Key Capitol Hill Hearings, C-SPAN, February 25, 2014, 8:00am-10:01am EST
8:00 am
element of discontinuity may be where these conflicts i think more often a place is our vital interests at risk and we have to be adept at coping with those. i do also see an element of continuity with those wars of the past because i do not think we can write off threats from nation-states and capable fielded forces of nation-states.
8:01 am
>> from anbar province in the 1991 gulf war, and now it gets to the long range rocket threat to israel from southern lebanon in 2006 or from gaza -- >> let me intervene. you just listed examples to allies in the midst of war. if it's 1972, the american public is facing 25,000 nuclear weapons targeting it. so that's where i think the, in terms of it may be existential to those local actors, but in terms of the american public's viewpoint of it, is it viewed -- that, to me, is the disconnect. we don't view it as existential. >> yeah. i think that's correct. and so, of course, it's incumbent upon the three of you to explain that. >> so, bill -- >> and then we're going to open it up. [laughter] >> you know, very quickly, first, you know, to my good friend, michael o'hanlon, who may be regretting having tendered
8:02 am
this invitation -- >> this is why we want you. go for it. >> the point, you know, the point i was making does not pertain principally to the wars that we are now in, it pertains to the willingness of the american people over the next decade or so to enter into new wars of that character. and my argument is that, you know, whatever reluctance americans have as a kind of a baseline is now much higher. you know? and the presumption against doing it is going to be harder to rebut over the next decade unless it is a clear response to aggression, clear response to aggression. that's point number one. i'm just -- and i would say in this connection please don't shoot the messenger. >> i'm not disagreeing with you. >> i am not, you know, i am not any happier about this swing in
8:03 am
public opinion than anyone else is up here. you know, i recall the years from 1973 to the early 1980s as an appalling period in american history. and i pray that we don't repeat it. but i fear that we may. so that's point number one. here's point number two, and, you know, i, you know, i can't believe that a former marine sergeant is entering into a debate with general mcmaster, but we were taught to go up the hill against superior forces, and so why should i change now? [laughter] you know -- >> about the best method. we can talk afterwards. [laughter] >> well, that's, you know -- [laughter] that's, you know, no one said we were the smartest force, but we are the toughest force. [laughter] you know, the point i was making was not about extended commitments, because we have, indeed, demonstrated our capacity to maintain extended,
8:04 am
deterrence-focused commitments in korea, in europe and elsewhere. i was talking about extended conflict. and that is a distinction with a difference. right? the american people can go for months without noticing that we have tens of thousands of troops in south korea. they can't go for a day without seeing what's going on in afghanistan. they don't like it. that's the difference. >> do they even know really what's going on in afghanistan? i think what's remarkable about afghanistan is i think it may be the most underreported war in american history, and this being the information age, you know? so in terms of the ability, i think, to gain access to it is, you know, is inversely proportional to the amount of really meaningful coverage that's available at least in the mainstream media. >> i think that links to the disconnect between vietnam and today is the fact of a draft-based force or not. so the media responds to its clients, its consumers and their
8:05 am
interests are elsewhere, and i think it reflects because we don't have that same link-up. but let's open this discussion up. please raise your hand, and we'll go from there. way in the back. >> i'm harlan almond, thank you for the interesting discussion. h.r., good to see you. i'm concerned by this whole session because it seems to me that the military by default is becoming the surrogate to try and solve national, international problems that it alone cannot do. so i'd like the panel to think about two observations. first, i would argue that the single most interesting issue of the 21st century is the empowerment of individuals and nonstate actors which is challenging the westphalian state-centric system. and, therefore, that has really changed the strategic calculus. second, seems to me that the country with the best armies, navies, air forces and the marines find it hard pressed to
8:06 am
win against enemies who lack those forces. so how would you argue about the future of military power when it seems to me that the nature of the dangers are really changing from state-centric threats -- and we can deal with north korea, potentially iran, the list that michael comes up with -- and we're in brand new, and i shouldn't say brand new, but a different political environment in which military force may or may not be necessary, but it's far from sufficient? >> let's go down again. general? >> well, i would just say that military force has never been sufficient in itself to prevail in a conflict, and it's always taken the combination of all elements of national power combined in a way that's, you know, that serves to defeat the enemy, but also to shape environments and consolidate gains consistent with our interests. and so i think that what is important from harlan's comment is that there is an increasing threat from transnational terrorist organizations,
8:07 am
guerrilla-type organizations who are now increasingly connected to transnational organized crime. and so it is immensely important to connect what we're doing militarily to a political strategy, what we want to achieve overall. and this is what we have to make sure that we take into consideration in all of our planning scenarios and war games and so forth. because we often times skip over that, and we just look at the application of military force as an end in and of itself. and so what is immensely important as we look at threats is that we have to contend on multiple battlegrounds simultaneously. we fight pretty well, i think, extremely well on the physical battleground. but if you look really at what has been difficult for us to consolidate gains or factors that complicate our efforts to consolidate gains in afghanistan, it's really that our enemies are operating very effectively on other battlegrounds. subversion, they've been
8:08 am
extremely effective at subverting state institutions and functions in afghanistan. we don't contend on that battleground as well as we could. also these groups enjoy state sponsorship and safe haven support bases. how well do we do diplomatically to isolate these groups from state support, for example? there also is the battleground of perception and information, and often times we're not very effective on this battleground as well to discredit and criminalize these people. we're fighting some of the largest criminal organizations in the world who try to cloak themselves in an irreligious ideology. these are mass murderers, narcotics traffickers, who send their kids to private schools in pakistan while they blow up schools in afghanistan. so i think to answer your question on what to do, i think it's a better integration of all of our elements of power and contending on multiple battlegrounds. the biggest area for opportunity
8:09 am
for us, i think, is a greater integration of law enforcement with intelligence and military operations where that's appropriate. and this is as we look at these networks we have so many things that we could do, i think, to weaken these networks through effective law enforcement tools, targeted economic sanctions, travel bans, visa denials. there's a broad range of tools that i think we can apply to these organizations more effectively. >> harlan, valid question. i would just underscore the obvious which is that this is a panel on the future of strategic land power, so we are allowed to talk about war, but i take your broader point which is that most crises should not and hopefully will not require the application of american military force. i said earlier i'm very happy that there's no discussion of possible military response in ukraine, nor should there be in my judgment now, nor in the future in that kind of a crisis, in that part of the world. the book that peter kindly mentioned that jim steinberg and i are finishing is largely about how we try to, to the extent
8:10 am
possible, demilitarize much of the u.s./china interaction going forward. and i'm content, and i heard army generals today say that they had no objection to the army getting a little smaller in the next round of quadrennial defense review and the next budget proposal. it causes some angst, it causes some concern, but people are not fighting it partly because of the reasons you mentioned. we need a strong economy, we need strong diplomacy, other tools of national power to be effective in this world and an overly large defense budget could get in the way. so i take your point. i would simply submit that, in fact, that's what's on all of our minds. last point, however, syria is a case that i did mention. syria's a place where we're talking about, unfortunately, coming into a messy mix. is that a classic problem or is that a new age problem? is that the individual empowered, the jihadist empowered or assad as the enemy? maybe it's all of the above.
8:11 am
all i'm submitting in this panel on the future of land power is that there may be a role -- whether we like it or not, whether we want to admit it or not in 2014 here in washington now -- there may be a role for an international stabilization force. because the idea of seeing syria be, essentially, a sanctuary for jihadists and extremists indefinitely given its location is not necessarily one that i can accept over the long term. so i think we may need to have the capability for that kind of a mission should we ever get to a peace deal that might require an international implementation force. >> just very quickly on the theoretical point, i would distinguish between two propositions. proposition one, individuals and nonstate actors and transnational movements can exert more pressure on states now than they could a generation ago. i think that's incontestably true. proposition number two, that somehow demonstrates the
8:12 am
obsolescence of the westphalian state system. you can believe in the first without believing in the second. i believe in the first, i don't believe in the second. >> one last point on this notion is, also, figuring out the match between the threats and your responses to them and distinguishing when it's good for your budget and when it's good for national security. so we've brought up cyber a number of times here, and you've seen, for example, recently the army argue the need for greater cyber capacity with the justification to help defend american energy companies against attack. i can believe we need greater cyber capacity, i do, but i also believe defending american energy companies against cyber attack is actually the responsibility of american energy companies which are not doing enough on it. and so we need to be careful. it sort of parallels some of the decade-ago discussion of nation building. just because the military has the organizational heft in the
8:13 am
budget, there are certain roles that in the absence of other actors it sort of moves into it, we are seeing the same thing play out on cyber where it's not that it's not important, but we need these other tools of government to be matching what dod is doing in cyber. but let's give a question in the front. yeah, gary. >> thanks very much. i'm garrett mitchell, and i write the mitchell report, and i want to take one more swing at bill galston's observation about the linkage between american public opinion and the public action, the actions of its government and argue that for two, if not three reasons there's a sort of, i fear, an irretrievable break which i know bill doesn't. but let me just say professional army and no conscription means
8:14 am
that a statistically insignificant percent of the population has skin in the game from a public opinion point of view. second issue is the increasing domination of national security decisions of this sort at the white house and the growing irrelevance over time of the congress in weighing in on those decisions. and i would say even i appreciate your distinction between actions that are in response to 9/11 as opposed to actions that we would take with
8:15 am
some less impetus than that, but i'm concerned about -- and that's why i raise the question -- i'm concerned about the fact that there is this break between what more than public opinion is about war and the extent to which it can actually play a role in decisions made by the government, by the president, the administration. >> bill? >> well, i absolutely agree, you know, that the movement to an all-volunteer force has made a significant difference in the relationship between the american people and the u.s. military, and i am on record as having opposed that movement for precisely that reason, you know? i think that, you know, i think that from a civic standpoint
8:16 am
that trade has been an unmitigated bad. from the standpoint of military efficacy, the arrow points in the other direction. and that raises some deep, that raises some deep challenges. with regard to your second point, i guess my reading of history is different. you know, i note for the record that when bush 41 was organizing, you know, the international community's response to the iraqi invasion of kuwait, he saw fit to go to the congress. he didn't claim that he could do it without going to the congress. when, you know, when bush 43 was on the verge of going into iraq -- indeed, had already
8:17 am
decided to go into iraq in my judgment -- he went to the congress, and there was a huge, full-scale public debate, and senators of both political parties were required to declare themselves on that question. and that, you know, that public declaration turned out to be extremely consequential. and so the idea that the white house can just go off on a toot and do what it wants is not consistent with my reading of large military engagements. can the white house do smaller things on its own? sure. up to a point. but, you know, i wouldn't overplay that disconnect. i think presidents still understand that they need a solid base of public support to enter into armed conflict, and they're right. >> mike and then -- i'm going to interrupt you, we're hitting closing
8:18 am
time here, so i want to give an opportunity for you on last thoughts either on this question or beyond the themes that we've hit. so, mike and then we'll give you the last word. >> i think bill said it extremely well. so in the interest of hearing a grand finale from h.r., i'll thank you for the question and pass. >> well, i just thought one thing to highlight is really the importance of land power as part of joint force capabilities to do what we're asked to do, which is prevent, shape and win. so i don't want us to undervalue, really, the importance of land power as part of that deterrent force. the other thing i'd like to just close with is that there is no bigger fan, there are no bigger fans of the united states air force and navy than the united states army. and the marine corps, for that matter, as well. and that's because, you know, we recognize that we couldn't even get into a fight or to protect our interests if it weren't for the air force and the navy. but it's important, i think, to understand something that we've alluded to in the previous panel. what distinguishes war on land
8:19 am
from war in the relatively fluid media of the aerospace and maritime domains? i think a few things. first of all, technology gives you a greater advantage because you typically have the bounded or a small number of targets that you can identify and engage and establish supremacy of those domains. but what's different about war on land is instead of a bounded number of targets on land, you typically have tens of thousands of targets, all of which are trying to avoid being classified as such, right? and so what you have to do is recognize countermeasures to your technological capabilities that are human-based, that are land based. because geography complicates things, and then our enemies apply countermeasures. i mean, there are two ways to fight the united states military broadly, asymmetrically and stupid, and we can't bank on our future enemies picking stupid. so what's important, i think, is for us to have a balanced joint
8:20 am
force capability that allows us to engage in, essentially, what is a game of rock, scissors, paper. that's what joint force capability is, right? that's what combined arms capability is. and our enemies will take action to avoid our strengths, right? there's never been a silver bullet. you have the submarine, the bomber, the radar, the antitank missile. and there are always countermeasures developed, and peter talked about some of those developing now. we've banked on our network, we've banked on our strike capability. that is under threat by not just the tactical countermeasures i mentioned, traditional countermeasures, but increasingly, technological countermeasures. so for us to have an effective deterrent capability, the ability to prevent, shape and win as a nation, we need a balanced joint force. land power, i would say, is an essential component of that. and so we have to consider changes in technology, threats, enemies, adversaries and our operating environments, the types of missions we might be
8:21 am
committed to which is the work that michael's doing as well. but also let's not neglect historical insights and in particular, i think, continuity in the nature of war. so i just want to say thanks to brookings for putting on an excellent panel. we talked about how many americans don't study war and warfare in context and consider these things. what brookings has done, i think, to bring the topic to the american people, i think, is admirable, and it's been a privilege to be on the panel with you guys. thank you. >> so you can see the importance of this topic and of the effort that the task force is wrestling with by the series of big questions that have all become tied together from land warfare and its past and future to larger scale questions about american strategy to where this lashes up with the american public. and really, i would argue, the health of our democracy. and so because of that, i want to thank, first, all of you for
8:22 am
coming out, but in particular, the panelists up here and also sitting up here in the front row. we very much appreciate both your participation in this, but also the work you're doing on this in the future. so thank you again and, please, join me in a round of applause. [applause] [inaudible conversations] >> congressman buck mckeon of california spoke at the national press club here in washington yesterday about the proposed pentagon budget cuts and the u.s. mission in afghanistan. you can see his comments in their entirety on our web site. go to c-span.org. here's a quick look. >> as we speak, defense
8:23 am
secretary hagel is unveiling a budget proposal that will shrink the army to its smallest size since before world war ii, eliminate the a-10 attack aircraft and cut several other programs. what do you think about secretary hagel's budget proposal? >> we had a meeting this morning, and we went over those things. i'm surprised any of you are here. i thought you'd all be over listening to his speech. but i have been talking about these cuts for several years now. there's no secret if you cut a trillion dollars out of defense, you're going to start cutting manpower, you're going to cut programs. and these things are important. in the last few years, we've changed our strategy that has stood us well since world war ii that we should be able to be equipped, ready to go, two major
8:24 am
contingencies at a time. we have cut that back to fight one and hold one. you know, maybe people have kind of not heard that speech that the president gave where we cut our strategy back. then we switched, another speech he gave, to a pacific, pivot to the pacific. well, you didn't say in there, but we're also cutting the navy back to the smallest it's been since world war i. now, granted, the ships are much more powerful, the armies are much more powerful. but we haven't learned yet how to have a ship in two places at the same time. and when you cut from a 600-ship navy that we had just a few years ago under president reagan to one that is fast approaching 300 and 200, i really question that. so i think that what we're trying to do is solve our financial problems on the backs of our military. and that can't be done.
8:25 am
if it could be done, it shouldn't be done. but it can't be done. if we cut the whole military budget, if we cut the whole discretionary budget, just everything that we vote on annually as a congress, eliminate all that, we would still be running a deficit of a half trillion dollars a year. the real problem, the -- i was going to say elephant, but i'm -- i'll just say the big animal in the room, gorilla in the room -- [laughter] that everybody's avoiding is the mandatory spending. and unless we address that, we're just going to keep digging ourselves further and further in the hole. and that is the real problem. and we're trying to, like i say, solve it on the backs of our military. can't be done. >> the house and senate veterans
8:26 am
affairs committees hold a joint hearing on disabled military veterans today. the committees will hear testimony from officials who will outline their 2014 legislative goals. that's live at 2 p.m. eastern on c-span3. >> today attorney general eric holder will speak to attorneys general from around the country at their annual winter meeting in washington d.c. live coverage starts at 10 a.m. eastern on c-span. >> i think there are some myths out there. i think that, you know, people think the maraschino cherry is some miraculously preserved product, and it's really not. it's no different than, like i said, a pickled cherry, and the brine process is no different than the types of, you know, sulfates you use in making wine. so really it's a, i wouldn't call it a healthy product, but i
8:27 am
would call it something that's a tasty treat. >> what you see here is cherries in various stages of process. the cherries that come in even though we put them in water, they'll still have brine in the fruit, and so they'll go through an extensive washing to get the brine, the sulfur and the calcium back out of the brew. the practice of making them is really, basically, you're taking that brine and just soaking it in a progressively stronger and stronger sugar and color solution. and so over the course of that syruping schedule, you'll see the color intensity pick up as the sugar content picks up. you can see, you know, here's some fruit that's very early in process. it's lightly colored. you can see how much darker color that fruit is. that's much farther along. kind of gives you an idea on a normal day you'll see yellow, pink, deep red. and it's just that cycle of the infusion and where it's at in
8:28 am
the process. >> next weekend, booktv and american history tv look behind the history and literary life of salem, oregon, sunday at 2 on c-span3. >> on february 12, 2013, president obama issued an executive order mandating the creation of a cybersecurity framework. next, patrick gallagher, director of the national institute of standards and technology, outlines those guidelines for companies to improve cybersecurity and recover from a cyber attack. from the brookings institution, this is 90 minutes. >> hello and welcome on behalf of brookings 21st century intelligence, my name's ian wallace, i'm the visiting fellow for cybersecurity here at the center. and today we are honored to have
8:29 am
a distinguished panel to discuss the new cybersecurity framework. eventually, this document represents the best efforts of the administration and, i think as we'll hear, industry representatives from the 16 critical infrastructure sectors -- to work together to address the threat which president obama has called one of the gravest national security dangers the united states faces. i actually look forward to hearing more about how the framework was developed, because i think that's going to be pretty central to its future. but it's worth taking a moment to remind ourselves that the voluntary framework owes its existence in large part to the failure of congress to achieve consensus on cybersecurity legislation in the years up to 2012. and that in turn led to the president issuing executive order 13636 on improving
8:30 am
critical infrastructure at the same time as his state of the union address on the 12th of february, 2013. and that, as the president has described it, set out to do three things: improve information sharing within the private sector, raise the level of cybersecurity across our critical infrastructure and enhance privacy and civil liberties. and while the executive order contained a whole lot more than just the voluntary framework, it is clear that the framework has evolved as the centerpiece for the executive order and, by extension, the administration's cybersecurity policy, particularly as the vehicle for delivering the second and third of those aims, raising security while protecting privacy. and according to the executive order, the framework set out to provide a prioritized, flexible, repeatable, performance-based,
8:31 am
cost effective approach to managing cybersecurity risk. and by the way, it had to be completed within a year. [laughter] now, i think it can certainly be argued to have achieved one important objective even if not the formal one, and that is to remove some of the political rancor from the debate. and that is in itself no mean feat. but the real question we're here to discuss today is whether the framework is going to make us any safer. and wrapped in that are some pretty fundamental questions. you know, what is the framework, how is it meant to work, will it be adopted, even if it does, will it be sufficient to deal with the graveness of the threat that the president described? to get to grips with this, we are very pleased to be joined by the very man who was charged just over a year ago with delivering that framework, dr. patrick gallagher, 14th director of the department of
8:32 am
commerce, national institute of standards and technology, nist. and alongside him, cameron kerry, now the distinguished fellow in the governance program here at brookings, but previously the general counsel and acting secretary of the department of commerce, and dean garfield, the president and ceo of the information technology industry council. i'm not going to take too long over bios. i think you have got those, but just to recap, pat became nist director in november 2009, also served as the undersecretary for commerce, joined nist in 1993 as a research physicist having obtained his ph.d. from the university of pittsburgh to where he is due to return later this year having just been elected as their new chancellor. cam joined us at brookings in
8:33 am
december, affiliated with the center for technology and innovation. he's also a visiting scholar at the mit media lab. he became the general counsel of commerce in may 2009 working across commerce's bewildering range of legal issues, and before that he was a lawyer specializing in, amongst other things, telecommunications. and dean became president and ceo of iti in 2008, a position representing the tech sector in washington and around the world, in fact. and previous to that he held positions at the motion picture association of america and the recording industries. fantastic jobs to be doing, i'm sure. so i will begin by handing over to the three panelists just to give some short remarks.
8:34 am
then i will lead a bit of a discussion and then pretty quickly we'll open it up to the floor and give you the opportunity to ask some questions. i would ask you to keep your phones switched to silent. feel free, however, to tweet or e-mail, and the hashtag we're recommending is hashtag nistcss. so, pat, thank you very much for joining us. congratulations on the framework. even among those people who have been critical in the past, they've been, i think, universally complimentary about how the process has run, and that's testament to the way in which nist have gone about it, so well done on that. just to kick off, perhaps you could start by telling us what the framework here is, how it's meant to be used and then touch
8:35 am
on the process for how we or how you and industry developed the framework. and then explain to us why this is going to do what the president wants and make us all safer. >> okay. in just a few minutes, right? [laughter] so, first of all, it's great to be here. let me, let me start with the what is the framework question but answer it in a nontypical way, because you're probably expecting me to lay out how it's structured, what the key parts of the framework are, and a lot of you have probably taken a look at the framework. but let me actually do it from a different perspective which is some of the key attributes. first of all, the framework is a living document. one thing to really keep in mind is it is not static. so when he asked the question is this framework going to solve the problem, you're really going to get to a different answer which is, does this ongoing
8:36 am
framework process continue to adapt and work? this is a very fast, dynamic area, and it's important that you understand this is an ongoing process. the other part about the framework that was critically important is this was a market response. what do i mean by that? you characterize this as being a failure of congress. i actually don't view it that way. but a discussion in congress was rather naturally focused on questions of authority. and, therefore, a, you know, that -- so it had a lens already on the problem in terms of what the solution set was. what we're saying here is that one of the best ways to address cyber risk is to have the private sector organizations and companies and technology providers and all the others come up with a set of best practices that are maximally aligned with the way those organizations run. and for that to happen, it had to be, basically, a document that was a product of industry. and so what nist did was
8:37 am
actually adopt an approach that we used very often in standard setting to act as the convener and to act as sort of a facilitator, if you will, of a very broad, multistakeholder, you know, getting the band together to sort of have that critical discussion. but, you know, because it had to be aligned with business, it means that the framework in the end was both what you would expect and, i think, something new. and the what you would expect is the set of controls and technology solutions and standards that were drawn from best practices across all the sectors. we call that the core. and that's in the framework in a very indirect way, because it points to a whole set of standards and reference standards, and that's where a lot of the meaty details are. and the other part of the framework was really a structure to put all of those things into practice. and in particular, to integrate those practices into the way
8:38 am
an organization runs. and so it's specifically designed to not only talk to the technologists within organizations, but to talk to the leadership. and so it's designed to align with risk management, it's designed to provide tools like profiles where you can basically self-assess against all the various functional areas that constitute risk management for cybersecurity, and it was also designed to look at your maturity as an organization. because one thing that's very important is that, like many other risk mitigation behaviors in an organization, you get better. and that was important to acknowledge, and some have drawn the analogy with safety management. you would start by addressing things by implementing certain rules and doing things in a particular way, but, in fact, what you're after in a higher maturity is an ability to recognize risk and be adaptive and to be more proactive. and so the framework embraces some of that as well. so that, for me, is what the
8:39 am
framework is. it's both practices and the structure with which to support implementation. and i think the reason this is promising has to do with those attributes, the fact that it's owned by the stakeholders who have most to gain by managing cyber risk, that it can be aligned with business practices and integrated with other types of risk management that organizations do, and the fact that it is itself dynamic and adaptive to, you know, the changing way we will use this technology and the way that technology itself is unfolding. in terms of the process, by the way, it's not over. we met the deadline of one year that was given in the executive order, but we've stated from the beginning that for this framework to make sense what we're really talking about is kicking off a continuous process. and so the finish line here is not being done, it's being normal, where this is just part
8:40 am
of the breathing and operating that we do routinely. and so what we're looking for is a normalcy of operation, not an end point. and the process has been one that was based around industry ownership and participation. we used every trick in the tool book we knew how to do by putting things out publicly. no one, i think, was surprised by the final shape of the framework. it was multiple workshops across the country that built on each other, extensive public comment, every draft up for comment, and we would anticipate that as we move into the next phase of the framework, the ongoing framework process, we would maintain that approach. >> thank you. plenty to dig into there. but before we do, we'll move on to cam. cam, you were there at the creation, you were there at the beginning. you now have had the opportunity to step away and look at the process from the outside, which
8:41 am
is, i must say, a unique position to be in. perhaps you could touch on sort of three things. firstly, if you could just give us a sense of how things have changed as a result of this process and where we came from. i think it's important to remember exactly how things felt just over a year ago before the president spoke at the state of the union and issued the executive order. and particularly as the former general counsel at commerce, give a little bit of an insight into the privacy discussions that sat alongside the development of the framework. there was a privacy annex which drew some comment during the process, and that has changed in the final version. but if you could talk to that. and third, i think it might be interesting to get a sense of
8:42 am
what you think the administration has learned from this process. >> uh-huh. uh-huh. well, thanks, ian. and, pat, congratulations both on the framework and on the university of pittsburgh announcement. both terrific things. nist, commerce and the country, i think, will miss your hand on public policy issues. and so, you know, we are, i think, in the outcome of this framework in a very different place than i think any of us would have predicted when this policy discussion started three and a half, you know, four years or more ago. and, you know, at that time the
8:43 am
sort of conventional wisdom was that the way to approach this issue was through some form of government prescription using authorities, the department of commerce or dhs or somebody, to address cybersecurity by conventional rulemaking. and go out and adopt a set of rules that would create a standard that people had to meet. and this is a very different framework, what pat has outlined today. what the nist framework does, the model that it implements, is something very different. and some of that, certainly, is a product of, you know, the
8:44 am
congress' inability to legislate on this. but, you know, part of that failure was sort of a lack of consensus about the right model, the right approach here. and i think more than anything the model that's reflected in the framework reflects an evolution in the thinking about policy in this area. and an appreciation for the complexity of the issue, the speed with which the technology is changing, both on the company side in terms of kind of what it is that you are protecting and, you know, what the risks are out there. this is constantly evolving, evolving at a pace that is simply much faster than conventional
8:45 am
rulemaking can deal with. this has been a long process, but getting this done in a year is a lot faster than the pace of, you know, classic notice and comment rulemaking. and, you know, this also is a model that is far more adapted to the technology space, to the world of digital communications and technology that really is at the heart of cybersecurity. and i think that's, you know, an important piece to stress here. that, you know, this model, which pat described as a living document, is version 1.0. this is an iterative process of policy making. something that, as pat says, has been taken and moved over from,
8:46 am
you know, from standards setting, which is really why nist was charged with the responsibility here. because that is a nist sweet spot. it has done the guidance for federal agencies in the 800-53 documents that inform the framework. and part of the, i think, the evolution of the model reflects an appreciation for nist's success in developing standards, its engagement with industry, its role, you know, as an honest broker in the process.
8:47 am
what we have is something that will help to move the needle in some important respects. cybersecurity has emerged as one of the critical boardroom issues that companies of all kinds need to address in today's digital economy. and, you know, this framework provides a set of benchmarks that corporate managers, boards of directors and others can apply to ensuring that, you know, companies are meeting, you know, cybersecurity goals in ways that are going to protect their assets, that are going to be cost effective and are going to meet expectations of
8:48 am
shareholders, of customers and, you know, other stakeholders in that environment. the other piece that, you know, i want to underscore in the framework is that it has been designed as something that can cross borders. you know, here the united states has taken a lead in establishing a framework, establishing some standards, and doing so with a model that, you know, can be used around the world in this space. you know, it's been difficult in the current international environment in the wake of the snowden disclosures to do that.
8:49 am
but, you know, it is important that the united states continue to lead here, that it continue to advocate for a model of regulation and governance in the digital space that is adaptive, that does not operate by government prescription, that, you know, can transcend borders. so this framework does that, and that's an important thing. >> thank you. and i think that is an extremely good lead-in to dean. you represent a private sector perspective, and, you know, not only the tech sector, but presumably those people who your members support. and i would be grateful if you
8:50 am
could give us a sense of what you're hearing from the private sector about the framework. are we going to get consent and evade, or is this something that's going to get into the bloodstream? and if you could pick up cam's point about the international dimension. does this framework have the weight to build up an international following, or will it bump up against european notions? and, in your role talking to people on the hill, it would be great to hear what you're hearing from legislators about the framework. >> on the first question, i think it's going to get into the bloodstream.
8:51 am
as pat described it, it seemed inevitable and quite logical and linear. part of that is because of the process that pat had, which was quite open, transparent and cooperative. and i think he and the team should be complimented for that. on the substance, i think there are three reasons why it will become a part of the bloodstream. it will also speak to the question about the global impact. one is that the framework is actually quite flexible, and based on risk management. so it's not prescriptive. i think because of that, and because of the collaborative nature of the process, folks feel as if they had input into it. and feel as if no matter what
8:52 am
your business is like, there is something in there that enables you to integrate it. second, the foundation for a lot of what exists in the framework is global standards that were developed through consensus-based, multi-stakeholder processes. and because of that, because they're global, because they're multi-stakeholder and open processes, i think the likelihood of success, particularly globally, is high. this is, i think, a model for how these processes should be run internationally, in the process and in the substantive result. finally, part of the plenary comment, the fact it is iterative but not iterative without a pathway forward, i think the inclusion of a roadmap that speaks to nine different paths or work streams, including international, is critically important. we all benefit from an open,
8:53 am
integrated, interoperable internet, and cam alluded to it, there are lots of efforts, initiatives globally to shift that, to make it more balkanized. and i think this framework is a step in the right direction away from that. and i think it is quite helpful. as far as congress, much of what we have heard thus far is twofold. one is, how can they help create a pathway for success for the framework, which literally on the day it was advanced the white house released what it calls for members of congress saying this is a positive step forward. we concurred. i think the second, which a year ago after the president's statement and promise of getting this done, literally a week later we
8:54 am
were in california at rsa, which is the big security conference, and there was a lot of anticipation, energy and concern around what is congress going to do. my hope is that because of this framework, it creates a motivating force, an action forcing event to get congress to take on the elements of this that still require public policy. and so we intend to do everything we can to further encourage that. >> to follow up. when congressional staffers and representatives come up and say, what can we do to help, what are you telling them? >> that's a great question. i tell them i need to talk to daniel who takes care of these things on our team. much of what we've been focused on with what they can do is, one, there's still the issue around making sure that we have
8:55 am
real-time access to information and information sharing. and so heavy emphasis on that. the second part of it relates to something we published on. dhs, the department of homeland security, has an important role in this process going forward. what can we do to bolster what dhs and nist are going to do to enable success? i can get back to cam's -- >> just before we do, you mentioned the roadmap. and pat, this is, i think, a very welcome part of the document, but it's perhaps a piece less well understood. because i think most people expect government to produce documents which then sit on shelves and gather dust. what, as you describe, setting up a living document, an ongoing process, and the roadmap to a
8:56 am
certain extent is the guidebook for that process, could you just go into a little more detail on aspects like workforce, federal agency alignment, the international aspects, and how you see that working? >> well, we are pretty good at writing reports that can sit on shelves. but remember this is not a government report. this was an industry document, and in your opening comment you talked about the executive order laying out the year. which was an interesting timeframe that was put in the executive order, because depending on what perspective you had, that was either hopelessly too fast or completely unresponsive to the national needs to protect critical infrastructure. so everyone was unhappy at some level. and so from a very pragmatic perspective as we went through the process, we built on existing foundations.
8:57 am
it was about pulling best practices from everyone and then quickly identifying those gaps, and putting those on the to-do list so that as the process continued to unfold we would have some focus. we were trying, when we were getting it out for the first time, to make sure that we had both everything we could capture from best practice and the identified gaps. part of that to-do list is pointing to this ongoing framework process, and it was things that were identified as part of the first go-through that are gap areas. they fall into two types. one is things where the policy or the standards need to be advanced. privacy is a good example, where there was a lot of work to continue to identify those. and some of it has to do with the framework process itself. governance, adoption, things of that type, government adoption, international, are issues that really go to how do you provide
8:58 am
a framework structure that's conducive to the widest possible adoption? and i think that was itself open. as we go forward we will be having new workshops. the first privacy workshop is actually in april. we will be continuing the full-throated engagement we had through the framework process, and at each one of these we will be continuing to ask the group about gap areas. that will be a living thing as we continue to revise and check things off. >> as people in this room and in the country at large pick up a framework which they would like to comment on, is there a mechanism in place to receive those comments? >> so, the framework website is still up. we still collect comments continuously and we will be acting to compile and provide those to the group as we go forward. every new version as they unfold will be subject to the same kind
8:59 am
of public comment. one thing that's important to keep in mind with an ongoing process is that, and this is really an important point, if you're waiting for this to settle down before you do anything about it, you're going to miss the train. that's not what this is about. in fact, my view is that the framework will actually be driven by those who are the users and adopters of it. because most of the learning we're going to be doing from the framework is going to come from the hard knock lessons about trying to put it into practice in your organization, finding out what worked and what didn't, and feeding that back into the process so it can be improved. what we've been trying to be careful about is, you know, don't wait for perfection. we've been asking, and what we most value is those companies that are rolling up their sleeves, willing to give it a try and putting it to use, and are willing to participate in the framework going forward to help refine it
9:00 am
from the perspective. that turns out to be the most precious perspective. >> that's particularly apt in that there's a lot of discussion about incentives and the role they play in getting people to adopt the framework. we could easily spend all our time focused on that and whether congress is going to enable it or whether they can come with executive action, and yet do nothing else. i think the idea moving forward, while we continue to grow and improve, is the apt approach. >> cybersecurity is not a state. it is a process. and this really helps to lay out a process to get there, but it's a continuous one. >> the question of incentives is probably one worth spending a little bit of time on. the executive order did focus on incentives and the administration did put out work on
9:01 am
incentives, perhaps not as fully as it might have done, which reflects perhaps some internal discussions about how that ought to work. what i'm hearing from you, dean, is you would rather take the discussion away from incentives and focus on other aspects. >> i wouldn't say ignore it. i would say, as cam articulated well, this is a process. it's a process where we will continue to improve. where we have improved mechanisms for incentivizing people, they will get integrated into this like everything else. but in the intervening time, let's do the baseline work that we know is achievable today. rather than waiting. >> let me make a quick comment on the incentives. the perspective i've taken through this whole discussion on incentives was that the challenge to industry was to
9:02 am
serve the national interest as a country to protect critical infrastructure. we think it's also in your business interest, as organizations that run elements of critical infrastructure, to protect these assets. the best outcome of all is when it's totally aligned, when it's great business to be protective. and that's the premise under which a market-based, standards driven, internationally deployed framework makes the most sense. as we start to exercise that we may find areas where there is misalignment, where business interests aren't quite aligned, where there's unnatural -- that's going to be the place where congress needs to help pay attention. and so in some sense it's not so much, you know, any caution i think is not about internal skirmishes. it's about really a question of timing. again i think incentives today will be really informed by those organizations that are putting this into practice. what you really want to zero in on is, what are the barriers.
9:03 am
>> i mentioned this, this has been an issue of great concern in corporate executive suites over the last several years. that's a reflection that there are some powerful incentives to address this issue, some powerful business interests. ask target corporation. you know, ask the hundreds, thousands of companies that have had intellectual property stolen through cyber intrusions. you know, as standards move forward, the sec has guidance out there for assessing and disclosing cyber risk. this, by giving a set of benchmarks, you know, helps to inform that process.
9:04 am
there are plenty of good and important business reasons for companies to address this issue. most companies know that. now we have some tools to help that. >> one of the challenges, of course, for big companies including target is, and it will be interesting to see how the framework helps this process, is that some of those threats are getting more and more sophisticated. that even if they take some security steps, the cost of dealing with those high-end threats is challenging. how is the framework going to help deal with those advanced persistent threats that are hitting the headlines more and more frequently? >> so, i think in a couple of
9:05 am
ways. one of them is that a lot of those advanced persistent threats are enabled by the same moving parts that the framework addresses. failures in authentication, failures to understand assets, having the wrong behaviors within an organization that provide the sort of latent vulnerabilities that these threats are designed to tackle. they're a little more sophisticated in how they do it. so that's one piece of it. there's a lot there that i think some of the statistics show, some 80% of these are really addressable by pretty basic application of well-known controls. the other part is that the process is pointing to a continuously improving process. the way the risk management framework works is you have the capacity to be able to identify what's happening on your system. in other words, one of the behaviors you are looking for from organizations that use the framework is their self-awareness gets better.
9:06 am
the responsiveness to identified problems gets faster. and so those kinds of behaviors are specifically addressed, and, as i said, to the extent there are actual gaps in the framework itself, the technology space opens up brand new issues, in the mobility space right now, with large data, the reason the process has to be continuous is that there has to be an ability to adapt in there as well. >> so this is certainly one place where congress could help. legislation can help to facilitate the sharing of information about threats, sharing among companies, as well as sharing with the government; one direction can take place, the other direction is more complicated. legislation would certainly help to make that easier, easier to
9:07 am
do. >> it's a known market failure, all the participants in the market have identified it, and so the question is, what do we do about it? the one thing i would add is much of the conversation thus far is focused on big businesses, where -- we are a small business representing big businesses and we've got to talk to outside vendors, look at the framework and identify ways that we can improve, even in our organization, using the framework. i think the great thing about it is that no matter your size of business or where you sit or which industry you fit within, it is sufficiently flexible and risk-based that you can find use out of that. and i think good use. >> the other area where people have critiqued, if not criticized, the framework is those industries where the market does not dominate.
9:08 am
so particularly regulated industries and those where there is a less obvious financial driver. how confident are you that the framework will be able to deliver on its national security objectives in those industries where the bottom line might never get you to the level of cybersecurity that is required to deal with the grave threat the president was talking about? >> i think time will tell ultimately how effective this is in those kinds of markets, but i should point out that those organizations operating under these market conditions were a part of the whole process from the beginning. it was an explicit part of the discussion to make sure it was responsive to their needs and their issues as well. in fact, even up to and including the regulators themselves were part of the discussion. so we were actually, you know,
9:09 am
in an effort to make sure this climate was real, that was a key part of the engagement that had to be there. so i hope that that's not the case, because the way i've articulated this to the companies themselves is that if you think of regulation as addressing a market failure, then this is your chance to make sure the market has every opportunity to work. which is, i think, in everyone's best interest. and that has a number of intrinsic advantages, including the ability to operate at market scale including overseas, the ability to be much more nimble and able to change with fluxing technology. and so i think everyone has bought into that theory of the case, and hopefully those aligned issues have been brought in. one part of the executive order that raised a lot of questions, because it mentions the word regulation in the context of the voluntary program, is that there are regulated sectors here.
9:10 am
and what we're trying to do is not end up in a situation where everybody worked together on this framework of practices but then you were driven to do something different than that market solution by the regulation. this is really an effort by existing regulatory entities to have an opportunity to align against the framework. that's the spirit in which they've been participating in that as well. i think that would be constructive. >> i completely agree with that last point. some of that though will be determined by what was outlined in the roadmap. how dhs as well as all of the related agencies align behind the framework. that's one of the big question marks going forward. >> that's a good point to focus on before we open it up to the floor. implementation of the framework is going to be key. having the industry involved in the framework puts a little bit of fairness on them, but within
9:11 am
government nist will now be passing this process to a certain extent over to dhs and others. how is that process going to work? what are you going to do to make sure that the good momentum you've created continues once dhs takes on the implementation? >> so, i don't view the implementation responsibilities passing to dhs. so i think there's -- it's important to keep in mind three things. one is the framework process continues and nist continues to act as convener and police. so nothing has changed on that front at all. what dhs is doing is establishing, has established, a voluntary program that is there to support and promote adoption. that includes acting as a clearinghouse for best practices and a whole set of other things that within current authorities it can do to promote and support
9:12 am
adoption. they've been working with us from the beginning, so we think we did everything possible to make sure their efforts are aligned with what the framework is. i want to end on sort of the final point, the most powerful force driving adoption is the companies themselves. and we see that from their discussions as they put this into use. this is not just about what you do internally. this is about your relationship with your vendors, your suppliers and supply chain, other companies you work with in your sector. this is the way the sector community organizes, how this will look for them. those are actually more powerful than almost anything we've been discussing that we can do from helping on the government side. so i think sometimes people construe a voluntary program as toothless. and i just don't subscribe to that. i think they are very powerful. in fact, every product safety standard in the training is basically self regulated by industries or standards. these can be very muscular
9:13 am
approaches, and i think that's really going to be where a lot of the lift comes from in driving adoption. >> cam? >> i'm ready to go to questions. >> you mentioned you have some thoughts on dhs's role in promoting the framework. is -- >> i think much of it is, some of it is already being completed, and so there are a number of workshops that have been scheduled already, as i think pat mentioned. part of it is education, doing what we're doing here today but on a much larger scale and a more sustained scale. number two, making sure we are measuring the right things, and developing clear metrics for evaluating the success of this effort. third is, we've alluded to it earlier, which is the focus on incentives. i think they are important but we shouldn't make them the only thing.
9:14 am
and then the collaborative process, the final part, which is the collaborative process that nist has adopted has worked exceptionally well and it's critical that we keep that as a part of the work going forward. it's truly the way to ensure that it becomes broadly integrated in how businesses operate, as i hope it will be. >> i want to come back to what success looks like at the end. since we have so many people here i would like to open it up to questions. we have some microphones going around. the usual brookings rules apply. keep your question short, end it with a question mark, and please give your affiliation when you ask it. down here in front, please. >> good afternoon. thank you for this opportunity.
9:15 am
i'm with -- i would ask a question about a critical element as identified by the department of homeland security across all 16 of the critical infrastructure sectors, and that's navigation, timing, gps. which is essential for a lot of networks, for example. and dhs appears to be looking at the 16 sectors to implement protections with regard to that data, the gps data that they require. and i would like to hear from the panel what you see coming up with the roadmap, coming up down the road with regard to standards or other actions to integrate pnt, and to make sure that organizations have what they need when they need it. >> so, anyone reading the 39 pages of the framework would not
9:16 am
see pnt showing up. that's going to be one of those examples of an issue that's embedded in the standards set that are in the core. because it points to a particular class of time critical, position critical data, and i think the framework attendees were determined in making sure that's been addressed. without getting into the specific threat or vulnerability that dhs has worked out, and my guess is that nist has a lot to do with the time basis for that, we are probably working on a technical level with them already, but the framework becomes a vehicle for, and this is why the federal agency participation was so important, for informing the process that there is a new class of on the belief that is essential to critical infrastructure, particularly cross sector like that. we are counting on dhs as a participant in that process to flag that and actually take that
9:17 am
back in just as part of this process and make sure the framework process doesn't have that as a gap area. that that's something that is explicitly addressed. >> if i can add one thing, which is maybe lost in that, as a part of the executive order, all of the agencies, the federal agencies, are supposed to cascade the framework, i think, or to come back with their ideas around it as well within a defined time period. and so i think that work is incredibly important as well. so it's not isolated to dhs or nist, but is cascaded broadly within all the relevant agencies. >> back, further back. you there. >> brian with the coast guard. contingency preparedness and consequence management.
9:18 am
when you used the safety model as an example, it triggered something in my mind. do you see in the future a credit rating agency or an iso type of third party to provide an audit function on companies, how well they've implemented the framework, and then provide a grade of some sort? so suppliers can know, i'm only going to work with grade a suppliers. if you don't meet that mark you can't do business, something like that. >> the way i would answer is to pick up on the last point you just raised. what we call these are conformity assessment. in other words, you develop a set of practices and it may very well be critical to a given organization from a business-to-business perspective to know that the people they're working with conform to some level within those standards. so this is a voluntary program, and so the government will not be setting up a grade, but, in
9:19 am
fact, something we posed to the framework process is you may very well find that for this to work you need that kind of conformity assessment. there's a lot of different types, going all the way from self-attestation all the way to third party testing and accreditation. there's not a right or wrong on that. the question is, which is the right approach given the market conditions you're facing. so that's very much on the to-do list, actually that was in the framework plan. >> and finally, one of the oldest in the room, a subject for many years has been the question of cyber insurance. there have been some suggestions the framework will offer an opportunity to the insurance industry, giving it a set of metrics to use. what sense do you have from your discussions about whether that's likely, possible, realistic? >> i'm not sure my crystal ball is any better than anyone else's, but i will tell you
9:20 am
there was enormous interest in participation by the insurance sector in this for that reason. as soon as you put something into a risk management framework, the idea of all those assets we have for doing risk management come into play, including insurance markets. my sense is they found the process useful and i think there's some very active discussions. we had a number of breakout sessions in almost every workshop on this particular issue specifically here. >> in addition to hearing from members of congress and their staff about this, the other folks were a lot from our companies who intend or examining whether to get in that space. insurance companies but also law firms who are evaluating what this all means. and so i think that is absolutely right. >> the sort of audit process that you've mentioned and that
9:21 am
transit outlined is an outline of how standards work in the marketplace. i don't have a better crystal ball than pat to say whether the government will occur here, but certainly part of the idea is creating the tools, the benchmarks, is to inform that process. a number of the organizations that they are involved in with some of the underlying standards, iso is one of them. there are others that perform audit functions. some 40% of the corporate sector now has insurance against data breaches. that is triggering exactly the sort of engagement by insurance companies to take a close look at people's practices. this is a way to benchmark that
9:22 am
look. in the security area, i mentioned earlier sec guidance. to this point most companies have been able to sort of sweep it aside by saying that the risk is not material. i'm not sure after a target or neiman marcus experience that it's so easy to do that. and again, for shareholders, for boards, for auditors, there is now a roadmap that people can look to to assess those issues. >> do you think people are making investments based on where people fit in the framework? >> i think that companies will have to take a more critical
9:23 am
look at the disclosures that they make. and i think that can influence investors. >> the point you made earlier about ceos spending real time with their boards, shareholders, around these issues i think is indicative of how important this is, and the creation of the real marketplace to mitigate those risks. >> next question in the back on the aisle. in the middle on the end. >> thank you. i would like to follow up on a question about p&g boldly. that's been quite the subject of a late gao report in november -- pnt report. to ensure they're not dependent upon the same signal in space. so did i understand, peter, to say this has not been flagged as a problem by dhs or in one in terms of cybersecurity and
9:24 am
impacting cybersecurity of the nation's? >> no, i wouldn't characterize it that way. what i meant to say was that the extent to which pnt standards are found, like a redundant whatever the specific issue is, would be reflected in those things that are referenced in the framework core. what i'm not aware of is whether dhs raised pnt as a specific issue as we were putting together the top of a framework structure. that's not to say they didn't raise it as one of the constituent standards. in other words, you have a little bit of an onion here in terms of your the overall framework process ending of the constituent standards underneath. i would expect given the nature of pnt that this would be one of the constituent standards discussions, not in the overall framework. [inaudible] >> if you want to direct follow-up afterwards.
9:25 am
[laughter] >> this side on the aisle, please. >> i'm with the canadian embassy. looking globally can you talk about the reception you've had both from allies and foreign companies? >> i think you might want to get a couple of perspectives here. the overall reaction we've gotten from the very beginning was a combination of intense interest, wanting to wait to see what it looked like when it was done, and most promising of all i think, and understand that this could be used as a foundation for a variety of approaches around the world, even including those areas that were considering more national response, even including a radio toward response. because one of the things we point out is again, if you want, this is a global infrastructure. it's really important that
9:26 am
information and data campus be able to operate on that scale. that's what makes those technologies so powerful. than aligning to just like with as our own intro regulate and the critical infrastructure space to align to this, is something that can be done on the international scale. we've had a lot of positive reaction to that. the most interesting one was coming from europe and it had to do with the fact that in the same week the president released the executive order, the european commission was proposing some draft approaches that were going to be used for cybersecurity. and from the very beginning they have been quite interested in looking at this as a basis for moving forward. >> 30% of the companies we represent are international non-us-based entities, and the reaction has been favorable as well. they operate and what that has been global integrated and interconnected. they offer services, products, systems that they want to work on a global basis, and so
9:27 am
appreciate and welcome the framework. they are -- they are also competing in the marketplace where increasingly their efforts to cybersecurity or national security as a market access barrier, you know, so whether it's multilevel protection team in china or some other problems we had around preferential market access in india, and so having this framework that's built on global standards that are consensus based and developed through multi-stakeholder processes is helpful to those international companies as well. >> this is something nist -- what would be the process to internationalize the framework, or at least give it more encouragement to be used internationally? >> so, what we did in this case was actually something that was modeled after the approach we
9:28 am
took with smart grid standard setting a few years back which we started with the premise that the framework process was immediately international. we invited international participation. i was meeting with delegations from around the world as this actually started. and we made a deliberate effort to look at international standards as one of the building blocks of the framework, and asked companies to bring those forward. so in some sense we've been international from the beginning. i think the more, and by the way, i expect the international flavor of the framework process to actually grow as we go forward. that was actually identified in the roadmap. we expect this to happen. what will be interesting is maybe more on the adoption side. in other words, the extent to which conformity assessment, certification or product, the extent to which those can be put into global infrastructure or a global context will be very interesting. and then because you're dealing
9:29 am
with critical, national infrastructure, they said how do countries respond to that from their own national policy perspective to align and do something that makes sense of there? so i think that's going to be really the two issues there is this matching between the national and global market, and how does the entity want to put in the muscle and the compliance piece itself. it would be quite interesting. >> second row, please. >> rich weber at inside subsidy. could you speak more about the next phase in terms of when the framework for how the framework will be revised, so where and when will we know this will be revised? >> so, we haven't announced a revision schedule yet for the framework. in fact, what we've done is deliberately created a bit of a pause in our engagement in setting up the kind of workshop
9:30 am
schedule and would point to any kind of revision. for the very reason i didn't want to get in the way of the adoption piece. we really wanted companies using this year. .. framework and follow-up to be informed by those organizations using the framework. but we have set up a tentative schedule of workshops that are on the framework website. the first one is probably the privacy one in april, and i think there is another one this summer. in july. again, there is no surprise on what the agenda is, because the roadmap was laid out in that process. i do not it at any major revisions to the framework itself. the impetus is going to be going after these gap areas, identifying these areas where we felt there was real work to be done. and also i think much to bring the government's discussion. we should now start seriously
9:31 am
taking on, this framework will be an ongoing process. not that i am looking to get out of the business but how we look at the government's scheme where all these companies can look to get it to turn this into an ongoing routine process. in the cloud sector and smart grid and other areas and we would like to continue those discussions as well. >> what about that? does that tell you what that looks like? >> probably the most mature of those is the discussions in the smart grid because it is a little bit older than the cloud side. the cloud effort was focused on the government adoption side, smart grid, a smart grid
9:32 am
interoperability panel which is a 501(c)(3) panel was put together, the stakeholder groups was -- was not an existing organization to help facilitate the process and established one of their own, this provided funding for the operation. we work routinely today where you have a living cycle of issues that are changing and top priorities and this smart grid interoperability panel, the tree edge, in many cases now works with all of the different standards organizations that are supporting that to say this is a key area to improve and make sure the adoption side of that is worked out. and making sure all of that was put into shape. it might look different, it probably will look different because it is a different sector so we are not going in with this is what the answer
9:33 am
looks like. year in and year out? >> thank you for the discussion. you were talking about how the federal government agencies will react? i was wondering how you get the state governments to adopt this and get involved because a lot of these things are very important. >> we will let you answer. we had strong interest from the states. the number of states at the event rolling out the framework,
9:34 am
talking to them about their framework process and they end up touching this problem in a number of different ones. many critical infrastructure entities are interacting heavily with the states. they are regulated or involved in the states themselves anyway and so this issue comes right out for them that this was an important building block because it is something they can use as a framework for dealing with these organizations. think of water utilities that are happening at this level. the other place this is very helpful to them is the extent to which we see widespread adoption of the framework means the technology providers that are providing technology and software and security solutions to support these companies are creating a market of some scale that can help drive down costs and improve performance and that
9:35 am
advantage in and of themselves would not have the markets to drive this outcome. i think we have encouraged state participation from the beginning. they have been involved in the framework process from the beginning and we will see this involvement ramp up. >> one of the reasons we have been pushing for legislation at the federal level is the fear to end up with a mishmash of state legislation that doesn't allow for these effective markets. the framework is helpful to the extent that it creates a baseline that is collaborative and based on these standards is quite helpful in avoiding them. >> how do you see it used at the federal level? there are clear examples of the requirement for security in the
9:36 am
federal government, how do you see this being rolled out? >> we actually at the rollout for the framework talked a little about government use. the most straightforward thing every adopting company is doing is to use the framework to develop profiles of your current practice. that is what is laid on the framework and one of the first things we are doing at the agency level, using this, with the organization to develop profiles where, where are we and where would we like to go? it is part of the adoption support system built into the framework. this is actually going to be interesting because the maturity model aspect of what is in the framework could be extremely helpful to the federal government because they move the debate have the application of
9:37 am
controls and the notion that the only thing to assess is how many controls you put in place. that is tier one implementation level, you can move beyond that into a real risk management framework at higher maturity level that has bigger advantages but it opens up the palette of addressing this as a risk-management exercise in the government. the last one is there is the tendency to address cybersecurity by just making the cios more muscular. it points to a different answer which is integrating with the program line. this is going to the board room. it starts at the cabinet level secretary and accountability there and looking at greater
9:38 am
perspective. we just started that but that will be interesting. >> being a cabinet level secretary -- >> i was privileged to have a wonderful acting deputy secretary, dr. patrick gallagher, one of the things he has done in that capacity is to really take in hand the cybersecurity department of commerce, you called it eating our own cooking and do that in terms of making management at the highest levels of the department accountable for cybersecurity and not simply something our cios deal with.
9:39 am
>> when do you see those being made publicly available? >> i don't know. as a trial lawyer, there was no obvious exemption. there may be security issues. let me go back to the framework that it is not about the controls. in any organization you have a dynamic set of controls, our cios are drowning in piles of controls and other mandates outside the security space. what is unique from the government perspective is the management approach integrates into how you run a department and to make those decisions, not just technology decisions that skill set and hiring and cost allocation and all the other
9:40 am
things as controls. in some ways this is a fresh perspective on the government's approach and i think the management approach could be very public and that is more important. that is where the real accountability lies. >> we have a few questions, we will ask two questions to finish. we will take both questions and then answer them. >> at georgetown university, i want to come back to the controls. if i understand correctly the controllers are out of four. is that index what controls at least in the government today? >> let me be a little bit careful about what the implementation points to. there are controls at every level. controls are an important aspect
9:41 am
of how you control a particular risk. i am not saying there are controls, what the implementation points to is in some ways you are maturing and managing this risk so i think of tier one as being a rule-following culture. you create a to-do list and success is i got through the list and doing it repeatedly. it is a proactive culture, in addition to controls, actively identifying new threats and preemptively, static controls to an immune system. controls are everywhere. where the federal government does profiles, i don't know. my suspicion is we have been
9:42 am
mesmerized by control and control operations. we shouldn't be too surprised to find ourselves near an implementation level that is focused on number one. >> one final question. one thing the panel talked about is the alignment of the national interest. let me give you a scenario, and how it will change in the corporate world. i recently read the u.s. credit cards are behind the european credit card. and visa and mastercard and american express, right now
9:43 am
something like the new market scenario losing $7 billion a year. but it helps to replace all of the credit cards, that will cost us more like $11 billion. normally what they normally do, in the roi -- and financial interest, does not overtake the international interest. >> hundred need your question one of the profound issues congress faced is what is not aligned, we are not talking about something that if it fails under a cyberattack there's great harm to the country. that gets fixed somehow. backing up a little bit i am not
9:44 am
sure i would buy that the financial risk assessment they were looking at was correct. in the following sense, you are correct that one of the issues the united states has seen is we were early adopters, very expensively deployed technology base being compared against much younger technology bases for carburetors and so forth. and there is vulnerability. the question would be, the risk management approach is important. to what extent is the technology to help us mitigate and control these risks? that is something i assume a good framework-following organization would be going after but this is not just the direct financial loss of those customers that lost their information and that is not what i am hearing from ceos, a
9:45 am
profound reputation loss. this is going at their market share. what i am hearing from ceos is acute sensitivity that this is a big deal and it is rising to the top of the board rooms of the discussion. i would be surprised if they reach that kind of simple apples-oranges comparison because that doesn't track with what i am hearing from ceos. >> that is right. the cost-benefit analysis is in today's environment wrong. it reflects what has been historically the challenge of cyber security. the cios, compliance officers were worrying about it, a cost issue, it was difficult to get attention. because of the reputation oil
9:46 am
concerns of the impact. if you are a company that has a significant failure, that was changing. that is reflected in the level of concern i talked about and i think we are seeing that reflected in the demand where the corporate sector could change for example sunday technology despite the economics you talked about. >> i work in a highly disruptive sector where companies don't exist, largely based on new innovations and key to the success of those companies are trust and integrity so to the extent we don't take cybersecurity seriously we are undermining that trust and integrity and that is the principal reason why it is one of the issues that i hear
9:47 am
perhaps most often from our most senior executives in the company's representative wood is truly one of the top priorities and so it is right in a pure analytical or quantitative sense it may not show up, but the brand and identity damage is so significant it is part of the consciousness on all these issues. >> can i take the moderator's prerogative before we end up looking at what that looks like and that is just to take a look at privacy. this was explicit in the executive order that everything you produce to respect privacy. throughout the process, there would clearly be concerns like privacy lobbied to ensure that that was the case and you have
9:48 am
adapted what you produce in response to some of that. can you tell a story so we have a better understanding of how all the responses you had and the framework to reply to some of it. >> the short version of that story is the one you laid out, that privacy was an explicit requirement for us to consider as we developed a framework from the beginning. it was actually part of every discussion in every workshop including the kickoff workshop. i remember a discussion about the incorporation of privacy at that point. what seemed to happen and we could go back and have a discussion about what the psychology was but it tended to be an issue where the maturity on some of how you implement, what are the building blocks you
9:49 am
build for privacy protection was less mature than what was true in a lot of cybersecurity areas and partly based on that it was relegated even though we brought it up at every workshop it was one we kept saying this is one we need to work on and one of the consequences of that is midway through the process the privacy principles were put basically in a stand-alone section as an appendix and i think maybe that is what caught everyone's attention. stakeholder groups working on the framework, all 3,000 of them jumped in. it was actually an interesting perspective on how the framework worked. a group of industries said this doesn't make sense to have this be an attachment. it is based on the same data protection principles that are integrated and they made a counterproposal to integrate
9:50 am
those into the framework so now it is integrated and not bolted on and that is where we stand today. >> can i comment? >> i think where it ended up is the right place. security is an essential ingredient of privacy. it is part of the privacy principle. part of the white house consumer privacy bill of rights. it is really not a stand-alone issue. there are privacy implications. some of the cybersecurity practices particularly when you get in to sharing information with third parties or in particular the government, so it is important to incorporate into
9:51 am
the framework privacy practices as has been done. it really is part and parcel of security. >> remember companies -- >> we were one of the stakeholders concerned about the bolt-on approach so like him we think it ended up in the right place. it is one of the more benign extremes so we intend to stay engaged and work to ensure that it progresses forward. >> which brings me to my last question which is as we do progress forward, what do we think it will look like? an important part of the framework i hope i am correct in thinking is to assess where there may be a requirement for legislation or others to engage.
9:52 am
question for each of the panelists, how will we know whether other action is required? more importantly what does success look like and how can we be confident this is delivering what we think it should deliver and if we come down this way? >> thank you very much. i think a big part of it is adoption. the extent to which most businesses are looking at the framework and integrating it into their operations much in the way we talked about, ceos making it a part of their board room discussion. the second part of it is if it in fact doesn't become a stale document that sits on shelves but does become a living, breathing, iterative process as opposed to an end point whereby we are still working on it ten years from now and gaps with
9:53 am
congress, we have spoken to those and there are a number of the most pressing ones i think can be dealt with on its own is around information sharing. >> how much confidence do you have that this will have success? >> high degree of confidence. the question is when? my confidence i am sitting in a discussion with rogers and ruppersberger on monday. i hate to leave them anything that they will be upset with me but it is unlikely anything meaningful will occur in this congress but i do think there's a sincere interest in fighting it. >> are you yet to put a metric on it? my answer would be a version 2.0 or one point of significance because that would be a
9:54 am
reflection that there is active engagement, active adoption, that experience has, leading to the iterative process and an indication that the model is working. >> i always like it when the next guy gets asked the measurement question. for me, the acid test of all of this is the critical infrastructure is better protected. it is also the hardest thing to measure. that will be very challenging. i think of the success story as having two elements. one is the near term and one is the adoption and the way i characterize it is is this inevitable? this is what everyone is doing and we are struggling with those nuts and bolts issues. they may be tough but the things
9:55 am
that will come up with organizations that are trying to use this, that is a big success because that means this is being put into practice and you have a framework to improve and there is an intermediate set of metrics that are potentially very powerful and it goes to the safety comparison. the final outcome may be something we learn retrospectively looking back but i hope we start seeing meaningful improvements in security behavior. that could be the capacity of an organization to identify and manage risks, could be the capacity of staff, skill level, could also be behaviors like self awareness, the fact that we know what is happening in the system more, our speed to respond and to improve and a set of security behaviors that are measurable. that would point to a healthier organization in managing these risks and my hope is we will be
9:56 am
working with industry, the next thing to do to identify some meaningful measurements along those lines. >> thank you. we look forward to the private security framework, the chancellor of the university to comment on it. and i would like to thank all of you for joining us here today and invite you to join me in thanking dean garfield, cameron kerry and patrick gallagher for a fantastic panel. [applause] [inaudible conversations]
9:57 am
>> attorney general eric holder will speak to attorneys general from around the country at their annual winter meeting in washington d.c. live coverage starts at 10:00 eastern on c-span. the house and senate veterans' affairs committee hold joint hearings on disabled military veterans today. the committee will hear testimony from officials at the disabled american veterans organization to outline their 2014 legislative goals. that is live at 2:00 p.m. eastern on c-span3.
9:58 am
>> there are some myths out there. people think maraschino cherry is a miraculously preserved product and it is not. it is no different from a pickled cherry, the process is no different from the types -- it really is i wouldn't call it a healthy product but i would call it something that is a tasty treat. >> what you see here is cherries in various stages of process. even though we put the mint water, brian -- and extensive washing to get the salt back out. the practice of making them is basically you are soaking it in a progressively stronger sugar solution. it is over the course of that
9:59 am
schedule you will see the color intensity picked up as the sugar content picks up so you can see this process, lightly colored, you see how much darker that is, much farther along. it is un idea if you are in a normal day, yellow, pink, deeper, just that cycle of infusion and where it is in the process. >> this weekend booktv and american history tv look behind the history of literary life of salem, oregon saturday at noon on c-span2 and sunday at c-span3. >> the u.s. senate begins its work day in a moment. lawmakers continue deliberations on a series of judicial nominations with 11:15 eastern senators take up and vote on 3 u.s. district court nominees.
10:00 am
the chamber will recess between 12:30 and 2 eastern for weekend party lunches. the senate will start work on a bill expanding health care, job assistance, education benefits for veterans. the first procedural vote set for 3:15 eastern. live to the floor of the u.s. senate on c-span2. the president pro tempore: the senate will be in order. today's opening prayer will be offered by our guest chaplain father patrick conroy, who is the chaplain of the u.s. house of representatives. father conroy. the guest chaplain: let us pray loving god, we give you thanks for giving us another day. on this day, help us to discover the power of resting in you, and receiving assurance and encouragement in your amazing grace. send your spirit down upon the members of this senate, who have been entrusted by their ow