tv Key Capitol Hill Hearings CSPAN February 15, 2014 6:00am-8:01am EST
6:59 am
>> as we heard from some of the government speakers in terms of whether it is embraced or not, we have seen a lot of companies talk about how they are applauding the release of the framework and that includes at&t, the chairman spoke of the release at the white house, there is general support for the framework but as to whether that continues, will the framework be used as it was intended so it remains a flexible, non-regulatory risk-management tool? if it continues down that path you will see fairly widespread use among the private sector. as for whether or not the framework is going to improve cybersecurity, that is a harder question to answer. clearly the framework is intended to raise the bar for cybersecurity to make it more difficult for attackers.
7:00 am
that is something that would be helpful for medium-sized businesses, you may not have sophisticated capabilities today but we should probably clear any reasonable expectation: cybersecurity is an ongoing issue that won't go away anytime soon so there's no panacea here to solve the problem. >> i would like to echo what nadya bartol was saying because what i have seen about a common language is a lot of times when i have a board of directors or senior leadership conversation, usually before they start with me they say, in english, please. having some common language is a really important thing at this juncture because we have eyeballs on cyber to a greater degree than we ever had in history. and it is incumbent upon us to take advantage of that and develop a mechanism to talk about cyber in a way that is understandable to that group of
7:01 am
individuals that make these key decisions from the standpoint of governance, expenditure of resources. that is important. i am sure we will talk about the supply chain and other things as well, as we go forward, but one of the things i have seen in conversations particularly with andrew, when we have met with them, my bankers have said this is a process which we actually are already utilizing within our financial institutions. the words may be a little different, it may be described differently but there's a process that a lot of institutions are already going through. one thing that will be helpful is to take it one step further and talk to our supply chain partners about that and give them in some cases a place to start because a lot of times it is difficult for companies that are less mature to really know how to structure this within their organization, let alone talk about it. that is my key observation.
7:02 am
>> there are three key questions in that. usefulness and how it will affect security. will it be useful? i think yes. fundamentally i will start with the point that it is flexible risk-management guidance and one of the differences between this and a lot of the standards we have seen today is the framework does talk about what the outcomes are. in other words what needs to be done, and it doesn't specify how to do it, and by doing that it gives the flexibility for organizations to evolve and innovate security practices to meet those outcomes and doesn't get stuck in the how. other standards are more focused on the how. this really does, as my colleagues said, bridge the technical communities who are dealing with standards with the business community that wants to know, am i secure enough? it provides a translation
7:03 am
function between the two. will it be embraced? i think it will be embraced. as we heard there are critical infrastructure organizations across all 16 sectors, many are doing good things today and have done so for market-based reasons, my organization included. that said, there are inconsistencies across critical infrastructures in what they're doing and this is an opportunity that will be embraced to say what is the right thing to do here? does that mean we don't need incentives? no, but are incentives required to advance progress? no. both cases. the last thing, on improving security, i do think this will raise the bar of security across the critical infrastructure community. i don't think that it will end up necessarily fully addressing the full range of national security risk facing our critical infrastructure and that is a conversation that will need to keep evolving but it
7:04 am
will raise the bar which is important progress towards that overall high level of security necessary for our critical infrastructure. >> what was that? [laughter] >> i can certainly speak from the centurylink perspective on this question and when i tag onto will it improve cybersecurity, i think this entire process is already successful. it has gotten into the common vernacular, and it has been talked about across all 16 sectors. let me drive down operationally, it is snowing out there. the weather is bad. tornadoes, floods, whatever, we are accustomed to customers going i have done my risk-management and i need to have circuits that i know will keep coming up and have a service level agreement on redundancy and diversity, and not until about two or three years
7:05 am
ago did i have very many customers coming to me and saying we are assessing our cyber risk and wondering what you could do to help with this. and i tell you that that has tipped. the fact is that we now have a common taxonomy and we were already seeing, do you think you can help us out in .3? that is huge, that is huge. so yes. it is new, it is nascent. we are trying to raise the bar particularly for some of the companies that have not had the opportunity to think about things for cyber orientation, but speaking as someone, a company that can provide support for many of these elements, yes, this is already a huge success. it is now becoming part of the vernacular and customers are asking us what can we do to
7:06 am
mitigate. >> let's start at this end. and just follow up on that. does the structure of the framework and the language in the framework speak to all the audiences that it needs to? we talked a little bit about supply chain. does it talk to the executives at the corporate level that you deal with and does it speak to audiences going down within the company and within a big company supply chain? >> i know at the sector level we worked extensively to review the language and in this case we are in washington, we speak more executive or policy language and we got it. it took some time. more importantly at least at the sector level, we spent a significant amount of time talking to the risk managers in companies. do you read it? do you get it?
7:07 am
do you understand it? are you happy with it? do you implement? most importantly you have to drive it down to the very operational level and once again we were fortunate because we had such broad representation and frankly people were very generous with their time to have practitioners, people who would have to tweak the bolt, put in the filter, whatever it was, to be able to speak a little bit more operationally. did they get it? did they get the intent? without question one of the reasons we are so successful is we could meet those bandwidths and they both came away with what they felt was important for them. there is still more work to do. i know at the sector level we will be working with all the various trade associations to be able to further flesh out the framework in such a way that it is more communications sector
7:08 am
specific, we have work initiatives within the sector, some with dhs, some not, some in the industry that are very much focused on that. if you are doing this, that sort of falls into that. so there's a quick shorthand so that no matter what level you are at, putting in the filters or putting in the protocols or creating the plan or looking at it from policy and strategic and board level, to understand how can i read this and interpret this from a communications sector perspective. so far so good. you have to do education outreach and feedback and over the course of this coming year the feedback will be conveyed, communicated and used to evolve the process further. >> you have customers, microsoft has customers at every possible stage of maturity in terms of
7:09 am
their cybersecurity posture. do you think this provides the common terminology, the common language for you to use in talking to these customers? >> glad you asked that question because it builds on catherine's point. as part of the development process we both engaged inside the company across different types of audiences that exist in the company, everyone from the person who's doing coding of a particular feature up to the senior level decisionmakers who are talking about research in security, so that was the internal conversation. does this meet all the different levels? and to your follow-up question, the same conversation with a bunch of external customers, and that gets to what catherine was saying earlier. we have people coming to us saying what is this framework and can you help us figure out what we need to do with this, and so i think it has -- it does start to hit the language that
7:10 am
matters to different communities. there is still going to be some work done on that as you roll out the voluntary program because it is a 45 or so page document and it does have a language that speaks to everyone; as it rolls out its voluntary program they have to think even more about customizing and specifying various messages for the audiences but overall i think it is driving a conversation inside of organizations and between it companies, communications companies and our customers about how to drive this culture of risk-management and in that context it is a win. >> does it give senior executives the type of information they need in a way that they can use it to make investment decisions on cybersecurity? >> yes, i think it does. largely that has to do with the fact that it listened over time. we saw migration in that
7:11 am
language, cleaning up the definitions so i think we have some ability to use that. i go back to conversations i have with ceos now because one of our main missions is to really, particularly in the community bank environment, ensure that language exists for ceos and their boards and part of that mission, one question or observation i get a lot is when i listen to you you scare the hell out of me and i go back to my institution and they say everything is okay. that should not be the end of the conversation. it should be the beginning of the conversation. but what is important is the questions being asked because if you went back two years that question wasn't even necessarily being asked sufficiently within the senior management suites of those organizations so when you get to the point where like i said before you have those eyeballs, where did they gravitate to? they might gravitate toward
7:12 am
regulation. but regulation in a lot of cases can be quite technical in nature and so what is going to be some overlying document that a manager can look at to really get to the right questions? and so i think, charlie, this framework does start to do that. i think this is an ongoing conversation as angela and kathy indicated. i think this will continue to morph as time goes on. it will get better as time goes on. i think dhs and the national security staff will help us with that as this migrates away from this and toward a more collaborative, not more collaborative but increasingly collaborative environment based on what we have already done, so i think we have a good basis to start. >> does it speak to an audience in a very sophisticated company such as yours, which is at&t, as well as again that very, very varied audience through a
7:13 am
large supply chain? >> i think it does. i think it is the best effort i have seen yet in trying to bridge the gap between technical standards and how to talk about cybersecurity. it is still a 30-40 page document so i'm not sure i would call it an executive level document but it has a lot of good information in there and i think there is still going to be some challenges in breaking it down in simple terms but it is the best effort i have seen and will be useful for at&t, we have a robust cyber program in place today that we will be using to see how it happens and i think from an executive perspective, the tiers are the most important element because it gives you an idea where you stand in different practices and if you have a more desirable level to which to go it gives people a way to understand where am i now, where do i want to be in the future. >> nadya bartol's membership is
7:14 am
very, very varied and lots of companies and utilities within there. is this something you are going to be able to use to communicate and talk with them throughout these different levels? >> if one looks at the collection of utilities that responded to various comments at various stages of the framework you see huge companies, and anything in between, all kinds of ownership types; utilities certainly picked this up as an effort of interest and importance and as a tool that will be useful for them in things they might not have been able to do in the past. and we heard at the rollout event about a framework to speak to board members which was great and other members have told us about a useful thing that they can use. i would like to note the membership is not cybersecurity by and large. it is technology practitioners in utilities who don't do cybersecurity day in and day out and that is the audience of the framework we haven't fully teased
7:15 am
out yet because again cybersecurity people know what we need to do and all these standards referenced in the framework and the compendium, the folks who buy, implement and maintain technology in our critical infrastructure who don't cook in this soup all the time, they need to use these tools in the toolbox to communicate across the organization with their cybersecurity colleagues or their it colleagues all over the place and that is the hope. >> why don't we continue and take on a question the last panel addressed about the metrics for success. how do you determine this framework is successful? >> the program as a whole? >> the framework has already been successful in a certain way because it raises the level of national conversation on this topic. over the past year there was a group of how many hundreds of
7:16 am
people who came together to talk about this? it has been all over the news. my friends who have nothing to do with this ask what is this thing? and that is a good thing. it is positive even though there are all kinds of opinions. in the utility sector success will be achieved when we know in a certain way that utilities of all sizes have looked at this and they have implemented some sort of minimum security practice. whether they have done it to the framework, whether they have done it -- it really doesn't matter because the framework encompasses them all. so when we can, when we see that there's some sort of adoption of some sort of cybersecurity practice i think that is success and in pretty commanders are lucky that the mayor had a great role in putting together and bringing to the world so we can actually tell things are happening. >> chris, they will probably
7:17 am
never have a victory parade in the cybersecurity space but how do we determine -- how do we determine we are on a successful path using the framework? >> definitely, having been in the cybersecurity discussion in washington, we were talking a couple years ago about how to elevate cybersecurity, so the framework and discussions on the hill have accomplished that. there are conversations going on at a higher level than we ever had before and a lot of questions from senior executives about the framework and cybersecurity. it is a confluence of issues, the framework, the reports on security, so certainly cybersecurity is elevated to a higher level than the past and as an offshoot i think companies are looking at cyber practices which as a whole makes us more secure than we were, but as far as the framework itself goes the easiest way to measure its success would be to see how widely it is being used. the reason i say it is the
7:18 am
framework is a voluntary framework so if it is used widely you are presuming there is some value; the companies that are looking at it are saying there is business value in the use of the framework, making a decision to use a voluntary framework in their business, so if it is widely used that should mean companies are presuming there is some value that it provides from a security perspective and that should mean the bar is being raised in security. that is how i would look at how to determine how it is -- how successful it has been. >> do you think we and the government will have the ability to measure whether it is being widely used? >> that remains to be seen. that was a topic of conversation a couple days ago and the government speakers, not sure how it will play out but that is an open question i think. >> some of that gets into is there a certification at the end of the day which we seem to be moving away from in terms of adoption. one of the things we learned from the fraud environment that can be
7:19 am
very helpful in this environment going forward, if we want to find quantitative measures: qualitative measures will be there. the quantitative ones are more difficult. over time, how well can we measure what we stopped as opposed to what actually has gotten into our systems? on the fraud side we do that very well in financial services because there is no way for us really to justify to management our expenses in fraud mitigation unless we can measure what we mitigate, what we prevented from occurring in the fraud environment, and so we have done a good job defining what that should look at, how we measure that, and we have done that essentially since 1997 and increasingly we are measuring that in the electronic environment, and by way of example if we can do ten years from now what i'm about to say we can do since 1997 for fraud, in the cyber incident versus breach space, we have done well, and that is in 1997 for every
7:20 am
dollar of fraud we stopped within the demand deposit account environment we lost a dollar. in the last year for every dollar of fraud that we lost we kept ten dollars from going out the door and those are the kind of quantitative measurements that we should be able to develop over time to measure levels of success in individual institutions as well as industries overall. it might be a helpful way to think about it. >> i'd like to put out a caveat. success sounds like a finite place. we are all going to arrive at success, throw a party and it will be exciting but that is not how cybersecurity works so we have to manage expectations about what we can think about success looking like and the way i think about success of the framework and voluntary program is if we can move forward within a phased approach, the phase we are in right now is we have just
7:21 am
released a document two days ago, there aren't a lot of additional incentives out to bring people along who haven't necessarily been doing things already, so what we have in this phase is the opportunity to touch people and make them aware of this process, to drive that cultural change the framework does want to affect, and as we move further down we can then think about, as i said earlier, what are the target audiences. are we reaching the right people? one of those common challenges in the critical infrastructure space has been defining what is critical and focusing in on the areas of highest risk and so as we move past the outreach and awareness phase one of the things i encourage us to think about is what are the right target audiences? are we touching them and getting this feedback from them: is the framework useful to you? how did it work? what were your challenges?
7:22 am
those are two initial phases and i believe as the incentives get built out and we get feedback on how this is being used we will have more information to see what those metrics should be like down the line, but the caution i would put out is we don't want to be sitting around counting incidents, that is both impossible and not meaningful because we don't know what that means relative to the other. we still have major data breaches and in addition to measuring success we also have to start to continue having the outreach and awareness conversations particularly with policymakers in d.c. that this isn't going to be a static point of success, counting particular numbers might not be it. we have to think about an evolving process because the risk environment is going to change, the framework is going to need to evolve too and what companies can apply in terms of resources will change. it is an evolving conversation.
7:23 am
>> a little more real life. i think we will find it to have been a success at least within the communications sector if the same number of customers who have service level agreements with us, that same number of customers, also have some factor for cyber. this will be a success if the culture has successfully permeated, then there is no such thing as being at home without antivirus and some sort of protection on your home computer and that makes it a huge success because then you kind of got a safety net. you got the 80. which allows us to put resources and time and effort in pinpointing that most critical 20, that most critical 20, where do we apply resources so that we are automated,
7:24 am
repeatable, adaptive, all that, so much about this framework in my mind was about raising the bar and if we raise the bar, everyone has something running on their computers, that is huge. it allows us then to redirect resources for some of the harder things. >> let's plow right into incentives which angela raised. what are the most important incentives the government can provide and how does this fit into the whole process? >> the government needs to provide no incentive, it is the framework. that has to be the cheapest thing on earth. read it. okay. and really, we struggled so hard to make sure it was readable.
7:25 am
that you could get it and for any company that does not read it, i am good or need to think, that has to have been the most cost-effective way of preserving their business, their brand, customer confidence no matter what company you are in so that is cost-effective. and i think that is an incentive that was made so simple. that is the main strength. there are going to need to be some incentives in the communications sector where we are more sophisticated and robust and there are probably things we as a collective sector need to do that are more -- what is the word they use? repeatable and adaptive to better protect not only our networks but our customers' use of our networks and that will need legislation and we will see if that helps. that will be an incentive there
7:26 am
as well. >> angela? >> that is building on catherine's point which is different incentives are going to matter to different people so the things that may matter to my organization will be different from those in nadya bartol's constituency. i would say microsoft security and privacy guidance is already consistent, security and privacy risk-management is already consistent with the guidance that has come out of the framework. we had market drivers and incentives for years going back to the ugly days you might remember in the early 2000s with bugs that had first names, so we are already doing this. there are going to be incentives that matter to other people and that is important too, focusing on the target audience, where i am trying to effect change and the incentives that matter to them. two things i will say for those organizations who are doing a lot already are going to be the
7:27 am
procurement references, particularly in driving the supply chain effect we have all talked about which is, if you have organizations who are contracted with the federal government, requiring them to use the framework and pushing that out through the supply chain i think will have a significant effect as a market-based incentive to drive improvement. the other one i will raise here, this is definitely from a global company point of view, one of the incentives we think is important is working toward harmonization of these types of approaches to cyber risk-management on a global basis so we have conversations, both industry and government, with our partners in the european union who are working on the network and information security directive, also thinking about what are the right things to do to improve cybersecurity; working toward harmonization is another significant incentive on the demand side and i will add
7:28 am
one last one which is the supply side incentive. michael brought this up when he kicked off the discussion. there are a lot of organizations particularly in the small and midsize who are going to look at this and say this might be something i'd do, how do i do it? i don't have the people, the capabilities, i am concerned about how to resource it. back to those of us who provide services, who may be offering cloud-based services to fulfill the functionality that exists across different parts of the framework. you have to think about it from both sides. the things that may request or incent people to do actions and those are the things that are going to say what would i have to offer a customer base to help them in this. >> what do you think? >> we heard a lot from everybody, the first panel and kathy and angela about
7:29 am
market-based incentives and that is going to be the primary driver and a couple different examples of that. on the insurance side, we have already seen insurance carriers going to larger institutions and asking specific questions: what are you doing about implementing the cybersecurity framework? those conversations are already happening in our larger financial institutions. notwithstanding insurance, looking at it in large part anyway, but the insurance industry is looking at how this all fits together and how they factor utilization of the framework into their pricing in the long term, not today, not tomorrow but in the long term, so that is starting to happen as well. another thing in the insurance realm is the fidelity association, those folks that essentially write the policies have come to
7:30 am
us and said we are about to rewrite our computer crime policies that essentially the carriers use. how do we factor this framework into that process as well? i think there is some good thinking by business in terms of how this might end up working going forward and i take the points that were brought up by the government panel that those are the things that need to happen because if it is not market-driven it won't succeed, it won't have that opportunity. now i will deal with the one that is really the dicey one and that is the two pieces of liability protections that have been talked about as part of this discussion. i had quite a few of these discussions with clete johnson particularly when he was with the senate intelligence committee and supporting senator rockefeller over that. i know how much he loves the
7:31 am
safety act. those are two very difficult questions in terms of how liability protection can be baked into this cake: to the extent someone is abiding by the framework, should they be able to enjoy liability protections? to the extent that they are sharing information, which is the other side, should they be able to have a level of liability protection to give clarity to that information sharing? both of those questions are difficult and can be market driven to the same degree the others have, so that is where government has to play a thoughtful role in terms of trying to figure out for instance what existing programs might have relevance to give liability protections to the extent that events occur and what clarity can be given by government in terms of specifically what identifiable information, how it is defined.
7:32 am
and challenges with cross-sector -- those are two areas government will have to play on. >> particularly for the companies, smaller companies, midsize companies, that need to kick up their game a notch, the incentive on the financial side and the tangible side to make the improvements that we would like to see for overall cybersecurity. >> speaking from an at&t perspective i will address smaller size companies. we have a huge incentive to invest in cybersecurity. the victim of a cyberattack, we
7:33 am
invest significantly, microsoft, and looking at the framework we can evaluate what we are already doing. we take cybersecurity as a significant issue in our day-to-day business. we are not looking for economic or financial incentives for adoption of the framework or use of the framework or how to incorporate existing practices. from a small and medium-sized business standpoint, we don't fit the category of small or medium-sized, but from that standpoint, one of the reasons is it is adapted to the business needs. if you are a smaller enterprise, the idea of before, how can we get to talking about cybersecurity. they don't even know where to
7:34 am
begin. and a risk assessment to determine what their business needs are and apply the framework adapted to their situation, they should be able to pick and choose from the menu of categories and subcategories. that can help, but to be cost-effective, rather than do 100 things, pick from the list and say do one or two things in five categories and potentially customize it to their business, allowing for the flexibility and not making a top-down checklist approach, that will allow small and medium-sized businesses to customize it. and the issue of disincentives. there is the issue of it, and if it is flexible and adaptable we will
7:35 am
see widespread support. and if the risk of incremental regulation is applied, that will have a chilling effect; it is entirely appropriate to look at existing regulations and how to streamline and how to basically harmonize with the framework, but the idea of incremental regulation, a growing regulatory pace, will have a chilling effect on companies' ongoing support of the framework. >> from the membership of your institute? >> any benefit the framework is expected to have on the supply chain for pieces of technology and industrial control systems. the liability protection is important to share information,
7:36 am
primarily with who they know. getting the right information from the government in usable shapes and forms. the lack of legislation, liability protection, so that is important. another thing that is important is federal, state and local regulations. our regulatory agency is independent. streamlining regulations, and i say this cautiously because god forbid we disturb it, it is the way it is. we know what to do with it. and state and local and standards and guidelines that affect facilities. it is extremely important. anything government agencies can do to work with state and local legislation so that whatever they end up doing to regulate
7:37 am
local utilities does not conflict with the framework, because right now we are in a situation where utilities in different states will get different audit results from the same set of information. we would really like to do what they want and to demonstrate compliance or adherence or whatever it is that our members are subject to. >> that leads to my next question about regulation, and we heard this morning and we have heard repeatedly from the administration that the goal isn't to create new regulations. section 10 of the executive order has been something of a bogeyman throughout the process, with people a little fearful about what may come out of that. what is your sense right now of whether there is a command-and-control regulatory structure in the future?
7:38 am
are you satisfied this is on a voluntary track? what do you think? >> i am satisfied with the reassurance from government folks that this is voluntary and i tell my members there will always be an anxiety on this topic. and the regulatory agency in our space and state and local agencies, these are all outside the executive order. so again, the collaborative work we understand the white house is doing with state and local and independent agencies is extremely important to us to ensure this doesn't somehow inadvertently become the basis for regulation that was not intended to do so. >> can you talk about how the framework interacts with existing regulations and your thoughts on what the future holds? >> the last question is fair for
7:39 am
streamlining to occur. there's always going to be a level of anxiety on the private sector side about criminal regulation but right now we have been very encouraged about comments made by the administration about it being non-regulatory and voluntary. we had conversations with the independent regulator and at this point we are optimistic to work with them to roll out the framework that works for the business side and the agency side and catherine pointed out the coordinating council, very prepared to start through the outreach committee working to roll the framework out and get the broadest base in the communications sector so i am optimistic. we will check in in a year or two and see where we stand but now we are optimistic that things will proceed down the right path, there are existing uses through the sector coordinating council to accomplish things without having to go down the regulatory path.
7:40 am
>> your sector has danced. >> if you regulations and financial services. i would observe that the framework has not slowed down at all. any way, shape or form, we have seen in our agencies a lot of interest in third-party risk-management and outsourcing lately. that wasn't driven by the cybersecurity framework but by regulatory concerns in that area and a reminder that all of our partners need to adhere by the way to safeguarding customer information requirements so we already have by regulation a specific linkage between our regulations and third-party provision of service within the
7:41 am
supply chain. it gives us an opportunity to have a better vehicle to talk about how companies can implement that. i am cautiously optimistic on this one, over time we will see whether or not there is increasing push toward making this stuff mandatory, some of that will be driven by events and we will see what the next year brings and so it is up to congress and a lot of instances to make those kind of determinations. there was a lot of thinking earlier that this should be mandatory, that could be revisited. it is up to us in the private sector to do what we can on a market based basis to keep that from happening, to the extent that we do our job government doesn't have to come back behind us on a legislative basis and
7:42 am
try to do this. >> going down the line just as much as there is anxiety in when i talk with customers in the u.s. about a regulatory approach, is there equal speculation outside of the united states about whether a voluntary approach will work? i want to make the point that the impetus is up to us to make it work. as i talk with customers i spend a huge amount of time talking to the customer base there are a lot of customers in the united states assuming that regulation is coming. that is the mindset they are operating in. the conversation i continue to have with everyone is the impetus is up to those of us in this space to demonstrate that an industry driven standards based approach can demonstrably improve
7:43 am
cybersecurity so we need to take the action to show that this can mitigate and manage risk of concern and we are in it for the long game. we didn't just come to develop the framework or be here for the first round but this is an ongoing conversation between industry and government to move this forward and we need to see how much the market can do and given all of the elbow and shoulder that we can. let's have the opportunity to see now that we have defined how much to put behind and small areas of risk that may exceed coming out and very narrow and government and industry that can be applied. >> look at the regulatory action --
7:44 am
>> between the four individuals. >> one airline question. >> you thought you were getting out of that. >> it is from patrick at night reading, an analyst, he is asking what kind of legislation do you think is needed for communications service providers. >> you can talk at greater length, i am an adviser in the sea-tac environment. however by and large, we have been seeking some legislative support in terms of not only the information sharing piece but because i think you understand this communications sector ISPs are not supposed to share anything about our
7:45 am
customers. and i don't say anything. maybe you should call and share this and we do see so much and can manage so much and protect so much but are precluded by law and we follow that about that kind of information. it might be the time to revisit whether or not that is appropriate or under what circumstances we who might see first might be able to share faster so that others can protect. that is one element. there's also an element of if we do see something bad coming what do we do about it? there is a liability protection. if we see bad things heading directly for major slots of the network should we turn it off? if we turn it off, i am not talking about the internet turn
7:46 am
off button but are there other things we should do? other things we could do? those are areas that need to be discussed, explored, repeatable, adaptive and in the current environment right now we cannot do so. we might be in a better position to protect our customers but this is the sort of thing where if we do take action and we unwittingly turn off two or three people, we are trying to protect 2,000 that is where the dialogue needs to occur, where the dialogue is occurring and we will see how it takes off. >> there's a lot of conversation about those very issues. >> i think the industry as a whole, at&t, no big secret we are pushing for establishment of
7:47 am
a clear legal framework and includes liability for information sharing but i want to stress it is not just information sharing but the practice of cybersecurity. it is basically an exception within existing statute. and an exception based on functions that from our perspective, the clarity in the law that cyber security is a positive thing that should be done and not something viewed in a negative light. in a purely legal framework in the act of performing cybersecurity and other actions is where we would like to try the conversation in congress. >> yes? question? >> a generation of transmission electric cooperative in minnesota, the jet audience in
7:48 am
general, observation i am making everyone in this room and on the panel come from large companies. we have a generation in transmission in 20 distribution members. the IT staff in the security department, distribution members do not. they have one IT person assuming they can't have 80 independent telephone companies in minnesota as well who also assume assuming in a similar situation i don't know they know this framework exists. i don't know if there is a plan on how to communicate the framework to these small companies who might not know it exists because they have a large impact as well collectively. not as much as large companies do but collectively there's a large impact and how do you make sure they are being i guess
7:49 am
taking these considerations of the framework into account? >> that is a critical question. >> i will take a little bit of that because we are conflicted on every single issue because we represent large as well as small and medium-sized institutions. we have thousands of community banks we work with and i deal with that issue every day in terms of trying to ensure practices in larger institutions to the extent they are reasonably repeatable in community-based environments we do that and i think one mechanism that we use rather than our working groups is we have 4,000 members within that. many of those are community banks and we also use our coordinating council environment to do that because many trade associations within our financial service sector coordinating council represent
7:50 am
smaller institutions within financial service sector broadly as well so the answer is every single communication vehicle imaginable should be utilized to get the word out that the framework is out and second of all how can we at the top level talk about the framework to encourage institutions to actually look at it and think it is relevant to them. that is the job of the trade association, to build those relevant talking points so that smaller institutions really understand this has meaning to them. and can be very helpful to them as they have those conversations about cybersecurity. >> that is an issue that is of real importance to your membership. >> absolutely. there was an off site next-door the last few days and a couple
7:51 am
people stuck in council we had wonderful participation in the back because they couldn't get out of town and i appreciate the support in the bed room. reaching out to smaller organizations and people who can spell cybersecurity has been a concern throughout this process. we are doing a number of things costs, the usual outreach and posting things. we understand a number of things have been done by individual sectors particularly the energy sector working on guidance and the other sectors. there are things the government can do to small business administration. a variety of efforts as a community. outside of the normal state cauldron we are in to people going into cybersecurity or smaller organizations who never heard of it. they read the news and they know it is a problem. it is an evolving conversation how
7:52 am
it is going to happen but there are encouraging signs of working on it. >> we have been very fortunate in the communications sector. every association member has been articulate about the needs of their constituents and in particular the cooperative association in our association. we will be working with them collectively and individually to make sure they have what they need to talk to their constituencies and they will be part of the feedback loop to the implementation so that if for instance we find out a cooperative telephone cooperatives are not -- that they are missing this or don't get fat or need more help they will end up being of key important feedback loop back to our government partners. >> the only thing i would add is use this question to emphasize the point i have been making throughout this panel which is we need to think about not only
7:53 am
broad outreach and awareness but who are we intending to target, what matters to them, what are the resources available to them, get the feedback into the process. it really ties again to thinking about who we are trying to reach and what we are trying to accomplish with the outreach and awareness, not just scattering resources. >> a question? >> european telecom council, thank you very much for reporting the issue from the americas here. from the point of view of the framework i would like to applaud the fact that we have some level of common lexicon which we can actually rally around now globally, not just in the u.s. that is very helpful. one thing i am concerned about
7:54 am
is cybersecurity is an issue around holistic design and ability for you to actually implement all the way through the supply chain, holistic implementation. the time scales will get in the utility sector especially, we have a 30 year lost cycle and yet some of the things we are talking about as if we can do it in nine months i am interested about how we are going to secure the holistic design and implementation on the rollout of this framework in a timely manner to secure critical infrastructure. >> let me take a shot at that. >> a couple things that i would say on that. first of all when we think this does bring up one point where i think there is an opportunity for improvement in the framework moving forward because there is
7:55 am
an opportunity to enhance the guidance around secure engineering practices associated with the framework as we think about moving forward, talking about a holistic overall approach and there are a lot of organizations who are doing a lot, mine included, who have very rigorous secure engineering practices. that said, when i think about what is going on in the critical infrastructure space almost everyone is some sort of IT producer or provider. utilities, building in-house apps in order to be able to do the processes that are unique to yourself and when i think specifically about the framework itself i think enhancing the secure engineering practices such that those are promulgated more broadly across the ecosystem is one area where we can think about improvement. the other piece on change over time. that is the other piece i hear in your question, environments that are architecting in one
7:56 am
place and the risk landscape and practices and innovations to deal with are moving very fast. that is an area where we see parallels between what occurred in the primary infrastructure space in the early 2000s and what is occurring in the industrial control systems environment, we are starting to have conversation class about secure engineering practices and how you use new environments like a cloud and virtual machines so that you can run live switch industrial and control system to existing, another virtual machine inside the same server so this is where the framework is driving the conversations that need to occur because some of the practices and innovations that occurred in the primary IT space may need to occur in the operational technology space you are dealing in and so it is not that i have a specific answer now but it gets to this is a catalyst of a conversation between communities that will
7:57 am
help to address or manage some of those concerns. >> do you want to -- >> the framework has been discussed as a useful tool for discussion between acquirers and suppliers and we talked this morning about being market-based incentives. the discussion has been happening in the IT communications space for some time and hopefully as far as you to the spacing will percolate into the ICS space and help provide that catalyst for suppliers to further adopt good secure engineering processes. it is not going to happen overnight but raising the level of discussion in the united states and migrating in a collaboration, angela addressed, would be helpful. >> one other point. a lot of larger communications companies, we have expectations suppliers are adopting secure practices, we talked about that
7:58 am
earlier this week, we today when we do a supplier agreement with at&t you have to meet certain criteria, we have review processes in place. angela makes a good point, that the framework becomes a catalyst for discussion about more secure engineering practices and especially software development because the framework by its very nature is really about this is processes and risk-management, not really getting below that we're so is about the things you should be thinking about your business to secure your risks but each individual company has their own business they have to apply to themselves so i certainly hope software developers and others will apply the framework to their business and try to build more security and privacy they talk about privacy by design so the concept of security by design in software is something that will be necessary in addition to the framework. >> i want to thank everybody on the panel. this was a terrific conversation and you have helped to enliven the audience about what is going on and what are the next steps
7:59 am
to look for. thank you very much and i look forward to continuing this conversation. i will hand it back to robert. thank you. >> so very quickly i want to thank our panelists on the industry and government side and our moderators and i want to thank our audience here in person and folks in cyberspace, we look forward to further discussions, the national security policy forum will be a venue for these conversations and i thank all of you. [applause] [inaudible conversations]
8:00 am
>> thank you. [inaudible conversations] [inaudible conversations] >> welcome to booktv on c-span2, three days of nonfiction books and authors every weekend. today booktv is live from the sun than a book festival. check booktv.org for the complete schedule. john walker talks about code name johnny walker, the extraordinary story of the iraqi who risked everything to fight with the u.s. navy seals. tomorrow booktv interviews professors from catholic university and sandra grimes talks about the hunting down and capture of cia mole aldrich ames. jeffrey frank on ike and dick.