
tv   U.S. Senate  CSPAN  August 6, 2013 9:00am-12:01pm EDT

9:00 am
>> if we turn away from the needs of others, we align ourselves with those forces which are bringing about this suffering. >> the white house is a bully pulpit, and you ought to take advantage of it. >> obesity in this country is nothing short of a public health crisis. >> i think i just had little antennas that went up and told me when shall be had their own agenda. >> there's so much influence in that office, it'd be just a shame to waste it. >> i think they serve as a window on the past to what was going on with american women. >> she becomes the chief confidante. she's really in a way the only one in the world he can trust. >> many of the women who were first ladies, they were writers, a lot of them were writers, journalists, they wrote books. >> they are, in cases, quite frankly, more interesting as human beings than their husbands. if only because they are not
9:01 am
first and foremost defined and consequently limited by political ambition. >> roosevelt is one of the unsung heroes. when you go to the white house today, it's really edith roosevelt's white house. >> during the statement you were a little breathless, and it was too much looking down, and i think it was a little too fast. minor change of pace. >> yes, ma'am. >> i think in every case the first lady is really -- has really done whatever fit her personality and her interests. >> she later wrote in her memoir that she said i myself never made any decision. i only decided what was important and when to present it to my husband. now, you stop and think about how much power that is, it's a lot of power. >> part of the battle against
9:02 am
cancer is to fight the fear that accompanies the disease. >> she transformed the way we look at these bugaboos and made it possible for countless people to survive and to flourish as a result. i don't know how many presidents realistically have that kind of impact on the way we live our lives. >> just walking around the white house grounds, i am constantly reminded about all of the people who have lived there before and particularly all of the women. >> first ladies: influence and image, a c-span original series produced in cooperation with the white house historical association. season two premieres september 9th as we explore the modern era and first ladies from edith roosevelt to michelle obama.
9:03 am
>> and we're live this morning for a daylong discussion on cybersecurity challenges facing the electric sector and ways industry and government can work together to protect the nation's electric grid. it's hosted by the bipartisan center here in washington d.c. speaking now is joe krueger of the bipartisan policy center. this is just getting underway. >> we expect to release a report with some recommendations for policymakers in the fall, so stay tuned for that. so i'm going to stop there. thank you again for coming. thank our partners in this, eei and eric, for helping us with this workshop. one housekeeping thing, at the end of each session we'll have time for questions, there are microphone stands set around the room, so we'd ask you to sort of come up, and introduce yourself before you ask your question. so with that, let me introduce my colleague, carie lemack, who's the director of bpc's homeland security program, and she will introduce our keynote
9:04 am
speaker. thank you. >> good morning. well, i know you didn't all come here to listen to me, so i'm going to make this very short and sweet. my name is carie lemack, i'm the director of the homeland security project at the bipartisan policy center. it is chaired by former governor tom kean and former congressman lee hamilton who some of you may remember as the cochairs of the 9/11 commission, and they have come together along with a group of 14 other experts to do their part to make sure that our country's keeping vigilant and remaining ready to thwart any threats that we face. obviously, cybersecurity is something that a lot of people are talking about, but not a whole heck of a lot of people know exactly what to do about it. that's why we're so thrilled to be working with the energy team at the bpc on this very important electric grid cybersecurity initiative. so today we have general hayden
9:05 am
is here to speak for us this morning. he is the cochair of this initiative along with sue tierney and kurt ebert who you'll hear from later. general hayden was the director of the cia and the nsa. he's now a principal at the chertoff group, and he's going to talk to us about the threat as he sees it, and then we'll open it up to q&a, so we'll be very happy to hear your thoughts, and i know he'll give you some of his answers. so without further ado, i want to introduce general hayden. [applause] general hayden. >> well, good morning, and thanks for the chance to chat with you a bit today. as carie suggested, i'll try to limit my transmission up here to about 20 minutes and then leave about 15 minutes for any questions or comments that you might have. as already suggested, my purpose here is what my army buddies
9:06 am
used to call the briefing with the big hand and the little map, all right? i get to do the strategic overview. and what you have following me are people far more expert than i in the specific definitions of the problem and specific responses to the problems that i think we're all going to identify here today. folks from government, folks from industry, federal government, state and local government, think tanks who can come and perhaps begin to map out a way ahead that we certainly want to see reflected in our final report. so let me begin, as i said. big hand, little map, broad concepts and then as the day goes on we'll burrow down into more specifics. first of all, let me point out the obvious. i mean, this cyber thing is pretty important. i think it's here to stay, and we kind of messed it up. now, i actually did that at a black hat conference about four summers ago in las vegas. i leaned forward, i'm in the
9:07 am
ballroom of caesar's palace with the 3,000 reformed or semireformed hackers, kind of leaned out into the darkness with the bright lights on me and said, look, as an american g.i., i view cyber as a domain. you know, land, sea, air, space, cyber. and i know who did these four, and frankly, i think he did a reasonably good job. and i think i know who did this one, and that's you, and i kind of leaned into the darkness, and said i really do think you messed it up. and thankfully, no one said get a rope. the response was kind of, you know, mild giggles, and we moved on. but we did kind of screw it up. look back at the history of this thing. i mean, we're lucky enough, you know, to have the people who created this still among us. vint cerf is living over there in great falls, for example, and he comes to my class at george
9:08 am
mason about once a year to talk to students about, you know, being out there at stanford and starting to plug things in and respond to the statement of work from arpa, you know, give me something that connects a limited number of labs and universities so i can move information quickly and easily. keep in mind what that statement of work was. quickly, easily, limited number of nodes, all of whom i trust. and that remains the architecture of today's worldwide web, and that's why we're in the position we're in. it wasn't built to be protected. it made no more sense to build defenses into that original concept than it would be for you and me to put a locked door between our kitchen and our dining room. i mean, the whole architecture of the house is designed to get the food from the kitchen to the dining room while it's still warm. why in god's name would you put a locked door between the two?
9:09 am
now it's an unlimited number of nodes most of whom i don't know, and a whole bunch don't deserve to be trusted, and that's as clear as i can put it in my liberal arts background statement of the problem. let me talk about cyber sins and sinners since i've already suggested it's a pretty tough neighborhood, all right? three layers of sins. the first layer of sin, they're just stealing your stuff. and the former deputy secretary of defense who wrote what i think is still the seminal article on the american thinking of cyber domain, bill lynn pointed out almost all the things we fret about on the web are in the range of stealing your stuff. it's cyber espionage, it's personal identifiable information, it's your pin number, your credit card number, they're stealing your stuff. the second layer and, actually, you're going to get the tone of
9:10 am
this commentary here pretty soon like things are getting worse, the second layer -- and it's becoming more active -- is not just stealing your stuff, all right? it's disrupting your network. so i'll throw out examples. estonia 2007, remember patriotic russian hackers crashing the estonian internet system because they were mad they were moving a memorial to the red army out to the suburbs? same patriotic russian hackers, 2008, invasion of georgia bringing the georgian net to its knees, a net which the government was using for command and control. more current, more problematic, more personal for you and me. 35,000 hard drives wiped clean. pick your enterprise, imagine yourself going back home to wherever it is you work, and imagine tomorrow 35,000 hard drives being wiped clean. you get the picture.
9:11 am
and, frankly, although our government hasn't quite announced it yet, i think you and i know that's the iranians. and the iranians apparently are somehow feeling offended in the cyber domain, we'll get to that in a minute, have been attacking american banks with massive distributed denial of service attacks. you know, serial attacks against wells fargo, jpmorgan chase, the list goes on. i talked to one security officer who said on a normal weekday you and i hit their web site about 15,000 times a minute to cash a check or move our money. they're getting three million hits a minute at the height of the iranian attacks. so a lot more disruption. and they steal your stuff, disrupting your network and then finally using this domain up here to create effects not confined to my thumb, but creating effects down here. and the most dramatic example of that, of course, is stuxnet which destroyed about a thousand
9:12 am
centrifuges. now, stuxnet was almost certainly conducted by a nation-state because it's too complicated to be done in your garage or basement, all right? look, given my background, carie said, former director of cia, former director of nsa, i think that's absolute unalloyed good. but i'll describe it for you in slightly different words. someone, almost certainly a nation-state during a time of peace, just used a cyber weapon to destroy another nation's critical infrastructure. ouch. that's a big deal. you may or may not have seen me making a comment on "60 minutes" about a year and a half ago in which i kind of characterized that as somebody crossing the rubicon. you've got a legion on the other side of the river now, and life is going to be very, very different. so those are your sins, right? stealing your stuff, disrupting your network, destroying your infrastructure. who are the sinners? nation-states. you know that. criminal elements. and then, finally, this third
9:13 am
group that i really have trouble defining, anarchists, activists, anonymous, 20-somethings who haven't talked to the opposite sex in five or six years, okay? [laughter] blessedly, the capacity to do harm is pretty much the way i laid out the taxonomy. governments are by far most competent, criminal gangs, the next layer, and then you've got, you've got this group down here. and that's kind of good, because as bad as governments could be, sooner or later governments can be held to account. you've got criminal elements, and they could be pretty dangerous and, you know, they're kind of guns for hire, but fundamentally criminals want to make money. and they enter into a symbiotic relation with whatever their target is. and it's a strange creature, a strange parasite in nature who
9:14 am
enters into a symbiotic relationship with a host that they want to kill or destroy. and so i think even criminals are somewhat limited. what worries me is this gang down here. blessedly, right now they're least capable. but you know better than i that the tide's coming in, and all the boats in the harbor are going up here. and so this group is beginning to acquire capacities that maybe a year or two or three ago we equated only with some of the more competent, more capable groups. in other words, as time goes on, we're going to see in this group down here whose demands are actually hard to define, whose demands may be unsatisfiable, okay? beginning to acquire the capacities that we now associate with nation-states. let me just drill this down to something very, very specific. if and when our government grabs edward snowden and brings him back here to the united states for trial, what does this group
9:15 am
do? well, they may want to come after the u.s. government but, frankly, you know, the dot.mil stuff is about the hardest target in the united states. so if they can't create great harm to that, who are they going after? who for them are the world trade centers? the world trade centers as they were for al-qaeda. okay? so i guess what i'm suggesting is this is, this is going to get worse before it gets better. and i mentioned it being very hard up here. let me give you a couple reasons why it's really hard for us to defend ourselves up here. number one, look, i'm sorry, pull you through kind of a dod, a department of defense knot hole here and talk about intelligence and operations for a minute. bear with me, i think it's a very relevant point. down here in these domains where, frankly, i conducted intelligence for most of my career, okay? intelligence is what you do
9:16 am
before the operation. you've got to know your enemy before you conduct an operation against your enemy. so it's sequential. intel first, operations next. i'd also suggest to you that as hard as intelligence was sometimes, intelligence almost always -- this is pretty close to a universal rule -- intelligence gathering almost always was easier than the actual operation you were going to try to perform eventually. i'll just throw out an example from the cold war. you've got the soviet union, you've got those missiles out there beyond the urals. finding those missiles, they're actually kind of hard. dealing with those missiles, much more difficult prospect. much more difficult proposition. that's in the physical domain. now, let me pull you up here to my thumb, okay? reconnaissance up here still happens before operations.
9:17 am
you've got to know the target before you operate against the target. but unlike the physical domain, the reconnaissance is harder. unlike the physical domain, it's more difficult to penetrate a network, live on it undetected, extract what you need from that network for a long period of time and to continue to operate on it. it's far more difficult to do that than it is kind of figuratively or metaphorically kick in the front door and melt some gray tooths or something. in other words, up here the attack, the disrupt or destroy thing, the attack is a lesser-included case of the reconnaissance. if i can live on your network undetected for intelligence purposes, i've already established far more than enough
9:18 am
control to use your network for disruption or destructive purposes. do you see the parallel i'm trying to draw here? so that's why president obama in this year's state of the union when he kind of makes his cyber point there about midway through the speech talks about enemies on our networks, enemies on our grid and why that is so disturbing. because if they're on there and undetected, they already have the -- whatever their intent, okay? whatever the intent, they already have the capacity to do harm. now, i think without question, you know, the country that's out there stealing our stuff the most is china, and there is evidence if you realize kevin mandia's report, that white paper he put out several years back about the chinese and that unit in shanghai, there's evidence they're out there on industrial control networks as
9:19 am
well as just penetrating networks to steal our stuff, intellectual property, trade secrets, negotiating positions and the like. but, frankly, i find it hard to imagine circumstances where china would want to do something incredibly destructive to any american network, the grid absent a far more problematic international environment in which the cyber attack is itself part of a larger package of really, really bad things. but bear with me for a moment. i mentioned iran a few minutes ago. what would prompt iran -- a second rate power overall but a very bright nation with very technically-competent people -- what would prompt iran to try to inflict economic pain, economic damage on the united states? sanctions? sanctions with no hope of relief
9:20 am
what we used to euphemistically call while i was in government limited kinetic action against iranian nuclear facilities? look, these are all fanciful scenarios and, you know, i'm not trying to be predictive up here. i'm just trying to be illustrative. okay? as i said, this'll get worse before it gets better. now, a few words on -- well, okay, how do we make it better? okay, i got it. you've got some trend lines out there that a lot of this is heading south. what are things we can do to stop it from heading south? what are the steps we can take as a prudent people? and, again, up here on my thumb, all right? it's much harder for us to defend ourselves up here. i already told you about the geography. we created it incorrectly. we didn't build any ravines, rivers, oceans or valleys into this domain, so defense is very, very hard.
9:21 am
i'm willing to accept the proposition that the united states of america will forever have one of the least well-defended networks on this planet. and we will have one of the least well-defended networks on this planet because of james madison and alexander hamilton and all those other good folks who wrote the federalist papers, okay? we have not, we as a people have not yet created a consensus as to what it is we want our government to do up here or what it is we will let our government do up here. down there in the portfolio, okay? usually at this point in the speech with less knowledgeable
9:22 am
audiences i pull my iphone out and say, hey, look, give me another 15 minutes, i'll convince you this is the gateway to conflict, and you'll be all scared of your iphone and your blackberry, all right? and i usually get the response from the audience, yeah, he's right. this is -- when i bought my iphone, i was in the apple store, there with my wife two years ago. i'm upgrading here this month. contract's over, new phone. [laughter] so i'm in the apple store over in northern virginia, and you know how it works, young kid comes up to you, he's got stuff around his neck, he sells me an iphone. and he's telling me its features, and he points to the iphone, and he pulls up the page, and he says apps, app store. 400,000 apps available. and then he turns to do something else, and i turn to my wife and said this kid really doesn't know who i am, does he? [laughter] i mean, those are 400,000 attack vectors. okay?
9:23 am
and so i can generally convince an audience this is a gateway to conflict, and most american audiences say, so, okay, where's my government? i pay taxes, why isn't my government defending me? when i'm done with my speech, i hope i get polite applause, then they actually do reach into their coat pocket, they do pull out their iphones and blackberry, and what do they do? they check their e-mail. and what was the zone of conflict of my waving my arms up there 20 minutes earlier and saying where's my government is now the zone of their personal communications. and let me tell you a thought, this does not naturally occur to americans: gee, i wish my government were here. [laughter] and so we have that tension. mike rogers -- [inaudible] a lot about some recent things, but before this stuff blew up, they actually got a bipartisan bill passed through the house of representatives, frankly, a
9:24 am
tremendous step forward. but on balance a very modest bill about information sharing. okay? that thing is dead in the water. this congress is not going to act moving the cyber ball much down the field. and a lot of that has to do with what's been in the news for the last seven or eight weeks, and that's edward snowden. because, frankly, the greatest concentration of cyber power on this planet is a $45 cab ride from here up the bw parkway at the intersection of the baltimore/washington parkway and maryland route 32. okay? keith alexander has got world class athletes, and they're not only not on the field, they're not even on the bench. they haven't even suited up. because you and i haven't figured out what it is we want our government to do or what it is we will let our
9:25 am
government do. and this whole snowden thing, raising the specter of government overreach and so on is going to freeze in this. and so those of you in private industry, i guess the point i really want to make is the next sound you hear will not be a bugle and the sound of pounding hooves as the federal cavalry comes over the nearest ridgeline to your cyber rescue. to a degree you have never expected it down here in the physical domains, you're responsible for your safety up here a lot more personally and corporately than you are down here. by the way, the snowden thing also seemed to have cleared another, i think, useful approach with regard to dealing with this domain and its inherent dangers, and that's international cooperation to create global cyber norms. i mean his release of alleged nsa hacking of chinese computers was timed precisely a few days
9:26 am
before our president met with the chinese president where they were to begin an honest dialogue about appropriate cyber behavior. and that, of course, turned into mutual recriminations as snowden's allegations allowed the chinese to pretend that there was some actual equivalency between american and chinese cyber behavior. so industry's going to have to do a lot more up here than they're accustomed to doing down here. the government is going to be late to eat, and by the way, you're going to have government speakers up here. i tried my best, but i know culturally, politically, philosophically we're going to be late to the meeting. now, the good news is industry understands this a great deal. i've been out of government now almost five years, and i have seen a migration in industries' appreciation of the problem.
9:27 am
as i first started working with the chertoff group after i left government, we got to talk to ctos and csos and cios. we talk to ceos now, and we talk to ceos because the ceos want to talk to us. so government as client has kind of seized the issue. government as provider is also -- i'm sorry, the private sector as client has seized the issue and as provider is also doing some incredibly interesting things. there is just a tremendous intellectual ferment out there in terms of reducing vulnerability or managing consequences or precisely identifying the kinds of threats that you and your industry should be worried about. let me give special credit to two industries who i think are really seized on this issue. one is financial services, and the other is the electric
9:28 am
industry. now, they're very, very different, but they do enjoy one thing in common. if something goes bad, you're going to notice it, okay? in both of those industries. so they know that they're on the x, as we used to say up at langley. and both of them are working very, very hard to do the kinds of things i've suggested they're going to have to do up here to be safer and more secure. the industries are different. there's a lot less personal identifiable information sloshing around in the electric problem than there is in the financial services problem. and so i would suggest to you that the electric industry in addition to being seized of the issue, understanding how lucrative a target they are, understanding the vulnerabilities that others might try to exploit, in addition to all that the electric industry might actually be the trail breaker here. the electrical industry might actually have the opportunity
9:29 am
since they have perhaps a few less of the problem sets that financial services might have, they may be able to establish precedents up here in this new domain, precedents that not only, a, help the industry better defend itself but, b, break trail, as i said, for the kinds of relationships we're all going to have to develop over time between the private industry and government. so that's kind of the topic we have here for today. how's the electric industry going to scope the problem. what are the avenues by which they can move forward. the point i simply wanted to make here at the end is other industries are going to go to school on what this industry does. and that actually is a pretty attractive proposition. with that, i've used up my allotted time, and i know carie said we could have questions, and the
9:30 am
microphones there, so i'm very happy to take whatever you might have. are you going to moderate? >> and what evidence do you have that causes you to say stuff like that? >> you heard me say, it's not predictive. i'm just trying to illustrate that you got a group of people out there who make demands, whose demands may not be
9:31 am
satisfied, may not be rational from other points of view, may not be the kinds of things government him a comedy. certainly mr. snowden has created quite a stir, and global transparency and the global web kind of ungoverned and free, and i don't know that there's a logic between trying to punish america or american institutions for his arrest, but i hold out the possibility. i could sit here and imagine circumstances and scenarios, but it is nothing more than imagining. >> so you don't think it would be, for instance, a foreign intelligence service that would pull off such a thing? you think it would be a transparency group? if so, what would that level of attacker capability look like? >> again, i said there are three levels of attack. this one down here worries me the most. they become more capable each day. i can't precisely predict where one or another element of the
9:32 am
group might have skills, wonderful abilities, how much of a mass effort they could put together on short notice. i know nothing of that. i do know, you know, wikileaks stage one, they conducted, distributed an attack against credit card companies, paypal and so on, as punishment for the steps they took. it's possible that could happen. >> my name is chris. i found your comments interesting about the way government and private sector are getting bombarded every day with cyberattacks. is it fair to assume one of the potential ways to combat those are both a reduction in the nature of communication electronically, use at an paper until for and that sort of thing come is that one trend? is it fair to assume government and private sector would be looking at dumbing information
9:33 am
across cyber networks and the like if they know they're being attacked, i assume you could create dummy data to send people down rabbit holes from a cyber perspective? might those be a couple of ways to combat this? >> yeah, easily. and to make it less lucrative, more problematic, keep the less talented from stealing, for example, and those are less sophisticated. one idea i've heard, i would be truly making it up, from my liberal arts background, people talk about dot secure, kind of an additional network, kind of going up here and taking a mulligan up here, getting a do over, and who doesn't i'm doing what we have. keeping what we have for everybody who wants to buy their own privacy and post things on facebook. and so it. they enjoy the freedom.
9:34 am
but they create another more secure environment over here that is less ubiquitous, less easy-to-use, requires multiple factors set, isn't nearly as fast, has a high degree of latency built-in. it's really hard to take your money. again, i'm a history major. i don't reason by technology. i reason by example so i was in london 30 years ago. has anyone been to soho in london 20 or 30 years ago? it's been cleaned up now. so i then, theater, arts, dance, freedom, liberty, license, drugs, prostitution, petty theft, okay? that's kind of over here where you get the maximum liberty, the maximum danger. there are other neighborhoods in london that are incredibly boring. in fact, most of the houses had fences around them. i don't think they're nearly as interesting as soho but then
9:35 am
again there wasn't much because they're either. so there may be a future in which we begin to build an alternative universe that actually is, and has security from the beginning rather than trying to apply it here as an applicant. >> general hayden, you've been very interesting this morning in terms of, you said you are only 10% provocateur. that may be true. somewhere else if you're talking, it would be considered probably 90% but let me tell you why. because you raise this notion and you said apprehension. and, of course, the russians and the chinese would consider it kidnapping. of course, and let's say you mentioned even iran. i'm sure you remember that the united states and israel together
9:36 am
hacked iranian nuclear facilities first, before they started attacking the financial, solar. so given that, the days are evocative speech are getting here, is that meant to provoke the united states government to give more contracts? >> first of all, the chertoff group is not a government contractor. we have all had our fill of the government. there were questions in there, hang on. [laughter] there are two countries on earth that have a cyber command, to the best of my knowledge. one of them is the republic of korea, the other is the united states of america. by the way, i mentioned bill's article, right? deputy secretary of defense, article, foreign affairs two, three years ago. most important line in the article was the line under the
9:37 am
title, by william lynn, deputy secretary of defense. in other words, the seminal american article on cyber thinking was not written by the deputy attorney general, not by the deputy secretary of commerce, not by the office of science policy in the white house, not by the u.s. trade representative, not by anyone except the deputy secretary of defense. and so, i'm catholic by tradition, so bless me father for i have sinned, i was part of this. we could be accused of nudging the militarization of cyberspace in that direction by the way we've talked about it as a nation, and by the way we organize ourselves as a nation. this article talks about cyberspace the way i talk about the atmosphere as an airman. you talk about air superiority, cyber dominance, used only for your purpose, deny its use for
9:38 am
others, on command. that's how we talk about it. so i did it. okay? and i have no views on who may or may not have conducted the attack against, with the stuxnet virus but that's really a big deal. actually what i said to david sanger was i understand determined and destruction is dramatic but this has the whiff of august 1945. somebody just used a new weapon. this weapon will not be put back in the box. i get all about. but you probably were provoked by my comment about suggesting equivalency between american and chinese cyber behavior. up there in that range, let me go on the record. we are really good at it. as director of the national security agency, i used to do that we were number one when it came to stealing stuff in the cyber domain. but we steal stuff to keep you
9:39 am
free. We steal stuff to keep you safe. We do not steal stuff to make you rich. And that is a big discriminator between ourselves and a whole bunch of other nation-state actors out there. >> Hi, General Hayden. Sir, you seem to be pretty confident about the ability of the private sector and the public sector to safeguard their assets. But in private industry, executives have to make cost calculations. They have to weigh the cost of the mitigation measure against the threat or against the risk. The kind of incidents that you are talking about are probably low probability but high impact, a combination you're familiar with from the intelligence world. Are you comfortable that private industry, facing low-probability incidents that would have a high impact, is going to make the same sort of cost
9:40 am
calculations, expense calculations, that a government agency would make? >> Let me make it even tougher, all right? Very often, even in the event of a low-probability, high-impact attack, the cost to the industry is infinitely less than the cost to the surrounding society. I live in northern Virginia; two summers ago the violent storm came through, created great damage, and cost the utility, but I know it came nowhere close to what it cost across northern Virginia. And so in addition to the low probability, you've also got the fact that your costs may be more contained than the cost to the overall society. All true. And, therefore, what you need to do, number one, it's really hard to build a business case for this. Okay, it really is. And so it's more of a broader
9:41 am
responsibility case that has to be made, in terms of good corporate citizenship in addition to the narrow business case. One experimental idea that is not quite tied to what you're suggesting is the whole concept of cyber insurance, which then spreads both the costs of defense and the costs of catastrophe over a wider audience. I don't know quite what cyber insurance looks like. I don't know the equivalent of collision, comprehensive and personal injury, but I can imagine cyber insurance for "I lost my stuff," "I lost my network," "my network was used to harm somebody else," or "I've got a big class action suit because all that personal information is out there." But there may be ways to create that structure of insurance, and then within the insurance, you know, I can check the shingles on my house now before I buy it
9:42 am
because the insurance is different depending on what kind of shingles I have or if I'm closer to -- you understand. So there may be ways that we collectively spread the burden over the society, that the government fosters mechanisms by which these natural forces take shape and effect, rather than the guy with a whistle and a clipboard kind of coming to your industry and checking things off. Sorry, great question, and we have a lot of work to do. But I think there are ways. >> I think we have time for one more question. >> Thank you, General, for your comments. I'm with the state utilities commission from Missouri. You had mentioned in your talk Congressman Rogers' House bill, which stressed information sharing. My question is, how important do you think it is for the federal government to share information about threats with the utility sector?
9:43 am
And do you think the federal government is doing a good job in that area of developing relationships with the electric sector, in sharing information about threats that, you know, the electric industry can take into account and respond to? >> When I talk to anyone in government, they tell me they're doing a really good job. Now, in the private sector, however, when I talk to other folks, it's not quite the glowing review. Let me take the question and describe a dynamic and a problem inside government. I was Director of NSA for six years. NSA is very famous for its offense, the squad out there stealing stuff. About a fifth of the agency is defense. So NSA also has a responsibility for protecting government secrets here in the United States. That's odd. Not every country in the world has organized its signals intelligence enterprise that way, with the offense and the defense in the same
9:44 am
organization. We've done it that way, and I think we have done it well and correctly. We've done it that way because offense and defense revolve around the same concept: vulnerability. If you've mastered the vulnerability, you can play offense. If you master the vulnerability, you can play defense. In the life of NSA, let's even go pre-cyber. In the life of NSA, we always had a trade-off between the two squads. When you discovered a vulnerability, do you want to exploit it to play offense, or do you want to fix it to play defense? And back in the pre-cyber world we had a pretty well-worn rut in the road as to where that line is. I am willing to enter into a debate that that line may now be in the wrong place. That the old approach, the old calculation of "I want to keep
9:45 am
that vulnerability because I want to use it in the future," may actually be tactically correct, operationally sound, in any discrete one-off decision sort of way. But the cumulative effect of these discretely correct decisions has been a real strategic problem: that industry is not aware of vulnerabilities out there. So I actually think that the trend line -- the trend line will go too far. You know how this works, and we will kick back a little bit. But I think the trend line now is in the direction of more defense, even if it has to be at the expense of offense, and to a degree right now what we need to do with the trend line is to accelerate it as it moves in a positive direction for the time in which we are located. Does that translate? You'll have people raise other things: security clearances, declassification, pooled sharing of information. That's how that works.
9:46 am
But it comes back to the core problem: what do you want to do with the vulnerability? At the level of grand strategy, I think the balance point is perhaps not quite in the right place. >> Thank you, General. >> May I ask you one more thing? Would you talk about the threat of -- what is the role of Mexico and Canada in helping prevent these types of attacks, providing assistance if it happens? I mean, on the other hand, after we know they're receiving information from NSA, how could you believe this information has been helpful to fight these cartels? >> Number one, with regard to EMP, I don't know a lot about it. I do know that when I touched it while in government we had big meetings, realized this is a really hard problem, and for me to say we need to meet again in two or three months. I don't mean to be so flippant,
9:47 am
but there really aren't any solutions to this. So I will just leave it at that. It's hard for me to comment about signals intelligence and drug cartels and so on. It's hard for me to comment specifically about any operational activities, but I would thank you for the question and take the opportunity to say, although the Snowden allegations seem to point to the Americans spying on everybody, all right, actually the Americans share intelligence with almost everybody, to the benefit of both ourselves and our partners, and I'll just leave it at that. Thank you. [applause] >> Thank you very much, General Hayden. That was very helpful. At this point, I'm going to introduce Curt Hébert, who's going to be moderating the next
9:48 am
panel. Curt is also a co-chair of the Electric Grid Cybersecurity Initiative at the Bipartisan Policy Center. He is a member of the Mississippi Bar. He was an executive vice president of Entergy and the youngest chairman of the Federal Energy Regulatory Commission to date. So with that said, I would like to invite Curt and the entire panel to come up. [inaudible conversations] >> Good morning. Great to be here.
9:49 am
I really want to thank the Bipartisan Policy Center for putting this together. As you know, this is the cutting-edge issue right now, and when it comes to risk and how we deal with it going forward, mitigation of those risks has everything to do with our success. And yes, the industry is doing a lot. The industry has already done much to make certain that it is, too. One of the things I really find a little humorous: normally the industry goes last on these panels. You're first here, and I think, how is it -- how is it listed here? What did I do with -- anyway, it has something to do with responding to them, and you get to respond first. So I think that's a great opportunity for you to share exactly what's going on in industry, what you know, how you know it, and then what you think the risks are going forward. Now, as we talk about that, we will move a little bit away from
9:50 am
some of the nation-state stuff, and I know that's the sexy stuff and General Hayden did a wonderful job covering that, but we are going to move to some of the not-quite-as-sexy information about how we check the risk, when we deal with that, how our standards are set and are the standards right; sure, we have minimum standards, but do those minimum standards get in the way? Should we be more risk-based? Those types of questions we're going to get into here with this panel. Because one of the things we know, and one of the things that the BPC said early on, while I co-chair this with General Hayden and Sue Tierney, is that we don't have all the answers. But to talk about the fact that cybersecurity is, in fact, a journey and not a destination: we're not going to reach an end date, like Y2K, where we say okay, we did it right, now we can go home and rest. It's all over. Some very bright people out
9:51 am
there; lots of it has to do with ownership. Some of it has to do with the bad actors. But we do have to ask ourselves, when we look at compliance, does that compliance in and of itself, with fear and penalties, does it actually drive the bar down, perhaps? Should we be looking at another way to do this? As we look at that, understand that you have FERC, DOE, the Department of Homeland Security, DOD, NERC, and don't forget all the state commissions and the municipalities who are all involved in this. And as we look at that, one other question for the industry is, are we perhaps more prepared on the transmission side than we are on the distribution side? And are the states maybe, maybe just a little less prepared than the feds are on this because of the amount of attention that's been paid in the past, and some of the jurisdictional issues and calls? And when it comes to
9:52 am
jurisdiction, should we be looking at criticality of information versus private information when it comes to the sharing of the data? One of the people just got up and asked a question about the sharing of information. Should that sharing of information, do we need to make certain, between the government and the private sector, that it is flowing both ways, that everyone is getting any and all of the information that they need? And I would suggest to you that we probably do need to do that. But as we do that, let's listen to the industry, let's see what they have to say. Because we do know that electricity is the most critical infrastructure we have, right? Because we know that the gas, the water, the telecommunications, all of that is depending on what we do on electricity. So if we fail at electricity, we are going to fail miserably. One of the things we can do: it doesn't matter if you're looking at a Hurricane Sandy, Katrina,
9:53 am
it doesn't matter if you look at some of the blackouts and brownouts we've had; you look at the billions of dollars that are involved in the losses, and the cost to systems and customers, and it's easy to see why we need to go down this road. And I'm going to close with this, and then I'm going to bring the panel on: the one thing that we cannot lose sight of in this, because I can tell you from my experience in this industry as a state commissioner, as a federal commissioner, as a practicing lawyer and then as someone who spent a decade with a Fortune 500 company, I can tell you the cost matters. But if we can solve our problems perhaps through software that might be less expensive than hardware, then probably we should look that way. Right, we do have to have a focus on cost. And again, that is one of the parameters that BPC is putting out that we need to look at. Because we need to understand, as we go forward, that we do it correctly, we mitigate the risks, that we understand the costs to
9:54 am
consumers, and there must be a balance between those benefits there, right? So we're going to do that. Having said that, I'm not going to read through everyone's bios. You have them in the packet, but for those of you who know Chris Peters, Chris is vice president of critical infrastructure protection at Entergy. Ed Goetz is vice president of corporate and information security at Exelon. Doug Myers is chief information officer at Pepco Holdings, and Scott Saunders is information security officer with Sacramento Municipal Utility District. At this time I'll bring them up one at a time. You would probably rather come up here, but what we'll do is go through and then have some quick questions. But if you have questions out there, I'll have a few questions, and we'll see where this takes us. Chris? >> Okay, thanks. Let me echo what Curt just said. It is a pleasure to be here to talk about cybersecurity at Entergy and also the response
9:55 am
that our company has taken, and some changes we have made over the past three or four years as we've seen a gathering threat of cyber actors out there, and in responding to the changes we've seen from a regulatory perspective, from NERC and the cyber world. So there are three quick areas I want to touch on, so everybody has a chance to comment this morning. One is threat. The others are strong governance, and command and control. So from a threat perspective, I think the change we've made, the paradigm shift, is we have to treat the cyber threat with the same respect that we give to the forces of nature that impact our grid: hurricanes, floods, ice storms. The impact -- they impact our grid throughout the year, and we are organized to deal with those
9:56 am
threats, to be more strategic about how we respond, and we have to put the same comprehensive approach and the same attention to the cyber threat as we do to the other threats that impact our system. The cyber threat is part of our risk profile. We have to defend it. We have to staff it, and we have to be prepared to respond as necessary. The other part is strong governance. I think what we learned as a company is that the cyber message needs to come from the top. It needs to be a board-level and a CEO issue. They have to drive it. But as the cyber leadership, as a cyber leader, we have to give them the right information that they need to make decisions, not to blindly fund technologies or personnel. We have to give them the right information on what the threat
9:57 am
is, what the investment is, or what the regulation is, so they can make good decisions, and keep them informed. I can tell you that over the past three years the awareness level of the CEO and the board, at least at our company, has risen dramatically. They all read "The Wall Street Journal." They read the "Washington Post" and ask hard questions. They ask questions about Stuxnet and what we are doing to combat those threats. They also ask about regulations: what are we doing to get ready, how does the White House executive order impact our company? So they are asking the right questions. And lastly, command and control. I think it is just critical from a utility perspective that we need to have firm command and control over our assets, over our people, over our processes, over our investments, and how those all are integrated
9:58 am
together, how they impact our cyber regulatory perspective. We have to maintain an adequate security and compliance state. I say that because I think the two are inextricably linked together, the security and compliance state. So we need to know configurations, you know, the basic fundamentals, the boring things that nobody likes to talk about. We need to know who's coming in and out of our secure, sensitive areas. We need to know what traffic is coming into our networks, what traffic is leaving. I can tell you that we have external threats and internal, and we have dealt with internal threats, insider threats, that have had impact on various areas of our company. We need to be able to track those and monitor, so we have to continually evolve with technologies and with awareness, and couple all the data points together, so we can see them in one complete and comprehensive
9:59 am
picture, so we can make those decisions in real time that we need to, and not wait 12 months to find out that we have a threat or a nefarious actor inside our network. So with that, I'll step away and turn it over to Ed. >> Thanks very much, Chris. After 9/11, the United States government moved very quickly to close the information sharing gap within the intelligence community. And I would assert that the gap that we now have to close is the information sharing between the critical infrastructure and key resource sectors and the government. I would like to talk a little bit about Exelon's position. We have a very strong commitment to securing our enterprise, and we take very seriously our responsibility to maintain and protect the privacy of our customers, and to maintain the
10:00 am
reliability of the bulk electric system. We prepare for incidents through an all-hazards approach. So I think, as Chris alluded to, it doesn't necessarily matter what the impact factor is. It is the result that we prepare for. In the area of information sharing, we rely on the government, but not solely on the government, to address the threats to the electric sector, and to Exelon specifically. Exelon has four cybersecurity legislative priorities: better government and private-sector information sharing, increased access to
10:01 am
security clearances, liability protections for good-faith efforts when sharing information with the government, and avoiding additional and duplicative regulations. Exelon has specifically supported a bill introduced by Chairman Rogers and Representative Ruppersberger, as we believe it provides information sharing authority to the executive branch, addresses the privacy concerns, and reduces a company's liability associated with good-faith efforts. On the operations side of information sharing, there is some good work going on in the industry and government. I would like to cite ICS-CERT and US-CERT for the good work. I would also like to cite NERC and give them recognition, specifically Tim Roxey from NERC,
10:02 am
for stepping into the gap and working with us to come up with a set of processes and procedures to share information on a real-time basis. One of the concerns initially in the information sharing process was whether the information shared with NERC would be provided to the enforcement arm of NERC. In the March memo from DOE Assistant Secretary Hoffman, we believe that that has been addressed, and Exelon is comfortable with NERC's initiatives there. Exelon also supports the President's executive order, and we believe that it emphasizes partnerships and allows good cooperation between the private
10:03 am
sector and government. So finally, there's some positive movement to enhance cooperation between the electric sector and the government, but we need to increase the speed of establishing processes and procedures that will enhance our ability to protect the nation's critical infrastructure. With that, I'll turn it over to Doug. >> Thanks, Ed. Good morning, everyone. My remarks today are focused primarily on cyber incident response. First, however, I would like to provide some context for those remarks. The electric utility industry is one of the world's most asset-intensive, and those assets are critical to society. And many of them are necessarily located in harm's way. Depending on the areas they serve, utilities face different types of hazards: earthquakes, wildfires, ice storms, tornadoes, hurricanes. The industry has extensive experience in disaster recovery, as one would expect given the centrality of electricity to civilization, and the role we play in
10:04 am
providing electricity and restoring it. As such, all utilities consider emergency response planning to be essential to the mission, and Pepco Holdings is no exception. All utilities have considered cybersecurity matters in their emergency planning for some time. But as the risk of a cyber event has grown, so, too, has our collective attention to this risk. We take appropriate multilayered, defense-in-depth steps to address cyber threats. For obvious reasons I can't talk about the actual steps and procedures and systems that PHI employs, but I can speak to the four broad categories under which they fall. The first two are preparedness and prevention. One way we enhance our preparedness and prevention efforts is through information sharing, which you've heard repeatedly this morning, through participation in various threat and vulnerability assessments with government agencies, industry groups, companies, and third-party experts in the cybersecurity field. This includes, for example, penetration tests at PHI that go beyond NERC compliance.
10:05 am
Assuring that grid participants have timely access to actionable threat information from the intelligence community is critical. It is not, however, essential for industry to know how threat information was obtained or by whom. Often, it is the source that dictates higher levels of secrecy classification and makes actionable threat information not immediately available. Because the prevention of all cyber threats is beyond the capability of any company or industry, the other two broad categories that all utilities are addressing and planning are response and recovery: the actions we will take in the event of a cyber attack. Our extensive experience preparing for and responding to major weather events has taught us that having clear response procedures and protocols is essential to a rapid recovery. Now, a point needing emphasis: our focus across preparedness, prevention, response and recovery is to address what can be controlled by the utility. By that I mean the vulnerabilities that threat actors might seek to
10:06 am
exploit, and response and recovery readiness. Regarding the prevention of the vulnerabilities, the electric utility industry is very actively engaged in that effort. Utilities and the manufacturers that serve our industry actively participate in the formulation and application of standards. Cybersecurity requirements already exist for the electric sector, and a transparent process for keeping those requirements dynamic exists as well, so that they continue to address changing threats. So we believe we will continue to lead the process for setting standards -- we also believe there's room for FERC, DOE and DHS in cyber matters as well. For example, FERC and DOE are better positioned, in our opinion, to facilitate a coordinated grid response to a major event. DHS is perhaps best positioned to facilitate coordination across critical sectors in the case of major events. So regarding cyber response plans, it's important to bear in mind what most experts say about the likelihood of an event, and
10:07 am
you heard already this morning, at least once: it's not if but when. PHI takes an all-hazards approach to emergency preparedness. Utilities think about natural disasters as when, not if, and we think about the threat of a cyber event in the same manner. However, there are several key differences between a hurricane, for example, and a cyber event, and these differences must be factored into response plans. For example, a hurricane comes with some degree of warning. Utilities typically begin their preparatory work days in advance; detailed 72-, 48- and 24-hour checklists are in place across the property. Cyber attacks are not expected to come with any warning. Second, situational awareness is essential to hurricane response. It is known with certainty when the event begins. Systems and processes the utilities have in place can determine the extent of the damage and the restoration priorities. The actual start of a cyber event may not be known until well into the event, and the
10:08 am
systems that the utility relies upon may be the very target of the attack. Third, unlike natural disasters, a cyber event can be a crime, a terrorist incident, or even an act of war. As such, the type and nature of state and federal agency coordination could vary greatly from event to event. Agency requests might even be in conflict. While every storm is different in terms of the damage to utility systems, a utility's response and its coordination with external entities during storms is purposefully consistent. Last example: natural disasters are typically state or regional events. As such, the industry is able to come to the aid of the affected utilities through mutual assistance. While there are cyber attacks contemplated that are company-based events, there are also scenarios that are industry-based. For many reasons, therefore, the nature of the attack complicates the mutual assistance process. So in closing, some key principles that should come out of this brief summary are: one,
10:09 am
emergency response is something that utilities have extensive experience with, and, two, we rely upon consistent and repeatable procedures and protocols both internally and externally. To the latter point, there are probably a half a dozen federal agencies with clear lines on the grid: DOE, FERC, NERC, DHS, FBI, and the various intelligence agencies. What is not clear is how the federal agencies will coordinate activities amongst themselves, with state and local governments, and with the private sector during an event. What is also not clear is what the trigger will be for direct federal engagement with the grid, which agency would lead that engagement, how deep that engagement will reach into our operations, and what level of restoration will signal federal disengagement. These questions need to be answered before an event occurs. Through collaboration between industry and federal and state government, we can answer these questions in a manner that facilitates coordination when coordination is needed most.
10:10 am
Scott? >> Good morning, everybody. General Hayden, I just need to say, I love my iPhone as well: hardware encryption, digitally signed apps, and app store review before they are published. Some things that a few of the competitors might want to think about. Anyway, on to the remarks. Of the nearly 3,300 electric utilities in the country, over 87% fall under either the umbrella of cooperatively owned utilities or publicly owned utilities, which typically have either an elected board of directors or are operated by some form of local government such as a city council or mayor. One other important characteristic is that many of these utilities can be classified as small businesses with limited resources. I work at the Sacramento Municipal Utility District in Sacramento, California, the sixth largest muni in the United States, serving the state capital, 600,000 residential and commercial customers over 900 square miles, and we have an elected board of seven.
10:11 am
We cannot underscore enough that electricity would be a significant target for those who are intent on disrupting our American life. Our threats are changing rapidly: Stuxnet, Saudi Aramco, Shamoon, and Shodan, which provides a public website. There is no doubt we are being examined. Many attacks use well-known exploits and could be -- plucking the low-hanging fruit, basics such as patching, secure coding, turning on security, creating a clear demarcation line between corporate and control systems, and having a security-aware workforce. Is it a voluntary standard or a mandatory standard? The electricity subsector has been working on this since the voluntary Urgent Action 1200 standard in 2003.
10:12 am
The current Critical Infrastructure Protection standards, drafted by the North American Electric Reliability Corporation, voted on by industry, and ultimately approved by the Federal Energy Regulatory Commission, require owners and operators to implement cyber practices that protect identified critical assets. The selection and implementation of controls is based on a risk model aligned with the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls. We use the high, moderate and low classification; even low-classified systems will have some measure of control. One size does not fit all. We need to be mindful that overly burdensome regimes can threaten our ability to respond to emerging threats and create complexity where it is not needed and where it does not add value. Regulations have the potential to create a strong culture of compliance while sacrificing security. The selection of controls is -- threat, actions and consequences, one of those being excluded. As an industry this is what we
10:13 am
have been focusing on with our federal partners. Led by the Department of Energy, in collaboration with the National Institute of Standards and Technology, the Department of Homeland Security and the North American Electric Reliability Corporation, we created two documents. The first is the Risk Management Process, managing cybersecurity risk unique to the objectives of utility operations, providing a systematic approach to framing, assessing, responding to and monitoring cyber risk. And secondly, the Subsector Cybersecurity Capability Maturity Model, which provides owners and operators with the ability to measure the implementation of objectives and practices related to cybersecurity program management across the domains. Industry has significantly taken part in the elements of the President's Executive Order 13636 and the development of the Cybersecurity Framework; our sector has provided a tremendous amount of professional capital. We see this as a living, voluntary framework that can evolve over time as threats
10:14 am
evolve, focusing on the cyber hygiene best practices that we all should be doing anyway. Are we doing enough? Since the executive order was released we've seen a great engagement in information sharing between the federal government and industry. We're seeing a rapid release of indicators of compromise. This is critical so we get the actionable intelligence to the owners and operators so they can assess their systems. Where we have opportunity to improve is information sharing with bidirectional exchange, the coalescing of security event information across utilities, across regions, and across sectors. To do this successfully we need to make sure that we follow basic privacy principles such as the Fair Information Practice Principles. In our review of security event information, we do not see that we would need to share that type of information about our customers. Additionally, to remove concerns about sharing information with the federal government, through the executive order we are poised to expand the use of the Information Sharing and Analysis Center anyway. Let's have them be the mediator
10:15 am
between industry and the federal government. While information sharing is important, this alone is not going to increase our cyber resilience. Over the past years we've seen energy systems and security successfully compromised; the systems were not designed for it. For energy management hardware and software that's implemented within a utility, we have to rely on suppliers to build security into their development practices, into their supply chain practices, and now cloud service practices. In many cases they hold back details about their technologies, citing intellectual property concerns. This leaves the utility with the burden of compensating measures, thereby increasing the cost to the ratepayer and increasing the complexity of interoperability. But just as important, we need to cultivate not only our IT brethren to understand the unique attributes of energy systems, but our engineering students to seek cybersecurity. I know it seems like an odd statement, and we've heard it several times already: it's not if you get attacked, but when you get attacked. We cannot prevent cyber
10:16 am
criminals from trying, but we sure can protect our systems, our people, our companies and our grid by building resiliency into the ecosystem. thanks. >> okay, great. i know we are likely going to have some folks in the audience come up and ask a few questions, but as we prepare for them, if you want to walk to the mic, i will try to recognize you. and when you come to the mic, please tell us who you are and who you're with. one of the things i want to jump on right now: scott touched on something i think is very important to the industry, and that is the privacy issue. because the privacy issue in and of itself can be a real obstacle to trying to solve this. and one of the things that we talked about, general hayden talked about, was the information sharing and how you share it, how much you share and who shares what with you. but i thought doug did a good job --
10:17 am
if we don't need the name of the actor, if that's not critical to us, if there's other information that quite frankly we don't need. scott, i have to agree with you that information sharing in and of itself does not solve the problem, but we have to admit it is the cornerstone of solving this problem, and without it you cannot solve it. what would you recommend we do from your perspective when it comes to privacy? then i would invite everyone to join in on that. >> i think from a privacy perspective, from a security information perspective, we do not have customer pii ingestion at all. we agree that from a privacy standpoint, we have no concerns over the release of our security information. where we think that we have opportunity is that we have seen what might be coming: as a municipality focused in a very,
10:18 am
in the center of the state, right? california is a huge state. we have a lot of utility companies in the state. wouldn't it be great if we could exchange information and say hey, look what i've got, look what you were sent? individually we think that information is just noise; together we see it's a concerted attack against our region. from an information sharing perspective with the federal government, i agree. we do need the indicators of compromise we've been seeing coming from information. that is critical information. we are able to take that and put it into our situational awareness system and we're able to make decisions based on that information. but if we're just waiting for the government to tell us about attacks, i think as 3300 utilities across the united states, we have a lot of information coming at us every day, and if we pull that together in a more cohesive manner, we could provide much more actual
10:19 am
information back to the government in terms of what's actually happening to us. >> again, on this, information being shared within industry and information being shared with the government. since the executive order in, i believe, february, phi has seen a lot of outreach from our government partners, interest in sharing information with us that is potentially valuable to us in being aware of potential threats. again, we don't need to know who -- we don't even necessarily need to know what their end game might be because we all have imaginations to know what that might be. frankly, we need some fairly boring stuff like known bad ip addresses. and i've received some of that. i've received it, though, typically in a non-dynamic form. so one thing that would be
10:20 am
potentially very beneficial to industry would be a form of dynamic feed of known bad ip addresses. again, i'm giving some of the boring details of what i.t. people do. >> this is exactly what many need. this is the information we need. but if we have information like that being provided to us on a regular basis, that can supplement some of the other layers of defense we already have. and if we know what the government knows, we can make sure that we are aware of threats. obviously, the earlier you know them, the better your reaction could be. as far as within the industry, phi belongs to a threat information sharing portal, along with i believe about a dozen other utilities, a secure portal where we can begin to share information with our industry brethren. because we work for an industry with a notion of mutual assistance. we come to each other's aid during storms and we certainly are coming to each other's aid as we prepare for cyber events. so if we pursue both avenues, we will be better positioned.
10:21 am
>> on the privacy issue, exelon takes the privacy of our customers very seriously. and there are ways to protect that privacy when we share information with the government. there's currently a practice in place: if you get a wiretap from the court, not a fisa warrant but a criminal warrant, non-pertinent information has to be minimized by the government. so i would suggest that that practice can be adopted, and any information that private industry would share with the government could be minimized, and personal information redacted that was not pertinent to the investigation. so as far as information sharing, i think that information from the government,
10:22 am
as far as threats go, and information developed by the companies themselves, is the foundation for how we position our defenses. so we can't just say, protect us against everything. we need some type of design basis, for lack of a better term, and that has to be based on actionable and timely intelligence, whether that's generated by the government or whether that's generated by companies. and i would suggest that the nrc has a pretty good model of providing information to nuclear operators about current and emerging threats. so if we can adopt a similar model, it would help companies position their defenses to address the threats rather than just try to protect against everything. >> yeah, i'll go back to, i
10:23 am
think it was the center for strategic and international studies report back in 2008. they made three points. one, cyber is a national problem. it's got to be dealt with. they also said the approach needs to be comprehensive; it needs to use the full suite of american capabilities and resources to deal with it. and the third point was the decisions and actions must respect privacy and civil liberties, and that's true at the federal level and it's true at our level as well. we have to have those basic protections in place. and i think as an industry we have been pretty good at sharing data with the federal government, respecting privacy, and from a private-to-private perspective, we share information all the time. but i think at one point we tried to tally the number of information sharing forums we had, just within the industry and with
10:24 am
the federal government. there were 64 or 65, so we're comfortable with doing that. we need to make sure when we exchange information, it is secure, we are using protection methods and respecting privacy and civil liberties. and we continue to improve that process. i know dhs has a program; we are comfortable with using that, we have used it in the past. we need to continue to evolve and make sure we make this a tenet of the way we go about protecting information, whether it is at the federal or the private levels. >> great, thank you. i know we have a question. before we get to the two questions, i see ferc commissioner clark is here. i didn't realize you were going to be here. we would've certainly had you up here. no, and we thank you for being here. i know your advisor is as well. we appreciate both of you being here. we know the hard work you do,
10:25 am
and we know that this is important to you or you wouldn't be here. i will have to say, it's rare that you see a commissioner in an open audience when not serving on the council. i think that says a lot about commissioner clark, and we appreciate your attention to detail and appreciate you. let's give him a hand. [applause] first question. >> my name is david. i write for forbes and my question is for doug, although i would be interested in what the rest of the panel has to say. i was interested to hear that cyber is considered by pepco on the same threat level as weather events. and given that weather is getting more severe, and that utilities like pepco have had to spend a lot of resources to recover from storms, how much, how many resources are going to be needed to protect against cyber threats? and where are those resources going to come from? >> well, we have, the initial
10:26 am
answer to that might well be that they're across the entire property. security is part of everyone's job at phi. we have security awareness efforts, and i'm sure the other utilities up here do the same things as well to make certain that everyone at the company understands what the potential threats are, what they can do to help mitigate those threats. in terms of the level of resources required to solve a problem, i think the first thing is to define what the problem is you're trying to solve. and i think you heard this, that it's beyond the scope of the industry or any company within the industry to stop the threats. ..
10:27 am
we have the resources we require for the task at hand. however, we have also heard that trendline mentioned and how this is a growing threat. so i think a reasonable conversation about cost recovery is useful as part of this, and i guess the point i would make is that it's important to understand what role the federal government will play in cost recovery and what role the individual state commissions will play. so i will make a couple of key points here. first off, i think we would agree with the following statements. i think we would agree that the security of the electric grid is in the national interest. i think we would agree that
10:28 am
prudent and appropriate investments in cybersecurity and continual investment in cybersecurity risk mitigation are also in the national interest, and i think we would agree that a path toward recovery, prudent and appropriate recovery, of those investments is part of the regulatory compact. so i guess the question for this audience might be, are we better served if we attempt to solve that driven by the visions of 51 different regulatory commissions or driven by a consistent federal vision across the nation? and again, as cio i don't get to solve many regulatory issues. i am not asked to solve them. in i.t. we deal with ones and zeros, and i.t. is very nuanced, but i simply ask that question of the group. the various roles of the federal government and the state commissions, i think, is an important question to be answered.
10:29 am
but. >> anyone else have anything on that? let's go to the next question. >> hi, i'm a reporter with-today. my question is on the nrc suggestion. i have heard that before as being a model for the electric industry. i was wondering if anyone at ferc is considering it strongly or if they have put forth proposals to that effect? >> i haven't seen anything along those lines at this time from nerc or ferc. >> what would that look like? if you could elaborate on the analogy with the nuclear energy industry, what would that look like in practice? >> so if we are going to take the es-isac as a clearinghouse for information, they would be the focal point for intelligence
10:30 am
information from the entire intelligence community, so the cia, nsa and fbi, all the different intelligence agencies, and then put together a suggestion about how to protect yourself against these threats. that is similar to the way the nrc does it, so in practical terms that is what i would envision. >> i want to make a quick point about the nrc. we are one nuclear company and we have brought in a lot of talent from our nuclear business to help mature parts of our i.t. compliance programs, and we have brought their discipline and their practices and their processes into our nerc cip program, and it has helped us
10:31 am
mature and evolve to a disciplined state because they are used to operating under that level of prescription and scrutiny for many years, so they have a lot of practices that we have been able to bring in. so it is a model that we have looked at to help us in other parts of our company. >> yeah, i would say the es-isac is meant to be the mediator. with the assurances that we now have on the separation between information-sharing and enforcement, it would be a great way for us to be able to share information and to have a body that actually understands the information we are sharing, and that is one of the keys. we can open up every security event system in every company, but unless you have an understanding of how those systems communicate and operate it's going to be very hard to
10:32 am
get information out of that. nerc and the es-isac have information about that. >> that brings up an interesting question. i'm going to follow up on that a little bit and submit it to this group. the nuclear industry is a good example when you look at things like probabilistic risk assessment and things we have learned from the industry which certainly mitigate risk and make us understand not only qualitatively but quantifiably what the risks are and what actions we should take. having said that, if you look at the nuclear model with the nrc, one of the things we do have there is an organization. the nrc gives great deference, understanding that it's a private organization that frankly does a very good job of self-regulating the industry to make sure they are safe and secure and understanding they are vital to the economy. having said that, do you foresee
10:33 am
anything like that within the industry where there is maybe something that kind of steps into the role for the nuclear transmission, i mean for the electric transmission and distribution side? >> i think one of the challenges, and i think scott got to this, is that part of it, there is data and there is information, and i think we all agree those are two different things. you can be awash in data but not necessarily understand how to connect all those dots to make sure you understand what the key threat is you are looking to address. so i think one of the challenges, certainly there is a role for data to flow into the industry through various means, and we talked about a number of those as well, but i think another key point that we want to make sure is emphasized here
10:34 am
is the need for mechanisms to turn that data into actual information, and that, the role that government can play or other agencies can play in helping provide not just the data but also to start connecting some of the dots, is key. it's also worth noting within the industry the ability to take that data and understand how to turn it into information would be very helpful and very necessary as well. >> phil with icf international and a former colleague of chris's. and i think mr. myers raised something i want to go back to, and that is the issue of effectively who pays and the regulatory compact. i think some of you said that resiliency of the grid is not free and it's not cheap, and so in my discussions with regulators, and i think chairman you have teed this up as well, regulators are looking for some sort of regulatory construct in
10:35 am
which to be able to understand the cost and benefit of the investments that are necessary to both make the grid more resilient to cyber assault and potentially recover the grid from a cyber assault, but yet regulators, you know, are facing lots of pressures, rate increases, affordability etc. so how do we talk to regulators at both the state and federal level and how do we deliver some sort of model or regulatory construct against which regulators can make some sort of prudency or cost effectiveness or cost-benefit decisions regarding what is necessary to protect the grid from a cyber situation? >> i think it's clearly a difficult issue or it would have been solved already. i think a point that is worthy of emphasis is that when we are trying to solve this issue at 51 different
10:36 am
commissions, we need to also understand the grid is such that it is one large system. it's interconnected. the actions or inactions in one state can have effects on the other states, and if you study the history of the industry there are obviously specific examples that can be cited, such as the 2003 blackout. you also heard mentioned earlier today by general hayden that it's very difficult to build a business case for cybersecurity. i have never been asked to actually have to build a business case for cybersecurity. it was recognized within phi that it's a risk that needs to be mitigated, but no one has ever challenged me for this x dollars spent because it doesn't lend itself to that type of discussion. what we need to do is to make sure the system is reliable and secure, so i think at some level the
10:37 am
conversation at the state level that could be informed by a very clear and compelling federal vision about what they would like to see each utility across the country do, and what they would like to see each state commission get, some clear guidance on a path toward recovery for those investments, i think would be very helpful. >> so a little different, we have three iou's. we have a little different issue when it comes to cost recovery. our rate cases don't go in front of the public commission. they go in front of our customer owners, and quite frankly, you know, that is a conversation they are expecting us to be taking care of now, and we are very much a community organization. what i would say, what i say in how the program is built and how i have been working with the other two organizations, is we are an insurance policy.
10:38 am
we buy insurance for a lot of things. you rented a car when you got here and you paid insurance in case of an accident. what we need to be mindful of is that not every vulnerability has to be mitigated. if there is a vulnerability with no means of exploitation, i've challenged folks to think about whether that vulnerability needs to be mitigated or not. is that the right investment to make at that point in time? if we have a threat actor with the means to carry out an exploit and a vulnerability to exploit, that will cause some kind of catastrophic event, those are the vulnerabilities that we need to invest in. those are the vulnerabilities where i can stand in front of our board of directors and our customer owners and clearly tell them that stuff can happen if we don't do this. those are the rate cases that make a whole lot more sense to the american population, putting that out there. >> go ahead. >> i would just add that i agree
10:39 am
that the issue has to be addressed at the federal level. it can't be every utility in the country trying to recover rates at the state level, and i think that the president's executive order opened the door to this possibility because it discusses incentives for companies that comply with cybersecurity. so i think that may be a way for the federal government to incentivize companies to comply with cybersecurity. >> let me just kind of approach it from a different angle and then i will come back to you. one of the things we deal with in the industry is we do have regulators that look over our shoulders, right? so when we make mistakes, to
10:40 am
scott's point, if something bad happens we are going to have regulators asking us why did you not, right? in this economy i think it's a very difficult time for the industry because for those of us who have had to focus on the balance sheet and see how we are performing, when it comes to cost-cutting this may be one of the areas quite frankly that gets the knife. are you confronted with that right now? is it an issue with the industry and if so how are you dealing with that? >> again, i am expected in my role as cio to make prudent and appropriate investments to mitigate a number of risks and to ensure the performance and stability of the systems that enable all the business processes. to this point i can tell you that actually matters of cybersecurity, given the ceo focus on it, have been ones that
10:41 am
are the easiest to spare from the knife at present, and that speaks to the level of commitment that the industry has and the level of ceo and board involvement in the issue. my concern, and i think the concern a lot of us share, again, is as those trend lines continue and as the risk grows, that path toward recovery for prudent and appropriate investments is key. and having some sort of federal consistency around what utilities should be able to recover i believe is in the national interest because, as i stressed earlier, we are only as good as our weakest link. we want to make certain the companies that are supporting this interconnected grid are all approaching it in the same way and we can all be making reasonable and appropriate investments and not have to worry about how we are necessarily going to have to argue for the funding of them. >> i would just add to doug's comments that we have a lot of
10:42 am
support from the board of directors and from the ceo at exelon for security as a whole but more specifically for cybersecurity. in fact, we have quadrupled our staff on cybersecurity over the last four years and i don't see any cuts in that area on the horizon even as they cut back on other areas. >> yeah, i would echo those comments as well. security and compliance are areas where we don't compromise, and we need to have a five-year plan in place to bolster our defenses and make investments around security technologies, and compliance in those areas is very important to our company and a strategic priority. >> so, i just want to say one thing and make one comment. i have spent a lot of time the past five and a half years in this
10:43 am
industry telling people it's not if you are going to get attacked but when you are going to get attacked, and the question is why did you do something? the question really is what was the resiliency you had? a lot of the things that you hear are about resiliency. they are about being able to be aware and respond because i know somebody is coming. at some point in time someone is coming after you. we have a very good engagement because of that mantra of it's going to happen and i am an insurance policy. my board and my executives ask all the time whenever we are doing something, tell me why this is really important. that means they understand that there is a risk that they want to make sure is being mitigated, but they want to make sure it's the right risk and not just some checklist or some requirement that someone has put out there that is not going to actually add value to our security. >> yes, sir. >> i'm with the d.c. public service commission.
10:44 am
i was just wondering to what extent, there has been a lot of talk so far about what's going on at the federal level and what nerc and ferc are doing having strong standards. to what extent are you using the lessons to fill in the gaps where states haven't taken action to protect the local distribution systems? >> that's a good question. >> i will talk from a municipal perspective. there are a lot of distribution systems where they're billing providers -- our distribution we treat exactly the same way we treat our transmission system. we have the exact same control systems. we classify them as assets that need to be protected. they may not necessarily fall under designation under a standard, but we treat them the same. we recognize that it is fantastic to transmit power. it's fantastic to generate power,
10:45 am
but our customers expect us to actually deliver it, so we have taken that burden on already to protect their distribution. from a smart grid perspective, when we implemented smart grid it went through our entire security posture and we looked at where the gaps were and looked at compensating measures, and when we applied for our grant through the arra funds we built cybersecurity requirements into the grant and built them into our smart grid, so we are treating it the same. >> security is really in the dna of phi's approach to i.t. systems. we have worked with vendors that we did not feel had sufficient security features on something of critical importance, along with other industry partners and the utility partners, and worked with them on helping them shape the future direction of the products so they had the
10:46 am
appropriate features in there to keep the grid secure. we have chosen not to do business and have communicated to vendors that if they did not have certain features on their products we would not do business with them. as more and more utilities deliver that message within the marketplace i think you will see more and more vendors where they realize that seat belts and car safety is not this annoying thing that they are supposed to do. it's actually a basis for sustainable competitive advantage and it's something that customers need and want. so we have not necessarily relied first and foremost on what the government is telling us we need to do to secure our system. obviously we are compliance focused. we need to meet those requirements and take them seriously. i mentioned earlier we conduct penetration tests that go well
10:47 am
beyond anything that nerc is requiring us to do. we really take a systemwide approach to these potential threats and these vulnerabilities and we do our best to make certain that we are making the appropriate security and functionality trade-off decisions. when you look at the people who have made the most money in the i.t. marketplace, for the most part they have led with functionality and not as severely with security. what we have done, and i think what you will hear from the other folks up here, is that within the utility industry we take that security-functionality trade-off very seriously, and if we have to do something slower in order for it to be more secure, maybe not move as quickly in that area, we will do that because security and reliability go hand-in-hand. >> at exelon, in order for anybody to put something on our corporate data network or to
10:48 am
bring in a new industrial control system they have to go through a review process by security. we created a security architecture team now that is specifically dedicated to reviewing all of the proposals that come in. the way we view it and the way we get buy-in across the company is we make the argument that if it's not secure, it's not reliable, and so when you are dealing with engineers who in their entire careers have looked at things through the reliability eye, that really rings true with them, so they are more apt to come to us at the very beginning when they are getting ready to send out a statement of work or an rfp for something.
10:49 am
they will get us in at the very beginning. >> anyone else? i think we have time maybe for one more. if you have a wish list, it doesn't matter if it's federal commissioner, state commissioner, whatever. what tools do you need that you don't have and what is in your way that you would like to have removed? whoever wants to go first, if i could get everyone to answer that. i know sometimes, especially when we have a commissioner in the room, we are a little apprehensive about what we may say, but now would be your opportunity to say here is what i need, here is what is in my way. >> i will take a first pass at that. it's not a really long list. i think you have heard these things referenced throughout the morning. we really need, for our
10:50 am
response efforts in the face of an event, we really need very clear protocols and procedures around what agencies are responsible for what, and i laid those out in my opening remarks. utilities rely on clarity and repeatable consistency when we respond to emergencies; that is beneficial to us. the second would be, again, information, and if that information can be declassified and be dynamic and at the level of detail that is essential to the i.t. groups. and i think the third would be some degree of consistency around a path to recovery for prudent and appropriate cybersecurity investments. >> so, i would just add to doug's comments, and i agree with everything that he said as far as priorities go. what i would like to see is machine-time information
10:51 am
exchange. so what i mean by that is something similar to what has been done at argonne national lab, where they have a federated model and the information from some of the intelligence community members and the national labs is funneled into one location at argonne, and that information is pushed out by machines to all of the members. so i would like to see something along those lines. i think it's more of a technology challenge at this point rather than a willingness to share. so that would be mine. >> all right, i have a really long list so i apologize in advance. anyway, so from my wish list perspective, first and foremost a
10:52 am
trained workforce. we need to invest in bringing up a generation of cyber professionals, and we don't need to wait until they are in college to do that, and we don't need to look at just the i.t. field. we need to start young. i talk to parents who have young kids who know how to mess with their phones a lot better than the parents do. that's the age we need to start reaching them at. we need to start bringing them up and making them understand what security and privacy is. along with that we also need bidirectional information-sharing. i always talk about bidirectional and getting -- i think i have information that might be beneficial to you, and i think every single one of us at this table has information that will help the federal government to better make what they share with us more actionable. we also need clear lines with the federal government on who is in charge. everybody wants to be in charge, but we really need to know, if we are going to call the bat phone, we need to know who's going to pick up on the
10:53 am
other line, and it can't be a rotating set of characters. lastly, a need is limited liability for due diligence. all of us as companies are doing things that are good, and something bad is going to happen to somebody at some point in time. the fact that we did our due diligence doesn't mean automatically that we should be penalized for that. it's again how did you respond, how is your resilience? what we don't need, and what we absolutely don't need, and i remind you this is coming from information and this is what i do for a living, i don't want prescriptive controls. that limits my ability to be agile. prescriptively telling me everything that i need to do to protect my system is going to create complexity and it's also going to create a security risk for my company. i need to put controls in place that respond to threats, vulnerabilities and threat actors, not the checklist. thanks.
10:54 am
>> chris. >> i would characterize it more as if i had three priorities that i think need the most attention. one is the nerc-ferc model needs to mature. i think it's on the right path with version five, where there is latitude and flexibility for entities to self-identify and fix their issues from a security compliance standpoint. it seems to be the approach of nerc, and we are moving in the right direction, so i am very encouraged by where that is going. i think it's already been discussed, the information-sharing and the public-private partnership needs to mature and it needs to be more effective. we need to leverage more of the capabilities and offerings that the federal government has to offer in r&d and training and awareness, things that the federal government has been
10:55 am
working on [inaudible]. there is a lot of benefit that we can leverage from an industry perspective. and lastly, i think just from an energy standpoint we need to continue to mature. this is an evolving process in building our cyber and regulatory constructs. we need to improve. we need to continue to improve with investments, a trained workforce and bringing in talent. ..
10:56 am
10:57 am
it really is just an education, awareness, and people issue for the most part. but it can exist again on either system, transmission or distribution. >> i agree. job one. that's why we try to make certain, and i'm sure my colleagues do the same thing. we try to make certain every employee of our company, every contractor understands what they can do to help keep our grid
10:58 am
secure and reliable. >> it's a human issue and a -- it's a human issue for sure. >> i didn't get a single answer that i was looking for. [laughter] but tony is sympathetic to that, right? let me invite the panel to do this. obviously, the reason the bpc is here is to try to present facts and understand issues when it comes to cyber and how we deal with that going forward. as you know, we will be producing a paper. we will be writing that in the coming months. as leaders, i know you've been picked by the industry to be here and share your information, and you're all very intelligent people, we would invite you to send us any information you may have when it comes to how we do this better, how we do it best and how we make america safe.
10:59 am
please, read their bios. they are all very impressive people. i want to thank them all for being here, and at least take a 15 minute break, and i think we'll be back in here at 11:15. scott aaronson and eei are going to lead us off. [applause] [inaudible conversations]
11:00 am
>> our live coverage of the bipartisan policy discussion will continue after this break. we heard it is due to get back underway at about 11:15 eastern, about 15 minutes from now. other live coverage to tell you about on our companion network c-span. at noon eastern economists discuss health care costs and the impact of that on the insurance coverage that people have now and options for the future. at 1:30 p.m., the air force quadrennial defense review. then later in the day, c-span will have live coverage of president obama visiting a high school in phoenix to discuss housing and the economy. he is taking his speeches across the country as congress works on the 2014 budget. all of that on c-span today. and an update, former president
11:01 am
george w. bush has successfully undergone a heart procedure after doctors discovered a blockage in an artery. a bush spokesman said a stent was inserted. the blockage was discovered yesterday during mr. bush's annual physical. the spokesman said the blockage was opened with no complication, and that the 67 year old bush is expected to be discharged tomorrow. while we wait for the next session, a daylong discussion on protecting the nation's electric grid. we'll hear from nsa and cia director, former nsa and cia director michael hayden. he spoke to the group today about cybersecurity and challenges facing industry and how much protection to expect to get from the government. >> well, good morning, and thanks for the chance to chat with you today. i will try to limit my transmission of your to about 20 minutes or so and then leave about 15 minutes for any questions or comments that you
11:02 am
have. as suggested, my purpose here's what my army buddies used to call a briefing with the big hand and the little map. i get to do the strategic overview. and what you have following me are people far more expert than i can be, specific definitions of the problem, and specific responses to the problems i think we're all going to identify here today. folks from government, folks from industry, federal government, state and local government, think tanks who can, and perhaps begin to map out a way ahead that we certainly wanted to see requested in our final report. so let me begin. as i said, big hand, little map, broad concepts and then as the day goes on we will burrow down into more specifics. let me point out the obvious. this cyber thing is pretty important, i think it's here to stay, and we kind of messed it
11:03 am
up. i actually did that at a black hat conference about four summers ago in las vegas. i leaned forward, i'm in the ballroom of caesar's palace with these 3000 reformed or semi-reformed actors, kind of leaned into the darkness with the bright lights on and said, look, as an american g.i. i view the cyber as a domain, you know, land, sea, air, space, cyber. and i know who did these four, and, frankly, i think he did a reasonably good job. and i think who know -- i think i know who did this one, and that's you. and i kind of leaned into the darkness. and i said i really do think you messed it up and thankfully no instead get a rope. the response was kind of them in the, mild giggles, and we moved on. but we did kind of screw it up. look back at the history of this thing. we are lucky enough, you know, to have the people who created this still among us.
11:04 am
living in great falls for example, vince comes to my class at george mason about once a year to talk to students about being out at stanford and starting to plug things in, and responding to the statement of work from arpa, you know, give me something that connects a limited number of labs and universities so i can move information quickly and easily. keep in mind what that statement of work was, quickly, easily, limited number, all of them i know, all of them i trust. and that remains the architecture of today's world wide web, and that's why we're in the position we're in. it wasn't built to be protected. it made no more sense to build defenses into the original concept than it would be for you and i to put a locked door between our kitchen and our dining room. i think, the whole architecture of the house is designed to get the food from the kitchen to the
11:05 am
dining room while it's still warm. why in god's name would you put a locked door between the two? that's kind of what we built here. except now rather than -- all of whom i trust, it is an unlimited number of nodes, most of them i don't know and a whole bunch who cannot be trusted. as clear as i can put it, the statement of the problem. let me go down one layer and talk about cyberspace and sinners. i've suggested it's a pretty tough neighborhood, all right? three layers of sins. the first layer of sin, they are just stealing your stuff. bill lynn, former secretary of defense who wrote what i think is the seminal article on the american thinking on the cyber domain, bill lynn pointed out that almost all the things we fret about -- fret about is in the range of stealing your stuff. it's cyber espionage, criminality, personal identifiable information, it's your pin
11:06 am
number, it's your credit card number. they are stealing your stuff. the second layer, and actually you're going to get the tone of this commentary here pretty soon, like things are getting worse, the second layer, and it is becoming more active, is not just stealing your stuff, it's disrupting your network. so i will throw out an example. estonia 2007, remember patriotic russian hackers crashing the estonian internet system because they were mad they were moving the memorial to the red army out to the suburbs? same patriotic russian hackers 2008, invasion of georgia, brought georgia to its knees. a net which the georgian government used for command and control. more current, more problematic, more personal for you and me. shamoon, a virus, saudi aramco, 35,000 hard drives, wiped clean. pick your enterprise, imagine yourself going back home wherever it is you work
11:07 am
and imagine 35,000 hard drives being wiped clean. you get the picture. frankly, although our government has not quite said so yet i think we know that is the iranians. the iranians apparently somehow feeling offended in the cyber domain, we'll get to that in a minute, have been attacking american banks with massive distributed denial of service attacks. serial attacks against bank of america, wells fargo, jpmorgan chase, the list goes on. i talked to one security officer who said on a normal weekday you and i hit the website about 15,000 times a minute to cash a check or move our money. they are getting 3 million hits a minute at the height of the iranian attacks. so a lot more disruption, and they're stealing your stuff, and then finally using this domain up here to create effects not confined to my thumb, but creating effects down here.
11:08 am
and the most dramatic example of that, of course, is stuxnet, which destroyed about 1000 centrifuges at the top. now, stuxnet almost certainly conducted by a nation-state, because it's too complicated to be done in your garage or in your basement, all right? given my background, former director of cia and nsa, i think it's -- i would describe what i just described to you in just slightly different words. someone almost certainly a nation-state during a time of peace just used a cyber weapon to destroy another nation's critical infrastructure. ouch. that's a big deal. you may or may not see me make a comment on 60 minutes about the unethical in which i can characterize that as somebody crossing the rubicon. you have a legion on the other side of the river now and life is going to be very different. so those are your sins. stealing your stuff, disrupting
11:09 am
the network, destroying infrastructure. who are the sinners? nation-states. you know that. criminal elements. and then finally this third group that i really have trouble defining, nihilists, anarchists, activists, lulzsec, anonymous, twentysomethings. the capacity to do harm is pretty much the way i laid out -- governments are foremost, at the top. criminal gangs, then you have this group down here and that's kind of good because as bad as governments can be, governments can be held to account. you've got criminal elements and they can be pretty dangerous and they are kind of guns for hire. but fundamentally criminals want to make money. they enter into a symbiotic relation with whatever their
11:10 am
target is. and it's a strange creature, strange parasites in nature. and so i think even criminals are somewhat limited. what worries me is this gang down here. right now they are incapable. you know better than i, the tide comes in and all the boats in the harbor are going up. and so this group is beginning to acquire capacity that maybe a year or two or three ago, we equated only with some of the more competent, more capable groups. in other words, as time goes on we're going to see this group down here whose demands are hard to define, whose demands may be unsatisfiable, beginning to acquire the capacity that we now associate with nation-states. let me just drive us down to something very, very specific. if and when our government grabs
11:11 am
edward snowden and brings him back here to the united states for trial, what does this group do? well, they may want to come after the u.s. government but, frankly, the .mil stuff is about the hardest stuff in the united states. so if they can't create great harm to dauphiné liberé know, where are they going after? who for them on the world trade centers? the world trade centers as they were for al qaeda. so i guess what i'm suggesting is this is, this is going to get worse before it gets better. and i mentioned it being very hard up here. let me give a couple reasons why it's really hard for us to defend ourselves up here. number one, look, let me pull you through kind of a dod, department of defense model and talk about intelligence and operations for a minute. bear with me, it's i think a very relevant point. down here in these domains
11:12 am
where, frankly, i conducted intelligence for most of my career, intelligence is what you do before the operation. you've got to know your enemy before you conduct an operation against your enemy. so it's sequential. intel first, operations next. i would also suggest to you that as hard as intelligence was sometimes, intelligence almost always, this is pretty close to a universal rule, intelligence gathering almost always was easier than the actual operation you're going to try to perform eventually. i'll just throw out an example from the cold war. you've got the soviet union, you've got those missiles out there, they threatened the united states. finding those missiles, that's kind of hard. dealing with those missiles, much more difficult process. much more difficult proposition. that's in the physical domain. now let me pull you up here to my thumb.
11:13 am
reconnaissance up here still happens before operation. you've got to know the target before you operate against the target. but unlike the physical domain, the reconnaissance is harder. unlike the physical domain, it's more difficult to penetrate a network, live on it undetected, extract what you need from the network for a long period of time, and to continue to operate on it. it's far more difficult to do that than it is to kind of figuratively or metaphorically kick in the front door and do something. in other words, appear -- up here the attacks, the disrupt or destroy thing, the attack is a lesser included case of the reconnaissance. if i can live on your network
11:14 am
undetected for intelligence purposes, i've already established far more than enough control to use your network for disruption or destructive purposes. do you see the parallel i'm trying to draw? that's why president obama in this year's state of the union when he go guided makes his cyber point there about midway through the speech, talked about enemies on our networks. enemies on our grid, and why that is so disturbing. because if they are on there and undetected, they already have -- whatever their intent, whatever the intent, they already have the capacity to do harm. now, i think without question the country that is out there stealing our stuff the most is china. and there's evidence if you read kevin's report, that white paper he put out several months back, about the chinese and the unit
11:15 am
in shanghai and so, there's evidence there after skating networks as well as just penetrating networks, trade secrets, physicians and the like. but, frankly, i find it hard to imagine circumstances where china would want to do something incredibly destructive to any american network, the grid, absent a far more problematic international environment in which the cyber attack is itself part of a larger package of really, really bad things. but bear with me for a moment. i mentioned iran a few minutes ago. what would prompt iran, second rate power over all but a very bright nation with very technically competent people, what would prompt iran to try to inflict economic pain, economic damage on the united states?
11:16 am
sanctions. sanctions with no hope of relief. what we used to euphemistically call while i was in the government, limited kinetic action against iranian nuclear facilities. but look, these are all sinners. i'm not trying to be predictive up here. i'm just trying to be illustrative -- illustrative. as i said this will get worse before it gets better. now, a few words, okay, how do we make it better? we've got something lines, a lot of this is heading south. what are the things we can do to stop it from heading south? what are the steps that we can take as a prudent people? and again, up here on my thumb, all right, it's much harder for us to defend ourselves up here. i already told you about the geography. we created and/or the. we didn't build any mountains,
11:17 am
rivers, oceans or valleys into this domain, so defense is very, very hard, all right? but it's also hard for another reason. it's hard for philosophical reasons. let me offer -- okay, i am being 10% provocative here and maybe 90% accurate. i am willing to accept the proposition that the united states of america will forever have one of the least well defended networks on this planet. and we will have one of the least well defended networks on this planet because of james madison and alexander hamilton, and all those other good folks who wrote the federalist papers. we have not, we as a people have not yet created a consensus as to what it is you want our government to do up here, or what it is we won't let our government do up here.
11:18 am
i love my iphone down and the portal to use at this point in this speech with less knowledgeable audiences i pull my iphone out and say, look, give me another 15 minutes. i'll have you convinced that this is a gateway to conflict, and you'll all be scared of your iphone and blackberry. i usually get a response from the audience, yeah, he's right. when i bought my iphone i was in the apple store, and i was there with my wife two years ago. i'm operating, two years, contract, new phone. standing in the apple store over in northern virginia and you know how it works. a young kid comes up to you, he's sf around his neck. he sells me an iphone but i just want to buy an iphone. he points to the iphone and he pulls up a page and he says app store, -- app store. 400,000 apps. then he turns to do something else and i turned to my wife and said, this kid really doesn't know who i am, does he?
11:19 am
[laughter] i mean, those are 400,000 attack vectors. so i can surely convince an audience this is a gateway to conflict, and most american audiences say, okay, where's my government? i pay taxes. why isn't my government spending it? when i get there with my speech, i get applause, and then they actually do reach into the coat pocket. they do pull out their iphones and blackberries, and what do they do? they check their e-mail. what was a kind of conflict of my weight in my arms up there 20 minutes earlier saying where's the government, not to go to their personal communications. and let me die a thought not national occurred to americans when they're checking their personal communications. gee, i wish my government were here. [laughter] and so we have that tension. mike rogers -- >> former nsa and cia director michael hayden speaking before
11:20 am
the bipartisan policy center discussion earlier today. you can see the rest of his comments at c-span.org. more live coverage of the discussion on protecting the nation's electric grid. up next, a discussion, a look at what the federal government is doing for cybersecurity. participating officials from homeland security and the energy department and the not-for-profit agencies that oversee the electric grid. looking ahead a little bit, about 1:30 p.m. eastern a look at state activities and challenges with officials from state utility commissions. that's here at the bipartisan policy center live on c-span2. >> [inaudible conversations]
11:21 am
>> and so, good morning, everybody. wait a couple minutes to get folks back into the seats, but wanted to introduce this panel and introduce myself. my name is scott aaronson. i handle national security policy for the edison electric institute. we're the trade association for the u.s. utilities and very happy to be sponsoring this event today. also want to appreciate, this has been a great turnout. i think this is a testament not just to the importance of this issue but it's a testament to bpc's ability to bring the right people together, and i think the panel previously i want to thank them. they really started to talk about the industry progress that is being made. they showed all segments working together, the co-ops, my members, and they really reinforced the value of
11:22 am
public-private partnership, public-private coordination. executive order, cispa, all of these steps are being taken to improve industry coordination. the sort of flipside of that coin is the panel we have here today, i'm very pleased to be moderating, a group of leaders who have really worked on the government side, both currently and previously, to improve the coordination. government industry coordination and government interagency coordination. the popular refrain from today that i am at least getting from this is that protecting infrastructure that is critical to national and economic security is a shared responsibility. neither side can do it itself. last i checked, none of my membership or no electric utility had a standing army. we don't have intelligence gathering capability. we need the government to help us with it. the flipside of that is, the last i checked, the government is not very good at operating an
11:23 am
electric utility system. so our expertise, the expertise on the panel before, chief security officers, and leadership in the c-suite to make decisions is invaluable. so one of the things i've noticed in both the discussion here today and the debate as it materialized within capitol hill, in the executive order, in the media is this discussion of information sharing. information sharing is great and it is a component to improving critical infrastructure protection, and cybersecurity, but it misses the mark to what we're talking about is close coordination. we are talking about government and industry working together, not just to share information, but on a set of deliverables that can help, with that defense in depth concept. general hayden, in his remarks earlier, referred to
11:24 am
the leadership of electric utility industry as trailblazers in a way. and i appreciate that comment, but i can speak to one of the reasons why this industry has been such a leader in this space. the sector at a very senior level, and meaning ceos working with the deputy secretaries and folks from the white house, have found common cause to working together to protect critical infrastructure. i also echo the statement from general hayden that i've used before. he talks about the north-south and east-west and north-south is that bidirectional government to industry, industry to government information sharing. east-west comes with the coordination and it's that broad cross sector coordination. somebody earlier, i can't recall who it was, talked about how, i think it might have been hurt, that this sector is most critical because all the
11:25 am
other sectors rely on us. that may be true, but all of the other sectors and we also rely on all of the other sectors. you can't operate an electric utility system without water to create steam to spin our systems or, or to cool our systems. you can't operate without telecom. you can't operate without transportation to move our fuel. so that interdependence, that east-west coordination is another place where the government can be incredibly helpful in improving our readiness and our cybersecurity. ceo leadership working with deputy secretaries of d.o.e. and dhs and also working with national security staff at the white house also identified three areas that we can be focusing on for the defense in depth. the first is deployment of tools and technology. the government has some pretty cool toys and industry would
11:26 am
like to put those out on our system. so facilitate deployment of the tools and technology to improve detection and prevention and mitigation and response and recovery. the second, and again this is, it's really information flow. making sure the right people get the right information at the right time. ceos need a certain class of information, operators need a certain class of information. the government needs a certain type of information, and because we're talking about things that move at the speed of light, we need to get the humans out of the equation entirely and start sharing information at a machine to machine level. that goes back to the value of tools and technology. the last place where we're working together, both industry and government, very closely is when it comes to incident response, basically if there was something that happened tomorrow, what would you do. and previously the answer was, largely it depends. and to borrow a phrase from some of my intimate friends, that is suboptimal.
11:27 am
what we need to be doing is formalizing processes for working together, practicing them, exercising them, and getting better. the old eisenhower quote, plans are useless. planning is invaluable. so we are going through the exercise of planning and planning and planning government industry coordination. and this group today, as you'll see in a second, has been a big part of the progress that has been made and also alludes to some of the work still left to be done. so i'm going to introduce them because i think their backgrounds are salient to their perspectives. i want to give them a little bit of bio and context as to who they are and where they come from. i'll do that each individually. we will get five to 10 minutes from each of them. then i'll ask a question and would urge you all to ask a few of your own. so with that the first person up here is larry zelvin. larry is the director of the national cybersecurity and communications integration center, more easily
11:28 am
known as nccic. in this capacity he runs 24/7 operations and is responsible for the coordination of the national response to cyber and communications incidents. before leading nccic he was at the white house during both the deepwater horizon incident and the asian earthquake. he was involved in homeland security planning for the joint chiefs during both 9/11 and hurricane katrina. so clearly he needs a little more excitement in his life. he is a graduate of boston university with a masters from the intent -- intelligence college. >> thank you all very much. i greatly appreciate the opportunity to speak with you this afternoon. in my opening remarks, if i may i would just give you a little bit about the organization i have the honor of leading. as mentioned, the national cybersecurity and communications integration center at the department of homeland security, the organization is made up of four components. the united states computer emergency
11:29 am
readiness team, or us-cert. the industrial control systems cert, and then the national coordinating center for telecommunications, and finally an operations and integration function. all told i have about 500 folks, primarily centered in arlington, virginia, where my operations floor resides, but our industrial control systems team is in idaho falls and i have a capability that is going down in pensacola, florida. so what do we do? i tell my folks we have repos that we really strive for. one is information sharing. i know the term gets batted around but that's the one i'm going to sit on. but on information sharing, this year alone between all the components that make up the nccic, we've had over 200,000 reports of cybersecurity.
11:30 am
11:31 am
>> to see where adversaries may be going. i will tell you that my experts, my analysts are as good as anyone in government or in the private sector, and i'm glad we put them toe to toe. they are actually extraordinary. as i look at the energy sector i
11:32 am
conclude my opening remarks. we've been working very closely with the department of energy and with private sector energy partners, coming up with deliberate planning. president obama and presidential policy directive, they put out a call for national preparedness. in national preparedness the president said we should be looking at the capabilities. what are our capabilities to respond to a number of events, albeit man-made, natural disaster even cybersecurity? so we early on in dhs working with our interagency partners and private sector partners have been inventorying what are those capabilities in cybersecurity? we have quantified those between eight or nine categories and i get confused because we are on version 47 that we call in the judge or. my lead planner says how many more of these are we going to do? i said a lot. planning never stops. we want to continue to get better. but the point of this is that we're looking at the capabilities in cybersecurity. we quantified those down into the right capabilities such as forensics, to
11:33 am
do analysis, information sharing and the ability to put capabilities out to where they may be needed. so once we got all the capabilities identified, we then need to look at how do you apply them, and we look at the sectors, energy, transportation, i.t. as i've mentioned before, we look at some of the major cities around the country, just as a starting point. we are starting with 10 urban area security initiative cities but that is just where we're starting. why are we doing this? the challenge i put before my staff is let's take manhattan. you can pick any city in the united states or around the world. i said let's pretend that all the power went out from 40th street all the way down to the battery. some would say, hey, the cause was cyber. what do we do? where do we go? what are we going to be asked to do? the first responders in this incident will be the private sector, the owners and operators of these systems. then if you need help, what are
11:34 am
you asking us for? then do we have it and then can we get there in a timely manner? it is best to have these conversations ahead of time. it is best to know what your capabilities are and for you to know what ours are. so when there is a crisis that requires us to lend support or aid, that you know what to ask for, you know what we're capable of and how much of it we have. so with that i'll turn it back over to scott and welcome your questions. >> thank you for that, larry. next up is mike smith. one of the ways we're trailblazers in this space is we're very lucky to have a very good working relationship with our sector specific agency, in this case doe. mike at doe is the senior cybersecurity advisor. he came to the infrastructure security and energy restoration division within the office of electricity in march 2000 a, where he leads a wide range of energy sector cybersecurity initiatives across the department and across the country. mike leads participation as the energy sector specific agency and has been charged with implementing the executive order.
11:35 am
mike is the cybersecurity risk information sharing pilot program manager. that is a tool that my industry is very interested in deploying. prior to coming to doe mike was a consultant with booz allen hamilton where he supported a classically defense grew ever structure program. microtargeting u.s. army jag corps in 2000 for falling a 16 year grim which users -- received a masters of law in international law from georgetown. mike? >> thanks, scott. well, obviously the reason for this report and this conference highlights that cybersecurity for the energy sector has emerged as one of the nation's most serious grid modernization and infrastructure protection issues. cyber adversaries as we've heard are becoming increasingly targeted on the energy sector, more sophisticated, and their tools are widely available.
11:36 am
cybersecurity practices must address not only the threats and vulnerabilities of traditional information systems but also the unique character of electric grid technology, such as the extended life expectancy of our control systems, and the technology that was developed to protect business i.t. systems and networks can inadvertently damage energy control systems. to address these cyber threats to the grid, parallel efforts are needed to effectively protect the grid that secure specific components, along with the broader strategic approach. recent events in california have highlighted the need to do that. cybersecurity standards, while they are not the ultimate solution, they can provide an effective baseline to address known vulnerabilities. managing the risk from the unknown vulnerabilities and dynamic threats that we see in cyber can best be addressed by timely information sharing of
11:37 am
relevant actionable threat information, the use of proven risk management policies, and effective incident management and response capabilities. our office's role, speaking for the department, a wide range of national requirements under the national protection plan, other directives, our focus is on four priorities. et cetera and information sharing to enhance situational awareness, expanding implementation of cybersecurity capability and maturity models, and a risk management process guideline. as many of you know, the capability maturity model provides a tool that allows the electric sector, and soon the oil and gas sector, to assess their own cyber strengths and weaknesses, and inform their investment decisions. the third priority area is developing and deploying
11:38 am
cutting-edge cybersecurity solutions in this sector. our roadmap to secure energy delivery systems has been employed for years, and the lead of the office will tell you it's not our plan, it's the roadmap for industry. and fourth, exercising and refining energy sector cyber incident response capabilities. how do they all fit together? research feeds operational capabilities, and real-world events feed research requirements. planning, exercising, and responding to and recovering from events reveal best practices, feed new standards, and produce new best practices. so all of those areas that i've mentioned we tie together in that fashion. the roadmap that i mentioned, the latest version in 2011, provides a vision and a strategic direction for the next 10 years to enhance the cybersecurity for the sector. the nation, or the statement in the roadmap, is by 2020,
11:39 am
resilient energy delivery systems are designed, operated, and maintained to survive a cyber incident while sustaining critical functions. all of the recent cybersecurity efforts align well with ppd 21, the new e.o., and the roadmap. >> thank you very much, mike. next up we have matt blizard from the north american electric reliability corporation, currently. he works to assure the security of both rss and without a great opportunity work with nerc and 10, his team as well as with the others. we appreciate the opportunity at nerc, matley said powerful and expense team of cyber and physical professionals. to accomplish this he and his team have worked to enhance standards, monitor compliance and build a very capable electricity subsector information sharing and analysis.
11:40 am
he and his team also support exercises like gridex and critics tonight which will be coming out in november, and his support of the escc, the electricity subsector coordinating council. matt came to nerc after 30 years commissioned with the u.s. coast guard, where he had multiple command strategy, as well as command and control of communications, computers and information technology. his coast guard career culminated in his assignment as the deputy chief of staff and accepted direct to the deputy commandant for mission support. he holds a bachelor's of science in electrical engineering from the u.s. coast guard academy, and a master's of science from purdue university. it's always nice to people who are accidents work. msc yes, master's of science as well as an ms in national security strategy and resourcing. very capable and very well
11:41 am
educated. matt is a professional engineer with the state of washington and has taught electrical engineering at the academy and at the naval war college university. and with that, matt, take it away. >> that's quite a mouthful, scott. very pleased to be here with you today, and i look forward to your questions after this. i took one slide out of about 30 slides to talk to you about today. i thought it was important that i try to provide this in a strategic context: what the bulk power system, nerc and our government partners are all doing here to basically secure arguably the most important and largest man-made machine in the world, and that's our system. i'm going to talk about six main focus areas. basically, our strategy to secure the power grid is indeed reliable, so the first main pillar that i would like to talk about is standards compliance and enforcement.
11:42 am
we are one of the few critical infrastructures of the 17, as i understand it, that definitely has mandatory and enforceable standards that are designed and built by industry for industry. and as we heard earlier from the industry panel, we are now headed for cip version five, but it's been an evolving journey to develop the standards. they just don't happen overnight. they take a while to develop and bake, and i'm very proud of where we are at. we are currently enforcing with industry cip version three. cip version four took it to a bright line criteria, and cip version five is going to be high, medium, low impact. basically risk-based standards. the next area that i would like to talk about that is very important for reliability is having an adaptive control.
11:43 am
adaptive controls in this case is information sharing and analytics. we're going to hear a lot about it and will continue to do so, but we do that at nerc and with the system, with the es-isac. about a year and a half ago we really decided to roll part -- one stop shopping for the system as -- where they can have valued analytics on the information that is coming through from the intelligence sources and putting a system lens on it. basically, over the last year and a half we separated with extreme measures from the compliance and enforcement realm of nerc so that we could truly be a trusted partner, so the
11:44 am
industry would feel comfortable sharing their concerns, issues without any type of fallback, or fallout from it. our board of directors, two times now, has reinforced the issue of separation between the isac and the compliance enforcement so that we can have that discussion.
11:45 am
private and public partnerships, and over the last year and a half, the sector and government have been involved in many things. i'd just like to list a few of these. we have our coordinating council, and it did high-impact, low-frequency studies. it did the gmc study, information sharing study recently, cyber attacks, spare equipment, database and
11:46 am
resiliency came out along with the technical committees. also, we have something we started working with paul stockton on, which was his electricity private-public partnership. it's basically the bulk power system working hand in hand with the department of defense to look at how we can assure mission assurance for national security. another example is the tcis, cross sector group. we're involved in the executive order, ppd21, and the industry is fully supporting. we also developed a cybersecurity capability maturity model, known as c2m2, working with the sector specific agencies and experts from
11:47 am
industry to look at a model of how to assess the maturity of your cyber system. also, as scott and the previous panel brought up, we were involved in the risk management process and this framework, with doe and industry. and coming up we're going to do gridex, and gridex 2 is going to be separate from two years ago; we're going to look at the policy triggers, the tough questions for a national security event caused by cyber. and we are going to actually peel back an event that, if the grid were to go down for a month or two months, what would be the policy triggers, all those types of things we need to explore that were mentioned in the first panel. and also, we do things like the personnel security clearance task force report and
11:48 am
information sharing task force report. these will be presented next week, and i'm pretty sure they'll accept those reports that were built by industry, for industry. and lastly, policy and coordination is one of the last elements of our strategic plan at nerc, and we work with our country here on all the activities they have going on: the executive order, ppd21, and so forth. and so whenever there is any type of input they need from industry, looking at it from an industrial viewpoint, we'll get the subject matter experts from industry lined up to talk to government and make sure the partnership continues strong. so that's basically it: standards compliance enforcement, information sharing and an -- analytics, private and public
11:49 am
work, outreach, training, and exercises, and lastly, policy and coordination. the pillars for reliability and security for the power system. thank you. >> thank you very much for that. i think from his comments you can see how this fits together. if you think about the mandatory enforcement standards we have to abide by, and then all of it comes with coordination with each other, with the government, with the other sectors, and then finally preparing for incident response. this is a unique relationship that this industry has with this agency through nerc with a regulator of jurisdiction and across the board. so thank you for that. last, but certainly not least, dr. paul stockton, currently the managing director of sonecon, and he was the assistant secretary of defense for homeland defense. in that position he was responsible for dod initiatives to strengthen security and help
11:50 am
partner nations build their capacities. dr. stockton created the department's first ever mission assurance strategy and launched a range of initiatives with the department of homeland security to help ensure the -- he divided the protection program to serve as a crisis manager, and it was in this capacity i got to know dr. stockton very well and worked directly with him on the response to superstorm sandy. he was also a senior research scholar at stanford university, and associate provost of the naval postgraduate school. he will be publishing in the stanford law and policy review and has been published in international security, homeland security affairs, which he helped found in 2005, and other journals. dr. stockton holds a ba from
11:51 am
dartmouth. >> thanks to all of you. i ask you to dig a little deeper into the response challenge that we face, that was prefigured by general hayden's comments this morning. if there's a successful computer network attack that brings down the grid over an extended region, perhaps even an interconnect-wide failure, for a significant period of time, what is the response challenge going to look like? there's going to be a twin challenge, and we need to think about the integration of two lines of effort. the first, of course, is in the cyber world, and larry, i have to thank you for all the progress you and your colleagues are making in partnership with industry and the rest of the federal government to be prepared, after an attack occurs, to scrub the malware, to do everything else to deny access by the adversary to our
11:52 am
critical cyber systems that govern the electric grid. simultaneously, of course, there would be, let's call it, physical response, because with a loss of electric power, critical lifeline infrastructure is going to fail: hospitals, transportation, food and pharmaceutical distribution. there are going to be massive threats, unprecedented threats to public health and safety, and here we're going to fall in on traditional kinds of disaster response, the kind we saw in hurricane sandy, although potentially, as you just noted, matt, of a much more severe duration. we're going to be conducting two very different types of response simultaneously. and obviously there's a risk here of gaps and seams and challenges for coordination, and
11:53 am
there are also some terrific opportunities for mutual support to leverage between these two sets of response requirements to make sure that both of them go forward much more effectively thanks to the pioneering work going forward today. let me talk to you about some very specific challenges, which i'd like everybody to think about what is the way forward, what are the contributions that everybody in this room could make. first of all, what are governors going to contribute to this process? a primary responsibility for governors, maybe the primary responsibility for governors, is the safety of their citizens. and we saw in hurricane sandy, governors are front and center in protecting their citizens. they're absolutely vital as the lead partners for the department of defense in a hurricane sandy type event, and you can imagine
11:54 am
how prominent a role governors would play in this kind of scenario i just outlined for you. they're going to take a leading role. what does that role look like in the cyber response realm? how do we provide for integrated approaches by state level government to both of these simultaneous kinds of response operations? that's a big, important question. we ought to be thinking about that now, ranging from immediate response operations to strategic communications. secondly, authorities. i'm so grateful that you, larry, and many of our other panel participants are looking at how you would use the stafford act to provide for reimbursement, to provide for the authority in law that we're going to need in order to conduct both types of response activities. how about the defense production act? all kinds of opportunities for
11:55 am
government support to industry in ways that were never envisioned when the defense production act was written and enacted into law by congress, but now provide a basis for leveraging those long-standing capabilities, authorities, into a new realm. there are terrific opportunities here to think creatively about the statutory authority and applying it to bridging the realms in order to provide for unity of effort as both types of response go forward. finally, i want to talk about the critical role of state utility commissioners. in the first panel we heard perspectives on the importance of having national level guidance, and sort of national coherence to these initiatives. i want to argue today that state utility commissioners and their staff, on a state-by-state
11:56 am
basis, also have a vital role to play. every state is going to face its own challenges, and as we build on the inheritance we have, terrific understanding of how to provide for electric reliability, what is the delta now? what do state commissioners need in order to assess resilience projects, in order to decide on cost recovery for resilience projects, knowing that a key difference for resilience is going to be how effectively, how strategically can power be restored in order to limit damage. that's a key component of resilience, and it gets back to the critical role that states, the regulated utility commissioners, are going to play in building the response side of things, over and above traditional approaches to reliability. these are just a few examples of
11:57 am
opportunities to think hard now about how we're going to have not only continued excellence in the two realms of response but how to make sure that we eliminate potential seams and bring these two enterprises into mutual support. thank you. >> thank you, dr. stockton, and thanks to the entire panel. so i'm going to ask a couple of questions but would encourage you guys -- this should be interactive, and you're sick of hearing from me and we'd rather hear from you. paul, start with you. just to unpack a little bit more your experiences that i alluded to in working with the electric sector following superstorm sandy. i think it came up in the previous panel. doug myers said system is in our dna, and that's a true story. you see events like what happened in the gulf with the deepwater horizon, and it was really a government-led
11:58 am
response, whereas you see something like superstorm sandy and folks from the west coast were sending crews to the northeast, facilitated and supported by the government. so, can you talk about your experiences through that and how that may have helped, and maybe some of the things that translate to cyber and the things we could be doing better with respect to government and industry coordination, to use tim roxey's language, right of boom. >> i'm going to start with the last question, and that is what can we be doing better? it goes to a point you made in your introductory comments. we need to capture the lessons learned from sandy. we need to formalize the support procedures. we need to exercise them. we need to train to them. instead of making things up on the fly, building the aircraft as it is in flight in the case of the c-5as and the terrific support that we were able to provide to industry for power
11:59 am
restoration, we need to understand what are these protocols, what are the support requirements that would be most helpful from the perspective of industry, and how do we build and regularize that system so, as personnel turnover occurs, both in the department of defense, department of energy, federal government, and the homeland security for critical infrastructure, and industry as well, how can we institutionalize these ways of supporting industry? it's vital to do that, and we need to continue to work on it. let me just say one other thing very quickly. a harsh lesson learned for me in sandy is we thought we understood what the critical nodes were in the energy sector on the east coast. we thought we knew where we were going to need to provide emergency power generators and fuel for those generators in a blue sky environment, and understanding of, well, what are
12:00 pm
the critical nodes, the single points of failure. my friends, in a disrupted environment you will find new critical nodes emerge. we had no idea that the kinder morgan terminal would be so essential to restoring energy functionality. so as you think about where to invest in resilience, blue sky environment, not enough. think about what it would be like in a severely disrupted environment where, by surprise, critical nodes will emerge. >> let me ask one quick question of larry or matt, with respect to the deployment of tools. similar question to what i asked of paul. what could we be doing better, institutional, legal hurdles to deployment, budgetary constraints as well, and what can we be doing better to get more of
