thank you again. [applause] cybersecurity. white house cybersecurity coordinator howard schmidt is this week's guest and she's interviewed about the obama administration's efforts to reduce cyber threats and protect the u.s. against cyberattack. >> this is a weak one in the communicators for week series on cybersecurity, cyber threats and legislative proposals to address the cyber threats.

we are pleased to be joined on our first week by howard schmidt, assistant to the president, and also white house cybersecurity coordinator. guest reporter gorman. if we could start before we dive into the proposals the administration put forward on cyber set to become is there a working definition of what cybersecurity is across the government and across the different stakeholders of what it is and what it will entail? >> i think the term that we use and the approach of what we call a cybersecurity has evolved over the years it used to be called computer security than it was information security and information assurance and now we have sort of ) cybersecurity because it encompasses everything from the end user devices such as smart phones all the way of to and including the government systems and defense systems so we have pretty much gone around that from a government perspective. internationally we see other governments that to different

terms. the use information security still and the debt issues around the security. so locally we've got it. internationally it is in the same. >> is it a global issue? >> it is a global issue and that is why not only are we paying a lot of attention in the u.s. government and private-sector, the economics of the world has turned around on the technology backbone we see today and a lot of this hinges on what we've done with our security. >> the white house has released a series of cybersecurity proposals, some of legislative. how would you encapsulate this proposal's? spec is a continuation with the president asked us to do in may 2009 where he released a cyberspace policy review and said there's specific things we need to look at. one of them of course is the release of the national strategy for trusted identity and cyberspace. looking at identity and how we do that and how do you trust the identities. the second one of course which i think we will talk about in a little bit is of the administrative case. what are the things that

congress can do to not only help the u.s. government but the businesses. the end of the third one is the cornerstone of a lot of what we are looking at is the president's international strategy on cyberspace and the cyberspace strategy security because the subtitle was prosperity and economy in a sort of technical world that we live in today. >> i'm wondering if we can do one more state setting question to the if you can characterize on at least a weekly basis with new evidence of the cyber infiltration attack and things like that. how do you when you look across the board whether it is state based, cybercrime etc., how do you characterize the threat the united states is facing right now? >> characterized the bald leases. you have to get the areas in the cybercrime. clearly we've seen a cybercrime ever since we moved from the systems to the internet that

there's been concentrated efforts by criminals out there to take the advantage of that so there's one piece we continue to see that of course increases the systems and the more people are engaged with it the more opportunity to operate the cyberspace to read on the other end of the spectrum and start looking at the dependency we have is a government and as a civil society because somewhere there's an i.t. system. so therefore because that dependency exists any threats against the systems have been more dramatic effect on us which is why we are getting more focus on identifying what is going on out there trying to isolate what it stockley the impact is going to be would more importantly how would we stop it from happening. islamic one thing that has intrigued me is different corners of the government seem to have different views on how severe the threat is and one of your jobs is to coordinate the differing views. but one of the most visible components has been the pentagon. with officials warned of a cyber

pearl harbor and things like that and did a lot of times in your comments i don't necessarily see that the approach taken and i wonder how publicly we are supposed to assimilate different views across the administration of house of your the threat is. >> when you look a different parts of the government of different responsibilities, the department of defence is responsible for looking at the worst-case scenario and doing what they can to protect the united states and our interest against that whereas you look at other parts of the government, the commerce department and the department of energy and treasury who all have different responsibilities and you're absolutely correct when the president created this office, the idea was to coordinate these and develop good policy the president put forth on behalf of the u.s. government. >> what do we make of the pentagon's much stronger statements about the cyber threat? if you like and to concerns about a cyber pearl harbor or just when the talk about the defense systems every day. >> i would say that it's not

necessarily only on the defense systems, the private-sector, we have other parts of the government and putting other governments, and what it is when we hear what they say we have to take that as a part of the overall picture that we look at, take into account and figure out what they can do to help and how much is it really did to the defense activities, how much of it goes to the fbi department of justice secret service and homeland security. but this is part of an overall picture but not the whole picture. >> we were a little bit directly on the cyber secured a legislative proposal, and i'm wondering perhaps now that we are over the debt crisis if we are going to see a little bit more action speaking with people on capitol hill wife heard a lot of fear at least from the aids who've been working hard on this issue so can you give an update? >> we, like you, mentioned we believe we will start to see movement as the congress comes back. this has been a big issue and we recognize there's a whole lot of pieces need to put in place on this. legislative is only one of that.

while this has been up there since we submitted the proposal on behalf of the president, that doesn't mean we should stop waiting for congress to do something. we continue to make efforts. but we think when the congress comes back we have to focus on that boat on the the senate but also the house and to see to continue moving forward on a bipartisan basis recognizing that there are pieces of cybersecurity the legislative body can help us with. >> you talk to the pieces of cybersecurity legislation. would you prefer to see a package passed or would you like it in bits and pieces? >> we submitted what we consider to be a comprehensive package based on the question from senator reid. we think that's the important way to look at it because when we start looking just at the process of getting things through the congress if we have small chunks we are dealing with is going to take a lot longer than i can get any of us want to see happen so looking at it from the perspective here is the piece we need to put in place at one time and then continue to evaluate things as we move

forward if we need more in the future because technology changes, the threat changes, then we can adjust them in the future but looking at it as a comprehensive fashion is that the way forward now. >> if the congress doesn't look at it that way which one piece to you think is critical to get past? >> the biggest one is the part of the nation's herring with the private-sector particularly the critical infrastructure in the u.s. government about what is the government's role and private-sector and how much interaction there should be private-sector consume for a long time. there's a lot of things they can do on their own but the government has unique information based on intelligence, law enforcement investigations, other activities. so those are the two pieces that we really need to make sure we get that locked down so that we can accept that shared responsibility on the critical infrastructure. >> what have you been doing to work with private industry on this? and talking with people on capitol hill about the prospect for the legislation the pushback

from not just the chamber of commerce the table communications company and technology companies are not fans of the sort of system that fans of the sort of system that the u.s. proposal and the proposals on the hill would set out to kind of require certain parts of the critical infrastructure to evaluate the systems and kind of report back on that. and i'm wondering what, how the white house is managing the industry concerns on this. >> i think there's a couple things. we said we've rolled out the proposed legislation this is the beginning of the dialogue and by no means the end of the bye all. second coming as we work with the private-sector, not only the white house but also the department and agencies that have the sector specifically committing feedback with a sector and shaping what is it that we really need to do and what are the things they need i don't know that i would characterize the private-sector response of the pushback. there's concerns about -- to make one person characterized it became out with guns blazing. some of the folks getting

feedback on capitol hill discard the significance to respect think the majority of people i talk to say there seems to be various measures. the understand the def was in the details need to figure that out and define what exactly is the critical infrastructure and what is the reporting mechanism. we want to make sure if someone has a particular requirement now to some government agency that we are not piling something else on top of it. those are the concerns i for of the private sector which by the we are shared concerns we have as we get into the details we need to make sure we continue to continue the economic growth that the technology gives us while still making sure that we have the ability to communicate. >> would you anticipate any changes made to that portion given that this kind of the section that seems like those that is the legislative proposal and also the thing that is causing heartburn among some in the industry. >> i would think it is further input from the private sector, as if they get more, less on the

details in this and work together, and we anticipate it changes and expect them to come back with some of the changes so we can provide feedback on how workable we think it is in the current set of the situations we are living under now to respect mr. schmidt on may 27th in "the wall street journal," an article she quoted the internals chamber of commerce document that said this leering the new regulations on the critical infrastructure will harm public-private partnerships, cost industry substantial sums and not necessarily improve the national security. >> it's interesting because we've read that article needless to say and have had a number of conversations with of the chamber. basically as they try to bear in mind that there's a number of different companies and organizations such different perspective and there was a draft. it was not fully vested with the of the members, so basically that wasn't fully representative of the position of the chamber itself into the told me.

we continue to be sensitive and we continue to hope that they work together entirely for what are the alternatives they can only once again continue the business needs we have out there while improving security. >> i want to read one of the record if i may. john cornyn of the 451 group posted on may 13th after the white house cybersecurity proposals came out the attackers of the two years ahead of the defenders were two years ahead of the market which is two years ahead of compliance and legislation is to fight years behind that. how do you keep that? >> when you start looking at how do you define someone i get all the time. we are better now than we were last year. we were better prepared. we've got better process he's not only in the government but outside the government but the vulnerability is we've had for years still exist committed the bad actors still exploit the same vulnerabilities over and over again, typical thing we see

through the anatomy of the autopsy of the the formidable the which gives somebody the privilege. we've seen that the past 20 years. so why don't know people will able to recognize it and that basic hygiene that we are looking at a rate of legislatively as we pointed out in the proposal we put forward there are things we need to catch up on. the penalties for the infrastructure, the impact on organized crime which is now part of the cybercrime thing we talked about a few moments ago. so updating that is key but i don't know that i would put two years and. we recognize some we have to make up. >> this is the c-span's communicators program. kicking off today we are doing a four week series on cybersecurity and cyber threats. howard schmidt, seibu security coordinator for the white house and assistant to the president is our guest. siobhan gorman for "the wall street journal" is our guest

reporter. >> one of the other issues that has come up in the legislative proposal was the white house puts a lot of stock in the role of the department homeland security, and i talked to some of the lawmakers who have hesitation about that because the field with the dhs is still even nearly a decade old not quite yet and still kind of a young agency, and cybersecurity is an even newer responsibility for it whereas the national security agency has been doing this for decades. i'm just wondering why focus so much on the department of homeland security and how were you responding to the concerns from lawmakers because i assumed this comes up from time to time in discussions with the administration. >> we look to the different parts of government. you mentioned the the national security agency which for long as the great technical capabilities it said many times as i need someone to protect the system they are the folks i would go to the tune with the civilian responsibilities across the homeland security coming to look at the things but in place

for homeland security and the relationship with the private sector they are the best place to put it. on the other resources the government and in the department of defense and the department of energy and justice and the fbi so it is a supportive role but somebody has to lead this. as a consequence of the continue to build their kid the the the the as we develop these response plan will get things such as cyber storm which are the exercises. that gives a window into some of the things they have to modify and change to do this. so i have confidence in leadership in the mission that they have got but we continue to build the capabilities with smart people and good laws put in place to support them. estimate can they do it fast enough so? because as we were just discussing this is something the government's response to the threat has been slow so if you're having a sort of learning curve for an agency on top of that, can the department respond quickly enough to this? >> i think they can and it's the type of thing that it's more

than responsibility. private-sector is a big part of this. private sector has been doing it a long time so as a consequence the ability to wrap up the deal with what we are doing is ongoing work. but more importantly for the future because the idea is part of the way of dealing with of the things we deal with today but how we wind up making sure the private sector is better organized, the government is better organized and we are sending a message to those the would try to disrupt the system because there are consequences for this. so it is a building of capacity but they are not the only ones in the world that have to deal with that. spec james lewis white think worked with you on this report csis salles a quote buy him saying that asking private enterprise to help protect cybersecurity systems is like asking the airline to protect the u.s. from air attack. what's your response to that? >> i'm not sure that is a delicate characterization. number one, a few to pay

attention to the security needs its luxury it is something you need to do. it's part of a business process. into the system having an open system all my transactions to coordinate is once again a new thing. this is a brand new technology we've been pushing that the boundaries with and having the need to do that to meet their businesses successful people talk all the time about power stations and all these other things they don't make money if the lights are not on. businesses don't make money if they do the products can be sold securely so there's a business imperative as well. some come to the table to fully recognize the role in the critical infrastructure but clearly they are getting smarter part of georgia and the homeland security to make sure the understand the official responsibility as well.

>> at what point does exceed the responsibility? one of the things the pentagon is concerned about is that there reliant on the scene power grid that all of us are and if the lights about it affects them as much as it is going to affect next door or whoever. when does the cyberattack for server technology used in to the military? >> we continue with smart lawyers looking at the president's international space to the trustees and then the person there but the the the two reach the like this and a lot of discussions putting labels associated of the cyber intrusions and serve as a text and continue to look at what is the escalation point but to your point specifically the dependence and the department of defense and homeland security or anyone that has on those resources we have the mechanism which is a part of the proposal

and the legislation to approve to us you can do this, prove to us your set up to do most things that get thrown at you and if not what are you going to do to fix it, and it sounds like in some cases a civil discussion but how do we deal with a major snowstorm or shut down for days and days and days? we are processing plans to do that and the unexpected we have to do this and the critical infrastructure as well. >> javan as the lawyers debate this you've now studied this problem for decades of to the estimate if we ever get to the when d estimate if we ever get to the when desultory gives to the jury or civilly instructors, and that sort of puts this which the other week. it's not to say that it's automatically turn it back and become more, you have diplomatic and economic and all kind of cases which the president laid out in his strategy to deal with these but that is the sort of worst case scenario. >> of the u.s. can prove other

countries' military actually attack because proving a specific government much less the government is responsible that is something difficult to do. it almost seems like i'm not sure. >> and then you look at the attribution number one and think it is just foolhardy of any government to do something like that because they are going to be affected as well. we talk about them before because it's in their interest to create a cyber armageddon or digital pearl harbor but we've to be careful analyzing everything we see take place, every intrusion were service every intrusion were service attack from every scam you mentioned it to analyze and say duties pose a threat to the u.s. or the u.s. interest and if so how do we deal with them? a lot of this as i mentioned in the year goes back to the basic hygiene and making sure these things we know of can't affect us to the stomach howard schmidt is the white house cyber secure

record nader and special assistant to the president, but i've got to tell you mr. schmidt has had one of the most intriguing careers i've ever see me and i would suggest you go to the white house website in case you would like to look at it further but he served in vietnam with the air force, he worked as a policeman in chandler arizona and worked for the fbi at the national drug intelligence center and was a special adviser for cyberspace security for the white house chief security for white house chief security for the white house under the george w. bush administration and he was vice chair of the president's critical infrastructure protection board. he served as with microsoft as well, and that's just a couple of the things he's got and both his p.a. and his mba from the university of phoenix. one of the proposals the president calls for is this needs to be coordinated from the white house to do you misuse as

a cyber securities are to coordinate this activity? >> the term coordinator is what this job is about and interestingly enough and a positive we've seen a similar states around the world do similar things recognizing there is the defense side, the intelligence side, the commerce intelligence side, the commerce site the needs to be somebody bringing those together getting the input and making a device to the president of the prime minister as well so clearly it has to be incurred in the white house the president has put forth. estimates are there any funding numbers in place for this? >> as far as the white house? >> cybersecurity in general. >> we have things that go back to the comprehensive national cybersecurity initiative where some of the money is allocated for that. but once again come as we've all consider secure, one of the things we look at this cybersecurity costs and the would-be firewall fees' sort of things. no longer of the viewed is strictly security things.

they are part of the infrastructure. it's like when we buy a car we don't say i want to have breaks or not have breaks. it's just part of the safety that we are building now and that's why when you look at the i.t. infrastructure the security has to be built into it. >> and just looking at your office hung one of the proposals that is still circulating on the hill is to sort of create more structure around in your possession now that you have had some time to spend on that position what is your take in terms of proposals that would either give more control over the purse strings are just sort of stuff which your office york and rounded in statute? >> having the purse strings doesn't make you more secure. we've seen that in the evolution and most recently some of the changes we've made to make that work. the structure we have now is a good structure and the ability to bring all the leadership and all the departments made seized into one room and go through these tough issues and how it

gets handled and what are the policies we need to do and what is the legislative piece so by virtue of the fact we've been able to accomplish so much insurance jay short-term irca what time of cybersecurity source lenders to the fact we are less structured plus as was mentioned earlier when the president predisposition not only the national security council but also the national economic council which once again i think is important for the economy deals so much with the cybersecurity and the technology. >> what is the hardest issue you have to start out with the agency's 04? >> i think as you mentioned in the very beginning, the great expertise and the different areas looking at it very specifically from their area, which is what we want them to do, and getting people to sort of come together with a consensus of what we need to do, we need to fix right now to be the moving away from the edges like we have seen in the xin news recently and getting to move to the middle of how can we move this forward. >> what are you hearing from the

congress? >> the meetings we have had with congress and on the hill submitted the president's proposal a lot of good feedback that they welcome the opportunity to debate this more deeply than in congress and they look forward to us providing input on what are the things we really need and i think the last count there were 50 some odd pieces of proposed legislation across the 26 committees, all of them well intended and exercised in the jurisdiction that had not heard from us saying what are the things you really need and we put forth and they are very happy to get that. and as we mentioned earlier to start year when congress comes back and the details of the summit is going to best work. islamic given the realities over about three months or so of the legislative season and left this year do you foresee anything happening? >> i do i'm very confident because they're seems to be a commitment from the leadership of there that says yes now that we've got this big issue behind us right now we can start focusing on this because they

all recognize the need to do things and those things are part of the proposed legislation we put forward and we need to move them forward, so i feel very confident we will be moving this forward as soon as we get back. >> have you gotten republicans to move on this because that is one of the things i was hearing on the hill was there was a concern that the republicans have other priorities and this wasn't necessarily going to be wasn't necessarily going to be at the front burner. estimate my conversation had not been partisan had all. i met with members of both parties. they all admitted they wanted us to do more and it's a matter of getting educated in a way forward. so no great which side of the i was going to be working with us on this. >> you think they are going to have time to pass legislation to the next few months? >> i do. i feel very good because they recognize how critical this is to so many different pieces of what we look at across the united states. united states. >> we now talk to the privacy concerns of the electronic privacy information center which will be a guest in the series a

little later in a couple of weeks. this is a quote buy clark looking at the white house proposal. there should be legal standards, not voluntary guidelines when it comes to controls on privacy. >> one of things we did not only for the legislation but also the other work that we did were very deeply engaged in the privacy and civil liberties community. if you read through the international cyberspace strategy, it has had in many, many places references to the freedom of speech, freedom of expression, privacy, civil liberty when it comes to cyberspace. so what that is one of the core pieces. even the when the president has a dedicated privacy officer in a dedicated privacy officer in my office to look across the areas but when mark or anybody from any utter presidency agencies look at this, we want to make sure that the confidence that we are focusing on that they have controls in place to make sure that we are protecting the privacy and civil liberty and it's something we are

accountable for and is transparent to what other organizations look at. i think we are doing that and we will continue as we move forward with legislation to make sure that this takes place. the devotees and we look at the proposals is the data breach notification. there's two pieces to that when we look at the national breach notification. one is the citizens oftentimes we are not sure what our rights or when it comes to our information being compromised in the hands of a third party. on the same token businesses that have that affirmation are dealing with the 47 odd pieces of legislation from different states on we think something happened, so once again, i think that we held -- we were more on the privacy of the proposal with the data, the national data brief notification. >> how do you make this user-friendly? >> that's one of the tough things and security has to be transparent to the end user. when i see in user it's not just any of us sitting in front of a computer it is a small medium

size business when you look across the united states since the 27 plus million businesses doing things online even a couple years ago we saw a tremendous increase in the billions of dollars of online e commerce so it's got to be transparent and user-friendly and the end user shouldn't be the ones saddled with is this good or is this bad? we should have mechanisms in place as governments and business to make sure you are not confronted and that is part of the proposals will become too. >> back to the privacy concerns are the critics who say that the are the critics who say that the white house proposal didn't go far enough. that it was just sort of creating a voluntary set of standards for business particularly critical infrastructure and they say will but this is truly infrastructure that's critical to our security, why is in the government simply telling them what they need to do in order to, you know, protect maximum-security? what do you think of the people who raise those concerns that this isn't really that enforceable?