tv Politics Public Policy Today CSPAN March 24, 2015 5:00pm-7:01pm EDT
very active in a whole series of national and international global policy issues of cyber security. and david turetsky. the current partner at akin gump. and in a recent former life he was the bureau chief for the federal communications commission's public safety and homeland security bureau. and last but not least the moderator charlie mitchell who's the editor of the very important publication in washington. inside cyber security. and you'll make your remarks and charlie will moderate. >> thank you. it is a pleasure to be here. a year ago i came here and i walked on ice. sliding on my way here. and my kids' school was canceled and i had to deal with that in the morning. so if you could think about april next year. [ laughter ]
just a suggestion. >> [ inaudible ] >> thank you. we have a hurricane -- that's usually later in the year but point taken. i want to start briefly by talking a little bit about the administration, the obama administration's work in this area. and, you know, a lot of this goes straight to the top here. president obama upon taking office said cyber threats were one of the most serious economic national security challenges we face as the nation. and he made confronting them a priority from the beginning of the administration. he's renewed that pledge several times with each action taken moving this issue forward in the public consciousness. in particular most recently at the white house cyber security summit last month at stanford university where the president once again renewed his commitment to keep combatting cyber threats as the top
priority. let me just recount things that happened along the way too so people have understanding where we are and where we have ended up on policy issues. four years ago the administration promoted legislation in this area. several areas including standards for critical infrastructure, reforming government agency security standards, new hiring authority for the department of homeland security allowing them more authority in the space, information sharing and liability protection for information sharing and data breach. national data breach notification standards. two years ago it became clear congress would not be acting in these areas as quickly as anyone would want. last year they did pass two of these provisions in particular. and we were pleased to have that move forward. but two years ago when it was clear that information sharing and the moving forward on standards for critical
infrastructure were not moving as fast as anyone would like, the -- the president signed an executive order to promote cybersecurity standards for critical infrastructure. this had two pieces to it. one was an effort to share more information from the federal government to businesses. the second was the creation of the voluntary private sector-led cybersecurity framework which nist was convening at the time. national institute of standards and technology. the cyber security framework has really been the key to the success of this effort and work of groups like u.s. telecom and members and other trade associations and companies and the other stakeholders have really led for the framework to become a truly successful document in terms of creating voluntary -- a voluntary framework that can be used in this space by boards and by
executives to make decisions on cyber security. and i think at the cyber security summit we really heard about the success of that effort and how it is starting to really change the consciousness of the u.s. industry and organizations around the world even. and i think the best analogy i've heard for the framework came from someone who said that the cyber security framework is the rosetta stone for cyber security. and that is what it was intended to be. mirroring up all the sets of standards that have been done over the years and making them so that we can read them across critical infrastructures. and make sure we have coverage and moving forward. and i think that's where we ended up and it's due to the leadership of groups like u.s. telecom. so we really appreciate that effort and we're making some
real progress towards having a better set of understanding of where we need to get to and where growth needs to happen because of that effort. another space that the administration has spent a lot of time and effort is in incident response. we've heard from stakeholders we need to do a better job, that the government needs to participate better and we need to give the tools for industry to be able to respond to threats. we've continued to work with many sectors in the space, in particular financial sector has worked very closely in terms of coming up with ways to respond better to new threats. and we continue to move those efforts forward. but one other area announced last month was -- is the cyber threat intelligence integration center. and a lot of discussion has gone on about how that relates to the information sharing. i think for the government it relates to information sharing but i think a good way for industry to think is how it relates to incident response. because there is not going to be a public face between industry
and the cyber threat intelligence integration center. it is going to be much more of a -- it is the way that government is going to pull its information together. pull the intelligence together that already exists out there. this new center is not creating new -- is not gathering new intelligence. it is pooling all the intelligence together. taking the analysis out there and integrating it in a way very quickly so then it can be shared back out with stakeholders and that information can be used better. so this is about responding to threats, responding to incidents in ways that can happen much more quickly. the interface with industry will remain the same. working with dhs or the ncic or the service, the treasury department or the fbi when there is an incident or working with other sector-specific agencies that will -- those will continue to be the face for the
incidents. but in terms of the integration, now we'll have a place where that can happen much more quickly than it has and does today. next on information sharing. efforts that have happened in this space. again, we've been promoting the idea of moving forward legislation in this space. but while that is happening, we continue to take -- make efforts to get more information sharing from the government to the private sector. as i said the executive order two years ago did. among private sector entities. and from the private sector to the government. we continue to work in all of those areas. and try to move those efforts more quickly than we have in the past. for example we have beyond the executive order, after the executive order from two years ago was signed where we changed the default from sharing to say the default should be to share unqualified information and to make more information -- and to
declassify more information to make sure that it is shared with the private sector and move in that direction. i think that in my discussions with the private sector i think they have seen a marked increase in the type of information they are getting from the government and the amount of information. so i think we're making headway in that area. also in terms of the private to private sharing we've seen efforts as well. the antitrust. the department of justice and the federal trade commission have now put out guidance saying that if you have -- are sharing legitimate cyber security threat information that that information -- that there should be no real barrier to antitrust. i mean -- from antitrust concerns. so we are -- and we've seen -- heard of sectors now being able to share among each other in ways that they could not in the past because that concern has been taken off the table.
number two. we've seen from the department of justice that they have published guidance on sharing information in the aggregate and making sure that that does not run into barriers from the electronic communications privacy act. we think that has been helpful for companies to be able to understand what information they can share pretty clearly today and where there are issues. also at the cyber security summit we had the release of a new executive order, signing of a new executive order from the president which is focussed on the information sharing organizations. we used information sharing and analysis organizations which is taken directly from the homeland security act. we use that term because it is the broadest set of organizations out there. a lot of times in the past there's been focus on information sharing analysis
centers. we still support the idea. in fact those are information and sharing analysis organizations by definition. but information sharing and analysis centers happen to be sector-based. so we're talking about sharing across sectors as well. this would be regional sharing. threat-based sharing. and other ways of coming up with new ways of sharing information not just tied directly to a sector. now the sector work that's been going on for the past decade really has been instrumental in demonstrating how information can be shared and for building up the standards and best practices in the space. and it's exactly that kind of work that we think needs to be -- needs to be put into a real standards private sector led consensus based standards body. which is why we've promoted this idea of the dhs granting new funds to a private sector body to stand up as the
standards organization in this space. by the it will help to drive efforts in this way. the way the executive order does it is completely market driven. we think that will be enough. we've seen a number that want to start up but have trouble with the resource and understanding what they need to do. and we think having the best practices out there in a clear way will help from a market driven way. but we've also said in our legislative approach that if we can get bodies information sharing, organizations to self assert that they are following these body, we think that will also help to move this forward -- this area forward. and again we're not talking about certification. i think there's been some discussion of the certification. we're just saying that organizations would self assert they follow these practices. we think that will be enough to drive the marketplace today considering there is demand for information sharing and these new bodies to form. we think that light touch will
help. and it is exactly this type of information sharing legislation that we would like to see move forward. we think it is essential that all of the efforts we've done to date we feel we are continuing to do what we can do under existing law. but there are still barriers where we need legislation. we think we can have targeted liability protections. in a way that actively protects security and privacy through civilian channels which will allow us to do government oversight of our own work to make sure that we're protecting the privacy and security of americans as we do this. there is -- we think that it is possible to get to that balance and we should do it in that way. and we've had good response from the private sector and stakeholders in moving this idea forward. we're open to further discussions with those stakeholders and with congress and we look forward to having that and i think hope we can have some of that debate today on this panel.
[ applause ] hello everybody. let me start by saying i want to thank u.s. telecom once again for holding this event and this whole series of events. really throughout the entire framework process. i think it's been an invaluable use to the dialogue in this course. and i hope we have more. and like ari i hope we have one in may or something. that would be great. probably a good point. let's bring chris and david in. can you speak a little bit to the state of information sharing going on right now and how the executive order is likely to affect the current environment? chris do you want to start off with that? >> so within our sector, within the communication sector we
already have an organization called the comm isac that meets regularly to facilitate information sharing. and also the individual telcos meet themselves on a routine basis to talk about cyber security. so i think there certainly is information sharing going on today. and there could be more. but in terms of how the executive order affects that i think it remains to be seen. the isao concept is interesting i think. and we'll see what happens over the next several months. my understanding is the existing isacs will be viewed as the basis for the standards that will be used to develop the isao. they participate in the process and provide leadership and examples of things they do, i think that process will be effective and i think we're optimistic at this point.
we'll see what happens. >> david? >> i also think that the communication sector companies have something to gain from the isao process. while they can control through contract some of the supply chain issue, if the isao process is acceptable they may want some of their vendors to participate as well to ensure that they are getting the best information as well to defend against cyber threats. i think one of the questions in addition to the very important question of liability protection is going to be whether the information sharing that is proposed in congress and that the president incorporated into the executive order meets the president's test. the president noted that the private sector needs to defend
itself, government can't do that. but it also said that there needs to be a partnership. because government often gets good and important information that the private sector does have that would be important to defense. so i think one of the questions that will determine the success of the sharing arrangements is whether business feels like it is not only providing information but getting good information back that makes it have greater success in defending against cyber threats. there's been some view that that is a challenge that sometimes that kind of information hasn't been received. and i think the process with the ncic that ari outlined is designed to improve on that and deliver on the president's recognition of what is
necessary. >> ari how quickly do you think the private sector will see a tangible difference in the quality of information that it is getting from the government side? >> from the government side i think that over -- as i was saying over the last two years, i think we have heard that they are -- that companies already are seeing a difference in the amount of information. in terms of the quality of the information i think it depends how fast we can get the ctic cyber threat intelligence integration center up and running. and also making sure that we can prioritize declassification or even keeping that information unclassified that that center will help with that as well. depends how fast we can get that set up. the goal is very quickly to set it up. i think as with anything having to do with organizing in the intelligence community there is a lot of questions how that is
going to work and we're working with congress on the details and want to make sure there is stronger understanding of that as we move forward. but i think people will see over the next few months as that body gets stood up and we get people there and working that they will start to see quality of information improve as well as the amount of information. >> chris. >> i just want to add i think the point david made and ari has been making are critical. the mutual exchange of information is a big incentive for companies to participate in the process. if it is a one-way information flow then companies aren't going to see it as valuable as it is if it's going both ways. it's also within the private sector i think there is the potential for there to be a lot of information conceptually if the isao takes off you can see a lot of information dumped on folks. and making sense out of that and putting context around it are really critical issues.
so the mutual exchange and making the intelligence actionable will be where it provides value. >> this is also the importance of the move to automated information sharing. so much of the information sharing today relies on folks to take action themselves. everyone wants to join an information sharing organization in order to get the information. but they are not thrilled about putting in there. if we automate it and say you are part of this. the information you are sharing, you will know exactly what information you are sharing. the information gets shared automatically out. you will see a lot more information out and there is a lot more certainty. i think as we move to more automated you will get a lot more of that too. and in some ways the move for isao and having the policy overlay as we've built these technical standards that go underneath it will help make people feel more comfortable moving into the process. where we get more information
and there is more certainty around it. >> in the administration's legislative proposal you have structured the liability protection around the act of sharing with either the ncic or with the new isaos. why is it limited to those two entities. >> isao is very broad. i think there is a viewpoint that in order to share you have to share with -- we're not talking about the individual companies or a small number of the companies that could be isaos but that is not true. the term means basically anyone sharing with one or more individuals. we want to make sure there is some rigor to who it is if you are getting this liability protection. in this case all you are doing is raising your hand and saying we are following under the liability protection in our draft you are just raising your hand saying we're following these best processes that the
industry has put forward but that there is something basic commitment to doing something in order to get the liability protections. and so that's -- we want those based on the best practices there. when you are sharing with the government the reason we want it through a civilian portal and the reason the ncic is the place to do it we need to have some oversight. if we're overriding all of the policy laws that exist in government today in order to make sure that information is being shared in a way that then can follow some guidance that is going to come in the future from the attorney general and the secretary of homeland security, the way to do that is to make sure it flows through a place. then as david and others -- you know, can flow out to other parts of the government. but the key point there is that we have that kind of oversight that has on top of it to make sure that when it comes in that it's actually cyber threat
information and that privacy rules have been put in place. that confidentiality rules have been put in place that companies will want to see. we want to make sure that that is very clear and moves forward across the government. and the way to do that is to get the kind of oversight you can't have the kind of public oversight you need if that is happening in the intelligence community. >> how do the industry folks feel about that? would you like a more expansive look at -- or a more expansive arrangement in terms of who you can share with and know you get liability protection? >> i would say that is probably true. i think we appreciate the administration putting a proposal on the table and, you know, we've been trying to get information sharing legislation passed several years now. and so the administration putting a proposal out there is something that i think is helpful and something we can work with them on going forward. but yes, i think that we are -- we do think the concept of tying the liability protections back to the isao framework is limiting. i think the approach i would prefer is more akin to what, you know senators feinstein and
burr were working on in the senate select committee on intelligence and the approaches being taken in the house also. but i think overall this debate plays out over the next several months and we look forward to working with all sides and i think from at&t perspective we're mindful of the privacy concerns. and i don't think we're that far apart on issues. i think we can work together and hopefully come to some reasonable conclusion this year. >> we don't want to override any existing relationships. and we try to carve that out. and we're open to ideas we just feel it needs to follow the basic framework. it needs to come through some kind of civilian place primarily in order to make sure we have the oversight and privacy is being protected as this happens and that the liability protections are targeted to the sharing. right? >> yeah. >> if we can stay in that framework we're happy -- there
are lots of ways information can be shared. as long as we hit the key goals the administration is going to be focused. >> ours is more private to private sharing side. i always viewed information sharing as three scenarios. government to private, private to government and private to private. so private to government, the issue is always should it go through a civilian agency or go through the intelligence agencies? and i think our view in the past has been the legislation that was proposed out of the senate last year -- the previous version i guess. the 2014 version would have had that run through dhs and generally we were okay with that model. you know, as long as it didn't disrupt existing relationships where, you know, a lot of times our companies deal with entities like the fbis and the cijt if and other parts of government. so as long as the proposals allow existing relationships to continue. we would have been okay with that last year and supported that bill. this year's is a
little different but i think still the same path. i think when it comes to private to private, we think forcing everybody to be an isao might be too limiting but we'll see how it plays out over time. maybe it's a non issue. but we'll see how it plays out for the rest of the year. >> i would just add that one thing that we also have to be mindful of in setting the criteria to get liability protection is the differences between big businesses on the one hand and small and medium sized businesses on the other. to the extent we want this to be real time we want to take account of what their capabilities are of managing information stripping out information that may raise privacy issues. and we need to make sure that we require privacy to be a principal consideration and protected. but we also have to make sure that some inadvertent breach
from trying to share in a timely fashion and depending on what the information is doesn't result in capital punishment. >> right. i want to get into the question of the role of the regulator. but while we are here and we're talking about privacy, ari i thought it would be really helpful if you could describe how the different pieces of the administration's privacy proposals fit together. there is the nist privacy engineering effort, the privacy element in the information sharing legislation proposal and there is the consumer privacy bill of rights. there are three distinct legislative initiatives there that all have privacy at their heart as policies. can you say how those fit together? and does this all add up to a uniform approach to the issue? >> so it's -- we're actually
talking about a few different types of privacy there in the details. so in the information sharing proposal, we are talking about -- we have a definition of cyber threat information sharing. and that definition is a limited set of information that is tied to certain kinds of cyber threats. when that information -- and has limited uses when it comes inside the government. but when you share that information, then you have this broad ability to share that information, notwithstanding any other provision of law. so you are overriding a panoply of existing privacy protections in place and replacing it with guidance that is outlined in the legislation. but really still to be written into the future. so we are talking about kind of -- and most of that guidance is for government agencies. it is how government agencies will use that information. so we're giving companies the
ability to share that information into the government or share it amongst themselves with a set of new privacy protections that we hope will be strong. private sector will write its own through the process of creating the information sharing organization standards and sharing with the government will happen through the guidance from the attorney general and the secretary of homeland security. so you have this kind of new regime that will come into play for that small type of information. that type of information is excluded from the consumer bill of rights. in our draft there is an actual exclusion directly for the same definition of cyber threat information in there. because that already has its own regime through this other proposal that we have. and the hope is that -- that you have cyber threat information sharing in place with this kind of definition and then you would have this exclusion when consumer privacy bill of rights went through.
the consumer privacy bill of rights is focused on the privacy issues that we see with new types of online and electronic commerce issues that come up. where information is shared across each other. because in the united states we have industry-based privacy regimes. we have a lot of holes that pop up. you don't really have the kind of basic safety net that would be in place to protect information across all the -- those will remain in place and the consumer privacy bill of rights builds a safety net for those areas that don't have privacy protections today. so this would be exempted from it. and the third is the nist privacy engineering effort and that is focused on government agencies and other stakeholders have seen that when new products are being built privacy has come in afterwards. and there's been this question
of how do we think about building privacy in from a voluntary consensus-based approach. looking at the risks involved and looking at the kind of benefits that could come if we made the decisions earlier in the process. and nist is working to work on an engineering -- voluntary, completely voluntary -- effort to be used to make these decisions, help government agencies make these decisions easier. and you would hope companies might look at that too and they could learn as well. but it's really focused on kind of looking at these efforts in a way that relates to building new technologies and looking at how to go about doing that. >> thank you. >> before we move onto the regulatory piece. while we are on information sharing. i want to make one more comment. a lot of people talk about information sharing in the legislation as being the thing that we're trying to achieve through the legislation but it's become a term that encompasses a lot of issues. the one thing i don't want lost is why do companies like ours
and others support the information sharing legislation? and part of it is because today when we try to stop a cyber threat it requires our lawyers to be heavily involved in analyzing a variety of statutes. and determining what we can do. so a big aspect of the information sharing bill that is not talked about as much is the actual authorizations component of the legislation. so specifically, authorizations for companies to do things like monitor their networks or take actions to stop the attacks or i think in the last panel brian asked the question about liability protection, that if you don't act on a threat. those are critical aspects because to us that would provide a clear legal framework, notwithstanding legal framework itself but under more clear which we can act and apply to cyber security. and i don't want that lost. a lot of the reason we have been supportive of this type of legislation is because it clears up that legal overhang and allows
us to act more independently in addition to the information sharing component. and we appreciate all proposals and i think one area they could improve is on the authorizations piece. that is a piece that without that, just having information sharing by itself is probably not going to really move the needle on security in my opinion. >> charlie i would just add in addition to having been bureau chief for public safety and homeland security at the fcc, i also am a former deputy assistant attorney general for antitrust. so i've had the chance to look at information sharing regimes in other industries and other circumstances and it's clear that it makes a difference in terms of lowering costs and improving performance. and that is true if you look at the insurance industry and its important sharing of past loss information and the like. and that is going to be true i
think in connection with cyber security. to raise the cost of conducting successful breaches for the bad guys and lower the cost of defense. and on the privacy point i think the senator was absolutely correct when he says that we all need to care about both of these issues. because with the threats out there and the breaches we've seen, improved cyber security improved data protection means enhanced privacy as well, done correctly. >> great. let's talk about regulators here. [ laughter ] do we have to? >> sure. the fcc charged a new working group about a year ago with coming up with a new paradigm around cyber security. and i know you chris and david have been closely involved in
this. the final draft report has been completed. i guess tell us what is a new paradigm around cyber security. what is the goal here and what's been accomplished? what is the state of play within the fcc's working group. >> let me set the stage, if you will -- for that. i'm not on the working group and it hasn't publicly been released. the advisory committee. which is called the csric. i hate to use the acronyms. and then this working group four which was going to flesh it out
and give it meaning specifically for the telecom industry was going to be active and spend the next year trying to develop a report. issue information that would make it applicable and usable in positive ways by the communication sector. and they have had more than a hundred people involved in a very intensive effort. and i think that we're going to see a report that moves the needle and helps establish the telecom industry as one of the leaders in making use of the nist framework in trying to make it usable by small and medium sized businesses as well as the largest businesses. i haven't read it so i can't comment on, you know, its outcome. but i think it's been a very positive process and it is going to move the needle. >> i can give a few highlights as how the working group has
done the last year. i know robert's here. he used to chair the working group. i chaired the wire line group. the way it's structured is we had five subgroups for each major segment of the telecommunications sector. we had a wire line working group. a wireless. a cable satellite and broadcast. five subgroups for each segment and also five feeder groups including things like threats. and metrics and the measurements feeder group i actually chaired. and we had ten different groups working with over a hundred members. and we've been working for the last year and the report issued in march will be a 300 page report. goes through a lot of detail in various practices. we generally try to -- and i don't want to go into a lot of detail because it's not officially released. a lot of what we tried to do is conform the framework and
prioritize the nist framework for infrastructure. how do we secure critical infrastructure. if you look at the communications network and understand its interdependency on other things like financial services and electricity and water and others. how do we secure that and in the event of the large scale attack that that continues to secure and function. how do we reform the framework and address it for those issues. that was the big focus and i think like i said we spent the last year working on that and i think people -- my view that the work products is a true example how our sector partnered with the commission and others in the group to generate what is a solid work product and set the framework going forward. >> we have a question from our online audience. it's directed at you mr. turetsky. as isps shift to title two, will the cpni requirements make
information sharing impossible? >> first of all i haven't seen the text of the net neutrality order. i think it isn't out yet. it certainly wasn't a day or so ago. so i'll refrain from giving judgment on that. but one of the things that is in play everywhere from the federal court where the wyndham case was argued this week and the federal trade commission's jurisdiction to enforce under section five of the federal trade commission act privacy and data breach reasonability standards is the subject of some uncertainty and some tech.
and the fcc too where in october they did their first major data breach case. the uncertainty from the rules and also the legislation that's been proposed i think in some cases delegates to the federal trade commission much more clearly. and some of the legislation i think would remove from the federal communications commission some of its enforcement. so what we're seeing i think is a lot of uncertainty around what the standards are, who's enforcing them. and how they apply. and i think we just need to take a look at what comes out of the fcc on the net neutrality order before we draw any conclusions about it. i am pretty sure that the fcc is going to want to make sure that information sharing isn't inhibited. i think the kind of information we are talking about sharing is
you know, not at the core of what cpni is necessarily trying to protect against. and i think i'll leave it there. >> any other questions? >> another one online. we have a second question for ari, how do you see this government private industry partnership improving the reliability of the electric system our utilities and power company, are they getting on board? >> we've had a really good relationship with the electric sector in particular. that they have been very supportive of the cyber security framework. they have done a lot of effort in this space.
we've had -- and our plan is to work even more closely with them moving forward in terms of incident response and trying to make sure that they are getting the information that they need to be able to respond very quickly, the information that we have from the government and in sharing among themselves in order to get information in terms of the moving -- the response more quickly. obviously there are a lot of different people in the energy space. and a lot of different companies in that space. i think we -- it is not an easy thing to say you are working with energy together. but if you can work sector by sector and certainly starting with the electric sector makes sense to us and move through those and come up and make sure we're coordinating and getting the information we need. in terms that they also have existing information sharing and
analysis centers today to try and share information. electric's is -- the electric isac has been growing and has been becoming more effective. oil and natural gas has been growing and becoming more effective. we hope that we can help to make those moving more quickly as we move the isao process forward. >> great. well listen, i really want to thank this panel. that was terrific. thank you all for your contributions. okay. we'll ask our next group of panelists and speakers to come up please.
very good. that was an excellent panel and i think you heard ari talk about the seminal nature of the nist framework. and i think we're very fortunate to have the participants we have today on the panel. adam sedgwick i will now go into the future referring to him as one of the architects of the rosetta stone. or discoverer. i don't know. but that is quite an accomplishment. also larry clinton who many of you know as president of the internet security alliance and someone who's been an outstanding advocate around the framework for quite some time. brian finch is a partner with
pillsbury winthrop. a lot of experience in the policy arena. and kevin morley for the american water works association, which is one of the lifeline critical infrastructure sectors, very much involved in thinking about the framework as it relates to his sector. and then finally very happy to have jesse ward with us who's the industry and policy analysis manager with ntca, the rural broadband association. jesse is also one of the leaders on the working group for effort that dealt with addressing small and medium businesses. with that i'd like to introduce david perera who's with -- i'm sorry. i'm ahead of myself. i'm going to introduce adam who will speak and then we'll have the panel moderated by david.
>> thanks. i'm eager to move to the panel too. i'll get through these quickly so we can have discussion. thanks again for u.s. telecom for having me. these events are really helpful for us in terms of hearing what industries are thinking about, particularly telecom sector. but we certainly have representatives from a number of sectors here in the audience so it is very helpful for us. i was thinking about this event and the title of it which is on gaining traction or falling behind. and so i was thinking about it. and i actually wanted to go back and look at some of the things we were saying -- you could go many years but i chose back two years ago around when we were initially kicking off the work under the executive order to develop the rosetta stone or the cyber security framework. and coincidentally i found there
was testimony we gave or my boss at the time, pat gallagher, gave before the commerce and homeland security committees on what we intended to do with the framework. and that was almost exactly two years ago. march 7, 2013. so i gave that a quick look to really try to understand what we had done and if we were hitting some marks and some expectations that we'd set up then. and it was helpful to look at this and to think about some of the language that we were using then how the approach had been developed and if we were hitting the marks of the expectations on this part of the executive order. one thing we had in this was a heading called "why this approach"? because we at the time we had to do a lot of work to convince people this was an approach that would have impact. and he said this
multistakeholder approach leverages the respective strengths of the public and private. and helps in which both sides will be invested. facilitates industry coming together to offer and develop solutions that the private sector is best positioned to embrace. so two years later i think we are seeing a lot of evidence how industry and government can come together to help develop those solutions. not only through the process that we did in developing the framework, that yearlong process, where we had engagement from industry. we estimated around 3,000 participants. but even through groups like csric. the communications security, reliability and interoperability council. and that got into coming out in about two weeks we think will
really help provide guidance to the telecom sector to really think about meaningful implementation guidance to a sector that is not only critical but broad and diverse and very unique in this space. we were really pleased that we could participate with csric. donna dodson our chief advisor there and throughout the process we were really happy to contribute our thoughts about what could -- how the industry-led group could develop these products. and so in addition to work like that work like the csric for that sector and we've seen other sectors come together. kevin is here to talk about some things the water sector has done but certainly we've seen the electric sector and the financial sector come together to provide guidance. we've also seen a lot of other examples back in what director gallagher was talking about with
industry coming together to offer and develop solutions. so we've seen technology companies coming together to talk about products and services that could be aligned with the framework. we've seen the auditing community thinking about the auditing standard they could provide. and insurance providers have begun to offer policies tied to the framework in promoting among policy holders. and we've seen states leveraging the framework to improve security of their infrastructure. including in many cases as a foundation for their work in cyber security for state of emergency management agencies. these are all things we are seeing out there that we didn't -- help catalyze, capture and share back. and a lot of this material was discussed quite a bit at the forum last month that the president was at in stanford. where a panel of ceos discussed these initiatives. in terms of what that means for
us and how we at nist think we can help and our work for the ongoing year and plus i hope we can get good feedback on this panel. we're going to continue our efforts to going to continue to raise awareness on the framework including by working with other organizations including associations like u.s. telecom and others here today. also thinking of the international audience. one of the top priorities will be to develop and share training materials that can advance the use of the framework and other management purposes. like how they're using and employing the framework and the ability to look over each other's shoulder to understand the practices they're putting
into our view and extremely beneficial. and how it can be aligned with business processes including the really key challenge and key issue of making sure that we can integrate cybersecurity risk management with the broader way that these associations think about risk. that is something they think is very important. and in addition to that if you think about what the framework effort was all about, identifying the best practices standards, and guideline to use through critical infrastructure it was making them used more widely through the framework. we talked about what we called the roadmap, the list of priority projects from supply chain risk management, technical privacy standards they continue to work on and share information back on the progress that we're seeing with the hope that in the
future as this continues to be a living document through the experiences and through the projects it can have a richer conversation about what are the priorities moving forward to keep this truly able to react to the priorities of the people that need to manage cyber security risk. in all of these efforts it will be a priority for us to be sure it can be conducted in the same open and collaborative manner in which the framework was developed. i think going to the title of the event are we gaining traction or moving behind, there is a lot of work to do about is there any effort -- based on the advice we have gotten from the private sector our immediate focus has been to continue to raise awareness our stakeholders have told us that more needs to be done, and a lot
of that is raising awareness with sectors that don't have regular events on cyber security. thinking about that is the eventual first step. we have seen efforts like this to improve quality in other fields. there is no single definitive and universal end point for improving quality or cyber security. we recommend they do a serious evaluation of their cyber security practices and develop plans to improve their capabilities ideally through the use of their framework or other
management tool. because the framework is voluntary, it allows us flexibility to continue to increase the number of stakeholders that we can work with. i realized that the people across the aisle from me were talking about putting framework in their infrastructure. the private sector has voluntarily participated actively in the development process. and we have found that they are more than willing to discuss how they're using the framework and ensuring lessons learned. we intend to work with our partner agencies across government on their sector wide assessments, monitor their surveys and understand how we can leverage those and then continue to receive information through the workshops meetings
and future rfis that we tend to have meetings like this. and all of that information we're thinking about what can we glean today to help our stakeholders and eventually improve future versions of the framework. with that i will close my remarks. i'm looking forward to this discussion, hopefully that helps provide a foundation. i thank robert and ustelecom again for having me. >> hi, i'm dave a cyber security reporter with politico. i will be your moderator. we have a great panel. we all agreed in advance that we will be direct and to the point. so let's get to a first
question. let's talk about the cyber security framework scope. we have two utilities on the panel. perhaps both of you could address do you envision this as something applied just to your core infrastructure, how would you define that, what about the enterprise i.t. systems that you also control? >> so the framework has applicability beyond infrastructure. infrastructure as defined in the order, a narrow definition. so what we have tried to do is really thread the needle. as robert mentions i co-led with susan joseph, the small and medium size working business group. and we're looking at small and
medium business issues. and what we saw is that although smbs, small and mid sized businesses may not fall in that definition, that doesn't mean they can't adhere to the same spirit of this assignment. they can keep the scope the same but appropriately scale it for their operations. so we were looking at having each small and mid sized business define for themselves core and critical infrastructure. so for small and rural telecommunications companies, it may be that one of those companies defines their switch as core infrastructure. without that there would not be communications taking place within that local area. so i think there is applicability for our customers the e.o.
defines the framework. i would also say that what we looked at. >> the sister working group i'm sorry, is that the framework also has applicability at the corporate level. every company wants to be more secure, right? as much as they can look at that it seemed to be helpful. >> out of a fear that that might, as i understand it, give the ntc additional leeway in regulating what it doesn't regulate. >> from our perspective again, if you're a company with ten employees, you have extremely limited resources. you have one perhaps technical officer who is the where should he prioritize that?
but all of the associations the network operators on there agreed this is a good business practice. so if they can, it should be applied at the enterprise level. >> so if i could add to that, we have embarked on this process a little bit before and we have been anticipating the need for the sector base and we run the gamut from small communities. and we had to be cognizant of the scale. there has been a lot of activity of folks going around some of the business enterprise systems,
and there has been less talk in the past on process control systems, or city yal control systems. we developed a process to make it more transactional for our members. a lot of them don't have cios, right? so putting it into terminology of how they prioritized the technology, where should they focus their time and efforts? so we created a prioritization tool to help them work through the application of the principles and the framework to try to change that behavior and institutionalize it as i think we have heard from so many other
speakers today. >> so i think the answer is yes. yes. >> so that plays over to the enterprise system as well. >> are we changing the name for the critical infrastructure any time soon? >> well so i think you posed your question in terms of how do companies evaluate their infrastructure within the entities and can it be used more broadly. and that is one of the decisions we had in the development of the framework. different entities view it very differently. some will treat how they deliver critical services others take more of an enterprise wide view and leverage it that way. people do it in different ways, you could set up a series of
profiles in your organization and we're seeing people using it large to small organizations been the information that we have received are getting more utility from the broader application where you can look across your entire enterprise and that is the sort of thing that auditing and insurance also like to see. they like to see that you're managing all of your risks for all of your networks. in terms of others using the framework even though it was developed by critical infrastructure, you look back to our first rfi we said that given -- we used the term generally organizations. one of the reasons we did that is we had an expectation that critical infrastructure also evolves as i services change and
they move up and down in the marketplace. and we thought about doing this in a way that could be broadly used and now we're excited that it is being used by organizations that may not traditionally be considered critical infrastructure. >> let's get other folks involved. larry, you talked a lot about the need for the federal government to follow through on a portion of the executive order. one thing that officials say a lot of is that the framework is infinitely flexible because every company is a special snowflake. and what constitutes cost effectiveness must vary company to company, but there can be no
federal government cost effectiveness standard or guide or what have you. >> i think the reality is that if you're going to have a voluntary system, it will have to be cost effective. there is no other way to deal with this. this is what every single study that looked at cyber security tends to find. csi, price waterhouse coopers, cio magazine the list goes on and on and on. the companies make decisions based on cost effectiveness. and one modification i might make building off one of adam's comments, how that risk is true, but really closer to what senator johnson said at the very beginning. we need to integrate the nist framework and other security
steps into profitability. into growth. into innovation. these are all one and the same things. now as to whether or not we can offer any guidance on this this is what we do with everything we do in the private sector now. companies look at environmental regulation, or activity or disabled regulation or activity, and they make a cost effectiveness assessment. and so we will have to do this. my guess is we could come up with some fairly useful guidance because frankly electric utilities don't look much like i.t. companies. defense companies don't look very much like some other manufacturing companies, et cetera. i think we could do some useful studies, and we have proposed that this be done in a collaborative fashion integrated the sector agencies with the
sector coordinating councils to jointly come up with a mechanism, and we can determine what would be the most cost effective way to implement the framework in their sectors. and we have done further and found that various sizes of companies, even within the category of small businesses find different things to be cost effective. we have looked at companies with one security personnel such as jesse was pointing out. and we found there is certain things that can be done in that small company that are cost effective and not the same thing as if you have ten security people. the reality is that if we're going to get truly broad based voluntary adoption in this framework, we're going to have to address this at the economic
level and integrate this into our economy which is growth innovation, profitability all tied together. >> guidance by sector and by size. >> those are two ways that we could subdivide these things. i'm sure there are lots of others, but i'm happy to start with those. >> so individual companies are not as special as they like to think? >> well we are all individually special, but every single one of us probably does well if we exercise watch our diet things that are health effective for us, cost effective for us. we're all probably pretty good. if we study and do our homework as students et cetera, et cetera. i think there are best practices
that can be applied and i think that is probably true. >> i would like to note that i am morally opposed to exercise, dieting, studying and doing my homework. live long to 42. it is very interesting building on larry's comments i think it is an excellent representation about how companies can begin to start to think about cyber security. i think the number of people dedicated to cyber security is misleading and focusing on that in terms of how useful the framework will be. you're all being breached at any
given moment it's about recovering and managing that risk as much as anything. and in my mind, looking at the political infrastructure, i don't think the framework is a big surprise or innovative for the larger communities. it is not in any way shape or form to denigrate the great work they have done. i think they have done a great job for the smaller and medium size businesses and they have nowhere to start when it comes to cyber security. and so i would like to look at a framework from that perspective. the other thing that is
important too is a lot of times when people talk about we adopted the framework, we fully integrated it into our systems and we will see comments from media and lawyers saying if we don't -- when determining liability when it comes to cyber risks. i just don't think that is the case. i don't think the framework represents a standard of care. >> are those lawyers charlatans? >> no, i think it is a fundamental misunderstanding about the framework's intents
and purposes. it is like a golf swing i can watch an old video of tiger woods as many times as i want and try to mimic it but i will never get it right and i will never pound it 340 yards down the fairway. that usually takes me three shots, so we're talking about spending for further critical infrastructure, we have to understand it is one piece of the puzzle just like information sharing. we're talking about threat signatures or indicators of compromise et cetera. that is all well and good, but it will not it is only about how you execute at the end of the day, and the framework will be helpful in some context and
it comes down to how does that company supplement, that's where the rubber meets the road. >> so this brings up a question of how do we measure that. because the framework is individually implemented a universal set of implements could measure the wrong thing, but we heard that sectors have commonalities. business horizontals like size, have commonalities. there is common ground for some kind of measurement, isn't there? adam? >> well, i'm going to take this opportunity, you said to keep our responses brief. one of the things we recently
put up was a frequently asked question, a very legitimate one. other questions for future forums. so let me read the response here. can we measure the effectiveness of a framework? is the organization seeking an overall assessment of cybersecurity related risk, is it seeking a specific outcome like better management of cyber security with the suppliers or greater competence in its assurance to customers. varies per use in a circumstance. individual entities may develop quantitative metrics for use within that organization or its business partners but there is no model for measuring specific use. that is where we are. that is our overall thought on
the issue. we can certainly study and discuss with our partners to think about what common measurements and metrics are. that is something we're very interested in seeing. we have risk management tools rather than the steps they put in place to evaluate and measure that they're doing the right things. >> let's go down the line. >> i just want to jump in quickly to agree again as i usually do with my close friend adam on issues like this. and i think that is exactly right. not only can these things be measured following the outline that adam just laid out, they will be issued. every single corporate directors, focus on the framework, endorse them in the publication, every single one of the corporate boards comes to these important decisions and they want to operate based on a
metrics. can an individual company come up with their own goals and determine their measure for achieving those goals? of course, that is what every company does with virtually every single business decision they make. where should we open a new store? where should we launch? all of these things are looked at carefully, measured and measured in terms of effectiveness and their cost. and unless we integrate both of these as i'm telling you the companies will, then we will miss the boat. what i'm saying is that we could do a substantial solid, a favor for our private sector companies if we gave them some samples that we could work from. if we said we did a study of
small water systems, and we found out that this set of best practices was most cost effective and this one was not, people look at that. people now know where they can go to implement the framework in a place that will most likely benefit them and they will make adjustments. that's how we integrate the flexibility of the framework one of the major pluses with the inherent obligations of businesses that are charged with maximizing shareholder value. we have dual stresses here security and profitability. we must integrate them. and as i mentioned, that is very difficult in the digital age.
things that we do to drive innovation and productivity undermine security. >> again, so kind of playing off of the points that adam made, on the individual nature and the flexibility, the framework and the opportunity it provides, and entities and companies, telecoms so provide the practices, and in the studies that we have done with our members, looking at their potential, there is a significant amount of variability in the types of things that i do, and the controls applicable, maybe only half of them because of the way they operated, so the collection
of that data outside becomes kind of apples and oranges. >> there is no way to come up with a measurement? so here is the question. the question is, right, what are we trying to measure? are we trying to measure that i tie my shoes and put my shirt on left hand or right hand first? or is what is important that the entities are taking the appropriate risk management activities through application of the principles in the framework that are laid out in the guidance that we have designed to help utilities apply in this framework. so there is different measures of activity whether it is process related. i think that is good, an individual entity, that is how they can do their internal benchmarking. but we're seeing a chance of how
it is integrated into the business practices and that is through some form of an option, to use that term loosely, of the framework. that is how we approached it in our center. >> i agree with what kevin said, you're looking at a level of is it better at securing, making sure the network is still available, when you look at a sub category of control, it doesn't, what one company does compared to another might be very different. for instance if you're a small rural telco serving defense contractors the security you need is very different from a small rural telco in middle
america that has different customers, institutions, and needs. i think we're having a discussion about metrics, but the framework in dc circles, we have talked about the framework for years but when you talk about framework, it is still a real uncommon concept out of the beltway. i used the term n.i.s.t., and i had to define that for the audience. what we really need to focus on is awareness and education. from our perspective our members are 900 rural telcos across the u.s. and they all want to be more secure, right? they want to protect their core network, their customer's data and information. it is a question of assisting them with doing that more efficiently and effectively.
>> so we were talking about metrics with reference to the framework. every company has a corporate risk manager. they don't have a corporate risk eliminator. you can't eliminate risk. and so then when you start applying the framework at the individual corporate level, you have to utilize it. you need to define the threats, the types of attacks that you can suffer, that you can protect against, you might be able to protect against, and those you cannot protect against. and that last bucket is data tap. not even the federal government can withstand a nation state attack. in that fuzzy middle area, where it may be a nation state or organized crime, it is kind
of a mix between incident respond and -- there is malware and individuals, itself. ultimately again, it is individual companies looking at their risk and how they're appropriately protecting themselves. are they trying to stop it or minimize what is associated with the cyber attack. and one thing is an article that you read, david, a month or so ago that we're dancing around a little bit here about some of the responsibilities of the software companies as well. you read an article about google, and a certain time frame they have come to discover. that is an important point to remember as well. as much as the companies can do to protect themselves perimeter defense or response, there is lots of moving parts here.
part of that front is a lot of times companies are receiving, utilizing vulnerabilities, and this is a shared burden throughout the entire supply chain, and you have to look at that whole picture before you get closer to managing the risk. >> other questions? >> chris? >> more of a comment than a question. i wanted to see what the comments are about metrics that are going around. i think it should be focused on education and awareness especially in the beltway. one thing that frustrates me is that people focus on how are you measuring the framework. the real question ought to be what is the framework that is provided. it should be focused on outcomes not activities. we were all busy this year, but
that is not an outcome. the fact that we're using the framework, that companies are using it is almost irrelevant to whether or not it is an effective tool and that's why with the working group, we focus so heavily on things like integrity and how quickly we can recover from attacks. and we go about response activities because those are things you can measure. as opposed to just -- >> we have a question from the online audience here. and anyone can jump in. considering the vast amount of devastating breaches that have occurred and are known and also taking into consideration the breaches not publicized how comfortable are you that the awareness and use in the public and private sector will help reduce the number of incidents in the future? >> well, so on the awareness
front, i would agree with our colleagues that that still continues to be a priority in making sure to jesse's point that we communicate to people what we're working on here why it matters to them, how it's voluntary, how to use it. in terms of the other part of the question, in terms of minimizing incidents one of the things we talk about quite a bit is there are those unknown unknowns that companies will not be able to prepare for. the reason we talk about risk management and resiliency is in some ways we're trying to have folks understand that you can't prevent every incident from occurring, and the reason why we had those five functions, and we talk so much about respond and recover, is that we think from the security community there is a wide understanding that you
can't prevent incidents, but it has not always made its way to corporate leaders and policy makers. so recovering from an incident. we also see are critically important. and then i think to the point of the question, if you go back to ari's presentation earlier in the day, this is one element of many going on that the industry is undertaking that the federal government state government, national governments are undertaking to help manage this problem and we think, together we hope that obviously it will have the approach of making things better out there. >> david if i could just build on adam's comments, and i agree with them, and particularly the last one about how many things we are dealing with here, and in, you know, thinking about the title of the event as to whether we're gaining traction or losing ground, i think we are both gaining traction and we are
losing ground. the problem is so complicated. and the bad guys have all of the advantages. it is cheap, easy, profitable, there is no return on investment, and virtually no law enforcement. and with jesse's comment about having to go outside of the beltway on the community and do more awareness and communication, that is so true. these past weeks, mr. clapper said that cyber security is a bigger threat to our nation than international terrorism. and i think that is probably true. but the spending in our government, which by the way does get it and is expert, is about ten times more we need
more funding, more effort, more investment, and more thinking about this or we will continue to fall behind. a couple comments, i mostly disagree with the panel on metrics, chris, i agree with you it is measuring outcomes. with the framework being rosetta stone, even though they do it differently, and if you want to know how there is one measurement that everyone ought to be measuring which is good, how do they respond, how fast do they respond and do they to the priority indicators and security breach. because they don't.
because of the people that prioritize -- >> most breaches there are indicators of compromise. target had two times they could have prevented it. there are indicators. we miss them and it goes back to what mr. finch said. process control management. cybersecurity is great -- >> i hate to do this, but for time do you have a question? >> thank you very much, come talk to me about how to measure it. thanks. >> i'll just respond to the comment. i think there is one point that i would make. if you think about a lot of our efforts, it is about reducing complexity. the goal of getting these things out there is not to add more guidance, to add more paper for people to go through, but to help make these conversations a little easier because we all understand where we're coming from. that is the role of standards. that is why we think a lot of these efforts are really important. that's one of the things we think will be really important
in the long run in terms of reducing costs. we think we can have a much richer conversation. >> please join me. [ applause ] i'm going to say thank you all for attending in person and acknowledging all of the folks who attended via live stream. i will want to thank all of the panelists who were involved today. i thought it was very excellent and informative set of panels and discussions. and i want to also announce that we will have a, you heard a lot today about the work of working group four that will be released on march 18th. on march 19th u.s. telecom will have another forum to talk about that event. look for that on our website. we'll be pushing that
information out as well. thank you and have a great day. president obama said today that the united states will stay rather than reduce its current level of 9800 troops in afghanistan through the end of the year. it was announced at a joint press conference with afghan president ghani who met with him at the white house today. >> in support of today's narrow missions we have just under 10,000 troops there. last year i announced a timeline for drawing down our forces further, and i made it clear that we're determined to retain the gains our troops have
drawn. i consulted with general campbell in afghanistan and i decided that we will maintain our current posture of 9800 troops through the end of this year. the specific trajectory of the 2016 drawdown will be established later this year to our final consolidation to an embassy presence by the end of 2016. this flexibility reflects our partnership with afghanistan which is aimed at making afghanistan secure and preventing them from using it to launch terrorist attacks. reconciliation and settlement makes it the best way to safeguard international interests peace, as well as security interests. second, and the best way to ensure it is a political
sentiment, we're going to support an afghan led reconciliation process. president ghani you have shown great leadership. afghanistan and the united states agree on what the we must do. abide by afghan laws including the protections for women and minorities. third, we'll continue to support the national unity government in their efforts to truly serve the afghan people. see president obama's first press conference tonight at 8:00 p.m. eastern. or log on to our video library any time at c-span.org. >> here are some of our featured programs for this program on the c-span networks. on c-span2's book tv, peter
wallison says that government policies caused the financial crisis and that it could happen again, and director of the earth institute at columbia university on a plan to target global issues, and saturday morning at 10:30 eastern on american history tv a discussion on the last major speeches of abraham lincoln and martin luther king jr. and the 1965 meet the press interview with martin luther king junior. find our schedule at c-span.org. call us, e-mail us or send us a tweet. join the c-span conversation. like us on facebook and follow us on twitter. next a supreme court
justices anthony kennedy and stephen breyer testify on the court's 2016 budget. the question is for just over $78 million. an increase of about 1% from last year. they say they will use funding for a new electronic filing system that would be able to track petitions. this is an hour and 20 minutes. >> this hearing will come to order. first of all, let me welcome justice breyer and justice kennedy. we appreciate you coming back and being with us here again today. we all look forward to this time to have an exchange not often does the legislative branch and the judicial branch get to talk to each other. so we look forward to that.
i think all of us know that a fair and impartial judiciary is a cornerstone to our democratic system of government. the fact that you're here today i think is important. i think the work that you do is obviously very, very important. and not only you resolve disputes between individuals, but also between executive branch, federal government, and legislative branch. and to do that you need the respect of the citizens and i think you have that. i think you also give respect to the citizens with regard to what is right and what is fair. today is important because we have a chance to talk to each other about issues that are important. one of the things that i want to commend you for is your work to try to help save money. everybody knows that the government needs money to provide services.
but of late we are trying to make sure that every task of government is completed more efficiently and more effectively than it has been before. money is limited. and you are to be commended for the work that you have done to try to save the taxpayer's dollars. i notice that your request this year $88.2 is almost a million less than you requested last year, and i can tell you, fellow members up here don't see that happen very often when an agency comes in and asks for less money than they received the year before. we thank you for that. i know you've done some cost containment initiatives dealing with technology and personnel and it has paid off. i know there is small increases that are inflationary themselves. so we look forward to hearing from you about the resources
that you need and any other comments you might have about the judiciary in general and we will pledge to you to work the best we can to make sure you have the resources necessary to carry out your constitutional responsibility. once again, thank you for the work you have done to try to save money and be efficient and effective. in closing, let me say on a personal note i'm from jacksonville florida and we have the chester bedell inn of court. and every year they have a special occasion on law day. they will be requesting one of the members of the supreme court to come in 2016 to be there for that celebration in jacksonville florida. i hope you will be on the lookout for that invitation. they would love to have you there and i would be honored to
introduce you to jacksonville, florida. >> the chairman has no shame. >> and that has nothing to do with your budget request. we look forward to your testimony, but first let me turn to the active ranking member, mr. bishop. >> thank you, mr. chairman. ranking member serrano would have liked to be here today and he could not and he sends his apologies. i would like to welcome you to our subcommittee. this is a rare opportunity for our two branches to interact. because of this sometimes our questions range beyond appropriation issues. we look to you for insights on what affects the federal
judiciary as a whole. we have to be careful not to affect the ability to hear cases and dispense justice in a fair and timely manner. we have to be sure also that the supreme court is both the final authority of our constitution, and the most visible symbol of our system of justice with our sufficient resources to undertake not just judicial functions, but public information functions as well. we look forward to your testimony. welcome, and whatever we can do to make sure that we have a strong independent well funded judiciary, we want to do that. >> i yield back mr. chairman. >> thank you now let me recognize first justice kennedy
for any remarks you might like to make. we'll put your written statement in the record and if you could keep your remarks in the neighborhood of five minutes that will give us time for questions. the floor is yours. >> thank you, mr. chairman. thank you for your welcome and your greeting. we bring our messages of greeting from our colleagues with us today. i was just going to order -- where they are seating, our jeff who is counsellor to the president, or counsellor to the chief justice and kevin cline, our budget and personnel director, and the marshal of the court and is patricia here? cathy, our public information office. as you indicated mr. chairman we're always very careful, very
cautious about budgetary expenditures. and the budget of the supreme court is just a small part of the budget for the courts as a whole. and the budget for the courts as a whole is a very small part of the united states budget. and i think today you will hear a presentation from judge julia gibbons from the sixth circuit. she does a marvelous job, and the budget for the federal judiciary as a whole is important, i think, for the congress to realize that it is not just judges, there is 7900 probation and presentencing. this keeps people on supervised
release. it is very cost saving, and over the years in the federal system we have a very low recidivism rate for those on release. it is high if you look at it as one-third, but it is quite low compared to the state. this is comfortable effective. the federal courts as a whole, mr. chairman, are a tangible palpable realization. and they see the judicial system and they admire it they're inspired by it and they say you can't have a free economic system without a functioning
legal system so what you do is of immense importance. for our budget, overall, we have a decrease in our own court operations and expenditures. we have almost exactly 1%, a little over a 1% increase. and that is for mandated increases for inflation and salary increases that are mandated. over half of that we have absorbed cost cutting in the courts. so we absorbed over half of the mandated increases in the framework that we have. the court is planning to have in the year 2016, an electronic filing system so that all of the
papers filed with the court will be on electronic filing. we waited until they could get on that system so we could then take it from there. but of course this also includes filings from state courts and from prisoners. we think this may require an increase in personnel by one or two people we're not sure. the petitions of which they're, i don't know, it's in your chart, probably in the area of 6,000 a year, are usually handwritten. when this is put on electronic retrievable system you will have a database from which scholars and analysts can look at the whole system and make comparisons. how many -- what are the percentage of cases where there
is a complaint that is search and seizure. this will be a database that will give us considerable data so we can study our system. we are prepared to answer questions about the specifics, but we thank you for the honor of being here and justice breyer and i are pleased to answer your questions. >> mr. breyer you're recognized. >> i simply just reinforce what my colleague said. you're here and that's a good thing, so are we. i think our problem is not necessarily the budget, but how do you get the american people to understand what their institutions are about? in our case we're not up in some heaven somewhere where we decree
things from on high. we're part of the united states. and you're interested in the income mechanics of how we bring this about. trying to explain to people what we do. and you say we're part of you and you're part of us. and that is talking to the people of the united states. so i'm glad to have even a little opportunity to talk about our institution and how it works, and i'm glad you're interested. >> thank you very much mr. chairman i just might mention court which you alluded to. was the idea of former chief justice warren burger. he wanted to replicate this structure in which judges and attorneys and law professors and law students get together and talk about stuff and he did it
with the late judge christianson. and it has been remarkable. it cost the government no money, and in california and boston, they have inns of court, and it made a real visible difference in the civility that we have. >> that is great because it is there to boost professionalism, and they're doing certainly a great job. as we're getting the questions, i can't help but recall the last time you were here i asked you how the court decides who they will send over to testify before us, and i think you replied it is
based on merit. so you're back again. let me ask you one of the things that i know there has been a lot of work being done and in the last ten years i think this committee appropriated money and things were upgraded. so i just wanted to ask for an update on how that work is done, if the facade was redone, north and south is that all complete. at one time there was a big hole in the ground next door but since i have been back of late, everything looks really nice can you just give us an update on how that is being done. is that being finished? >> the project for refurbishing of the building is completed. we came in under budget and the
project has been closed and has been very, very successful. incidentally, the original cost for that was, the original estimate was $170 million. and i talked with your predecessor when i got the message, and he said i think we've got a problem. it sounds too high to me. we hired our own architect. and worked with him. and in fact my recollection is he did most of this work pro bono. from the architect we hired, he was from the university of virginia, taught architecture there. we got it down to 120. and the billing came in under that. there were some contract claims. one of the problems was the windows. you look at our windows on the court. there are these lovely windows. they measured the bottom, the
width of the window and the height, they didn't know it's not a rectangle it's a trapezoid. it's brilliant architecture. so that was about a $15 million mistake. which we weren't going to pay for. that's the kind of thing that comes up. and it's -- it is finished. we had to replace all the wires, all the air conditioning. we had the air conditioning system from 1938. and when it broke, there was a fellow that was retired in west virginia, we sent a police car to get him we better fix this. that's been a -- the facade is a different project. that's the -- some of the marble was falling off time has not been kind to the marble on the building. and so we're still in progress.
the entrance, the west side of the building is done, but the north south east and west have yet to be done. >> let me ask you, the whole security issue, the world seems to be getting more dangerous, whether it's internationally, or domestically, and i know from time to time the supreme court hears controversial cases i know you spend about $18 million a year on security. i wanted to -- you to tell us, is that adequate? if you hear -- going to hear maybe a highly charged case, that you have to increase security during the time those hearings take place. give us an overall view of how you see -- i was just speaking with the folks in the federal
courthouse. that's a concern to them. in these difficult economic times to make sure we have adequate security for a lot of people that are in public service. but give us a little update on how -- is that all being funded? is that all being taken care of? >> it has been, a few years ago, we projected that we needed more than we ultimately asked for. we're satisfied that we have the right number. yes, of course in high profile cases or when threat assessments are going up we have increased security. but we can do it all within our existing staff. >> thank you. >> mr. bishop is recognized. >> last year, we discussed the real impact of sequestration. unfortunately, we still need to discuss that, i think most
people think of grants and federal programs. as a way to dial back operations. it's not the case with the federal judiciary. the courts have a constitutional responsibility, and you cannot control the scope of your jurisdiction. and you've already undertaken strict cost-cutting measures prior to sequestration. i know you can't answer for the entire judiciary. what do you see as the continued effects of sequestration. what concerns do you have if sequestration is continued? >> i haven't heard the testimony for other agencies. we're all unique, you can't have any sequester for us. >> i want to repeat the argument you hear all the time. number one, we can't control our work load, it's controlled by forces and factors that are behind our direction. number two. we have a tradition, as the
chairman indicated of being very prudent and very cautious. with us if there were cutbacks, it would mean delay processing time of cases. and it could mean compromises in security. with the courts in general, it's much more significant as we indicated, we have 7900 probation officers, and if they're laid off. that means more people are in prison at a greater cost. the secret stayed and it works back backwards. >> at some point you cut back enough. you keep going you'll discover that unfortunately in the united states there are crimes, and people arrested. and they are supposed to be tried and you need a judge and you need a jury and you need a courtroom. and the alternative is not to have the trial. you don't have the trial the person has to be released
and there we are. there is a minimum. and if you go toward that minimum and beyond it, you will deprive the country of the services that basically are needed to run the government of the united states in this area. >> thank you. your total fy 16 request buildings and grounds does represent a discretionary decrease of 1.1% for fy 15. it looks like this is a combination of the construction work being completed and savings from nonrecurring costs associated with implementation of your new financial system. are there program increases that you're delaying but you still feel would be beneficial at some point? and with regard to implementation of your new financial system, which i understand you're leveraging resources from the executive branch, the department of
interior specifically in the area of payroll and financial tracking. and i understand this move has reduced your reliance on contract employees, and it seems to be a great step toward efficiency. do you feel you're getting an improved level of service. would you recommend this to other agencies that are looking to reduce that cost? >> i'm not enough of an expert to recommend it to other agencies, but our staff tells us it's working very very well. they like it. they like it better than the outside contractors and it's much cheaper. we are in partnership with an agency, in the department of interior. which has some similarities to us and it's been the source of -- it's generated most of the savings we've had over the last few years. >> thank you mr. chairman.
>> thank you. >> congressman bishop the -- we're not holding back on anything, other than we do have this projection that we may need two more people because of the electronic filings we're going to put in place in 2016. >> i must remark, thank you very much mr. chairman, the answers from our witnesses are so succinct and to the point. >> we don't. not only do we not get people requesting less money, we don't get people that speak clearly and concisely. congratulations on both fronts. now, i'd like to recognize mr. womack. >> i wish they were all this way. justices once again a great honor to have you before us. we always look forward to hearing your commentary. and specifically interested in the i.t. piece of what's going on in the supreme court. these technology changes are
happening so fast. so fast that we get further and further behind i think in trying to keep up with what technology ought to be able to do for us. and so i am interested in knowing just how well the i.t. upgrades are going and listening to your testimony justice kennedy, i got to thinking about our friends over at va dod, they're having such a difficult time coming up with a platform that can kind of serve a very special group of people to our country, our veterans, and being able to get these two systems to talk to one another. do you encounter any of that kind of conflict within the judicial realm in dealing with matters of information technology. >> the guess is justice breyer is much more well versed in this than i am. my guess is that, by comparison with many other agencies, our
problems are predictable. we know there's going to be a trial with the plaintiff and the department, we know there's going to be an appeal. we know there may be a petition with a petitioner and respondent. so the universe of problems is rather well known and rather predictable. we don't have to project for uncertainties to the extent -- nearly to the extent that other agencies do. and our system, the legal system lends itself very well to the electronic technology. >> in my own mind i classify three different things that technology can do. one you heard about and that's the budgeting for example, and things that are technological, they made advances in getting together with other agencies. the second which is coming along, is the ability to file briefs and