tv Washington This Week CSPAN October 12, 2014 2:37am-4:06am EDT
i think it should be repealed, but i also think it should be replaced. i also think we should have a health care system that moves away from the goals of this administration. barack obama, harry reid, nancy pelosi all said obama care is the first step toward national health insurance. we don't want and don't need national health insurance. we need a system that is market driven. we have health savings accounts. a of things have to be restored. it is that doctor-patient relationship that really has to be restored. so i think we have to repeal it, we have to replace it. we have a considerable number of republican ideas to s -- ideas to do that, first we have to win the senate. harry reid will not -- the house has passed 350 bills. as i said, the senate is the place where good bills go to die. so all of the repeal and replaced legislation passed by
the house of representatives and shared in many cases with many different senators has been stopped by harry reid. unless you stop him, the same thing is going to go on. because the president has indicated this is a referendum on his policies and his programs nd his legacy. if you look at his legacy, you will see this guy is a liberal democrat. i don't know you can't come clean about it and just be proud that you are a liberal democrat. >> the senate suggested i voted for harry reid. i want everyone to know, i didn't commit voter fraud. i didn't go to nevada and vote in that election. the senator also talks about contributions. some of the contributions he's failed to talk about are my contributions to republicans. i actually gave money to scott brown in massachusetts in 2010
precisely because he was the vote that was supposed to prevent the affordable care act from becoming law. that's why i made that contribution. i've said from the beginning that i think the affordable care act expanded a proken system. when asked the question will you repeal the affordable care act, what i've said is, i think that's a false choice. i think any senator who stands up here and tells you he is going to repeal the affordable care act is ignoring the reality that president obama will simply veto the bill. so from my standpoint, what i say is, let's start talking about the real issue in health care. let's start talking about health care affordability. we have a health care affordability crisis in this country. we had it before the affordable care act. we have it today. for people like me who run businesses and like you, you know every year you try to decide what kind of raises you can give employees.
every year the first question you have to answer is, how high have my health care premiums gone? last year we gave 2.5% raises. it would have been 4%, 4.5%, if we didn't have to deal with the rising cost of health care. the reason we have a health care affordability crisis is because the incentives are all i don't know. we pay for quantity and not quality. if we realign the incentives in health care, i think we can get affordable health care that is also very high quality. that's what i think we need to be folkoused on. >> the marketplace has become increasingly global, certainly challenging businesses to remain flexible and competitive. what are your views on wage and benefit man at a time? including, potentially increasing the federal minimum wage and out-sourcing of jobs overseas? mr. orman you will lead us on this one. >> as a small business owner, i
have to deal with these issues every day. my father refers to this as the bee hive of regulations. what he says, these mandates, any one of them, you can survive, they are like a bee sting, but the collective effect of all of them is like falling into a bee hive. collectively i believe we are over-mandated, over-regular lated in this country which is one of the reasons we came out , th our small business plan repealing dodd-frank. someone said to me, that's impossible to do. how are they going to do that? i said that's precisely my point. if it is impossible for the government to be able to review it every 10 years, one-10th of them, how difficult do you think it is for industry to comply with them?
i definitely think we need to be smarter about that. the other thing i talked about is, if we are going to regulate business, we need to do it more efficiently. my father's store will get visited by the department of transportation because he has trufpblgts he will get visited by osha because he has a spray booth. he will get visited by -- i think we can do a better job of consolidating that regulation so it is not as intrusive. the average small business in america today now pays about $11,000 for employees complying for regulation. i think that's the problem. >> mr. roberts? >> the key is to get the regulatory reform bill through the senate. i was one of the first people that took the president's order and said let's look at all the regulations that have been prom
gated to date and all the regulations you will do down the road, and if the cost out-weighs the benefit, we won't do that. harry reid wouldn't let us consider the bill. that's the problem is the gridlock in washington. everybody here knows about the regulatory overkill. i can't go any place in kansas or any section of our economy when we have not experienced regular industry over-kill. you walk in a room, someone hands a piece of paper, senator, have you seen this regulation? i probably did not. they didn't until tuesday and that's on a wednesday. it used to be you could go in and talk to the agencies and at least have it make a little sense. that isn't the case now. you have a regulatory agenda where that person you are talking to has an agenda, and you are not going to win that.
you may be -- that's why people think many people have lost faith in their government. that's because the government doesn't have faith in the business community. they don't trust us. that's why you have to change this. but we can't do it when we have a rpt that stands up and says, this is a referendum on my policies and pram programs. he says this is what the election is all about. again, by word, by deed he is one person. he gave to kansas tems, harry reid. this man is a liberal democrat. he will say otherwise, but that's not the case. >> higher education is important to a well trained competitive work force. much of the funding, of course, comes from state, tuition, and
donations. what do you see as the role of the federal government in higher education? >> number one, i think the federal government should live up to what we promised for special education, more especially in our elementary schools and in our high schools. i think the amount of money we provide is somewhere around 12%, 13%. that's going to be an awful tough job. we have a budget situation where we have i debt of $18 trillion. i actually teamed up with a democratic member of the senate in insisting we can put a mandate on the federal government. that in one area is where i think the federal government can be of help. i believe in education. local control is best control. that is because we have the knowledge and hands-on experience. we don't need more federal mandates telling our kids how
much to eat in a school lunch. no child left behind. if you want to get out of that, you have to get into more regulations. just let me say again, i have a record of creating real jobs and on the education votes that the nsib scored and the chamber of commerce scorksd that's who they endorse. the same issues that you deal with, the same issues that i talked about in kansas and also in washington. that's why they endorse me. they did not endorse my opponent. my opponent is very amorphus on where he stands on the issues. that's why the chamber endorsed me, and also went on to say -- i didn't say this -- went on to say my opponent is, in fact, by donation, by deed, by past experience, he wasn't independentent when he ran against me in 2008 and he isn't now. they defined him as a liberal
democrat. i know why he says he wants to be an independent. it's because if he says he's a liberal democrat, we won't vote for him. >> i would actually invite everyone to go to my web site and look at my responses to the issues and draw your own conclusions about who i am as a candidate. i have actually always been independent minded, i've always been fiscally responsible and socially tolerant, by more importantly, focused on solving problems. i would ask you to not listen to what you are hearing hear today but to look at the web site and draw your own conclusions. i would like to address a couple other questions before we get to higher education. first, senator roberts said the senate is the problem. i agree the senate is run poorly. he house has similar problems.
david camp, chairman of the committee on house reform, put together a bill that his own chamber wouldn't take up because it was a difficult issue. the senate passed an immigration bill that 14 senators agreed with. senators twho i will tell you greed with my position on immigration, including guys like john mccain, the house wouldn't take that bill up. both parties are to blame. both chambers of congress are acting in an overly political way. as to higher education, i believe thaze policy failure in our government. we spend over $100,000 a year on guarantee yeed student loans, pell grants all with the goal of making higher education more affordable, yet we don't hold colleges and universities accountable for that will public policy goal. i think we need to say to colleges and universities who
get taxpayer money so that specific goal that you have to increase your rate increases -- i'm a capitalist, if you don't want to do that, that's fine, by don't do it with taxpayer money. >> advice and consent is a key constitutional issue, and it is likely vakiansies will occur on a wide variety of issues and require senate confirmation. what are your views on the process? do you have a particular litmus test or principles that will guide you in your con fir nation mation vote? mr. orman you will start us off. >> i look at confirmation votes the same way you find people to run companies. you have to ask some basic questions. one, are they qualified to do the job. two, does their track record suggest they are thoughtful and reasonable and intelligent people. as a chief executive of a
company, i also understand the to of chief executives aappoint their own team. i would be less inclined to turn down a candidate unless i really thought that candidate for the job had some serious red flags, some questions in judgment that were real lapses in judgment, a lack of capabilities. otherwise, i any if -- i think if you would approach it to the way you would hire an executive for your company, i would address it, and we need to let republicans and desms pick the team they think they need to pick to run various cabinet agencies. > mr. roberts? >> it was just this past session when the drems broke the rules to break the rules, and less than 60 votes on nominations and
judges, it went down to 51. they were able to ram through many of their nominations in judges on a 51-vote basis. one way to stop that was a legislative maneuver, which i won't get into because it's too complex, but the first thing a republican majority will do is restore minority rights so that we get it right on nba.com nages nd judges. i don't have a litmus test, but i want people nba.com nailted to be for limbed government. i don't want them to be legislating from the bench from some agenda. and i want them to be conservative. conservative in the standpoint that they don't have over-reach with regard to their responsibilities. how is that working out for us with regard toll harry reid and
barack obama? i.r.s., department of health and human services, the e.p.a. i don't want to name names here, but all these people have an jepped. department of the interior. this is an incredible agenda. the agenda fits. it fits the obama-reid agenda. eye vote for pat roberts is a vote to achieve the senate majority and put back the rules that we had before for 225 years. a vote for greg orman is to continue the barack obama and the harry reid jens agenda. t is really that simple. >> time to move now to closing statements. senator roberts you can lead us off. >> the eyes of the nation are on
kansas. the rest of the country is counting on us to get it right this election. it will be up to us, to kansas, to determine who will be in the majority in the united states senate. it is up to kansas to help restore a long over-due check on the obama-reid agenda. a republican majority majority will repeal and replace obama care, stop the president and his allies from forcing amnesty on america. a republican majority will bring common sense principles to our country. we will get the government off your back, lower your taxes, and help give you and your family freedom to pursue your dreams and those of your children and grandchildren. i am the only candidate in this race who can deliver that republican majority, who will fight for kansas values and fight for you. i'm a man of my word.
the same cannot be said of my opponent. e don't know who my opponent is. he dodges questions and tries to take both sicedz of every issue. trying to get greg orman's opinion on an issue is like wall. to nail jello on a greg orman is no independent. he's a dyed in the wool democrat y word and deed. elections determine the future of our country. the people of kansas need someone in the senate who has a back bone. first my opponent says he's a republican, then he says he's a democrat. then just this year he became an independent. legislation, who and what will greg orman be next year? do you want to gamble our
children's future on a man with no con vicks? mr. orman ran against me in 2008. he has given thousands of dollars to the democrat. hillary clinton, harry reid, and barack obama. that is not an independent. a vote for greg orman is a vote to hand the future of the country over to harry reid and barack obama. mr. orman is pro-am midwesty. he wants more government restrictions on the first and second amendment, if you believe that, and he won't repeal obama care. that's not an independent. i voted against obama care every time, and i'll continue that fight. we must stop president clinton from another presidential amnesty. he's threaten today do that again. we need to create jobs and provide certainties. will do that.
i have a strong record of this, which is why the u.s. chamber, the same issues we take when you meet with you here when you come to washington and the same issues i talk to you here and the national independent federation of business, also the same issues, they have endorsed me. friends our vision is their vision. most of all pill fight every waking palestinian to restore our faith in government, a government that governs, not rules. a government that is a partner, not an adversary, and a government that respects the vision of our vanding fathers. thank you, and my -- founding fathers. thank you, and god bless the united states and our great state of kansas. >> mr. orman. >> thank you for everyone who took time to be here and those of you who are listening at home
and to my wife cybil. >> the way you solve problems is by applying logic and common sense and then make a.i.g. practical decision. the decision we have in front of us today is a simple one. do we want a continuation of what we've had in the past? is the status quo acceptable? are we solving problems? is a government that behaves like two children fighting in the back seat of a driverless car what we want to hand off to future generations? if it is, i'm not your guy. if you want to try something new. if you believe we are at a point and time in our country when we have to send a message, i'm asking for your vote. we're the country that put a man on the moon, that harvests the power of the atom. i believe that country and those people can solve any problem when they put their minds together and work together.
we can't accomplish any of that if we continue to accept that there are only two paths forward. i am running as an independent agenda.t the two-path i believe we can have humane border controls and -- border controls and a humane amnesty program. we won't get there if we keep electing part sans. change can be scary. but what frightens me is more of the same. what pritens me is the health care system running out of control. what frightens me is a federal government that seems to grow regardless of what happens in washington. what frightens me is two parties that seem more interested in seeing the other party fail than working together so that our country can succeed.
i believe this election is an opportunity for the people of kansas to send a message to both parties that you can't hide behind your party label. that if you can't set your differences aside and saturday solving problems, we will find someone who will. this is an opportunity to -- for kansas to say -- this election is an funt for cans caps to show the nation what's right with kansas. you can read more about my ision at orman for senate dot com. today i'm asking for your votes to finally get washington back into the business of solving problems, regardless of party labels. >> thank you both for being here. a nice round of applause for our candidates today. [applause]
>> campaign 2014 is bring you more than 100 debates. stay in touch with our coverage and gauge. follow us on twitter and like us at facebook.com/cspan. >> live coverage of a debate in the michigan's governor's race today at 6 p.m. eastern on c-span. >> october is that related as cyber security awareness month. experts- cyber talk about the need to build more security protocols into products like smart phones, tablet and computers. bloomberg government hosted this one hour of event. -- one-hour event.
>> i am the cofounder in head of bloomberg government. we are thrilled to be hosting an event with the department of homeland security on cyber security. when we started bloomberg government we have the aspiration of creating a one-stop shop for government affairs to help them make better, faster decisions. part of that aspiration was convening conversations about important topics, particularly business and government and cyber security fits that bill. last year, we did a study and looked at public company to see over time as the mention of government risk increased? it has but we went back to the same methodology to look and see what have companies set about cyber security. 2010, out of all the us-based companies publicly traded, how many companies do you think mentioned the word cyber
security in their annual report? thousands of companies. 20. a total of 20 companies mentioned cyber security just four years ago. the world has clearly changed in that time. in fact, bloomberg government has written 172 pieces that talks about cyber security. we have held dozens of events on it and we have recently created a marketplace that a deaf eyes all the cyber security contracts by the federal government. it is a new world and i think we will be partnering homeland secc and on this event.
we will have questions and answers among the panel. the audience for questions and people watching online, send us questions. this seems to be just a great time to have something that may actually help in cyber security. it seems like it is not every day, every week we hear about a new major cyber security incursion. the names go on and on. we have gotten used to the home depot most recently until jpmorgan came in and wiped it off the pages. my colleagues from bloomberg articlete an sender could be 13 other financial institutions that could be under the same hackers. i will give a very brief introduction because you have the detailed bios in your program. who isfar side is andy the assistant secretary of the office of cyber security and key
at the department of homeland security. ngela is the director of cyber security and policy at microsoft. stross her is benjamin who is an engineer at facebook. to my immediate right is teresa who is the best title of all time -- security princess at google. i tried to see we could implement those and he says he is considering it. i guess my first question is we are talking about cyber security. we are hearing a lot of that about that. we are not sure what that means and if they can help. we will start with you. can you tell us what your company is doing in this area? we will come back to that woman talk about the internet of things. what is google's take on this and what are they doing?
>> i should preface by saying i am an engineer. i joined google as a software engineer or hired hacker. i come this from an engineering standpoint. we have a team of engineers that are -- our main goal is to make chrome secure some people can browse the internet safely. there is certainly a technology standpoint. as an engineer, i tend to think about that first. i my experience at google -- have been there for seven years -- i have come to appreciate the people and process part. i really have thought about it in past seven years where we had a dedicated security team that can support all google products and now we had to grow that model to support all of the engineers. processes that can make security part of the
development lifecycle. there are certainly key technologies that i think the people are important. >> some good points to follow up on. >> i am also working on engineering specific angles. i am a member of the security infrastructure team. we try to minimize risk across the entire organization by finding pitfalls or mistakes and building frameworks or tools that eliminate or reduce the possibility for errors. we are part of several security teams that have other focuses. there is a big human element to it. thingse most successful we have done at facebook is empowered everybody at the company not just in the product and engineering, but across the entire corporation. we actually run several programs to encourage people to report security vulnerabilities or security issues might be happening. it really highlights areas we need to focus on.
>> perfect. i think we are going through a nice group of engineering and policy experience. i have an engineering background at microsoft. i am part of a team that has been -- i was joking with these guys -- forward employed to help work with policymakers as they continue to struggle with these issues. as was noted earlier, the world is really lighting up with concerns about cyber security. microsoft's commitment to this series of issues is long-standing. we stood up and organization called trustworthy computing considersars ago that security, privacy, reliability and transparency in the practices that we engage with our customers. a lot of that has evolved over time. i agree with the comments of my colleagues here in terms of thinking about policy process, human element and training.
what i would add is applying it across the framework of protect, detect and respond. while we are thinking about the right policies and procedures are, you want to look across the whole sex from -- spectrum of designing and encoding. making sure you are building features that help people understand current state and operational security. also really engaging actively in the response process because as we all know or hopefully most people know, there are going to be vulnerabilities in hardware, software and services. collectively, we need to ensure we can respond to those to make sure we serve all of our customers. >> andy, if you could address really what the government is doing. we have heard a lot from the national institute of technology and the department of commerce in february.
recently, there have been a number of speeches -- over the past year, talking about cyber security. if he could talk about this perspective and what you are trying to achieve. >> we are attacking this problem from different approaches. on the one hand, your things like r&d to support the development of tools and really even concepts about how we build things more securely in the first place. you have standards. nist standards. to a more practical end of things, the fda released a set of guidelines in the past few weeks for medical device makers and what they need to take into account as they build medical devices. butprescriptive guidelines recommendations for these device makers about how they think about incorporating information technology into their devices and making sure they are secure. a year ago or so, the department of transportation to the same
thing for smart cars, cars that drive themselves. you probably care about the cyber security of that. there was a spectrum of a government activity from the more forward, future looking rnd to guidelines, to individual sectors. thisten don't think about as far as building security but awareness is part of it. we have to create the demand for secure products in the first place. the work of the government does to raise awareness about the importance of cyber security and the need for companies and individuals to secure themselves -- that is going to feed this one. >> just so i can understand, when we are talking about -- people have an idea about what it means for taking responsibility and safeguarding passwords. people have a less developed understanding of designing cyber security into architecture and design. when anybody like to address really what kinds of things we are talking about?
>> i can take a stab at this. i worked on chrome, it is a browser. there are about 1000 people to make it work and millions of lines of code. people contribute from all over the office. everyone is to think about security. that is why we don't focus on 90 specific technology but really principles. one of them is defense. the idea is we need multiple layers of defense. you cannot trust anyone because there will be holes and bugs and one -- if sure if something is penetrating in one place, there are some the girls to protect against it. -- there is something else to protect against it. whether you're working on facing your designer and thinking about what you are presenting to the user that maybe has some security applications or whether you're a systems engineer, there
is a technology called the sandboxing that is implementing that. whether you're working on the other part of the product -- we really think about the principles and people can interpret them on their specific roles. >> anybody else? >> i think a huge benefit of having a dedicated engineering security team is they can do things like focus on pitfalls or vulnerabilities. many of the issues we see coming up across the broad struck them of country -- spectrum of companies -- and we can focus on taking those. we want our engineers to make decisions that don't have security impact. when you are building a product, how do you minimize impact in making a decision about security? frameworks that are able to be solved under the hood. it eliminates the entire process. defense and deficit is important and able to have an extremely quick response to
issues. one of the ways to flesh out the sort of things is bug counting. the idea we can pay external researchers a bouncy for bugs for companies that use software. fix the problems before they are exploited and give recognition where recognition is due. >> these are many confluence in her answer is a different angles. -- these are many complementary answers in different angles. one of the things we do is to secure development lifecycle. this starts to look up front of the coding and thinking about the design of the system. where there will be data stored, where there would be flows, the surface area of exposure to a n attack. we are really looking before starting to do coding about what is going to operate in that system, what are the potential areas for vulnerability.
when you move into the coding experience, one of the things we found is important is integrating that directly into the coder's experience. it is not like i need to go check and see if i am allowed to do that. in their tools, you may have things -- we know certain functions in code typically can often result in a vulnerability. the function is one of those examples. there are further activities downstream like ensuring as you are doing that whole process that you are building in the response element because there will be issues found and we need to be responding to them. has a program for chrome and the web app. how you think about building a specific piece of software -- it needs the fence. we have -- defense. we have guidelines in those
framework to mitigate vulnerabilities. you cannot always solve all problems so that is why you have to think about bugs and finding them. lot ofomething i think a our neighbors in silicon valley have been doing. it is definitely a hot topic. should you be paying researchers for bugs. >> andy, there was a recent ms. tatian ino -- reason the words that struck -- presentation and the words that struck me. this is coming across many people from commerce and nist. there is a national imperative -- how do we get the private sector to take that out? is that something that will do on their own and if they are, is that sufficient? >> let me first talk to why there is a national imperative.
you are hearing from organizations that are primarily information-technology organizations and they are doing great work and forward thinking. the world of organizations that are primarily i.t. organizations and as you look to the future where we are going to be building information-technology in almost every device we interact with whether it is the refrigerator which people of joked about for years, whether it is your car, you name it, the world of the internet of things as we call it -- when everything is internet-enabled security is even that much more important and relevant to your life. is a national imperative? absolutely. we are are already incredibly reliant on cyber security. if we build these devices being secure from the get-go, they are hard to update, improve -- we are in deep trouble if we don't start out with more secure devices. how does the government help bring about that change? can we leave it to the market?
the approach is to take a voluntary one. even the fda is issuing a guideline to help medical device companies who have not necessarily had to think about cyber security before actually start to consider -- as i ready a device for market, i think about cyber implications. it is really high level. it walks you through a risk management process. think about what the threats are, the impacts could be and think about how you mitigate the resulting risk. it is not prescriptive. it is a very good approach to take. the same for the department of transportation guidance for smart automobiles. giving guidance to sectors who are new to think about this problem in helping them understand it is their problem and they have to be engaged in the solution. i think just to highlight another point i made -- everything we can do to raise awareness whether it is at the
strategic level, making a ceo better understand that cyber security is imperative or whether it is at the more operational level like putting out threat information so that people who were on security engineering teams can understand what the bad guys are doing in the real world and how they can defend against those activities. that is a huge role for government to play as well. >> i wanted to follow up a little bit. you mentioned the fda guidelines at that came out in the past week or two. i would like to understand that a little better. the fda says these are things to consider and they are designs to develop the medical devices. the devices themselves go to the fda for free market screening. presumably, the fda will look to see if the things they recommended are actually in the devices that manufacturers are trying to get approved for the market. does that make some of these maybeendations have -- they are not obligatory, but more mandatory basis presumably hashe fda sees the device
not considered these things and may not approve it for sale. >> i will be honest. the nuances of the fda's approach are more than i know. i will say to the degree that is true, that is a reasonable case to make. the fda has a mandate to make sure medical devices are safe. what they of eventually said is tell us about the approach you have taken to understand the risk that you have in these devices and security risks and what you have done to mitigate them. it is extremely light touch. we don't know yet. i don't think anybody knows how that will play out in practice. i think it is a very good way of giving direction, creating a north stars of the device makers know which direction of any to be heading and then letting them identify the best way to do it from the markets they are in and the risks they face. >> i will soon be opening up to the audience for questions and also online.
question starting with -- we are hearing a lot about companies that offer security. it is not what you folks are doing. the companies are coming in to fix things after there is a problem. we hear that everybody is going to suffer incursion and it is going to be a matter of it containing the incursion was it occurs. it is not going to be perfect cyber security. the kinds of things we are talking about, the design and -- architecture, how much is that incursion problem can we take off from that? is that going to go away? no security is ever perfect but how much of the problem we are bying now can we take off building in some of these things from the get-go? anyone want to take that? >> i will jump in. it was like angela may have
some. look atnytime you intrusion towards a company or government, it starts with a vulnerability on a piece of software that faces the outside world, something that could be touched by the internet. whether that is an actual coding flaw or a system that let you -- that let you log in with a different password. that design from ability -- vulnerability. when schumer on the computer to take advantage of another one and game what is called a ministry to privileges which is all-powerful.t th those key steps involve taking advantage of vulnerabilities and how products are designed and incremented. not always. --i think that is actually it is not always the vulnerability.
social engineering is a really effective way to get into an organization. one of the things i'm hesitant about is when people think technology or really any one thing that will cause problems when there is a big human aspect. there are motives that drives people into organizations. it is much harder than the internet. >> that is a very true statement and we cannot forget the human element. i totally agree. >> i can add in -- your question was will be -- will be able -- will we be able to stop these incursions? i think we may be able to minimize some of these but when you go with however many lines of code that are getting and all of updated the humans who are touching these machines, it is going to be impossible to stop the incursions. it is really good that we do
think about the defense and depth, how to engineer protection capabilities into the architecture of our network and then making sure we know how to stop incursions that occur and limit the consequences of them. there are some really interesting work going on in architecting systems where we all know there is no boundary, but there is more work now orund identifying data systems who have similar type of risk and working to manage those that have higher risk with more resources and more attention than some of the others. there is going to be the need to be prior to asian -- prior to prioritize asiaation down. >> i know how to secure a computer completely. you unplug it from the internet and you drop it into the ocean.
things withof the risk management -- we will not get this perfect. it is because we are trying to innovate and do a lot of things. the internet could be increasingly be scary but it is also becoming powerful in terms of what we can do. it is important to think about the balance of making sure that we can continue to innovate as well as continuing to secure it. i agree, there will never be an absolute. >> i agree it is not going to be absolute. there are a couple of easy steps we can do to minimize the human factor of it. in facebook, we have a month -long activity. if you reported attack against you, you get a cool t-shirt and public recognition. over half of the company joins
an internal discussion group about security matters and participate in it which could be painful. in august, we get these reports -- there is this e-mail that was really well-crafted. that is not us, that is an attack. getting people engaged about security and feeling like they are empowered to make secure decisions and if they are doing their job there are can's -- security issues they should be considering and we should focus on that as well. >> i think that is totally awesome. october is national security cyber awareness month and that is a really innovative way to make it very relevant for your entire organization. what i would ask everyone in the room or who was watching or listening online is is your organization taking the same approach? do not send an e-mail to let people know to watch out for attacks and have a long password. really say what we can do to make it important and address
the human element that is always going to be a part of the problem. >> on the notion of hacktober, of a like to turn it out to the audience. there is a question. please state your name and affiliation and off to the races. >> i and with booz allen. you talked about the human element, how do you read a user base that is security aware? users are some of the best testers. how do you go about that with your various organizations? >> we do try to provide ways for people to raise awareness about security and learn about these things. we are a browser so that means
we have a whole spectrum of users. some who cannot read and still using the internet. i think a very conservative approach is hell effective education can be for users. we like to have as much secure education as possible. -- try tothink it is be opinionated when it comes to security. something called safe browsing which is technology in chrome but also available for other browsers. it is backed by google. looking at the entire search engine, seat which search pages are malicious pages. if a user tries to navigate to that -- if they were to loade it, it is really an evil site. we can tell that and not let the user navigate to that. we show warnings.
resources to describe what it is, but i think we try to make the software to just make it so people don't encounter those threats. >> maybe too bad to that point -- -- maybe to add to that point -- technology companies are really starting to fine tune the kind of information that we are providing to users to help them make more informed decisions. one of the classic examples that used to occur in ie was a pop up window would come up and say this may be in unsafe site. awesome. i don't know anything additional from that than i knew before i browse to that site. we work to do similar things like providing users information that enable them to make better choices. a little bit on the internal is thinking about what incentivizes
folks to do security. i talked a little bit about how you reach the development practices into the actual developers tools. what we need to look at is how you compensate employees who have different functions inside of the overall development lifecycle. you don't want to have folks who are focused on review to be compensated lower those that are doing development. i'm going back many, many years at this point so it is really thinking about what other incentive structures to drive human behavior to improve security. >> the question in the back. as the framework starts to make available standards for cyber security and critical infrastructure which has a lot of embedded systems, i'm curious to ask what should be our expectations over time and investment in upgrading a lot of
the legacy operating systems that are indebted in power plants, pipelines and other infrastructure? how can we use lifecycle management to improve the cyber security of essentially an embedded set of operating systems associated with critical infrastructure? at criticalok infrastructure like power plants or dams or water treatment facilities, they have expensive equipment that historically was never intended to be connected, reachable via the internet. install a upgrade or patch because it is supposed to be running all the time and you cannot break it. this is incredibly difficult. we start with a really tough legacy base of this equipment that is often connected to the internet, but like i said, was never intended to be. -- of the things that raises there are actually two things.
what are the protections you put into place even as this equipment that you can no longer add security to continues to run? the other is you build up of the security so as you do those upgrades, you start off with more secure claimant in the first place. i think it is a most taken to which is you can have the best software development approach in the nation, in the world and you will still have vulnerabilities and design flaws that have nothing to do with implementation for ability but your user interface fuse -- confuses people on they make the wrong decisions. you have to have an ability to issue patches. for all of these organizations that are building out of the internet of things, building the systems for critical infrastructure has that life a cycle. how do you patch it over time?
you asked how do we -- what is that market looking like? what are those companies going to do and the answer is they will do what the business compels them to do which is due upgrade their legacy systems over time. on biggest concern is how do we make it that when they install new systems, i cannot solve the ones that were built 20 years ago, but we can do will be can so it starts off secure. >> that is an excellent point. chrome had a huge advantage. but security is important for browsers. one of the distinguishing things excitingn't seem very which is security but is our number one -- what makes me excited about security is that chrome does updates because it is true. there will always be flaws. we have the advantage because we
can roll updates out to people without them having to elect into it. i get annoyed with updates as well. i don't always want to install security updates because that means i have to stop what i am doing or reboot my machine. one of the things i hope would in operating devices is that updates can be rolled out without users having to opt into them. >> may be just one other thing that has not been mentioned is when the folks who are building ips systems, we build a lot with these vendors to talk about the secure development practices of that organization has learned. as you start to architect the systems, you can use virtual machines to be able to manage the availability requirements of critical inter-fractures -- infrastructures and sue do updates -- and still do updates.
we would like to continue to see the automatic updates. what we've experienced in the corporate environment is that people want to do testing of patches themselves to understand , particularly in these high-availability systems, if things might break. you need to make sure you have the right model in updating a think about the innovations that are occurring that can allow systems to update when they have high-availability requirements. >> from the online community, paul had a question that ties into this. to paraphrase -- why do companies take building cyber security? is a market comparative? is it out of the goodness of your heart? toit is a market imperative, those things also apply in a situation like the power grid where it is a utility and may not be the same kind of market forces at work.
>> i am from google and a lot of users entrust us with their data. if we lose their trust, we no longer exist. it is from day one. if people don't trust google with their data, we have no business. it is imperative to our business. >> i would be very surprised if he didn't hear anybody it was a market imperative. andtrust of our customers the continuity of them trusting us to continue towards our business requires us to address security, privacy, reliability. all of those component factors of trust. in addition, the second part of your question was due the market dynamics exist another's sectors. that is an area where you see some variation both between sectors and among subsectors
about what the market dynamics are. it is one of the areas where think the executive order from the administration has worked to provide a baseline of what a reasonable approach to cyber security risk management could be through the cyber security framework and then provided the ecosystem and incentives to see how they can a fact the market dynamic to drive adoption of better practices. and pulling as it question from before -- talk about the power grid or other parts of the economy that are utilities. hearing from a lot of these companies that this is expensive and they need to cover these expenses. before they can really go back and represent legacy systems. >> that goes to the point i was going to raise. one of them is it is expensive.
there was a degree we have been realizing the benefit of the i.t. resolution -- revolution and the risk is catching up with us. absolutely, security does not come for free and that is a challenge. speak to youro state level regulator about how to make rate increases. theher interesting thing is companies here feel the market imperative. aspect whichther the market can respond because the market gets fairly ready evidence to whether or not the products are secure. there is a feedback cycle. for products that in the visuals do not interact with at the level these products, whether it is a control system that controls your power grid, the feedback mechanism is much less clear. one of the areas we do a lot of research is if you are a power
plant it want to buy a secure system, how do you ascertain which one is secure? it is not an easy question. aw do you as a consumer, power plant buyer of a system know which system is more secure? a lot of work to needs to be done on this. here in then right second row, in the middle. >> one of the things you mentioned was the balancing the security versus vulnerability. the pop-upsta, notification shows what can happen if you have the settings to high on security. what have these three platforms --windows, facebook, chrome taken to be that balance between security and vulnerability? security means
usability. -- oftenonsider them times, the solutions that are proposed to improve the security of a system have a usability trade-off but i don't think that is the case. they should have both. in terms of what is chrome doing, we have a chrome security team. about 25 people that are completely dedicated to making chrome secure. everybody has to think about it. product to be fast, everybody has to think about it. we have experts on the problem. some of my engineers are very interested in the technical architecture piece of it and there are five people dedicated to the user experience and thinking about what we are showing to the user. their backgrounds are completely different -- computer science and that crownic
andsychology and design -- a background in psychology and design. >> that is exactly right. a lot of our problems are that we actually don't always understand why users feel they have not had a secure experience. manyied to codify how people a reported they had a poor experience versus how many people we can identify who had access inappropriately. we actually reached out. we asked users why they had a bad experiences. people don't always have the same mental model. patch -- address or people need to understand what that means. we have molded our products where people are having a bad experience, we will say are you worried about the security of your facebook account, you can
authenticate. usability is a part of security because it is not just about technical policy, you have the good 1.3 billion people to use it in a secure fashion. >> echoing the comments -- you actually highlighted what i think has todd a lot of industry -- has taught a lot of industry. the usability was affected. much like these companies of that said those are integrated functions now where you are bringing together from across different souls gets -- skill sets. it is on the technical folks who need to be involved. it has to do with the humanity side. you have to bring a lot of creativity into the security discussion because the folks who are militias are pretty darn creative so we need to have that combination of the engineering
mindset of being structured and process oriented and the creativity to help innovate. >> other questions? right here on the front row. >> there is an interesting te partnership.are to shi it has segments on power, water and transportation. it is interesting for sharing information in both directions. from the fbi on risk analysis. it is embedded community so people have to be approved. if the companies are working with instaguard in both directions about risks are known? >> i am not familiar with that organization. i am not sure.
>> i am not aware of the specifics of the organizations but i know we coordinate people across to share the data and intelligence. there is a lot of cooperation between companies as we work better together. >> a lot of collaboration between people who compete in the marketplace. we will collaborate on security because your yours are -- your user experience is not defined by one process. member and the experience of bringing the local chapters of bringing together expertise has been very effective. one of things when we start going down the discussion of how to share information in order to enable cyber risk management is there are often times the information sharing and analysis. is that the guard model? is it something we just talked about where there is a
collaboration among industry. i would say in the information sharing problem set, it is important there is no one model. i think you have to think about how to bring together communities who have similar experiences, but also have the ability to act on the information to help manage risk. in some cases, that may be a steady-state organization that meets on a monthly basis. on other cases, it could be a dynamic system. we can start to address the issue. is not necessarily one model or the other but a combination of those. >> just a follow-up on the havemation sharing, we seen congress share information sharing legislation. they passed the bill a couple of times.
it would provide liability protection for companies that share information among themselves. for anybody on the panel, is this something that your company's support? andy, from the administration they try to veto it because of didn't think he provided enough protection for privacy. do we see that changing anytime soon or what has to happen to have that change? >> rather than speaking about and all single piece of legislation because that could be very contentious and down to individual lines and individual words -- what i would say is microsoft remains committed to advancing information sharing and does see a role for government in helping to do that. when you get down into specific bills, there are a lot of contentious issues so i will not get into the specifics but i will add that one of the challenges that has been
increased his government has several roles that it takes in cyber security. government is a user of computer systems. they are protectors of national security and public safety. they are also exploiters of technology around the world. that complexity has made the information sharing confirmation -- conversation much more difficult and has gotten muddied. what we want to do to help exchange information to manage risk has been gotten caught in the other issues that are around intelligence collection methods. it is really important that we are clear about information exchange to manage risk. that is a separate set of activities than the information that goes on in the law enforcement and intelligence community. from the administration perspective, we a believe there is a need for information sharing legislation to encourage and provide comfort for
industries and sharing information to the government and each other which is incredibly important. our general philosophy is any information sharing legislation has to be done that keeps privacy and civil liberties. if it offers protection, that needs to be narrowly targeted so we don't incentivize anything than the other exact behaviors. taking a step back from the legislative debate, the debate is really about how do we lower the potential risk that a company faces when they share information? goals at the department of homeland security is to make sure the company reaches the benefit of information. downside is in the hands of congress but rather than wait for congress, i am focusing on potential upside. here are the benefits you get for sharing information with the government and with each other. the kind of information we are talking about is if you see this
file, this file is a virus, do not let it infect your computer. work this is a vulnerability you need to know about an patcher computer. this is the kind of information we are talking about. >> other questions? in the back, please. >> andy, there is a dhs program that has been around called the build security. what is theis impact of the program been and how might it help in the future? i'm wondering if the industry has been involved in that. --i was try to figure out trying to figure out that sales pitch. thank you. the department of homeland
security has a larger effort called the software effort. we also have efforts in the science and technology organizations. all of which are designed in science and technology -- doing the rnd that helps us understand to build security in the first place. it is about taking industry and the expert to a been doing really strong software assurance meaning building software that does what we wanted to do and nothing else. spreading those lessons around the community. one of the challenges in this field is we learned a lot of these lessons in the 90 70's -- 1970's. a lot of the lessons we learned about doing this stuff securely fell by the wayside. there was a huge core of historical knowledge that we are supplementing with experts in the field today and we are bringing it together in this software assurance forum.
if you are out there and want to participate -- it is a great way to talk to other experts in the field, find out what the best practices are and how you can make your software more secure. sales pitch over. thank you. >> we have a question from our online audience which basically says the companies represented on the panel are all large players. there are problems throughout the infrastructure. what is the role of larger companies in helping smaller companies improve their cyber security? what about the smaller companies? >> one approach that google takes is, in addition to a web application and browser and our products, we also have a platform. it is appropriate for some small businesses or small organizations that want to actually have a large part of what they need to operate.
the outsourced to google who has the resources. we have like 400 people working exclusively full-time on security and privacy, a large infrastructure that supports our own business needs. it can be appropriate for some customers that actually want to have the hosting of their business be taking care of why a cloud provider. google offers that. i think we also offer other tools outside of just being the main platform for hosting. webmaster tools is one example where web developers can as testinge them tools that google uses internally to detect flaws and address them. i do think we try to contribute an address that problem and not just assumed that what works for for everyg to work sized company or organization. >> one of the big things we do is open source.
a lot of the hard security problems we have encountered, we have built solutions for and try to import them out into the community so that other small companies don't have to reinvent the wheel. we have been really active about that as well as posting security meet up groups and various tech talks, bringing other people together to talk about this. >> i talked a little bit earlier about the secure development lifecycle and this challenge about what can be done inside a large organization versus a smaller organization is one of the things we have done a lot of thinking about. we have created a simplified sdl that is available and can be used not only by i.t. companies but also by other companies who are doing in-house app development. one of the key examples i like to mention is there is a case study out where one of the -- an electric power company leveraged to simplify the process and they were able to demonstrate the
lifecycle cost of that system was lower by engineering security upfront in a response system. the name is eluding me right now but if you look up simplified spl you will find that information. one thing that is important is whether it is in the cloud platform or development tool, we work to enable those security features and functionality for others. taken those lessons learned from coding ourselves and put it into the skill set. the last piece is the policies. i have talked a little bit about technology and policies. challengese on the that pose policymakers, we want people to be building on top of windows, on top of our cloud-based platform. we have to think about the
innovators experience. we have resources to engage in major capitals around the world on the set of issues. we also work to make sure if we are advising on policy, it is not only something that will be working for the large companies, but it will continue to enable innovation in this industry and innovation in other industries. >> going back -- that was a heck of a page turner and i am looking forward to the movie. >> andy, on the government side, trying to raise the level of cyber security in smaller firms. it seems to be a challenge because there is not awareness among larger players even though some of the things that dhs is doing. what can the government do to help because a vulnerability in one player could spread out? >> we have to separate it.
are the smaller firms building security into those things and what are smaller firm rings using in the environment securely? we see the huge challenge for small firms. we did a request for information in february which is the government's way of having a conversation with industry about how we can help small businesses. it did not getting lot of clear answers. this is a problem that everybody is struggling with. if you are small company and time toovative startup, market is everything for you and you committee postponed some of the security risks. some of those don't seem important because you have others. you may run out of pizza tomorrow. i don't think anybody has cracked the code. we are partnering with the small business administration to reach out the small businesses and he will be can offer to help them. stay to because there are not answers yet.
>> other questions from the audience? >> people have brought up trust which is a very relevant piece. people talk about the trust on the useren end. as i.t. professionals, we have trust in things like protocols. there are some significant challenges. one of the unspoken things from heart bleed was the significant risk authorities. -- i would level of love to hear some thoughts and ideas on what is going on at that level of those fundamental things that is something the big dogs can do that is relevant to all of you. >> anybody? >> i like the model of trust. we build protocols and we assess
them. i cannot trust there are no vulnerabilities in any of these protocols that build internet and that is why we build extra in places to give us an anecdote for chrome. the certificate exchange is an important part of that. the certificate ecosystem has shown flaws. aat is why we have built system that goes one step further. you might expect you can trust the certificate that has been issued i one of these trusted authorities. sometimes ahat certificate authority is compromised and end up issuing certificates to the bad guys. we actually do extra checks and it shows -- and let us to detecting gmail users that were being targeted in parts of the country. -- the specific example.
as an engineer, as somebody who started her career finding bugs, trust very little. i assume there are bugs. i suspect they are there and try to think about a way of defense. cannote that somebody change the bugs and a trip on something. >> certificates are a great example -- chrome providing us additional security. open andof using implementation, we have seen across the industry of additional research and minimizing the threat areas. of opek a model of ho implementation is goodn.
--the identity echo system in ecosystem is a place where there is a great opportunity for adoption of existing practices and enhancements of how to use those to manage across the ecosystem. one of the things is hardware-based trust. people tend to think about identities as humans. identitylking about associated with a piece of data, and application or operating system. what is the identity associated with that hardware and how can you actually combine those elements of trust to kind of get the user experience, a trusted system and a trusted experience from potentially hardware we don't necessarily trust all the components. >> i think that will be the last. so please a reception stay and among yourselves.
thank you for the online audience and thank you to the panelists. [applause] >> live at 7 a.m. at your calls and comments on washington journal. here are just a few of the comments we have recently received from our viewers. execute on not air all of president obama's talks. when he was at the congressional black talk is, i do not remember seeing that on the c-span stations. but i saw the hispanic one. but i did not see president obama. hey of his outings, where goes round and makes speeches and talks to people, you do not
show them. screen all of those dull, lifeless hearings that nobody wants to see. i do not know what is the difference in that. -- >> i appreciate really appreciate c-span. it is a great source of information, and i am frustrated ,hat our representatives especially those in the republican party who sit there and say this is a christian nation, this nation was founded on slavery. stealing land from native americans. i wish some of the hosts on howan would at least say native americans, blacks, and women feel about the views of the founding fathers who started it. we all know it did not work out well for minorities. calloutlike for c-span2
some of the representatives on this basic lighting keeps getting passed around. is ignoringspan giving the background of some of their speakers. stipulated an attack on the koch brothers. that the source was a major component of miranda.org. no fair. i want more people giving background. i do not care if they are republican, democrat, liberal, or conservative. everybody must give their background into his financing them. continue to let us know how you feel. e-mail, or send us a tweet at c-span a #comments. like us on facebook and follow
us on twitter. on wednesday, we will discuss online voting technology and its potential use in the putting process. taking part is rhode island congressman. this is almost two hours. >> i want to welcome those of you who are watching this online or through our tv audience. we encourage you to join a discussion using the #acevote. in the world of connected power, ubiquitous connectivity come
almost every task can be executed online, the fact that the vast majority of elections are held, online voting and e-voting has the unproven potential to make -distance voting easier, cut costs, and improve voter turnout for younger generations. it takes time, effort, e-voting benefit in terms of reach, access, and participation have the power to revolutionize the democratic process around the world. indeed several countries, many of whom are in our audience with us today, have implemented successful e-voting already, brazil, estonia, switzerland, so we here at the atlantic council are delighted that this report is the outcome of effective top partnership between our cyber
statecraft initiative and international security, the partnership they have formed with mcafee. we undertook a separate in part because of the practical results-oriented approach of our cyber team led to our expert jason healey, but it also affects the atlantic council into nonpartisan work. this is a bipartisan issue with both sides aiming to create a cost-effective, efficient, secure, and trustworthy voting platform. it is also timely as we head into the home stretch of midterm elections next month and we face the beginnings of what is already unfolding at the presidential election two years out. as we enter the season, the council is intent on working hard to help us hit a broader public debate on the role of the united states and the world and a critical ingredient to this debate is the extent to which our own public engages in the discussion, especially through voting, so this report makes