challengers. bill cassidy and retired colonel rob maness. here's part of their debate. >> i'm part of the first generation of americans who may not achieve the same standard of living as their parents. that's a very frightening concept. what is the role of government if any in ensuring economic prosperity for my generation and future generations?
2:23 pm
colonel, you may answer first. >> i thought the congressman was going to be first. >> actually, it's senator landrieu first. >> the first real gaffe of night came from the moderator. >> okay. first of all that's a legitimate concern, and that's one of the things i work hardest on in washington, is trying to lift the economic power of our country. as chair of the energy committee, i'm in a particular great position right now on behalf of the people of louisiana to help create millions of high-paying jobs so that your generation can benefit. in addition, i'm excited to be here at lsu where we have science, technology, engineering and mantle for men, women and minorities as well in the field of energy. but number two, i also think access to education is important. my opponent, bill cassidy, refuses to sign on to a bill that i had to lower interest rates on student loans, which are $21,000 average, $11,000 -- i mean 11% interest.
2:24 pm
he's refused to do that and won't sign on to my bill to double the opportunity for pell grants for poor students who are smart and want to work, but they come from families that simply can't afford the cost of education. >> congressman? >> yeah. i can tell you, clay, government doesn't create permanent jobs and if it does, those jobs really you don't want to have. the greatness of our american economy comes from the american people, not from government. but government gets in the way. keystone pipeline, if the president would allow it to be permitted would create 40,000 jobs with better benefits. senator landrieu speaks of her clout, becoming chair, to get a senate floor vote on keystone excel pipeline. she's not been able to do so. did everything in hur po are, that just means she's not very powerful. but there's other things. the president's health care law is a damper on the economy. look at those in the lowest fifth of income earners, the
2:25 pm
obama care laws hammered them and lincoln parish, for example, 400 cut todayial and food service workers had hours reduced from full to part-time, because they could not afford the obamacare law. get. >> guest: out of the way, get creativity going you're going to have a better job. >> colonel maness. >> the main thing senator landrieu accomplished on energy, push through all of president obama anti-appointees and we certainly in louisiana don't need that kind of clout. we need to pull obamacare out by the root, it's a job killer. talked to small business owners and in many parishes all over that through 85,000 miles in my pickup truck. every one of them give the same message. do away with obamacare. we cannot afford the restrictions or the new fees. we cannot afford the taxes and are not creating the job wes could and cutting the jobs we had down to part-time jobs and that hurting the economic spectrum. that's exactly what obamacare
2:26 pm
was supposed to help and we need to unleash our energy sector in the state so we can lead america to energy independence. that's what we should be doing here in louisiana. across the board, drill, baby, drill. >> recent polls list the louisiana senate race as a toss-up. you can watch the full debate online anytime at join us tuesday night on c-span for live campaign 2014 election night coverage starting at 8:00 p.m. eastern, see who wins, who loses and which party will control congress and engage with us on twitter @c-span or the c-span industries tour takes book trv and american historytive on the road traveling to u.s. cities to learn about their history and literary life. this weekend we've partnered with comcast for a visit to colorado springs, colorado. >> in 1806, montgomery pike was
2:27 pm
sent in to explore the region, similar to lewis and clarke, sent to the northwestern part of the newly acquired louisiana territory. pike was sent to the southwest part of the territory, and from his perspective, when he came out here he really walked off the map. he went to an area that was unknown. when pike first seized the grand peak, he thinks he'll reach the top of it in just a few days. but it really takes weeks to approach. they reached what we believe is a lower mountain on the flanks of pike's peak calmed mount rosa. so they turned around and at that point pike wrote in his journals that given the conditions, given the equipment that they had at the time, no one could have summited the peak. pike's peak inspired the poem that became "america the beautiful" written by katherine
2:28 pm
lee baites who came here to colorado springs to teach a summer course at colorado college in 1893. and the view down to the plains from the top of the mountain inspired the poetry and inspired the images that are captured in that poetry of the united states. watch all of our events from colorado springs saturday at noon eastern on c-span2's book tv and sunday afternoon at 2:00 on american history tv on c-span3. next, minnesota congresswoman michele bachmann discussing the arrives the tea party and it's continuing influence on the american political process. she talks about the tea party's prospects in november's midterm elections and beyond. congressman balk smaun founder of the house tea party caucus and not seeking re-election this year. from the herridge foundation, this is about an hour.
2:29 pm
good morning. >> let the congresswoman sit over here, closer to the flag. >> that sounds greatants for the fought oh shot. the photo shot. good morning. welcome to the heritage foundation and our douglas and sarah alison auditorium. we of course welcome those joining us on c-span and other television networks as well as those joining us on the website. i would ask everyone here in-house to make that last check that cell phones are turned off as a courtesy and, of course, we will take internet questions at any time. simply epails u us @speaker and post it on the home page for everyone's future reference as well. hosting our guest today and welcoming her to the heritage
2:30 pm
foundation is the executive vice president of the heritage foundation, phil trueluck. >> thank you, john. >> thanks, john. i've learned not to bring my cell phone anymore because i always leave it on. we're delighted to have you all here today. appreciate you joining us. i hope we'll get out of here before the rain start and you don't have too much trouble leaving, but we are delighted year here for this very special session we have today. in boston harbor in 1773, a bunch of patriots got angry about taxes imposed by distant politicians and they threw tea overboard. move ahead. in 2010, a bunch of patriots got angry about taxes imposed, threw the politicians overboard. those men and women who took up the tea party achieved more electorally and legislatetively than the grass roots movement such as the occupied wall street, which received far more
2:31 pm
pandering from the elites. well, the tea party's principles were simple. tax less, spend less, and get the government out of our homes and businesses. their roots, however, lay in extensive intellectual history in american founding. behind that snake on gladston's flag is a deeper message than just don't tread on me. it is in fact a bold philosophical statement, liberty is of more fundamental importance to human dignity than paternalism and a government which sacrifices the former for the latter tramples upon the rights of its citizens. well, few have exemplified this ideal more than our speaker today. she has represented minnesota sixth district for almost eight years now, and importantly for this session, she the founding member of the tea party that, the house tea party caucus which
2:32 pm
is remained, and she has remained, a strong force for keeping conservatives true to their principles in congress. and i believe she ran for president one time a couple years ago. although she will soon leave washington, and we're going to dearly miss her, i can assure you of that, and she's going to return to the real world. maybe she'll tell us a little about what she's going to do, but she will always remain a shining light of the tea party movement and a testament to what good people can achieve when they get fighting mad. ladies and gentlemen, please welcome representative michele bachmann. >> thank you. bill, thank you so much for that warm introduction nap is the question everyone is asking me now. michele, what are you going to do when you leave congress after eight years here and i tell them, number one, i'm going to have a very long, extended vacation. you get really tired when you're here. and so i've chosen the perfect
2:33 pm
site for the most secluded place i could find. it's msnbc primetime. actually, that's a lie. so, anyway, i do want to thank you, though, for that introduction. it is an honor for me to be here and i can't think of anywhere i would rather be to give one of my final speeches while i'm an official member of the united states congress than truly the gold standard for conservative thought and that's the heritage foundation. that's a thrill to be able to be here. this is a stellar organization. i'm thrilled to be here, as is aei and kato and american and the family research center as well as the forum as well as concerned women for america. this city is filled with terrific organizations that have stood long and hard and valiantly have fought for american principles and american exceptionalism, and for 40 years, heritage has been at the top of the heap. and in many way, i believe that as you said, phil, that the american values and principles
2:34 pm
that heritage aspoused for these years has provided the framework for the tea party. its limited government. it is strong families. it's free enterprise. there's nothing new here. but just because it's not new doesn't mean it isn't profound. these aren't new ideas. they're the same values that have been espoused since the time of the american revolution, but what is different is that it was time for us, we were in desperate need, of a reawakening, and that's what the tea party was all about. republishing the american values of american greatness. all the media wanted to talk about was whether the tea party was up or down. whether it was dead or alive, but that missed the point entirely. because the tea party never was, never has been, never will be a political party. because you see, it's a movement. it's a movement about returning us and our nation to our
2:35 pm
founding principles. front and center. by contending for them in public kiss doors. it went, as you said, the patriots threw tea into the boston harbor. they weren't just protesting an unfair tax. i'm a former federal tax lawyer. i hate high taxes. that isn't just what the boston tea party was about. it was also about cementing the soul of our nation and the soul is this -- opposition to an overreaching government and a fierce passion for self-determination. and it's the idea of the declaration of independence that infuses, really, the meaning and being of what it is to be an american, and it's this -- it's the idea that there is a creator and we acknowledge that in the declaration, that a creator created all of us, and created us equal. that in itself is profound.
2:36 pm
as the declaration of independence says. it isn't a government. it isn't a politician that gives any of us our rights. we were given those rights by virtue of birth. by the fact that a creator created us and gave us these rights. they're inalienable, which means, no politician, no government takes them away, because only a creator can give them to us. it's a phenomenal philosophy upon which the nation was founded. those three inalienable rights that the founders enewspapererated were these. the inalienable trite life. only a creator can give it and only a creator can take it away. the second was liberty. freedom. the franchise intended for every hugen on the face of this earth. every human doesn't enjoy it, but that's what makes this government exceptional. because we recognize that freedom is yours.
2:37 pm
not something government can give. and certainly something government should never take away. the third is the pursuit of happiness. and that isn't just wanton hedonism. what it means, quite profoundly, you have the right to earn and keep the fruits of your own labor. what a concept. life, liberty and the right to earn and keep what it is that you earn. they aren't just nice sounding words. what i say to you is this -- our founders gave us the ultimate social compact that governments were instituted among mens for one reason. just to secure the inalienable rights that were given to us by a creator. so government can't interfere with them, and certainly government can't take those fundamental rights away from us. and that's what makes us an exceptional nation. and as phil said, the modern tea
2:38 pm
party stand for three very basic things. number one, we are taxed enough already. number two, government should not spend more money than what it takes in, and number three, government should live under the constitution. pretty extreme. right? pretty radical. right? last night our vice president of the united states, joe binden, said that the tea party is crazy and that the tea party lacks judgment. well, that rich. because if these are the principles that we stand for, i think that whether you're democrat or whether you're republican, there ones you would agree that this is what brings for american greatness. if 23450ez ideas are extreme then that's all we need to know about the chal challenges and ideas. on each of these three, unfortunately our current president has a failing grade. every step of the way he's pushed for government that would have a more intrusive role in all of our lives. and the president telegraphed his intentions during his very
2:39 pm
first inaugural address when he said it's time to "begin again the work of remaking america." he went on to say that we should no longer be asking the question whether government is too small or too big. instead he offered, we should simply pursue government to get the job done. well, mr. president, the job isn't getting done for the american people. and i think we know that all too well. of course, some of us realize that the question of whether government has the right to do something is far more important than the question of, if government has the ability to do something. there's nothing in the constitution that says that government is a charity. there's nothing that says that government is meant to be our family. it's not meant to be the church. the constitution is clear. and it certainly, government should never be our doctors' office. though the president wants it to be all of the above, including our banker, our student loan
2:40 pm
officer, and even our car dealer, placing government at the epicenter of our lives changes the game of the social compact. you see, political liberty and economic liberty are imperilled, they're intwined. they're woven together by our creator who provides them both to us. you don't get political liberty without economic liberty. and you don't get economic liberty without political liberty. history teaches us that people are most productive, they're most happy, they're most successful when they're free and when they can be independent. if you restrain freedom, if you sap a person's independence, then you'll lose that vital spark of liberty that's made our country so great. to be fair, the love affair with big government did occur under the bush administration. it occurred long before that. hearkening back to the days of fdr and lbj. you can go back to the time of, give me liberty, give me death,
2:41 pm
patrick henry. he was worried about big government. but president obama took the mistakes of his predecessors, unfortunately, and hit the accelerator with a quantum leap of unimaginable proportions. it began when i was here with the wall street bailout. i was a freshman member of the united states congress. it was one of my first major votes. i was sitting as a member of the financial services committee and i was in the midst of this very consequential debate. as you recall, this was a blank check for a $700 billion bailout. it had never been seen and never been heard of before in the united states history. sent over from the white house was treasury secretary hank paulson. he came to our republican conference to sell us on the bailout, and i confronted him at the microphone with a few very important questions. none of which received an answer. one of my questions was, where does the number $700 billion come from?
2:42 pm
the second one was, what will you use it for? since we couldn't get a straight answer to either of those fundamental questions, not only did i vote against him, we put together a great ad hoc group of both democrats and republicans who came together and said, maybe this isn't a great idea. forgiving t forgiving -- for giving the treasury secretary a blank check for $7 hp billion. the first vote failed. could you have heard a pin drop in the chamber when the vote came up. nancy pelosi thought she had the vote in the bag. she didn't. four days later, i voted no again. but enough arms had been twisted. you could hear bones breaking from here to san francisco, and the vote got rammed through. that $700 billion bailout laid the predicate for bailout mania here in washington, d.c. the next time was for the automobile industry.
2:43 pm
and once again, the taxpayers were on the hook to bail out private companies to the tune of billions of dollars. and upend 150 years of settled bankruptcy law and protections for investors. worse, the government gave pink slips to 3,400 privately-held automobile dealerships. this was shameful in our history. many were ordered to close their doors within 30 days. imagine that? you own a private business, and the government send you a pink slip, shut your doors, because we tell you to? you have 300,000 dollars worth of spare parts and inventory in your back office, and you're told, tough. we're telling you close your door? unconscionable. next came the trillion dollar stimulus package. if you were politically connected ally of the obama administration, you got a leg up. so-called green energy companies, like solyndra, received hundreds of millions of
2:44 pm
dollars before they went bankrupt. it was cronyism at its worst. the department of energy became the epicenter of lopes to obama donors. and then there was obamacare. the crown jewel of socialism. it amounted to a government takeover of 1/ of our economy and look how that turned out. politically connected allies one of a another got a waiver to obamacare. false promises like, you can keep your health care plan, if you like it. or, you can keep your doctor, if you like him or her. or, you'll save $2,500 an awaniy on your health care premium. it's not so funny for the american people that have to live with this abysmal health care system. $2 billion was spent on a website and doesn't include all the money spent on state websites either. conveniently, the government
2:45 pm
won't reveal insurance costs for next year until after the midterrible election is over. the earn people watched all of this unfold, and fed up, the modern tea party was born, as a positive turn of the pendulum. i founded the tea party caucus in congress, just so every day real americans could have a voice, and way to share their concerns. with their elected representatives. more than anything, approved to be a listening caucus to get the pulse of real people who live outside the beltway bubble. this was pretty refreshing for washington, d.c. americans of all background organized rallies, went to town hall meetings. they showed up here at the u.s. capitol. it was a spontaneous, organic uprising. so, of course, the left called it astroturf. it couldn't possibly be real people would actually stand up and say they want to be able to have self-determination? a rally to stop obamacare that i
2:46 pm
ca called -- produced tens of thousands of americans showing up here at the capitol. they had less than one week's notice. no organization. no one paid them to come and they came here simply to besiege their legislators, not with my health care, you don't. one woman from hawaii came. she told me that she saw me make the call on a television show, sean hannity show on a friday night. she said, i went to my phone, oerdsed a plane ticket on the spot so i could be there with you the following noon, thursday, at the capitol. people came from alaska. all 50 states. over 20,000 people, doctors, lawyers, people from all walks of life saying, the country cannot embrace socialized medicine. well, the grass roots energy sent a wave of freedom-loving ream forcements to washington, d.c. in 2010 including the likes
2:47 pm
of senators mike lee and rand paul. and it took the gavel away from nancy pelosi and the house of representatives, and with the largest number of seat pickups since 1948, i wonder what this election this year will yield? even the establishment moved towards embracing the tea party's messages about constitutional principles, like national debt and balanced budgets. you know you're effective when tea party organizations were systematically targeted by the irs, which tried to diminish their voice in 2012. the irs admitted they wrongly asked conservative and faith-based groups for their donor lists for their memberships list, even for the content of the prayers of people who were in tea party organization meeting. all to intimidate and all to slow down applications for tax exempt status before the crucial 2012 election.
2:48 pm
ironically, president obama himself once made the case for less government intervention in the marketplace. yes, he did. during a town hall meeting in new hampshire in 2009, president obama said, "i mean, if you think about it, u.p.s. and fedex are doing just fine. right? no, they aren't. it's the post office that's always having problems." a rare moment of clear thinking from our president. if only his actions had followed suit. but i also bring up that quote, because it illustrates the choice that's facing us in just a few weeks. on one side, you have president obama. our post office president. bigger government, and more spending is the solution to every problem that comes along. if a better model exists, the answer is not change the models, but spend more money to prop up the old model. on the other side, you have a philosophy that believes in maximizing your choices. not forcing you to choose the government preselected choice.
2:49 pm
it encourages entrepreneurs to create new models and let the free market decide whether or not your idea will succeed. earlier this year, i had the privilege of traveling to england to speak at the oxford union, both about innovation and about the bureaucracies that stifle innovation. in that speech, i told the story of a great american. his name is norman borelog, a ph.d. biologist from the yoof university of minnesota. borelog is in a very unique class. he's one of only three americans to win the nobel peace prize, the congressional gold medal, and the presidential medal of freedom. those distinctions go to luminaries like martin luther king jr., and like ellie wiesel and also borelog, an iowan/minnesota. as an iowan/minnesota myself i am pretty proud of him.
2:50 pm
her story is studying in depth for everyone because it illustrates why human capital and human creativity as an innovating force has to be nurtured, it has to be defended, and it has to be allowed to thrive. the the research led to thousands and thousands and thousands of failures. failure upon failure upon failure, year upon year of failure of trials in his research, but ultimately it led to a strain of wheat that was able to succeed in two very different environments. as a result the wheat was heartier, more resilient and tougher than any variety of wheat that had ever been produced before. today norman is credited with literally saving the lives of over 1 billion people across the world. who can say that?
2:51 pm
that because of what they did over a billion people live today? he is remarkable. how fortunate it was that he had the freedom that he needed to test his ideas. that he department have to go to some bureaucracy every time he needed a previously for each of the 6,000 varieties of wheat he bred. and he saw an opportunity that none of the experts could dictate to him where he could or could not plant the seeds or how he needed to do his work. he saw these bureaucratic threats to innovation. more than 40 years ago, this is what he said. one of the greatest threats to mankind today is that the world may be choked by an explosively pervading and well camouflaged bureaucracy. this urge is control progress is
2:52 pm
exactly what stifles innovation. it freezes the trial and privileges the status quo over the new. it embraces the powerful over those who are powerless. it lifts up the rich over those who are poor. it helps the big at the expense of the small. you see centralized control discourages the thousands and thousands of tinkerers across this country and the small businesses who individually and together move our great america forward. we see this as uber and revolutionizes the transportation industry and instead of making the company more competitive, the taxi industry has been calling on lobbyists and powerful friends and government to impose even more regulations on the upstart ride sharing service. we see this in california. even education bureaucrats are trying to forcibly shut down and
2:53 pm
heavy fines against computer software learn to code boot camps. their offense? the new and exciting approaches to learning don't fit inside government's preconceived box. we see this in the technology industry where the fda is stepping in to renovate one of the most innovative markets in the world. we are talking about the developments to change our lives in the next five years in the realm of health care. exactly what we don't need government to put a net over innovation, we see explosions in greatness in the medical industry. they are innovating when it comes to mobile aps that allow each one of us more personalization and more control of our health care. imagine if you have a disease, your prescription drug could be designed exactly to fit your
2:54 pm
dna. not just a one size fits all penicillin, but it is designed for you to get you healed. all these regulations caused google ceo to recently say and i quote "health is so heavily regulated. it is a painful business to be in." it's not just government. there is never a shortage of companies who would like to fix the regulatory environment to advance their particular business interests or protect themselves artificially against their competition. crony capitalism is what corrupt nations do. that's not what america does. it's no coincidence that the greatest explosion of industrial innovation and history accompanied the very first experiments with political libertyy and free enterprise. only freedom of speech, freedom
2:55 pm
of expression and freedom of association and scientific freedom and certainly economic freedom allow us the freedom of experimentation and the debate and the chance for risk takers like the great norman bor log to start and yes, fail time and time again. it's in the use as the great economists once said of the particular knowledge of time and place. innovation demands. it's the genius of an idea that no one else sees. the environment of freedom caused the greatest leap ever in our human well being not just for america, but they are seen immediately and replicated even in third world and developing in additions. you can go to the poorest country, haiti and you will see cell phones by impoverished people all across the world. impoverished people want a leg
2:56 pm
up too. you see trickle down does work. when you have innovation and you have growth and you have new wealth that is created, it's those at the bottom of economic ladder who have the most to gain. the environment of freedom has created the greatest leap ever in human well being. improving our lives by an order of magnitude. it represents the tund to thrive regardless of age or race or gender. the recipe for success is simple. encourage work, don't discourage it. that's what england found. embrace human creativity and capital. don't limit it. expand for to follow their dreams. don't stop people from the benefit of failure. those who overcome failure ultimately learn how to succeed. here's just one example. i'm a former federal tax lawyer and know firsthand that our tax
2:57 pm
code has become too complex, too unfair and blatantly too old for political cronyism and control. that's what lobbyists are all about. we need a platter fairer system that levels the playing field for everyone and encourages innovation and growth and stops taxing investment and productivity. last year saw the 100th anniversary of the united states federal next tax code. hardly something to celebrate. just go back down memory lane. in 1913, the top tax bracket in the united states was going to be a 7% tax rate and the tax code was 400 pages long. 100 years later, the top tax bracket has ballooned to nearly 40%. that excludes state and local taxes. the tax code today is over 74,000 pages long.
2:58 pm
that doesn't include the rules and the regs. i just returned from speaking at the reagan ranch center in california. i had the privilege to speak to a wonderful group of young conservative women. when ronald reagan came into office in 1980, the top tax rate was, hold on to your seats, 70%. sound like france? not working so well for them. it didn't work so well for the united states either. by the time ronald reagan left office, the top tax rate dropped from 70% down to 28%. he secured a 25% across the board reduction in income taxes for all americans in every tax bracket and he simplified the code from 16 down to two. in addition cutting taxes, he also reduced spending. he reduced regulations and he maintained a strong -- excuse
2:59 pm
me. today too many policies and institutions are on the opposite end of free market spectrum. one example in the news coming from the financial services sector is this. the export import bank doesn't sound terribly sexy and overwhelmingly subsidizes the
3:00 pm
corporations in the world. last year the fortune 500 companies received more than half of the bank's financing. nobody would care if this was a private bank, but this is a government subsidy. it amounts to cronyism that is financed by tax dollars and puts americans businesses at a competitive disadvantage. do you see what i mean when i say that government is lifting up the big at the expense of the small. enabling the rich at the expense of the poor. that's not what government is supposed to do. it's time to let the free market work and allow the export-import bank to expire. we can and must advance opportunity for all americans without giving special handouts to the select few. after six years of barack obama's presidency, it's no wonder that the american people feel this is a government for government, not a government for people. i believe that president o's


info Stream Only

Uploaded by TV Archive on