
tv   [untitled]  CSPAN  June 27, 2009 12:00am-12:30am EDT

12:00 am
the key private sector players and their security and the security of the country. So I think we have to revamp how we do this, starting really early on, catching people when they are five or six years old and getting them excited about the possibilities of going into this space, doing coding, doing other
12:01 am
sorts of things, much like years ago you would have kids out there with their mom or dad working on the engine of a car. It's the same sort of thing. You've got to get people excited. Make sure when they go to elementary school there's security education early on, that when they are in college, if they are taught how to do development or taught IT, they get the secure fundamentals as a part of that, as Chris was saying, and then once they graduate and go into the workforce that we have mechanisms that give them career paths so they can have a full career. They are not stuck as though you're the security guy, you're a GS-12, right? For those of you in the federal government, you know what that means. There's unlimited ends. You can go through the political ranks as a security professional. I think back when Chris and I were both prosecutors in the mid-'90s we had this problem where you would see investigative agents in particular who would develop considerable expertise in doing cyber investigations and then they would be rotated out.
12:02 am
They would be doing some sort of paper fraud or something else, and some of them said, enough of this. I'm going to the private sector where my skills are in demand. That's changed substantially throughout the federal government, but we've got to go farther to make sure we develop the career path and then provide the workforce training as people go forward, and I'm sure other people have thoughts about that.
>> I think a career path is especially something important. One of the things mentioned at the FBI, security is their top priority. You go into cyber and then something else and again, and you can't really understand this field unless you stay and play in it, and the developments are too fast to go away, and that isn't just true in the law enforcement field, it's true across the board. They've developed a career path within the FBI where if someone comes in they stay with it their whole career and get more advanced training. That's happening in the network security field and other places, but we need to accelerate that, and I think Phil is right, we
12:03 am
need to make it cool for kids so that it's something they want to do.
>> I would say on this point I think there are a lot of aspects of cybersecurity where there will be controversy in Congress, I think, but on workforce development and training, it's something there can be congressional encouragement for, scholarships and training programs, and it's also easily something that we can work with the private sector on that's already got its own training. Google has its own training, I'm sure, and other leaders in the field, so that is a place we could come together to put more resources so that we are prepared for the future and we wouldn't run into any of the controversies some of the other big pieces of this policy might.
>> You are right, Google does have training. In fact, for the engineers and continuing education we bring cybersecurity to everything we do, and as Phil mentioned, we were having this conversation in the waiting room before and I found it fascinating, the idea of actually getting kids involved.
12:04 am
We teach Spanish, French and languages to kids. Why not consider coding as another language, so kids can start early to learn how to do it, and then bake cybersecurity and awareness on top of it. Anyone else have comments on the pipeline? I guess I would call this a pipeline issue. How do we get the cybersecurity professionals of tomorrow ready today?
>> I have one comment. There are some examples I think that are models we could follow. The National Security Agency has the Centers of Excellence program, where they have gotten a lot of universities to put together a curriculum on cybersecurity and teach it. The other thing we have is the National Science Foundation and scholarship programs that are graduating first-rate kids who owe the government a little bit of time, but what we found is they tend to stay in the government when we can give them good work, so they are transforming us bottom-up. That's incredibly successful, probably the best money we spend
12:05 am
so far on cybersecurity. So I feel we need to do more of that. The other piece is I do think we need some curriculum review. This technology is for satchel. I tried to make this point in the green room, too. Everybody who writes software has to think of security. You can't just have the security people who think about security. So this business of security has to start with the people who are doing the design of things and the coding, so every single computer programming class has to consider security as part of the programming class. It isn't an algorithm class and then a computer security class. So my analogy is it's like doing civil engineering without worrying about gravity. Everything in civil engineering is there to help make buildings and bridges stand up and things like that. So human behavior is the gravity in computer programming.
12:06 am
We have to consider it in everything we do, so that is a thing I think the government might help influence, partly by the way we fund -- partly by the way that we reward colleges and universities with R&D. We might put strings around curriculum development or curriculum change.
>> Liesyl?
>> I'm not going to disagree with anything folks have said. I would like to add that as we look at ways to develop our cybersecurity professional base over the long term, and this is a truly strategic effort too, is to think of it also in a multidisciplinary way. Yes, you have to build up the technical expertise of those that are going to be discretely working on building software
12:07 am
projects or systems engineering or architecture, but keep in mind all of us in this room now use computers and other devices, so back to what Chris said earlier about the human element, or Phil, or what both of you probably said about the human element, and it's not to look at it as just technical training but a multidisciplinary effort to build practices and norms and awareness of the kind of things that as individuals we need to do at a young age as well. Also I would say that not everyone working on cybersecurity today has an engineering degree. So I would like to think in as flexible terms as possible, not only for the types of people that might be touching cybersecurity in their company or government organization, but those that can contribute to
12:08 am
a multidisciplinary, ever-evolving technological environment, so let's try to keep the flexibility for that evolution as well.
>> Thanks. Once again I would like to ask on the point made in the 60-day review, the importance of public-private partnerships, and so, on the private sector side of this, what does the collaboration look like if you have an incident response, and I would also like to look into this question: there is legislation that proposes the idea of shutting the internet off from critical infrastructure. I would like to get your take on how would that work in practice?
>> Can I take that as the private sector? First, I think I touched upon what the collaboration might look like in an incident, and the key part of that is it isn't just an
12:09 am
incident. It's in the collaboration, cooperation, co-analysis, a true partnership from day one. So that when something happens there is an organic way to respond, not a forced way. You're not just reacting to addressing a problem, by working together over the long haul. With regard to a disconnect proposal as suggested, I would say that we need a strong dialogue about that kind of thing, because first of all it's not something you can just do. I think in today's technological environment you just can't disconnect somebody without either unintended consequences for the services that network provided or the fact that there are all kinds of redundant
12:10 am
networks and ways people continue to do business, so while you may have disconnected one thing you haven't disconnected another, so you have to sit down and have a dialogue about what actually would happen if you did that, and I would say that perhaps there might be alternative measures to protection and the emergency efforts that might be needed.
>> I'm going to give you a chance on this since this is Senator Rockefeller's bill, but I want to get the perspective of the DoD as well as Phil, both of you, on this issue, an incident response but cordoning off private sector infrastructure from other systems, how does that play out?
>> I'm an old player at DoD now, so I have ancient history stuff I think actually might be helpful as we think through this. When AT&T broke up, they said our infrastructure is no longer
12:11 am
owned by one company. The country actually said it's a national security priority to be able to work with industry if there is a problem, and we have to be able to work across the whole industry that handles telecommunications. So there was an outfit formed after the Bay of Pigs, which was a sort of telecom emergency, being the National Communications System, which is part of DHS, but after the AT&T breakup there was this National Coordinating Center, and it was actually manned by people from all of the telephone companies and by DoD people and intelligence people, so we actually have a full operational entity, and it still exists. I think the priority has gone down a little because cyber has overwhelmed it, but we had a model where we could operate very quickly in an emergency and we
12:12 am
used it. On 9/11 it was used heavily, for instance, to try to figure out how to -- the president's priority was safety, you know, rescue people and then get the stock market running again. You know, the NCC was the entity that helped coordinate those priorities and the actions by government, so we were working together toward those goals, so something like that might be important. Another sharing thing that started is DoD started worrying about its technology secrets leaking out of its industry partners' networks, so, you know, big defense contractors hold all the technology data for the department. They were getting cyberattacked as well. The data was being exfiltrated from their networks, so the department started another thing I think might be a bit of a model, called the Defense Industrial Base cybersecurity
12:13 am
effort, and we started to wrestle with these problems: how do you have a tight sharing relationship with somebody you also want to compete for business? So that is one of the problems the government has. So how do you work that and how does the industry respond to that? We want them to share incident information and they don't want it to be used against them in the next competition for a fighter plane, for instance, so we have a really robust pilot project with about 30 companies where we've worked through the legal arrangements and we are proposing federal acquisition changes to enable the sharing, but the thing the industry folks came back with is, that's fine, we will tell you incident data but you've got to give us something. What are you going to do to help? So we have always shared best practices through NIST or DoD or NSA, but we started
12:14 am
sharing threat data, classified threat data in some cases, and this is a breakthrough. We have not done this in the past, and I think we need to grow this model, and the government needs to have -- this is a conversation we need to have internal to the government: how classified does some of this threat data need to be? Can we share it with the banking sector? They need to understand some of this stuff if something is coming at them; we want them to be robust. So we started with this industrial base under the critical infrastructure protection umbrella, so, you know, we think it may be a model that can be grown out, inherited by DHS, to have this broad conversation. So I think I only answered the first part of your question, but I went on a long time.
>> We will let Phil take the second part. [inaudible]
>> Well, I will start where
12:15 am
Liesyl left off. It can't just be a partnership for incident response. It has to be a partnership more generally, because it's got to be built into the DNA of all the different players, because when something bad happens the last thing somebody in the private sector is going to do is reach for the 300-page government binder on the shelf behind him. They are going to start doing what they do on a normal basis but scaling in their best way to meet the emergency. So we've got to build those organic ways of working together. As Richard said, we don't start from zero. There are a lot of models out there. The National Coordinating Center, which goes back to the '80s as he pointed out, is a good one. And in fact that particular model, what amounts to a joint operations center between government and industry, is behind a lot of the proposals you see coming out of bodies like NSTAC, which some of you were deeply involved in
12:16 am
developing, two in the front row. So those ideas don't go away. There's the DIB model, too. We've got to figure out the way that we refine those and help them meet what is a broad cross-sector issue. There are at least -- we could spend the rest of the panel talking around information sharing. I will call out three things I think are absolutely central. First is trust. You've got to have trust. With trust almost everything else will work and without trust nothing will work, so you've got to build that. You've got to start with personal trust and move towards organizational trust, where in fact there's a return on investment for everybody involved so they continue to play in that partnership, and as Richard said, that involves government making sure we share the information that we can share, not overly classifying information, or if necessary, you know, providing the right security clearances to people in
12:17 am
industry so that they can see it, and making sure we give them information that's actionable. Not, here's classified information but you can't do anything with it; that's not helpful to people in industry except to inform what they're going to do in response to the threat. The second thing is agility. We have built a lot of mechanisms to work together: the Information Sharing and Analysis Centers, Sector Coordinating Councils, various advisory committees and the National Coordinating Center. All of these things and more are designed to work together. We need to work through them where they are working, but also we need an ability, through them or otherwise, to bring together the right people in a very agile way, because you can get unique problems and see a vulnerability coming back and affecting three companies from multiple sectors, and you need to bring together the right people to solve the problem very, very rapidly. The last thing is clear roles
12:18 am
and responsibilities. A lightweight process for how we are going to work together. Nobody's bringing that 300-page binder. We need to tie down, as part of the response plan that comes out of the 60-day review, who does what. What are the roles of everyone? How do they implement that in their existing business processes, whether they are government business processes or industry, so that we can work together without building the plan as we are flying it while bad things are happening?
>> That's actually a perfect place for me to jump in, because I think the provision in the legislation, the Cybersecurity Act of 2009 that Senator Rockefeller and Senator Snowe introduced, was an effort to get this kind of dialogue going. We didn't envision it as any kind of on or off switch. Probably the terminology in this draft is imperfect and we need to change it, because we're only speaking to lines of authority so that we
12:19 am
know what happens in the event of a cyberattack, so that people are not guessing, so we don't have the kind of situation and confusion we had with Katrina or 9/11 where there is confusion between the national decision makers and the local and state authorities. It's about trying to make sure that organically there's an understanding of who does what, and I feel we are stating the obvious, that in an extreme cyber emergency or attack the president ultimately has constitutional authority to protect the country. It wasn't meant to go beyond that, and this kind of discussion is something we've been having in conference rooms since we introduced the bill, and it is very helpful in this interim process that is legislation, so that by the time that we get to actively moving the legislation, I'm hoping it's more warmly received.
>> I think a core part of the report was exactly that,
12:20 am
defining what the lanes of the road are and how the agencies on the government side work together and how they work with the private sector. We've known this was a problem for some time but haven't had a response plan, and that, though, is only one part of the public-private partnership. I thought I would echo both of the sentiments mentioned here, but the partnership for what purpose? People throw out public-private partnership without content behind it. So what is the purpose? Is it incident response? What relationship do you need for industry and government? What does the government give to make that value proposition important? Getting people to report the incidents has always been a big problem as long as any of us have been in the area, but one of the reasons for that is people who we're asking to report don't really see what benefits they get out of it, so making the value proposition clear, which I think is a government and industry problem, we need to do our part, too. I don't think, to echo
12:21 am
Phil's point, the government is going to pick up on a cyber incident and get the 300-page thing off the shelf. We need lanes in the road and organic processes to come together and respond, and that is one of the things we are working on.
>> Can I ask Phil a question? In the case of the DoD, what we do is plan. We are a planning outfit. We plan everything. We work out relationships, and in spite of all the planning what we discover is that there is no substitute for practicing a plan. All those details you didn't think of appear in that practice, so Phil, what do you think about how we ought to work out -- we have legislation that defines it, but how should we really work that out in practice?
>> Sure, Richard. I agree with you completely. One of the reasons DoD exercises and practices so much is because the idea is that one is not in the war normally. So you want to train and
12:22 am
practice to what you are going to do. In some ways cybersecurity is a little different, because one is always in that environment. Every one of us, all of us, are always under attack. So we are in a slightly different place, and events happen all the time. For example, telecom companies get cut all the time because of a backhoe that dropped somewhere. So what they need to do and we all need to do is to be able to scale rapidly to address situations that could be much more severe than what we do on a day-to-day basis, and in cases where it is a real uptick, maybe that is a difference of kind and not degree, so we actually do need to, even if we didn't want to, we do need to exercise to plan for that. We have done a series of exercises over time, Cyber Storm One and Cyber Storm Two, and
12:23 am
Three is in planning, plus there are some exercises in government and industry to make sure we are getting ready for future events. We need to do a couple of things. One, first of all, continue to do those things, make sure they are not too burdensome so they keep people away from doing their day-to-day job, but make sure we do them and do them the right way, to get the private sector, where appropriate, involved from the very start so we are in fact training to the goal and bringing all the people in who need to play. Second, we need to make sure there is a cadence around those exercises so we are using them in concert with policy development and testing the things we actually want to use. So as we go forward on exercises we want to make sure those align with the incident planning and response processes we are developing, and then we have an iterative cycle much as DoD has always done. So exercises inform plans.
12:24 am
We exercise plans and we actually will amend them, and included in that is future planning. What do we think we are going to need in three years and five years? Design the plans to address the capabilities, exercise and then amend, for a cycle, a virtuous cycle of that.
>> At this point I'm going to ask one more question, but I would like members in the audience, if you would like, to start lining up at the microphones. We are going to take questions, and also from Google Moderator, after I ask this question. A great point was made, I think Chris and someone else mentioned, what is the flow back to the private sector? In other words, sometimes there's the question, we give up information, if you were a business, and say what's in it for us, how do we share? So it's great to hear that folks are really thinking about how do we provide value and send information back and figure out a framework that we can work together to make sure that's working. The last question for the panel before we take questions from the audience and the Google Moderator is, what do you think in the concrete sense that we
12:25 am
can do to really get the word out and involve citizens, in the sense that there is of course a criminal element to cybersecurity and the problem, as well as small businesses and the impact: you buy an expensive computer, maybe you have several if you are a small business person, and you can't use them, and people are becoming more aware, but what is the role for this public-facing consumer side of this effort?
>> I think one of the chapters, a full chapter of the report, was based on both the education but also the public outreach, and a public outreach campaign is supposed to educate how important this issue is, and one of the things I've seen is that, you know, a while ago at least, we have to change the culture. Kids growing up think being a hacker might be cool, attacking might be cool, there's nothing wrong with that. It's different from someone breaking into your house next door because it is in cyberspace and they look at that differently.
12:26 am
That's changed and we need to accelerate that. With small businesses and other businesses, intrusions, not just to the security experts, that is something that becomes important, and they understand that by contributing the information if they come forward. We have to convince them there's a capability that we can actually do something for them, not just on the law enforcement side but the network side and policy side, and especially dealing with things maybe they can't do, like dealing with international partners, since these always have an international dimension.
>> We are going to run out of time.
>> This is something that is a problem because what we have now is a collection of people who did not grow up with IT, sort of embedded in the infrastructure. Now people grow up, and by the time they take their driver's tests they've seen people driving forever and they've
12:27 am
taken driver's ed in high school, and so there is an entire community informing them -- educating them about driving from when they are very young. We will get there eventually if we do this right, but we have to get over that hump and get to that point, and that's where the recommendations are. This isn't a blank slate. People have been doing great work, like the National Cyber Security Alliance, for a long time, but we do need to step this up to another level. We -- so if in fact this is a national security problem, we have to treat it that way and make sure we devote the resources and the effort to educate the public, down through kids, through individuals, through small businesses and corporations, what the threat is and what they need to do to protect themselves. So it's not a mystery what we need to do, we just need to execute.
>> That ties back to the president's statement that this is a national priority.
12:28 am
>> We are going to take questions from the audience and Google Moderator. You can introduce yourself and then ask your question briefly.
>> I'm Michael Nelson, Georgetown University. I think this is a useful panel and very encouraging. You have laid out the right issues. There's a lot of agreement on what needs to be done, but we have not spent enough time on how to make the infrastructure itself more secure, and particularly I wanted to pick up on Phil's point that we need to have at the foundation an infrastructure that has good authentication built into it, with privacy protection built into that authentication mechanism. When Phil and I and others were working on the cyber policy 15 years ago in the Clinton White House, we knew we had to have better authentication. And 15 years later we have more problems with online identity theft and more problems with phishing, and we still haven't solved that problem. There have been dozens of
12:29 am
private-public partnerships. To highlight some of the specifics in this area, I would like each of the panelists, or whoever wants to take it, to tell me why you think we haven't made progress on this in 15 years and what we need to do going forward: industry, government, Congress.
>> Richard, do you want to --
>> Well, being old again, I got to watch these technologies develop. All these technologies were developed with the notion everybody was benign; they were developed with that notion, so the network is completely anonymous and there is essentially nothing built into the technology infrastructure that makes it less so. So in the department we have the goal, underlying some of these higher-level goals I mentioned, of driving it completely out of our internal networks and with as many partners as we can, so we are
