
Key Capitol Hill Hearings, CSPAN, February 20, 2014, 1:30pm-3:31pm EST

1:30 pm
don't remember -- suggested some kind of spectrum innovation fund, and legislation going that way as well, that the auction proceeds would go into more broader re-investment into that kind of stuff. so the idea has been out there. it's a matter of really getting it obviously with private -- would require legislation every time you move money from one purpose to another, you have to get congress to bless that. so if there's other ways to do it, it would be fine, too. it's one of those ideas that has been around. it's a matter of implementing it. because there's lots of demands for money, and that goes to the point, one of the -- talked about the process and stuff like that. these processes are such a drag sometimes on resources, and it's finding the resources to get these things done, whether it's to do a test, to go out and
1:31 pm
conduct tests, modeling, simulation. i was talking to a company the other day about -- really large company, how long it took them to get approval to buy some kind of software package to do some modeling. and this is the -- for one of the bands of the future, they had a lot of stake in. so, it's not just the government. it's a lot of folks that are hurting for money, and resources. so, any way to kind of filter that back into r & d and testing, that would be great. >> anyone else? go ahead. >> i just want to add, i think with regard to doing the testing and the studies, from an industry perspective, we actually embarked on a monitoring activity to assess the type of emissions that were encountered in specific bands and figure out
1:32 pm
what impact would those emissions have on an incumbent -- we're going to share that with the regulatory community and dod as a way to move things forward with regard to how can you better share between federal and nonfederal assets. >> i think it's a great idea. the idea of using the srf for this might actually be a good input to the whole spectrum incentive. if you think that today disincentives to do testing and expend resources to figure out how to move out of a band or share it, but a case in point, going back to the combat training center example i gave before, had there been money
1:33 pm
available for the u.s. army to have had done their testing, that program could have accelerated twofold easily, but it took a while. the point is that it was still a proposal that was brought to them, they finally were able to test and get behind it and now they're implementing it. probably a way of getting around the disincentives for relocating or sharing. >> jennifer, please. >> jennifer warren, lockheed martin. my question is for peter and others as well. so the leadership at dod is providing and putting forward this new strategy. are you seeing that reflected in any other federal agency? because as you and general wheeler noted, there really is no exclusive dod spectrum, or very little, so it's shared with other agencies that may have
1:34 pm
significant infrastructure investment or operations. thank you. >> yes. oh, okay. on behalf of the federal agencies at large is also reexamining its strategy along these lines. so, obviously it plays and aligns with what is going to be announced later this week. so, i won't go into any kind of the details on that, not get out in front of that, but, again, like i mentioned before, it really should center around technology and innovation and -- but also collaboration, and so it's about -- it's continuing what we have kind of been doing in the sense of the -- bringing the agencies to the table and being on the same page, seeing
1:35 pm
how they can work together, like in the example with regard to the -- one of the bands, 1755, law enforcement surveillance activities, happens across several federal and state agencies. so, is there a way that they can collaborate on developing the next generation of law enforcement surveillance applications? and technologies? so, it's really about getting the right people in the room talking to each other, and a strategy really is -- or tactic of using those kinds of crowd sourcing, for lack of a better term, among agencies and the commercial side. so, it's -- that's really kind of the focused strategy i'd like to see. >> definitely other agencies -- there's other agencies that are very interested in -- like
1:36 pm
center for advanced communications we have been delving, and the -- so there will be all participating in that. >> i think -- yeah, i agree with peter's short answer, yes. you're actually seeing it in some of the grassroots in the agencies. having gone through this exercise, focused on commercial wireless, but there are plenty of other services to share spectrum. important point is it needs to be a two-way street. so when the agencies look at this and say, if you're going to believe in sharing, can't just be sharing my space. it needs to also be providing for the benefit to agencies to be able to share space elsewhere on the spectrum that -- where they may not have a current
1:37 pm
allocation. we have actually issued proposals to do just that in a number of places. certainly one you know about, relative to commercial space launches and been very important to the federal government to have an upgrade in their allocation for their own earth stations using commercial satellites. we proposed to allow federal systems to actually -- federal users to have access to the space, and even the spectrum we're talking about here, and we also propose to allow 3.5. so, i think there really has to be a change in the way we look at things on both sides. >> if we don't have any final questions -- go ahead.
1:38 pm
sorry. >> i suppose this question is mostly for fcc, though anyone is free to jump in. has to do with unmanned aircraft systems as an example of an emerging technology that is going to require spectrum resources. general wheeler had a couple pictures of the domino's pizza delivery, but the jokes aside, this is going to be a technology that is going to have thousands of aircraft in the skies before too long, like before 2020. and faa has a congressional mandate of 2015 for full integration. one detail missing from the road map is how we're going to handle frequency for line of sight and beyond line of sight.
1:39 pm
i'm curious to know if, while dod has its spectrum assets, civil users do not and what this plan for addressing that? thank you. >> a different dance depending whether or not the peas says going to a private sector user or -- i think we have a lot of work ahead of us on this. first of all, don't think people appreciate the uass or uavs come in all shapes and sizes and have all sorts of different applications. so you have to be concerned about the command and control, you have to be concerned about in some cases looking to have -- we, i talk collectively, the real-time video. so, we have a lot of work ahead of us identifying exactly what the needs are and where the
1:40 pm
appropriate places for them to operate, and i think sharing is going to be a -- i take as a given. we have to figure out what can they share with, so it is not going to be easy, but we'll find a way. and i -- clearly federal government as well. >> i'm glad you brought that up. also demonstrates the fact that the demand is not only on the commercial side in your traditional broadband mobile type applications. there's a lot of applications, federal and nonfederal, in other contexts, and supporting uavs and other unmanned systems is a huge, huge driver for -- and so it's -- you'll see, for example, in dod proposals for using 2025,
1:41 pm
it suggests using smarter technology and multiband capabilities. so, the newer applications and approaches are going to be more dynamic and more capable of finding the best spectrum available when and where it's needed. there's not one single scenario for those types of platforms. they're at various altitudes at various times and they have to be very, very spectrum agile so they'll be driving a lot of that technological development as well. so, i don't see the same old dedicated band approach. there may be one or two dedicated bands for safety of life, command and control links, but video download, payload type applications, you're going to have to find a lot of spectrum, variety of places, depending on
1:42 pm
where it is. and just point out that the way that the supply chains work in these various industries are so different, and they don't even cross each other sometimes. you look at the commercial mobile industry, the supply is there and look at the suppliers in other radio markets. they don't even cross. so, you have to figure out a way for those to do a little cross-pollination. >> i just want to touch on the number of bands. i think kind of coincides with what general wheeler was talking about, having platforms with multiband capability. what we found during some of the working group projects, particularly the uav platform itself is a multiband platform and actually had become somewhat agile in terms of your ability to move that system to other bands without impacting
1:43 pm
incumbent federal operations. so, i think as we would look to frequency bands for uavs, i hope we continue that same process and making sure that these platforms do have a multiband capability. thank you. [inaudible] >> -- heard frequently. we need to think about how the process can be streamlined and also how it can be guided by policy that is shaped by both national security and economic concerns, and general wheeler pointed out how intertwined those are, but still some sufficient differences we need to think about the balance when
1:44 pm
two. we talk a little bit about incentives. we talk about technology. we talked about r & d. the technology one always strikes me as sort of the silver bullet in some ways for spectrum problems. we'll fix it because we'll have a new technology. i'm an optimist but you have to invest in it if you want to get it. and we talk about the slow process, particularly on the international side. so these are all good topics to think about in the future. i'll close by asking, anyone have any final words of wisdom they want to share? >> well, i'll start off just by saying the sharing is not the only solution. i think that the mobile operators and the whole auction environment, which is very good to the economy and the treasury and all of that, from an auction perspective, needs to continue and that's going to be done by cleared and vacated spectrum
1:45 pm
that can be sold at auction. so, while i understand the report is promoting sharing and we heard general wheeler say, from his perspective, sharing is the future. i think we as an industry and an economy, need to be thinking about how can we find more available spectrum to auction and provide to commercial operators. >> first off, thank you for having us. i think it's a balance. i think to julie's point, look at the bands out there, it's a challenge for the federal government to find spectrum and make that available for mobile broadband. but i do think that as julia pointed out, we're moving in the right direction. i think both industry and government are forging ahead and trying to figure out how to make the spectrum
1:46 pm
utilization for everyone. it's not going to happen overnight. we are seeing sharing capabilities we can employ in the 1755 to the 1780 band, and the 3.5 band. so as we continue to focus on the technology improvements that facilitate access to those bands, that's where sharing becomes more commonplace than what we're seeing today. thank you. >> i had mentioned i think the models we have had in the past of exclusive use will be pursued, and as you look at the spectrum chart, the challenge you have is the services that are there, where do you relocate them to? and that's what drives you off into sharing to see if you can actually get value. by value i mean not just having
1:47 pm
access to spectrum and saying, well, got 100 megahertz here. i can't use it anyplace if there's people. it's got to be something as we go through the process that we actually -- is going to serve needs. so, i think we're going to continue to pursue along all fronts and it's just not going to be any easier. >> no words of wisdom but maybe just words of ignorance to offer. you don't -- we don't know where technology -- ten years ago, whatever, we could not have predicted necessarily where we are. we would have probably predicted the industry would be back for more spectrum for exclusive use, and i think it's easy to predict that some parts of the industry would not favor a sharing approach and would like -- i
1:48 pm
think that a lot of federal agencies would like to have exclusive access to spectrum as well. so, -- but just don't know where technology is going to lead you. so if you have the incentive and drivers for technology to develop, and make sure that any regulatory barriers are out of the way, then the future is limitless. so, let's come back in ten years, after your next report, and we'll reflect on that and see how your recommendations are doing, jim. thanks for having us. >> well, i hope we can speed the process up a bit, more than ten years. please join me in thanking our panel. [applause]
1:49 pm
[inaudible conversations] >> a diplomat says the european officials are going to hold sanctions against officials in ukraine in response to the violence, following the deadliest day of protest so far. at least 20 people have been killed, "associated press" reports as many as 70. the white house says the u.s. outraged by the u.s. in ukraine and is asking the president to withdraw forces. we have been asking you what the u.s. response should be. a number of replies, ray hill says: stay out. russia is already anxious to show its power over the u.s. if the people of the ukraine want to move away from russia's influence they should look to
1:50 pm
the eu. bradley says the u.s. should allow its citizens to join foreign armies if they want to fight for other nations' causes. that's about it. here's a look at tonight's primetime lineup on c-span: a discussion on how journalism has changed since the snowden nsa leaks. and authors have written about political ideologies, and on american history tv primetime, the life of lbj, beginning at 8:00 p.m. eastern. >> the ringing of the bell announces the opening of thanksgiving day of the 22nd annual sale of -- >> this universal declaration of human rights may well become the international magna carta of all men everywhere. >> the equal rights amendment
1:51 pm
when ratified will not be an instant solution to women's problems. >> i'm trying to find my way through and trying to figure out how best to be true to myself and how to fulfill my responsibilities to my husband and my daughter and the country. >> what they may not imagine looking at the white house, from the outside, is that it's actually a very normal life upstairs. >> i try to bring a little bit of michelle obama into this, but at the same time respecting and valuing the tradition that is america's. >> watch our final two-hour program reviewing our original series, first ladies, saturday at 7:00 p.m. eastern on c-span.
1:52 pm
the u.s. telecom association recently hosted an event assessing the final cybersecurity framework released by the national institute of standards and technology. the plan provides voluntary guidelines for companies to improve security and steps for responding and recovering from an attack. white house cybersecurity coordinator michael daniel outlines the plan in this two and a half hour event. >> good morning. i'm walter mccormick, the president and ceo of the united states telecom association and i want to thank you all for braving the snow to attend our event this morning. we have
1:53 pm
been glued to our television sets watching weather reports, uncertain whether we would be able to be here this morning. so i'm grateful that it worked out so that we can have this important discussion about the release of the cybersecurity framework, which the white house announced on wednesday. we believe this framework is an important step forward for our industry in helping the industry achieve greater levels of security around critical infrastructure. it allows companies of all sizes to decide how to adopt the practices based on their unique circumstances, including specific threats, vulnerabilities, and risk tolerances. by creating a common language or protocol, the framework will help organizations to communicate about shared cybersecurity responsibilities with vendors, suppliers, customers and partners. our industry takes these responsibilities very seriously, and we look forward to the
1:54 pm
framework to supplement and reinforce existing best practices. it's my honor to introduce michael daniel, the special assistant to the president, and the cybersecurity coordinator. mr. daniel leads the development of national cybersecurity strategy and policy. prior to joining the national security staff, he served for 17 years with the office of management and budget. from 2001 to 2012, he played a key role in shaping intelligence budgets and resolving major policy issues as the chief of the intelligence branch, national security division. since 2007, mr. daniel has been heavily involved with federal cybersecurity activities, including the comprehensive national cybersecurity initiative, cybersecurity
1:55 pm
funding issues, and the annual review of federal agency cybersecurity spending. please join me in welcoming michael daniel who will talk about the evolution of the framework, what are the next steps, and how we're going to go forward in improving critical infrastructure security. mr. daniel? [applause] >> thank you. good morning, everyone. it's a pleasure to be here at the u.s. telecom event focused on the cybersecurity framework. i currently serve as special assistant to the president and cybersecurity coordinator at the white house but that's too long of a title. i'm the chief cat herder for cybersecurity in the federal government. of course, today you actually have two great panels following me.
1:56 pm
you have folks like samari and ari and adam and jenny, i see angela and chris and nadia here as well. all of whom are going to speak far more competently than me on the cybersecurity framework. so i'm like the warmup act, the band you vaguely have heard of that comes out and warms up the crowd so the real stars have an easier time of it. that's what i'm doing today. thank you to the u.s. telecom association and its members for all of the work and support on the framework. we appreciate the time and effort you put into helping to produce it. i think it's a product we can all actually be proud of. so, a little bit of how we got here. if you can actually rewind back to the summer of 2012, it became obvious that the cybersecurity legislation we were working on with congress was not going to make it out of the senate. and at that point we knew that we had to shift to some
1:57 pm
alternative paths. so we began looking inside the administration for what our options were, and over the latter part of the summer of 2012 and the fall of 2012, we crafted this executive order, and of course it was the result of a tremendous amount of effort on the part of a lot of different people who put in a lot of different time, some of whom are now in different positions, doing different things, but still all contributed to the development of the framework. and we completed that in late fall of 2012, and then on february 12, 2013, the day of the state of the union, the president signed executive order 13636 on improving cybersecurity. the executive order has a lot packed into it for what is actually a fairly short document, especially in washington terms. but it really told federal agencies to do three things:
1:58 pm
push more cybersecurity information out to the private sector, and also said: create a framework of best practices and standards that critical infrastructure companies could use to improve their cybersecurity. the third was protect privacy and civil liberties while you're doing those other two things and built in a lot of different things into that process, but what i want to focus on today was the -- what happened with the creation of the framework of best practices and standards. the executive order charged the department of commerce's national institute of standards and technology with leading the framework development process but in a way that was actually playing a convening role and leading industry in the development of an industry framework, and one that was actually owned primarily by the private sector, and they took this tasking
1:59 pm
seriously and poured real energy into the effort. i would say it put an a-team of people on the project, and it really ran an amazing process, if you think about it, for crafting such a complex document in just a year. after the executive order came out, a flood of comments came into my office about the year-long deadline that the executive order set for developing the framework, and they were divided about 50-50. half the comments said you're cds, can't ever develop that framework in a year. and then the other half, are you lazy? you can do that in two weeks. so i figured we must have hit it about right and fortunately adam and the team and others proved that was correct. still an amazing effort to pull that off in a year. we collected comments from across an enormous array of participants, held five workshops,
2:00 pm
and my hats off to any of you in the room who actually went to all five of the workshops. i saw the agendas, heard the story, so i know that was not in fact a trivial commitment. in the end i think the participation from industry was really amazing. we ended up with well over 4,000 comments from 300 something different organizations, but i think more to the point you can really see how the framework evolved and true in response, in direct response to the industry input... -
2:01 pm
>> to help organizations understand, communicate and manage their cyber risks. it provides a common language for discussing cybersecurity both within and across different organizations. it offers guidance for how organizations can address privacy and civil liberties as part of their efforts to secure themselves. the framework consists of three components that reinforce the connections: the framework core, the profiles and the framework tiers. and the framework core is really those set of common cybersecurity activities that almost every organization has to carry out, including agencies. we'll come back to that, we're going to be using it on the federal side as well. the profiles help organizations align their activities to their business requirements, they can be used to describe a current
2:02 pm
state or a potential state that you would like to get to. and it also helps companies chart a path from how to get from where they are now to where they would like to be. and then lastly, the tiers can help organizations better understand their approach to cybersecurity compared to other companies and how that compares with other approaches and standards across their industry. and companies can then make a better informed judgment about whether to invest their resources based on their own business requirements. in short, this framework is aimed at reducing and better managing cyber risk, and it offers flexibility for a wide range of organizations. so as we actually move into using the framework, the process for actually using the framework, what's it going to do for companies? well, i think it offers a baseline for risk management. it says here is a common lexicon, here is a baseline that all companies can rely on, that they can point to, that their
2:03 pm
chief information security officers can point to, that has the advantage of being a widely accepted framework for doing that. i think it will also offer a really good way for communication with the c suite. certainly, i find on the federal side the ability of the seniors and people in senior management to understand and deal with cybersecurity has certainly increased over the last few years, certainly in my time in this position. but still searching for those ways to actually have those conversations in a language that everybody can understand. i think the framework will do a very good job of assisting with that. the framework will also enable, i think, much better communication with boards of directors for companies, that it will enable them to have that conversation about why you're managing your cybersecurity in the way that you are and what are the resources that we need to invest in this. now, i think this even applies to very sophisticated companies
2:04 pm
that are already very far ahead in cybersecurity. for one, it serves as -- it can help them internally as an external reference point, as a benchmark, if you will, something against which to measure which we really haven't had in the cybersecurity world. so even if you're very far ahead, it still provides kind of a foundation and benchmark against which you can measure. but companies can also use it externally with their suppliers and other companies they work with as a way of communicating what cybersecurity requirements are and what they would like to see in terms of what other companies have in terms of their cybersecurity. and then, finally, i would not be -- i would be remiss if i didn't point out that it's a gigantic business opportunity for many people, that this is something for those sophisticated companies to actually provide services and other things to the small and medium-size enterprises or those that aren't sophisticated in this space. so i think it provides a lot of
2:05 pm
opportunities whether you're talking about a small and medium enterprise that's really looking how to figure out how to do cybersecurity in a meaningful way all the way up to those that are actually very far ahead. so in addition to establishing and directing nist to actually develop the cybersecurity framework -- which all of the panelists will talk a lot more about this morning -- the eo also directed the department of homeland security to establish a program for critical infrastructure and to serve as a federal coordination point for cybersecurity resources and to support the increased cyber resilience by promoting the use of the framework. and so dhs has created that program which we call the critical infrastructure cybersecurity voluntary program. but, of course, it's actually -- we can, we're the government, so we can reuse those acronyms, you could talk about c cubed meaning
2:06 pm
you've got a convergence of critical infrastructure resources coming together in that program, you can think of it as connecting the stakeholders together and the national security resilience effort and coordinating those cross-sector efforts to maximize national security cyber resilience. so i think that this, the voluntary program really represents a long-term effort for us in cybersecurity. we launched that on wednesday along with the framework, but it's not done. and we acknowledge that. but there's a reason why it's not done, because it needs to actually be built with industry participation and industry involvement. now, there are things that are already in the voluntary program including dhs being able to support cyber resiliency reviews to provide resources to help an organization assess its information technology
2:07 pm
resilience. these kind of resiliency reviews can be done either through that suggestion with dhs or can be done on its own. dhs itself has conducted over 330 of these at the request of critical infrastructure entities nationwide. we're bringing this together with the voluntary program so that it's clear that these resources are there. dhs will also offer another, a range of cybersecurity resources to public and private sector organizations including information on threats and vulnerabilities. cyber incident resources such as the national cybersecurity communications and integrations center, the nccic and the u.s. computer emergency response readiness team, u.s. cert and ics-cert, the industrial control system cert. so all of these things are going to come together, and dhs will work with the sector-specific
2:08 pm
agencies as well as other federal agencies to identify other offerings and assistance that we can provide that will be best suited to that particular sector's capabilities and what they require. so, for example, the nist cybersecurity center of excellence plans to work with owners and operators to develop sector-specific use cases that build out security platforms based on the network. and the department of energy is offering guidance and assistance through their program that supports the energy sector maturity model, the c2m2. again, government; we love acronyms. so i think that really we're looking at the voluntary program through dhs as one that needs to grow and reflect in partnership with industry what is needed in order to actually implement the framework. so what's the way forward? so at least speaking for the
2:09 pm
government side, in typical white house fashion our reward for this job well done is going to be, well, more work. after all, there is no point where we reach 100% security and declare ourselves done. instead, we have to be focused on reducing and managing cybersecurity risk. and this requires staying dynamically engaged over time. so i want to talk a little bit about our path forward and how we're going to plan to build on our success. i'm going to talk about three things, specifically what's happening with the regulatory direction, the direction in the eo that dealt with the regulators, what the future plans for the framework are and where we're going with some of the incentives. with respect to the existing regulatory environment, the goal of the administration and what we laid out in the executive order is to encourage harmonization among existing cybersecurity regulations and between those regulations and the framework. so let me be very clear: the
2:10 pm
goal of the administration is not to expand regulation. rather, our goal is to actually streamline existing regulation, and as much as possible bring that into alignment with the framework over time. so to that end, the president directed the executive branch agencies to review their existing regulatory or voluntary programs in this area, and in may of this year, consistent with the executive order, these agencies will propose prioritized, risk-based, efficient and coordinated actions to mitigate cyber risk. we are encouraging those agencies to focus on voluntary efforts and programs to support the adoption of the framework. for those sectors where regulations do exist, agencies are encouraged to actually use their processes to bring their existing regulations into alignment with the framework. we, of course, can't direct the independent agencies to do anything, but we have invited them to follow the same process, and i -- some of them have
2:11 pm
certainly indicated to us that they are interested in doing so. so what's next for the framework? well, as i've already mentioned today, i think the first step, of course, is to actually use it. we actually need to see it in operation, see how it actually functions in corporate environments, see how it functions in the government environment and figure out how we can actually, figure out how we can make it work. and that's the first thing before we even think about sort of tweaking it, adjusting it and doing anything else with it. we want to capitalize on the rollout that we've had, the trend of increased ceo engagement in this area and really get robust use of the framework going. excuse me. but we have always viewed the framework as needing to be a living document. so as the framework is used by various organizations, nist very much plans to integrate those
2:12 pm
lessons learned into future versions of the framework. so i thought that adam may be able to talk about this more, but nist intends to hold future workshops and meetings to support the use of the framework and address specific areas identified for further development and alignment. so in particular, your feedback on how the framework works will be valuable. nist will also discuss the potential for transitioning ownership to a nongovernmental organization of some kind. we've always viewed this framework as something that needs to be owned and operated, if you will, by industry over time. now, obviously, consistent with the open and transparent process that we used to develop the framework, any move to do a transition of the framework is going to be done in the same way and certainly won't happen overnight. but i think in the long run we all view that it would be much better if this was actually something that industry could own and continue to drive.
2:13 pm
so the last area that i wanted to mention was what we're doing with incentives to encourage the use of the framework. we very strongly believe that developing incentives around the framework is a key endeavor for us, and we intend to keep moving forward with that process. back in 2013 we released a set of potential incentives that we intended to review further, and that's what we've been doing over the last few months. the relevant agencies have begun to define the scope and path forward for cost recovery, regulatory streamlining and government procurement. and as these plans develop, they will be shared publicly over the next few months and will include details on how to get engaged in the process. so as discussed earlier, dhs and other agencies will utilize their existing programs to provide technical assistance to companies to assist in their
2:14 pm
efforts to adopt the framework as part of the voluntary program, and we'll also be soliciting feedback on those potential incentives through the voluntary program. but at the end of the day, i really feel that the best drivers for adoption or use of the cybersecurity framework will ultimately be market based. i think the government incentives are really important for us to pursue and to get right, but it's the market that's going to make the business case. the federal government can try to make the costs a little bit lower, the benefits a little bit higher, but that's the icing on the cake. if the cake is not tasty enough, i know some of us just like to eat icing straight from the can -- [laughter] but no amount of icing is going to actually make the framework really work. so that's why i think we believe that we can roll the framework out now, and companies can begin to use it even as we continue working on the incentives. so i look forward to keeping the momentum going moving forward in this area.
2:15 pm
i think we've gotten off to a really great start. it was a truly amazing endeavor to watch this framework come together and to watch it gel out of all the different versions that i saw as it went along. it was really quite amazing. i really do believe that this could be the beginning of a major shift in how companies talk about cybersecurity and how the government can talk to industry about cybersecurity and that we can use the framework -- excuse me -- to really kick start some conversations that really need to happen. so u.s. government staff, including many of the ones you'll see this morning, will be traveling around the country to promote the framework over the next three months, and i hope that the telecom industry can continue the great support it's shown so far. i would say kick the tires, try it out. see where it works, see where it doesn't, and then let us know about it. both the good and the bad. that's the only way that we can actually make it better over time. and if we can do that, then
2:16 pm
maybe we can really lay the foundation and start to go after the real bad guys in this area and make cyberspace a whole lot safer for all of us. so thank you for letting me speak to you this morning. i know you're going to enjoy your panels, so thank you very much. [applause] >> thank you. thank you very much, mr. daniel, for that introduction and presentation. my name is robert mayer, i'm vice president of state affairs for u.s. telecom. i'm involved in cybersecurity policy with the communications community and other sectors, and i think i share membership in the league of cat herders and very proudly do so. i'd like to ask the panelists to come up, and we'll introduce them and turn it over to the
2:17 pm
moderator shortly. i think it's also fair to say that when the executive order came out and spoke of a delivery of a framework in one year, there was universal concern that that was extraordinarily aggressive, and i think that once folks, stakeholders got involved with this particular group of leaders, it became clear to us that no matter what, they were going to achieve their objective, and they did it in a way that was pretty remarkable in terms of transparency and inclusiveness of different stakeholders. so let me start by introducing samara moore, who serves on the white house national security council staff and coordinates efforts across the federal government and
2:18 pm
partnering with the private sector to address cybersecurity policy areas for all critical infrastructure sectors. previously, she worked as the senior information technology and cybersecurity adviser at the department of energy focusing on cybersecurity for the energy sector and managing public/private partnerships. she also played a key role in i.t. and cybersecurity governance and led the development of the electric sector cybersecurity capability maturity model. she received a bachelor's degree from virginia tech in accounting and information systems and a master's degree from george washington university in engineering management and systems engineering, where she's currently an adjunct professor. to her right, ari schwartz. ari serves on the white house national security staff as director for cybersecurity privacy, civil liberties and policy. previously, he worked as a senior policy adviser for the department of commerce and was the senior internet policy adviser for the national institute of standards and
2:19 pm
technology, nist, where he represented the organization as a member of the department of commerce internet policy task force. between 1998 and 2010, ari led efforts to promote privacy protections in the digital age and expanding access to government information via the internet as the vice president and chief operating officer at the center for democracy and technology. ari won the 2006 rsa and 2010 online trust alliance awards for excellence in public service, and in 2007 he was named one of the top five influential i.t. security thinkers by secure computing magazine. ari holds a bachelor's degree in sociology from brandeis university. to ari's right is adam sedgwick, who many of you may have seen recently with a beard, but it's been replaced. [laughter] he's very clean shaven. adam is the senior information technology policy adviser at the national institute of standards
2:20 pm
and technology, and he represents the organization as a member of the department of commerce internet policy task force coordinating information technology projects with nist's critical partners in the federal arena. adam has led, with colleagues, nist's newest project, which is the framework that we're discussing this morning for the critical infrastructure sector. prior to joining, he coordinated cross-agency initiatives and previously handled technology policy for the senate committee on homeland security and government affairs, and in 2008 and 2013 adam received the federal 100 award for his contributions to the federal information technology community. and to adam's right i'd like to
2:21 pm
introduce jenny menna -- talk about long titles -- director of the stakeholder engagement and cyber infrastructure research division at the department of homeland security, and previously she directed critical infrastructure cyber protection at the united states computer emergency readiness team, commonly known as us-cert. jenny formerly served as the director of the infrastructure partnerships branch of the office of infrastructure protection and as the program manager for homeland security information network critical sectors. prior to joining the department of homeland security, she held a variety of leadership roles for large system integration firms, and she received her ma and ba from the university of chicago. she's a graduate of the initial cadre of fellows and was selected as a member of the senior executive service in 2009. we have a very distinguished panel, and with that, i'll introduce our moderator, alexis. and if you'll step to the
2:22 pm
podium, please. alexei is the e-commerce and privacy reporter for bloomberg bna, and he has written extensively on topics such as cybersecurity, online behavioral advertising and government surveillance on the internet. and with that, i'll turn it over to you, alexei. >> good morning, everyone. thanks to u.s. telecom for putting this together. it's a very good panel, and i think it's going to be very informative. actually, michael daniel did a very nice job of sort of laying things out and touched on a lot of the questions i had. but you guys are not off the hook. so before we sort of get into the next steps, let me sort of set the stage by asking you how does this framework move the ball forward on cybersecurity from where we were, say, a year or two ago, particularly since
2:23 pm
it basically compiles standards that were already out there? >> so i guess i'll start with that one. so i think what the framework does, i think we're in a period where we really will see how that question can be answered, because i think we had a good process, and there are a lot of folks that are standing up now and saying that they want to use the framework. but really its success will be measured by how many people use it and if it effectively does reduce cybersecurity risk across critical infrastructure. so i think it moves the ball forward in a couple different ways. what i think it does, i think it makes it a lot easier for companies to have these conversations. we have always talked about that whatever solutions are created, industry needs to support. there's a statistic that jenny might understand the origins a lot better than i do, 85% of
2:24 pm
critical infrastructure is owned by the private sector. so those solutions and the things that we do to help companies need to be something that they can support and embrace and use. and a natural place for that to start is looking at these existing practices that are out there. so having that foundation of what's already out there in the market -- and to be clear, the underlying standards are things that evolve to meet business interests. so it's -- no part of this is static. but i also think that the structure that we have presented there goes beyond those set of existing practices, right? so i think about the framework, not only about those underlying standards, the ones we have mapped in, but also the ones that exist that nadia could talk about much better than i could. but also that structure we developed where you think about the profiles, the tiers, and really understanding the concept that this is something -- as michael alluded to -- that you
2:25 pm
don't walk away from. it needs to be something that's embraced by the cultures of organizations. so what i think it really does here is having this common set of practices, this common set of understanding, it can allow conversations to occur that maybe couldn't have happened before. and that was one of the things we saw even throughout our workshop process. i don't think we realized at the time this was starting off just how unique it was to bring in all the different stakeholders across the ecosystem and have these really broad conversations about what the challenges are and then think about ways to address that. and i think that's part of our work going forward too. michael talked a little bit about that as well, as we think about next steps and a document we put out called the road map that lays some of those things out. the process was always about identifying the existing practices that are out there, elevating the use of those that we know to be effective, and that's the structure we created. and that third key piece is really the next steps and how we work with industry to develop
2:26 pm
solutions for the next, to help innovation and to deal with the next set of problems that we see. >> follow up on that. i think we've heard already just in the days since the framework has come out, we heard from a large fortune 500 energy company that told us they're now using the framework to talk to their board and have the conversation with their board. they've advanced it to use the final framework. we have heard from one of the top five largest banks in the u.s., that they're using it to have the conversation with their board as well. we've heard from an i.t. company, one of the largest i.t. companies in the country, that is now hiring a new chief information security officer. they're going to judge as a baseline how that person does their job based on the framework and how they use the framework and whether they meet, and how they move
2:27 pm
forward based on the tiers set forward in the framework. so i think that gives a sense of already it's being used. that's a really good sign for what we thought that it would accomplish moving forward. >> so now let's talk about next steps. obviously, this is just the beginning of the process, and a key item that was announced the other day was the launch of the dhs program. this is probably a question for jenny. can you talk about this program and how it will benefit companies? >> sure, thank you. so the c cubed voluntary program -- and we're excited about the name, especially when you see the title i have for dhs, that's sort of a short, catchy name -- [laughter] we're excited about what it's going to do. one, it's the way we're going to coordinate outreach and engagement with our critical infrastructure partners across the country. some of that will be done through the critical infrastructure sectors. we're going to leverage the
2:28 pm
sector-specific agencies, coordinating councils, but we're also going to work more broadly with organizations like the u.s. chamber of commerce, how do we get out to those small and medium businesses nationwide who may not historically have participated in these national-level discussions about cybersecurity. and also an important part of our critical infrastructure that sometimes we don't talk about as much is state and local government, so we have a very active outreach campaign for them when you think about all of the very sensitive data that resides on state and local government networks and also all the critical programs including federal programs that are implemented through state and local government and the things that they do, you know, they operate municipal water systems, so they're also an important part of our outreach effort. a key part of our outreach is going to be our web site. you can go to dhs.gov which has some of the overall program information about c cubed, but then it will take you over to the us-cert web site that has far more extensive information
2:29 pm
that you can get, and that's the second important part of the voluntary program. it's really a place to bring together the resources that we have across dhs and across some of our federal partners as well, and we want to expand making it that place to go. tools, capabilities, whether it's things like access to the cyber resilience review where you can either get in touch with us to request someone to come out to do a site visit, or we now have a downloadable version where you can do it yourself, if you choose. but a broad set of tools, capabilities, best practices, mapped against the five areas of the framework. for example, we have work force diagnostics, best practices for things like incident response, access for things like exercises that you can go to. and we also recognize there isn't a one-size-fits-all set of tools that are going to be helpful. we've been recognizing there are very different needs across the community here in cybersecurity, the continuum of maturity of
2:30 pm
organizations, there's some folks that are incredibly sophisticated, have huge programs that have been thinking about this for years, and there are people that are just waking up to, oh, maybe i need to start thinking about cybersecurity. so we look forward to broadening our set of services to recognize the unique needs of those different pieces of the community. so we have something up there that we're excited about now, but there's going to be a lot more to come for our different stakeholder groups whether it's state and local, so stay tuned. and the last part i'll mention is, we recognize we need to get feedback. we're planning to grow and improve and make this better going forward. we need to get feedback from the community about what isn't working with the program, what your needs are that we're not yet meeting and how we can build those together and then feedback that we'll get as we work with our partners on things like these site assessments that we can feed back to our colleagues at nist as they work the iterations of the framework.
2:31 pm
>> a follow-up question on the cyber resilience review service that you'll be offering. do you feel like dhs has adequate resources to incorporate this into the program given that it's going to be national and that a variety of different sectors are -- you're going to have to accommodate those needs? >> so we've been providing the cyber resilience review for the past several years, so we've done a little over 300 of them. we've done them across the country and across the critical sectors. we do recognize there may be increased demand, and we've updated the crr. we've matched it to the framework but also made this tool available where you can do it yourself, or you can have someone, a vendor, do it for you. so we're hoping that will help with the scalability aspect as well. >> let's talk about just in terms of driving adoption of this framework given that it's voluntary, what tools or options
2:32 pm
does the administration currently have to do that? drive adoption of the framework as well as program participation? >> okay, so i'll talk to that. we certainly have been looking into different tools and resources we have with our existing authorities to be able to do that. you know, one has been just awareness of the framework, and so we intend to continue to build upon relationships that we've formed over the years; in particular those that we've had a chance to work really closely with during the development of the framework. but also we're looking into some incentives in some different areas that we can work with our existing authorities to promote use of the framework. some of you may be aware of the
2:33 pm
reports that were submitted last summer from the department of homeland security, commerce and treasury, and those reports recommended eight incentive areas. and we, essentially, in each of those reports it recommended further analysis, particularly as the framework is final and companies begin to use the framework we will get a better idea of how to encourage use. but those areas included cyber insurance, grants, cost recovery, liability limitations, research and development, technical assistance and process preference, streamlining regulations and public recognition. so we have been working since those reports were issued in the summer of last year, really within the interagency to do some of that further analysis, see what's feasible, what can we do in the near term
2:34 pm
and the more particular scope that we'd like to move forward on. and so in the coming months, we intend to issue a road map -- really our path forward -- in those particular areas. there's some areas where we're able to take some action in the near term. so, for example, when we discuss technical and process preference, what jenny described through the voluntary program is a great example of some programs we already have in place within the federal government but are able to really support organizations that want to use the framework. we have some agencies that have taken leads in certain areas where it makes sense to really further the analysis. and so, for example, in the area of cost recovery, the department of energy has taken the lead in that area and really furthering some work with some state organizations to see how could we pursue cost recovery for
2:35 pm
certain utilities. also we have dhs that had been working with the cyber insurance industry, and so they're working to hold a series of workshops to be able to further promote and develop this. so we're looking forward to that. we believe that as organizations use the framework more, we'll get much more insight into what incentive areas can really make a difference and actually really increase and promote use of the framework. but we do believe that market-based incentives will be the best drivers for use of the framework. >> can i add to that? >> i think one of the other key things and next steps that we think would really help is, you know, the framework was designed to be truly cross-sector, so it was looking at practices that could be used across those 16 different sectors that make up critical infrastructure. but i think we also realized that there would need to be additional work to think about
2:36 pm
sector-specific needs. so the framework, you know, it really was an effort to make it at a high enough level that it was truly sensible, that setting those existing standards and practices under those five higher categories of identify, protect, detect, respond and recover, that there were ways to use it that you could communicate within an organization or a small or medium business could begin to think about what they're doing to better manage cybersecurity risk. but i think there's a lot more work we can do now that it's out there to think about those sector-specific needs and bring it down a few levels for those commitments. and i think, you know, for example, with telecom that'll be the work we do with the folks in the room so that they understand unique challenges that they have in their environment which might be very different from the energy sector or other sectors that are out there. so i think that's part of the work that we can do now that the framework is final. and we already did that somewhat
2:37 pm
leading up, and we asked sectors to come in. but i think that's sort of a key next step that we hope will really help with use. as well as working with the technology providers that provide the services to critical infrastructure. i think about how they provide these tools to manage cyber risk. >> you know, related to that i'll make another point. one of the points that we heard throughout the workshops and the development process, and also i think we heard a bit in the panel, the ceo panel last wednesday during the rollout event, was really the interdependency that we have both within sectors and across sectors and how the framework can be used to really support management of cyber risk within the supply chain. and we believe that as that occurs, that will really, you know, we hope that that can really help to encourage,
2:38 pm
support use and adoption of the framework over time. that was something that we heard both through our working group meetings as well as the framework development sessions. >> can you elaborate on the road map that you're expecting? is it going to be sort of ideas, or is it going to be an actual action plan, and will there be a timeline in terms of actually moving forward with implementation of incentives? >> sure. so as it relates to -- you'll see a list, the path forward for multiple areas. and some of them we've identified a high level time frame, so some of them may be relatively near term, some may be three to five years. so, for example, as we're looking at grants to really influence and impact the grants process, it takes some time to build guidance and to actually work it into the process. and so the specific plans and
2:39 pm
path forward for the areas will be shared along with how to get engaged. for some of them, for example, there may be open requests for information to receive additional, targeted feedback on particular areas. >> and will there be any legislative recommendations as part of this effort? >> so, again, we are looking to see how the framework is used to really help us target specific asks and requests as it relates to that in the legislative space. we want to have a better idea, particularly now that the framework is out but as organizations use it, how to best leverage legislation to encourage use of the framework. >> obviously, the incentive piece is very important. folks have said without adequate incentives that it's going to be very hard to drive adoption, and
2:40 pm
one commentator said, basically, if you don't have the right incentives at all, this would have been a waste of time. >> i actually think that's somewhat been overstated. as i said, three examples the day this thing rolled out we have very large companies implementing. samara raises another great point which is the supply chain, which sort of has the domino effect of making sure there's implementation. and we're hearing from companies that are voluntarily committing to do that with their entire supply chain, requiring of their supply chain that anyone that they may have contracts with has to use the framework in their risk management process and demonstrate how they're doing that. so i do think we're moving in the right direction already even with very limited incentives. more will help, i agree with that. i just think this idea that companies aren't going to use it, we're seeing that's already not true.
2:41 pm
>> so you don't think that a lack of incentives, for example, congress stepping in and providing liability limitations, you don't think that would weaken the program? >> in the end -- if we don't have it, you're saying? >> right. >> yeah. i think that increased incentives will help, and that's the reason we're spending a lot of time on it, and the reason it was in the executive order. i think that because of the great support we've had from industry in creating the framework and building it and now in the beginning stages of use, it's proving not to be as essential as some commentators have said that it would be. and we heard that from the panel we had, the ceo of lockheed martin, the ceo of at&t, and the ceo of pepco, all of them said they're using the framework, incentives were not that much of a driver to get them to use the framework. so that's just, i think, a good
2:42 pm
example right there of the kinds of companies that we're hearing from right now that are committing, publicly committing to use the framework in their risk management, and as we move forward we'll learn more about how they use it, etc., and then we can try and figure out where the levers are and the incentives to try and get those that aren't at the front end of this and move them forward. so i think that's where the incentives really kick in. we have this group that kind of makes up the critical mass that's getting this moving, and then we'll see who are the laggards after that, maybe we can get some incentives aimed specifically at them. >> i have one or two maybe additional questions, and then i'll give the audience an opportunity to ask questions. i wanted to ask about, obviously, there's been some anxiety in the business community about the role that regulatory agencies might play in the process. and michael daniel has spoken to this
2:43 pm
today and, obviously, the administration has spoken to this concern. just wanted to give you an opportunity sort of to elaborate on what role is envisioned for regulatory agencies, and what type of actions might we expect the agencies to take and what type of timeline are they working with? >> so i'll respond to that question. so for the regulatory agencies, the executive order did have some directives to executive branch regulators. and, in fact, we had reports that were submitted on the 12th, a couple of days ago. remember the snow day. related to just that. the agencies have reviewed their existing regulations, and over the next few months -- in may -- they will submit their actions to address cyber risk as
2:44 pm
appropriate within their sector. in particular, they are reviewing -- along with the framework, for alignment with the framework -- but are also encouraged to leverage voluntary means to address any identified risks that the sector feels needs to be addressed. there are some, though, and, you know, one of the incentive areas i mentioned was streamlined regulations. and that's an area where we do want to work with existing regulators to harmonize over time. we recognize you can't flip a switch, but where appropriate, we'd like to harmonize with the framework. we know, and we've heard from organizations that are members of multiple sectors and having some streamlined and harmonized regulations would definitely be of value to them. but to underscore what my boss, michael daniel, said, you know,
2:45 pm
we're not looking and pushing for new regulations here. we really are promoting the voluntary approach and voluntary use of the framework. let's see, would you add anything to that? >> yeah. i just want to make it clear that, you know, we worked with the regulatory agencies throughout our entire process. they came to our workshops, they submitted comments both to the initial request for information and on the preliminary framework itself. and the reason we did that is because, you know, they are a key part of this ecosystem. and we also asked the companies that were working with us what were those regulatory issues that they considered when they were managing cybersecurity risks so that when we built the framework, it wouldn't be something that was great for managing risk but also completely impossible to implement. so i think, you know, samara's totally right. with the regulators, it's not a one
2:46 pm
size fits all environment. regulators will look differently in the way they consider cybersecurity risk. so, you know, they've been working with us, they understand the framework. i think the key part of our next steps is to think about, you know, how they view the framework and how they look at those security capabilities that are in the framework and perhaps not the specific technical implementations. so it's more about how are you meeting those goals instead of what exactly are you doing. and i think that will be, you know, the work that we look at next, and we'll bring them into the conversation more as they think about that. >> one of the challenges before the administration is how are you going to measure the effectiveness of this given that it's a voluntary program? have you, how much thought has been put into that, and do you have any options at this point? >> so lots of thought put into it, and it is a bit of a
2:47 pm
challenging issue because it is a voluntary program, there are many organizations that are going to adopt the framework and avail themselves of the resources that we make available that we'll never know about. and that's fine, because our goal is that they be more secure. but what we can do is, you know, we do our cyber resilience reviews, and when we do those on a facilitated basis, we obviously get an idea of what is going on or what is the posture within an organization and some of them we do multiple visits with over time we can see changes there. we can see, you know, how many people are visiting our web sites, downloading and using the different tools. we participate with a number of sector organizations, sector associations that can give us information about adoption within their sector. for example, there are associations that have a set of practices that all of their members agree to abide by. so when those are mapped to the framework, we can get an idea that things are being adopted within those sectors. and, obviously, there are a number of industry partners we know are going to be rolling out
2:48 pm
services and tools and, hopefully, they can also give us an idea of how much those things are being adopted across the sector. again, with anything voluntary it's always a little bit of a challenge. you know, we have the paperwork reduction act that makes it difficult for us to survey even if people chose to respond to a survey. but we're going to leverage all of our partnerships and ways to track that information just to get an idea of how broadly that implement -- and we're always welcoming suggestions in this area as well, because metrics are tough. >> all right. you know, jenny said it just right. we've been talking about this for quite some time, and, you know, we have started to identify some indicators of success. and jenny addressed many of the ones that we've come up with. but when you look at how the framework, there are many different ways that the framework can be used. because, you know, to take it back up what we're really shooting for is management of
2:49 pm
cyber risk. we want to strengthen how we are managing the cyber threats that impact the delivery of our critical infrastructure, that have the potential to negatively impact our businesses. that's what we're trying to promote. so there are some organizations that may use the framework. they may already have robust cyber protections, but they're using it to aid in communications with their business partners and with their boards. how do you, you know, how do you capture and measure that? there are some that are going to use it to help communicate cyber requirements and cybersecurity expectations with their supply chain. so as a result, we're looking at different indicators of success. clearly, some of the feedback that we get from the community is part of it. the ability, i talked about streamlining and harmonizing our regulations over time, are we actually able to do that. we think that will be an indicator. do we start to see sector-specific guidance aligning? are we aligning our federal
2:50 pm
programs to support use of the framework. are we aligning it to support the functions that are outlined in the framework, you know, are we putting our money behind this, essentially. so we've identified several different indicators, but, again, do look for feedback. and as we continue to work through our partnership and through the voluntary program, we're seeking to hear that feedback. >> okay. well, i'm going to turn to the audience and see if there are any, if there's anyone in the audience who has a question. if you could identify yourself before asking your question, we'd appreciate it. anybody? >> we do have a couple of online questions, if we -- if no one else is ready to jump in, i'll read those for you. the first question is: will following the framework be mandatory for government contractors? [inaudible conversations]
2:51 pm
>> so we have, we have the report that was done jointly by gsa, the general services administration, and the department of defense on government procurement. and that report included a set of recommendations on how we can better manage cyber risk through government procurement efforts. so that effort is, the effort to actually implement and move forward on that recommendation is beginning. that report was not something that gsa and dod did in a vacuum. they actually did it in a very similar, transparent and open process. and as they look to actually implement those recommendations, a similar process will be followed. so coming up there will be requests for information to really get feedback as we look to figure out how can we best use the framework to help drive,
2:52 pm
you know, influence how we're managing cyber risks through federal procurement? >> a lot of that's looking at the federal side and things we can do in terms of the people that are making those procurements and writing those contracts. what they can put in to help manage cyber risk. >> [inaudible] can you talk a little bit -- oh, i'm sorry. can you talk a little bit about what the government is doing to encourage information sharing in the absence of legislation on that? >> certainly. in particular within the executive order, section four for those who follow closely, it was focused just on information sharing. and there were a number of things that we had in there. you know, within the executive order we stated, you know, it is our policy to really improve how we're sharing information with the private sector. and to do it on a more timely basis and in a way that is relevant for the needs of the
2:53 pm
recipient of that information. and so within the federal government, we have been working diligently to improve some of our internal processes on how we do that. so, for example, developing some instruction such that we can share more timely and relevant unclassified information with the community. but also recognizing that while it helps to share more information at an unclassified level, there's still a need to share some classified information. and so we've worked on improving our processes to grant clearances to critical infrastructure. there's, and absolutely the next two really hit on jenny's area including the enhanced cybersecurity services program. so do you want to speak to that? >> sure. and thank you, yes. so we've actually made some really good progress since the implementation of the executive order and information sharing on the classified side. we have our enhanced
2:54 pm
cybersecurity services program, and what that is, is really where government shares classified indicators with i.c.t. providers so they can use that information to protect their customers' networks. so the ecs program is built upon what was started, what was referred to by some as the dib pilot or opt-in. what the executive order did was allow this program when it was transferred to dhs to be made available through those i.c.t. providers to all 16 critical infrastructure sectors. so we've been working since that time. the program is available to all 16 critical infrastructure sectors. you can imagine there were all sorts of policies and procedures and activities that needed to take place to make that happen. we've increased the frequency of the information, the indicator sharing with the providers so they're getting more government information on a more frequent basis. we have a long list of providers, the initial providers have been isps, but we have well over a dozen companies from other sectors -- i'm sorry, from
2:55 pm
other components of the i.c.t. community that have expressed an interest in being a provider, that have signed a memorandum of understanding with us, and i should say our partners, community partners now have customers outside of the defense industrial-based sector. so it's a program that we look to continue to grow and expand. we think it's a real opportunity for market innovation of how can the i.c.t. community use the classified information recognizing the importance of keeping it secure to protect their critical infrastructure customers. so we're going to continue to work both with the providers and the customers to try to expand that program and make it as valuable as possible. two other important areas, samara mentioned the clearance. just to give you a real world example of how that's been put into place, we've had a private sector clearance program for a long time, but it's taken a long time to get through the process.
2:56 pm
so our partners came up with a streamlined process where they recognize that if you're a person in industry and there's a briefing you need to attend, we really needed to have an expedited track to get you to the front of the line so that you could participate in that briefing. as an example, a couple weeks ago we had the request from the rail sector saying these are some very specific things we would like to receive government briefings at a classified level. some folks had clearances, some did not, and by the way, we'd also like to have our canadian partners attend. and so what we were able to do using those new processes was to get people expedited through the process. some of those folks actually got their clearances to participate in the meeting within a couple weeks of submitting all their information. so everyone who submitted their information -- yes, i know. i see jaws dropping, yes, within a couple of weeks we were able to get the canadian folks' clearances passed, and they were
2:57 pm
able to see a briefing on a list of intelligence requirements that they had that included briefers from dhs, office of intelligence and analysis, but also fbi, the tsa and also the national security agency provided briefings. so it was a really great example of bringing those capabilities for information sharing together. and then one last thing i'll mention our cybersecurity or information sharing and collaboration program which is where we share those sensitive but unclassified data continues to grow. i think we have 70 organizations both individual and information sharing and analysis centers from across all the sectors that are participating in that, where we share information out. machine readable, they share information back with us that then goes out through the group. and we also use that to do quarterly analyst-to-analyst coordination exchanges, classified and unclassified. so lots of progress in that area. >> do you believe the legislation's still necessary? >> wait for the mic.
2:58 pm
>> hi, it's charlie mitchell with inside cybersecurity. thanks. >> so i will testify to my colleagues from the national security staff. >> he asked if we thought legislation would still be necessary, and the answer is, yes, we think legislation is necessary. we have seen an increase in information sharing, at least anecdotally in some sectors, but some sectors there's still hesitancy, and we're trying to map why that is. but we are still supportive of legislation in general. we had it in our package that went to the hill in may 2011 from the administration, and we've been, continued to work with industry and with congress and other stakeholders to try and figure out where the problem has been in holding up legislation, compromise legislation on this issue. we think it is really the key issue that is outstanding on cybersecurity legislation, although there are a number of others we'd like to see pass as
2:59 pm
well from the package we put out in 2011. >> any other questions? >> there's another online question. it reads: executive and independent agencies have submitted executive order section 10a reports and will later submit section 10b reports within 90 days of the final framework being forwarded to the administration. will these reports enjoy the same level of openness and transparency that every other aspect of the executive order and framework process have enjoyed? >> so for the reports that were submitted this week in response to the directive in section 10a, those reports are used for internal deliberative purposes only, so the plan is not to make those reports public. as agencies move forward for 10b
3:00 pm
in their actions there, we've, we're in the process of still coordinating with them. we just received the 10a reports, but we are using those for deliberative purposes. >> so just to clarify, those are -- those are the agencies reporting forward. >> yes, the agencies that submitted the reports to the white house. >> okay. ..
3:01 pm
have been involved in the framework development process. and so independent agencies are invited to engage. we have received hundreds of interest along those lines. we cannot direct but we are in discussions with them and they're looking, looking into how the framework, you know, could be leveraged within their area of responsibility. >> i would just underline that again. independent regulators have participated in our process. we had a panel with an independent regulatory agency that's of particular relevance to this community with the fcc kind of showing the system. it's not a one size fits all area. they will think about things very differently and they will have authority. i think it's a mistake not to leave out the other parts of
3:02 pm
this because if you look at the state regulators, but you also look internationally, what other countries might do, and so i think the approach that we've taken is one way to bring all those folks together. it's a voluntary framework so we think effectively managing cyber risks come and in the broader committee, including those pieces of it. >> may have touched on this but in terms of the actions that are called for in the executive order for the regulatory agencies to take, do you expect this to be rule-making? if so, what is the timeline agencies are working with for that? >> so if existing regulatory agencies with cybersecurity regulations determined that rule-making is required or necessary to harmonize and align with the framework, that would
3:03 pm
be done through their existing open rule-making processes. >> and is there any particular time, would we expect to see that maybe this year or -- >> so the agencies are all very different and the processes may be different. again, with the framework that's been issued, the agencies are beginning the process to do that analysis. from our perspective we are promoting, you know, again voluntary use of the framework. however, if that is determined it's necessary it will go through their process. generally that involves engaging with the industry partners in this process and so i can't really provide a specific timeframe. >> i think it's important to say we don't expect, the white house has said we don't want new regulations. michael daniel said this earlier as well. if you see something like that it would be streamlining, so specialty across different, for
3:04 pm
industries, might all across different regulatory bodies, making sure they're aligned and not having different regulatory authorities. that would be the only place you would see something like that. >> i think we have time for any other questions from the audience. otherwise, i might ask one or two more. in terms of what the transition from the draft to the final framework, i just wanted to hear whether there were any significant differences. i think the one issue that came up from a lot of interstate commentators were the concern about the privacy language. and so if you could just address that and how that was addressed in any other major changes. >> sure. i'll start and ari is the privacy expert, he can correct me if i'm wrong.
3:05 pm
as we talked about throughout this was an open process and we received comments multiple times. in october we put out what some called the preliminary framework which wasn't even the first draft. we put out a draft in the summer. our first folder of in a summit and it was the basis of our fourth workshop in dallas. at the preliminary framework we got by our account just over 200 submissions, and by our count that was just under 2500 separate comments. the changes that we made are throughout the document. there were a lot of people were saying things like, it would be really helpful if you had an executive summary that made those high level points and some of the things that were underpinning the executive order need to be made clear in the document itself. the international applicability, that it's not one size fits all. that even these tools within the
3:06 pm
framework, the concepts of profiles, you can tailor it for different ways within an organization. and people ask for things like they helped us, including nokia, in doing better mapping for the existing standards we mention in the document as well. but you're right that probably the biggest difference or one of the key differences was that change with the privacy section. and what happened with that section is initially we had a separate section that was meant to encompass privacy and civil liberties. and we did that for two reasons. not only as short for michael was a key part of the executive order, but it was something that the stakeholders asked for. if you go back to the questions we asked when this started in february 2013, people identified privacy and civil liberties and specifically for this effort the considerations when you're
3:07 pm
building strong cybersecurity programs. so the feedback that we got for the preliminary framework at the sessions leading up to that, we had a really good panel at our last workshop with ari, with my colleague, with michelle richardson from aclu, with harriet pearson, was about this topic and what we ended up doing for the final version was instead of having a separate appendix, i think stakeholders from both the privacy community and the business community said, given the mandate of the executive order, it would be much better if this was clearly about the privacy considerations when you're growing a cybersecurity program and the risks that could be out there to privacy and civil liberties when those programs are being built. so that's what we do in the section. the same sort of material, this is all about providing tools and
3:08 pm
resources to critical infrastructure, that's all still there in the document but it's in the context of the how to use section so it's very clear that this is how you build a strong cybersecurity program, giving the really important linkages of those things. you can't have one without the other. the other thing that we've done, and we did this throughout, another big change with the document was we separated out a section called areas for improvement, which was always about areas really for us to improve our work with the stakeholders to improve and not for the critical infrastructure community to improve. that was sort of the set of things we realized that we would need to do more work to develop the best practices, to develop the standards. so that section became separate and we put it out as a roadmap that we released on wednesday along with the framework. that lays out some of the things that michael talked about, about future work, future transitions and the list of key items that we would need to do more work on.
3:09 pm
one of them would say is privacy. so if you look at that roadmap, you see what we heard from the community about what the needs are there, and that become something that we can have future work on. including a workshop that we are scheduling in april. to bring, you know, this diverse community back together and ask how do we make progress with those technical underpinnings that will help organizations manage privacy. >> i would take it back just a little bit further than where adam started, which is when the executive order first came out one of the things we really pushed stakeholders for was to say we're going to need a lot of involvement on privacy and that privacy is extremely important in this process. and we're putting together methodology. this is something that hasn't been done before and we really need help from stakeholders to do that. we did receive some stakeholder involvement in that process. and i think that was ended up
3:10 pm
reflected in the original appendix b. it was in both the draft and the preliminary version that came out. and i think the work that was done there is really interesting. almost more in an academic sense than this put forward. really it was good mapping of the technical standards approaches, internationally have been done in the privacy space. what we heard back from stakeholders and that came out, i think we got a lot more involvement on privacy suddenly when it came out, was -- and what nist picked up on the key points, adam touched on this a little bit, were that, number one, that the approach had to be much more tied to cybersecurity, clearly tied to cybersecurity and that wasn't the case in appendix b. it was more generally about data protection and other related
3:11 pm
issues, to that, to be is in a cybersecurity context and could be used in other contexts as well. number two, these international technical standards were not widely used by industry at that time, which is part of the issue about the areas for improvement that this -- that nist was looking at. how do we get international standards that are being used more widely? because of that the section was changed to be much more functionally oriented. i think we did hear from a lot of different groups as well that we still needed to get the basic principles that were in the appendix and nist predicate those in as well and move this into the kind of how to use this document section, so that the whole rest of it utterly tied to framework, clearly tied to cybersecurity issues. and i think it's a much more focused methodology now for privacy and civil liberties than it was before. we've heard very good things
3:12 pm
from industry that they do plan to use it. i think we have heard some criticism from privacy groups still, mostly around the fact that it's voluntary. which as we've been hearing is an issue for the entire framework, right, how to get people to use the framework. and we are hearing that people are planning on using the privacy section. i think that something has to be monitored as we monitor use of the entire framework. and some of the privacy groups have said they plan to do that, they plan to see how, ask companies how they will use this privacy section but i think that will be very useful feedback for us as it moves along and for nist for the future versions of the framework. >> i think we will end there. and please join me in thanking this panel. you were very helpful and answered a lot of questions, so thank you. [applause]
3:13 pm
>> [inaudible conversations] >> okay, thank you very much for our government partners for participating. and now i would like to ask the industry participants to come up for their panel. and i'll make the introductions. so we have a very distinguished group of industry leaders here. these are the folks who have put
3:14 pm
in a lot of effort over the last year to see the framework come to fruition and we're hoping to hear some very interesting perspectives in terms of what their views are on the framework, and especially issues and opportunities and challenges going forward. so with that i would like to start, and i'll keep this brief, there is more detailed biographical information available in the program. to my immediate right is trying to, and she is the utilities telecommunications council. i hope i have that correct, utc, senior cybersecurity strategist and she is responsible for helping utc member utilities address cybersecurity challenges from policies and standards to practical implementation. to her right we have christopher boyer, and chris is the assistant vice president of global public policy at at&t
3:15 pm
services where he is responsible for developing and coordinating the company's public policy positions on issues impacting emerging services and technologies with focus on cybersecurity. to his right we have doug johnson, and doug is the american bankers association's vice president and senior advisor of risk management policy where he is involved in a variety of public policy and compliance issues and determine leaves the association's enterprise risks, physical and cybersecurity business continuity and resiliency policy and fraud deterrence efforts. and to his right we have angela, and angela is the director of cybersecurity policy and strategy at microsoft where she is responsible for addressing complex global challenges
3:16 pm
related to critical infrastructure protection and information assurance across a wide range of topics, including strategic and operational risk management, information sharing, incident response, emergency conditions and software security integrity. and to her immediate right we have katherine don bell who is the director of national security for centurylink. catherine is also the current chair of the communications sector coordinating council which represents five segments, wireless, wireline, broadcasting, cable and satellite. and she is also the former immediate past chair of the communications isac, information sharing and analysis center, where a lot of the operational activities or communication, coordination among industry and with the government are taking place. with that i would like to introduce charlie mitchell, who many of you read about on a daily basis.
3:17 pm
charlie is a senior editor at inside cybersecurity.com, an exclusive service reporting on cybersecurity policy from inside washington publishers in addition to cyber policy charlie has extensive experience covering congress, energy and the environment, health and other policy areas, and previously served as editor in chief of roll call newspaper and roll call.com and is the managing editor of the "national journal"'s congress daily. >> all right, thank you. i just would like to start off and thank u.s. telecom and the folks that put in so much work in putting together this event. i believe that cybersecurity is really a policy issue for how the government and industry will interact in the 21st century. and the people that we found on
3:18 pm
these two panels are the ones who are going to make that work. not to put any pressure on anybody here, but it's a huge challenge and this is a terrific panel of people who are just right at the heart of what's going on in this area. let me start out and ask a really basic question here: is this framework a useful tool that companies will embrace? will it improve the nation's cybersecurity? nadya, do you want to take a swing at that? >> sure. thank you. i believe it's a useful tool. it's a useful tool because for the first time in history cybersecurity -- communicate in plain language and not that technical babble that the community can. so by saying these things that some of us know in simple words, that the rest of the public can understand, it provides a useful, a vocabulary toolbox
3:19 pm
that people can congregate around and work with in implementing good cybersecurity practices throughout the infrastructure. >> chris? >> i think as well from some of the government speakers this morning, in terms of whether it's going to be embraced or not we've seen a lot of companies above, talk about how they're applauding release of the framework and includes at&t. our chairman spoke at the white house and so i think there is general support for the framework throughout industry. i think as to whether or not that continues i think the key is will the framework be used as it was intended. does it remain a flexible non-regulatory risk management toolbox, i think if it continues down the path you will see a fairly widespread use amongst the private sector. as for whether or not the framework is actually going to improve cybersecurity, i think that's a hard question to answer. clearly, the framework is intended to raise the bar for
3:20 pm
cybersecurity, to make it more difficult for attackers. i think that's something they could potentially help with especially for some small and mid-sized businesses, that might not have as sophisticated capabilities today. we should all be clear and have reasonable expectations that cybersecurity is an ongoing issue. it's not going to go in the -- it's not going to go away anytime soon. it's not a panacea to solve a problem. >> i would like to echo what nadya was saying because i think one thing i've seen about the common language is a lot of times when i have either a board of directors at aba or senior leadership conversation, usually before they start with me basic, doug, english, please. i think having some common language is a really important thing at this juncture because we have eyeballs on cyber really to a greater degree than we probably ever had in history. it's incumbent upon us to really take advantage of that and develop a mechanism to really
3:21 pm
talk about cyber in a way that's understandable to that group of individuals that make the key decisions. either from the standpoint of governance or the standpoint of expenditure of resources. i think that's really important. i'm sure we will talk about a supply chain and other things as well as we go forward, but i think one of the things i've seen in conversations, particularly with nist and entered when we have met with them, my bankers have said this is a process which we actually already utilized in financial institutions, the words may be a little bit different, the tranches may be described a little bit differently but it's a process which i think a lot of our institutions are already going through. i think one thing that's going to be helpful is to take that one step further and talk to our supply chain partners about that, and give them in some cases a place to start. because a lot of times it's difficult for companies that are less mature from a cybersecurity standpoint to really know how to structure this within their
3:22 pm
organization, let alone talk about it. so that's my key observation. >> bridging actually to those points, there are three key questions embedded in that. the usefulness, will it be embraced and how is it going to improve security? will it be useful? i think yes. fundamentally i'll start with the point that it is flexible risk management guidance. one of the differences between what we see in a lot of the standards debate is the framework really does talk about the outcomes. in other words, what needs to be done, and doesn't specify how to do it. and by doing that it gives the flexibility for organizations to evolve and innovate security practices to meet those. it doesn't get stuck in the habit the other standards tend to be a little more focused down in the how and so this really does come as my two colleagues here said, bridge the technical communities who've been dealing with the standards with the business community that wants to know, am i secure enough, are we
3:23 pm
detecting incidents? it provides a translation function between those two. will it be embraced? i think it will be embraced. as we've heard about, critical infrastructure organizations across all 16 sectors. many that are doing really good things today and have done so for market-based reasons. my organization included. that said, there are inconsistencies across the critical infrastructures in what they are doing. i think this is an opportunity that it will be embraced to say, hey, really, what is the right thing to do here? does that mean we don't need incentives? no. does that mean incentives are required to advance progress? no, both cases. the last thing on improving security. i do think that this will raise the bar of security across the critical infrastructure community. i don't think that it will end up necessarily fully addressing the full range of national security risk facing our
3:24 pm
critical infrastructure, and that's a conversation that we will need to keep evolving on. it's going to raise the bar, which is important progress towards the overall high level of security necessary for our critical infrastructures. >> what's left to be said? [laughter] i can service speak from, at least a centrally perspective on this one particular question. i'm going to tack on to will it improve the nation's cybersecurity. i think this entire process has already been immensely successful because it has gotten it into the common vernacular. it's been talked about across all 16 sectors. we're starting to use common taxonomies. let me drive down operationally. it's snowing out there, the weather is bad, tornado, flood. we are accustomed to customers saying i've done my risk management and 90 debt service that i know what keep coming up and i have a service-level agreement, redundancy and diversity.
3:25 pm
and up until about two, three years ago, and i have very many customers coming to me and saying, we were assessing our site risk and we were wondering what you can do to help with this. can i tell you that has kept, that has tipped. and the fact that we now have some form of common syntax. we are starting to hear, do you think you could help us out in the detector deployed three. that's huge. that is huge. so yes, i become it's new, it's nascent. we're trying to raise the bar, particularly for some of the companies that have not had the opportunity to rethink about things only risk assessment cyber orientation. but speaking as someone who likes to think of themselves as a company that is very sophisticated and to provide support for many of these elements, yes, this is already a huge success. it is now becoming part of the
3:26 pm
vernacular, and customers are asking us, so what can we do to mitigate? >> kathryn, let's start at this end and just follow up on that. does the structure of the framework and the language in the framework speak to all of the audiences that it needs to? we talked a little bit here about supply chain. does it talk to the executives at the corporate level that you deal with? and does it speak to audiences going down within the company and within a big company's supply chain? >> i know at the federal level, we worked extensively to review the language, and let's face it, we're in washington. we spend -- we tend to speak more with policy language, and we got it. it took some time. but more importantly, at least at the sector level, we spent a significant amount of time talking to the risk managers in the companies. do you read it?
3:27 pm
do you get it? do you understand it? are you happy with this? do you implement it? most important, however, you have to drive it down to the very operational level, and once again, we were fortunate because we have such a broad representation and, frankly, people were very generous with their time, to have practitioners, people who would have to tweak the bold, putting the aco, put in the filter, whatever it was, to be able to speak a little bit more operationally. did they get it? did they get the intent? and without question, i mean i think one of the reasons we are successful is yes, we could meet those sort of bandwidth come awfully them and they both came away with what they felt was what was important for them. there's still more work to do. i know that serving at the sector level we're going to be working with all the various trade associations to be able to further flesh out these frameworks in such a way so that
3:28 pm
it is, at least in our case, more communications sector specific. we have work initiatives within the sector, some with dhs, some not, some totally industry, that are very, very much focused on mapping. if you're doing this, that sort of falls into that. so that there's a quick shorthand so that no matter what level you're at, whether you're at the, i'm putting in the filters, or putting in the protocols, or i'm going to plans, or looking at it from more of a policy, strategic and board level so that i can understand, you know, how could i read this and interpret this from a communications sector perspective. so, so far so good. i know that dhs spoke about the fact that you have to do education, outreach and feedback. i think over the course of this coming year the feedback will be conveyed, communicated, and used to evolve the process further. >> angela, you have customers, microsoft has customers at every
3:29 pm
possible stage of maturity in terms of their cybersecurity posture. do you think this provides that common taxonomy, that common language that you can use in talking to these customers? >> so i'm glad you asked that question because it builds on kathryn's point. as part of the framework development process we both engaged inside of the company across the different types of audiences that exist inside the company. everybody from the person who's doing coding, take your figure, up to the senior level decision maker talking about resourcing security. that was the internal conversation. does this meet all the different levels? to your follow-up question, we have the same conversation with a bunch of external customers. that gets to what kathryn wasn't on your. we have people coming to us and saying, so what is this framework?
3:30 pm