tv The Communicators CSPAN February 25, 2013 8:00am-8:30am EST
8:00 am
>> you've been watching booktv, 48 hours of book programming beginning saturday morning at 8 eastern through monday morning at 8 eastern. nonfiction books all weekend, every weekend right here on c-span2. >> you're watching public affairs programming on c-span2. here's a look ahead. next, "the communicators" talks with white house cybersecurity coordinator michael daniel about president obama's executive order issued earlier this month and the increasing number of cyber attacks on the u.s. from china. then a discussion about nuclear weapons in the middle east and america's declining influence in the region. after that we're live with the closing session of the nation's governors' annual winter meeting as they discuss personal responsibility in relation to government policies with their guest, tv's dr. oz. and later the senate returns at 2 eastern following its weeklong presidents' day recess when
8:01 am
senator kelly ayotte delivers the annual reading of george washington's farewell address. >> at age 25, she was one of the wealthiest widows in the colonies, and during the revolution, while in her mid '40s, she was considered an enemy by the british, who threatened to take her hostage. later she would become our nation's first first lady at age 57. meet martha washington tonight in the first program of c-span's new weekly series, "first ladies: influence and image." we'll visit some of the places that influenced her life including colonial williamsburg, mount vernon, valley forge and philadelphia and be part of the conversation about martha washington with your phone calls, tweets and facebook posts. live tonight at 9 eastern on c-span, c-span radio and c-span.org. >> host: and beginning with his state of the union address earlier this month, president obama began laying a framework for enhanced cybersecurity
8:02 am
protections. here's the president from earlier this month. >> we know foreign countries and companies swipe our corporate secrets. now our enemies are also seeking the ability to sabotage our power grid. our financial institutions. our air traffic control systems. we cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. that's why earlier today i signed a new executive order that will strengthen our cyber defenses by increasing information sharing and developing standards to protect our national security, our jobs and our privacy. >> host: and michael daniel is the president's cybersecurity coordinator. mr. daniel, in the president's executive order of february 12, 2013, he talks about vital infrastructure. how is the white house defining "vital"? >> well, vital infrastructure's
8:03 am
really defined as that infrastructure that if something really bad happened to it, lots of really bad things would happen in the real world. in other words, significant damage to our national security, significant economic disruption, potentially loss of life. and specifically in the cyber context, it means that that infrastructure that if something happened to it in the cyber realm, you could have the resulting physical effects in the real realm. >> host: so a lot of those infrastructures, though, are in private hands, is that correct? >> guest: the vast majority of them are in private hands, well in excess of 80%. >> host: will these private companies, banks, etc., have to participate in the cybersecurity enhancement? >> guest: well, i think that for the most part it will be a voluntary and collaborative process with industry for them to participate. um, if you sort of look through the executive order and follow how the framework is laid out, first, you have nist leading a
8:04 am
collaborative process with industry to develop the framework. and then the department of homeland security will set up a voluntary program to encourage adoption of that framework. at the same time, the primary regulators in the federal government will look at their regulations and requirements and assess them relative to that framework that nist has developed. and if they believe that their regulations or requirements are not, are not sufficient in that area, then they will -- they could, in theory, impose new regulations or executive actions that would require infrastructure to be brought up to that level. but i think you will find it's going to be a voluntary process for companies to participate. >> host: there are some deadlines in this executive order, 120 days, 240 days, etc. will congress have a role in developing this cybersecurity package? >> guest: well, for the executive order that's something that sort of by definition is
8:05 am
driven from the executive branch side. i think from our perspective the executive order is really just a down payment on legislation that we ultimately need to get to. so we'll, we view the executive order and the tasks and activities that are going to be going on underneath it as advancing the cause of cybersecurity and advancing some of the issues that were raised in some of the congressional debates previously, but we still actually need congress to act and enact legislation in cybersecurity. >> host: michael daniel, as the white house cybersecurity coordinator, what is your role in this? >> guest: i often actually describe my role as being the chief cat herder for federal cybersecurity. it's really my job to oversee the policy development process within the white house related to cybersecurity and to work on ensuring that agencies are actually implementing the president's policies and directives in this space. there's also a big chunk of my job that is really outreach to the private sector and outreach
8:06 am
to industry and academia and think tanks in this space. and there's also an aspect of my job that is international in talking to my counterparts in other countries, you know, from great britain to canada to germany and other parts of the world as well. >> host: also joining us here on "the communicators" is gautham nagesh, who is the editor of cq roll call's technology executive briefing. >> thank you. michael, can you tell us, please, how would the cybersecurity executive order improve cybersecurity for the businesses that take part? what would these standards do to operationally improve security? >> guest: sure. so if you look at what we're really trying to do, it's really taking the best practices that are already extant from the leading companies that really do cybersecurity well and spreading those out to the companies that don't do it quite as well yet. so really i think that what you'll see as this framework develops is it's really about
8:07 am
taking the standards and practices that are already well known and putting them together in a coherent framework that a company could adopt. i think what you'll see is this will enable companies to better close known loopholes, have a more rigorous process for ensuring that they know where their cybersecurity actually is and what they need to be doing, and i think what you'll see is it'll help close a lot of the known vulnerabilities and the easy accesses that the bad guys have right now. >> host: now, those sorts of standards, are those similar to the types of security practices that federal agencies have in place right now? >> guest: so they would be related, and i think you would -- i think if you actually looked at the federal government, you'd see the same kind of diversity that you see in the private sector. some agencies are much further along than others. so one of the other priorities i have is sort of bringing the federal government cybersecurity standards, raising the bar there as well. so i think you'll see a lot of parallels. of course, since there are differences between how private industry has to operate and how
8:08 am
the government operates, exactly how the framework would be applied will probably -- well, almost assuredly be different. but i think you'll see a lot of parallels there. >> now, there is a law that governs how federal agencies should secure their systems, fisma. has that worked, and if so, why? if not, what are the failings? >> guest: so i would say that fisma has worked, but it needs to be updated. it was a good piece of legislation for when it was passed, and it moved the ball forward for that time period. but now we have a more sophisticated understanding of what you actually need to do in cybersecurity. so, for example, i would say one of the things that needs to be updated is a move away from a compliance model where you only periodically go back and check every so many years. um, that's not going to really work now in the modern cyberspace age, right? things move too fast. so we want to move to much more of a continuous diagnostics
8:09 am
approach such that you are always getting information about the state of your network and where -- what assets do you have that are hooked up to the network, and what are your vulnerabilities? have you done the latest patching, so that you have that information in realtime. i would tell you that fisma's shortcomings are more in that area, that it needs to be updated rather than sort of completely replaced. >> now, one of the main stumbling blocks, as you are aware, to legislation on cybersecurity is the industry believes that any regulatory regime may eventually resemble fisma and that it is more focused on complying than operationally including security. how would you mollify those concerns? >> guest: well, i think that one of the things that we've done is, as we were in the process of developing the executive order, we had extensive outreach with industry and academia, really held dozens of meetings -- more than 30, actually -- with different trade associations and industry groups and companies. and one of the things that we stressed in that is the process that we want to set up is one that is very collaborative and
8:10 am
really rests on the practices that they themselves, the leaders in their industries, are already doing. it doesn't really do us any good to put out a compliance model that is not, that companies can't comply with or that doesn't make any sense in their business environment, because the goal is to actually improve cybersecurity. sort of just checking the box doesn't actually do any good. so i would say that the other thing that you can see in the executive order is that it's designed to be highly collaborative and really bring in industry and have industry be the one that is defining those standards. >> host: michael daniel, in section four of the executive order, cybersecurity information sharing, you write it is the policy of the u.s. government to increase the volume, timeliness and quality of cyber threat information shared with u.s. private sector entities. are u.s. private sector entities required to share more information with the government as well? >> guest: well, under the executive order the president can only direct executive branch
8:11 am
agencies to take actions. so under the executive order, the only entities that are directed to increase sharing are on the federal side. we would like to see companies be able to share more information with the federal government, and we are working to encourage them to do so and are working through ways to have that happen. i think that's one of the areas that we think we need legislation in to eventually deal with some of the issues that are in that space to enable more information to flow back from the private sector into the government in a way that protects privacy and civil liberties. that's very important to the administration. but we do need to increase that information flow. >> host: throughout this executive order the word "voluntary" is used frequently. >> guest: yes. and i think the point behind that is when you really look at the issues that we face in cyberspace, if you look at the problems and how the federal
8:12 am
government has to deal with them, you see that no one agency within the federal government can deal with it. it has to be a whole-of-government approach. similarly, we think that it's not just the federal government that has to deal with this issue, it's federal, state and local governments all deal with this issue. and it also involves the private sector. and really this has to be a collaborative approach from all the different parties that are involved working together to tackle the problem. so we're stressing the voluntary part of it because we really believe that it's the leaders in the industry that we want to come together, um, that really have the expertise and the skills to make the difference that we want to make. >> host: what are some of the concerns that you have heard as cybersecurity coordinator from private companies such as banks, electric companies, etc. >> guest: well, you hear a lot of different concerns. interestingly enough, i think, you know, one of the concerns that we hear and you see it reflected in why we set volume, quality and timeliness, okay? great, you've shared information
8:13 am
with us about stuff that happened three months ago. yeah, but what about now? so that's one reason why we're trying to increase our timeliness so that we're out ahead of the issues. and we're making progress in that space. i think that over the last year in particular we've really improved our ability to share information faster with the private sector. um, i also hear concerns from different sectors about ensuring that the other sectors that they rely on also are increasing their cybersecurity. you know, if you're, if you're a bank, you're reliant on power and water and transportation to conduct your business. so what i frequently hear is that all the companies want to make sure that all of the critical infrastructure sectors are moving together to increase their cybersecurity because everything is so interdependent. >> host: this is c-span's "communicators" program. michael daniel, the white house cybersecurity adviser, is our
8:14 am
guest. gautham nagesh is our guest reporter. >> why is legislation necessary? what are those legal obstacles or otherwise? >> guest: well, it's not so much the barriers on the government to private sector side. those are really about policy and how we actually implement it, and i think that's one thing that you can see in the executive order is we can ramp that up on the executive branch side, um, and i don't think the barriers are as much statutory there as they are policy. in the other direction, um, i think there are potentially barriers to private companies sharing information with the government based on liability, concerns about the government's ability to actually protect information once a company gives it to the government. i think there are also concerns about company-to-company sharing and competitiveness issues and whether or not that's sort of anticompetitive to share that
8:15 am
kind of cyber information. so i think from the administration's perspective one of the places we want to have discussions with congress on is are there ways to remove some of the statutory barriers to information sharing coming back into the government and between companies. i think we want to be very careful in this space. one of the things i've discovered as i've worked on some of these issues is that when you actually really begin to get down to what the real statutory barriers are, they're often more limited than what sort of appears at first blush. and so we want to be very careful that we don't sort of overshoot any sort of legislation that we pursue. >> well, you bring that up because the cybersecurity order and also the new administration strategy for combating trade secrets both increase information sharing by companies between each other, presumably also with the government. what, if anything, has changed as a result of the executive order that would allow companies to come to the government? >> guest: i think what it really does is it directs agencies to really put in place the
8:16 am
foundations to ensure that we can, for example, deal with information when it comes into the government to protect privacy and civil liberties. so, for example, one of the key pieces of the executive order is to really bake in the fair information practice principles into everything that we're doing in cybersecurity. um, i think that will give, you know, the privacy community on the outside much greater levels of assurance that the government can protect and properly handle information related to cybersecurity when it comes in. so i think that should help encourage people, companies, for example, to have some confidence that we can handle the information on the federal side. um, i think that really this is going to be a continuing conversation between the administration and congress to work out how to lay the legal foundations and framework to make that happen more efficiently and effectively. it does happen now, it's just that, um, you've often got to negotiate a lot of those agreements company by company, sector by sector,
8:17 am
and it's a very time-consuming and laborious process that doesn't scale up to the level we need. >> host: michael daniel, what kind of concerns are you hearing from members of congress about this executive order? >> guest: actually, i would say in general the reaction has been very positive, and i think most of the members, certainly on the democratic side and even on the republican side, i think we've seen a very great willingness to talk and openness to discuss how to actually move forward with this and to help ensure that implementation occurs as effectively as possible. >> host: section 7c, the cybersecurity framework, shall include methodologies to identify and mitigate impacts of the cybersecurity framework and associated information security measures or controls on business confidentiality and to protect individual privacy and civil liberties. how do you envision protecting businesses' privacy,
8:18 am
individuals' civil liberties? >> guest: i think a lot of that has to do with, um, when you look at the way that information needs to be shared. it's really about making sure that only the appropriate and necessary pieces of information get shared when you move information around within the federal government. and so we establish the rules and the clear criteria for when specific pieces of information will be shared and under what conditions. um, and i think that, for example, what that means is that in many cases for a lot of parts of the government you don't need specific names or attributions to specific individuals. you just need the broad outlines of the incident that has occurred. so that -- and in those conditions only that information would get shared. in other cases, you know, law enforcement to respond to things they need that information, but they need -- but they have longstanding practices and procedures to protect that kind of information once it's part of an investigation. so i think really this is about,
8:19 am
um, sort of instantiating a lot of the procedures that are already largely present in the government, but making sure they're robust and actually function efficiently. >> host: michael daniel, as you well know, a lot of news stories in the last couple days here in washington, around the country, are about china. and the headlines are often "china attacks x." big cover story in bloomberg as well. is this policy directed toward china? >> guest: no. it's not directed at any one specific country. it's really addressed at the broad range of threats that we face in cyberspace that, you know, stem from any number of both, frankly, domestic and overseas actors. so it's really not targeted at any one individual country. >> host: so when we see the headline saying china attacks, what does that mean? who is behind that? >> guest: well, it's hard for me to sort of speculate on what
8:20 am
might be behind some of that. i think that it's, you know, undoubtedly true that, um, we have seen, you know, actors that are based in china carry out activities, but we've seen that, you know, in multiple countries around the world. and the attribution problem continues to be difficult in cyberspace. so i think that from the administration's side we try not to focus as much on those sorts of headlines and really focus on improving our cybersecurity defenses across the board so that we can thwart whatever actors are behind the intrusions and try to reduce them as much as possible. >> host: gautham nagesh. >> speaking to attribution, the security company released this report which generated many of the headlines, and they have traced these attacks to a building in shanghai they believe is controlled by the people's liberation army. at what point do attacks that appear to be sponsored by a foreign state rise to the level of a military threat,
8:21 am
particularly if they target critical infrastructure or, say, a defense contractor? >> guest: i think that's a very good question, and one that we are continuing to sort through. frankly, it's the source of a lively debate both within the government and industry and the private sector. if you actually take a step back, one of the questions that i think we're currently wrestling with is exactly what is the government's role in providing cybersecurity to the private sector. at what point does the government intervene. under what conditions. i think all of those are still questions that, um, while they are much more well developed in the physical realm, we're still trying to figure out what those rules of the road are in cyberspace. >> can you speak to currently when does the government intervene in terms of a cyber attack on a private company or organization? >> guest: well, certainly if you take, for example, the recent spate of denial of service attacks on the financial sector,
8:22 am
the government was very involved with providing information to the financial sector and was very active when they had requests for technical assistance, which they did make upon occasions, and we worked with them closely to help them figure out what was, what was going on. um, we have -- and i think we would do that with any industry that came to us with, you know, those kinds of requests. again, i think that was some of the impetus behind the executive order of wanting to make sure that our critical infrastructure really has the structures and processes and practices in place to really defend their networks very robustly. because it's in the government's interest to make sure that our critical infrastructure can protect itself to the maximum extent possible. >> and how involved is the intelligence community in providing that information to companies and helping them identify attacks? >> guest: well, i would say that when you look at it, again, i come back to the whole of government approach, it's really
8:23 am
about not just the intelligence community, but fusing the information that the intelligence community has with what law enforcement has, with what the department of homeland security has through the cert, the computer emergency response team, and really combining all of that information across the government in a whole-of-government approach. that's one thing that you just, i learned that lesson over and over again, that no one agency, no one part of the federal government really has a monopoly on this area, and no matter how competent or good it is, it really takes a coordinated effort across the government to address the problem. >> so would it be fair to say that the line between civilian, military and intelligence on cybersecurity is not as bright as it is in some other policy areas? >> guest: i would say that it's really that you have to take all of their roles together. um, so there is -- there are clear lines and clear responsibilities that belong to, say, the department of homeland security versus law enforcement versus what the military is
8:24 am
going to do. so it's not that they're blurred, but it's that you often need tools from across all three of those areas in order to address any one problem. so going back to the information-sharing example, you're probably going to want to draw on information from overseas, you're going to want to draw on information that companies have, you're going to want to draw on information that law enforcement has. so you need to put all of those together. it's not that sort of law enforcement is straying into areas that belong to intelligence collection or that the intelligence community is straying into things that belong to the department of homeland security. it's really that you need all three of those elements working very closely together to tackle the problem. >> host: michael daniel, what about the? has it conducted cybersecurity attacks as threats or as military actions? >> guest: well, i can't really go into, um, a lot of those kinds of details, but what i can say is that from an overall standpoint, um, across the board if you look at what the administration is doing in this
8:25 am
space, we have been updating and expanding and defining our policies in cybersecurity and cyber operations across the board. you see that in the executive order. you see that in the presidential policy directive on critical infrastructure security and resilience. you see it in, um, other strategy documents that we've released like the administration's international strategy that came out in may of 2011. um, so really what you see is the evolution of all of these capabilities across the board as a tool of statecraft. and i would say that we apply the same principles, the same underlying approach to this tool that we do to any of our diplomatic, economic, law enforcement or military tools. and that the administration -- and i would, i would venture to say any administration will apply it using those same, those same principles. >> host: and michael daniel is currently serving his third president. started at omb under president
8:26 am
clinton, worked there under the administration of george w. bush and is now special assistant to the president and white house cybersecurity coordinator. section 8, part d: the secretary of the department of homeland security shall coordinate establishment of a set of incentives designed to promote participation in the program. how do you envision those incentives? >> guest: so i think what we're really looking for is a broad set of potential incentives that could encourage companies to adopt a framework. and one of the things that we discovered as we were working on the executive order is that there's a lot of possibilities, but not as much work has been done to develop those into concrete incentives. so part of what the executive order is designed to do is to flesh those out. and that could range from, you know, you could imagine a whole range of incentives, right? sort of a good housekeeping seal of approval, right? companies could use in marketing
8:27 am
to say that they're actually following cybersecurity standards all the way up to potentially being put into government contracts if that's possible to, you know, that you must meet a certain level of cybersecurity standard, you must employ these standards to have a contract with the government in this area. so there's a whole range of things that you could imagine in that space. and i think we want to explore what those are and actually try to get some creative ideas. >> host: gautham nagesh. >> again, there has been a lot of talk about the attacks on u.s. companies regarding trade secrets. the administration rolled out a new strategy to combat them. discussion of using new diplomatic tools as pressure, how much of a priority are cybersecurity issues in diplomatic discussions now, and will that change with the release of the new strategy? >> guest: well, you know, i think it's been very interesting. i think what you see is, um, over the last few years cybersecurity issues have really emerged as a policy issue in a number of different areas, on the diplomatic front. i certainly think it is much
8:28 am
more part of diplomatic discussions now than it was just even four or five years ago. you see it emerging from within the private sector, it's emerging from the cio and the computer security geeks, right? it's emerging as a total ceo, c suite, you know, issue. on the government side it's moving out of just being, you know, thought of as an nsa issue into all of the federal issues and secretaries and deputy secretaries having to deal with this issue. so i think when you talk about that specific strategy, that's just one more building block in a long series of efforts that this administration has been doing to move this issue forward and put it more front and center. >> host: time for one more question, mr. nagesh. >> cybersecurity experts have questioned the efficacy of legislation if it passes. also we've seen some discussion of antivirus software. what -- how effective is the antivirus software legislation in terms of improving security, and what steps do you think
8:29 am
would best improve the security for u.s. organizations? >> guest: i think that when you look at it across the board, obviously, you know, all companies really need to have a robust set of cybersecurity practices in place no matter, um, you know, no matter what industry they're in. really you need to have updated antivirus software. you've got to have that. that's not going to catch everything. you need to know what's on your network, you need to have good practices to know who's on your network. you need to make sure that you can watch your network and know when information is entering or leaving your network. um, basically, i think that the things that would make the most difference right now is for companies to really make sure that they're employing the best practices in their industry. and really going after those basic, those basic kinds of cybersecurity activities to really raise the bar. um, and then the next thing that we really need to do is increase that information flow that