distinction that they don't see at all. so we can't espionage. they see as making their industries more competitive with the west. it's stealing intellectual property, trade secrets, ago shooting information. if you're iran if some less economic and mortal of national power, disrupt bank of america, but as america in the title, and use distributed denial of service attacks to make their life more difficult. so it is everything we see in the fiscal world with all the same motivations, just being able to do it using asymmetric dual to reach a vastly wider audience of adversarial clients. ..

>> you know, you just came out of a summer if previous year what you had blaster and bagel, so the purpose of a lot of what we were dealing with and worried about was just keeping our servers online and not being with knocked off the internet. since then you've had organized crime, as was mentioned, has really come of age, and the tools they're creating are just amazing. some of them are very, very automated, and the population of attackers that can harm every one of us just at the push of a button has grown because of those tools. so there's this community and commodityization of all of these tools at all different levels, i think, that's really changing the game, and the trends are just kind of spreading out of that over the last ten years.

>> i think wade's exactly right. it's almost quaint, the worms of 2004. if you haven't done so, go cut and paste about two or three paragraphs from the doj indictment of the chinese and put that in your next them hoe to your ceo and the members of your board to show the sophistication with which the chinese in this case are doing the social engineering, are sending the e-mails. >> yep. >> and i really think you can't but shocked at the degree to which people are thinking through this to make economic or national espionage games. >> i'd like to get back to china in a second, but when you guys look at the, i think you called it the year of the retail hack, are there sort of broad, big picture lessons that we can draw from some of those high profile attacks whether target or snapchat that apply to corporations more generally? what to do, what not to do, how to respond? >> yeah. so just kind of looking at

target or adobe or think of the big breaches -- any of the big breaches, i think there's a tendency to get lulled into this compliance area, right? i mean, they had just completed a great compliance cert, but two or three months later we see the hall wear im-- malware implants. getting people trained, overworked folks, paying attention to alerts, knowing what to do with an alert. extended interrise, right? supply chain. we saw the entry through fazio. that's a huge problem. how do we deal with interconnectedness in a supply chain in an extended enterprise over time? it's not just one factor, a series of factors. the challenge i find is by the time we identify the risk and kind of looking back retrospectively, adversaries have moved on, and we haven't increased work factors for

adversaries at this point in time. so the gap is widening as you work through closing the risk that you just identified from the last breach. >> a vice president at she man tech got a lot of attention a couple weeks ago for ab interview -- an interview in "the wall street journal" in which he said i'm not going to focus on stopping intrusions because it's going to keep happening. i'm going to focus on detection and recovery. is that a student approach, do you -- prudent approach, do you guys think? >> i think over time what we have to be able to do is share information to increase what's in our filters writ large not only across the private sector, but also what the government can share with the private sector can and the private sector can share with each other. i do think there is a lot to that statement this that when you read the -- in that when you read the indictment and you see that plain old spear phishing which we've been hearing about so much over the past few years

was the cause of what the breaches were at alcoa and the other things in pennsylvania. i think when you see over and over the same techniques and tactics, i think it's a reasonable conclusion to draw that they're definitely going to get in, but there's a lot of capability that's on the bench that's not been put out on the field yet, and we have to work towards that so that we might be able -- a rising tide might be able to lift all boats this that we can spread around information so that we're in better shape. >> i'm going to take a real risk and say potentially that quote by the press is not 100% reflective of semantech's strategy. [laughter] antivirus as a solution to your cyber threat is dead. antivirus as, you know, one of the arrows in the quiver and especially for kind of the less sophisticated user, the average customer, the average mother in iowa who isn't a cyber expert --

she should still have good antivirus protection, that will still be with a part of a lot of strategies. if you're alcoa, if you're boeing, you still need your antivirus, but you need about 20 other things, 10 of which might be technical, 5 of which having to do with business process and 5 of which have to do with your people. so antivirus remains an arrow in the quiver, it is just, it is realistically a much smaller arrow than it was five, ten years ago. >> i think, tim, you've got to work across the spectrum of planning where you're involved with protection and prevention activities which drives you back to threat intelligence and detection capabilities. you certainly want to be on the left side of the exploit, right? as opposed to being on the right side of the exploit or the boom. but you have to be ready. you're not going to be able to mitigate all of this. we talk about it all the time. a network is breached, we can identify what we can, but you've got to be ready to shift risk and do risk mitigation on the right side as well.

so i agree that you absolutely should be invested in doing protection and better jobs on up-front surveillance, but you have to be prepared for the consequence management on the back side. >> tim, could i go back to one thing about target? >> sure. >> target's good because of its name, but the lesson for me from target is people have to understand how good a company target is more security. >> yep. >> target has been more involved with industrial security practices than almost any company in the country. and target was still the victim of a huge breach. >> yep. >> target also is not a traditional cane that many might -- company that many might think would be targeted. not booz allen, northrop grumman. now you see hem getting hit successfully, and that means there really is no company which doesn't face this as a real business risk. >> in terms of -- and target's a

great example -- in terms of the effect of businesses of getting hit by one of these attacks, target sales dropped, its share price dropped. seems to have more or less bounced back now. do you guys think this is sort of the new normal where with consumers say, hey, this happens to everybody, we get a little pissed off, but eventually they come back and accept the fact that this is just part of the landscape of commerce in 2014? >> so this is something that has interested me for quite some time, is what is the real impact. and, of course, when you're talking about national security, that's a different question than internet fraud. so, but specifically in something like a target incident, you know, studies have shown that they do tend to bounce back. i think that might be changing. i do an experiment, actually, with my family on when we get together on holidays, and over the past several years i've

asked about whatever the large breach was in my world, have you guys heard of. and never before target have they said yes, but everybody at the table said yes. and i thought that was really interesting. so i don't know if there's something maybe that's changing about that perception of, hey, that really did get in my life and kind of bother me a little bit. but i think without that outrage, you're not going to have people leave anything droves or anything like that. maybe multiple times, maybe it matters more with business-to-business relationships than it does with consumers. all of those things are factors in this. >> i think you have to look at the value of the organization, what the business value or the security value, what you're trying to market, right? so, again, if you're a product company, you're a one-trick product, right? that's a problem. that's a real problem. you probably won't recover very easily. if but if you've established branding in a broad array of products and services, i agree, i think -- and you have a good

reputation, i think you're in better shape. and i will tell you that a lot has to deal with how you handle the situation. in terms of the speed of recovery, in terms of revenue and profit. you know, and i think there's case studies going back, certainly when i was serving in government, we looked at this in terms of reputation and what it took in terms of public imaging going with forward. what boards did, what ceos did, what c level did and those that had a strategy that reached out were actually in probably a better position than most. >> i think the shoe has probably dropped on target and look now and assess the damage done. i think in a lot of these cases the shoe hasn't yet dropped. so the you're a product company -- if you're a product company and the intellectual property and the sensitive trade material has been stolen on that product but a competitor hasn't yet gone to market on that

product, well, it's not at all clear how the effect, how it will affect you and your business opportunities. i think certainly what we saw from are some of the manufacturing companies in western pennsylvania took some time, and economically it's been quite bad. the second piece is i think there's probably going to be, because we're americans and we're so proud of our productiveness, we're going to end up with a lot of litigation about this. and a key point on those five companies, none of them had reported to the sec about those breaches. i always say this because i know that they already know this. if you're a plaintiff's lawyer, wait a minute. so you knew about these breaches for how many years and you didn't report it to the sec that might have a material impact on your stock price? so there's going to be a mini industry which sprouts up around these breaches -- to some extent, there already has on the arrives front, but it's going to the stock value front as well,

and that's going to drive an additional degree of economic impact for companies. >> speaking of problems for product companies, one of the things that you always hear in the tech world is how the internet of things is coming to life, companies are building products more and more. by one estimate there's going to be 50 billion devices connect to the internet -- connected to the internet by 2020. is it not rational to panic and assume that these things are going to be compromised in some way, or am i being paranoid about this in. >> the chinese will need a lot of server capacity, that is true. [laughter] it's an economic opportunity. >> so in this space i spend a lot of time looking at the marriage of physical can is cyber and data centers, i see the operational technology and i.t., i think we've got to do a lot more work here. i mean, as i look at what we have left open and the fact that we can, we still

organizationally consider things separate, we have facility managers running the data center infrastructure, we have i.t. managers running the i.t. stack, and a lot of times they're not talking. technologically, we're not there. and then from the adversary's perspective, i think mike and i have seen in this government, you see a foreign intelligence service running through those seams, right? so i think there's at least three thoughts with regards to the technology trends and the internet of things. as we become more interconnected, we're seeing new innovation, right? cloud computing and virtualization. there's a need to create the transparency, right? to make people comfortable with where their data is. but we have to up the game in security. i think in the world of i.t. consumerrization, and i think about mobile devices -- smartphones and tablets and so forth -- here we have another challenge because i think as we

move forward in time, adversaries are going to exploit globally-interconnected and mobile environment in bigger ways. we're just beginning to see it with the mobile sms-40 malware. so i think as we kind of look at ip addressing all over the place, we have got to try to get ahead of that and think about it both from an innovation, efficiency/effectiveness perspective, but baking in as best we can risk mitigation activities. we're still doing it reactively. >> i just wanted to touch on the internet of things question there. i try not to get too worked up about the latest threat and all of these trends and prefer to just stand back and study them, but that one, that one is concerning to me kind of going back to your question just by the blend of lots of separate threads sort of converging there. so in the security defense area,

i can't say that we've been highly successful yet in sort of defending just a network, you know? like our castle. we haven't fully mastered that yet. and thousand we're talking about not just -- now we're talking about not just defending the castle, but the country, and then the entire empire spread out everywhere all over the place, and it's just a different game. and devices can't run all the av and ips and all the things that we load on them that take 90% of the processing power on our computers sitting on our desktops now. so it really is going to fundamentally change things. and that's the part that concerns me about it. so, you know, your toothbrush, i don't know, maybe that already exists, but i'm sure if it doesn't, someone's going to be measuring how much time they spend on each tooth, and that data's -- >> it does exist? okay, thank you. [laughter] >> maybe i need it. >> it also produces a natural point of tension for business, right? because a lot of the reason, you bring your own device policies, you move into cloud infrastructure.

>> right. >> you're doing more sas. all these things produce great efficiency for business. it allows people to be more mobile, work from home, have relationships with supply chains in ways that you could never imagine without this technology. >> right. >> and. >> that sense -- and from that sense, if you're a business, you're trying to increase sales, you're pushing all of this really hard. and then you have those really pain in the tail risk cyber types saying, not so fast. so it's a natural point of tension. and when you, again, when you don't know what the repercussions of loss will be for some period, it's really easy to say, okay, well, security people, you fix that. we're going to keep going down this bring your own device policy, and come back to me when you have a solution, but we're not slowing down our business. and that leads to hard choices for boards and ceos. >> is there more that the government could be doing to help businesses protect themselves? mike, i know you've worked on the inside of the house

intelligence committee. i think you are a pretty strong proponent of legislation of some kind. >> that's right. >> what do you think we need from congress to protect businesses? >> look, i'm not saying congress through an information-sharing bill will absolutely solve the problem completely. i agree with what mike said earlier, you're going to have to use a holistic approach. you're going of to have to figure out what to do with standards, with people, policy and procedures within different canes. but like i said -- different companies. but like i said earlier, the government is in possession of information that, if shared with the private sector, could help them stave off certain cyber attacks. the government, as you heard from admiral rogers through its foreign intelligence mission, has come into possession of certain malware and other information that is of use to the private sector. that alone people like to say, well, that's not very much, or

it's not a a finite amount of information, it's going to continue to evolve, and that's absolutely true. but what congress needs to be able to do is to try and eliminate the barriers to information sharing. it has to, most people have written about the antitrust problems, most of those have been debunked so far. but certainly we need to give liability protection to companies. this is where we have a lot of the controversy in the house of representatives on the fiscal legislation which passed twice with bipartisan majorities, by the way. but that was before edward snowden. and one of casualties of edward snowden in addition to the tremendous foreign intelligence loss and the billions of dollars and maybe less confidence in the u.s. intelligence services is that now it's sort of the ghost in the machine. we were just beginning to get to a point where the president was raising cyber espionage as a key issue in our bilateral relationship with china. we were finally moving forward

on cyber legislation, but post-snowden that has, in a sense, affected all of for the worse and really stymied progress across the board on cybersecurity legislation. >> sorry, go ahead. >> no, i was going to just build on the points, you know, based on my perspective in the government, now in industry, you know, we worked on this defense industrial base information sharing program when i was back in the pentagon. certainly saw some downside, but a lot of benefit in terms of building trust. and to me, we have got to move faster in that space. just based on what we've just talked about with the threat. >> that's right. >> i also think that that trust and what i see especially in the private sector as you build it into your either supply chain or a customer base, you're doing joint solution, right? not one organization, one person can handle what you need to do with regards to threat

mitigation. be the you internally try to do it, it's hard. it's really hard. so it's information sharing that enables a level of trust where you can do some joint solution. and the government needs to reach out, and we in, and industry also needs to reach the other way. and we need to develop much more rapidly cross-sector sharing platforms. >> i think the government can be a help, but i think there's a huge capacity deficit, and there's clearly a trust deficit, and if companies are looking to the government to solve this problem, they height as well just shut down shop -- they might as well just shut down shop right now. the nsa, the fbi, they could throw everyone on this, they still couldn't do what one-one hundredth of companies need to do to trust themselves. the second piece, snowden destroyed, in my view, any chance of really progressive legislation. >> yep. >> finally, you've got to be careful what you wish for. a lot of people and a lot of companies in pushing the u.s. government to be stronger on this, i think they did with the

indictments. if that's the first stage in an effort to really coalesce pressure against china, that's a good thing. but many of the companies i talk to post-doj indictment said, whoa. [laughter] i've got a lot of business in china. i'm trying to do business in china. what about my data? >> how worried, i mean, should companies be about that? where does this dispute go from here? does it keep escalating? >> companies should be unsure -- companies should be very nervous mostly because there's a lot of uncertainty. so do i think that the chinese are going to start indicting u.s. officials? that could happen. how much does it matter to a company? not that much. do i think the chinese are going to make it more difficult for certain u.s. companies to do business in china? they already have. you know, two days after the indictments, not a coincidence in my view, some requirements for information technology companies to operate in china in a way they couldn't before. other canes that view china

as -- companies that view china as one of their most significant growth markets over the next decade are looking at this very nervously. i don't think americans should necessarily worry about their employees getting locked up tomorrow in shanghai or beijing, but are there going to be further obstacles? could this escalate so it's more difficult to do business in china? in the short term, i think if they're not looking at those possibilities, again, they're crazy. >> on that cheerful note -- [laughter] i want to leave a few minutes for questions. i think we have a couple microphones here. if anybody has something they want to ask, just raise your hand. >> so you talk a lot about what organizations, corporations should do to protect, defend, collaborate, the share. what's your perspective on what the technology providers should do? what's the customer/provider relationship expectations about what's baked in for capabilities when i buy the solutions? why do we keep hearing about bug

fixes for products that were rushed to market instead of being engineered better to start with? >> you want to take that one? >> yeah. well, i'll take it there a couple different angles. one is in the customer technology/provider relationship, i think there's a lot more attention now on service-level agreements and what's in it and what's out of it, and it depends on where you sit in terms of responsibility and accountability. i think the challenge is we typically want to avoid risk, and so we try to write in insurances within the soas to make sure that we're not liable. and we haven't gotten to a point on how we collaborate. i do see that as especially in consulting as well as with a company, i'm the chief security officer, we are getting more and more into this issue as we get into deeper discussions on internal audits, which is

helping us. in terms of relooking at soas, relooking at how we're going to work together. i see it also with, as we're working through compliance regimes and actually not just doing a check on an audit, but actually exercising to it. so if it's an iso 27,000 cer, that you're looking for, a lot of companies, a lot of bigger companies critical infrastructure really now building plan, exercising plans and working through how do we need to adjust that relationship between the technology provider and the ultimate customer. >> whether we like it or not, a lot of these agreements and arrangements are shaped by litigation. >> yeah. >> and what will happen is when x company gets sued because they had a data breach, privacy problem, loss of personal identifiable information, they're going to say, hey, not

my fault. whose fault is it? it's michael allen's company who advised me on cyber, or it's verizon who didn't patch, or it's microsoft. and that's going to start to drive, i think -- in not the most efficient way -- a lot of how those agreements look in the future. >> yep. >> anyone else? >> thanks. [laughter] >> thank you. andy purdy with -- wawei. leveraging purchasing power not just of government, but private companies so that vendors have to raise bar. and do you see any -- do you have any recommendations or see any encouraging developments about what could happen in the area where china is setting requirements on their import on

the possibility of having global agreements or agreements between the u.s. and major suppliers for a level playing field, for a risk-informed, fact-based approach to addressing the risk of products and services coming into the united states. >> take it? >> you know, frankly, my sense there is when you look at it from the standpoint of within the u.s. you can come to one viewpoint be, the you look at it internationally especially as you engage other nation-states, we're kind of all over the happen, and there's a lot of suspicious feelings about, you know, how we handle the first question on purchasing power or your second question. my sense is it ties into the ongoing policy discussions on internet governance, the issues that we're now dealing with post-snowden revelations on data sovereignty and how that impacts u.s. businesses, indigenous businesses as they move into

foreign markets. and so it's really building a credible can -- credible coalition of companies that would allow you to make a difference in a global world, right? and it's challenging. i don't think we're there yet. >> yeah. i think the legal policy front is clearly lacking technology. you hook at the e.u. decision -- you look at the e.u. decision, google, i'm pretty confident that no one who made that decision had ever coded anything in their life. [laughter] and if they did, they got fired as soon as they put it up for sale. you can't have a better illustration of a legal policy decision which doesn't synchronize well with technology. and on the international front, that's going to happen in a number of different places, a number of different ways. that's going to make any sort of international coalition of standards very, very difficult to apply to the multitude of business challenges that companies face. >> anybody else with a question? be -- in the back.

>> good morning. this question's for mr. allen. nick kalman from fox news channel. we've been trying to sit down with you for quite some time so, unfortunately, i had to bring these questions here. how do you respond to allegations that you helped run interference on the benghazi investigation first? >> you know what? i'm going the take that question for michael, unless he wants to answer. >> no, no, no, there's nothing to those allegations. but thanks for, thanks for bringing them up. >> i'm still going to follow be up. i am a registered independent. i was nominated by president bush, i was asked to stay on by president obama. i take great ride in being nonpartisan on these national security issues. i worked with michael allen in the bush administration, i've known him since then. michael allen is a dear friend, so maybe i'm just biased, but i think it's horrendous that individuals who have dedicated

their lives to the u.s. national security when they finally get an opportunity to actually make a living and support their family immediately their motives are impugned for crass political reasons. [applause] >> if i could just ask one follow up. [laughter] can you tell us when you began discussions with -- [inaudible] in terms of employment? >> we already put out a statement to fox news on that, so i'd refer you to the statement that we already gave you. >> appreciate your time. >> thank you very much. i believe that we are running out of time here. [laughter] on that note, but i'd like to thank all of you. this is a very interesting panel and very informative for all of us. thank you once again with. before we move on to trish, i

would just like to remind everybody watching online that you can continue the discussion on twitter at hashtag bgovcyber, and you can submit questions for all of our panelists on clicking on the right-hand side of your panel. so thank you once again to all of you. [applause] >> today heart attacks the 70 -- marks the 70th anniversary of the world war ii d-day invasion of normandy france. saw on your screen there, john kerry, secretary of state. he is here in france about 40 miles east of one of the invasion points for a remembrance of the 70th anniversary. french president francois hollande will be speaking here. it was on june 6, 1944, that 160,000 allied troops attacked along a 50-mile stretch of french coastline defended by german forces. and despite suffering more than 9,000 casualties, by the end of

the day, the allies had gained a strong foothold in normandy. there was a ceremony earlier, the french president spoke at that as did president obama. we saw secretary kerry, also a number of members of the house and senate in attendance as well. the former french president, sarkozy there, arriving at the ceremony which should get underway shortly with our live coverage continuing here on c-span2. [speaking french]

[speaking french] [inaudible conversations]

[inaudible conversations] [speaking french] [background sounds]

[background sounds] [background sounds]

[inaudible conversations] [background sounds]

[inaudible conversations] [inaudible conversations]

[inaudible conversations] [background sounds]

[background sounds] [background sounds]

[background sounds] [background sounds]

[inaudible conversations] [background sounds]

[background sounds]

[background sounds] [background sounds]

[background sounds] [background sounds]

[background sounds] [background sounds]

[inaudible conversations] [inaudible conversations]

♪ ♪ ♪ ♪

♪ ♪ ♪ ♪

♪ there are. ♪ ♪ [applause]

♪ ♪ ♪ ♪

♪ ♪ ♪ ♪

[applause] [background sounds]

[applause]

[inaudible conversations] ♪ ♪

[speaking french]

[speaking french] [speaking french]

♪ ♪ ♪ ♪

[background sounds] [speaking french]

[background sounds] ♪ ♪ ♪ ♪

♪ ♪ [applause] ♪ ♪

♪ ♪ ♪ ♪ ♪ ♪ ♪ ♪

♪ ♪ ♪

[applause] ♪ ♪ ♪ ♪ ♪

♪ ♪ ♪ ♪

♪ ♪ ♪

♪ ♪ ♪ ♪

♪ [background sounds] ♪ ♪ ♪

♪ ♪ ♪

♪ ♪ ♪ [background sounds]

[background sounds] [speaking french] ♪ ♪

♪ [inaudible conversations]

[inaudible conversations] [inaudible conversations]

[inaudible conversations] ♪ ♪ [inaudible conversations]

[inaudible conversations] [speaking french] ♪ ♪

♪ [applause] ♪ ♪ [speaking french] ♪

♪ ♪ ♪ [applause]

[inaudible conversations] [background sounds] [speaking french] ♪ ♪

♪ ♪ [applause] ♪

♪ ♪ ♪ [background sounds]

[applause] [inaudible conversations] ♪ ♪

[applause] ♪ ♪ root'

[speaking french] ♪ ♪ ♪

[applause] [inaudible conversations] ♪ ♪ [applause]

[inaudible conversations] [background sounds] ♪ ♪ [speaking french]

♪ ♪ ♪

♪ ♪ [applause] ♪ ♪

♪ ♪

♪ [background sounds] [speaking french] ♪ ♪

♪ ♪ [applause]

♪ ♪ [speaking french] ♪ ♪ [applause] ♪ ♪

[applause] ♪ ♪ ♪ [background sounds] [applause]

♪ ♪ ♪ [applause]

♪ ♪ [applause] ♪ ♪ ♪

[applause] ♪ ♪ [inaudible conversations]

[applause] ♪ ♪ [speaking french] ♪ ♪

♪ ♪ [applause] ♪ ♪ ♪

♪ ♪ [applause] ♪ ♪ ♪

♪ [background sounds] [applause] ♪

♪ ♪ ♪ ♪

♪ [speaking french] ♪ ♪ ♪

♪ [applause] ♪ ♪ ♪ [background sounds]

[background sounds] ♪ ♪ ♪

♪ ♪ ♪

♪ ♪

♪ ♪ [speaking french] ♪ ♪ ♪

♪ [applause] [inaudible conversations] >> thank you for your service. thank you. wonderful to see you.

thank you for your service. wonderful to see you. good to see you. thank you. good to see you. thank you. good to see you. thank you so much for your service. very nice to see you. thank you. [applause]

[background sounds] [applause] ♪ a not ♪ ♪ ♪

♪ ♪ ♪ ♪

♪ ♪ ♪

♪ ♪ ♪

[inaudible conversations] [inaudible conversations] ♪ ♪

♪ ♪ ♪

♪ ♪ ♪

♪ [background sounds] ♪ ♪

[applause] ♪ ♪ ♪ ♪

♪ [inaudible conversations] [applause] [inaudible conversations]

[inaudible conversations] [applause] [background sounds]

[background sounds] [applause]

[speaking french] ♪ ♪ [speaking french] ♪ ♪ ♪. ..

♪