
tv   Key Capitol Hill Hearings  CSPAN  February 19, 2014 11:17pm-1:31am EST

11:17 pm
created a worthwhile debate, as we wrap up here? >> guest: i think the debate is good on the data, and u.s. surveillance, and i think that's valuable and fruitful. i wish it came about a different way, and i don't think that would have happened without the snowden disclosure, but he disclosed so much else nothing to do with america or american constitution. i think that is hugely damaging and reprehensible. >> host: because the technology cannot adapt quickly enough to learn how to do things differently, or what is so damaging about it? i mean, you have just said that these -- many of the countries are going to continue working with us. >> guest: inevitably, but there's a chilling effect for a
11:18 pm
while, more reluctance on their part to share what they have, and while it's not going to be permanent, issue, you know, what happens if there's shortage of information about a terrorist attack, and for whatever reason, because of political climate, because of what snowden created, that information is not passed? that's what i worry about. >> host: do you think -- we're out of time and it's the last question -- where our government and certainly cia, too, needs to just assume that things are going to get out, and they, then, in other words, secrets will not remain secret, especially in the environment where we depend on the internet for i.t. to keep the secrets, and they have to calibrate that and act differently? >> guest: yeah, we talked about this before. leaks are inevitable. there were leaks in the cia 35 years ago, and there's going to be leaks 35 years from now. leaks are a fact of life in the intelligence business and business community, as you know,
11:19 pm
and so we have to just live with it and reconcile it. we've gotten bigger seemingly, but, yeah, we do have to factor that in. i mean, our national ears, intelligence leadership factor in that inevitable and what they are planning today, yeah. >> host: okay. well, thank you so much, john, and enjoy your book. >> guest: thank you. >> it is a civil rights march beginning in memphis, june 1956, ands three weeks later in jackson. you can argue the movement transforms, that it approaches
11:20 pm
the crossroads; right? call for black power is first heard. they unveiled the slogan, if you will, midway through the march and mitigates controversy, immediately generates a great swelling of enthusiasm, and in a lot of ways, ignites a new direction in black politics. those changes might have happened over the course of time anyway, but this dramatized this shift because it brought together civil rights leaders, all people, black and white, and put them through black politics going through mississippi, creating dramatic moments highlighting key divisions, tension, and strengths that had long animated the civil rights movement. >> a look at the civil rights movement saturday night ten eastern on sunday at nine on "after words," and march 2, more about the civil rights movement
11:21 pm
as we take your calls, comments, e-mail, and tweets live from noon to 3 p.m. eastern in-depth on c-span 2's booktv. there's time to comment on this book, a women's history for beginners, and go to booktv.org to enter the chat room.
11:22 pm
the ringing of this bell notes thanks giving day. this universal declaration of human rights may well become the international magna carta of all men everywhere.
11:23 pm
the equal rights amendment when ratified will not be an instant solution to women's problems. i'm trying to find my way through it and trying to figure out how best to be true to myself and how to fulfill my responsibilities to my husband and my daughter and the country. >> what they may not imagined looking at the white house from the outside is that it is a very normal life upstairs. >> i try to bring a little bit of michelle obama into this, but at the same time respecting and valuing the tradition that is america's.
11:24 pm
>> let me start by returning to the southern itinerary, the state of the union, as i said, this is reflected, all of the above, and i mentioned fossil fuels, efficiency, and renewables, and tomorrow, i'll go to georgia to approve a loan guarantee for reactors at the generating plant. in 2010, the department of energy offered additional comments for 8.3 billion in loan guarantees to support construction of the first new generation nuclear power plants in nearly 30 years. this was, again, in the spirit of the first mover challenge of
11:25 pm
getting new nuclear plants built, and three separate commitments made to three of the four owners of the plant, and tomorrow, the department is closing on two of the commits, georgia power, constituting 6.5 billion of those loan guarantees. so truly i want to emphasize we are working across the board to push technology forward into the marketplace for all of our energy sources. these will be two new 11 megawatt nuclear reactors, and the first u.s. deployments of the next generation of advanced reactors. earlier, they cost shared the moving towards define certification of this and other reactors on to a program, again, to stimulate development of next
11:26 pm
generation of reactors with passing the safety features. once completed, new units will produce enough safe, reliable and carbon free energy to power about 1.5 million homes, and the president, and when i emphasize it, did make it clear he sees nuclear energy as part of america's low carbon energy portfolio, and, of course, nuclear power already is a major part of the carbon free portfolio.
11:27 pm
>> okay. hello, and welcome on behalf of the brookings center for 21st century security and intelligence. i'm ian wallace, visiting fellow for cybersecurity here at the center. and today, we are honored to have a distinguished panel that has to discuss the new cybersecurity framework. essentially, the document represents the best efforts of the administration and, i think, as we'll hear, industry representatives from the 16 critical infrastructure sectors to work together to address a threat which president obama has called one of the gravest national security dangers the united states faces.
11:28 pm
i look forward to hearing more about how the framework was developed, and i think that's going to be pretty central to its future, but we have to remind ourselves the framework owes existence in large part to the failure of congress to achieve consensus on cybersecurity legislation in the years up to 2012, and that, in turn, led to the president issuing an executive order, 1833.36 on improving critical infrastructure at the same time as the state of the union address on the 12th of february 2013, and that, as the president described it, as three things, improve information sharing within the private sector, raise the level of cybersecurity across critical infrastructure, and privacy and civil liberties. while the executive order
11:29 pm
contains a whole lot more than just the framework, it's clear the framework evolved as the centerpiece for the executive order, and by extension, the administration's policy, and vehicles for delivering second and third of the aims, the raising the security while protecting privacy. according to the order, the framework set out to prioritize, provide a repeatable, performance base, cost effective approach to managing cybersecurity risk, and, by the way, had to be completed within a year. it can be argued to achieve one important objective, even if not the formal one, and that is to remove some of the political rancor from the debate, and that is, in itself, no mean feat, but the question to discuss today is
11:30 pm
whether the framework is going to make us any safer, and wrapped in that is some pretty fundamental questions. you know, what is the framework? how is it meant to work? will it be a fit? even if it does, will it be sufficient to deal with the graveness of the threat that the president described? to get to grips with this, we are pleased to be joined by the very man charged just over a year ago with delivering that framework, dr. patrick gallagher, 14th director at the department of commerce, department and technology, nist, and alongside him, cameron kerry, now the distinguished fellow in the governance program here and acting secretary and present ceo of the information technologies industries council. i'm not going to take too long
11:31 pm
over the bios. you have those, but to recap. pat was the director in november 2009, also served as undersecretary for commerce to standards and technology, joined this in 1993, as the research physicist, obtaining a ph.d. from the university of pittsburgh, returning later this year having been elected as the new chancellor. cam joins us, brookings, in december, as a visiting scholar at the media lab, and general counsel of commerce in may of 2009, working across commerce's bewildering range of issues, and before that, he was the lawyer, specializing amongst other things at telecommunications firm. dean was the present ceo of ati
11:32 pm
in 2008, a position representing the tech sector in washington and in and around the world, in fact, and previous that, held positions at the motion picture association and recording industry association, fun jobs to be doing, i'm sure. so, if i could begin handing over to three panelists just to give short remarks, and then i will lead a bit of a discussion, and pretty quickly, we'll open up to the floor and give you the tint to ask questions. i would ask you to keep your phones switched to silent, feel free, however, to tweet, the hash tag recommended is hash tag
11:33 pm
nistcsf. pat, thank you very much for joining us, and congratulations on the framework. among those people who have been in the past is been, i think, universally complimentary about how the process is run, and that's a testament in the way of which they have gone about it. well done on that. just to kick off, perhaps you could start by telling us what the framework is, meant to be used, and then touch on the process for how we, you, the industry developed the framework, and explain to us why this is going to do what the president wanted and make us safer. >> okay. in just a few minutes; right? [laughter] first of all, it's great to be here. i want to start with, what is the framework, question, and answer it in a nontypical way because you are probably
11:34 pm
expecting me to lay out how it is structured, key parts of the framework, and you probably looking at the framework, but let me actually do it from a different perspective which is the key attributes. the framework is a living document. one thing to really keep in mind is that it's not static. when we ask the question, is this framework going to solve the problem, you're really going to get to a very different answer, which is this ongoing framework process continues to adapt and work. this is a very fast dynamic area, an ongoing process. the other part of the framework critically important is this is a market response. what do i mean by that? you characterize this as being a failure of congress. i actually don't view it that way. a discussion in congress was naturally focused on questions of authority.
11:35 pm
therefore, you know, it had a hence on the problem in terms of what the solution set was. what we are saying here is that one of the best ways to address cyber risk is to have private sector technology companies and providers and all the others have a set of best practices aligned with how the organizations run. for that to happen, there was a document that was a product of industry, and what this did was adopt the approach in standard setting to be the convener and agent as a sort of -- a facilitator, if you will of a broad faculty take holder, getting the band together for that critical discussion. you know, because it had to be aligned with business, it means that the framework in the end was both what you would expect, and i think something new, and
11:36 pm
what you would expect is the set of controls and technologies, solutions, and standards drawn from best practices across all the sectors. we call that the core, and that's in the framework in a very indirect way pointing to standards and reference standards where a lot of the meaty details are, and the other part of the framework was really a structure. to put things in practice, and in particular, to integrate practice into the way the organization runs. it's designed to talk to the technologists and the leadership, so it's designed to align with risk management, tools like profiles where you self-assess, against all the various functional areas, they constitute risk management and your maturities because what's
11:37 pm
important is that like other risk mitigations organizations in a company, you get better. that was the analysis. some draw safety management. you address things by implementing rules and doing things in a particular way, but, in fact, what you are after in a higher maturity is the ability to recognize risk and be adaptive and to be more proactive, and so good framework embraces that as well. that for me is the frame work, both the practices and structure on which to support implementation, and i think that the reason this is promising has to do with the attributes, owned by the stake holders with the most to gain by managing risk, aligned with other practices and risk management that organizations do, and the fact that it is, itself, dynamic and
11:38 pm
adaptive to the changing way we use the technology and the way the technology itself is unfolding. in terms of process, bah, it's not over, we met the deadline of one year given in the executive order, but stated from the beginning that for the framework to make sense, we are talking about kicking off a continuous process, and so the finish line here is not being done. it's being normal. this is part of the breathing and operating we do routinely, and so we are looking for a normal sigh of operation, not the end point, and the process is one based on industry ownership and participation. we used every trick in the tool book. we knew how to do, by putting things out publicly, no one was surprised by the framework.
11:39 pm
the workshops built on each other, public comment, drafting up for comment, and we would anticipate that as we move into the next phase of the framework, ongoing framework process, we maintain that approach. >> thank you. plenty to dig into there, but before we do, we'll move on to cam. you were there at the creation, there at the beginning, had the opportunity to step away and look at the process from the outside, which is a unique position to be in. perhaps you can touch on three things. firstly, if you have a chance how things change as a result of the process and where we came from, important to remember how things felt just over a year ago before the president spoke in
11:40 pm
the state of the union the executive order and the general counsel of commerce, give a little bit of an insight into the privacy discussions that sat alongside the developments, the frame work, and that is a draft privacy annex that drew comments during the process, and that's changed in the final version, but talk to that, and third, could be interesting to get the sense of what you think the administration has learned from this process. >> well, thanks, ian, and, pat, congratulations, both on the frame work and on the university of pittsburgh announcement, both terrific things, commerce and
11:41 pm
the country, i think, will miss your hands on public policy issues. you know, we are, i think, in the outcome of the framework in a very different place than i think any of the predictions would have been when this started three and a half, four years or more ago, and, you know, at that time, the sort of conventional wisdom was that the way to approve this issue was have authorities, department of commerce or dhs, somebody, to address cybersecurity by conventional rule making, and that would go out and duped a
11:42 pm
set of rules to create a standard that people had to meet. this is a very different framework. pat has outlined today what this framework does for the model that it implements is something very different, and some of that, certainly, is a product of the congress' inability to legislate on this, but, you know, part of that failure was a lack of consensus about the right model, the right approach here, and i think more than anything the model that's reflected in the framework reflects an evolution into the thinking of policy in this area.
11:43 pm
it's an appreciation of the complexity of the issue, the speed with which the technology is changing, both on the company side, you know, what it is that you are protecting, and, you know, what risks are out there. this is constantly evolving. evolving at a pace that simply is much faster than conventional rule making can deal with. this has been a long process, but getting this done in a year is a lot faster than the pace of, you know, classic notice and comment rule making. this also is a model that is far more adapted to the technology space, to the world
11:44 pm
of digital communications and technology that really is at the heart of cybersecurity, and i think that is an important piece to stress here, that this model described as a living document is version 1.0. this is an iterative process of policymaking. something that as pat says has been taken and moved over from, you know, from standards setting which is really why this was charged with the responsibility here because that is in the sweet spot, has done the guidance for federal agencies in the 80.53 documents that inform
11:45 pm
the framework, and part of the evolution of the model reflects an appreciation for success in developing standards, its engagement with industry, its role, you know, as an honest broker in the process, and so i'm -- what we have is something that will help to move the needle in some important respects. cyber security is emerged as one of the critical board room issues that companies of all kinds need to address in today's
11:46 pm
digital economy, and this framework provides a set of benchmarks that corporate managers, boards of directors, and others can apply to ensuring, you know, that companies are meeting cyber security goals in ways to protect their assets, be cost effective, and meet expectations of the shareholders, of customers, and, you know, other stakeholders in the environment. another piece to underscore in the development is designed as something that can cross borders. here, the united states has taken a lead in establishing a
11:47 pm
framework, establishing some standards, and doing so with a model that can be used around the world in this space. you know, it's been difficult in the current international environment in the wake of the snowden disclosures to do that. it is important that the united states continue to lead here, that it continue to advocate for a model of regulations and governance in the digital space that is adaptive, does not operate by government
11:48 pm
prescription, and that, you know, can transcend borders, so this framework does that. that's an important thing. >> thank you, and i think that is an extremely good lead in to dean. dean, you represent a private sector perspective, and, you know, not only the tech aspect, but presumably people who your members support, and i would be grateful if you could give us a sense of what you hear from the private sector about the framework. are we going to get concept and avade or something that gets into the bloodstream, and if you can pick up the point about the international dimension, you represent a global industry. does this framework have the weight to build up an international following or is it going to bump up a regulatory
11:49 pm
approach, and, thirdly, part of your role, you talked to people on the hill, and it would be great to hear what you hear from legislators about how they feel about the framework. >> yeah, i'll try to address all three. on the first, i think it's the latter, that it will get into the bloodstream for two reasons. one part in the process, and, two, due to the substance. on the process, the way pat described it, it seems quite inevitable and logical and linear, which, in part, it was, but it was that way because of the process that pat had and put together and the folks as well, which was open, transparent, and collaborative, and i think he and the team needs to be complimented for that. on the substance, i think there
11:50 pm
are three reasons why it's a part of the bloodstream and speaks to the question of the global impact. one is that -- the framework is flexible and based on risk management, and so it's not prescriptive, and i think because of that, and because of the collaborative nature of the process, folks feel that they had an input it in and no matter what your business is like, there's something there to integrates it, and second, the foundation for a lot of what exists in the framework are global standards developed through multistakeholder processes as pat pointed out, and because of that, because they are global and multistakeholder and open processes, the likelihood of success, particularly globally, is high.
11:51 pm
this is a model how they should be run internationally both in the process and in the substance that results, and, finally, as far as preliminary comments, the fact it's iterative, but not without a pathway forward, i think the conclusion of the road map that speaks to nine different paths or work streams including international is critically important. we all benefit from an open, integrated, interoperable internet, and cam alluded to it, there's efforts globally to shift that and make it more balkanized, and i think this framework is a step in the right direction away from that, and i think it's quite helpful. as far as congress, what we heard thus far is twofold.
11:52 pm
one is how can they help create a pathway for success for the frame work, which, literally, on the day that it was advanced, and if the white house releases it, we got calls from members of congress says this is a positive step forward. we concurred, and how can we help? i think the second, which a year ago after the president's statement and promise of getting this done, literally, a week later, in california, rsa, a big cybersecurity conference, and there was a lot of participation in energy and concern around what is congress going to do. my hope is that because of the frame work, it creates a motivating force or action forcing event to get congress to take on the elements of this that still require public
11:53 pm
policy. we intend to do everything we can to follow that. >> when congress suffers and representatives phone you up and say, what can we do to help? what are you telling them? >> you know, the great question, i have to talk to daniel who takes care of these things on our team, and much of what we focus on on what they can do is one, they are still the issue around making sure we have realtime access to information and information sharing, and so heavy emphasis on that. the second part of it actually relates to something that we published on. dhs has an important role and the department of homeland security has an important role in the process going forward, and so what can we do to bolster what dhs does enabling success here? i can get back to tangibles to that.
11:54 pm
>> before we do, you mentioned the road map, and, pat, this is a welcomed part of the document, but it is perhaps piece that we less well understood, because most people expect government to produce documents that then sit on shelves and gather dust. what you, as you describe, setting up a living document, an ongoing process, and the road map to the certain extent is the guide book for that process. could you go into a little bit more detail on aspects like, you know, the work force, the federal agency, alignment, international aspects, and how you see that working? >> well, we are good at writing reports that sit on the shelf. [laughter] remember, this is not a government report. this was an industry document, and, you know, in your opening comment, you talk about the
11:55 pm
executive order laying out a year, which was an interesting time frame because depending the time frame, it was hopelessly too fast or unresponsive to the need to protect critical infrastructure; right? everyone was unhappy at some level. from a pragmatic perspective, going through the process, we built on existing foundations. it was of pulling best practices from everyone and identify gaps, and we had a to-do list, and pulling the learning we got from going through the process the first time to make sure we had both everything we could capture from best practice and the identified gaps. part of that to-do list is pointing to the ongoing framework process, and it was things
11:56 pm
identified as the go through gap areas. they fall in two areas. one is where the policy or standards where it needs to be advanced, and privacy is a good example there, a lot of work to identify those, and some has to do with the framework process itself, so governance, adoption, those types, forming assessment or government adoption, international are issues that go to how do you provide a structure conducive to widest possible adoption? that, itself, was open. as we go forward, we'll be having new workshops, the first privacy workshop is in april, and there's, you know, continuing the full throat of engagement through the framework process, and each one, we ask the group about gap areas, and that work list, itself, is a living thing as we continue to
11:57 pm
revise and check things off. >> and now people in this room and in the country at large take out into the framework that they would like to comment on. is there a mechanism in place to receive those comments? >> yeah. i mean, the framework website is up, collect comments continuously, feeding those as always, acting to compile and provide them to the group going forward, and then, you know, every new, you know, every new version unfolded is subject to the same public comment. what's important to keep in mind with the ongoing process, though, is that, and this is really an important point, that if you're waiting for this to settle down before you do anything about it, you're going to miss the train. right? this -- that's not what this is about. in fact, my view is that the framework will actually be driven by those who are the users and adopters of it.
11:58 pm
most learning is from the hard knock lessons of putting it into practice in the organization seeing where it worked, where it did not, and feeding that back into the process to be approved, and what we're careful about is, you know, you know, don't wait for perfection. we've been asking, you know, most value are those companies rolling up their sleeves, going to give this a try, putting it to use, and willing to participate in the framework going forward to help refine it from that perspective. that's the most precious perspective of all. >> that's particularly apt in that there's a lot of discussion around incentives and the role they should play in getting people to adopt the framework, and we could spend all time focused on that and whether congress enables it or whether it comes with executive action, and yet do nothing else, and i think the idea of moving forward while continuing to grow and improve is the apt approach.
11:59 pm
>> i mean, yeah, i think the lesson that i think of this document is that cyber security is not a state. it is a process. this really helps to lay out a process to get there, but it's a continuous one. >> i mean, the question of incentives is probably one worth spending a little of time on. the executive order actually focused on incentives and the administration put out some work on incentives, perhaps not forcefully as it might have done reflects, perhaps, internal discussions about how that all ought to work. .. you is that you would rather take the discretion away from incentives and focus on other aspects. >> i wouldn't say ignore it. , this is a process.
12:00 am
it is a process that we will continually improve. where we have improvement mechanisms, they will get integrated into this like everything else. in the intervening time, let's do the baseline work that we know is achievable today. >> let's do the baseline work that way now is achievable to that. rather then wait. >> let me make a quick comment on the incentives. the perspective i've taken through this whole discussion on incentives was that the challenge to industry was our national interest as a country is to protect international infrastructure. we think it's also in your business interest to protect these assets. .. ment.
12:01 am
where business interests aren't quite aligned. --re there is a natural where it is unnatural. -- anyot so much a caution is not about internal skirmishes. it is about timing. incentives will be formed by those organizations that are putting these in the practice. what you really want to zero in on is the barriers. >> i mentioned that this has been an issue of great concern over theate suites last several years. that thereeflection are powerful incentives to address this. ask target corporation.
12:02 am
ask the hundreds of thousands of companies that have had intellectual property stolen through cyber intrusions. forward, themove scc as guidance out there for assessing and disclosing cyber risk. benchmarks,set of it helps to inform that process. of good andenty important business reasons for companies to address this issue. most companies know that. now we have some tools to help that. >> one of the challenges, of a company like target -- it'll be interesting
12:03 am
to see how the framework helps this process -- is that some of those threats are getting more and more sophisticated. even if they take cyber security seriously, the cost of dealing with those high-end threats is challenging. how is it going to help deal with those advanced threats that are hitting the headlines more and more frequently? a couple of ways -- one of them is that a lot of those threats are enabled by the same moving parts that the framework addresses. failures in authentication. having the wrong behaviors within your organization that provide latent vulnerability that these threats are designed to tackle. they get more sophisticated in how they do it.
12:04 am
that some lot there of the statistics show -- 80% of these are addressable by pretty basic application. the other part is that the a continuously improving process. risk management framework has the capacity to be able to identify what is happening. one of the behaviors you are looking for is self-awareness. the responsiveness to identify problems. it is faster. aree kind of behaviors specifically addressed. that is, to the extent there is actually gaps in the framework itself. the technology space opens up and you have brand-new issues in the same mobility space. the reason the process has to be continuous is that there has to be an ability to adapt.
12:05 am
>> this is certainly one place where congress could help a. toislation can help facilitate the sharing of information about threats, sharing among companies, as well one direction with the government that can take place. the other direction is more competition. legislation would certainly help to make that easier. --is a known market failure all the participants have identified this. the question is, what do we do about it? one other thing i would add, much of the conversation this far has focused on big businesses. we have talked to vendors and look at the framework and identified ways that we can
12:06 am
improve, even in our organization, using the framework. the great thing about it is that, no matter your size of business or where you sit or which industry you sit within, it is sufficiently flexible and risk based so that you can find use out of it. >> the other area where people have critiqued if not criticized the framework is those industries where the market does not dominate. where there is a less obvious financial driver. how confident are you that the framework will be able to run national security objectives in those industries where the bottom line might never get you to the level of cyber security
12:07 am
that is required to deal with a great threat? >> time will tell ultimately how effective this is in those kinds of markets. i should point out that those organizations operating under this market condition were part of the process from the beginning. it was a part of the discussion to make sure it was responsive to their needs and interests as well. the regulators themselves were part of the discussion. this effort to make sure alignment was real, that was a key part of the engagement that had to be there. that that is not the case. the way i have articulated this to the companies themselves is thinking of regulation as addressing market failure mode -- this is your chance to make sure the market has every opportunity to work.
12:08 am
which is in everyone's best interest. a number of intrinsic advantages, including the ability to operate at market scale, including overseas. the ability to be much more nimble and adjust to flexing technology. bought into that theory of the case. hopefully those alignment issues have been brought in. the word regulation in the context of a voluntary program. there are regulated sectors here. what we were trying to do is not end up in a situation where everybody worked together on this framework but then were driven to do something different than that market solution by the regulations. this is really an effort by the existing regulatory entities to have an opportunity to align against a framework. that is the spirit in which they have been participating. that will be a constructive one. >> i completely agree with that
12:09 am
last point. some of that will be determined by what was outlined in the roadmap. and related agencies aligned behind the framework. that is one of the questions going forward. a good point to focus on. implementation of the framework is going to be key. having the industry involved in the framework, but within puttingnt, they will be in the process. how is that process going to work? how will you make sure that the momentum you have created will dhs takes on the implementation? >> guest: i don't see the
12:10 am
responsibilities passing to dhs. the framework process continues and this continues to act as a convener. nothing has changed on that front at all. what dhs is doing is establishing a voluntary program that is there to support and promote adoption. that includes acting as a clearinghouse for best practices karen hopes that with authorities to support adoption, they've been working with us from the beginning. we have done everything possible to make sure our efforts are aligned with the framework. i want to end on a final point. the most powerful force driving adoption are the companies themselves. we see that from their discussions. this is not just about what you do internally. this is about your relationship to your vendors, your suppliers, your supply chain.
12:11 am
how the sector community organizes. those are actually more powerful than almost anything we can do from helping on the government side. sometimes people misconstrue a voluntary program as toothless. i don't subscribe to that. standard ist safety self regulated by industry through standards. these can be very muscular approaches. that will be where a lot of the driving force comes from. >> cam? >> i'm ready to go to questions. >> you mentioned you had some thoughts on dhs having a role in promoting the framework. >> i think much of it is already contemplated. i know there are a number of
12:12 am
workshops that have been scheduled already. pat mentioned one of them. part of it is education. we need to make sure we are measuring the right things. developing clear metrics for evaluating the success of this effort. -- have alluded to it earlier -- the focus on incentives. i think they are important, but we should not make them the only thing. process, thetive collaborative process that nist has adopted that has worked exceptionally well. it is critical that we keep that part of the work going forward. it is the way to ensure that it becomes broadly integrated in how businesses operate. >> i want to come back to what
12:13 am
success looks like. i would like to open it up to questions. we have some microphones going around. the usual brookings rules apply. keep your questions short and end it with a question mark. give your affiliation when you ask it. >> good afternoon. thank you for this opportunity. i want to ask a question about a as identifiednt by the department of homeland security requiring all 15 infrastructure sectors to have gps, which is essential for a lot of networks. dhs appears to be looking at these 16 sectors to implement regulations with regard to that
12:14 am
gps data that they require. i would like to hear from the panel what you see coming up with a roadmap in regard to the pnts to integrate data and ensure that organizations have what they need when they need it. >> so, anyone reading the 39 pages of the framework would not see pnt showing up. that is one of those examples of an issue that is embedded in the core. it points to a particular class of position critical data. for the framework attendees, they were dependin addressing dependency.
12:15 am
without getting to the specific threat of vulnerability that dhs is worried about, nist has a lot to do with that. the framework becomes a vehicle for -- this is why the federal agency participation is so important -- there is a new class of vulnerability that is essential to critical infrastructure, across sectors like that. we are counting on dhs as a participant to flag that and take it back to industry as part of that process and make sure that the framework process does not have that as a gap area. >> if i can add one thing, as a part of the executive order, all of the agencies are supposed to cascade the framework. to come back with their ideas within a defined time.
12:16 am
that work is incredibly important as well. it is not isolated to dhs. >> you there. when you use the safety model as an example, do you see in the future a credit rating agency or type of third party to provide an audit function on companies? how will they implement the framework and then issue a grade? so suppliers know, i am only
12:17 am
going to work with grade a suppliers. >> the way i would answer the question is to pick up the last thing raised. what we call these are conformity assessment. you develop a set of practices and it may very well be critical to give an organization the knowledge that they're working with conform to some level within the standards. a voluntary program. the government is not going to be setting up a grade. something we opposed to the framework process is you may very well find for this to work you need that type of assessment. there are lots of different types. the trick is, there is not a right or wrong one. which is the right approach given the market conditions you are facing? that is very much on the to-do list. >> one of the rumors has
12:18 am
been this question of cyber insurance. there has been some suggestion that the framework might offer an opportunity to the insurance industry, giving it a set of metrics to use. what sense do you have from your discussions about whether that is likely possible or realistic? >> i'm not sure my crystal ball is any better than anybody else's. in or forn an that reason. as soon as you put in something, the idea of all those assets coming into play, including insurance markets, my sense is they have found a profit for use for them. there are still active discussions at breakout sessions on this
12:19 am
particular issue specifically. to hearing from members of congress and your staff about it, the other folks we heard from are companies who intend to examine that space. insurance companies and law firms are evaluating what this all means. pat is absolutely right. >> this sort of audit process that you have mentioned and pat has outlined is an example of how standards work in the marketplace. i don't have a better crystal ball than pat to say whether that will definitely occur here. certainly, part of the idea is creating the tools and benchmarks, to inform that process. a number of the organizations
12:20 am
that they're involved with in standards, iso is one, there are others that perform audit functions -- some 40% of corporate sectors have insurance. insurance against data breaches. that is triggering exactly the sort of engagement by insurance to take a close look at people's practices. this is a way to benchmark that look. area, at this point, most companies have been able to sort of sweep it aside by saying that the risk is not material. i'm not sure after the target experience that it is so easy to do that. shareholders, for
12:21 am
or, there is a roadmap that people can look to to assess those issues. >> do you think people are making assessments based on where people fit in the framework? companies will have to take a more critical look at the disclosures that they make. that can influence investors. >> the point made earlier about ceo spending real time with board shareholders around this issue is indicative of how important this is, and the creation of a real market place to mitigate those risks.
12:22 am
>> in the middle. >> i would like to follow up on the question about pnt vulnerability. it has become quite the subject in late november. in fact, the u.k., russia, and china have terrestrial systems to back up their pnt to make sure they are not dependent on the signal from space. do i understand, peter, this has not been flagged as a problem by dhs or anyone in terms of cyber or of impacting the cyber security of the nation? >> no, i would not characterize it that way. i would say that to the extent of pnt standards are found, or lack of redundancy or whatever the issue is would be reflected in those things referenced in the framework core. what i'm not aware of is whether as a specific
12:23 am
issue as we were putting together the top-level framework structure. that is not to say they did not raise it as one of the constituent standards. in other words, you have a little bit of an onion here in terms of the overall framework process, and then the constituent standards underneath. i would expect the pnt to be with the constituent standards discussion and not the overall framework. >> [indiscernible] >> but the best team is sitting in front, so if you want to follow up afterward. [laughter] >> this side on the aisle. with the canadian embassy. looking globally, can you talk about the reception you've had, both from allies and foreign companies? >> you might want to get a couple of perspectives here. the overall reaction we have
12:24 am
gotten from the very beginning was a combination of intense interest, wanting to wait to see what it looked like when it was promising of all, i think, and understanding that this can be used as a foundation for a variety of approaches around the world. even those areas that we are considering a more national response, including a regulatory response. because one of the things we point out, again, this is a global infrastructure. that really important information and data companies be able to operate on that scale. that is what makes these technology so powerful. aligning too, just like we've asked our own internal regulators in the critical infrastructure space to align to this, it is something that can be done on the international scale. a lot of positive reaction to that. the most interesting reactions have come from europe and have to do with the fact that the same week that the president released the executive order, there were some
12:25 am
draft approaches that were going to be used for cyber security. from the very beginning, they have been quite interested in looking at this as a basis for moving forward. but 30% of the companies we represent are international entities, and the reaction there has been favorable as well. they operate in a world that has been globally integrated and interconnected. they offer services, products, systems that they want to work on a global basis, so they appreciate and welcome the framework. they are also competing in a where increasingly, their efforts to use cyber security or national security as a market access barrier, whether multilevel protection scheme in china or some of the problems we had around preferential market access in india.
12:26 am
having this framework that is built on global standards that are consensus based and developed through multi-stakeholder processes is helpful for those international companies as well. >> what would be the process to internationalize the framework, or at least give it more encouragement to be used internationally? >> what we did in this case is something modeled after the approach that we did with the smart grid standard a few years back. we started with the standard that the framework process was immediately international. we invited international participation. i was meeting with delegations around the world. we made a deliberate effort to look at international standards as one of the building blocks of the framework, and where it asks companies to bring those forward. in some sense, we have been
12:27 am
international from the beginning. the way, i expect the international flavor of the framework process to actually grow as we go forward. it was actually get identified in the roadmap. what is interesting is maybe more on the adoption side. in other words, the extent to which the certification and the product id, the extent to which those can be put into a global structure with global contacts can be very interesting. and then you are dealing with critical infrastructure. how do countries respond to that from their own national policy perspective? that will be the issue -- the matching between the global markets and how the compliance piece itself works. that will be quite interesting.
12:28 am
>> dr. gallagher, can you speak more about the next phase in terms of how and when the framework will be revised? >> we have not announced a revision schedule yet for the framework. what we have done is deliberately created a bit of a pause in our schedule for the very reason we wanted the framework and follow-up to be informed by those organizations using the framework. but we have set up a tentative schedule of workshops that are on the framework website. the first one is probably the privacy one in april, and i
12:29 am
think there is another one this summer. in july. again, there is no surprise on what the agenda is, because the roadmap was laid out in that process. i do not anticipate any major revisions to the framework itself. the impetus is going to be going after these gap areas, identifying these areas where we felt there was real work to be done. maturing what we call the governance discussion. in other words, we should seriously start taking on if this framework is going to go and be a normal process. how do we set up a governance scheme where all of these different companies can work together to turn this into an ongoing, routine process? and again, we've had experience doing that both in the cloud sector and smart grid and other areas.
12:30 am
would like to continue those discussions as well. >> what does your experience in the cloud sector and smart grid sector tell you that will end up looking like? >> probably the most maturing right now is the discussions in the smart grid, just because it is a little bit older than the cloud side. it was focused on the government adoption side. the smart grid, a smart grid interoperability panel, which is an actual 501(c)(3) organization, was put together because the stakeholder group felt there was not an existing organization that could facilitate that process. they established one of their own. this has provided funding for the operation of the organization. we remained working with them routinely today where you now have a living cycle of, ok, here are the changing issues, here
12:31 am
are the top ones, here are the ones to fix. the top panel does the triage. and in many cases, now works with all of the different standard organizations that are supporting that, saying, hey, here are key areas to improve. and making sure the adoption side is worked out. because again, that was interfacing with the regulated industries as well. i think it might look different. it probably will. this is a different sector. we are not going in with an answer. and this may take a while to put together, but it is worth continuing discussions about how we do this if it is not a one-time process, but something we do year in and year out. >> thank you for this discussion. i am unaffiliated.
12:32 am
you spoke a little bit about how the federal agencies are going to comment on this, and react, and how industry has incentive. i was wondering how you will get the state government to adopt this and get involved. there are many things at the state level that are very important. that is a great question. i will let you answer that. [laughter] >> we have had strong interest from the states. a number of state cio's were at the event. i was talking to them about their framework process. they end up touching this problem at a number of different levels. many of these critical infrastructure entities are interacting heavily with the states, and in some cases they are regulated or involved with the states themselves anyway. again, this harmonization issue comes right out for them, that this is an important building block, because
12:33 am
it is something they can use as a framework for these organizations. think of the water utilities and others that are happening at this level. the other place that this is helpful to them is the extent to which we see widespread adoption of the framework means that the technology providers that are providing technology and software and security solutions to support these companies are now creating a market of some scale. they can help drive down costs and improve performance. affects all the states that may be in and of themselves would not have the market scale to drive this. we encourage state participation from the very beginning. they have been involved in the framework process from the very beginning and you will continue to see their involvement ramp up. >> the only thing is, one of the reasons we have been pushing for legislation at the federal level is the fear that you would end up with a mishmash of state
12:34 am
legislation that doesn't allow for these types of efficient, effective markets. the framework is helpful, because it creates a baseline that is collaborative and based on the sort of standards. i think it's quite helpful. >> how do you think it is handled at the federal level? there are requirements of security at the federal government. how do you see this being rolled out? >> at the rollout, we talked a little bit about this in terms of government use. the most straightforward thing that every adopting company is doing right now is to use the framework to develop profiles of your current practice. that is what is laid out in the framework. one of the first things we will
12:35 am
be doing is at the agency level, we will be using this to, similar to your organization, try to develop -- try to identification. the security model aspect of the implementation of the framework could be extremely helpful to the federal government. they moved the debate past the and theion of controls notion that the only thing you can assess and measure is how many of the controls you put in place. under the framework, that is a tier one implementation level. what this starts to point to is that you can move beyond that into a real risk management framework with a higher maturity level that has bigger advantages. it opens up the palette of addressing this as a risk management exercise within the
12:36 am
government. and finally, the last one is, there has been a tendency to address cyber security performance issues within the government by just making the cio's more and more muscular. the framework actually points to a different answer, which is integrating it with the program lines. this is going to the boardrooms and to the ceos. it points to a very interesting starting with is the cabinet level secretaries and accountability there and looking at this from an integrated perspective. we just started that, but i think it will be quite interesting. >> you have been a cabinet level secretary. >> i was privileged to have a wonderful acting deputy, dr. patrick gallagher. and one of the things he has done in that capacity is to really take in hand the cyber
12:37 am
security management at the department of commerce. i think you called it eating our own cookie. in terms of that, making management at the highest levels of the department security,e for cyber and not simply something that our cio's deal with. >> when do you see that being made publicly available, published? you know, there is no obvious exemption. there may be security issues and aspects of them. >> let me go back to the point that the framework is not about the controls. in any organization, you're going to have the dynamic set of
12:38 am
controls. are drowning in piles of controls that they have been looking at, and by the way, other mandates outside the security space. what is unique about the framework from the government's perspective is the management approach to really integrate it into how you run the department. and to make those decisions, not just technology decisions, but skill sets and hiring and cost allocation, and all of the other things that are just as much a part of cyber security as controls. is a veryys, this fresh perspective on the government approach. and i think the management approach could be very public. that is probably more important. that is where the real accountability lies. we have two questions. you can take them both, and then we will have two questions to finish. we will take both questions and then we will answer them.
12:39 am
i wanted to come back on your comment about controls. if i understand correctly, the controls are the first step of four. does that mean that the controls are within the government today? >> let me be a little bit careful about what the implementation is pointing to. there are controls at every level. and controls are an important control ahow you particular risk. i'm not saying there are only controls at tier one and then you can get away from the controls. what the implementation here is pointing to is, in some ways, you are maturing and managing this risk. i think of tier one as being a rule following culture. in other words, you create it and the success is i got through the list and i can do all of this reliably and repeatedly. that is quite different than an
12:40 am
adaptive or proactive type culture, where in addition to having the rules and controls, you are actively identifying new changes preemptively. it is going from a set of static controls to an immune system. controls are everywhere. but you asked an interesting question -- where will the federal government end up as we start doing profiles? i don't know. i think, because -- my suspicion is that since we have been mesmerized by control belications, we should not surprised to find ourselves near an implementation level that is focused on that, which would be ground one. but we will see. it will be quite interesting as we do that. >> final question. one of the things the panel talked about was the alignment
12:41 am
of the business interests with the national interests. let me give you a scenario and see how that would really change in the corporate world. i'm talking about a target named neiman marcus. i recently read a study where the u.s. credit cards are eons behind the european credit cards with a magnetic strip and everything. visa, mastercard, american now, a target like neiman marcus could be losing $7 billion a year. to replace all of the credit cards, it will cost us more like $11 billion, right? normally, cyber security they don't really do. case, they are doing that. how do you make sure that some interestin a financial
12:42 am
does not overtake what you would call the national interest? >> underneath your question is one of the profound issues congress will face. if these are not aligned, then i think that is because ultimately, we are talking about something that if it fails under a cyber attack has great harm to the country. that is just going to get fixed somehow. but i think, backing up a little bit, i'm not sure that i would financial risk assessment that they were looking at was correct. in the following sense, you know, you are correct that one of the issues the u.s. has seen in the sector is we were early adopters of card technology, but it was very expensive to deploy. it has been compared to much younger technology
12:43 am
for card readers and so forth. and with that legacy comes vulnerability. the question will really be, yes -- that is why the risk management is so important. to what extent does the refresh of this technology help and mitigate and control those risks? i would assume that is what a good organization would be going after. but this is not just the direct financial loss of those customers who lost their information. and that is certainly not what i'm hearing from the ceo's. this is a profound reputational loss. this is potentially going right at their market share. what i'm hearing from ceo's is a very acute sensitivity that this is a big deal and that is why it is rising to the very top of the boardrooms as the discussion. i would be surprised if they were reaching that kind of simple apples to oranges comparison, because that does not track with what i'm hearing from ceo's today.
12:44 am
>> i think that is right. the cost benefit analysis is, in today's environment, wrong. i think it reflects what has historically been the challenge in dealing with cyber security. the compliance, they were worrying about it, but it is a cost issue. it is difficult to get attention. i think because of reputational concerns, because of the impact if you are a company that has a , i thinknt failure that is reaching -- that is changing, as reflected in the level of concern that was talked about. and i think we are seeing that reflected in some of the demand in the corporate sector to change, for example, card technology, despite the economics that you talked about.
12:45 am
>> i work in a highly disruptive sector where companies don't , largely based on new innovation. the key to the success of those companies are trust and integrity. to the extent that we don't take cyber security seriously, we are undermining that trust and integrity. and that is a principal reason why it is one of the issues that i hear, perhaps, most often from our most senior executives in the companies that i represent. it is truly one of their top priorities. in anright and pure analytical or quantitative sense might not show up. but the and the brand damage is so significant that it is conscious of those issues. >> one penultimate question
12:46 am
whate we end up looking at this is like in this. and that is, the question of privacy. what is explicit when the president gives his executive orders that he needed to respect privacy. and throughout the process, concern from the -- what you might call the privacy lobby -- to ensure that was the case. and you have produced a response to that. could you tell us the story so that we have a better understanding of how you have altered the framework to reply to some of those concerns? >> i think, the short version of that story is the one you laid
12:47 am
out, that privacy was the explicit requirement for us to consider as we developed the framework from the very beginning. it was actually part of every discussion and every workshop we had, including the kickoff workshop. i remember having a discussion about the incorporation of privacy at that point. -- weeemed to happen could come back and have a discussion about what the psychology was, but it was intended to be an issue where, first of all, the maturity of how you implement the building blocks. those were less mature than what was true in a lot of the cyber security areas. and partly based on that, it was relegated -- even though we brought it up at every workshop, it is one that we kept going back to, saying that we need to work on this. and one of the consequences of this is that midway through the process, the privacy principles were basically in a standalone section as an appendix.
12:48 am
i think maybe that is what caught everyone's attention. when that construct was finally there, then i think the stakeholder group was working on the framework, all 3000 of them, they jumped in. it was an interesting perspective of how the framework works. the whole industry stood up and said, this does not make sense to have this be a full on attachment. this is based on the same kind of data protection principles that are integrated. they made a counter proposal to integrate those into the main framework. now it is actually integrated and not bolted on. that is where we stand today. >> i think where it ended up is the right place. security is an essential ingredient of privacy. it is part of the privacy principles, part of the white
12:49 am
house consumer privacy bill of rights. it is not a standalone issue. privacy implications on some of the cyber security practices, particularly when you get into sharing information with third parties, or in particular the government. important to incorporate into the framework the privacy practices, as has been done. it really is part and parcel of security. we were one of the stakeholders who were concerned with the bolted on approach. but we think it ended up in the right place. i do note that it is one of the
12:50 am
nine more extremes, so we intend to engage and make sure it progresses forward. >> which brings me to my last question, which is as we go forward, what do we think success is going to look like? and an important part of the framework, i hope i am correct is to assess where there may be a requirement for legislation or others to engage. a question for each of the panelists is, how will we know whether a direction is required, but more importantly, what does success look like, and can we be confident that this is delivering what we think it should deliver? would come down this way.
12:51 am
>> i think a big part of it is adoption. the extent to which most businesses are looking at the framework and integrating it into their operations, much in the way we talk about ceo's taking it as a part of their boardroom discussion. the second part of it is that if it, in fact, does not become a stale document that sits on the shelf, but does become a living, breathing, iterative process as opposed to an -- whereby we are still working on it 10 years from now. gaps with congress. i think we have spoken to those. and the most pressing that can be dealt with on its own is around information sharing. >> how much confidence do you have that those can happen? >> a high degree of confidence. the question is when. [laughter] my confident, i'm sitting in a discussion with congressman
12:52 am
rogers and ruppersberger on monday. i hate to say anything that would give away my position. it is highly unlikely, but i think it is possible. or one version, 2.0, point some significant number. because i think that would be a that there is active engagement, active adoption, and is leading to the iterative process, and any indication that the model is working?
12:53 am
it to getways like asked this question. acid test of all of this is our nation's critical infrastructure, is it better protected, and it is also hard to measure. that is going to be very challenging. so i think of the success story as having sort of two elements. one is the near-term. i think that is the adoption, and the way i have characterized that, is that inevitable? and we are struggling with those kinds of nuts and bolts issues. they may be tough, but the kinds of things that can only come up with those trying to use this. that is a big success, because that means this is actually being put into practice, and you have a framework to improve, and then i think there is an intermediate set of metrics that i think are potentially very powerful, and it kind of goes to the safety comparison, so while the final
12:54 am
outcome could be something we are only retrospectively looking back, i hope that we start seeing some very meaningful improvements in what i call security behavior, and that could be the capacity within organizations to be able to identify risks, that could be the capacity of staff, it could be skill level, and it could also be behaviors like self awareness, the idea that we know what is happening on our systems more or that the speed improves. i think it is quite measurable. it would point to a healthier organization in managing these risks, and my hope is we will be working with industry. nist thing toof a do, looking for meaningful measurements along those lines. >> thank you. we will be looking forward to the cyber security framework 2.0 or 3.0 and perhaps have comment on it, and i would like to thank
12:55 am
all of you for joining us here today and invite you to join me thanking dean garfield, pat gallagher, and others for a fantastic panel. [applause] [captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2014] [inaudible conversations] [inaudible conversations] >> congressional budget office director spoke about the impact of raising the minimum wage. his remarks came after the cbo released a report assessing possible job losses. here's a look at his remarks, and you can see the entire event any time and i knew website, c-span.org.
12:56 am
>> do you think of that letter sent by the economist said that increases the minimum wage have little to no negative effect on the employment of minimum-wage workers of alysian within the your report kind of lined up with that assessment by the economist. to you think that a loss of 500,000 jobs with equal little to no negative impact of in a blunt. >> and not going to speak directly to lovely opposes of great neck and want to call is because of our analysis. as i said before, our analysis is quite consistent with the latest thinking nikon's. what i noticed about this letter and about the survey and referred to is that those economists don't put numbers to their words. it's hard to know exactly what the people meant by little to no effect. hard to know exactly what people meant in the survey by noticeably harder.
12:57 am
higher estimates for $9 minimum wage which, as i said kali is the increase that is most consistent for the increase that they have studied the pass in terms of the extent of the increase in a foreign to the contribution of cuts. our analysis of the proposal suggests a decline in employment would be between one and a half to tie between two and a half percent of a slight increase. at two and a half% decline for many people that will be a small decline. if would be no affect roughly. i'll take one can tell from the statement, one cannot be sure exactly how that prove those economists would agree with will we have done.
12:58 am
will we have done ourselves as a do a very careful reading of literature. naturally economists to put more weight on certain studies and utterly will find our estimates of the employment effects to be larger than they would pick themselves and others would find our estimates the smaller cells. our job is to provide the congressman. >> i'm sorry, go ahead. [inaudible question] >> i wondering if the impact on unemployment at the $10.10 range could be lower. >> the range that we provided for an increase the minimum wage to $2.10.
12:59 am
we say we have constructed this range to capture -- capture as best we can judge two-thirds of the resolution at a reduced -- not release and not to of employment and all or increased. two-thirds chance that it will be between a slight decrease in the decrease of about a million workers. >> does this surprise you of all ? >> much of the work that we do, there is a range of reactions. we take great pains in doing analysis to read ahead of time and consult with people with a wide range of views. if you look at the people we list at the end of our document we spoke about this work. you will see from knowing their
1:00 am
own work that they came to this question with a very different set of views about what happened we understand it will be a range of reactions among professionals , analysts, and among policy-makers and commentators outside of cbo. that does not surprise us, nor does it have any effect on the work we do. >> coming up on c-span2, book tv in prime time. first, michael allen examines intelligence after 9/11. the investigative reporter james ..
1:01 am
>> the dalai lama is in washington thursday where he will speak at the american enterprise institute. he will be part of two panel discussions focusing on free-market economics and happiness. live coverage at 9:30 a.m. eastern also here on c-span2's. >> i grew up in a very small catholic community and when i was growing up the two classes
1:02 am
whether it was first and second or third and fourth were all in the same classroom and at that time there were a small group of girls. there was a mary beth and she was betsy and mary ann and mary jo who was mazie and mary catherine. my parents never called me mary. my name is cathy but my best friend's name was cathy and so she decided in the third grade that she would rename me and so she was a voracious reader and had already read hundreds of books i think by the time she was in the third grade and heidi was one of her favorite books. she thought it was great alliteration and she gave me the name heidi and it stuck. >> my grandfather and great uncle came over from norway in 1906 and actually when they got to ellis island they didn't know english with the exception of i
1:03 am
guess the words apple pie and coffee which evidently they learned on the way over but they were asked by officials to change their name because they thought it would be too difficult to spell and pronounce for people in this country and their name in norway was yell sick. so when i got to ellis island they asked them to change their name. they picked the name of the farm where they lived near norway which was called as soon farm. my grandfather became mixed soon so they got their ellis island and they had a sponsor in south dakota and came out to work on the railroads. now an insider's account of the restructuring of the u.s. intelligence system after 9/11. michael allen majority staff director of the house
1:04 am
intelligence committee discusses his book "blinking red." this is just over an hour. >> good afternoon and welcome to the america foundation -- and new america foundation. i'm peter bergen. it's with pleasure that we get to welcome michael allen to talk about his excellent new book "blinking red" and mike has had his distinguished career most recently in the government's chief of staff to mike rogers on the house intelligence community and spent seven years in various senior positions at the national security council under the george bush administration. he managed to write a book and have two young sons and set up a successful new business all in the space, and continue work on the hill at the same time. so very impressive all those different things he does simultaneously. mike has agreed to speak about
1:05 am
the exams and stories in his book for a half an hour and i will engage them in q&a and open it up to your questions. >> very good. thank you. i will go to the podium if that's okay. >> i think you can do without that. >> i want to thank the new america foundation for having me today especially peter for the invitation and thank you all for coming out in the rain to hear about my book "blinking red" and i look forward to q&a about other pressing intelligence community topics. "blinking red" is an attempt to write the authoritative objective history of the most substantial restructuring of the u.s. intelligence community since its foundations in 1947. the aim in 1947 of course was to create a central intelligence
1:06 am
agency that would and this sounds familiar to many of you who have studied 9/11 but to make sure that pockets of the u.s. government did not have information that if shared with other entities of the government might foretell of a particular attack or national security threats on the united states. the national security act of course also created the national security council and the defense department but the creation of the central intelligence agency really laid the foundations for the modern american intelligence community. the fault of the national security act of 1947 was that it seemed to give the central intelligence agency many responsibility for coordinating the variety of intelligence entities across the federal government but not enough authority to do the job. so let me break that down for you just if i could. the cia is of course famous for
1:07 am
two missions you are all very familiar with, covert action and the recruitment of spies around the world. the security act of 47 also sought to make the cia director give him another mission which was to manage the community to be the dci and to coordinate the growing infrastructure of intelligence agencies that began to grow up around world war ii. as you approach through the cold war years a variety of task forces and commissions noted that the underlying ability of the director of central intelligence to coordinate for example the signals intelligence entities in the department of defense was very weak. literally dozens of commissions and foundations recommended augmenting the director of central intelligence's --
1:08 am
's power so they would be able to keep up with the complexity, billions of dollars being spent on american intelligence and to be able to better face down the soviet union. none of these recommendations, none of these attempts to reform were centralized greater authority than the director of central intelligence went anywhere until 2004. there were several factors which i go through in "blinking red" that contributed to this major juggernaut of activity which rewrote one of the most famous pieces of legislation in american history in four and a half months. there were a variety of things going on that summer. i want to thank -- take you back a little bit. at this time the central intelligence agency had really taken a beating. they had been through grueling hearings before congress about who should be blamed for 9/11 and whether the cia had failed
1:09 am
to watchlist certain individuals and otherwise failed to share information with the fbi that might have foretold of or allowed the fbi to investigate the plots on 9/11. the cia i think it's fair to say was really outfitted by these particular hearings and the 9/11 commission came along and had another set of hearings which really were very tough. indeed the chairman of the 9/11 commission noted that their staff statement about what happened and what the cia did on 9/11 was an indictment of the agency's performance. a second factor that occurred that contributed to this momentous change of events in the fall of 2004 was really the 9/11 commission itself. they were a group of nationally prominent men and women who were able to build a national audience through a series of hearings about what happened on 9/11 and really they had a lot
1:10 am
of cachet and a lot of influence and indeed they constructed their own strategy to be able to build a legislative proposal that would have the chance of succeeding and could be acted on very swiftly. the third factor occurring at the time was the failure or the misassessment of iraq wmd was coming into stark relief in the summer of 2004. the senate intelligence committee's report came out and faulted groupthink and again the cia was at a very low level of prestige at the time. finally you have to note of course the presence of the 9/11 commission families who i go through in the book became quite a powerful special interest group advocating for reform of the intelligence community, join forces with the 9/11 commission and was able to have tremendous influence of process. the last thing and really the conventional wisdom is that we
1:11 am
created a director of national intelligence and national counterterrorism center that the 9/11 commission recommended because of the presidential election of 2004. i think the conventional wisdom is a little bit wrong for the reasons i just stated. i think the looming presidential election in which the performance of george bush and whether he made the country safer were undoubtedly incredibly powerful factors that influence the likelihood of congress and the president to take on intelligence reform but it's not the only factor. we had not one but two spectacular intelligence failures really in the same two to three year period. what did the 9/11 recommend -- commission recommend? what they recommended a super empowered spymaster would have the ability to an increasingly complex world of proliferators
1:12 am
and state-backed terrorists and in the 9/11 commission's words, we needed a quarterback. we need someone very agile who would be able to move dollars, people and analysts to be able to meet new threats to be able to organize quickly to meet what they determined was perhaps a greater national security challenge than the soviet union had been. in the 9/11 commission's estimation the soviet union while for voting of course at least in an intelligence sense there were embassies from which to recruit spies. there were armaments to look at through satellites and other particular government agencies to seek to intercept their communications but this wasn't the case with terror cells so we need to be able to organize differently. on the point about there being a
1:13 am
particular electoral impact john kerry the democratic nominee for president endorsed the 9/11 commission recommendations 17 minutes after the commission recommendations were announced in july of 2004. george bush endorsed the dni in concept 10 days later so this speaks to the tremendous force and the incredible forces that were at play at this particular time. however while a lot of members of congress and the two leading individuals of each political party endorsed the 9/11 commissions recommendations nearly immediately it inspired tremendous bureaucratic opposition and this is really the heart of "blinking red." it is a tale of bureaucratic power and jockeying for influence really over the 80 billion-dollar intelligence enterprise who would be able to control the intelligence assets
1:14 am
of the united states. i go through the book three camps that were in opposition to the 9/11 commission's recommendations. i will go through them briefly and we will talk a little bit about what the entire act means for national security today. i think these three camps are very important because as people try and contemplate where we are 10 years after the 9/11 commission report a lot of people are asking how is the system working and how could we improve it? why did we create it and what were we trying to do at the time? one of the camps that broke out immediately in opposition to the 9/11 commission report were those in the military who were adamant that the primary mission of intelligence should be direct tactical support to the warfighter and that now in this time period in 2004 was no time to centralize intelligence anywhere else be it the current
1:15 am
system with the director of central intelligence located in langley virginia, a dci who in their estimation might retain the two other missions that the dci had namely human intelligence and covert action but especially not into a new super empowered individual spymaster because they viewed this as a zero-sum game, that any rebalancing of authority away from the department of defense would degrade the department of defense's intelligence capabilities. the two principal players in this camp were secretary rumsfeld and vice president cheney. secretary rumsfeld is of course very quotable. he at the time was vociferously against the 9/11 commission recommendations and he wrote in a letter to george bush from this time period something that i think is very notable and economics here the intensity in
1:16 am
his voice which was something basically that the united states congress, the media and john kerry can afford to do wrong and pay no penalty. the president of the united states has to be right on a matter of such importance and the end of this memorandum to george bush at the time which is detailed in the book with a single word, caution. urging caution on the president before he adopted these particular recommendations. vice president cheney himself a former secretary of defense also opposed the dni recommendations. he focused on the fact that we were at war at the time in iraq and afghanistan and said now is no time to be rearranging the deck chairs on the titanic as we are trying to fight and win a war. the second view was those at cia. cia i think took some offense
1:17 am
that they were being so heavily faulted for intelligence failures on 9/11 and began to argue that really what the essence of power is in washington d.c. is bureaucratic clout. at least the director of central intelligence, the head of the intelligence community when he headed the cia at least had troops. he had analysts. he had collectors. he had someone that he could ask and they would actually respond to what he wanted to do so the point of robert gates himself a former dci argued that summer that the 9/11 commissions dni would create a unique someone who at the unable to effectuate his will. indeed this was the view of almost all the former directors of central intelligence who argued that the only way to
1:18 am
increase centralize power in the intelligence community would need to give him more authority and more bureaucracies to directly control and not to subtract from his authority by separating these community management functions. these coordinating functions from the cia from langley virginia. finally another camp and this is interesting because of who the people were in the positions that they would come to hold. they argued without the knowledge of secretary rumsfeld ironically enough that the national security agency and the national geospatial agency at the very least these two factories of intelligence now we know nsa very well through the const -- present -- they argued that the dni would be indeed feckless unless they had authority, direction and control over these massive intelligence agencies that
1:19 am
resided in the department of defense. the two individuals who argue for this bureaucratic position were the current director of national intelligence today jim clapper and the future cia director general michael hayden. at the time they were the heads of nga and nsa respectively so it was quite an incredible position that they would advocate of moving their bureaucracies out of the department of defense. this set up the infamous lunch in washington when secretary rumsfeld learned of general hayden and general clapper's efforts to advocate around town on behalf of a more muscular dni who would control their intelligence agencies and rumsfeld invited him to lunch at the pentagon. to hear general hayden retell the story he says it looked like peace talks between north and south korea as they sat on opposite sides of the table.
1:20 am
the only thing missing were the respective flags of their nation. they sat there and argued about whether the dni in the 9/11 commission recommendations would lead to a more successful intelligence community and according to the participants of the lunch secretary rumsfeld slammed his fork onto his plate and said he couldn't believe what he was hearing from two people who had warned -- worn the uniform of their country that the dni should not have control or any additional control over the intelligence agencies and the department did and so needless to say the lunch ended badly and the rest is history. these bureaucratic divisions in the book goes through this were reflected in the argued aggressively throughout august 2004 in the national security council as george bush's advisers tried to color in exactly what president bush's beliefs would be in a piece of
1:21 am
legislation that he later sent to the hill on what the future intelligence communities would look like. i won't go into this in great detail but the congress embraced the 9/11 commission's recommendations the dni and the nctc, the dni separate from the cia and really tried in the united states senate to enact the will exactly of the 9/11 commission's report. i was there at that time as a white house legislative affairs staffer and people carried around the 9/11 commission book as if it were the bible and tried to interpret as faithfully as possible what they thought the 9/11 commission meant. this is really the reason for my argument of why the 9/11 commission has been the most successful commission in american history because they were able to dictate the policy agenda in the fall of 2004 and caused the congress to immediately endorse respective presidential nominees to
1:22 am
immediately endorse their recommendations. the bill did hit some snags. the house of representatives was more interested in the secretary of defense's authority over the intelligence agencies and the book goes exhaustively through some of the arguments that they advance in opposition to the 9/11 commission and eventually how after the presidential election of 2004 the bill was enacted into law. i will end with this. secretary gates was gracious enough to let me interview him for my book and i wanted to know the views and whether the rumor was true that president bush had offered him the job to be the first director of national intelligence. he confirmed that indeed andy card and steve hadley two of the president's top lieutenants had tried to recruit him to be the director of national intelligence and i think this is very interesting contemporaries
1:23 am
contemporaries -- contemporaneous view immediate after it passed and look down to the sum of the problems he would have been his first years. he gave me his e-mails that he sent to the white house in december and january of 2004 and 2005 critiquing the law and some of the conditions that he would ask president bush for him to even consider. secretary gates and i have this in the book describes the new law as quote strange. he said the president needs to make clear the new director of national intelligence is the head of the intelligence community not some mere budgeteer or coordinator who just has common denominator, the ability to convene people and only hash out the common denominator about the policy and directives affecting u.s. intelligence
1:24 am
community. eventually secretary gates turned down the offer. he said sort of to me that hadley and card made a mistake that the neophyte car salesman would never make when i visited the white house. they let me off the lot without a sale. he went back to texas and thought about whether to take the job and eventually he turned it down. we had four dni's in the first or years that inspired bureaucratic opposition from the central intelligence agency which i mentioned was in a very good place to be able to affect the outcome when the bill was under consideration but i think was able to maneuver and jockey successfully so that the cia might know today that they don't feel substantially managed or impinge upon by the new intelligence community. so as we sit here in 2013 amidst
1:25 am
a variety of intelligence challenges from iran to syria and the crisis of edward snowden has cause for the national security agency i think it's a good time to ask ourselves and reflect upon the situation the structure that we set up post-9/11. this was the most tangible reform of the intelligence community and what the american people thought they were doing when they asked for reform of intelligence after two calamitous intelligence failures in president bush's first term. has the dni been successful in making the country safer or did we give the dni tremendously more of a to-do list as john mclaughlin likes to say the former acting director of the cia, did we get the dni all the
1:26 am
responsibility but not enough new authority to make a decisive difference in the overall cohesive management of the american intelligence enterprise and all 17 intelligence agencies that reside around u.s. government. so peter with that i will leave it at that and welcome questions. >> thank you very much mike. that was a great overview of the themes of your book. jumping off from where you left it, is the director of national intelligence the dni and we shouldn't use too many acronyms because we have a c-span audience. is the director of national intelligence basically a figurehead with no authority because he or she doesn't have the budget and is sort of in
1:27 am
this coordinating position or has the job somewhat at fault so that whether it's general clapper for some future dni director of national intelligence he or she actually can move the intelligence community and a project would direction certain genes on and issue like syria or whatever. >> i think it's an open question. i think the cia very at deftly at the beginning of the obama administration when admiral blair became the dni read the statute and it says the cia director reports to the dni and he tried to make it very clear to the central intelligence agency that as far as he was concerned he got to be able to appoint certain cia individuals in positions around the world and the dni ought to have a greater oversight role in covert action. these two issues i think leon
1:28 am
panetta appealed to the white house and the dni lost so it was a pretty spectacular loss. he wanted basically the power to appoint station chiefs effectively and the most important person in the country. he wanted that to be his remit. >> he did indeed and this is where the book tries to get into some of the vagaries of the statute in that we didn't really consider or debate very much in 2004 the relationship between the cia and the director of national intelligence however this came to be one of the chief thorns in the side of the dni going forward. the blair episode merits aside the issue everyone knew he had fought leon panetta on these two issues and came out on the losing side. people in washington noticed.
1:29 am
people notice the new director of national intelligence had lost an important issue and something they had appealed to the white house on and it hurt the dni's authority. >> going forward is this going to be personality dependent depending on who the dni is because he or she will have to and a sense operate by consensus or basically is this it bureaucratic battle which generates the covert action. the most optimistic case about whether dni can ultimately succeed or not is by looking back at history and the record of the secretary of defense. when the secretary of defense was created in the 1940s he had no real authority over the departments of army, the department of the navy and over time accreted more authority up until the congress revisited this particular law in 1986.
1:30 am
defenders of the dni like to say give it time. we are only in the first few years read the dni will accrete more authority over time. i think what a lot of the experts also believed in was that if the president makes very clear that the dni is the head of the intelligence community with all the things that people want the dni to do here at the top three things that will lead to more dni success because that is in the end one of the key ingredients of bureaucratic power in washington. if people believe that he is acting at the behest of the president of the united states then he will have more bureaucratic clout. i see that as a way forward something that may work over time but i think your point is right. we have had real operators and
