
tv   The Communicators  CSPAN  February 25, 2013 8:00pm-8:30pm EST

8:00 pm
>> host: beginning with his state of the union address earlier this month president obama handling the framework for enhanced cybersecurity protection. here's the president from earlier this month. >> we know foreign countries and companies swipe at our corporate secrets. now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic
8:01 pm
control systems. we cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. that is why earlier today i signed a new executive order that will strengthen our cyber defenses by increasing information sharing and developing standards that protect our national security, our jobs and our privacy. >> host: michael daniel is the president's cybersecurity coordinator. mr. daniel, did the president's executive order of february 12, 2013 he talks about vital infrastructure. how is the white house defining vital? >> guest: vital infrastructure is really defined as that infrastructure that if something really bad happened to it lots of really bad things would happen in the real world. in other words, significant damage to our national security, significant economic disruption and potentially loss of life and
8:02 pm
specifically in the cybercontext means that infrastructure that if something happened in the cyber realm you could have the resulting physical effects in the real world. >> host: so a lot of those infrastructures though are in private hands, is that correct? >> the vast majority are in private hands well in excess of 80%. >> host: will these private companies, banks etc. have to participate in the cybersecurity enhancement? >> guest: well i think for the most part it will be a voluntary and collaborative process with industry for them to participate if you sort of look through the executive order and follow how the framework is laid out, first you have nist leading a collaborative process with the national institute of standards and technology leading a collaborative process to develop the framework and then the department of homeland security will set up a voluntary program to encourage adoption of that framework. at the same time the primary
8:03 pm
regulators in the federal government will look at their regulations and requirements into system relative to that framework that it has developed. and if they believe that their regulations and requirements are not sufficient in that area, then they could in theory impose new regulations or executive actions that would require infrastructure to be brought up to that level. but i think for the most part you will find it will be a voluntary process for a company to participate. >> host: there are some deadlines in this executive order, 120 days, 240 days etc. will congress have a role in developing this cybersecurity package? >> guest: for the executive order that by definition it is driven from the executive branch side. from our perspective, the executive order is a down payment on legislation that we ultimately need to get to. so we view the executive order
8:04 pm
and the tasks and activities going on underneath it as advancing the cause of cybersecurity and advancing some of the issues that were raised in the congressional debates previously but we still have to have congress enact legislation in cybersecurity. >> host: michael daniel as the cybersecurity coordinator what is your role in this? >> guest: i describe my role as being the chief -- for federal cybersecurity. it's my job to oversee the policy development processes in the white house and related to cybersecurity and to work on and ensure that agencies are actually implementing their present policies and directives. there is also a big chunk of my job that is really outreach to the private sector and outreach to industry and academia and think-tanks in the state and there is also an aspect of my job that is international in talking to my counterparts in other countries from great
8:05 pm
britain to canada to germany and other parts of the world as well >> host: also joining us here in "the communicators" is gautham nagesh who is the editor of cq role tall -- roll call brief. >> guest: how will the executive order improve cybersecurity and what would the standards do to operationally affect security? >> guest: would be look at what we are trying to do instead of taking the best practices from the leading companies that really do cybersecurity well, and spreading those out to the companies that don't do it quite as well yet, so really i think what you'll see is the framework development taking a lot of the standards that are out there that are already well-known and putting them together in a coherent framework that the company could adopt. i think what you will see is that this will enable companies to better close known loopholes, have a more rigorous process for ensuring that they know their cybersecurity is
8:06 pm
actually where they are and what they need to be doing and i think what you will see is it will help close a lot of the known vulnerabilities and the easy access is that the bad guys have right now. >> guest: those are standards. are those similar to the types of security practices that federal agencies have in place right now? >> guest: no, they would be related and i think if you look to the federal government you would see the same kind of diversity they have in the private sector. some are much further along than others so one of the other priorities that i have is to bring the federal government cybersecurity standards raising the bar there as well. you will see a lot of parallels and of course there are differences between how private industry has to operate and how the government operates. exactly how the framework would be applied it would most assuredly be different but i think you'll see a lot of parallels there. >> guest: there's a lot of governs how federal agencies should secure their systems.
8:07 pm
has that worked and if so, why and if not what are the failings? >> guest: so i would say that fisma has worked but it needs to be updated. it was a good piece of legislation for when it was passed and it moves the ball forward for that time period. but now we have a more sophisticated understanding of what you actually need to do in cybersecurity. for example i would say one of the things that needs to be updated is a move away from a compliance model where you only periodically go back and check every so many years. that isn't really going to work now in the modern cyberspace age it moves too fast. to move to a much more continuous diagnostic approach such that you are as getting information about the state of your network and what assets you have hooked up to the network and what are your vulnerabilities? have you got the latest patching so you have that information in real-time.
8:08 pm
i would say fisma's shortcomings are more in that area and they need to be updated and then completely replace. >> guest: one of the main stumbling blocks to legislation on cybersecurity is the industry believes that any regulatory regime may eventually resemble fisma in that it is more focused on complying than operation of cybersecurity. >> guest: one of the things we have done is we are in the process of developing the executive order and we had extensive outreach with industry and academia. we held dozens of meetings, more than 30 actually with different trade associations and industry groups and companies in one of the things we stressed and that is the process we want to set up collaborative and really rests on the practices that they themselves the leaders in their industries are already doing. it doesn't really do us any good to put out a compliance model that is -- that a company can't
8:09 pm
comply with or doesn't make any sense in their business because the goal is to improve cybersecurity. just checking the block doesn't actually do any good so i would say that the other thing that you can see in the executive order is it's designed to be highly collaborative and bring in industry and have industry be the one that's defining those standards. >> host: michael daniel in section 4 of the executive order cybersecurity information sharing you write, it is policy of the u.s. government to increase the volume, timeliness and quality of cyberthreat information shared with u.s. private sector entities. are u.s. private sector entities required to share more information with the government as well? >> guest: under the executive order the president can only direct executive branch agencies to take action. so under the executive order the only entities that are directed to increase their sharing are on the federal side. we would like to see companies be able to share more
8:10 pm
information with the federal government and we are working to encourage them to do so and are working through ways to have that happen. i think that's one of the areas that we think we need legislation and to eventually deal with some of the issues that are in that space, to enable more integration to flow back into the private sector into the government in a way that protects privacy and civil liberties. that's very important to the administration. but we do need to increase that information flow. >> host: throughout the executive order the word voluntary is used frequently. >> guest: yes, and when you really look at the issues that we face in cyberspace, if you look at the problems and how the federal government has to deal with them you see that no one agency of the federal government can deal with it. it has to be a whole of government approach. similarly we think it's not just the federal government that has to deal with these issues. it's this federal state and local and it also involves a
8:11 pm
private sector and has to be a collaborative approach from all the different parts that are involved working together to tackle the problem. so we are stressing the voluntary part of it because we believe the leaders in the industry that we want to come together that really have the expertise and the skills that make the difference want to make >> host: what are some of the concerns you have heard as cybersecurity coordinator from either companies such as banks and electric companies etc.? >> guest: you hear a lot of different concerns. interestingly enough you know one of the concerns we hear and you see it reflected in volume quality and time, great you have shared information about stuff that happened three months ago. but what about now? that is the reason why we are trying to increase our timeliness so we are out ahead of the issues and we are making progress in that state. i think that we are over the last year particularly we have
8:12 pm
improved our ability to share information and factor with the private sector. also i hear concerns from different sectors about ensuring that the other sectors that they rely on also were increasing their cybersecurity. if you are a bank you are reliant on power and water and transportation to conduct your business. so what i frequently hear it is that all the companies want to ensure that all of the infrastructure sectors are moving together to increase their cybersecurity because everything is so interdependent. >> host: this is c-span's communicators program, michael daniel white house security adviser is our guest and gautham nagesh is our guest. >> guest: you mentioned there were barriers to the government sharing information with the private sector. why is legislation necessary? >> guest: it's not so much the barriers of the government to the private sector side.
8:13 pm
those are really more about policy and how we actually implement it and i think that is one of the things you can see in the executive order. we can ramp that up on the executive branch side and i don't think the barriers are as statutory there as they are policy. in the other direction, i think there are potentially barriers to private companies sharing information with the government based on liability, concerns about the government's ability to protect information once a company gives it to the government. there are also concerns about company to company sharing and competitiveness issues and whether or not that's anti-competitive to share that cyberinformation. so i think from the administration's order they want to have discussions with congress on is are there ways to break barriers to information sharing coming back from the government and between companies? we want to be very careful in
8:14 pm
this space. one of the things i discovered as i worked on these issues is that when you actually begin to get down to what the real statutory barriers are they are often more limited than appears at first blush that we want to be very careful that we don't overshoot any sort of legislation that we pursue. >> guest: you bring that up because the cybersecurity executive order and the administration encourage increased information sharing by companies between each other presumably also in the government. what if anything has changed as a result of the executive order that would allow companies to come together? >> guest: i think what it really does is it directs agencies to put in place the foundation to ensure that we can for example deal with information when it comes into the government to protect privacy and civil liberties so for example one of the key pieces of the executive order
8:15 pm
information practice principles into everything we are doing and cybersecurity. i think that will give the private community and the outside much greater levels of assurance that the government can protect and properly handle information whether it be cybersecurity when it comes in. so i think that should help encourage people or companies for example to have confidence we can handle the information on the federal side. i think that really this is going to be continuing conversation between the administration and congress to work out how to lay the legal framework to make that happen more efficiently and effectively. if that happened now, it's just that you have to negotiate a lot of the agreements company by company, sector by sector at a time consuming and laborious process that really doesn't scale to the level that we need. >> host: michael daniel, what kinds of concerns are you hearing from members of congress about this executive order? >> guest: actually i would say the reaction has been very
8:16 pm
positive and i think most of the members certainly on the democratic side and even on the republican side i think we have seen a very great willingness to talk and open it up to discuss how to actually move forward with this and to help ensure implementation occurs as effectively as possible. >> host: section 7c the cybersecurity framework shall include methodologies to identify and mitigate impact of the cybersecurity framework and associated information security measures or controls on business, confidentiality and to protect individual privacy and civil liberties. how do you envision protecting businesses privacy, individual civil liberty? >> guest: a lot of that has to do with when you look at the way that information needs to be shared, it's about making sure that only the appropriate and necessary pieces of information gets shared when you move information
8:17 pm
around within the federal government so we establish the rules and the clear criteria for when specific pieces of information will be shared and under what conditions. and i think that for example what that means is in many cases for a lot of parts of the government you don't need specific names or attributions to specific individuals. you just need the broad outlines of the incidents that have occurred. so in those conditions only that information would be shared. in other cases law enforcement to respond they need that information but they have a long-standing practice and procedure to protect that kind of information once it's part of an investigation. so i think really this is about sort of substantiating a lot of procedures that are already present in the government of making sure they are robust and actually function efficiently. >> host: michael daniel as you
8:18 pm
well know a lot of news stories in the last couple of days in washington and around the country about china and the headlines are often, china has attacked. a big cover story in bloomberg as well. is this policy directed toward china? >> guest: no, it's not directed at any one specific country. it's really directed at the broad range of threats that we face in cyberspace that stem from any number of frankly domestic and overseas actors. so it's really not targeting any one individual country. >> host: when we see the headlines saying china attacks, what does that mean? who is behind that? >> guest: well, it's hard for me to speculate on what might be behind some of that. i think it's undoubtedly true that we have seen actors that are based in china carry out activities. but we have seen that in
8:19 pm
multiple countries around the world and the attribution problem continues to be difficult in cyberspace. so i think from the administration's side, we try not to focus as much on those sorts of headlines. we really focus on improving our cybersecurity defenses across-the-board so we can't afford whatever actors are behind the intrusions and try to reduce it as much as possible. >> host: gautham nagesh do you think the security company which generated many of the headlines and they have traced it to a building in shanghai that they believe is controlled by the liberation army. what point do the attacks appeared to be -- rise to the military threat particularly if they target critical infrastructure or defense contractor? >> guest: that is actually very good question and one we are continuing to sort through and try to source of a lively
8:20 pm
debate both with the government and the industry in the private sector. if you have to take a step back, one of the questions that i think we are currently wrestling with is exactly what is the government's role in providing cybersecurity to the private-sector? at what point does the government intervene? under what conditions? i think all of those are questions that, while they are much more known in the physical realm we are still trying to figure out what those rules of the road are in cyberspace. >> guest: when does the government intervene in terms of the cyber attack on a private company or organization? >> guest: well certainly if you take for example the recent spate of attacks on the financial sector, the government was very involved with providing information to the financial sector and was very active and requests for technical assistance which they did make upon occasions and that we work
8:21 pm
with them closely to help them figure out what was going on. we have, and i think we would do that with any industry that came to us with those kinds of requests. again, i think that was the impetus behind the executive order of wanting to make sure that our critical infrastructure really has the structures and processes and practices in place to really defend their network. it's in the government's interest to make sure our critical infrastructure can protect itself to the maximum amount possible. >> guest: how well does the intelligence community involved in helping them identify threats? >> guest: i would say in the come back to the whole of government approach. it's really about matches the intelligence community but using the information the intelligence community has with what one person has with the department of homeland security has and the emergency response team and really combining all that
8:22 pm
information across the government and a whole of government approach. i learned that lesson over and over again, but no one agency, no one part of the federal government really has a monopoly on this area and no matter how competent it is it really takes a coordinated effort across the government to address the problem. >> guest: would it be fair to say that the line between civilian and military and intelligence from cybersecurity is not as bright as it is in other policy areas? >> guest: i would say that it's really, you have to take all of their roles together. there are clear lines and clear responsibilities that belong to say the department of homeland security versus law enforcement versus what the military is going to do. not that they are blurred, but it's that you often need tools from across all three of those areas in order to address any one problem. so going back to the information sharing example, you are probably going to want to draw
8:23 pm
on information from overseas. you are going to want to draw on information the companies have, you are going to want to draw on information that law enforcement has and put them all together. that the intelligence community is straying into the department of homeland security. it's that you need all three of those elements working closely together to tackle the problem. >> host: michael daniel what about the u.s.? is it conducting cybersecurity attacks as military action? >> guest: i can't really go into a lot of those types of details but what i can say is that from an overall standpoint, across the board if you look at what the administration is doing in this space, we have been updating and expanding and defining our policies in cybersecurity and cyberoperations across-the-board. you see that in the executive order. you see that in the presidential policy directives
8:24 pm
on critical infrastructure security and resilience. you see it in other strategies and documents that we have really like the administration's international strategy that came out in may of 2011. so really what you see is an evolution of all of these capabilities across-the-board as a tool of statecraft and i would say that we apply the same principles and the same underlying approach to this tool that we do to any of our diplomatic economic law enforcement or military tool and the administration, and i would venture to say any administration will apply it using those same principles. >> host: michael daniels currently serving as president at omb under president clinton and his work there under the administration of george w. bush and is now special assistant to the president the white house cybersecurity coordinator, section 8, part d. the secretary of the department of homeland security shall
8:25 pm
coordinate establishment of a set of incentives designed to promote participation in the program. how do you envision those incentives? >> guest: i think what we are really looking for is a broad set of potential incentives that could encourage companies to adopt their framework and one of the things that we discovered as we were working on the executive order is that there is a lot of possibilities but there is not as much work done to develop the concrete incentives so part of what the executive order is designed to do is to thrash those out. that can range from, you can imagine a whole range of incentives, sort of a good housekeeping seal of approval and companies can use marketing to say that they are following cybersecurity standards all the way up to potentially being put into government contracts if that's possible, that you must meet a certain level of cybersecurity standards and you must employ the standards to contract with the government in
8:26 pm
this area. there's a whole range of things you can imagine in that space and i think we want to explore what those are and try to get creative ideas. >> host: gautham nagesh? >> guest: again there has been a lot of doubt the attacks on organizations regarding trade secrets. they have administration rolled out a strategy to combat that with the discussion of using new diplomatic tools. how much of a priority are cyber security issues into the discussion now and will that change with the release of the new strategy is? >> guest: you know i think it's been very interesting. i think what you see is over the last few years cybersecurity issues have really emerged as a policy issues in a number of different areas. on the diplomatic front i think is certainly much more part of the diplomatic discussion now than it was even four or five years ago. you see it emerging from within the private sector and its emerging from the cio and the computer security emerging as a
8:27 pm
total ceo issue. on the government moving out of the nsa issue into all of the federal agencies and separate these -- deputy secretaries dealing with this issue so when you talk about specific strategies that is one more building block in a long series of efforts the administration has been doing to move this issue forward and put it more in front. >> host: michael one more question. >> guest: cybersecurity has questioned the efficacy of cybersecurity for passes and also we have seen discussion of antivirus software. how effective is the antivirus software in legislation in terms of improving security and what steps you think would best improve the security for u.s. organizations? >> guest: when you look at it across-the-board obviously all companies really need to have a robust set of cybersecurity practices in place no matter
8:28 pm
what industry they are in. really, you need to have updated antivirus software. that's not going to catch everything. you need to know what's on your network and you need to have good access is to know who is on your network. you need to make sure that you can watch your network to know what information is entering your network. basically i think the things that would make the most difference right now is for a company to really make sure they are using the best practices in their industry and really going after the basic, the basic kinds of cybersecurity activities to really raise the bar and then the next thing we really need to do is increase that information flow that we are talking about in all the directions of government industry, industry back to government among companies to really make sure we all have a good sense of what a threat environment is really like and what is really happening. and then that will put us in a
8:29 pm
much better place to actually tackle the long-term more persistent threats and allows us to focus on those. >> host: michael daniel is cybersecurity coordinator for the white house and gautham nagesh is the editor of technology executive briefing here this is "the communicators" on c-span. homeland security secretary janet napolitano said


Uploaded by TV Archive on