tv   [untitled]  CSPAN  June 27, 2009 12:30am-1:00am EDT

12:30 am
things like social security can't be part of that. we also decided the technologies that involve life secrets and in social security number somehow turned into a long lifetime secret. when i was a kid we printed them on our checks. the privacy act made in secret. so we have pushed aggressively in technologies that don't require us to reveal authenticators, yet allow us to authenticate so we have a big public infrastructure on the unclassified networks and we are rolling it out and we have a big one on one of the classified networks and rolling out on the secret network this year. i think those kind of technologies have to become much more ubiquitous. we've got to drive out the anonymity. the other thing we struggle with and it's not just a technology problem, is as you drive anonymity out, you have to figure out how to establish enough to use so that people trust the
12:31 am
others that, you know, they've just discovered so now i know it's richard hale, so what. do i want to do business with him, do i want to interact with him, so the other structures that need to come are now learning other things about richard hale, you can make a business decision now to richard hale. sallai but say there are technology pieces parts to start to solve the problem. again, we have worried a lot about privacy as a part of doing this. i don't think we've solved all the privacy problems but some of this business not revealing certain information to authenticate is part of it. but i think the pieces, are there. we just haven't had the economic reason to do it except places like dod. >> i take off that statement one of the reasons you haven't seen is the business case has been made to the industry or the public in terms of as it is
12:32 am
today when people are losing their identity and they see identity theft and data breaches it brings it home to them. the other issue is how do you build in the privacy and civil liberties into this debate and i think it's very important. i think there are some purposes we need anonymity and more authentication and in fact if you have good authentication and do this right you are enhancing privacy and protecting people stayed up and making it larger than doing this zero sum game and that's important, too. one of the things unprecedented about the report in the structure going forward is a civil liberties privacy person will be part of the nsc director dealing with this with all these issues and so we are going to have that kind of dialogue to make sure we balance the equation correctly but i think there's a lot in this area that could be done that could help get a lot of the malaise out of the system and make it more effective. >> specifically why i think the problem is, i think the problem is policy.
12:33 am
the technology has been there since 1995 or well before. first off, i would disagree slightly with richard that i don't think the point is driving anonymity of the system. the point is making strong authentication available for places where it's appropriate. and it may be on a dod network, but on the internet it's certainly not and we have to recognize chris's points that anonymity isn't only highly socially valuable but protected for a lot of stuff that happens on the internet so we have to keep that in mind at the same time though making it easier to have strong authentication. why we haven't made progress is it's not a public good problem, it's a collective action problem. too many pieces need to move together at the same time for this to happen organically. maybe some industry or some entity in an industry wants to
12:34 am
use strong authentication but because there isn't a broad available way to do that they have to roll their own and it's not worth their economic time to do that and government has never provided the way to optional authenticate on wind if you want to do and so there is just the people that could act don't really have the incentive to act. where we have got to get is we have got to get to the point where if you don't want to use things like a user name and password, a set of shared secrets that may be shared but they are are really secrets, you don't have to use that, you could use some sort of credential that provides much more authentication or greater degree of security but if i want to see my thrift savings plan or my irs information or something but i've got a strong means of authentication skycam have security to do that i have the option and so i think how we get there is finding those places where we can catalyze action by government industry and spiral
12:35 am
outward >> liesyl? >> i think we addressed the first part which was how do we get more use of technology that is available already. if truly there is a place where the market hasn't met the need and perhaps we can look at a wafer and other private public partnership to bring resources of government and the resources of the private sector and whomever else needs to be involved together for a specific problem that might address fundamental things where there isn't current technology or it isn't a current system to address the infrastructure. >> thank you for the question. over here. >> my name is steve with terrorism research center. this may be a question for richard. we've received some reports recently through cybersecurity experts testifying on the hill china has developed its own secure operating system and it's been in development in the past six years and they just started
12:36 am
deploying it in 2007. is this something that the dod is doing? the reason i ask is it seems like we are kind of on the reactive instead of the pro-active if the dod has spent over $100 million apparently the last six months on cleaning up cybersecurity issues and what do you think going forward recon partnership with some of these entities where their focus may be more on the business development and not security in some of the products should be developing our own security software like the chinese have done? >> so this is another old guy question. back in the system the dod did make the decision that the current models for operating systems in particular were not sufficient for this problem of both handling multiple classifications and a single machine but also just from general resistance to cyberattack. so we wrote a guidebook on how
12:37 am
to write an operating system that was more resistant and handled these people's and access control based on the labels and we had a public-private partnership. we had a really great one. we had every operating system in the world essentially except for microsoft build one of these operating systems and then we never adopted them. so now we've burned the industry. people looked at that and said i'm not spending money on that again. you guys promised you would make a market for them, so i think there's a couple lessons. one is yes, the government does have to be active and demanding infrastructure that's more robust. the government is going to have to pay now so if we use our collective the government is still an information technology customer and we can't help nudge the market. we can't completely shake it
12:38 am
anywhere. as we have to be much more serious about using the buying power to harden up some of the commercial things and yes, there are places we are going to have to build our own special purpose technology. we still do cryptography. there will be other infrastructure pieces the government will have to build itself. >> okay, last question, we have 15 minutes so what we are going to do is move through as many questions as we can and take two more and got a moderator question. i may come of the panelists after one or two but if we have extra time please keep in mind a question that you want to revisit. >> paray and with public knowledge. when i hear the rhetoric of we are under attack at all times and security along with my cheek background it's difficult for me to associate those things with warrantless wiretaps and telco immunity or mandating the printers print out information in the pages that give up
12:39 am
individuals information about who printed the information so what is going to be done not just to give lip service to privacy that ensure the programs are open and transparent so that the citizens can decide whether we want to give up those rights in the name of this war that's being put forward. >> i will start by saying i don't think we should be asked to give up rights. we have to find ways to move forward. i don't want to sound like lip service but we need to find ways to move forward and protect security and privacy at the same time. there will be places where there will be pushed points but i think in a lot of areas we can do that. we obviously need transparency to the greatest extent possible so that we can provide oversight from the public about what we are doing. the last thing i would say is that as chris pointed out in response to the question earlier the 60 day review basically said
12:40 am
on the team on the cybersecurity team in the white house there is going to be a privacy and civil liberties person present and so we have got to institutionalize the perspectives that we need in order to protect privacy. i think he would find that during the course of the 60 day review that the outreach that alstom brought me by the team that didn't under ms. hathaway's leadership was extremely broad and included the privacy community and that was a fairy lights on fact for a lot of people in the community. >> and that's right. we've met with the liberties and privacy act several times and they were delighted and said that's something they didn't have that experience with before so it's more than lip service. this president has made transparency a bedrock principle of his presidency and something that we take very seriously and want to make sure when we look at all these issues we are building that in. >> brought in, thanks for the question.
12:41 am
>> i represent defense studies. i'm curious in a situation we have civilian military and private networks running on shared operating systems and not start own networks but those of potential adversaries how do you build that relationship and balance between a potential offensive capability where the military and developing and researching a sense of applications we have this new cyber com and how do you balance that against the need for defense if we discover a vulnerability on one side of the public-private divide especially the military side how will that be shared, should it be shared so we patch the vulnerability or keep it a secret? >> is that one for me? [laughter] >> i think it is a great question. right now we tend to share the vulnerability information we find. so i can't talk about how these
12:42 am
processes work because they are not public processes. but there is vigorous debate process actually inside the whole federal government it's not just the department of defense about how this should work and in general the way it works is we choose to share the vulnerability information and fix whatever the vulnerability or at least encourage the fixing of the vulnerability. we do have an active program to do that. and we've also tried to catalog these things and share them as widely as we can. there's a thing called the national vulnerability database that is run out of the national institute of standards and technology where a lot of the vulnerability sharing is done.
12:43 am
liesyl? >> i think an important aspect of that is the ongoing dialogue i mentioned between the various parties on an ongoing basis not just if something happens. and there's also the notion of responsible disclosure that's been worked on over time between government industry about how to disclose something at least publicly that at the right time when it allows you to take action to defend themselves but also doesn't subject, you know, the environment to be exploited without protections you put in place so there's a lot of dialogue required, the mechanism for that on a consistent basis. you know, there's going to be times when there is tension between a disclosure or not and that just seems to be worked out as quickly as possible. there are instances where the traditional ways of disclosing
12:44 am
have been overruled by the dialogue that took place. >> i'm going to go to the google moderator now. actually the first two questions, how would the lack of international by the three-year president on cyber warfare affect the development of cyber defense capabilities? and also, has the defense department outlined a moral framework for offensive cyber warfare? >> the concept like preemptive war and mutually assured destruction applied cyberspace? anyone want to jump in on that? [laughter] >> we could let you off the hook. actually want to hear from someone else unless you want to jump in. >> i'm not a lawyer so i would say one of the lawyers. [laughter] >> i would say i think we need to wait for a treaty that might not be optimal, excuse me, to work on the defense protective measures. >> and i would say one of the things -- one of the things we
12:45 am
talked about in their report we need to do is to try to define what the norms are in cyberspace. but one of the things i think that's also clear when we look at these events that have happened is there are -- there is a fundamental thing we need to do no matter what the attack is and we have threats from criminals, major states, there's a whole range of threat actors. we still need to do certain things and one of those is to harden the targets and make sure we have the defensive measures and partnerships that place but internationally in the private sector. those are core no matter what because attribution is a big issue in this area. we don't always know who is doing what and we need to get better at doing that. >> richard i will mention one thing. we are talking in the waiting room about not the same case but for piracy on the high seas. it's also international problem that age-old just in the spring three injured 50 miles off the somali coast attacked by
12:46 am
pirates, richard and i both have made the connections. i used to be a frogman's a that was ended with the application of force by the navy seals. but the development of both international norms, cooperation and the private sector, was watching a documentary what happened and the procedures these vessels have to share amongst themselves best practices i think one of the first things they did is called some antipiracy center in the u.k. when they were being attacked. so on this question i thought it was interesting you talked about history quite a bit during this. what are your thoughts on this question? >> well, at least for now we have been trying to concoct as many ad hoc relationships as we can. some of them are with our closest partners. those relationships have been in
12:47 am
place since before world war ii for instance and we've used those relationships to expand sharing around cyber stuff and around incident response. we have succeeded in some of the cyber emergencies and putting together ad hoc coalitions and that is partly about the dod does is put ad hoc coalitions together and figure out how to get something done around some of the cyber emergency is and other parts of the world. so, i do think we need a better -- there are all social norms here yet. we need a better notions with those are, where the boundaries are and this goes back to the roles and responsibilities conversation. we need to do some of those out with our partners so it's not all ad hoc. >> one quick point. this is another area we need to go sort of further, stronger,
12:48 am
faster. as the 60 day report makes clear this is an inherently international problem. we have to solve it internationally. no one government could solve this. let's not -- acknowledging we have a lot further to go let's not pretend nothing has happened. both chris and i served time chairing the g8 on cybercrime and many years ago in internet time probably a century ago the council of europe developed cybercrime convention which was the first sort of major international instrument and is a very effective way for law enforcement around the world to work together on a very rapid scale to solve crime. that needs to be adopted much more broadly internationally. one of the things the senate did was ratify it and that was a good thing but we need to find ways to build on those successes but successes they have been.
12:49 am
>> thank you. >> question? >> matthew retail, public knowledge. earlier someone mentioned the idea that we need to sort of basic security into the process of creating the infrastructure applications and software used on a daily basis. i think that is a wonderful idea but i am curious as to how all of you, what ideas you would have. my own experience in the private sector is that it's not a lack of confidence on the part of the programmers but rather a lack of time and money. one of the first things to fall by the wayside there seems to be some kind of incentive -- there's a systemic flaw in the software design process. do any of you have insight into how you might approach that? >> i think incentives is one thing we are looking at. i also think the market is changing to some extent if software is and more secure it might demand for premium because people don't want their
12:50 am
information taken and they certainly are relying on this information every day so it's a combination of incentives and the market actually evaluating this more. i think on the government level it's actually having the security people in the same room as innovation people where we consider these issues so they are not separate camps they're integrated and exchanging information at the outset. >> but the government could help drive the innovation and private-sector if it offered substantial incentive and i think that's something the folks on the commerce committee are interested in doing and something that might take the form of a tax incentive. we are looking at all those options. >> metrics. if you want to bring the market to bear you have got to have an ability for people in the market to make effective decisions. so you've got to let them make decisions on the deck and if you can do that then you are going to bring a lot of additional incentives. >> one more question -- >> the government still has a lot of buying power if we band
12:51 am
together we can actually make a market for some of this stuff. >> thank you. one last question. >> thank you, shannon kellogg. one point and then a question on the international front. i agree with you on the authentication on management issues and i think that mike's question was important. one thing i would throw out is there was a lot of focus what is happening in the government. there are sectors like the financial and industry that actually have for a number of reasons because of threat, financial loss, some of it because of market conditions and also the government push if you will have actually gone out and adopted based on the rest of the transactions a broad sense of authentication methods so i encourage you to look at what they are doing on that front. but the question is i agree with what you've been talking about on the terms of international coordination but going back to
12:52 am
phyllis point about competitiveness and allen, perhaps this is something you might want to start off because i think it ties into the legislation senator rockefeller has introduced and that is what about the international implications for what we do at home? ansel, there are different legislative approaches, different procurement requirements and strategies. there are a number of things we are looking at doing in the context of the cyber review that could have an impact on how we are perceived internationally and could give some governments who are already starting to go in the direction of requirements on big companies and multinational actors important to the american economy and they are putting these requirements potentially on us that would restrict ability to compete abroad and so i'm just wondering as you think about this challenge internationally are you also looking at how policies
12:53 am
at home can impact our competitiveness on the global front? >> i think it's a fair point but i also think that it's incumbent on cost to move the private sector to engage so that a government mandate is not required. nobody wants to put a mandate on the private sector. everybody wants to work on the public education public awareness campaign and try to make it something that's part of the cost of doing business in the 21st century. that's where it ought to be and of course you always consider domestically what you do and how it might affect the international partners but we think cybersecurity and improving the nation's cybersecurity is actually fundamental to our competitiveness that if we don't do it we are going to result in some situation where the economy is destabilized because of insecurity, because of cyber attacks and we think is
12:54 am
a competitive issue to push the private-sector to do more and better just as government needs to do more. >> i agree with that one implication is that there are governments abroad who are looking at what we are doing to give an excuse to go down a path that would be harmful. >> that is what i was going to add. there's a flip side. what we do here and what is happening in the international community affects business in the united states and part of our international engagement strategy is to bring along. phyllis right we've made strides in areas like the council which is still the treaty is a cornerstone of our foreign policy getting other countries to adopt that and we've built a lot of networks on some levels but bringing industry into the discussions we are having with other governments to make sure when we have all these multiplicities dealing with these issues we are actually making use of them in a way that helps us together achieve the competitiveness that you were talking about. >> so google takes cybersecurity seriously.
12:55 am
we look forward to working with others in the industry and members of the public but definitely with government as well and we are attacked every day. it is a serious issue. i'd like to thank each of you for your participation. everyone in the audience, thanks for your time and interest. [applause] ♪ [inaudible conversations] [inaudible conversations]
12:56 am
12:57 am
>> they are not to have any advanced information, is that clear? the message is not to be from me. if there is a will fire the whole department. >> more from the newly released tapes saturday afternoon on c-span radio. now, a discussion on health care policy. the national institute for health care management invited health care policy experts and insurance company executives to talk about how the health care system is founded. this is just over three hours. >> now we will look at a state example where they are actually doing some very interesting things, the state of minnesota and for that we have patrick, president and ceo of blue cross blue shield of minnesota who will discuss the recent initiatives he is involved in. minnesota is well known for its low-cost of care and its high quality-of-care can really serve
12:58 am
as a model for the nation and as we work toward those goals. >> thank you, nancy. some of you who are close to the room know that there is a fly buzzing over the podium here. [laughter] a couple of weeks ago i would have just swatted it but we live and wheeler. [laughter] thank you very much. it's my honor to be here representing the state of minnesota and representing blue cross blue shield of minnesota. the discussion we are having as a nation is really not just about health care, but it's about health. and wellness, prevention and quality of comes is what we are thinking about and looking at. so, as we talk about what we are doing in minnesota, i would like you to take a look at these slides we're looking certainly at cost, we are looking at
12:59 am
improving care and we are looking at the value being delivered in the system. i am also going to talk a little bit about how we have positioned our company as a whole company on some of the things distinctive about that and then i will touch on some disruptive innovation because health care is in great need of disruptive innovation to continue to improve what is happening in the country. one of the things we have in minnesota and i think it is the backbone of the difference in minnesota model is the tight integrated nature of health care and health care delivery in minnesota particularly in the twin cities but certainly in the rochester minnesota as well in a place called mayo. many of you have heard of mayo and it's getting a lot of play in the national discussion. we, in minnesota, are very proud of the mayo health care system, and it certainly does an outstanding job. but i also hear to tell youha