tv U.S. Senate CSPAN August 7, 2013 5:00pm-7:01pm EDT
5:00 pm
industry and government. i would like to cite ice for the good work. i would also like to cite nerc to give them recognition. specifically tim roxy for stepping in and working with to come up with safety processes and procedures to share information on a real time basis. one of the concerns initially in the information sharing process was whether the information shared with them would be provided to the enforcement arm. in the march memo from doe assistant secretary hoffmann, we believe that that has been addressed, and exelon is
5:01 pm
comfortable with the initiatives there. exelon also supports the president's executive order, and we believe that it emphasizes partnerships and allows good cooperation between the private sector and government. so finally there's positive movement to enhance cooperation between the electricity sector and the government. but we need to increase the speed of the establishing processes and procedures that will enhance our ability to protect the nation's critical infrastructure. i'll turn over. thank you, ed. good morning, everyone. my remarks are focused on cyber incident response. i would like to provide some context for the remarks. the electricity utility industry is one of the world's most asset-intensive. those assets are critical to society. many of them are necessarily located in harm's way.
5:02 pm
depending on the area they serve, utilities face different types of harm. earthquake, wild fire, ice storm, tornado. the industry has extensive experience given the importance to throct civilization and the role we play in providing electricity and restoring it. as such, all utilities consider emergency response planning to be essential to their mission, and this is no exception. all utilities have considered cybersecurity matters in the emergency planning for some time. but as the risk of a cyber event has grown, so too has the collective attention to the risk. phi takes appropriate layered steps to address it. for obvious reasons i can't talk about the actual steps, procedures, and systems in place. i can speak to the four broad categories under which they fall. the first is preparedness and prevention. one way we enhance the prepared
5:03 pm
and prevention effort is through information sharing. through participation in various threat and vulnerability. this includes penetration tests that go beyond their compliance requirement. assuring the grit -- with the intelligence community is critical. it's not, however, essential for try to know how it was obtained or by whom. often it is this sourcing that dictates higher level of secrecy classification and makes actionable threat information not immediately available. because the prevention of all cyberthreats is beyond the capability of any company or industry, the other two broad categories that all utilities address in the planning are response and recovery. the actions we will take in the event of a cyberattack. our extensive experience preparing for and responding to major weather events has taught us that having clear response
5:04 pm
procedure and protocols is essential to a rapid recovery. now a point worthy of emphasis. our focus across preparedness, prevention, response, and recovery, is to address what can be controlled by the utility. by that, i mean, the vulnerabilities that threat actors might seek to employ. regarding the prevention of vulnerabilities, the electricity utility industry is very actively engaged in that effort. utilities and the manufacturers that serve our industry actively participate with nist in the development and standards. cybersecurity requirements already exist. a process for keeping those requirements dynamic exists as well. so they can continue to address changing threats. we believe it should don't lead the process for setting and enforcing requirement for the grid. we believe there is room for doe, dos in cyber matters. they are better positioned, in
5:05 pm
our opinion, to facilitate a coordinated grid response to a major event. dpfs is perhaps best positioned to facilitate coordination across critical sectors in the case of a major event. regarding cyber response planning. it's important to bear in mind what most experts say about the likelihood of an event. you heard it already this morning, at least once. it's not if but when. phi, like most utilities, takes an all hazard approach to emergency preparedness. they think about natural disasters when not if. and the threat of a cyber event is thought of in the same manner. there are several key differences between a hurricane, for example, and cyber event. they must be factored in to response planning. for example, a hurricane comes with some degree of warning. utilities typically get the workdays in advance. detailed 72, 48, and 24-hour checklists are in place. cyberattacks are not expected to come with any warning.
5:06 pm
secondarily, situational awareness is essential to hurricane response. it is known with certainty when the event begins. systems and processes the utilities have in place can determine extent of the damage and the restoration priority. the actual starting point of a cyber event may not be known until well in the event. and the system they rely upon may be the target of attack. third, unlike natural disasters a cyber event could be a crime, a national security incident, an act of war. as such, the type of nature could vary greatly. every storm is different in terms of the damage on the utility system, the utilities response and coordination with external entities during the storms is purposefully consistent. last example, natural disasters are typically state or regional events. it's able to don't aid through mutual assistance.
5:07 pm
cyberattacks contemplated at company-based event there are scenarios under consideration that are industry-based events. for many reasons the nature of the attack complicates the mutual assistance process. so in closing, some key principles that should come out are one, emergency response is something that utilities have extensive experience with. two, we rely upon consistent and repeatable protocol internally and externally. the latter point there are probably a half dozen federal agencies with clear line of sight to a cyberattack on the grid. d.o.e., ferc, networking, fbi and the various intelligence agencies. what is not clear how the federal agencies will coordinate activity among themselves with state and local government and with the private sector during an event. what is also not clear what the trigger would be for a direct federal engagement with the grid in the case of an event. which will lead the engagement. how deep it will reach to our
5:08 pm
operations? what level of restoration. these need to be answered before an event occurs. through collaboration between industry and federal and state government, we can answer these questions in a manner that facilitates coordination when coordination is needed most. scott? >> good morning, everybody. i need to say i love my iphone as well. on hardware encryption they review app before they are published. some things that a few of the competitors might want to think about. anyway. on to the remarks. of the nearly 3300 electricity utilities in the united over 87% fall over the umm they typically have either an elected board of directors or some form of local government such as a city council or mayor. the utilities can be classified
5:09 pm
as small business with limited resources. i worked in a district in california. we are the sixth largest new municipality in the united states. we have a board of seven. we cannot underscore that electricity would be a significant target by those intent on disrupting the national security in the american way of life. electricity underpins the capability of everything we do and other critical infrastructure. threats are changing rapidly. a public website -- systems. there is no doubt we are being examined. many attacks use very well known exploits and could be -- cyber hygiene. plucking the low hanging fruit. patching, secure coding, creating a clear line between
5:10 pm
corporate and control system. and having a security aware work force. is it voluntary standards or mandatory standard? they have been working on cyber resiliency in 2003. directed by the north american liability corporation voted on by industry, and ultimately approved by the federal commission these standards require owners and operators to implement strict cyber practice that protect identify critical assess. now the selection and implementation of control is -- special publication 853 security and privacy control. we use the high moderate and low classification. even low classified systems will have some measure of control. one size does not fit all. we need to be mindful that regulatory regime can threaten our ability to
5:11 pm
respond. regulations have the potential to create a strong culture of compliance. while sacrificing security. the selection of control is based on continuous risk assessment and capability of threat actor and consequences of vulnerability being exploited. as an industry this is what we have been focusing on with the federal partner. led by the department of energy and collaboration with the national institute of standards and technology the department of homeland security we created two documents. first the risk-management process which tailored the special -- to the unique attribute of the utility operation by providing a systemic approach to frame, assess, and monitoring to cyber risk. secondly, the capability maturity model which provides them with an ability to measure the implementation of practices related to cybersecurity program management across. industry is significantly
5:12 pm
engaged with to the president's executive order and the voluntary cybersecurity framework. it provided a tremendous amount of professional capital. we see that this is a living voluntary framework that can evolve over time. focusing in on the cyber hygiene best practice we should be doing anyway. well, are we doing enough since the executive order was released we have seen a greater engagement of information sharing. we see a rapid release of indicators of compromise. this is critical so we get the actionable intelligence in the hands of the owners and operators. so they can assess their system. where we have opportunity to improve it. the coalescing of security event information across regions, and across sectors. to do it successfully, we need to make sure we follow the basic privacy -- i know that as we take the prove
5:13 pm
of u -- we do not see we would need to share that information about our customers. additional through concern of sharing information with the federal government and the executive order we are poised to share it. while information sharing is important, this alone is not going to increase our cyber resilience. over the past few years we have seen energy and security suppliers compromised. since we are not designing it we have to rely on suppliers to build it. in to the supply chain practices and now service practice. they hold back detail about the technology stating intellectual property concerns. this leaves utility with the burden of deploying compensating measure and increase the cost of rate fair and interoperate. just as important is the need to develop next generation of the cyber work force.
5:14 pm
we need to cultivate the energy system, but our engineering students to speak cybersecurity. i know, it seems like an odd statement. we have heard it several times this morning. it's not if you get attacked but when you get attacked. we cannot prevent cybercriminals from trying. but we surely can protect our systems, our people, our companies, and our grid by building resilient security to the ecosystem. thank you. >> great. i know we're likely going to have folk in the audience ask a few questions. as we prepare for that. if you want to walk to the mic. i would try to recognize you. please tell me who you are and who you are with. one of the things i want to jump on now, scott touched on something that is important to the industry. that is the privacy issue. the privacy issue in and of itself can be a real obstacle to try to
5:15 pm
solve this. and one of the things we talked about general hayden talked about was the information sharing and how you share that. how much you share, and who shares what with. i thought doug did a good job of placing something out there that i think is worth discussing. if we don't need the name of the actor. if that's not critical to us. if there's other information that quite frankly we don't need. scott, i have to agree with you that information sharing in and of itself doesn't solve the problem. we have to admit it's the cornerstone of solving this problem. without it you cannot solve it. so what would you recommend we do from here when it comes to privacy. i would invite torch join in on that. >> i think from a privacy perspective, we -- from a security event information, we do not have customer phi in that data stream
5:16 pm
at all. we agree that from a privacy we have no concern over the release of our security information. where we think that we have opportunity we're seeing what bsh municipality focused in a very -- in the center of state. we have california is a huge state. we have a lot of other utilities in california. wouldn't it be great if we could exchange information and say, look what i'm seeing. individually we think that information is just noise. together we see it's a concerted attack against our region. i absolutely agree. we need it coming from the analysis. that's critical information. we're able to take that and put it in to our situation awareness system and able to make the
5:17 pm
decisions based on that information. if we're just waiting for the government to tell us attacks, i think as 3300 utilities across the united states. we have a lot of information coming at us everyday. if we pull together in a more cohesive manner we could provide more information to the government in terms of what is actually happening to us. >> again, on the what was touched on here. information being shared with government. since the executive order in february, phi has a lot of outreach from our government partners interested in sharing information with us that is potentially valuable to us and being aware of the potential threat. again, we don't need to know who. we don't even necessarily need to know what the end game might
5:18 pm
be. we have active imaginations to know that. we need fairly boring stuff like known bad ip addresses. and i've received some of that. i've received it typically in a nondynamic form. something beneficial would be a form of dynamic. a feed of known bad ip addresses. i'm giving you some of the boring details of what i.t. people do. >> this is exactly what we need. it's the information we need. >> if we have information like that being provided to us on a regular basis. that can supplement some of the other layers of defense we have. if we know what the government knows, we can make sure that we're aware of some threats. obviously a lot earlier you know them, the better your action can be. as far as within the industry, phi belongs to a threat information sharing portal, along with i believe it's about a dozen other utilities. secure portal where we can share information with our
5:19 pm
industry. because we work for an industry. we are the notion of mutual assistance is baked to our dna. we come to each other's aid during storms and coming to each other's aid as we prepare for cyber event. i believe if we pursue both avenues we'll be better positioned. >> on the privacy issue, exelon takes the privacy of our customers very seriously. there are ways to protect that privacy whether we share information with the government. there's currently practice in place if you get a wiretap from a court. not a fisa warrant, but criminal warrant that nonpertinent information has to be minimized by the government. i would suggest that that practice can be adopted, and any information that the private industry would share with the
5:20 pm
government could be minimized and personal information redacted that was not pertinent to the investigation. so as far as information sharing, i think that information from the government as far as threats go, information developed by the companies themselves is the foundation for how we position our defenses. so we can't just say protect us against everything. we need some type of design-based. and that has to be based on actionable and timely. whether it's generated by the government or companies. and i would suggest that the nrc has a pretty good model of providing information to nuclear operators about current and
5:21 pm
emerging threats. so if we can adopt a similar model, it would companies position their defense to address the threat rather than try to protect against everything. >> yeah. i'll go back to the -- i think it was center for strategic and international studies report in 2008. it made three points. one, cyber is a national cyber problem. it's got to be dealt with. it also said it has the approach needs to be comprehensive and needs to use the full sweep of american capabilities and resources to deal with it. the third point was that decisions and actions must respect privacy and civil liberties. that's true at the federal level, and it's true at our level as well. we have to have the basic protections in place.
5:22 pm
i think as an industry, i think we have been pretty good at that sharing data with the federal government, respecting privacy, and from a fifth private perspective we share information all the time. i think at one point, we tried to tally the number of information sharing forms we had within our industry. and with the federal government. i think they are 64 or 65. so we are comfortable with doing that. we need to make sure that exchange information it's secure. we're using protection methods and civil liberty. we continue to improve that process. dhs has pcii program. we are comfortable using that. we used it in the past. we need to continue to evolve and make sure we -- on the way we go about protecting information, whether it's at the federal, the private levels. >> great. thank you. i know, we had a question before
5:23 pm
we get to the two questions. commissioner tony clark, if you -- we would have had you up here. and we thank you for being here. i know, your adviser is here as well. we appreciate you being here. we know the hard work you do. we know it's important to you or you wouldn't be here. i will have to say it's rare you see a commissioner in an open audience when they're not serving on a panel. i think that says a lot about commissioner clark. we appreciate your attention to detail and duty. thank you for your service. we appreciate you. let's give them a hand. >> first question. my name is david. i am with forbes. my question is for doug. i was interested to hear that signer is considered by. koa on the same threat level as weather event. given that weather events are
5:24 pm
getting more severe, and that utility the like that have had to spend a lot of resources to recover from storms, how much -- how many resources are going to be needed to protect against cyberthreat? and where the resource come from? we have -- the answer might well be they are across the entire property. security is part of everyone's job at phi. we have security awareness effort. i'm sure the other utilities do the same thing to make certain that everyone at the company understands what the potential threats are. what they can do to help mitigate the threats. in terms of the level of resources required to solve a problem, i think the key there is first off to define what the problem is you're trying to solve. i think you have heard this a few times up here. and it's worthy of emphasis.
5:25 pm
it's beyond the scope of the industry or any company in the industry to stop the threat. you heard who the potential threat actors are. i think it's clearly unable why it's beyond the capability. our job is to make sure we understand the vulnerability and do our best to mitigate the vulnerabilities. there's many different types of investments that are made i think it might be prudent if i went any great details on those. but to this point, we have the resources we require for the task at hand. however, we also heard the trend line mentioned here. how this is a growing threat. i think a reasonable conversation about cost recovery is useful in part of this. and i guess the point i would make on that is that it's important to understand what role the federal government will play in cost recovery, and what
5:26 pm
the state commissions will make. i'll make a couple of key points here. first off, i think we agree with the following statement. i think we would agree that the security of the electric grid is in the national interest. i think we would agree that prudent and appropriate investments in cybersecurity and continual cyber risk mitigation are in the national interest. i think we would agree a path toward recovery for a prudent and appropriate recovery of those investments is part of the regulatory impact. i guess the question for the audience might be are we better served if we attempt solve that driven by the vision of 51 different regulatory commission or driven by a consistent federal vision across the nation? again, as cio, i don't get to solve many regulatory issues. i'm not asked to solve them. in i.t. we deal with one and
5:27 pm
zero. it's very nuanced. i would simply ask that question of the group. is that the various role of federal government and the role of the state commission is an important question to be answered. >> anyone else have anything on that? >> let's go to the next question. >> hi. i'm a reporter with smart grid today. my question is on the nrc's suggestion that ed made. i've heard that before as it being a model for the electricity industry. i was wondering if anyone is considering it strongly or if they put forth proposal to the effect? >> i haven't seen anything along those lines at this time from nerc or networking. >> maybe you can elaborate on the analogy with nuclear
5:28 pm
industry, and what would that look like in practice? >> so, if we're going take the -- say as a clearing house for information, they would need a focal point for intelligence information from the entire intelligence community. they pull in from the cia, nsa, fbi, all the different intelligence agencies. then put together a suggestion about how to protect yourself against these threats. that's similar to the way the nrc does it. in practical terms, that's what i would envision. >> i want to make a quick point about the nrc. we're a nuclear company. we have brought in a lot of talent from our nuclear business to help mature part of our i.t.
5:29 pm
and compliance program. and we have brought their discipline, practices, and the processes to our program. and it's helped us mature, i think, and evolve to a very disciplined state. they have been used to operating under that level of prescription and scrutiny for many years. they have a lot of practices we have been able to bring in. it's a model we have looked at to help us at other part of our company. >> i would say the e sock is well positioned to be that mediator for us. with the involvement already the assurances that we now have on the separation between information sharing and enforcement. it would be a great way for us to be able to share information and have a body who actually
5:31 pm
an organization called inpo where the nerc is a great difference when you understand inpo is an organization that quite frankly does a very good job of self regulating the industry to make certain that they are safe and secure, understanding they are vital to the economy. having said that, do you foresee anything like that in the industry may be where there is something that steps into the role of inpo? >> for the nuclear transmission -- i mean for the electric transmission and distribution sector. >> one of the challenges i think scott got into this there is data and there's information and i think we agree those are two different things. you can be awash in data but not necessarily understand how to connect all the dots to make sure you understand what
5:32 pm
the key threat is that you are looking to address. so i think one of the challenges there's certainly a role for the data to flow into the industry through various means coming and we talked about a number of those as well. another key point that we want to make sure is emphasized is the need for the mechanisms to turn the data into real information, and that the role that government -- can play or other day agencies can play to start connecting some of the dots is the key and it's also worth noting that in the industry the ability to be able to take the data and understand how to turn it into information is very helpful and necessary as well. yes, sir. >> a former colleague of chris. and i think mr. myers raised this and i want to go back to it. that is the issue of effectively
5:33 pm
who pays on the regulatory contact and i think some of you said that resiliency is the greatest and it's not cheap, and so in my discussions with regulators -- and i think the chairman as well, regulators are looking for some kind of regulatory construct in which to be able to understand the cost and benefits of the investments that are necessary to both make the grid more resilient to the cyber assault and potentially recover the grid but yet, regulators are facing lots of conflicting pressures, rate increases, affordability, etc. so how do we talk to regulators at both the state and federal level, and how do we deliver some sort of model or regulatory construct against which regulators can make some sort of prudency or cost effectiveness or cost-benefit decision
5:34 pm
regarding what's necessary to protect the grid in a cyber situation? >> it is clearly a difficult issue or it would have been solved already. i think the point that is worthy is that again, when we are trying to solve this issue at 51 different commissions, we need to also understand the nature of the grid is such that it's one large system. it's interconnected. the actions or inactions in one state can have effects on other states. if you study the history of the industry, there are specific examples to be cited such as the 2003 blackout. you also heard mentioned earlier today by general hayden that it's difficult to build a business case for cybersecurity. i've never been asked to build a business case for cybersecurity. it is recognized within phi as a
5:35 pm
risk but no one has challenged me for the dollars spent. because it doesn't limit itself to that type of discussion. we do what we need to do to ensure the system is reliable and secure. so i think at some level of the conversation that the state level if it could be informed by the very compelling federal vision about what they would like to see, e.g. to the across the country do and what they would like to see each state commission get some guidance on a path to recovery for those investments i think would be very helpful. >> we have three iou's. we have a little different issue when it comes to the cost recovery because the cases don't go in front of the public utilities commission.
5:36 pm
quite frankly, the conversation they are expecting us to be taking care of them and we are very much a community organization. what i say and how the program is built and how they are working with others, we are an insurance policy and by the policy for a lot of things. you pay insurance in case of an accident. what we need to be mindful of is not every liability has to be mitigated. if there is no factor and no need for exploitation, i challenge those to think about whether the vulnerability needs to be mitigated or not. is that the right investment to make at that point in time. if we have an actor with the means to carry out an exploit and a vulnerability in which to exploit that will cause some sort of catastrophic event and those are the vulnerabilities we need to act on and i can stand in front of the board of directors and our customer
5:37 pm
owners and very clearly tell them bad stuff can happen if we don't do this. those are the cases that make a lot more sense to the american population, just putting that out there. >> i would just add that i agree the issue has to be addressed at the federal level. it can't be every utility in the country trying to recover the rates at the state level. and i think the president's executive order opened the door to the possible because it discusses incentives for companies that comply with cybersecurity. so, i think that may be a way for the federal government to incentivize companies to comply
5:38 pm
with cybersecurity. >> let me approach from a different angle and then i will come back to you. one of the things we deal with in the industry as we do have regulators that look over our shoulders. so when we make mistakes to scott's point if something bad happens we are going to have regulators asking us why did you not putting it and in this economy i think it is a very difficult time for the industry because for those of us that have had to focus on the pnl balance sheet and see how we are performing when it comes to cost cutting this may be some of the areas quite frankly to get the knife. and are you confronted with of right now, is that an industry for the issue and if so how are you dealing with that? >> i am expected in my role at the cio to make prudent
5:39 pm
important investments to mitigating a number of risks and to ensure the performance and stability of the systems that enable all their business processes. at this point i can tell you that matters of cybersecurity given the ceo focus have been one is better easiest to spare from the knife at present and that speaks to the level of commitment that the industry has and the level of ceo and board involvement on the issue. my concern, and the concern a lot of us share is as the trend lines continue and the risk grows, that path toward recovery for the prudent and appropriate investments is key and having some sort of federal consistency about what utilities should be able to cover i believe is in the national interest because as i stressed earlier we are only as good as our weakest link and want to make sure the companies that are supporting this
5:40 pm
interconnected grids. we meet appropriate investments and not have to worry about how necessary you have to argue for the funding of them to this and i would add to doug's comments we have a lot of support from the board of directors at the ceo at exelon for the security as a whole. but more specifically for cybersecurity. in fact we cruncher pulled our staff over the last four years and i don't see any cuts in that area on the horizon even as we cut back on other areas. >> i would echo those compliance as well. we don't compromise on a and we have a five-year plan in place to bolster our defensive
5:41 pm
investments on security technologies and compliance, so those areas are very important to the company had a strategic priority. >> i just want to say one thing. why spend a lot of time in the past industry telling people it's when you get a attack the question is what was the resiliency you have? a lot of things i do are about resiliency. they are about being able to be aware and respond because i know somebody's coming. at some point in time somebody is coming at me. we have a very good engagement because of that mantra of it's going to happen and i am an insurance policy. my board asks all the time whenever we are doing something as complicated. that, to me, is really important. that means they understand there
5:42 pm
is a risk they want to be sure is being mitigated but they want to make sure it is the right rest and not just some checklist or some requirement somebody spit out there that's actually going to add value to the security posture. >> what is going on at the federal level and what are they doing and developing housing the standardized lessons to fill in the gaps and to protect the local distributions. >> there are a lot of meetings for the providers. at the retreat the distribution system is exactly the same way that we treat our transition system. we have the controlled supplied
5:43 pm
to those. we classify and they may not necessarily fall under the designation under the standard of but we treat them the same. we recognize that it's fantastic to transmit power and to generate power that our customers expect us to actually deliver it. and so we have to take that burden on of already starting to protect our distribution. and from this margaret perspective, when we implement the smart grid, it went through our entire security posture and we looked at where the gaps were and looked at compensating measures and when we applied for or granted we built in a cybersecurity requirements into the gransta and built them into the smart grid so we are treating it the same picks connect security is in the dna of phi's approach to engineering
5:44 pm
systems. we didn't have sufficient features of something of critical importance and industry partners utility partners and worked with them on helping them shape the future direction of the product so that they have the appropriate features to keep the grid secure. we have chosen not to do business that have communicated to the vendors that if they do not have certain features on their products we wouldn't do business with them to read as more and more utilities deliver that message with in the marketplace i think you will see more and more having their volatile moment when they realize that seat belts and car safety is not this annoying thing that they are supposed to do. it is a basis for the sustainable competitive the advantage. and it's something that customers need and want. so we have not necessarily rely the first and foremost with the
5:45 pm
government is telling us we need to do to secure our system we are very compliance focused and we need those requirements to take them seriously but we go above and beyond those requirements as i mentioned earlier we conduct penetration tests that go beyond anything that it is requiring us to do. we take a system wide approach to these potential threats and vulnerabilities. and we do our best to make certain that we are making the appropriate security and function of the trade-off decisions. when you look at the people that have made the most money in the i.t. marketplace, they for the most part have led with functionality and not necessarily security. what we have done and what you have heard from the other folks up here is within the utility industry we take that security functionality trade off very seriously coming and if we have
5:46 pm
to do something slower in order for it to be more secure, maybe not move in any particular area we will do that because the security and reliability go hand in hand. >> so, at exelon in order for anybody to put something on the corporate data network or to bring in a new industrial control system, they have to go through a review process by security recreate the architecture team now that is dedicated to 3g when all of the proposals that come in and of the way that we view it and buy a and across the company is we have the argument that if it's not secure, it's not reliable. so when you're dealing with engineers who their entire careers have looked at things through the reliability that
5:47 pm
really rings true so they are more apt to come to us at the very beginning when they are getting ready to send out a statement of work or rfp for something they will get us and at the very beginning. >> anyone else? >> i think we have time for me one more. >> if you had a wish list doesn't matter federal commission, state commissioner, what ever what tools do you need that you don't have. whoever wants to come first, especially when we have a commissioner in the room we are a little apprehensive about what
5:48 pm
we may say now would be the opportunity to say here's what i need to come here is what is in my way. >> i think you've heard these referenced. for the response efforts we need very clear protocols and procedures along what agencies are responsible for what and lead the results in the opening remarks but the utilities rely on clarity and consistency when we respond to emergencies and that would be very beneficial to us. the second half would be again, information. and if that information can be the classified but the dynamic and at that boring level of detail where it's very beneficial for the i.t. groups, and i guess fer would be some
5:49 pm
degree of consistency around the path to recovery for the security investments. >> i would add to those comments, and i agree with everything he said as far as priorities go, what i would like to see is machine time information exchange what i mean by that is something similar that is being done at the national labs that have a federated model with some of the intelligence community members, the national lab is funneled into one location and then that information is pushed out by machines to all of the members so i would like to see something along those lines i think it is more of a technology challenge at this point rather than the willingness to share.
5:50 pm
>> i have a long list so i apologize in advance. first and foremost we need a trained work force. we need to invest in bringing up a generation of cyber professionals coming and we don't need to wait until they are in college to do that and we don't need to look at the i.t. field. i've got the parents that have young kids that know how to mess with their phones a lot better than their parents do. that is the age we need to start hitting them and bringing them up and make them understand what security privacy is. along with that we also need excellent sharing and i talked about that and i talked about bidirectional and getting the information from the federal government. i would like to raise my hand and the federal government i have information that might be beneficial to you and i think everyone of us at the table has information that will help the
5:51 pm
federal government make what they share with us more actionable. we also need federal lions and the federal government of who is in charge. everybody wants to be in charge but we've really need to know if we are going to call the backbone we need to know who is going to pick up on the other line, and it can't be a rotating set of characters. last, the need is limited liability for due diligence. i think all of the companies we are doing things that are good and something bad is going to happen at some point in time. the fact we did our due diligence doesn't mean automatically that we should be penalized for that. right? again it is how you respond. what we don't need, we absolutely don't need and this is coming from information security offices, i don't want the prescription control. that limits my ability to be agile. telling me everything i need to do to protect my system is going
5:52 pm
to create complexity and it's also going to create a security risk for my company. i need the controls in place that respond to threats, vulnerabilities and threat actors, not the checklist. thanks. >> i would characterize it more if i have three priorities i think need the most attention. one is that the nerc needs to mature and it's on the right path where there is latitude and flexibility for the entities to self identify and fix their issues from the security compliance standpoint. it seems to be the approach and i think that we are moving in the right direction. so, i am very encouraged by where that's going. i think that it's already been discussed as the information
5:53 pm
sharing, the public partnership needs to mature and needs to be more effective and we need to leverage more of the capabilities and offerings the federal government has to offer a round of the training. i think there is a lot of benefit that we can leverage from the industry's perspective. last, from the standpoint we need to continue to mature. this is an evolving process building this labor and regulatory constructs we need to continue improving making investments much in the workforce, bring in talent, bring the right technologies into place, automate. all of those things go in to a well integrated and functioning cyber program. so i would say that those are
5:54 pm
the three areas that are important to us right now. >> one last question. one word. i don't want you to get into it. you can do that later if you like. if we had to identify risks and say our cyber risk or more on the distribution side that is our weakest link or on the transmission side, which would you choose? which would you say is the weak link, transmission or distribution on the cyber risk? >> i don't think it is a distribution. i think it's a people issue not having the right folks in place. it doesn't matter what part of the business you are in. there are vulnerabilities everywhere and if you don't have the functional program, you have risk everywhere.
5:55 pm
it can be distribution, it can be on the corporate side, it can be at the personal level. so i think the risk is everywhere. it's the maturity of the program that is the risk in all parts of your business. i know that is a more complex answer than you are looking for but the risk is there. >> i would agree with chris. it could be either one, and i think it is a people issue. we found about 70% of all of the viruses that we get at exelon and cleanup are caused by people just clicking on things they shouldn't. it really is an education, awareness, and a people issue
5:56 pm
for the most part but it can exist on any distribution. >> i agree awareness is job number one and that is why we try to make sure the colleagues appear do the same thing and make sure every employee for every contractor understands what they can do to help keep our grid secure and reliable. it's a human issue and a supply year issue for sure. >> i didn't get a single answer that i was looking for. tony is sympathetic to that, right? let me invite the panel to do this. obviously the reason the bpc is here is to present facts and understand issues when it comes to cyber and how we deal with that going forward. we will be producing a paper.
5:57 pm
we will be writing that in the coming months. as you leave here i know you have been picked by the industry to share your information and you are intelligent people. we would invite you to send us any information you may have when it comes to how we do this better, how we do it best and how we make america safe. please, read the biographies. i want to thank chris and scott for being here and take a 15 minute break and we will be back at 11:15. thank you. [applause] >> i'm not some sort of antisuburb person who thinks that everyone needs to live in new york city. i was very sensitive coming across as a sort of espresso setting come macondo dwelling easily -- ellitest.
5:58 pm
i get fed up with a lot of the daily new york city life of lot. i was more drawn to the trends that were undeniable and the fact there is a shift in the way suburban america is perceived by the people that are there is too big of a story to ignore. cia and nsa director michael hayden says they will get worse before they get better. mr. hayden was among the speakers at an event looking at former devotees of the country's electric grid. the bipartisan policy center held the event yesterday in washington, d.c. this is about 45 minutes. >> good morning.
5:59 pm
if everybody would take a seat. i am phil krueger at bpc. for those that don't know us, bpc was founded in 2007 by former senate majority leaders tom daschle, bob dole and george mitchell. we like to say that we are bipartisan, not non-partisan. we work with people who are strongly partisan in the various parties but who believe that the good and the rigorous analysis, negotiation and respectful dialogue you can actually come to agreement on policy issues for the good of the country. it sounds crazy, right? but it's what we do. and i think that it's needed now more than ever. and cybersecurity really is a type of issue that can and should be bipartisan.
6:01 pm
it is also important between the private sector, how do we ensure why we do that would be appropriate privacy protection and if there is in fact, this conversation about when there is a successful attack. how do we limit that and how we respond to that we are prepared for that. so overall initiatives with cybersecurity is cochaired by the general and we will be the moderating panel later today.
6:02 pm
we expect to release this with recommendations with policymakers. we are going to start there. thank you again for coming. we think the partners for helping us with this story workshop today. it is a very important topic and one housekeeping thing at the end of each session, we will have time for questions and answers. we would ask you to come up and also introduce yourself before you ask a question. i am introducing my colleague, and she will introduce the keynote speaker. thank you. >> good morning. well, i know you didn't all come
6:03 pm
here to listen to me, so i will make it very short and sweet. i am the director of homeland security project at the bipartisan policy center and for those of you who are not familiar, it is chaired by former governor tom kean and lee hamilton, some who remember them as the cochairs of the 9/11 commission. they have come together with experts to make sure that our country is keeping vigilant and remaining ready to face any threat that we face. honestly it is something that a lot of people are talking about. but not a lot of people know exactly what to do about it. that is why we are so thrilled to be working with the energy team on this lecture initiative. general hayden is here to speak with us this morning. he is the cochair of the initiative and general michael hayden is a expert on the issue
6:04 pm
of cybersecurity. the director of the csa and nsa. he is going to spend a few minutes talking to us about the threat as he sees it. then we will open it up to q&a as joe has already mentioned. so without further ado, i would like to introduce general michael hayden. [applause] [applause] >> good morning and thank you for the chance to chat with you a bit today as carie lemack suggested, i will try to limit my time up here to about 20 minutes or so. i get to do the strategic overview. what you have are people that are far more expert in the
6:05 pm
definition of the problem and sponsors to the problem that i think we will all identify with your today. folks in government, folks in industry, federal government, state and local government. think tanks you can come and perhaps begin to map out the way ahead that we want to see reflected in our final report. zelezny began. the cyberthing is very important. i think it is here to stay. we kind of messed it up. i actually did that at a conference about four summers ago in las vegas. i leaned forward. i was at the ballroom at caesars palace. i leaned into the darkness out there with the bright lights on the inside, as an american g.i.,
6:06 pm
i have used cyber as a domain. land and sea, air and space. cyber. and i know we did a reasonably good job. and i think i know who did this one. that is you. i kind of leaned into the darkness and said okay. no one said to get the rope. there were mild giggles and we moved on. but we did kind of screw up. looking back at the history of this thing. i mean, we are lucky enough to have people that created this. we are in great falls and we're talking to students about being out there, those that are starting to respond. give me something that connects
6:07 pm
a limited number of labs and universities so i can get information quickly and easily. keep in mind that the statement is quickly and easily. that remains the architecture of today's world wide web. that is why we are in the position we are in today. it wasn't built to be protected. it made no more sense to build defenses into the original concept and would be for you and i to put a locked door between the kitchen and dining room. the whole architecture of the house it is an unlimited amount of individuals, most of them i do not know. but it is clear, as i can put it.
6:08 pm
now, let me talk about cybercenters. since we are he suggested this. three cents. the first layer of sinister stealing stuff. and the former deputy secretary of defense wrote what i think is still the seminal article. bill pointed out the things it is cyberespionage, criminality, information, it's your pin number, it's your credit card number you're going to get this commentary pretty soon. the second player has become more active. it is not just stealing your stuff, it is disrupting the
6:09 pm
network. so estonia, 2007. crashing their internet system because they were mad, they were moving able morrill out to the suburbs, same actors in 2008. bringing the net to its knees, which was using for command and control. more problematic, more personal for you and me. 35,000 hard drives wiped clean. take your enterprise, and imagine tomorrow 35,000 hard drives being wiped clean. you get the picture. although our government has not quite announced it yet, i think that we know this is the iranians. they feel offended in the cyberdomain and we will get to that in a minute.
6:10 pm
they have been attacking american banks with massive service attacks. serial attacks against jpmorgan chase on the list goes on. i talk to one security officer who said that you and i hit the website about 15,000 times a minute. they're getting 3 million hits a minute at this height. a lot more disruption. then finally using this domain appear to create effects not confined to my son here, but creating effects down here for the most dramatic example of that destroyed about a thousand centrifuges at a time. it is too complicated to be done in the garage and basement. but given my background, i think
6:11 pm
it is described as i just described with a slightly different words. someone using a cyberweapon to destroy critical infrastructure. and that is a big deal. you might have seen me making a comment on 60 minutes about a year and half ago. they have a legion on the other side of the river and life is going to be very different. so stealing this stuff, destroying the infrastructure. so who are these dinners? criminal elements, one group that i have trouble defining. an artist, activist, 20 somethings talking to the
6:12 pm
opposite sex. the capacity to do harm is pretty much the way i laid out this. criminal gangs, then you have this down here. and this is kind of good. because as bad as governments could be, they should be held accountable. so you have criminal elements, they can be pretty dangerous. the fundamentally criminals want to make money. and they enter into a symbiotic relationship with whatever their target is. it is a strange creature who enters into this symbiotic relationship with a host that they want to kill or destroy. so i think criminals are somewhat limited. what worries me is this.
6:13 pm
do you know better than i that the tide is coming in and all the boats in the harbor are going up. this is beginning to acquire capacities that may be a year or two or three ago, we equated only with someone more competent or capable. we are beginning to negotiate with capacities. so one example would be edward snowden. bringing a matter for trial. what does this group do? so who are they going after?
6:14 pm
who, for them, the world trade center's? as they were for our kind of? so i guess what i'm suggesting is it's going to get worse before it gets better. and i mentioned it before. let me give you a couple of reasons why it is hard for us to defend ourselves. pulling you through a knothole here, just talking about intelligence and operations for a moment. intelligence is what you do before the operation. you have to know your operation you have to know your enemy. so it is sequential. until first, operations next.
6:15 pm
i would suggest you that as hard as intelligence was sometimes, it almost always -- and this is pretty close to the universal rule, intelligence gathered was almost always easier than the actual operations they were going to try to perform. they threaten the united states. that is in the physical domain. now, let's talk about this. reconnaissance up here still happens before operations. you have to have another target before you operate against us. but unlike the physical domain,
6:16 pm
the reconnaissance is harder. it is more difficult to penetrate a network and live on it undetected. extract what you need from the network for a long period of time and to continue to operate it. it is far more difficult to do that than it is figuratively and metaphorically to kick in the front door or something. in other words, up here the attack, it is a lesser included case of the reconnaissance. if i can live on your network undetected for intelligence purposes, i have already established far more than enough control to use your network for destruction or destructive purposes. so that is why president obama mr. state of the union, when he
6:17 pm
makes this cyberpoint, he talks about enemies on our networks. enemies on our grid. and why that is so disturbing. because of their armor and undetected, whatever their intent, they already have the capacity to do harm. without question the country out there stealing our stuff the most is china. and there is evidence about the chinese, there is evidence that they are under industrial control networks, as well as penetrating networks and negotiating positions and the like. but frankly i find it hard to imagine circumstances where
6:18 pm
china would want to do something incredibly destructive to any american network. the great absent that is far more problematic in which the cyberattack is part of a larger package. the bear with me for a moment. i mentioned around. what would prompt them, a very bright nation, what would prompt them to try to inflict economic pain it is limited kinetic action against iranian nuclear facilities. you know, i'm not trying to be
6:19 pm
predictive of here, i'm just trying to be illustrative. okay. this will get worse before it gets better. now, a few words on how to make it better. a lot of this is heading south. what are the steps we can take is a prudent people. again, appear, it is much harder for us. we didn't have a lot to go with on this domain, so don't defense is very hard i stand by the fact
6:20 pm
that we will one day have one of the most well-designed and networks on the planet. we as a people have not yet created a consensus as to what it is we want our government to do up here. or what it is we will let our government do up here. it's easier this point in the speech. i say, okay, give me another 15 minutes, and you'll be all scared of your iphone or blackberry. i usually get a response from
6:21 pm
the audience, yes, he is right. select two years ago i am up here in the contract is over. and you know how it works. young kid comes up to you, and he is telling me its features and he points to the iphone and he pulls up the page and says, 400,000 apps available. then he turns to do something else. and he says, this kid really doesn't know who i am, does he. [laughter] i mean, those are attacks and i can generally convince the audience that this is a gateway and most americans say, okay, where's my government. i pay taxes, where's my government defending me.
6:22 pm
and so then some actually do a lot there are phones and blackberries and what do they do? and check their e-mail. i was waving my arms of their 20 minutes earlier. so it's like, gee, i wish the government would hear. [laughter] and so we have that tension. for all of his recent stuff, they have a bipartisan bill passed the house of representatives a very modest bill about information sharing.
6:23 pm
6:24 pm
so next time the sound of pounding hooves comes over the nearest ridge line to your cyberrescue. to a degree, you have never expected it down here in the physical domains it has cleared another useful approach with regard to dealing with this domain and its inherent dangers. that is international cooperation. i'm has release of alleged hacking the chinese computers was timed precisely the few days before president matt with the chinese president they were to begin an honest dialogue about cyberbehavior. that turned ito
6:25 pm
6:26 pm
the private sector is the issue and the private sector is also doing some incredibly interesting things. there is a tremendous intellectual framework out there in terms of reducing vulnerability, managing consequences, or precisely identifying the kinds of threats that we should be worried about. let me give special credit to ministries season. one is financial services. the other is the electric industry. they are different, that they enjoy one thing in common. if something goes bad, you will notice it. so they know that they are on the edge.
6:27 pm
we are hoping to be safer and more secure. there is a lot less personally identifying information sloshing around in the electric problem than there is in the financial services problem. i would suggest that the electric industry understands how lucrative of a target they are so most people are seeking opportunity, perhaps if they have a few less of the problems that.
6:28 pm
so this is the kind of relationship that we will all have to develop over time so what are the avenues by which they can move forward. a point that i simply wanted to make her at the end is other industries are going to go to school. and that actually is a pretty attractive proposition. kerry said we could have some questions. there are microphones here and i'm very happy to take whatever you might have. [applause]
6:29 pm
[applause] >> thank you very much. >> please introduce yourself and your affiliation. >> thank you. i'm spencer with the guardian. >> you suggested that in the event of apprehending edwards noren a mother could be cyberterrorism is a reprisal. could you outline three skills where they might occur and what evidence do you have that causes you to say something like that. >> yes, i am just trying to illustrate that you have a group of people out there who make demands. the demands that may not be rational or the kinds of things that government can accommodate. but certainly he has created quite a stir among those folks who are very committed to transparency.
6:30 pm
i don't know that there's a logic between the american institutions if so, what with that level look like is what you're asking and again, thank you. i said that there are three levels of attacks. this one down here worries me the most. but they become more capable each day. i cannot predict you were one or another element is dispersed, where it might have skills with vulnerabilities. how much of an effort he could put together on short notice. i know nothing about that. but i do know with wiki leaks,
6:31 pm
they conducted service attacks against american kirker companies and paypal and someone as theoretical punishment for steps that they took. also that could happen again. thank you. >> mr. hayden, i find your comments interesting about the way governments are getting bombarded with cyberattacks everyday. is it fair to assume that one of the potential ways to combat those are both a reduction in communication electronically. and is it fair to assume that governments and private sector would be looking at information and the like, if they know they are being attacked, i assume you could create this data to send people from a cyberperspective, wouldn't those be a couple of other ways? >> yes, obviously.
6:32 pm
to make it less lucrative and more problematic. those who are less sophisticated, one idea i have heard, and if i say a lot about it, i will be truly making it up. but from my liberal arts background, people talk about an additional network, taking a mulligan up your, you know, getting a do over on the fairway. and here it doesn't mean i'm doing what we have done. it is keeping what we have for everybody who wants to buy this and make their own privacy and postings on facebook. so forth and so on. they enjoy the freedom and they create another environment that is less ubiquitous and easy to use, it requires this and isn't as nearly as fast. it is really hard to take this.
6:33 pm
i'm a history major. i reason by example. i have been to london. soho back then, theater, art, dance. freedom and liberty, drugs, prostitution, petty theft. that is over here where you get the maximum liberty and maximum danger. most houses had fences around them before. i don't think they aren't nearly as interesting as soho, but again there wasn't much petty theft there. so there may be a future in which we began to build an alternative universe that actually has security from the
6:34 pm
beginning rather than trying to apply it here. >> next? >> general, this has been very interesting this morning. you said you're only 10%. that may be true, and some may consider it 90% propagated. because you raised this apprehension. and of course the chinese consider kidnapping. i am sure that your member the united states and israel together happen iranian nuclear facility together before they started attacking this and so on. giving this product heated
6:35 pm
speech that you are giving here, is that meant to provoke the united states government? >> first of all, it is not a government contract. we have had our fill of the government. there's lots of questions in there. hang on. there are two countries on earth that have a cybercommand. one of them is the republic of korea. the other is united states of america. when you mentioned the deputy secretary of defense during three years ago, the most important line in the article was the deputy secretary of defense. a seminal american article on cyberthinking. not by the office of science
6:36 pm
policy in the white house, not by the u.s. trade representative. not by anyone except the deputy secretary of defense. i am catholic by tradition. so bless me, father, i have sinned. we could be accused of nudging the militarization of cyberspace in that direction. by the way we have talked about it as a nation and we have organized ourselves as a nation. you talk about the earth's atmosphere, air dominance, cyberdominance, on command. that is how we talk about it. so i get it. i have no views on who may or may not have conducted this. but i have been very public with my views as to that being a big
6:37 pm
deal. were i understand the difference and destruction is dramatic. but someone just use a new weapon in this weapon will not be put back in the box. i get all of that very much. i was probably provoked by edward snowden's in the comment about him being here in america. we are really good at that spirit is a security agency, we were number one when it came to stealing stuff in the cyberdomain. we steal stuff to keep people free and safe. we do not steal stuff to make anyone rich. that is a big discriminator.
6:38 pm
>> hello, general hayden. sir, you seem to be confident about the ability of the grid and the assets. executives have to make cost calculations. they have to weigh the costs against the threat or risk and the kind of incidents that you're talking about a low probability but high-impact, a commendation that you're familiar with from the intelligence world. are you comfortable the private industry facing low probability of incidents that would have a high-impact are going to make the same sort of cost calculations and expense calculations that an agency would make? >> yes. even in the probability of an
6:39 pm
attack, it is infinitely less than the cost of the surrounding society it in no way came close to what it costs in virginia. so in addition to that low probability, we also have backup costs may be more confined there for what you need to do, it is really hard to do business. it really is. so it is more of a broader responsibility in terms of good corporate citizenship. one experimental idea is not quite tied to this.
6:40 pm
it then spreads and i don't know what cyberinsurance looks like quite yet. but i can imagine cyberinsurance for lost my stuff in my network, or i have a big class-action suit because all of that personal information is out there. but there may be ways to create the structure and a kind of check the shingles on my house now before i buy because insurance is different. spread the burden over the society, but the government
6:41 pm
chases with the fact without coming through the industry and checking things off. a great question. we have a lot of work to do. but i think that there are ways. >> i think we have time for one more question. >> yes, thank you for your comments this morning. i'm from the state utilities commission of missouri. you have mentioned in your talk about congressman rogers and the bill which stress information sharing. my question is how important do you think it is for the federal government to share information about threats with the utilities sector. and do you think the federal government is doing a good job in that area and threats that the electric industry can take into account and respond to.
6:42 pm
>> yes, when i talk to anyone in government, and they tell me that i'm doing a really good job [laughter] >> it is not quite the glowing review. going out there, stealing stuff, about a the fifth of the agency's defense. it also has a responsibility for protecting government secrets here in the united states. offense and defense rotate around the same concept but even
6:43 pm
6:44 pm
corrupt decisions has been a strategic problem. the industry is unaware of and i actually think that the more we can accelerate it, the better. and we will take it back a little bit as well. i think that this is in the direction of offense, to the degree right now, what we need to do is accelerate it. because i think it will go to a positive direction in time in which it is located. the sharing of information, that is how that works. it comes back to the core problem. what you want to do with vulnerability.
6:45 pm
6:46 pm
i think even the question and taking the opportunity to say that although this allegation seems to point to this, they share intelligence with almost everyone, to the benefit leaving it at that. >> while the senate is on break, many senators are holding town hall meetings. constituents asked him about the surveillance program. here's what he had to say. >> when the government shuts down, does that mean the president and the judicial people don't get salaries as well?
6:47 pm
6:48 pm
shutting down the government come at the end of the day, it's a very risky thing to do. >> okay, i'm sure that there are concerns. people talk about obamacare. trying to do what we can to stop that. i would say that the biggest part of the frustration amongst us have is we say okay. i think that it's too difficult and really frustrates a lot of
6:49 pm
people. we sort of see people on the other side sort of fight tooth and nail. they are playing dirty and the question or the issue that i want to get to a sort of the world we find ourselves in. this is the situation that is going every three months as part of the secret court which you can appeal to they don't need a
6:50 pm
warrant to put this tracking device on your car. you have an irs who has an official position is that they don't need a warrant to check your e-mail. they targeted tea party groups and so far nobody has really paid a price for that nothing is being done to rein in these government agencies. the only privacy is what the government says you have.
6:51 pm
i was really pumped, i was really happy about that i want to know why you were voted for the nsa -- they are collecting that information, no one said they are listening to this. if you ever thought that wasn't such a big deal and if there is no expectation of privacy to the records, and then when can we expect you to publish your work on calls online so we know that you called? >> that's a great question. >> that's a great question. this is one of the most important discussions in the debate.
6:52 pm
6:53 pm
6:54 pm
leaders of the country that feel the same way. but they would've stopped the program. i applaud him for bringing the amendment. and i don't blame you for using the only legislative vehicle that you have, which is amending the defense bill on this issue. investigations where we hold people accountable for people under criminal investigation not
6:55 pm
only is the irs refund from obamacare, there is real cuts and i think that the same thing needs to happen in terms of this really detailed and thoughtful examination of the nsa but i don't think that we ought to immediately toss out a program and to we think about it and know about it with all the security people on both sides of the aisle, they tell us that it has made a difference. >> okay, so i like to point out that we wouldn't know it until it was too late. it would be like the thing is -- i know that, or -- or i guess i have read, that the way that
6:56 pm
this is the controversy first started when bush was president. they weren't marked these phone calls and get these records were someone who was a suspected terrorist outside the borders of the united states when a person contacted someone within the united states, you're going to go and get a fisa order. and i i felt a little bit uneasy about that. it is one person come in two people, whatever it was with known terrorists turned there are things without saying that we need a database of your phone calls we need a database of that.
6:57 pm
regardless fact is that they have the capability of doing it. but we don't know that they are saying no eventually it will get abused up we have the ability to take a look at that when you have a chance to reconsider this stuff. you know, i know these people are good people. but my point is that good people are not always going to be there. and i'm sure that the people who work for the irs that were abusing taxpayers will do their bosses told them to do. and so really that is the only response i have.
6:58 pm
never just blew it for you to reconsider that and keep in mind that you can trade this for total security. >> yes, i agree. >> well, i agree with your point. and congress will reconsider this, we'll keep looking at it. probably coming up with a legislative angle. but the key part to me is so far. and i want to emphasize this we haven't found persons that have come forward and no whistleblower. but i think that the issue is worth looking up they walked in
6:59 pm