tv The Communicators CSPAN May 7, 2012 8:00am-8:30am EDT
8:00 am
programming beginning saturday morning at eight eastern through monday morning at eight eastern. nonfiction books all weekend every weekend right here on c-span2. >> here's a look at what's ahead this morning on c-span2. .. >> this week on "the communicators," the white house cybersecurity coordinator, howard schmidt, talks about
8:01 am
attempted cyber attacks against the u.s. and what the administration wants to do better to protect the nation from cyber threats. >> howard schmidt, what's your responsibilities at the white house? >> guest: i'm special assistant to the president and cybersecurity coordinator, and what that means is when we look at the broad issue of security around technology, everything from around consumers up to and including nation-states, my role is to coordinate this across the government and make sure we're working with the private sector and international partners. >> host: from that perch, how do you view the threat of cyber attack? >> guest: it varies from different sectors and levels of people. for example, when we look at state versus nation-states, there are increasing threats from some countries around the world that basically see this as advantage they're looking to gain. at the other end of the spectrum, we start looking at end users, credit card fraud, identity theft.
8:02 am
as we move much of our lives online, that threat continues to grow as well. >> host: so that said, why is a cyber attack or a cyber breach at sony a national security issue? >> guest: a number of things. one, you look at the massive numbers of people that were involved in this. many people said, well, with the gaming system, it was just their ability to gain a network, but those same operating systems, that same authentication method are not just sony's, they're in government systems. they're in financial services. so that's the sort of thing that gets our attention. well, if it can happen with them, it could happen other places as well. >> host: also joining us here on "the communicators" is gautham nagesh, who is an editor at "congressional quarterly," he edited the technology executive briefing. >> host: thanks, peter. howard, you referenced the need to address various levels of cybersecurity legislatively, i would assume. the house right before the
8:03 am
recess, passed a package of cybersecurity bills aimed at increasing information sharing. the white house threatened to veto that bill before it went to the floor. can you tell us why? >> guest: sure. and let me back up to what we've submitted last year. when we start looking at all the issues we've talked about, from the threats from end users up to national security issues, we as a government looked at what are the things we really need the legislative branch to help us with as opposed to things we can do within the executive branch. so we submitted a proposal last may looking at enhanced criminal penalties for interfering with critical infrastructure, looking at things around organized crime, looking at issues about information sharing both from the government out, etc., and so that was where we started from, and that was based on a lot of work not only amongst -- within the government, but also external partners. so when we saw this proposed legislation, we truly support,
8:04 am
we need the ability to share information. we truly believe that the government has to give some ability for private sector to share not only with the government, with each other, but we can't do that at the expense of privacy, civil liberties, liability about some of the laws that currently exist. and when we saw that after a lot of discussions that that wasn't meeting that threshold, we said, listen, our advisers will recommend a veto if that comes forward. >> host: now, the bill did undergo some amendments before it ultimately passed. have those amendments addressed those concerns sufficiently, or would you still recommend a veto? >> yes, they have not. and that's the challenge we have. some people say, well, gee, they've made progress, that, you know, we're looking for too high of a threshold, and that's not good enough. and when it comes to privacy for american citizens, corporate liability and the ability to share information, when we look at protecting core critical infrastructure, good enough just isn't enough. we as an administration have to have a higher threshold than
8:05 am
that which is why we continue to say if you don't take care of the things similar to what we've put in the proposal for the senate side, that we'll recommend a veto. >> host: you mentioned the fact that actually, and it's regulations that would address core critical infrastructure. the house has expressed a great deal of resistance to anything that smacks of a mandate or regulation. do you believe that it would be possible to get something akin to what was in the white house proposal or the senate package through the house and into law? >> guest: as a nation, i think we have a long list of bipartisanship when it comes to national security issues, particularly those that affect public safety and economic well being, so i continue to hope and feel confident that we will get the smart people together to say, listen, the small regulatory regime that we're talking about, core critical infrastructure very narrowly crafted, very much built on international best practices on the things that corporations should and in many cases are doing for their own business
8:06 am
purposes, we don't see that being asking too much of anybody. so as a consequence when we start getting all the people together in a bipartisan, we hope that need fixes one small piece of the legislation front, and i hope we can come together on that. >> host: now, mr. schmidt, in your administrative briefing to the president or the one you released on april 25th, you say that the following legislative changes are necessary: voluntary government assistance to industry, state and local government, voluntary information sharing with industry. is that what the senate bill says, though, voluntary? >> guest: we're talking about two different things. in one piece what the senate's talking about is core critical infrastructure. not everything that's out there. we want to make a clear distinction between that. when we're talking about the voluntary piece, there's a lot of other pieces of our infrastructure that are not core, critical infrastructure, and we start looking particularly at the roles we
8:07 am
have state government, small and medium-sized businesses, we need to have their ability to help protect themselves as well. give you a quick example, if i may. if you look at a natural event, say an ice storm, a tornado, something that takes place, the governor, elected officials have to deal with that. the federal government at some point comes in and helps out, but they have to worry about paying overtime. and in these economic times if there's something we can prevent in cyber, what we care about. within those jurisdictions we have small and medium-sized businesses that if they can't sell their products, move their goods back and forth, they're impacted as well. so that's the other piece when we look at the voluntary sharing to help those as well. >> host: do you think companies have a responsibility to report cyber attack to the federal government, or in the case of the senate bill, to the department of homeland security? >> guest: yeah. once again, when we look at core, critical infrastructure, absolutely. i don't think any of us as citizens or as government
8:08 am
entities want to say, yeah, we hope you're doing the right thing, and if something happens, you may or may not tell us. we need a higher level of assurance. i think the citizens deserve it, i think the government in our role in order to protect the country has that role as well. >> host: leon panetta last year said we could face a cyber attack that could be the equivalent of pearl harbor. do you agree with that assessment? >> guest: well, it's truly difficult when we start attaching physical events and bring them into cyberspace. can we experience some tremendous disruption through cyberspace whether it's intentional or accidental or even equipment failure? yes. that's why we have to get ahead of this to make sure we reduce that risk, fully understanding we can never, you know, 100% secure everything, but we can reduce the risk significantly. >> host: mr. schmidt, is it tough to compare the world of cyber to physical events or events that have happened in our
8:09 am
past that we want to compare them to? >> guest: it is difficult. and that's one of the challenges we run into all the time, people will talk of different conflicts and say how do we compare that to cyber? first and foremost, cyber connects everything we do. it's used for communication, entertainment, electrical, etc. on the other side, if we lose capabilities, it could affect things we have direct knowledge of. electricity goes out, you can't get water or fuel, we know what that's like in the real world. it doesn't matter whether it's a cyber or physical event, the end result. >> host: next question from gautham nagesh. >> host: thank you. i want to go back to peter's questions because he mentioned pearl harbor. i asked this question of someone from industry on the show
8:10 am
recently, and that is are we at the position, place now where a cyber attack from a foreign state actor or a criminal organization could cause catastrophic damage to our economy or significant loss to life? >> host: you're asking me the same question? >> host: i'm asking the same question. >> guest: the answer is, yes. the idea of having an infrastructure owned and operated by millions of people, corporations, disruptions could be very, very bad. now, once again i have challenges with associating with a particular event and saying it could be the next digital whatever -- >> host: sure. >> guest: but we do recognize there's significant risk out there, those risks are growing. while the risks are growing, we're doing a lot to mitigate some of those, sort of a chessboard piece, but i think we can do more, and that's what
8:11 am
we're compelled to do. >> host: now, the problem, not the problem, but the thorny part of this issue is the very industries regulated under these proposals are mostly lobbying fiercely against this sort of requirement because, obviously, it would open up not just the cost of implementation, but liability concerns when they are, inevitably, part of the attack. so how would you address those concerns, and is there any flexibility with incentives substituting for requirements? where do you think an agreement can be reached there? >> guest: i think when we look at the incentives, we actually have had a significant r&d agenda through the office of scientific policy that we have helped them work on. i'll give you an example, the insurance community. so if a company receives benefit from doing the right thing and getting an insurance benefit from it as well, that's a pretty good incentive. but the bigger picture is what we are looking for and, once again, narrowly crafted to core,
8:12 am
critical infrastructure, these are things businesses should be doing anyway. electrical companies don't get paid unless that meter's spinning or the numbers spinning in the day of smart grid. so as a consequence, there's a business reason to do it. the cost should not be something where the government's imposing some cost on it. the second piece, what we have proposed, not create some new regulatory scheme what now you have to do 15 reports to 15 different agencies. if you already have a responsibility to report, we just need to make sure that dhs has the visibility so they can have a level of assurance that you're doing what you need to do. that's what we're working on. >> host: and one other concern i've heard from the cybersecurity expert side of things is that some of that lobbying has resulted in exemptions in the senate bill in particular. is that a concern for the white house in terms of raising the bar too high for the regulation? >> guest: i think when we start looking at any exemptions that are out there now, hopefully, we reconcile it as the bill moves
8:13 am
forward. but clearly, narrowly crafting core, critical infrastructure may, indeed, have some exemptions to it so we can just continue with business and get that done whereas we're still supporting that narrow piece we need to keep those other industries running and alive. >> host: howard schmidt, you probably saw this, but i want to get your reaction to speaker boehner's quote in the "new york times." the white house believes the government ought to control the internet, government ought to set standards and government ought to take care of everything that's needed for cybersecurity. they're in a camp all by themselves. >> guest: yeah. and i couldn't disagree with that more. i mean, it's quite the opposite. the government, the administration specifically has worked very hard to make sure that internet governance, for example, is a multistakeholder, international piece. we're not looking to go out and say here's a government standard you have to adhere to. there is international standards organization, 27,000 series. there's standards that private
8:14 am
sector has helped build. private sector has helped put forward a lot of these, so that couldn't be further from the truth. what we're trying to do is make sure it's available to everybody by making sure we're having a collaborative, multistakeholder effort to secure cyberspace. >> host: now, you've talked about narrowly crafted to national concerns. >> guest: right. >> host: who's left out of that? >> guest: and, for example, you mentioned a few minutes ago about different businesses and things. things that are not core to power coordination in large metropolitan areas, for example, things that affect our ability to keep airplanes flying on schedule, things like that. those are the pieces we have to look at. once again, the legislation looks to have a dialogue with private sector to identify and define a process on how do we actually define what business process, what company or what sector is going to be a part of this. >> host: some have described the current cybersecurity legislation, particularly the one in the senate, as kind of a
8:15 am
patriot act and that it, there's some privacy concerns here and some freedom concerns. how can you address those? >> guest: yeah. and that couldn't be farther from the truth again. i mean, we were very, very deliberate in putting privacy protections in there at all levels including oversight, making sure that we have independent bodies like the president's civil liberties oversight board, making sure that they are part of this process. so it's been very, very, there's been a lot of work and a very, very deliberate effort to make sure those things that you mention don't occur in this bill. >> host: this is "the communicators," c-span's weekly look at telecommunications, legislation and policy. this week our guest is howard schmidt who is the white house cybersecurity coordinator and special assistant to the president. gautham nagesh is the editor of "congressional quarterly," and he's our guest reporter. >> host: thank you. now, one of the tensions about implementing this cybersecurity plan at the white house the
8:16 am
senate proposed is who should be in charge, and we've seen the democrats in the white house come down largely on the side of the department of homeland security as a civilian agency. however, we've heard from republicans and some other national security stakeholders that they would like to see nsa have a more active role. the white house has been very strong that it should be a civilian enterprise, can you explain why this is? >> guest: i think there's two pieces. this is an all-government effort, and that's the viewpoint we've had. the intelligence community, the department of defense has tremendous capabilities they've built up over the years. they were one of the early adopters when it came to moving networks into an ip-based environment. so the expertise exists. we fully recognize that the fbi, secret service, department of justice has an investigative role and, in some cases, a counterintelligence role. but department of homeland security by congressional law as well as presidential directives have said that you are the body that works with private sector
8:17 am
to help protect critical infrastructure. as well as there is the belief on the fisma implementation for the dot .gov environment as well. we think that gives us the best ability to leverage the components of government but clearly the responsibility with department of homeland security. and i also like to add the department of homeland security over the past years have not only had tremendous leadership from the secretary, the deputy secretary, a number of undersecretaries, but also has recruited and trained some tremendous talent that really understands this area, that comes from private sector, that comes from a background that says, yeah, this is not all about the government. >> host: you actually spoke directly to my next question which is, we have seen the dhs hire a rash of new cybersecurity officials in recent months, but do they have the level of expertise necessary especially when you consider they're competing with the pentagon, the intelligence community and the
8:18 am
private sector for skills that are in high demand? >> guest: right. it used to be a discussion i would have with some of my colleagues i used to work with all the time that would say, yeah, i thought about going to dhs, but i'm not quite sure they're ready for somebody at my level. my response is if you going there would help prepare them better, i think that's what we've seen. the talent that came over that really implemented, we brought someone who was with the energy secretary, ran the cybersecurity for a couple states. we have the talent there. and, granted, it's very competitive which is part of why legislation is looking to give dhs the ability to become more competitive pay wise with not only private sector, but other government agencies. >> host: what do you think of john mccain's approach? no mandates, but protecting infrastructure, according to him. >> guest: yeah, and that's the challenge we have. the idea of somebody saying,
8:19 am
well, i'll do something i'm supposed to do, but don't ask me to prove it, that's a challenge. and is coming from a private sector background and a background with venture capitalists and folks that work in that area, we always ask somebody to say, yes, if you're going to ask me to invest in you which is effectively what we're doing as a nation, that you have to give me some sort of level of assurance that you're going to deliver on these things i'm investing in. we as a government have a responsibility to help foster that. >> host: is there a size of a business that you would say, nah, we don't care about that ten-person company, or not that we don't care, we're not going to make them report to the department of homeland security as well? >> guest: absolutely correct. and that's where, and i keep using the term core, critical infrastructure. things that affect major metropolitan areas or affect health and safety in certain areas. so the small company that's doing great business helping on e-commerce, there's no intent nor desire for them to interfere
8:20 am
with them. on the same token, through other efforts within the executive branch making sure they have this ability and some of the threats that may be out there through ftc, through department of commerce and department of homeland security so they have got the information. so we care about them, but they're not part of this discussion. >> host: but that goes back then to the sony question. why is sony, should sony be part of this core, critical infrastructure? >> guest: yeah. and i'm not sure anyone has suggested sony would. the question was the events that took place at sony were of such a magnitude, we could see them in other, more critical areas, and that's the part we need to focus on. not that sony itself would be part of it, but the fact that we see it happening in other places as well. >> host: is there, and do you foresee a role for the pentagon or the national security agency? >> guest: absolutely. and that's when we talk about the all-of-government approach. the expertise that's been built in the intelligence community and department of defense, no one wants to duplicate or even try to duplicate because the
8:21 am
expertise exists there. but to make sure the department of homeland security has the ability to leverage that as far as fulfilling their mission. >> host: gautham nagesh. >> host: now, you've mentioned the threat to companies, but one of the threats most cited is the advanced, persistent threat from other nations. we've talked about how to secure our networks. what about when does the feel it's necessary to respond, and can you talk about the policy in that area which congress has asked the administration and pentagon to clarify? >> guest: and so when we released the president's international strategy for cyberspace last year, it was sort of the first document that brought all these things together from the prosperity, economic, openness, the defense, the law enforcement capabilities and what not. so when we start the looking at referred to apt or advanced persistent threat and a couple quick pieces on that. while we use the term often "advanced," often times the successful rates of getting into these systems is not advanced.
8:22 am
it's using spear phishing e-mails, disguised as your 2012 pay raise documents. so that's not very advanced, that's just hacking 101. persistence is very much the case, in fact, a threat. so one of the things we need to do, we know the vulnerabilities exist. every expert within the government and outside the government said about 85% of the successful intrusions into systems by presumably nation-states could have been prevented from basic cyber hygiene. that means we can focus on that top 15%, the most insidious and most damaging to the country. then that gives us the ability to follow up with a policy. the president has the ability and his role of commander in chief to designate under any national emergency the tools and resources he's to help mitigate that. >> host: at what point, in your view as adviser to the country, does attack on our nation's infrastructure constitute an act
8:23 am
of war? >> guest: i'm not a lawyer, and we have to look at the totality of the circumstances. as we said in the international strategy, there's a whole myriad of things with any conflict from a diplomatic to an economic to a military response, and all those things have to be part of the discussion based around a specific scenario that may or may not occur in the future. >> host: mr. schmidt, are you seeing evidence that nation-states are actively proposing the use of cyber attacks? >> guest: you know, it's interesting because often times we see an awful lot of nation-states talk about the threats that are out there, their military response, so there's a lot of discussion about that which comes back to part of the international strategy is how do we establish those norms in cyberspace, what are the things that we as nations agree are things that are off the table under the normal day-to-day operations? so we see a lot, we read a lot about it, but the focus is how do we deescalate those things as to don't affect the way the
8:24 am
world interacts is a very, very positive internet. >> host: because we often read about the chinese or the north koreans. what does that mean? >> guest: well, and it's interesting because there's intelligence reports that, basically, accumulate things from their perspective, there's companies, individuals that write their own things. once again, we can't just focus on one piece of it. we're looking with a partnership with the international community including those that are competitive with us to say how can we bring this down a notch to make sure we're not putting our countries and citizens at risk? >> host: cyber attack is a tool that the u.s. could use militarily if it chose to, right? >> guest: and we've called that out. the laws we think apply in cyberspace just like they do in the real world. so these are all the things that our strategy laid out that says here's all the options that are available as nation-states. >> host: do you have a paragraph
8:25 am
or two in the president's daily intelligence report that he gets about cyber attacks on the u.s.? >> guest: yeah. and the president's daily reports are based on products that the intelligence community, based on a lot of situations, so i wouldn't say there's any specific thing that's there on a daily basis. but, clearly, when cyber issues arise at that level, the president would be briefed on it. >> host: if we identified your job as having three constituencies, the president, the congress and the american people, at what level do you have their attention at this point on cybersecurity? >> guest: boy, i think on a high level on all respects. the president cares very deeply on it, he's very much engaged. his state of the union he also addressed the issue specifically around cyber threats. legislative branch, we've seen tremendous bipartisanship in the past for national security and public safety issues, so we have a lot of attention there, the industry community has come
8:26 am
forth and said not only do we understand the threat, but here's what we're doing. we have a lot of efforts taking place out there, and i'd also throw in the broader, more than the president, it's the entire executive branch because the dot.gov are very much a part of it. >> host: gautham nagesh. >> host: absent compromise on critical infrastructure, do you anticipate some of these other measures from the house addressing cybersecurity issues like fisma reform, is that something that the white house would be receptive to, or do they insist on seeing a comprehensive package like the senate bill go through? >> guest: well, we put a lot of effort into taking all these ideas across the government and private sector and culling them down to say here are the specific things we need congress to do which is why we support lieberman, collins, rockefeller and feinstein bill. and piecemeal is going
8:27 am
partway, and we can't afford as a country to go partway. this has been a lot of discussion since 2003 when we released the 2003 national strategy to secure cyberspace. it's time to act on it, and that's why we need to have these all come together at one point. >> host: so would no bill at all becoming law this year be a better situation than the -- >> guest: we'd like to hope we won't be faced with that. cooler heads will prevail, let's get 'em in and move forward. >> host: howard schmidt, on an international level what's a country that we could look at, maybe see as a model of cybersecurity? >> guest: well, it's interesting because many countries are facing the same things we are. owned and operated by the private sector for critical infrastructure. government have a tremendous dependency on it, developing strategies. we've seen probably half a dozen national strategies come out from canada, the u.k., australia in the past months. we have the german government.
8:28 am
we have a really good relationship, confidence-building measures with the russian government. so there's a lot going on in the international world, and i think we're starting at different places, but we continuously dialogue to help shore up each other to make sure people don't have to reinvent the wheel. >> host: and, gautham nagesh, we have time for one more question. >> host: i think international is a good place to close. how big do intellectual property enforcement become in trade talks? obviously, we're speaking to some of these countries that are accused of stealing from our country every day. >> guest: it does come up. the diplomatic, the trade issues, every facet of the dialogue the executive branch is having with our international partners whether it's a strategic economic dialogue or security dialogue, these are part of the agenda. and increasingly even a higher
8:29 am
point within those dialogues. >> host: howard schmidt has been our guest, white house cybersecurity coordinator along with gautham nagesh, editor at "congressional quarterly." gentlemen, thank you. >> guest: thank you. >> just ahead, a discussion about executive branch powers and how they're used today with former deputy attorneys general in the clinton, bush and obama administrations. then fcc chairman julius genachowski how wider broadband access to translate into jobs and greater opportunities for minorities. and then the senate returns to begin debate on a bill to prevent student loan interest rates from doubling in july. >> later today, ban ki-moon talks about the u.n.'s role in postconflict situations. he'll be speaking a