Skip to main content

tv   Admiral Mike Rogers on Cyber Security  CSPAN  November 1, 2014 10:00am-11:01am EDT

10:00 am
from 8:5 to 9:40, we will be to talky two guests about voter targeting, how campaigns are reaching out specifically to voters in these last couple of days. michael beach of targeted , and jimcofounder walsh. plus, we'll look at late information of the races, what is going on, and the papers as journal""washington continues tomorrow morning at 7:00 a.m. we'll see you then. [captions copyright national cable satellite corp. 2014] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org] some of thisnext,
10:01 am
year's cyber security summit hosted by the u.s. chamber of commerce. campaign 2014 debate coverage continues with the race in new hampshire's second congressional district between democratic incumbent and the republican challenger. that is followed by the race in new york's 24th congressional the democratic incumbent is running for a third term against republican challenger. camhe 2015 c-span student video competition is underway, open to all middle and high school students to create a five seven-minute documentary on the theme "the three branches and you." there is 200 cash prizes for students and teachers totaling $100,000. for the list of rules and how to get started, go to
10:02 am
studentcam.org. >> the u.s. chamber of commerce recently held its third annual cyber security summit in washington, d.c. the event included remarks and a ,&a with the nsa director admiral mike rogers did he spoke about information sharing and efforts to encourage public-private partnerships to combat cyber security threats. this is an hour. >> thank you very much. i want to start by thanking you and the chamber. your proactive leadership on this topic, i think, is second to none and i think you are doing a great service for the global community. what i want to do is very briefly provide a private sector view on the environment -- the importance of information sharing and the obstacles we face and a call to action before introducing admiral rogers. let me start with something everybody well understands. the range of attacks we have experienced in the private sector is really unprecedented
10:03 am
and getting worse by the day. the volume and sophistication of attacks is only showing signs of acceleration. every published success simply encourages new entrance and bolder moves. threat actors from social activists, cyber criminals with a range of objectives from disruption, intellectual property theft, financial crime and destructive intent. cyber criminal activities in particular have simply exploded. while one at a time, the impacted individuals, companies collectively represent potential threats to the country if they continue to build the way they are building and if they become more orchestrated. imagine the top 10 retailers attacked at the same moment. the top 10 financial service companies attacked at the same
10:04 am
moment and the impact on the confidence in our economy. especially, if the capabilities that today are pointed towards financial criminal activities start to turn towards a destructive intent. it is a very sobering concern for us. now, we each in the private sector have a range of capabilities in terms of cyber protection and continue to invest. we probably spend more than $2 billion in the u.s. across the financial sector in cyber defenses from protecting the perimeter to protecting data loss, insider threats. we continue to invest in our capabilities, but i would like to use the analogy. think of the company as a fort. we have to know when we are under attack. at the same time, it is incredibly valuable to know when a neighbor's forte is under attack or when the adversaries are marshaling their forces in a forest getting ready to attack.
10:05 am
when they are back in the home country, building weaponry to attack the fort. my view, probably the best control that any company can have is transparency around what is happening around us with our sector and with the government. said another way, i believe the lowest-cost, highest value control is information sharing. it has the best roi of any investment anybody can make in the system of cyberprotection. one companies detective moment can become an entire sectors defense or cross sector defense. further, no one entity can stand alone. not a single business, sector, law enforcement, intelligence community. each brings added insight. i believe the whole is greater than the sum of its parts and that is to protect individuals,
10:06 am
businesses. customers, business, law enforcement, intelligence, homeland security working together to protect our customers' interest, business interest, critical national infrastructure and the country. further, while i do believe information sharing is in the best interest for each of us in our businesses, i also believe that we have a moral obligation as socially responsible enterprises to share and not to consider our cyber insights as a source of competitive advantage that some companies look at that way. effectively sharing cyber information actually is not easy at all. there is a fair amount of information that does get shared. there is information sharing, but it is slow, relationship and trust-based, very variable within and across industries or the government and there are
10:07 am
a range of obstacles. the first obstacle for the private sector is that we are simply in many cases unable to share cyber information due to potential legal liabilities that may occur. you think about what if somebody acts on information that we have shared, we share in good faith but by acting, they cost some harm? on the flipside, if we share information but a good faith of companies don't act on that information because they have a basis for not acting, the liability in both instances is so substantial form and risk perspective that it completely stands in the way of information sharing. second, there are too many vehicles for information sharing. it is variable, well intended, a bit chaotic and hardly complete. the ncfta, cifct, the physics, fusion centers. company to company, fbi,
10:08 am
treasury, homeland security, secret service. all of those occur in some moment or another. there well intended, very appreciated from the private sector, but sometimes they are conflicting, sometimes very inconsistent in him was information sharing happens real time. the third obstacle i would say from the private sector perspective is the government over classifies. what a shared at the secret level is very rarely actionable. not enough private sector employees have clearances above the secret level where more of the actual information resides. i compare and contrast what we get in open-source intelligence. thinking about the last two days. yesterday, you would've seen some information about a new watering hole attack that has been out there called scan box. we get what are indicators of compromises which we can act on. last night, detail was released on an open-source context about
10:09 am
a new purported chinese apt attack called axiom. what comes with the open source is actionable intelligence, things we can do something about which is not relevant. i will close with a call to action. on the private sector -- for those of you from the private sector, support legislation that is out there on information sharing. i would support either of the two bills that are out there. they're opening up the volume and the capability of sharing. it is the highest roi opportunity in the system of cyber defense. i would call out to things. there should be liability protection both for acting and not acting. the second thing i would say is
10:10 am
information can and will be anonymized. there is a reason not to anonymize. we could address privacy concerns very effectively. for the private sector, if you re not in one of the isac's, if you are not in one, you should join one. if you are in one, you should be very active. there is a very uneven level of contribution in terms of information sharing. we need your insight. i would cal on you to do the same. for the public sector, call to action for my perspective is pass the information sharing legislation. also, we need a better process to get private sector clearances either above secret or to make sure intelligence is more actionable at the secret level. what we really need is a systematized construct for how information is shared. frequency, format, actionable substance and close to real-time as we can make it. coordinators across intelligence agencies and the private sector. that is a view from the private
10:11 am
sector. it is now my privilege to introduce admiral rogers. in april of this year, admiral rogers assumed the post of director of cyber command and chief of central security service. you have his biography in your package but he served as commander of the u.s. fleet cyber command and the navy's u.s. 10th fleet. since becoming a flag officer in 2007, he has served as the director of intelligence for both the joint chiefs of staff and u.s. pacific command. with over 30 years of service, he has extensive experience in the intelligence gathering, computer network defense and information warfare. i've shared this with the admiral as he was coming in. i actually met him in 2012 very briefly at a cyber security conference at west point. the theme of the conference was actually public-private collaboration and the role of the sector in defense of the
10:12 am
nation. my impression of the vice admiral was we set next to each other for maybe 30 or 45 minutes the morning of that event. i thought back on the experience to try to convey the sense that i took away from that short moment. i will tell you is this -- having not had at that time a lot of private sector experience, he was very inquisitive about the private sector. he asked a lot of questions. he was a very active listener. he seemed to have an appetite to learn about the challenges based in the private sector and to contemplate the opportunities for collaboration. he also conveyed purpose, sense of purpose, belief in his mission and a clam sense of command. what was interesting as i reflected is what came away for me in that moment which i think would be reinforced from what you will hear today is the
10:13 am
admiral is very committed to public-tried partnerships and is a very strong advocate of information sharing and partnering with the private sector. please join me in welcoming admiral mike rogers. [applause] >> good afternoon. how is everybody today? i apologize that i will speak what you're eating but please keep eating. you have about 50 minutes or so. i will speak for about 15 minutes and give a few thoughts from my perspective. i really interested in an exchange with all of you because i am curious as to the perspective that you bring to this issue. why is admiral rogers talking to the chamber of commerce? and to the private sector about the idea of cyber security?
10:14 am
because as you heard from mark, one of my takeaways in the 10 years or so i have been involved in cyber is that cyber is the ultimate team sport. if we are going to make this work, it is about creating a true integrated team and a set of partnerships that will make this a reality. that there is no one single technology that will enable us to give and see percent security of our systems. there is no single entity that has all the answers. nor is there one single group or entity capable of executing the solutions that we need to do. it takes all of us working together. before i get into what i think we need to do to work together, let me start out by thanking the chamber very much both for your kind invitation today but more importantly, for the dialogue that over time you have been a part of in helping to facilitate.
10:15 am
this is all about trying to talk to each other about how we can figure a way ahead here. mark, thank you very much for your kind words. more importantly to me, as a senior business leader, i want to thank you for your openness. for your sense that cyber security is a direct impact and concern to the leadership of corporations. i will tell you -- it doesn't matter if it is a military command within the department of defense, whether it is a private company i am talking to, i can tell which organizations have leadership buy in in which those that don't. if you don't have leadership, you are fighting with one hand behind your back. all of you here today with us who play a role of leadership within the business community or in the government, i thank you for your willingness to spend some time in your busy lives on this important topic because as leaders, it is up to us to help drive the change that i think we need.
10:16 am
this is much less about technology to me and much more about changing our culture. traditionally, in our nation, we have tended to view the private sector in one arena. the government and another. and the whole question of national security as something that is apart from that. my argument would be the line between those three groups and viewpoints. i view the cyber security challenges we are facing as a nation as a national security issue for us. how where we as a nation going to addressing the challenge that is not going to go away? if we think this is a short-term phenomena either of short duration or of relatively minor impact over time, i would argue we have missed the boat. i see this both extending for a significant period of time and
10:17 am
it will have greater and greater impact on us both within a corporate sector, within the public sector. as u.s. cyber command, one or our jobs is to defend the department's networks -- dod. we are dealing with the same challenges. every day, there are individuals, groups and nationstates attempting to penetrate our dod networks. it is the same thing we are seeing in the corporate world. you may ask yourself what is it admiral doing talking to us? i come here wearing two different hats both related and both applicable to this idea of separate security. the first as commander, we have three missions which is applicable. the first mission is to defend the department networks. the second mission is to generate the cyber mission called the cyber team that the department will use to execute its missions over time.
10:18 am
the third one and the one that really brings me here today is if directed by the president or secretary, u.s. cyber command is tasked with providing protection and support to attack against critical u.s. infrastructure. i have to be ready if i get an order of how we will partner with our teammates because if there was one thing you learned in the military, you do not wait until the day of the crisis to say to yourself i guess we better do some training with each other or i guess we better understand what our partners need and what they don't need and what is effective for them and not. we are in the midst of working collaboratively with the department of homeland security, fbi teammates, ourselves, other elements of the government depending on the sector. we are in the process of partnering on how we are going to work through the details of how we are going to exercise and train with each other so that when we are in the middle of the crisis, we can really make this work in real time.
10:19 am
the second hat i wear -- the national security agency, which has gotten the most attention over the last 18 months or so, has two primary missions. we talked a lot about one of those missions -- the foreign intelligence mission. nsa uses its foreign intelligence capabilities to attempt to understand what nationstates, groups, individuals are doing in the cyber arena against the united states. the other mission that nsa has is information assurance. nsa is tasked of the the information assurance mission not only defending the department of defense systems as well is helping to develop the standards for systems. we do it with the federal government and increasingly, we find ourselves called on by our dhs and fbi teammates to provide capabilities to support the private sector. that is not going to slow down. that will increase.
10:20 am
you can pick up a newspaper, you can get on your favorite website, you can blog on whatever particular interest -- you can go to whatever media outlet that you find is the best source. every day, you will find something about a major cyber incident. this is not a short-term phenomena. later today, you'll hear from senators feinstein and chambliss. i think the role they are playing is attempting to generate legislation to help the private sector deal with the very real and legitimate concern about legal liability. that is critical for us. because if we don't help address that very legitimate concern that i think for many of you, many of you in the private sector that is a real challenge for you, for timely information sharing. as the director of the fbi, in a private life, he was general counsel of the largest brokerage firm in the united states.
10:21 am
i will often ask him -- when you were a lawyer, what was your recommendation? what advice were you giving? he doesn't hide the fact that he would oh is tell them to be very mindful about the liability. that you have to be very careful and if you're not, potentially, the corporation is going to be setting themselves up for major financial liabilities and potentially impact on market share and business and the image. we have got to help address those concerns. what we have to get to is a real-time, automated interface. we need to define in advance what information we are going to share. i do not want privacy information in this because it
10:22 am
creates challenges for me. under the law, anytime as are dealing with privacy information for u.s. citizens, i have very specific restrictions on what i can or cannot do. my input to this is we do not want privacy information here. that will slow us down. that is not what the focus of cyber security is. what we need to share with each other is i need to be a low provide from the government standpoint, what i ought to be able to provide is actionable information that you can use, that gives you insight as to what is the malware you are going to see, how will it come out you, what are the indicators you should be looking for in advance that will suggest to you that activity of concern is coming? i ought to help you identify who is coming after you. what i need from all of you is i am not in your system nor do you want us there.
10:23 am
i want to understand what the malware you are seeing. what have you done with your system configurations that have worked and what did not work? what did you anticipate, what did you not? collectively between us, we need to share this across the entire sector because as you heard mark say which i agree with, the inside of one could translate to the defense of many. that is a great value for us as a nation and we need to come up with a system that enables us to do this in a real-time way. the only way to do that in my mind is the legislation you will talk about later today as well as sitting down in a partnership and walking through exactly what elements of information are you comfortable with sharing. what do you feel you need from us, the government, and likewise i would like to have the same conversation with you. here are the elements of conversation that would help us and here is what we are comfortable with sharing.
10:24 am
i have got to do this in a way that you can actually use it. that is not going to help anybody. we will be working our way to that process. the key to it will be dialogue. the sector construct that has been developed over time is very powerful. if you are not engaged than the sector construct whatever area of business you are in -- i would urge you to consider doing that. that helps us because we have a framework within a particular sector that we can deal with. we have tried at times to simultaneously work across sectors. that has proven to be complicated. some sectors would not apply it to themselves or they are not interested in that and that is not how we are constructed.
10:25 am
the sector piece has been very powerful. i think one of the things we need to do as a government is simplify this. i am constantly telling my peers at the senior levels that we have created a structure that is so complex that if you are outside the government, it is incredibly cumbersome and difficult to understand. if we are honest with ourselves. that is not because people are not working hard and not because they are not motivated to do the right thing. it is because we have tended to do this incrementally over time. i think we need to fundamentally look at how we structure the government side in a comprehensive way that makes it easier for you. at the same time, makes it easier for us because many times right now, this information sharing is based on personal relationships, personal knowledge, limited awareness.
10:26 am
i know this but i don't know what else is out there. that is true for all of us. we have got to try to simplify that. that is one of the areas we will be working on. with that, i really want -- i tend to use questions as a way to make some broader points. i am much more interested on what is on your mind. if you are ready, ms. ann. >> we have collected some questions earlier. >> can i steal one of the waters? >> absolutely. there you go, sir. we collected questions from the audience earlier. we will go to the audience as well. get your questions ready. we have microphones that will come to you. if you could just identify yourself and what company you are with before you ask your question, that will be great. one of the things we have been talking a lot about is how do we
10:27 am
punish those bad actors that are stealing companies' it. some companies are becoming more vocal of the need to actively defend themselves against cyber attacks in the absence of private support. is this something they should view or exclusively the responsibility of the government? >> we have a legal framework. we have seen five individuals from in nationstate being indicted. we have a legal framework for how we as a nation address criminal activity. i often get asked this question about cyber mercenaries. should we go out as a private sector and hire individuals to conduct with the military calls offensive operations to try to stop through the use of tools nationstates, groups, or individuals from conducting these attacks against us? again, that is something that is a broader policy issue so we
10:28 am
will work our way through it. be very careful about going down that road. you can potentially open up a whole new range of complications. think about the legal implications. i will be the first to admit i am not the smartest one about it. i will urge you to be very careful about going down that road. >> how about attribution to the so-called bad actors? >> that is when this partnership becomes very powerful because that information sharing between us about what is the attribution? based on our confidence and knowledge of that, is there options that is available to us? information sharing, increased knowledge gives us a greater option to consider. >> talking about definitions. we have the different domains.
10:29 am
one of the questions was does the defense department have a definition for what constitutes use of force in cyberspace and will that definition be the same for activities in cyberspace and those for other nations as well? >> we have a legal definition under the law of armed conflict and the law of warfare as to what is a military act if you will. we are working our way through a policy debate about what is the extension of those rules to the cyber arena. we have definitions for what is offensive versus what is defensive response actions. the broader issue is as a society where try to come to grips with we feel this activity directed against corporate networks, governmental networks, private individuals. what is the right response? i think the broader issue is what is the right response to this?
10:30 am
what i hope we can develop over time is a set of norms and rules that get us into an area where we have a much better definition of what is acceptable and not and even the idea of deterrence. right now, if you are a nationstate, a group, an individual, my assessment is that most come to the conclusion that it is incredibly low risk that there is little price to pay for the actions they are taking. i am not saying i agree with that but i believe that most look at it and in light of that feel they can be pretty aggressive. that is not in our best interest in the long term as a nation for others to have that perception. we need to try to change that over time. >> one more. if you have a question, please raise your hand and we will bring a microphone to you. we have one right here.
10:31 am
tom from eei. can somebody bring him a microphone? i will ask mine first then. one of the things we were talking about this morning was the chinese issue and russia as well. it was mcafee that conducted a survey of cyber experts around the world. they asked americans who do you fear most and american said the chinese. every other country said americans. what are your thoughts on that? >> what we are clearly articulated as a nation like every nation in the world, we use a broad range of tools to better understand. the biggest issue we have raised is in the cyber arena, we don't use the power of the nationstate did you cyber as a tool to gain insight into foreign, private competition to then share with the private sector in the u.s. to gain a competitive advantage.
10:32 am
we do not do that. many other nations in the world do. some publicly acknowledge it, some do not. we have been very vocal with our chinese counterparts. we view this as a concern and behavior that is fundamentally incompatible with the relationship we want with the chinese. we continue to work from a policy perspective. you have seen the legal action we have taken. my only argument would be i certainly understand as an intelligence individual. we are subject to more oversight and rightfully so because it is the way we are structured. we have more oversight congressionally and legally than most of my counterparts around the world. that is not a complaint. that has served us incredibly well because as a nation we want to be comfortable with what we are doing and why we're doing it.
10:33 am
i view that as a strength for us. >> thank you. tom? >> i am tom from the electric power sector and former navy lieutenant. >> i knew that you were a good man. [laughter] ceo-led effort going on with the >> in the electric sector, we have a ceo-led effort going on with the department of energy and the homeland security, with the electric sector coordinating council. we are focusing on tools and technologies and providing some good detection technologies. i think we have a lot of good information sharing going on. hopefully, the technologies will help us get the machine to machine stuff going. on the latter ones, since you are from the military and i think one thing we don't do that well in the private sector is the actual drilling and exercising of the response and recovery plans.
10:34 am
i'm wondering if you might give your thoughts about how we might be able to do that more often. obviously, with the participation of our sister agencies in the government, it is a very important part of that equation. >> first, it reminded me. one of the things i hear in the power sector -- i was down in san antonio talking to merck last week. one of the challenges i think in the power sector and what i often hear from corporate leaders is you need to understand some of the constraints we work on. we are regulated industry. in order for us to generate income to make some of the changes we feel we need to do, we need to go to a regulatory body and make an argument. few of our citizens are interested in increased power rates as a vehicle to generate more money to address cyber
10:35 am
security and our regulatory bodies share this concern. first, my thanks to the power sector for within those constraints try to push this as hard as we can. i have some real concerns in this arena. in terms of the kind of idea about how we can train and practice with each other -- one of the things i have said both internally within the department of defense as well as the private sector, individuals and organizations i deal with, we have got to move from a focus where almost all the resources focus on stopping someone penetrating our networks to an acknowledgment that there is a likelihood that despite our best efforts, we are going to fail and therefore remediation and mitigation starts to become critical. i have had to defend networks against a determined opponent who got inside the network. it is one of the best fights i ever had in my 33 years as a commissioned officer.
10:36 am
it really was each of us trying to anticipate what we are going to do, how they thought we were going to respond, and us driving them away. one of the takeaways i told our team in the department was we have got to learn how to continue to operate a network even if you are fighting to defend it. often times around here, when the answer is just shut down. i am like you have to be kidding me? you know what function does network execute day-to-day? do you know what this does on our ability to execute our mission? i will not take mission failure just by shutting down. that is not the answer in most cases. i think we need to shift to a focus on remediation and mitigation -- how you fight through a network that has been compromised.
10:37 am
one of the things we are trying to do is on a sector by sector basis, how can we look at doing that? one of the things i have said in these exercises, this coordination should not be done at my level. where we generate value is the level where men and women are actually doing their work. that is what we have to get to. it is not myself, cabinet heads, agency heads meeting with ceos. not that that is not a part of it but that is not the level we need to get to. we need to get to an actionable level. i am always looking to the private sector -- how can we help with that and what is the right level for you? i know what that means in the department of defense, the government but i don't know what that means in your structures. i would be curious about what you think, tom. >> what it means is really at all levels because on hurricane response, for example, we are pretty good with response and recovery and have a good resource system program.
10:38 am
companies come to help each other and hurricane sandy, we got together an army of 67,000 people from all around the country. with the help of the military to get that done. at that level, it is important to have that. the other part of it is during a cyber attack, there will be a lot of things happening in terms of coordination at the highest level of the government. in terms of media congressional interest or governors or other folks. there has to be a lot of coordination. they are couple of different tabletops that have to be done. one that would maybe practice coordinating some of those activities as well. >> i apologize if i came across as not embracing that. it is such a multifaceted problem.
10:39 am
they are so many different levels and complexities to this. we have step back and look at this holistically. it is not just a technical piece. i see so many people just want to focus on the technical piece. we had to think much bigger than this. >> following up on that, more of the human component. we were talking about back as 1994, "time" magazine wrote a story about the internet. no one heard about the internet. they put it on their cover and described what it was. when you think about it, all the terms that have come into our vernacular -- twitter, youtube, blogging and tweeting -- what will be the next generation of cyber threats we will face? >> i think the next arena will be the digital handheld device. both because it is exploding in its application and use.
10:40 am
increasingly, whether it is for business, the military, whether it is us as individuals, look at the series of actions and steps you are taking in your everyday life, corporate, government or individual with a mobile, handheld digital device. that increasingly is becoming the norm. that is the area i look to in about 5, 10 years, that is what concerns me. we tend to focus on fixed networks. large, corporate-based -- those aren't going to go away but the handheld digital is the next area of concern. >> the internet of things, the wearables. >> i consider the internet of things part of that. >> question right over here. wait until we bring you a microphone. >> i apologize, i can't see you
10:41 am
so well. >> i hear the lights are pretty bright in your eyes. i am susan morrow. i guess my question, in the energy sector, we don't differentiate between physical threats and cyber threats. we drill with the assumption that they will probably do both at the same time if it is a sophisticated attack. to be frank, the military's response in its own protection seems to be focused on isolation as a tactic for dealing with the idea of the grid going down. i wonder if you could talk to that a little bit. as tempting as isolation is as a strategy for response, it also potentially makes security a lot more difficult if you have individual grids all over the place.
10:42 am
so, i don't know, if you could talk about isolation versus integration. >> isolation works at a tactical level for immediate short-term periods. it is not a comprehensive, sustainable strategy. it is this idea of, i will just shut the network down. it is not that it is a bad thing at the tactical level. if you are looking at a base, an installation as opposed to an entire grid or sector. in the long run, i think the right answer for us is going to be, again, rather than isolation, how do we do something in a more integrated way? isolation is difficult as a strategy, particularly if you have high power requirements. we have huge power requirements so this is something that i pay a lot of attention to. power is a big concern for us
10:43 am
because we are a huge consumer of electrical power. i agree with your fundamental premise. the challenge becomes, how can we have a conversation about the right response strategy here? are we really comfortable with this idea of isolation? as a broader strategy, i don't think that is the best response. thank you. >> a question about -- i have heard some members ask, and likewise with the response in the question about tabletop exercises, say a business is sharing information, using a framework told or a risk management tool and they are dealing with an adversary that outstrips their abilities to keep pace. we know that there are partnerships with dhs and other agencies. when would the nsa step in?
10:44 am
what is the policy there? >> first, i would argue that the most likely scenario is probably u.s. cyber command. one of our three missions is when directed by the president or secretary to provide capability to the critical u.s. infrastructure. our role to do that, our mission will be to attempt to interdict the activity before it gets to that u.s. company. that is our primary strategy. that is what dod brings to this. a subset of our strategy is, if we should fail in that regard, we have also developed defensive response capabilities that we can deploy to partner with dhs, the fbi and the private sector. it goes to tom's question. how do you mediate and mitigate? if you fail, how do you remediate? that is really the u.s. cyber command side. that is what the president requests the secretary of
10:45 am
defense to do. there is a policy debate, a legal debate. it is why in my an initial comments i talked about this as a national security issue. viewed as a national security issue, the capabilities of dod and their application are in keeping with our broad policy and legal structure as a nation. if we view this as a private sector issue, then traditionally, do you really want dod involving themselves in this? that is why i think looking at this from a national security perspective is important. there will be a discussion about the refocus on critical sectors. is it any private entity? we have defined approximately 16 segments as being critical infrastructure whose loss would have significant national security impact.
10:46 am
what we are developing at u.s. cyber command is to be prepared to apply capability in those 16 segments after erected by the president or secretary. >> thank you. >> admiral october, according to the department of homeland security -- you may know the chamber has embarked on a outreach campaign. over the last few months, they have been going around the country. as you can imagine, very different audiences. a lot of us in washington are well-versed in the cyber framework. in phoenix or chicago, some of them hadn't heard of it. we are spreading the word on that. the question is, that is great, that is a campaign. what else do we need to do? you look at the als ice bucket challenge and how quickly that went viral. what can we do to jumpstart people paying attention to cyber
10:47 am
security? >> one of the issues, what is the tipping point? what does it take when it gets so bad that we finally say, ok, enough? we have to get the legislation, put those partnerships in place. the status quo is not working for us. for whatever reason, it doesn't appear that we have reached that point across society. in no small part, because many of our citizens, it hasn't reached a true pain threshold. so someone steals your account information, steals your credit card data, charges on that card. right now, if you report this to your bank, we are not paying a price. the corporate sector is assuming liability. they are covering it. the point i think about is, once this becomes something that
10:48 am
impacts a broad swath of our citizens in a real manner that impacts their daily life and ability to do what they want when they want, then watch for a whole shift in the way we are talking about this. my frustration is, it shouldn't take a disaster to tell us that you can see this coming. every one of us knows that this is a significant national security issue that is not going away. it will likely only get worse. we can either deal with this now in a collaborative, professional way, we can wait until we hit a across the forehead. i don't like to get hit. i find that to be a painful experience. i would much rather we have a dialogue and from the dialogue to the concrete sets of how to make this real and how we can work between the private sector,
10:49 am
government, and a broad swath of government -- one of the comments i made is, right now we are asking the private sector to withstand the efforts of nationstates against them. that is asking a lot of the private sector. i think you have seen this reflected in what we are trying to do as a government. this is about partnerships. we have to be able to provide government capability and capacity to support the private sector. likewise, we need the private sector to provide capacity and capability to make this work. it is not either/or. for those that argue it is a private sector function, i think the reality is it is between viewpoints. we have to work this collaboratively. there is no single technology, no single source of intelligence or insight that will clearly tell us exactly what we are
10:50 am
seeing. it takes partnership to make this work. you have information i need and i have information that could be of value to you. >> you have not just one of the toughest jobs, you have two of the toughest jobs. cyber commander and head of the nsa. what do you think your biggest challenge is? where do you go from here with the cyber command? how can the chamber be helpful to you? >> my biggest challenge is creating a culture and building the framework for the future. on friday, united states cyber command celebrates its fourth anniversary. we are four years old as an organization. in the scheme of things, for years is not a long time. there are organizations that have a much longer history than we do. my challenge is, create that workforce, build the operational
10:51 am
concepts and command and control as to how to deploy it, and exercise it with our partners inside and outside the department, as to how to make this work. what you need from us, what we need from you, how to share it, what format. the answer to this isn't, i give you everything we have. i don't want that from you and i don't think you want that from us. we can bury each other with data. putting on my intel hat, data is interesting but what i care about is insight and knowledge. i use data as a tool to get there. data is not the end-all. >> we have a question here.
10:52 am
wait for the mic to get to you please. >> i am with the industry leaders association. i will stand, sorry. >> i can't see because of the light. >> my question is, you talked about the importance of cyber information sharing. we are going to hear later about sharing legislation. one of the big criticisms by some is that these bills allow you to get the information and they would like that -- how do you get around that? >> let's have a very clear definition of what you are providing us. i don't want privacy information. it creates challenges for me. it slows me down. for this mission set, not a good thing for us. what i like to have is a discussion about, what is the information we want to share with each other?
10:53 am
what is the value that information generates? this idea that you can't trust fill in the blank, that is a recipe for disaster for us. among the things we need to address is, the controls and the oversight mechanisms. what is the role of civil liberties and privacy? what is the role of inspector generals? we have lots of mechanisms about oversight and control of information. we need to make that a part of this. i'm not interested in anybody writing a blank check for u.s. cyber command or the nsa. i bet the fbi and dhs would tell you the same thing. remember, dhs is the leader here. in military jargon, they are the supportive commander and we are supporting them. we work through the department
10:54 am
of homeland security. we partner with others in the federal government in addition to dhs. fbi, treasury, energy, we partner with others. u.s. cyber command, we are not the leader. the national security agency, we are not the leader. we partner with others. >> we have time for one last question. can you wait for the mic to get to you? >> politico pro cyber security. there have been reports about employees of the nsa working -- there have been some reports recently about employees of the nsa working part-time in the private sector, former employees
10:55 am
going on to the private sector. how is that affecting morale within the nsa? is there concern about that relationship with the private sector? >> first, we have a formal set of processes that must be applied when individuals do something in addition to their nsa duties. we review that and when circumstances change, we will say, that is not acceptable anymore. the circumstances have changed. the relationship is different. we do that on a recurring basis. for some, it is as simple as someone with a language background saying, i want to use my language on a contracting basis to increase my skills. sometimes we will say yes. sometimes we won't. in terms of the flow of partnerships and information back and fourth, i have been very public about saying for the nsa, i would like us to create a model where members of our workforce don't spend 30 or 35 years working directly for us.
10:56 am
it is amazing, the employees that i will talk to. when i say, how long have you been with nsa, 35 years, 38 years. i just said goodbye to an employee after 50 years. given the state of technology, we have got to create a world where people from nsa can leave us for a while and go work in the private sector. i would also like a world where the private sector can spend a little time with us. one of the challenges that we are dealing with, and you have seen this play out, we have talked past each other a lot. we don't understand each other. the nsa culture and experience isn't optimized to understand concerns from our i.t. and corporate partners.
10:57 am
likewise, many of the individuals we work with in the corporate world don't have an understanding of us. i think we should change that. i think it will produce better outcomes for both of us. thank you very much. >> thank you for your time. thank you for all that you do. the u.s. chamber of commerce looks forward to working with you and your team. we hope you will come back. >> i thank you for taking time from very busy personal and professional lives to be part of a dialogue -- it won't be just today, next week, next month -- being part of a dialogue about what we ought to do to address a foundational challenge for us as a nation and for our friends and partners all over the world. cyber does not recognize geographic boundaries. the idea that we are going to deal with this in america, i don't think that is a winning strategy.
10:58 am
we can learn great insight internally, but also from our partners overseas as well. it all starts with our willingness to have a dialogue with each other and a willingness to be open. not starting from a position of, you are in the private sector, you are all about money, i don't know that i can trust you. or the private sector saying, you work for the government, i don't know that we can trust you. that is not going to get us where we need to be as a nation. that is not going to provide the protection that our society, the private sector, government, us as private individuals, that is not going to generate the outcomes we need. this will take all of us. it starts with an open relationship and a willingness to be transparent with each other. i thank you very much. have a great day.
10:59 am
[applause] from the cyber security summit with the assistant attorney general for national security, john carlin. he spoke about the government's efforts at combating cyber security threats. this is 25 minutes. >> thank you for your warm introduction and for inviting me to your annual cyber security summit. we benefit greatly from your leadership, especially in promoting the chamber of commerce's role in national security. in establishing an annual gathering focused on cyber security challenges, the chamber of commerce demonstrates commitment to keeping our nation secure and lowering barriers for businesses to compete fairly in our global economy.
11:00 am
the fact that this is your third annual cyber security summit is a testament to the growing magnitude of these threats and your commitment to make cybersecurity central to the business plans. this is an important business issue and one that i know the chamber has exercised as a part of its national cyber security awareness campaign which kicked off in may. in may. in the campaign roundtable events that occurred throughout the country the chamber stressed the importance of the cyber risk management and reporting cyber incidents as to the law enforcement. i couldn't agree with these two recommendations more. today's event is our opportunity to discuss how we can take the steps and others to best protect ourselves and to the nation. cyber security threats affect us all and they affect our privacy for our, our safety command our economic vitality. they present collective risk and disrupting them is our collective responsibility. the attackers we

0 Views

info Stream Only

Uploaded by TV Archive on