The Communicators (CSPAN), March 5, 2012, 8:00am-8:30am EST
8:00 am
every weekend right here on c-span2.
>> coming up next, "the communicators," with a look at cybersecurity threats to government and business communication networks. then commodity futures trading commission chairman gary gensler on his agency's new regulatory role under the dodd-frank financial regulations law. after that we'll be live at this year's u.s./israel policy conference with remarks by joe lieberman and actress and ceo kathy ireland. and later, more remarks by the head of the transportation security administration on the future of aviation security.
>> this week on "the communicators," a look at cybersecurity with two business executives involved in safeguarding communications systems. they also talk about federal regulation of their industry.
>> host: and now we want to
8:01 am
introduce you to robert dix, who is vice president of juniper networks, and recently, mr. dix, you testified at a house hearing on cybersecurity.
>> guest: yes, sir.
>> host: what was your message to the members of the energy and commerce subcommittee?
>> guest: it's really important at the time of this challenge that we are facing in cybersecurity that we maintain an environment that facilitates investment and innovation and doesn't do anything to confine the ability of the private sector, which owns and operates the majority of the networks upon which all critical infrastructure, most of the things we have become used to in our daily lives, rely on, from having their attention directed away from being nimble, agile and fast to respond to this challenge as it continues to grow.
>> host: and is that in direct reference to the white house plan that was introduced last year on cybersecurity, which puts an emphasis on dhs?
>> guest: it certainly responds to it around the parameters that have been outlined in some of
8:02 am
the legislative initiatives that we've seen.
>> host: do you expect cybersecurity legislation to move through the congress this year?
>> guest: well, my crystal ball is a little cloudy about that. i have reason to believe that there will be a legislative initiative that will be introduced on the senate side. not entirely sure what it will look like yet. i believe there may be some pieces of legislation introduced on the house side. not entirely sure what that looks like yet. what's really important here and what's valuable is we're having a dialogue in a different way than we have in the past, and we're trying to drive towards adding some arrows to the quiver that can help us fight this fight. we may not always agree on that path forward, but having this dialogue and finding our common ground is extremely important at the time that the adversaries are getting more sophisticated.
>> host: mr. dix, what is juniper networks, and how would cybersecurity legislation affect your company?
>> guest: we are one of the world's leaders in trusted, high-performance network and security solutions. we are a hardware and software
8:03 am
manufacturer. we are involved in data center and virtualization and mobile security, so we span the spectrum of offerings in this space. one of our successes has been that we invest heavily in research and development to drive innovation. we're a u.s.-based company with offices and operations around the world, but we believe innovation is the answer to meeting the challenges of the future. computing, storage and networking is changing as we know it, and it's changing rapidly. the only way we're going to be able to respond to that and be able to address the challenges associated with that is to innovate. so we have believed in that investment, and we worry a little bit about anything that may have an unintended consequence of constraining our ability to innovate.
>> host: and also joining us on "the communicators" is gautham nagesh, who is the new editor of cq's technology briefing.
>> host: thanks, peter. mr. dix, the number one question
8:04 am
for a lot of americans unfamiliar with this issue is how serious is the threat when we talk about cybersecurity? specifically, how far away are we from an attack that could either cause significant physical damage or cripple our nation's economy in some way?
>> guest: so we always have to be vigilant. the one thing i want to remind everyone, including our viewers today, is that even in recent risk assessments conducted across the telecommunications and i.t. sectors, we have demonstrated, using a methodology, that the networks we rely on today are resilient. that doesn't mean they're not subject to attack, but we can respond, and we do respond. people read about some of the high-profile breaches we've had. what they don't read too much about is the hundreds of thousands of attempts that we repel every day because we have made these kinds of investments i talked about earlier. what really needs to happen is we need to raise the level of
8:05 am
awareness and the consciousness of the american people, from home users to small businesses to the academic community and nonprofits all the way to large enterprises, about how they can better protect themselves in this thing we call cyberspace.
>> host: now, you talk about a lot of deflected attacks, and that's clearly true. we've seen thousands, if not millions, of attacks made on u.s. networks every year, but it's also fair to say it's not how many are deflected but how many get through. one attack could conceivably be enough to cause massive damage. are we at a place where a cyber attack could result in the loss of lives or perhaps billions of dollars of damage to our economy?
>> guest: i always worry about that risk. i would like to believe the resilient nature of that would be in and of itself a deterrent. however, the adversaries we're dealing with today are more committed, better resourced and becoming more sophisticated. so when we talk about the advanced persistent threat, i worry about
8:06 am
that and whether or not we are actually paying sufficient attention to that. but let's remember this, the point of entry -- this is what we don't talk enough about -- the point of entry oftentimes is at the very low level. so botnets, as an example, are generally a result of home computers that are overtaken by the adversary because of a lack of hygiene. and it's not because people aren't interested in protecting themselves; they don't know how. small businesses are ripe victims for getting into the supply chain, as an example. so we have to take care of raising the bar, and cyber hygiene is one of the ways to do that. that's about 80% of the issue. the other 20% is tougher and more sophisticated. what i'm happy to report to you is there are extraordinary efforts underway with the public and private sector working together to address some of those more sophisticated things.
>> host: now, on that 80% issue, we've seen a campaign really on the part of congress to raise awareness of cybersecurity as an issue, to make americans aware that they need to safeguard their information. we've also seen some rather
8:07 am
heated rhetoric behind this issue, talk of a cyber 9/11 from one of the sponsors of the senate cybersecurity bill. how do you -- that rhetoric seems a little bit out of line with the threat that you're laying out for us today. how do you reconcile the two?
>> guest: some people are driving a particular agenda, and that's fine. i don't want to minimize the risk here, but this is, again, about managing risk. we can't protect everything all the time. right now i don't believe we're doing a good job of the basic blocking and tackling of cyber awareness, of creating an operational capability. today we still spend a lot of our time, energy and resources around response and recovery. we need to build the capability with government, with industry, to create something like a national weather service or a center for disease control where we have a nerve center that has the pulse of what's going on in networks in a steady state and during any
8:08 am
points of escalation. we have the ability to do that, but we have some policy issues in the way, some legal issues in the way. it's really not a technology issue, so i think we need to have a different dialogue around what are some of those impediments to creating an operational capability, to creating that sustained national education and awareness campaign, what are the law enforcement tools that we need that we don't have today, and what are the ways we might leverage government procurement activity to be able to drive changes in behavior.
>> host: mr. dix, so how is it that the role of dhs as proposed in the obama cybersecurity plan, how does that impede what you think should be the goal?
>> guest: so as an example, there's a recommendation in the legislative initiative under covered critical infrastructure, which in and of itself is not clearly defined as to what would qualify and leaves it to the discretion of the director of homeland security. but it talks about the
8:09 am
establishment of performance requirements, it talks about an annual certification process, it talks about third party assessments to validate that the presumed covered critical infrastructure is meeting the performance measures of those requirements. all of that takes time. just building the performance requirements and building the compliance model, the regulatory regime as i refer to it, takes time. and by the time that's complete, the risk has changed so much, it's very dynamic, that probably whatever comes out of that is moot. it's old news. we need to be nimble, fast and agile in being able to respond to that, which means we need to facilitate greater innovation and the ability of the private sector to have access to threat intelligence information to improve the risk landscape and break down some of the barriers that we have had that impede our ability to collaborate better.
>> host: and, in fact, in your congressional testimony you said it is imperative that all of us acknowledge that cybersecurity is truly a shared responsibility and that managing risk will require a true collaborative
8:10 am
approach between government and the private sector. the private sector owns and drives the majority of the innovation and also owns and operates the majority of our nation's critical infrastructure.
>> guest: that's correct. and that's why it's absolutely essential that we be at the table and engaged in this dialogue with our counterparts in government. and you know what? that's happening in some places. we have a framework under the national infrastructure protection plan that allows government and industry to work together through sector coordinating councils across the 18 sectors, through information sharing and analysis centers that every day are doing good work building information. we need to leverage those relationships that we have built and invested time and resources in over the period of their existence and utilize them to the nation's best interest.
>> host: gautham nagesh.
>> host: mr. dix, you spoke about the need for information sharing, and there does appear to be bipartisan agreement on that issue, likely to see some legislation move in the house in the near future.
8:11 am
>> guest: hope so.
>> host: however, speaking to the dhs portion that's been proposed in the white house and the senate plan, what do you propose beyond information sharing be substituted for audits or some sort of regulation? in other words, how can the federal government be sure that critical parts of the infrastructure are being protected without implementing some sort of regulation?
>> guest: so there are parts of the senate bill that i think have merit. there is a section that talks about a sector-by-sector risk assessment. excuse me. i have firsthand knowledge of work that's been done to conduct such sector-wide risk assessments utilizing methodologies, an attack-tree process to identify high risk activities that need to be identified. remember, in i.t. and comms it's more about functions than assets, but the infrastructure community has been engaged in some type of risk assessment. so working with our government partners in a collaborative way
8:12 am
to take a look at those assessments, identify gaps, what are the protective measures we can recommend across the members of those sectors, and where are the gaps that require research and development? these are the kinds of things we can be doing together, so i think that's a good part of the bill, and i like that piece of it, and it talks to the broader range of the risk that we need to try and manage without drilling down and telling individual companies the things they need to do to manage risks in their own environments.
>> host: but under that suggestion, if a company were to have gaps in their protections identified and they weren't able to address it, either from cost issues, which have been cited by industry, or other reasons, what can the government do, essentially? should it be up to the company to leave their systems open to attack if they decide that the risk doesn't outweigh the cost?
>> guest: so let's remember that these companies want to stay in business, and staying in business depends on their reputation, and reputation includes the ability to be
8:13 am
secure. so companies will make those kinds of investments. in some cases, particularly in small business, they oftentimes don't know what they should be investing in. and what low-cost or no-cost items they could be doing to try and help improve their protection profile, that's a place we can help. the small business administration could be engaged in this with us, the internal revenue service. they have engagement with citizens all the time. lots of things we could be doing together.
>> host: mr. dix, in your testimony, again, you write that in today's increasingly connected world, the move to cloud computing and the explosion in the use and proliferation of mobile devices and applications mean that we must be able to rely on the resilience of the network more than ever. does this change the equation with the expanding use of the cloud and also the mobile proliferation?
>> guest: it's a perfect example of what i was talking about. the technology's moving rapidly, and every time the technology changes, the adversary changes
8:14 am
their modus operandi to try to take advantage of that. so we need to be able to be nimble and fast. the move to cloud and virtualization and the use of data is responding to the demands of the users; the increase in data, video, voice is demanding that we have this virtualized capability that is the next generation. as i mentioned earlier, computing, storage and networking is changing to be able to deal with the scale and the requirements of big data. so we need to protect it. actually, i think that we have a great opportunity with cloud to be able to be more secure. and this is what we need to be able to innovate and stay ahead of, and not spend our time, resources and attention on complying with a regulatory regime.
>> host: so, robert dix, does this issue stop at our nation's borders, and could more regulations in your view make us less economically competitive?
>> guest: that's part of the problem. this really is an economic issue, and it's about u.s. competitiveness. no, it doesn't stop at the border. this is a global challenge, and
8:15 am
u.s.-based companies dealing around the world have to deal with laws and regulations and requirements that other countries have as well. so we need to be cognizant of that in whatever steps we take and make sure we're thinking about that in the global context.
>> host: robert dix is the vice president of juniper networks, and coming up next on "the communicators" we're going to talk with bill conner. he is president and ceo of a company called entrust. he also testified before the cybersecurity subcommittee.
>> host: and now on your screen is bill conner, he is president and ceo of a dallas-based company called entrust. mr. conner, what is entrust, and what do you do?
>> guest: well, we're a software security company that focuses on protecting digital identities and information. about half our business is with governments around the world, so everything from your u.s. passport or a u.k. passport has our technology in it to protect your personal information, to some of the next generation
8:16 am
passports in europe and other places that have biometrics. here in washington, as an example, if you're a government employee, your physical access card uses our technology to protect that and enable it. and banks use us for securing e-mail to their clients and content as well as fraud detection or fraud prevention, which is what i was talking about today in the committee meeting.
>> host: well, you did testify at a cybersecurity committee hearing today, and what was your message to members of congress?
>> guest: well, what we were trying to do was make it simple. cybersecurity's a little complex, hard to see until you see the money leave your account if you're a small business, especially, and the question is what do you do and what is it and what can i do? what i wanted to provide is a real example, which is an attack that's really crippling small business. so i explained how that happens
8:17 am
and what small businesses can do with technology available today to get behind that and what they need to ask their banks to do to protect them. we went a little bit wider with, you know, what are the issues in this public/private sharing. i co-chaired a public/private partnership at dhs, so we experienced a few straps on the back in terms of that experience.
>> host: the obama administration came out with a cybersecurity proposal last year. congress is now looking at actual legislation. what is it about that proposal that you agree with, and where do you disagree?
>> guest: well, i won't talk about obama himself. let's talk about there's lots of legislation. i think the issue is we need to do more, and it needs to be focused. and it starts with, you know, this is an identity issue. you know, governments give you your best government-protected identities. we've got to take that and make it useful for businesses and how
8:18 am
they use that. second is in public/private sharing, when i co-chaired the task force, the first one on this, you can't share information. i'm a security company that most of the government and the u.s. uses for protection. when i go talk to the people that work on cyber threats and those pieces, it's a one-way dialogue legally. i can give them information, but they can't give me information, because of competitive nature and antitrust and all that. when i work with compadres, ceos and other companies on the private side, all the ceos and presidents can be in agreement until you get the legal team in. and then the minute you guys do something, you've kind of got all kinds of antitrust issues, and more importantly, then you're raising a different standard, be it criminal or civil, of whatever you do that's not out in the standards body regulation or legal framework.
>> host: also joining us is
8:19 am
gautham nagesh, editor of cq's technology executive briefing. mr. nagesh.
>> host: thank you. now, you spoke about the need for or the result of cooperation being that you're setting a standard. who should be in charge of setting that standard? we've seen some debate on that as part of this.
>> guest: yeah. i think that's one of the real issues, right? is it a u.s.-only standard or not? if you look, i think you've got to be careful to go by what sector you're involved with. like passports, there's a global standards group, and it's icao. they do a great job of first generation digital passports, so let's leave that as a global standard. as you come to the u.s., you've got a plethora of standards, some created by nist, some that are developed by industries on their own that are de facto standards. and i think nist has a real role to play in helping us say what is the floor to what's
8:20 am
acceptable in terms of encryption or protection of data as well as what's the policy procedures behind how you use --
>> host: okay, setting the floor itself is a base of the --
>> guest: that is correct.
>> host: do you believe it's necessary for the government to establish a baseline?
>> guest: yeah, i do, i really do. and let me tell you why. today if you want to, if you look at one of the most significant pieces of legislation that brought security to the forefront, it was california 1386. unfortunately, we now have 40-plus states with their own legislation and laws in place. but it said if you encrypted and protected data, you had a carrot and a stick. if you had done that, you didn't have to disclose it, and you were protected from class action. if you hadn't, then the stick was you're subject to notification and breach and a fine in terms of class action.
8:21 am
that certainly gets a ceo's attention in the private world. the problem with that is there's over 200-plus encryption standards, some of which may not be useful to our country or the good guys. forget our country at this point. well, whose encryption you're using and how you protect it are critically important. and i don't think people want to do the wrong thing, it's just the availability to pick up things that you think are good, but they're not. you need to have someone helping the industry understand what that floor is.
>> host: of course, we saw some of this difficulty in terms of compliance and standards getting outdated with the federal information security management act, fisma, which is also part of the reform proposals from both sides.
>> guest: that's right.
>> host: but the question is then how do you effectively set these standards, these baselines, in such a dynamic sector where things are changing so quickly, faster than the government?
>> guest: yeah. i think that's why i go after
8:22 am
the minimum, you know? because i think minimums change a lot less. but if you get them too nebulous, they have no meaning. you know, i know in washington it's very popular to want to create a cybersecurity organization to oversee this. and i think that's just folly. and the reason i think it's folly is having done this before, energy and grid and nuclear are very different than financial infrastructure, than telecom where i grew up, than health in terms of the information, how the businesses work, the information that's trying to be attacked and the ultimate risk or liability in terms of the company and the country and the individual. and so i think, you know, i look at the joint forces advisory board where i serve. i think it's a great model. you know, with joint forces you still have army, air force, marines, coast guard, and they all have what they're supposed to do best.
8:23 am
joint forces, though, were to sit and coordinate that and look across it, and the best people and some of the money got carved into that. that doesn't mean i ask dhs or nsa to sit and know more about energy than energy, who already has the relationships and processes and what are the priorities that you need to do. i think we need to lean into that, give them the money and resources and say take 10% of that and force that between public and private in a meaningful sharing, not just with isp. because, you know, here i sit as someone who's supposed to be securing it, well, carriers are at the end point, it's not about an ip address anymore. that's what's getting knocked off. so that's why i get out of the frameworks that many talk here in washington, because you've got to get into the businesses of what's at risk and how do you deal with that at that level.
>> host: and in your testimony at the hearing today, mr. conner, you said what we face is a threatening cyber
8:24 am
environment where warfare is being conducted by foreign governments, international crime rings and common thieves in the u.s. it takes everyone, government, major organizations, small businesses and individuals, working together to defeat these forces, and then you go on to talk about moore's law. and we've just been talking about standards and procedures. are we outdated as soon as we form these standards and procedures?
>> guest: yeah. standards by definition are always going to be lagging because someone's going to get advantage on the good or the bad by, you know, either being pre or post. and i don't think that's the issue. you still need standards, and you still need a floor to say this is how you operate. i think the difference is if you allow people to innovate and people like us to do what we do best and take off some of the shackles and share really meaningful content, frankly, not just within the u.s., i mean,
8:25 am
we've got five intelligence groups around the world that coordinate. you look at defense today, they share some stuff publicly with their companies, they share other stuff not publicly, and they share it across borders with other mlds around the world. cybersecurity's got to mature the way it did with air, land and sea; that next battle front is where we've got to take some of the lessons and just reapply it to a digital age instead of a brick, mortar, bullets and missiles war.
>> host: at today's hearing you were just testifying at, what level of interest would you say members of congress have in this issue? and what level of comprehension?
>> guest: that's a good question. you know, peter, that's a great question. i'm green. eleven years of dealing with this subject and being one of the first ones, i saw today actually after the piece, the morning after bush spoke to the
8:26 am
joint session he spoke on cyber and the need to start to look at that as a piece. i spoke at nato, and i look at that today and go we're still talking. now, i don't want to take that -- we've made great strides and great progress, and this is not something like year 2000 that's going to be dealt with once and we're done. it's not like quality. if you look in the last ten years in the amount of time i spent personally not for profit on this subject, you know, it's trying to get a lexicon and an understanding just like deming did with quality. so i think that lexicon in governance and in companies is way better than it's ever been. but on the corollary, nation-states and criminal intent, organized crime people also understand that they can make money at that ambiguity,
8:27 am
and that's the pace they're at in terms of that understanding. but i think, you know, when i hear stuff like today when people say, oh, the cost of security's too great, that's what i said today. that's what i heard in quality. well, what is the cost? is it really the cost to do it once and to keep it up, or is it the total cost when it doesn't work? when people started with quality it was, oh, it's a process, and it's too costly, i don't understand it, you know, let's not do it. but, you know, the government was pretty effective in using quality in the bully pulpit, and american business finally got it. they got the lexicon, god, it's cheaper than the total cost of ownership. and i think cybersecurity and all of us have to kind of learn this is good for us. it can be a brand differentiator, and the total cost of not being secure is for those that are now breached as an individual or small business or a company, you quickly understand the cost of not being. i mean, as you heard today from the question of congressman
8:28 am
rogers, i mean, there's companies even in security that are out of business today because they were breached. so i think that's the message that we've got to keep focused on is what -- it's not going to go away overnight. what are the things we can do and take that and, hopefully, up the pace a bit.
>> host: we have time for one more question, gautham nagesh.
>> host: i think you did just touch upon one of the roots of debate. critical infrastructure providers are saying it costs too much to take necessary precautions. how do you as a security expert evaluate their argument given, as you said, the potential for catastrophic damage?
>> guest: i think it's how you define costs. economists are going to define it one way, operating guys another, and if you define it as my up-front cost to fix everything, it's a big number. but i would offer to you a lot of what they're spending today is not even relevant. they could cut their costs and
8:29 am
be more relevant by using some of the later technologies that could be used to protect their infrastructures.
>> host: so it's, in your view, long term versus short term in this case?
>> guest: correct.
>> host: and we have been talking with bill conner, president and ceo of entrust. mr. conner, thank you for coming to "the communicators" studio. gautham nagesh of cq, you as well. and this program as well as the hearing that we have been discussing on cybersecurity is available to watch online at c-span.org. the hearing was held on february 8th, 2012, and you can search it in our video library there.
>> just ahead, the chairman of the commodities futures trading commission talks about his agency's role in safeguarding consumer rights. then live coverage of this year's annual u.s./israel policy conference with remarks by senate homeland security